Not sure why everyone is so hung up on encoding. I just revisited this challenge and there should be no need for you to encode anything. It should be as easy as:
Load the /phishing page.
Paste the JavaScript payload (after you edit it with ip/port) into the online image viewer box and hit enter.
Then look to the url after the webpage embeds the javascript form. (Note that its already encoded)
Launch your netcat listener with a reasonable port like 3333 or 8009, or anything but 80.
Copy the whole url from step 3 to the send.php text box.
Feel free to message me if your stuck, but this shouldnât be frustrating. Donât even worry if you canât clean it perfectly as the extra '> shouldnât mess the exercise up.
-onthesauce
Iâm on Discord but I barely ever use it. Can you post the URL (no encoding) you are using? From the image you posted it looks like the code isnât being injected properly. Feel free to DM me, but it can help others to solve these issues on the forum.
You need to remove the urlform too. Set the listener to something like 8009 and make sure to add it you your address in the url. The only thing you donât need to worry about is the >' that gets left behind.
I am guessing the script in the background browses to the pages url, if you donât remove the urlform, it probably tries to fill in the information there.
Hi, Iâve been struggling with the same issue, where Iâm pretty sure my payload and url are both correct (have tested them manually), but the /send.php page just doesnât accept them.
Backend: A url generated by webhook.site (Iâve tried both http and https), e.g
Manually navigating to the payload url and filling out the form results in a log in my webhook.site dashboard (on a separate computer, not in the attack box, so the firewall is not a problem, the form action call does go out of the attack box to webhook.siteâs servers). /send.php does not accept this payload.
FYI Iâve also tried this using a netcat server running on my attack box too. Used the attack boxâs global ip queried through curl ifconfig.me in the payload. The Netcat server was running on port 8000. Started by sudo nc -lvnp 8000. Manually filling out the form resulted in the username and password being logged by the netcat server (in the attack box) successully. /send.php doesnât accept this payload either.
Iâve tried several other payloads, all of which work, including:
So Iâve been sparring with this one for a day now, and despite successful tests from setting up the phishing page and having it reroute without issues, all the way through to the PHP server capturing the test login info perfectly⌠I continue to get the âIssue in sending URL!â message when trying to submit the URL. Iâve also tried to submit it both decoded and encoded (as it is in the address bar) after walking through this thread.
As trusting as send.php may be, its starting to feel like my URL is where it draws the lineâŚ
Iâm stuck but I can send the url but I donât recieve anything, I read the code and clean perfectly my payload thinking that it was that, but I saw that the IP of my tun0 machine and the pwnbox it gives an error when I use it in the payload example I use http://fullIPtun0:8080 it gives me âIssue in sending URLâ but when I use http://0.0.0.0:8080 it works and sent url but doesnt give me nothing back. someone have an idea why.
this is how my phishing login looks like, I think its really clean
When I did this section I had the exact same issues and I wanted to smash something. For some reason this one doesnât work with the VPN. You need to use the Pwnbox for this task. Seems they still havenât resolved this issue.
