So I tried the phishing section for the XSS module without walking through most of the examples. Spent several hours trying to figure out why in the heck my payload worked locally (I could see username and password upon logging in), but NOT with '/send.php'.
For whatever reason, I did NOT put name="submit" on the input type="submit" in the payload. It makes sense why this works locally; the index.php script being used is looking for 'username' and 'password' fields via the isset() function. I'm pretty sure '/send.php' is looking for "submit" as a conditional. I might be wrong about this, but it makes sense.
tl;dr: just copy the HTML form presented at the top of the page. Make sure each field, including the button, is named.
Based on the XSS payload we know that we need to start our XSS injection payload with '>
Then let's submit '>test and the source looks like:
’>
To make this clearer, let's group this like below:
'>
So essentially, by adding the '> as input, we complete the img src tag.
So I would think that in the final payload, when doing the assignment, one would also use '>
But in all of these discussions, all of a sudden one needs to use '/>
It is fundamental that you write the HTML part as in the example. The placeholders have to be "Username" and "Password", otherwise the send.php page will not work. The names of the elements have to match as well... This was the problem on my side. Hope this helps.
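Both the first post and this one come down to the same HTML rule: a form control with no name attribute is never part of what the browser submits, so a server-side isset() on that key fails. The following is an added Python example, not code from the thread or from the HTB course; the sample form, the field names and the assumed isset(username, password, submit) check in the handler are constructed assumptions that mimic what the posts describe.

```python
from html.parser import HTMLParser


class FormControls(HTMLParser):
    """Collect the <input> elements of a form (also fires for '<input ... />')."""

    def __init__(self):
        super().__init__()
        self.controls = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.controls.append(dict(attrs))


def form_data_set(html, typed):
    """(name, value) pairs a browser would POST: unnamed or disabled controls
    are never sent, and a submit button only sends its label if it has a name."""
    parser = FormControls()
    parser.feed(html)
    pairs = []
    for ctl in parser.controls:
        name = ctl.get("name")
        if not name or "disabled" in ctl:
            continue
        default = ctl.get("value", "")
        if ctl.get("type") == "submit":
            pairs.append((name, default))
        else:
            pairs.append((name, typed.get(name, default)))  # user-typed input
    return pairs


def php_isset(post, *keys):
    """Mirror isset($_POST['a'], $_POST['b'], ...): every key present and non-null."""
    return all(post.get(k) is not None for k in keys)


# Constructed sample forms: identical except that the first button has no name.
FORM_UNNAMED_BUTTON = """<form action="/send.php" method="post">
<input type="text" name="username" placeholder="Username">
<input type="password" name="password" placeholder="Password">
<input type="submit" value="Login"></form>"""
FORM_NAMED_BUTTON = FORM_UNNAMED_BUTTON.replace(
    '<input type="submit"', '<input type="submit" name="submit"')


def handler_accepts(html, typed):
    """Assumed /send.php-style gate: isset on username, password and submit."""
    post = dict(form_data_set(html, typed))
    return php_isset(post, "username", "password", "submit")
```

Running handler_accepts on the two forms with the same typed values shows the unnamed-button version rejected and the named one accepted, which is the behaviour the thread describes.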