XSS (Cross-site scripting) Skills Assessment

I got my script to be pulled by the admin account.

My script.js looks like this:

I tried even the image payload and it doesn’t seem to try to fetch it. Can someone point out the obvious to me?

You have to call for the script in the payload you’re injecting for it to work. Also use the PHP script they provide for you that calls for the cookie and the victim’s IP. I hope this helps, and good luck.

Hey, did you ever figure this out? I am having the same exact issue. My script executes but I don’t get a cookie in my response. Looks exactly like your photos, with a 200 response on /script.js, and then closes.

Anyone have any suggestions?

FYI - after working this for 4 evenings, someone suggested resetting the instance after unsuccessful attempts when you think it should work.
I did this, and boom! Hello Mr. Flag!