webPromedium

Lab 393 — ShareVault — Stored XSS via File Browser innerHTML

hackadvisor

Task: Express/Node.js file sharing platform renders uploaded filenames via innerHTML without sanitization; admin bot reviews reported files. Solution: stored XSS via malicious filename with img onerror handler, exfiltrate admin's non-HttpOnly cookie by uploading a new file with stolen data encoded in the filename via FormData+fetch.

$ ls tags/ techniques/

file_upload nodejs xss stored_xss express admin_bot cookie_theft innerHTML

innerHTML_injectionstored_xss_via_filenamebase64_eval_payloadformdata_exfiltrationadmin_bot_trigger

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 342 — CloudVault — Stored XSS via Malicious SVG Upload— hackadvisor
[web][Pro]Lab 49 — PixelVault — Stored XSS via Malicious SVG Upload— hackadvisor
[web][Pro]Lab 202 — WikiVault — AngularJS Client-Side Template Injection (XSS)— hackadvisor
[web][Pro]DeployVault — Path Confusion to SSRF Chain— hackadvisor
[web][free]Desires— HackTheBox