How I Got XSS & HTMLi with ffuf

KiRaaDx
May 31, 2024

--

Hey Guys, I hope you are doing well.

Description
This is a small story about one of my findings :)!!

So let's start. The target was found externally (via Google dorking); let's call it target.com.

1. I ran fuzzing with ffuf on one of the main domains and found two files: 1.txt and 123.txt.

2. Opening these files gave just a white screen with "1" and "123" printed on it.

3. I tried writing anything before /1.txt. The URL looked like https://target[.]com/test/1.txt, and "test" was printed on the screen.

4. So I tried a simple XSS & HTMLi payload in the same position, and I got both HTMLi and XSS. The URL looked like https://target[.]com/PAYLOAD/1.txt.

And I got HTMLi:

[Screenshot: HTML Injection]

And I got XSS:

[Screenshot: XSS]
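To show why the reflection in step 3 matters and how it is fixed, here is an added example (my own code, not the target's application): a hypothetical handler that echoes the segment before /1.txt into the page, the same handler with HTML-entity encoding applied, and a small check that flags when the rendered page contains tags the template did not put there. The request paths are constructed for the example.

```python
import html
import re
from urllib.parse import unquote

# Hypothetical handler modelled on the write-up's https://target[.]com/<segment>/1.txt
# pattern. This is illustrative code, not the target's real implementation.
SEGMENT_RE = re.compile(r"^/(?P<seg>[^/]*)/1\.txt$")
TAG_RE = re.compile(r"<[a-zA-Z/][^>]*>")
TEMPLATE_TAGS = {"<html>", "<body>", "</body>", "</html>"}


def extract_segment(path: str) -> str:
    """Return the path segment before /1.txt, percent-decoded as a server would see it."""
    m = SEGMENT_RE.match(path)
    return unquote(m.group("seg")) if m else ""


def render_vulnerable(path: str) -> str:
    """Echo the decoded segment straight into HTML ('test' printed on screen in the write-up)."""
    return f"<html><body>{extract_segment(path)}</body></html>"


def render_fixed(path: str) -> str:
    """Same behaviour, but the segment is entity-encoded before it reaches the page."""
    return f"<html><body>{html.escape(extract_segment(path), quote=True)}</body></html>"


def reflects_markup(render, path: str) -> bool:
    """Detection check: does the rendered body contain any tag the template did not emit?"""
    body = render(path)
    return any(tag not in TEMPLATE_TAGS for tag in TAG_RE.findall(body))


if __name__ == "__main__":
    # Constructed probe: a harmless bold tag, with the inner slash percent-encoded
    # so it stays inside one path segment.
    probe = "/%3Cb%3Ebold%3C%2Fb%3E/1.txt"
    print("vulnerable reflects markup:", reflects_markup(render_vulnerable, probe))  # True
    print("fixed reflects markup:", reflects_markup(render_fixed, probe))  # False
```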
