Cenzic 232 Patent
Paid Advertising
sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
Q and A on cross site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future. For Session, fixations, hijacking, lockout, replay, session riding etc.... 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
Decloaking an internal IP
Posted by: lat
Date: November 23, 2009 05:11PM

I want to use http://decloak.net/decloak.html in my XSS payload to extract the victim's internal IP. How can I include that script in the payload, via an iframe for example, then extract the results URL to send back to me?

Options: ReplyQuote
Re: Decloaking an internal IP
Posted by: PaPPy
Date: November 24, 2009 07:23AM

i know its possible with java, so you could get your own applet and get the results that way

i also googled get internal ip address javascript
and came up with this
http://www.gnucitizen.org/projects/javascript-address-info/

http://www.xssed.com/archive/author=PaPPy/

Options: ReplyQuote
Re: Decloaking an internal IP
Posted by: lat
Date: November 24, 2009 08:25AM

I'm aware of the Java method, and decloak.net uses that too. I want to use decloak.net as it seems to be the most comprehensive. My only question is, how I can include that as part of my demo payload.

Options: ReplyQuote
Re: Decloaking an internal IP
Posted by: PaPPy
Date: November 24, 2009 09:12AM

well u would have to break the cross domain policy
unless u find xss on decloak.net

id just use a java applet on ur site where your xss payload is

http://www.xssed.com/archive/author=PaPPy/

Options: ReplyQuote


Sorry, only registered users may post in this forum.