-
Notifications
You must be signed in to change notification settings - Fork 21
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
6 changed files
with
97 additions
and
3 deletions.
There are no files selected for viewing
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,10 @@ | ||
| In the previous examples, your injection content was first stored in the database (as posts), and was triggered when the web server retrieved it from the database and sent it to the victim's browser. | ||
| Because the data has to be stored first and retrieved later, this is called a _Stored_ XSS. | ||
| However, the magic of HTTP GET requests and their URL parameters opens the door to another type of XSS: _Reflected_ XSS. | ||
|
|
||
| Reflected XSS happens when a URL parameter is rendered into a generated HTML page in a way that, again, allows the attacker to insert HTML/JavaScript/etc. | ||
| To carry out such an attack, an attacker typically needs to trick the victim into visiting a very specifically-crafted URL with the right URL parameters. | ||
| This is unlike a Stored XSS, where an attacker might be able to simply make a post in a vulnerable forum and wait for victims to stumble onto it. | ||
|
|
||
| Anyways, this level is a Reflected XSS vulnerability. | ||
| Fool the `/challenge/victim` into making a JavaScript `alert("PWNED")`, and you'll get the flag! |
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,19 @@ | ||
| #!/opt/pwn.college/python | ||
|
|
||
| import flask | ||
| import os | ||
|
|
||
| app = flask.Flask(__name__) | ||
|
|
||
| @app.route("/", methods=["GET"]) | ||
| def challenge_get(): | ||
| return f""" | ||
| <html><body> | ||
| <h1>pwnmsg ephemeral message service</h1> | ||
| The message: {flask.request.args.get("msg", "(none)")} | ||
| <hr><form>Craft a message:<input type=text name=msg><input type=submit value=Submit></form> | ||
| </body></html> | ||
| """ | ||
|
|
||
| app.secret_key = os.urandom(8) | ||
| app.run("challenge.localhost", 8080 if os.geteuid() else 80) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,68 @@ | ||
| #!/opt/pwn.college/python | ||
|
|
||
| import contextlib | ||
| import urllib | ||
| import sys | ||
| import os | ||
|
|
||
| from selenium import webdriver | ||
| from selenium.webdriver.firefox.options import Options as FirefoxOptions | ||
| from selenium.webdriver.firefox.service import Service as FirefoxService | ||
| from selenium.webdriver.common.by import By | ||
| from selenium.webdriver.support.wait import WebDriverWait | ||
| from selenium.webdriver.support import expected_conditions as EC | ||
| from selenium.common.exceptions import TimeoutException, WebDriverException | ||
|
|
||
| os.environ["PATH"] = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" | ||
|
|
||
| @contextlib.contextmanager | ||
| def run_browser(): | ||
| options = FirefoxOptions() | ||
| options.add_argument("--headless") | ||
|
|
||
| # workaround for ubuntu | ||
| if os.path.exists("/snap/bin/geckodriver"): | ||
| service = FirefoxService(executable_path="/snap/bin/geckodriver", log_path="/dev/null") | ||
| else: | ||
| service = FirefoxService(log_path="/dev/null") | ||
| driver = webdriver.Firefox(service=service, options=options) | ||
|
|
||
| try: | ||
| yield driver | ||
| finally: | ||
| driver.quit() | ||
|
|
||
| if len(sys.argv) <= 1: | ||
| print(f"Usage: {sys.argv[0]} URL") | ||
| sys.exit(1) | ||
|
|
||
| url = sys.argv[1] | ||
| url_arg_parsed = urllib.parse.urlparse(url) | ||
| try: | ||
| assert url_arg_parsed.hostname == "challenge.localhost", "hostname should be 'challenge.localhost'" | ||
| assert url_arg_parsed.port in {None, 80, 8080}, "port should be 80 or 8080" | ||
| except AssertionError as e: | ||
| print(f"Invalid URL: {e}") | ||
| sys.exit(2) | ||
|
|
||
| print("Visiting the URL!") | ||
| with run_browser() as browser: | ||
| try: | ||
| browser.get(url) | ||
| print("URL loaded...") | ||
| WebDriverWait(browser, 1).until(EC.alert_is_present()) | ||
| except TimeoutException: | ||
| print("Failure: JavaScript alert did not trigger...") | ||
| sys.exit(3) | ||
| except WebDriverException as e: | ||
| if "can%E2%80%99t%20establish%20a%20connection" in str(e): | ||
| print("Connection error! Is the service running?") | ||
| else: | ||
| print(f"Failure: {e}...") | ||
| sys.exit(4) | ||
| else: | ||
| if url_arg_parsed.port is None or url_arg_parsed.port == 80: | ||
| print("Alert triggered! Your flag:") | ||
| print(open("/flag").read()) | ||
| else: | ||
| print("Alert triggered! Now do it on the real service (port 80)!") |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters