Stylish webchallenge
by cavour13 - Tuesday April 9, 2024 at 09:40 PM
#1
I can't approve by admin... I got an idea for XSS with CSS code, but nothing works!

Has anybody got it to work? I think it's the only way... the bot is only looking in there.

router.post('/api/submission/submit', async (req, res) => {
    const { customCSS } = req.body;

    if(customCSS) {
        return db.insertSubmission(customCSS)
            .then(submissionID => {
                fs.writeFile(`card_styles/${submissionID}.css`, customCSS, function (err) {
                    if (err) return console.log(err);
                });
                bot.visitURL(`http://127.0.0.1:1337/view/${submissionID}`);
               
                return res.send(response(
                    `Your submission (Number ${submissionID}) successfully sent!<br>When approved it will become available <a href="/view/${submissionID}">here</a>`
                ));
            });
    }
    return res.status(403).send(response('CSS code field cannot be empty!'));
});
#2
Nothing to do with XSS...
Just go through the code and you will get it...
#3
We need to submit the approval with a token, but getting the token and approving can only be done from local 127.0.0.1 (isAdmin in code). How can we do this? Where to look, SSRF or CSRF?
UPD: after approval, easy SQLi with sqlmap
#4
ZombieBear, I was able to bypass CSP! So XSS is useful to exfil approvalToken. How did you get the flag without this part of the path? :D
#5
(Apr 11, 2024, 12:12 PM)cavour13 Wrote: ZombieBear, I was able to bypass CSP! So XSS is useful to exfil approvalToken. How did you get the flag without this part of the path? :D

I haven't solved it yet, but I assumed it was CSS injection to exfil the approvalToken value
#6
It is, but we need a solution, hints of what to cling to.
#7
Pwned! Try locally and figure out how the token is generated! Then exfil and SQL as everyone else says... Anyway, ZombieBear, why don't you share your incredible skills with us?
#8
(Apr 11, 2024, 02:41 PM)herpyderp Wrote:
(Apr 11, 2024, 12:12 PM)cavour13 Wrote: ZombieBear, I was able to bypass CSP! So XSS is useful to exfil approvalToken. How did you get the flag without this part of the path? :D

I haven't solved it yet, but I assumed it was CSS injection to exfil the approvalToken value

Yes, that is CSS injection. You just need to reconstruct the token via CSSi...
#9
Any tips for this CSS injection? I tried every payload that I was able to find... nothing works.

Do we need to rewrite this from our custom CSS with a JS payload to exfil the token?
<div class="card-body">
      <p class="card-text">...</p>
</div>

I'm also trying with just copied HTML + CSS templates, which are visible only to admin/bot, with Python http.server.
Not able to trigger XSS from CSS.
#10
(Apr 20, 2024, 06:01 PM)mazafaka555 Wrote: Any tips for this CSS injection? I tried every payload that I was able to find... nothing works.

Do we need to rewrite this from our custom CSS with a JS payload to exfil the token?
<div class="card-body">
      <p class="card-text">...</p>
</div>

I'm also trying with just copied HTML + CSS templates, which are visible only to admin/bot, with Python http.server.
Not able to trigger XSS from CSS.

Look at this technique [https://github.com/HackTricks-wiki/hackt...ode-range-]
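
The thread settles on CSS injection through the unfiltered `customCSS` that the submit handler in post #1 writes to disk and shows to the bot. As an added example (not code from the challenge or from any poster), here is a conservative server-side check such a handler could run before storing a submission; `checkCardCss`, the size limit and the at-rule allowlist are assumptions.

```javascript
// Added example: conservative server-side policy for user-submitted card CSS.
// Assumptions (not from the challenge source): MAX_CSS_BYTES, the allowed
// at-rule list and the name checkCardCss are illustrative choices.
const MAX_CSS_BYTES = 4096;
const ALLOWED_AT_RULES = new Set(['media', 'supports', 'keyframes']);

// Functions that make the browser fetch a resource when the rule applies.
const FETCHING_FUNCTION = /(?:^|[^a-z0-9_])(url|image-set|image|src|cross-fade)\(/;

function checkCardCss(css) {
  const reasons = [];
  if (typeof css !== 'string' || css.length === 0) {
    return { ok: false, reasons: ['empty or non-string input'] };
  }
  if (Buffer.byteLength(css, 'utf8') > MAX_CSS_BYTES) reasons.push('too large');

  // CSS escapes (e.g. \75 for "u") can spell any blocked keyword, so refuse
  // them outright instead of trying to decode every form.
  if (css.includes('\\')) reasons.push('backslash escape');

  const lower = css.toLowerCase();

  // Comments are deliberately NOT stripped: a naive stripper can be confused by
  // "/*" inside a string and end up hiding a rule from the checks below.
  const fn = lower.match(FETCHING_FUNCTION);
  if (fn) reasons.push(`resource-loading function ${fn[1]}()`);

  // Attribute selectors let a rule match on the value of an element attribute.
  if (lower.includes('[')) reasons.push('attribute selector');

  // Only a short list of at-rules is accepted; @import and @font-face are not.
  for (const m of lower.matchAll(/@([a-z-]+)/g)) {
    if (!ALLOWED_AT_RULES.has(m[1])) reasons.push(`at-rule @${m[1]}`);
  }
  return { ok: reasons.length === 0, reasons };
}

// Constructed sample submissions (not taken from the thread).
const samples = [
  '.card-body { color: #333; border-radius: 8px; }',
  '.card-text { background: URL(//static.example.invalid/bg.png); }',
  '@import "//static.example.invalid/theme.css";',
  'p[title^="a"] { color: red; }',
  '.card-text { background: \\75rl(//static.example.invalid/bg.png); }',
];
for (const css of samples) {
  const { ok, reasons } = checkCardCss(css);
  console.log(ok ? 'accept' : `reject (${reasons.join(', ')})`, '<-', css);
}
```

A keyword filter like this is only one layer; a Content-Security-Policy on the view page that restricts `img-src`, `font-src` and `style-src` to the application's own origin limits what any rule that slips through can reach.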