Erik:
> Exa wrote:
> > Erik wrote:
> > > Exa wrote:
> > > Some thoughts about the check() function: SCRIPT should work instead of script. str.replace() replaces only the first occurrence. That is, a second tag will not be replaced. I created a new issue with this text, but I received no callback (the issue got deleted though): test
> >
> > Okay, I reached that point, finally. I'll tell you if I find anything.
> > Edit: I do get a hit back on my server.
>
> Are you sure the hit back is not from your own browser?

Oh yeah, that was it. I tried uploading a rev shell but didn't get it through nc, though I had a callback. Back to square one.

Exa:
For better testing, I inject this line at the bottom of the HTTP response when opening the main issue page with Burp:

Doing so, I can see "Previewing http://dev.snippet.htb/api/v1/repos/test/extension/issues/xxx" in the Firefox Console and I can see the issue body (if it passes the filter) being inserted.
So I tested test and I get a callback when I open the main issue page with my browser. The cron job doesn't work though.
I also tried test but that doesn't get executed by my browser. When using Firefox Inspector, that whole script block is greyed out. Not sure what that means.
I also tried test with no luck.

mhendel:
> Exa wrote (July 18, 2022, 02:03 PM):
> > mhendel wrote (July 18, 2022, 02:00 PM):
> > I did exactly what you proposed with that raft-small-words.txt: always error 400 with length 1183...
>
> You need to check the response body. The correct key word will also give a 400 error (and the same length, coincidentally) but with a different message.
>
> > Erik wrote (July 18, 2022, 01:44 PM):
> > I do, but Idk why both john and hashcat won't work for me.
>
> --format=raw-sha256 and a reasonably large wordlist. Or use https://crackstation.net/

Hey, I have the password hashes, tried to bruteforce with john and hashcat with realuniq.lst for the 2 users I know in dev... And not working... What am I doing wrong?

Exa:
> mhendel wrote (July 18, 2022, 05:48 PM):
> Hey, I have the password hashes, tried to bruteforce with john and hashcat with realuniq.lst for the 2 users I know in dev... And not working... What am I doing wrong?

Don't focus on these two users.

Exa:
This one gets executed in my browser: test
I guess the next step is to steal the session from the cron job using some kind of filter evasion.
EDIT: I noticed there was a change to inject.js by jean. So perhaps bypassing the special characters (; ' ( ...) is not necessary, since the cron job runs the older version of that file.

teksius (July 18, 2022 at 10:14 PM):
> Exa wrote:
> This one gets executed in my browser: test
> I guess the next step is to steal the session from the cron job using some kind of filter evasion.
> EDIT: I noticed there was a change to inject.js by jean. So perhaps bypassing the special characters (; ' ( ...) is not necessary, since the cron job runs the older version of that file.

You should post in private repo and you'll get the backconnect. And you need to bypass special characters of course.

nhocit:
> teksius wrote:
> You should post in private repo and you'll get the backconnect. And you need to bypass special characters of course.

You mean we should insert the payload above into the body of the private repos extension in order to get the rev shell?
Edited. I have created a new issue in repos and filled in the tag like this: test. I got a hit back from the Gitea through netcat! But no rev shell payload yet!

teksius:
> nhocit wrote:
> You mean we should insert the payload above into the body of the private repos extension in order to get the rev shell?
> Edited. I have created a new issue in repos and filled in the tag like this: test. I got a hit back from the Gitea through netcat! But no rev shell payload yet!

What rev shell? It's XSS :)

Erik (July 19, 2022 at 10:25 AM):
> teksius wrote:
> What rev shell? It's XSS :)

That's the aim of XSS lmao, to get a hit back through a shell. Idk what you mean.

Reply (July 19, 2022 at 10:42 AM):
> Erik wrote (July 19, 2022, 10:25 AM):
> That's the aim of XSS lmao, to get a hit back through a shell. Idk what you mean.

Nah, XSS doesn't result in RCE on the server, like a rev shell, as it's client side. But as the script running is JS, then you should be able to run JavaScript commands in the context of jean via RXSS. On that note, anyone successfully get a remote hosted XSS script that managed to get anything useful?
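Exa's first observation about the check() function (a case-sensitive match, and str.replace() touching only the first occurrence) as an added example; this is not code from the thread or from the box, whose real check() is not shown here. weakCheck models only those two defects; strictCheck, SCRIPT_TAG, escapeHtml and the sample bodies are constructed for this illustration.

```javascript
// Added example (not the thread's or the box's code): a blocklist filter with
// the two weaknesses named in the thread, beside a hardened replacement.

// Weak filter: String.prototype.replace with a *string* pattern is
// case-sensitive and rewrites only the first match, then lets the rest through.
function weakCheck(body) {
  const cleaned = body.replace("<script", "");
  return { allowed: true, body: cleaned };
}

// Hardened filter: one regex, case-insensitive, covering opening and closing
// tags anywhere in the body; any hit rejects the body instead of stripping it,
// so a second copy cannot survive a single replacement.
const SCRIPT_TAG = /<\s*\/?\s*script\b/i;

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

function strictCheck(body) {
  if (SCRIPT_TAG.test(body)) {
    return { allowed: false, body: null };
  }
  // A blocklist is not a sanitizer: escape whatever is rendered into HTML.
  return { allowed: true, body: escapeHtml(body) };
}

// Helper used to show what each filter actually leaves behind.
function containsScriptTag(s) {
  return /<script/i.test(s);
}

// Constructed sample bodies mirroring the two cases from the thread.
const SAMPLES = {
  upper: "<SCRIPT>x</SCRIPT>",                       // uppercase tag name
  double: "<script>a</script><script>b</script>",    // second tag after the first
  plain: "just an issue body",
};

if (typeof require !== "undefined" && require.main === module) {
  for (const [name, body] of Object.entries(SAMPLES)) {
    console.log(name, "weak ->", weakCheck(body), "strict ->", strictCheck(body));
  }
}
```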