pwnshopize xss-stored-alert

pwncollege · Dec 24, 2024 · 982bbd9 · 982bbd9
1 parent af56848
commit 982bbd9
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 7 deletions.
diff --git a/web-security/pwnshop.yml b/web-security/pwnshop.yml
@@ -28,3 +28,5 @@ challenges:
   challenge: SQLInjectionBlind
 - id: xss-stored-html
   challenge: XSSStoredHTML
+- id: xss-stored-alert
+  challenge: XSSStoredAlert
diff --git a/web-security/xss-stored-alert/server b/web-security/xss-stored-alert/server
@@ -1,12 +1,15 @@
 #!/opt/pwn.college/python
 
-import tempfile
-import sqlite3
 import flask
 import os
 
 app = flask.Flask(__name__)
 
+
+import sqlite3
+import tempfile
+
+
 class TemporaryDB:
     def __init__(self):
         self.db_file = tempfile.NamedTemporaryFile("x", suffix=".db")
@@ -19,26 +22,31 @@ class TemporaryDB:
         connection.commit()
         return result
 
+
 db = TemporaryDB()
+
 # https://www.sqlite.org/lang_createtable.html
 db.execute("""CREATE TABLE posts AS SELECT "First Post!" AS content""")
 
+
 @app.route("/", methods=["POST"])
 def challenge_post():
     content = flask.request.form.get("content", "")
     db.execute("INSERT INTO posts VALUES (?)", [content])
     return flask.redirect(flask.request.path)
 
+
 @app.route("/", methods=["GET"])
 def challenge_get():
     page = "<html><body>\nWelcome to pwnpost, the anonymous posting service. Post away!\n"
-    page += "<form method=post>Post:<input type=text name=content></form>\n"
+    page += "<form method=post>Post:<input type=text name=content><input type=submit value=Submit></form>\n"
 
     for post in db.execute("SELECT content FROM posts").fetchall():
         page += "<hr>" + post["content"] + "\n"
 
     return page + "</body></html>"
 
+
 app.secret_key = os.urandom(8)
-app.config['SERVER_NAME'] = f"challenge.localhost:80"
+app.config["SERVER_NAME"] = f"challenge.localhost:80"
 app.run("challenge.localhost", 80)
diff --git a/web-security/xss-stored-alert/victim b/web-security/xss-stored-alert/victim
@@ -25,12 +25,12 @@ service = FirefoxService(log_path="/dev/null")
 browser = webdriver.Firefox(service=service, options=options)
 atexit.register(browser.quit)
 
-open_ports = { s.laddr.port for s in psutil.net_connections(kind="inet") if s.status == 'LISTEN' }
+open_ports = {s.laddr.port for s in psutil.net_connections(kind="inet") if s.status == "LISTEN"}
 if 80 not in open_ports:
     print("Service doesn't seem to be running?")
     sys.exit(1)
+
 challenge_url = "http://challenge.localhost:80/"
-flag = open("/flag").read().strip()
 
 print(f"Visiting {challenge_url}")
 browser.get(challenge_url)
@@ -41,4 +41,4 @@ except TimeoutException:
     sys.exit(3)
 else:
     print("Alert triggered! Your reward:")
-    print(flag)
+    print(open("/flag").read().strip())