目录
进入挑战
打开题目后,找到对应页面的js代码,寻找一下我们用户可控的点
js代码
html
<!DOCTYPE html>
<html lang="en"><head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<meta charset="utf-8">
<meta name="robots" content="noindex">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="ie=edge">
<meta http-equiv="Content-Security-Policy" content="default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; script-src 'self' 'unsafe-inline';">
<title>Window Maker</title>
<!-- downloaded from https://unpkg.com/xp.css@0.3.0/dist/XP.css -->
<link rel="stylesheet" href="Window%20Maker_files/XP.css">
<style>
body {
margin: 0;
padding: 0;
background-image: url("bg.jpg");
background-position: center;
background-repeat: no-repeat;
font-size: 18px;
min-height: 100vh;
}
main {
max-width: 750px;
margin: 100px auto;
}
.window-body {
margin: 16px;
font-size: 14px;
}
label {
font-size: 13px;
}
@media (min-height: 980px), (min-width: 1900px) {
body {
background-size: 100% 100%;
}
}
</style>
</head>
<body>
<!-- downloaded from https://unpkg.com/mithril@2.0.4/mithril.js -->
<script src="Window%20Maker_files/mithril.js"></script>
<script>
(function(){
const App = {
view: function() {
return m("div", {class: "window"}, [
m(TitleBar),
m(WindowBody),
m(StatusBar)
])
}
}
const TitleBar = {
view: function(vnode) {
const options = vnode.attrs.options || ['min', 'max', 'close']
const name = vnode.attrs.name || "Window Maker"
return m("div", {class: "title-bar"}, [
m("div", {class: "title-bar-text"}, String(name)),
m("div", {class: "title-bar-controls"}, [
options.includes('min') && m("button", {'aria-label': 'Minimize'}),
options.includes('max') && m("button", {'aria-label': 'Maximize'}),
options.includes('close') && m("button", {'aria-label': 'Close'}),
]),
])
}
}
const WindowBody = {
view: function() {
return m("div", {class: "window-body"}, [
m("p", [
"Do you miss these looks and feels? We can help!",
m("br"),
"Window Maker is a website to help people build their own UI in 3 minutes!"
]),
m("p", [
m(InputWindowName),
m(InputWindowContent),
m("br"),
m(InputToolbar),
m("br"),
m(InputStatusBar)
]),
m("button", {onclick: function() {
const windowName = document.querySelector('#win-name').value
const windowContent = document.querySelector('#win-content').value
const toolbar = Array.from(document.querySelectorAll('input[type=checkbox]:checked')).map(item => item.value)
const showStatus = document.querySelector('#radio-yes').checked
const config = {
'window-name': windowName,
'window-content': windowContent,
'window-toolbar': toolbar,
'window-statusbar': showStatus
}
const qs = m.buildQueryString({
config
})
window.location.search = '?' + qs
}}, "generate")
])
}
}
const InputWindowName = {
view: function(vnode) {
return m("div", {class: "field-row-stacked"}, [
m("label", {for: 'win-name' }, 'Window name'),
m("input", {id: 'win-name', type: 'text' }),
])
}
}
const InputWindowContent = {
view: function(vnode) {
return m("div", {class: "field-row-stacked"}, [
m("label", {for: 'win-content' }, 'Window content(plaintext only)'),
m("textarea", {id: 'win-content', rows: '8' }),
])
}
}
const InputToolbar = {
view: function(vnode) {
return m("div", [
m("div", {class: "field-row"}, [
m("label", "Toolbar"),
]),
m(Checkbox, { id: "toolbar-min", value: "min" }),
m(Checkbox, { id: "toolbar-max", value: "max" }),
m(Checkbox, { id: "toolbar-close", value: "close" }),
])
}
}
const Checkbox = {
view: function(vnode) {
return m("div", {class: "field-row"}, [
m("input", {id: String(vnode.attrs.id), type: 'checkbox', value: String(vnode.attrs.value) }),
m("label", {for: String(vnode.attrs.id) }, String(vnode.attrs.value)),
])
}
}
const InputStatusBar = {
view: function() {
return m("div", [
m("div", {class: "field-row"}, [
m("label", "Status bar"),
]),
m(RadioButton, { id: "radio-yes", value: "Yes" }),
m(RadioButton, { id: "radio-no", value: "No" }),
])
}
}
const RadioButton = {
view: function(vnode) {
return m("div", {class: "field-row"}, [
m("input", {id: String(vnode.attrs.id), type: 'radio', name: 'status-radio' }),
m("label", {for: String(vnode.attrs.id) }, String(vnode.attrs.value)),
])
}
}
const StatusBar = {
view: function() {
return m("div", {class: "status-bar"}, [
m("p", {class: "status-bar-field"}, "Press F1 for help"),
m("p", {class: "status-bar-field"}, "Powered by XP.css and Mithril.js"),
m("p", {class: "status-bar-field"}, "CPU Usage: 32%"),
])
}
}
const CustomizedApp = {
view: function(vnode) {
return m("div", {class: "window"}, [
m(TitleBar, {name: vnode.attrs.name, options: vnode.attrs.options}),
m("div", {class: "window-body"},[
String(vnode.attrs.content)
]),
vnode.attrs.status && m(StatusBar)
])
}
}
function main() {
const qs = m.parseQueryString(location.search)
let appConfig = Object.create(null)
appConfig["version"] = 1337
appConfig["mode"] = "production"
appConfig["window-name"] = "Window"
appConfig["window-content"] = "default content"
appConfig["window-toolbar"] = ["close"]
appConfig["window-statusbar"] = false
appConfig["customMode"] = false
if (qs.config) {
merge(appConfig, qs.config)
appConfig["customMode"] = true
}
let devSettings = Object.create(null)
devSettings["root"] = document.createElement('main')
devSettings["isDebug"] = false
devSettings["location"] = 'challenge-0422.intigriti.io'
devSettings["isTestHostOrPort"] = false
if (checkHost()) {
devSettings["isTestHostOrPort"] = true
merge(devSettings, qs.settings)
}
if (devSettings["isTestHostOrPort"] || devSettings["isDebug"]) {
console.log('appConfig', appConfig)
console.log('devSettings', devSettings)
}
if (!appConfig["customMode"]) {
m.mount(devSettings.root, App)
} else {
m.mount(devSettings.root, {view: function() {
return m(CustomizedApp, {
name: appConfig["window-name"],
content: appConfig["window-content"] ,
options: appConfig["window-toolbar"],
status: appConfig["window-statusbar"]
})
}})
}
document.body.appendChild(devSettings.root)
}
function checkHost() {
const temp = location.host.split(':')
const hostname = temp[0]
const port = Number(temp[1]) || 443
return hostname === 'localhost' || port === 8080
}
function isPrimitive(n) {
return n === null || n === undefined || typeof n === 'string' || typeof n === 'boolean' || typeof n === 'number'
}
function merge(target, source) {
let protectedKeys = ['__proto__', "mode", "version", "location", "src", "data", "m"]
for(let key in source) {
if (protectedKeys.includes(key)) continue
if (isPrimitive(target[key])) {
target[key] = sanitize(source[key])
} else {
merge(target[key], source[key])
}
}
}
function sanitize(data) {
if (typeof data !== 'string') return data
return data.replace(/[<>%&\$\s\\]/g, '_').replace(/script/gi, '_')
}
main()
})()
</script>
</body></html>
代码分析
在这里你输入什么接的就是什么,比如输入的是config然后接的就是qs.config,所以我们用户可控的点在这里
然后由于有merge所以我们就可以尝试控制appconfig这个变量,然后可以尝试原型链污染了。当然后也有别的merge,如下图,这里有qs.settings这个属性然后就可以尝试控制decSettings,但是我们的注入点在那个上面呢,不急接着往下看
再往下看一下,这里有一个关于decSettings的插入节点,在这里我们可以尝试进行dom破坏
然后我们想要触发document.body.appendChild(devSettings.root)的话就要进入这里
然后就要进入这里
构造payload
我们尝试构造一个原型对象原型对象有一个属性名为1的属性,然后temp[1]又是空,我们访问1的时候就可以取出1里面的内容。然后我们构造的时候需要满⾜对象类型为Array,且可被merge的参数,满⾜这样条件的只有
我们尝试构造下面代码,这里不用__proto__是因为被过滤掉了
javascript
appConfig["window-toolbar"][constructor][prototype]['1']=8080
现在我们进入了if (checkHost())我们接下来就可以尝试对settings进行修改,构造下面代码
javascript
settings[root][ownerDocument][body][children][1][outerHTML]
[1]=%3Csvg%20onload%3Dalert(1)%3E
setting为什么下面不直接覆盖root,是因为后面root会被main会被覆盖且后面有过滤,如下图
然后我们需要绕过一下。绕过的方法就看root了,root下面有很多方法,我们想办法找到decSetting.root上面的元素,如下面
然后找到ownerDocument
然后找到body
然后找到]children[1]
然后找到这里[outerHTML][1]
一层一层往下取值最后插入这样在经过isprimitive时就会被判断是一个数组就不会进入isprimitive