一道xss题目--intigriti-0422-XSS-Challenge-Write-up

目录

进入挑战

js代码

代码分析

构造payload

​编辑

结果


进入挑战

Intigriti April Challenge题目地址

打开题目后,找到对应页面的js代码,寻找一下我们用户可控的点

js代码

html 复制代码
<!DOCTYPE html>
<html lang="en"><head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
  <meta charset="utf-8">
  <meta name="robots" content="noindex">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <meta http-equiv="X-UA-Compatible" content="ie=edge">
  <meta http-equiv="Content-Security-Policy" content="default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; script-src 'self' 'unsafe-inline';">

  <title>Window Maker</title>
  <!-- downloaded from https://unpkg.com/xp.css@0.3.0/dist/XP.css -->
  <link rel="stylesheet" href="Window%20Maker_files/XP.css">
  <style>
    body {
      margin: 0;
      padding: 0;
      background-image: url("bg.jpg");
      background-position: center;
      background-repeat: no-repeat;
      font-size: 18px;
      min-height: 100vh;
    }
    main {
      max-width: 750px;
      margin: 100px auto;
    }
    .window-body {
      margin: 16px;
      font-size: 14px;
    }
    label {
      font-size: 13px;
    }

    @media (min-height: 980px), (min-width: 1900px) {
      body {
        background-size: 100% 100%;
      }
    }
  </style>
</head>

<body>
    <!-- downloaded from https://unpkg.com/mithril@2.0.4/mithril.js -->
    <script src="Window%20Maker_files/mithril.js"></script>
    <script>
      (function(){
        const App = {
          view: function() {
            return m("div", {class: "window"}, [
              m(TitleBar),
              m(WindowBody),
              m(StatusBar)
            ])
          }
        }

        const TitleBar = {
          view: function(vnode) {
            const options = vnode.attrs.options || ['min', 'max', 'close']
            const name = vnode.attrs.name || "Window Maker"
            return m("div", {class: "title-bar"}, [
              m("div", {class: "title-bar-text"}, String(name)),
              m("div", {class: "title-bar-controls"}, [
                options.includes('min') && m("button", {'aria-label': 'Minimize'}),
                options.includes('max') && m("button", {'aria-label': 'Maximize'}),
                options.includes('close') && m("button", {'aria-label': 'Close'}),
              ]),
            ])
          }
        }

        const WindowBody = {
          view: function() {
            return m("div", {class: "window-body"}, [
              m("p", [
                "Do you miss these looks and feels? We can help!",
                m("br"),
                "Window Maker is a website to help people build their own UI in 3 minutes!"
              ]),
              m("p", [
                m(InputWindowName),
                m(InputWindowContent),
                m("br"),
                m(InputToolbar),
                m("br"),
                m(InputStatusBar)
              ]),
              m("button", {onclick: function() {
                const windowName = document.querySelector('#win-name').value
                const windowContent = document.querySelector('#win-content').value
                const toolbar = Array.from(document.querySelectorAll('input[type=checkbox]:checked')).map(item => item.value)
                const showStatus = document.querySelector('#radio-yes').checked
                const config = {
                  'window-name': windowName,
                  'window-content': windowContent,
                  'window-toolbar': toolbar,
                  'window-statusbar': showStatus
                }
                const qs = m.buildQueryString({
                  config
                })
                window.location.search = '?' + qs
              }}, "generate")
            ])
          }
        } 

        const InputWindowName = {
          view: function(vnode) {
            return m("div", {class: "field-row-stacked"}, [
              m("label", {for: 'win-name' }, 'Window name'),
              m("input", {id: 'win-name', type: 'text' }),
            ])
          }
        }

        const InputWindowContent = {
          view: function(vnode) {
            return m("div", {class: "field-row-stacked"}, [
              m("label", {for: 'win-content' }, 'Window content(plaintext only)'),
              m("textarea", {id: 'win-content', rows: '8' }),
            ])
          }
        }

        const InputToolbar = {
          view: function(vnode) {
            return m("div", [
              m("div", {class: "field-row"}, [
                m("label", "Toolbar"),
              ]),
              m(Checkbox, { id: "toolbar-min", value: "min" }),
              m(Checkbox, { id: "toolbar-max", value: "max" }),
              m(Checkbox, { id: "toolbar-close", value: "close" }),
            ])
          }
        }

        const Checkbox = {
          view: function(vnode) {
            return m("div", {class: "field-row"}, [
              m("input", {id: String(vnode.attrs.id), type: 'checkbox', value: String(vnode.attrs.value) }),
              m("label", {for: String(vnode.attrs.id) }, String(vnode.attrs.value)),
            ])
          }
        }

        const InputStatusBar = {
          view: function() {
            return m("div", [
              m("div", {class: "field-row"}, [
                m("label", "Status bar"),
              ]),
              m(RadioButton, { id: "radio-yes", value: "Yes" }),
              m(RadioButton, { id: "radio-no", value: "No" }),
            ])
          }
        }

        const RadioButton = {
          view: function(vnode) {
            return m("div", {class: "field-row"}, [
              m("input", {id: String(vnode.attrs.id), type: 'radio', name: 'status-radio' }),
              m("label", {for: String(vnode.attrs.id) }, String(vnode.attrs.value)),
            ])
          }
        }

        const StatusBar = {
          view: function() {
            return m("div", {class: "status-bar"}, [
              m("p", {class: "status-bar-field"}, "Press F1 for help"),
              m("p", {class: "status-bar-field"}, "Powered by XP.css and Mithril.js"),
              m("p", {class: "status-bar-field"}, "CPU Usage: 32%"),
            ])
          }
        }

        const CustomizedApp = {
          view: function(vnode) {
            return m("div", {class: "window"}, [
              m(TitleBar, {name: vnode.attrs.name, options: vnode.attrs.options}),
              m("div", {class: "window-body"},[
                String(vnode.attrs.content)
              ]),
               vnode.attrs.status && m(StatusBar)
            ])
          }
        }

        function main() {
          const qs = m.parseQueryString(location.search)

          let appConfig = Object.create(null)
          appConfig["version"] = 1337
          appConfig["mode"] = "production"
          appConfig["window-name"] = "Window"
          appConfig["window-content"] = "default content"
          appConfig["window-toolbar"] = ["close"]
          appConfig["window-statusbar"] = false
          appConfig["customMode"] = false

          if (qs.config) {
            merge(appConfig, qs.config)
            appConfig["customMode"] = true
          }

          let devSettings = Object.create(null)
          devSettings["root"] = document.createElement('main')
          devSettings["isDebug"] = false
          devSettings["location"] = 'challenge-0422.intigriti.io'
          devSettings["isTestHostOrPort"] = false

          if (checkHost()) {
            devSettings["isTestHostOrPort"] = true
            merge(devSettings, qs.settings)
          }

          if (devSettings["isTestHostOrPort"] || devSettings["isDebug"]) {
            console.log('appConfig', appConfig)
            console.log('devSettings', devSettings)
          }

          if (!appConfig["customMode"]) {
            m.mount(devSettings.root, App)
          } else {
            m.mount(devSettings.root, {view: function() {
              return m(CustomizedApp, {
                name: appConfig["window-name"],
                content: appConfig["window-content"] ,
                options: appConfig["window-toolbar"],
                status: appConfig["window-statusbar"]
              })
            }})
          }

          document.body.appendChild(devSettings.root)
        }

        function checkHost() {
          const temp = location.host.split(':')
          const hostname = temp[0]
          const port = Number(temp[1]) || 443
          return hostname === 'localhost' || port === 8080
        }

        function isPrimitive(n) {
          return n === null || n === undefined || typeof n === 'string' || typeof n === 'boolean' || typeof n === 'number'
        }

        function merge(target, source) {
          let protectedKeys = ['__proto__', "mode", "version", "location", "src", "data", "m"]

          for(let key in source) {
            if (protectedKeys.includes(key)) continue

            if (isPrimitive(target[key])) {
              target[key] = sanitize(source[key])
            } else {
              merge(target[key], source[key])
            }
          }
        }
        function sanitize(data) {
          if (typeof data !== 'string') return data
          return data.replace(/[<>%&\$\s\\]/g, '_').replace(/script/gi, '_')
        }

        main()
      })()
    </script>

</body></html>

代码分析

在这里你输入什么接的就是什么,比如输入的是config然后接的就是qs.config,所以我们用户可控的点在这里

然后由于有merge所以我们就可以尝试控制appconfig这个变量,然后可以尝试原型链污染了。当然后也有别的merge,如下图,这里有qs.settings这个属性然后就可以尝试控制decSettings,但是我们的注入点在那个上面呢,不急接着往下看

再往下看一下,这里有一个关于decSettings的插入节点,在这里我们可以尝试进行dom破坏

然后我们想要触发document.body.appendChild(devSettings.root)的话就要进入这里

然后就要进入这里

构造payload

我们尝试构造一个原型对象原型对象有一个属性名为1的属性,然后temp[1]又是空,我们访问1的时候就可以取出1里面的内容。然后我们构造的时候需要满⾜对象类型为Array,且可被merge的参数,满⾜这样条件的只有

我们尝试构造下面代码,这里不用__proto__是因为被过滤掉了

javascript 复制代码
appConfig["window-toolbar"][constructor][prototype]['1']=8080

现在我们进入了if (checkHost())我们接下来就可以尝试对settings进行修改,构造下面代码

javascript 复制代码
settings[root][ownerDocument][body][children][1][outerHTML]
[1]=%3Csvg%20onload%3Dalert(1)%3E

setting为什么下面不直接覆盖root,是因为后面root会被main会被覆盖且后面有过滤,如下图

然后我们需要绕过一下。绕过的方法就看root了,root下面有很多方法,我们想办法找到decSetting.root上面的元素,如下面

然后找到ownerDocument

然后找到body

然后找到]children[1]

然后找到这里[outerHTML][1]

一层一层往下取值最后插入这样在经过isprimitive时就会被判断是一个数组就不会进入isprimitive

结果

相关推荐
hzyyyyyyyu1 小时前
内网安全隧道搭建-ngrok-frp-nps-sapp
服务器·网络·安全
网络研究院1 小时前
国土安全部发布关键基础设施安全人工智能框架
人工智能·安全·框架·关键基础设施
Daniel 大东2 小时前
BugJson因为json格式问题OOM怎么办
java·安全
EasyNVR7 小时前
NVR管理平台EasyNVR多个NVR同时管理:全方位安防监控视频融合云平台方案
安全·音视频·监控·视频监控
黑客Ash10 小时前
【D01】网络安全概论
网络·安全·web安全·php
阿龟在奔跑11 小时前
引用类型的局部变量线程安全问题分析——以多线程对方法局部变量List类型对象实例的add、remove操作为例
java·jvm·安全·list
.Ayang11 小时前
SSRF漏洞利用
网络·安全·web安全·网络安全·系统安全·网络攻击模型·安全架构
.Ayang11 小时前
SSRF 漏洞全解析(概述、攻击流程、危害、挖掘与相关函数)
安全·web安全·网络安全·系统安全·网络攻击模型·安全威胁分析·安全架构
好想打kuo碎12 小时前
1、HCIP之RSTP协议与STP相关安全配置
网络·安全