31C3 CTF – Page Builder writeup

This challenge needs only XSS but it is interesting to me :)

These guys have ripped off our designs and using them in their web pages builder! We’d Haxx them, don’t worry we’ll give you decent points for it.

スクリーンショット 2015-01-02 8.40.09

By using the form, we could generate a page.(such as

It htmlspecialchars the “title” and “file content” but not “style” or “filename”.

The maximum size of “style” is 8bytes and that of “filename” is 65bytes.

Then, “filename” can be foo.php and “style” can be <?php a so that it shows PHP error.


Parse error: syntax error, unexpected ‘” rel=”‘ (T_CONSTANT_ENCAPSED_STRING) in /var/www/html/output/19c94d778563b117e18e3442e887989aea14277d/foo.php on line 10

hmm… PHP code exeution looks difficult because maximum size of “style” is 8bytes and short_open_tag is offed. (and * is removed from “title” and “file content”)

So let’s search another vulnerability.

We can XSS with “filename”, because the error page above prints “filename” that is not escaped! onload=%22eval%28location.hash.slice%281%29%29%22.php#

(Notice: we put the code in location.hash to fit in the maximum length of “filename”)

Now, just submit a link above in the contact form and we capture the flag!




メールアドレスが公開されることはありません。 * が付いている欄は必須項目です