目录
进入挑战
js代码
代码分析
构造payload
编辑
结果
进入挑战
Intigriti April Challenge题目地址
打开题目后,找到对应页面的js代码,寻找一下我们用户可控的点
js代码
<!DOCTYPE html>
<html lang="en"><head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8"><meta charset="utf-8"><meta name="robots" content="noindex"><meta name="viewport" content="width=device-width, initial-scale=1.0"><meta http-equiv="X-UA-Compatible" content="ie=edge"><meta http-equiv="Content-Security-Policy" content="default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; script-src 'self' 'unsafe-inline';"><title>Window Maker</title><!-- downloaded from https://unpkg.com/xp.css@0.3.0/dist/XP.css --><link rel="stylesheet" href="Window%20Maker_files/XP.css"><style>body {margin: 0;padding: 0;background-image: url("bg.jpg");background-position: center;background-repeat: no-repeat;font-size: 18px;min-height: 100vh;}main {max-width: 750px;margin: 100px auto;}.window-body {margin: 16px;font-size: 14px;}label {font-size: 13px;}@media (min-height: 980px), (min-width: 1900px) {body {background-size: 100% 100%;}}</style>
</head><body><!-- downloaded from https://unpkg.com/mithril@2.0.4/mithril.js --><script src="Window%20Maker_files/mithril.js"></script><script>(function(){const App = {view: function() {return m("div", {class: "window"}, [m(TitleBar),m(WindowBody),m(StatusBar)])}}const TitleBar = {view: function(vnode) {const options = vnode.attrs.options || ['min', 'max', 'close']const name = vnode.attrs.name || "Window Maker"return m("div", {class: "title-bar"}, [m("div", {class: "title-bar-text"}, String(name)),m("div", {class: "title-bar-controls"}, [options.includes('min') && m("button", {'aria-label': 'Minimize'}),options.includes('max') && m("button", {'aria-label': 'Maximize'}),options.includes('close') && m("button", {'aria-label': 'Close'}),]),])}}const WindowBody = {view: function() {return m("div", {class: "window-body"}, [m("p", ["Do you miss these looks and feels? We can help!",m("br"),"Window Maker is a website to help people build their own UI in 3 minutes!"]),m("p", [m(InputWindowName),m(InputWindowContent),m("br"),m(InputToolbar),m("br"),m(InputStatusBar)]),m("button", {onclick: function() {const windowName = document.querySelector('#win-name').valueconst windowContent = document.querySelector('#win-content').valueconst toolbar = Array.from(document.querySelectorAll('input[type=checkbox]:checked')).map(item => item.value)const showStatus = document.querySelector('#radio-yes').checkedconst config = {'window-name': windowName,'window-content': windowContent,'window-toolbar': toolbar,'window-statusbar': showStatus}const qs = m.buildQueryString({config})window.location.search = '?' + qs}}, "generate")])}} const InputWindowName = {view: function(vnode) {return m("div", {class: "field-row-stacked"}, [m("label", {for: 'win-name' }, 'Window name'),m("input", {id: 'win-name', type: 'text' }),])}}const InputWindowContent = {view: function(vnode) {return m("div", {class: "field-row-stacked"}, [m("label", {for: 'win-content' }, 'Window content(plaintext only)'),m("textarea", {id: 'win-content', rows: '8' }),])}}const InputToolbar = {view: function(vnode) {return m("div", [m("div", {class: "field-row"}, [m("label", "Toolbar"),]),m(Checkbox, { id: "toolbar-min", value: "min" }),m(Checkbox, { id: "toolbar-max", value: "max" }),m(Checkbox, { id: "toolbar-close", value: "close" }),])}}const Checkbox = {view: function(vnode) {return m("div", {class: "field-row"}, [m("input", {id: String(vnode.attrs.id), type: 'checkbox', value: String(vnode.attrs.value) }),m("label", {for: String(vnode.attrs.id) }, String(vnode.attrs.value)),])}}const InputStatusBar = {view: function() {return m("div", [m("div", {class: "field-row"}, [m("label", "Status bar"),]),m(RadioButton, { id: "radio-yes", value: "Yes" }),m(RadioButton, { id: "radio-no", value: "No" }),])}}const RadioButton = {view: function(vnode) {return m("div", {class: "field-row"}, [m("input", {id: String(vnode.attrs.id), type: 'radio', name: 'status-radio' }),m("label", {for: String(vnode.attrs.id) }, String(vnode.attrs.value)),])}}const StatusBar = {view: function() {return m("div", {class: "status-bar"}, [m("p", {class: "status-bar-field"}, "Press F1 for help"),m("p", {class: "status-bar-field"}, "Powered by XP.css and Mithril.js"),m("p", {class: "status-bar-field"}, "CPU Usage: 32%"),])}}const CustomizedApp = {view: function(vnode) {return m("div", {class: "window"}, [m(TitleBar, {name: vnode.attrs.name, options: vnode.attrs.options}),m("div", {class: "window-body"},[String(vnode.attrs.content)]),vnode.attrs.status && m(StatusBar)])}}function main() {const qs = m.parseQueryString(location.search)let appConfig = Object.create(null)appConfig["version"] = 1337appConfig["mode"] = "production"appConfig["window-name"] = "Window"appConfig["window-content"] = "default content"appConfig["window-toolbar"] = ["close"]appConfig["window-statusbar"] = falseappConfig["customMode"] = falseif (qs.config) {merge(appConfig, qs.config)appConfig["customMode"] = true}let devSettings = Object.create(null)devSettings["root"] = document.createElement('main')devSettings["isDebug"] = falsedevSettings["location"] = 'challenge-0422.intigriti.io'devSettings["isTestHostOrPort"] = falseif (checkHost()) {devSettings["isTestHostOrPort"] = truemerge(devSettings, qs.settings)}if (devSettings["isTestHostOrPort"] || devSettings["isDebug"]) {console.log('appConfig', appConfig)console.log('devSettings', devSettings)}if (!appConfig["customMode"]) {m.mount(devSettings.root, App)} else {m.mount(devSettings.root, {view: function() {return m(CustomizedApp, {name: appConfig["window-name"],content: appConfig["window-content"] ,options: appConfig["window-toolbar"],status: appConfig["window-statusbar"]})}})}document.body.appendChild(devSettings.root)}function checkHost() {const temp = location.host.split(':')const hostname = temp[0]const port = Number(temp[1]) || 443return hostname === 'localhost' || port === 8080}function isPrimitive(n) {return n === null || n === undefined || typeof n === 'string' || typeof n === 'boolean' || typeof n === 'number'}function merge(target, source) {let protectedKeys = ['__proto__', "mode", "version", "location", "src", "data", "m"]for(let key in source) {if (protectedKeys.includes(key)) continueif (isPrimitive(target[key])) {target[key] = sanitize(source[key])} else {merge(target[key], source[key])}}}function sanitize(data) {if (typeof data !== 'string') return datareturn data.replace(/[<>%&\$\s\\]/g, '_').replace(/script/gi, '_')}main()})()</script></body></html>代码分析
在这里你输入什么接的就是什么,比如输入的是config然后接的就是qs.config,所以我们用户可控的点在这里
然后由于有merge所以我们就可以尝试控制appconfig这个变量,然后可以尝试原型链污染了。当然后也有别的merge,如下图,这里有qs.settings这个属性然后就可以尝试控制decSettings,但是我们的注入点在那个上面呢,不急接着往下看
再往下看一下,这里有一个关于decSettings的插入节点,在这里我们可以尝试进行dom破坏
然后我们想要触发document.body.appendChild(devSettings.root)的话就要进入这里
然后就要进入这里
构造payload
我们尝试构造一个原型对象原型对象有一个属性名为1的属性,然后temp[1]又是空,我们访问1的时候就可以取出1里面的内容。然后我们构造的时候需要满⾜对象类型为Array,且可被merge的参数,满⾜这样条件的只有
我们尝试构造下面代码,这里不用__proto__是因为被过滤掉了
appConfig["window-toolbar"][constructor][prototype]['1']=8080现在我们进入了if (checkHost())我们接下来就可以尝试对settings进行修改,构造下面代码
settings[root][ownerDocument][body][children][1][outerHTML]
[1]=%3Csvg%20onload%3Dalert(1)%3Esetting为什么下面不直接覆盖root,是因为后面root会被main会被覆盖且后面有过滤,如下图
然后我们需要绕过一下。绕过的方法就看root了,root下面有很多方法,我们想办法找到decSetting.root上面的元素,如下面
然后找到ownerDocument
然后找到body
然后找到]children[1]
然后找到这里[outerHTML][1]
一层一层往下取值最后插入这样在经过isprimitive时就会被判断是一个数组就不会进入isprimitive
结果
![[GKCTF 2021]excel 骚操作1](https://i-blog.csdnimg.cn/direct/515b2d8cac0e47fc87c24c51b5f59f7b.png)
