Hack The World
XSS game: Level2 Write up 본문
Level2
게시판에 댓글을 달 수 있는 페이지인 것 같다.
기본적으로 댓글을 입력해 보니 문자열은 입력이 되지만
<script> 를 필터링하는 것 같다.
코드를 살펴보면 다음과 같다.
<!doctype html>
<html>
<head>
<!-- Internal game scripts/styles, mostly boring stuff -->
<script src="/static/game-frame.js"></script>
<link rel="stylesheet" href="/static/game-frame-styles.css" />
<!-- This is our database of messages -->
<script src="/static/post-store.js"></script>
<script>
// Seed text handed to the PostDB constructor. It already contains markup
// (<br>, <i>, a styled <span>), so posts are evidently meant to be rendered as
// HTML rather than as plain text.
var defaultMessage = [
  "Welcome!<br><br>This is your <i>personal</i>",
  " stream. You can post anything you want here, especially ",
  "<span style='color: #f00ba7'>madness</span>."
].join("");

// PostDB is loaded from /static/post-store.js and is not part of this listing.
var DB = new PostDB(defaultMessage);
// Re-renders every stored post into the #post-container element.
//
// NOTE(review): this is the DOM XSS sink the write-up relies on. Each post's
// message is concatenated into an HTML string and parsed through innerHTML
// with no escaping, so markup inside a message becomes live DOM, including
// elements that carry inline event-handler attributes. Script elements
// inserted through innerHTML are not executed by the browser, which is why a
// plain script payload looks "filtered" although no filter is visible here.
// A hardened version would create the nodes with document.createElement and
// set the message with textContent, or HTML-escape it before concatenation.
function displayPosts() {
var containerEl = document.getElementById("post-container");
// Discard whatever was rendered on the previous call.
containerEl.innerHTML = "";
// Presumably the messages stored through DB.save by the post-form handler;
// PostDB lives in /static/post-store.js and is not shown, so verify there.
var posts = DB.getPosts();
for (var i=0; i<posts.length; i++) {
// Static wrapper markup for one message row.
var html = '<table class="message"> <tr> <td valign=top> '
+ '<img src="/static/level2_icon.png"> </td> <td valign=top '
+ ' class="message-container"> <div class="shim"></div>';
html += '<b>You</b>';
// posts[i].date goes through the Date constructor; the concatenation
// stringifies the resulting Date object.
html += '<span class="date">' + new Date(posts[i].date) + '</span>';
// The message text enters the markup here unescaped. The closing tag is
// missing its ">" in the listing; it is kept exactly as published.
html += "<blockquote>" + posts[i].message + "</blockquote";
html += "</td></tr></table>"
// "+=" on innerHTML re-serialises and re-parses the container's entire
// markup on every iteration, not just the newly appended row.
containerEl.innerHTML += html;
}
}
// Runs once the page has loaded: hooks up both forms, then draws the stored posts.
window.onload = function() {
  var clearForm = document.getElementById('clear-form');
  var postForm = document.getElementById('post-form');

  // Wrapper handed to the DB callbacks so that displayPosts is always called
  // without arguments.
  function refresh() {
    displayPosts();
  }

  // "Clear all posts" button: empty the store and re-render. Returning false
  // cancels the form's default submission.
  clearForm.onsubmit = function() {
    DB.clear(refresh);
    return false;
  };

  // "Share status!" button: the textarea value is passed to DB.save exactly as
  // typed; this handler performs no escaping or validation.
  postForm.onsubmit = function() {
    var field = document.getElementById('post-content');
    DB.save(field.value, refresh);
    field.value = "";
    return false;
  };

  displayPosts();
};
</script>
</head>
<body id="level2">
<div id="header">
<img src="/static/logos/level2.png" />
<div>Chatter from across the Web.</div>
<form action="?" id="clear-form">
<input class="clear" type="submit" value="Clear all posts">
</form>
</div>
<div id="post-container"></div>
<table class="message">
<tr>
<td valign="top">
<img src="/static/level2_icon.png">
</td>
<td class="message-container">
<div class="shim"></div>
<form action="?" id="post-form">
<textarea id="post-content" name="content" rows="2"
cols="50"></textarea>
<input class="share" type="submit" value="Share status!">
<input type="hidden" name="action" value="sign">
</form>
</td>
</tr>
</table>
</body>
</html>
아마도 댓글로 입력한 내용은
html += "<blockquote>" + posts[i].message + "</blockquote";
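이 부분에 들어가는 것 같다. posts[i].message 가 이스케이프 없이 문자열에 이어 붙여진 뒤 innerHTML 에 대입되므로, 입력한 HTML 이 그대로 해석된다. 이를 막으려면 사용자 입력을 innerHTML 대신 textContent 로 넣거나 출력 전에 HTML 이스케이프해야 한다.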
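<script> 는 필터링되는 것 같으니 (위 코드에는 <script> 를 걸러내는 부분이 보이지 않으며, innerHTML 로 삽입된 <script> 는 브라우저가 실행하지 않기 때문에 그렇게 보였을 가능성이 크다) alert 창을 띄우는 다른 명령인
<img src=x onerror=alert(1)> 를 입력해 보면
다음과 같이 alert 창이 생성된다.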