[Web Hacking] Dreamhack 문제풀이 : xss-1
[Web Hacking] Dreamhack 문제풀이 : xss-1
문제 풀이 간단 요약
1.
2.
상세 풀이
app.py를 열어보면 아래 코드와 같다
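#!/usr/bin/python3
"""Flask app from the Dreamhack ``xss-1`` exercise (a training target).

Routes:
    /      static index page
    /vuln  echoes the ``param`` query argument back in the response body
    /flag  form that makes a local headless Chrome visit /vuln with the
           submitted value while carrying the flag in a cookie
    /memo  appends the ``memo`` query argument to a process-wide note

The unescaped echo in /vuln is the flaw the exercise is built around and is
left in place here; the comments describe what a production service would do
instead.
"""
import os
import urllib.parse  # explicit submodule import; a bare `import urllib` only works by accident

from flask import Flask, request, render_template
from selenium import webdriver

app = Flask(__name__)
# Fresh random key on every start: any signed session data is invalidated
# whenever the process restarts.
app.secret_key = os.urandom(32)

try:
    # Context manager so the file handle is closed deterministically.
    with open("./flag.txt", "r") as flag_file:
        FLAG = flag_file.read()
except (OSError, UnicodeDecodeError):
    # Placeholder used when the flag file is missing or unreadable.
    FLAG = "[**FLAG**]"

# Default cookie for the headless visit; never mutated, only copied.
_DEFAULT_COOKIE = {"name": "name", "value": "value"}

# NOTE(review): "no-sandbox" turns off Chrome's sandbox. This browser renders
# user-supplied markup, so it should only run inside an isolated, disposable
# container.
_CHROME_ARGS = (
    "headless",
    "window-size=1920x1080",
    "disable-gpu",
    "no-sandbox",
    "disable-dev-shm-usage",
)


def read_url(url, cookie=None):
    """Visit *url* in headless Chrome with *cookie* set for 127.0.0.1.

    Args:
        url: Address the browser loads after the cookie has been installed.
        cookie: Selenium cookie dict; defaults to a dummy name/value pair.
            The caller's dict is copied, not modified.

    Returns:
        True if every browser step completed, False if any step raised.
    """
    base = _DEFAULT_COOKIE if cookie is None else cookie
    # Copy before adding the domain: the original mutated a shared default
    # dict (and the caller's dict) in place.
    jar_entry = {**base, "domain": "127.0.0.1"}

    driver = None
    try:
        options = webdriver.ChromeOptions()
        for chrome_arg in _CHROME_ARGS:
            options.add_argument(chrome_arg)
        # NOTE(review): a positional driver path is the Selenium 3 call style;
        # newer Selenium releases expect a Service object. Confirm the pinned
        # version.
        driver = webdriver.Chrome("/chromedriver", options=options)
        driver.implicitly_wait(3)
        driver.set_page_load_timeout(3)
        # A page on the target origin must be loaded before add_cookie().
        driver.get("http://127.0.0.1:8000/")
        # The cookie is added without an httpOnly attribute, so script running
        # in the page can read it. Real session cookies should be HttpOnly.
        driver.add_cookie(jar_entry)
        driver.get(url)
    except Exception:
        # Deliberate best-effort: any browser failure is reported as False.
        return False
    finally:
        # `driver` stays None when start-up itself failed; the original called
        # driver.quit() unconditionally and could raise NameError here.
        if driver is not None:
            driver.quit()
    return True


def check_xss(param, cookie=None):
    """Have the headless browser load /vuln with *param* as its query value.

    Args:
        param: Raw value to place, percent-encoded, in ``?param=``.
        cookie: Cookie dict forwarded to :func:`read_url`.

    Returns:
        The boolean result of :func:`read_url`.
    """
    url = f"http://127.0.0.1:8000/vuln?param={urllib.parse.quote(param)}"
    return read_url(url, cookie)


@app.route("/")
def index():
    """Serve the landing page."""
    return render_template("index.html")


@app.route("/vuln")
def vuln():
    """Return the ``param`` query argument unchanged as the response body.

    Flask sends a returned ``str`` as ``text/html``, so the value is
    interpreted as markup by the browser. This reflected-input sink is the
    intended flaw of the exercise. Outside a training target, escape the
    value (e.g. ``markupsafe.escape``) or render it through an autoescaping
    template, and consider a restrictive Content-Security-Policy.
    """
    param = request.args.get("param", "")
    return param


@app.route("/flag", methods=["GET", "POST"])
def flag():
    """Show the submission form, or run the headless visit on POST.

    Returns:
        The rendered form for non-POST requests; otherwise a short script
        string reporting whether the browser visit succeeded.
    """
    if request.method == "POST":
        # Default to "" so a POST without `param` does not reach
        # urllib.parse.quote(None) and fail with a 500.
        param = request.form.get("param", "")
        # NOTE(review): the two strings below are reproduced as printed on the
        # page; any HTML tags that wrapped them may have been lost when the
        # page was rendered.
        if not check_xss(param, {"name": "flag", "value": FLAG.strip()}):
            return 'alert("wrong??");history.go(-1);'
        return 'alert("good");history.go(-1);'
    # GET, plus the HEAD that Flask registers alongside GET; the original
    # if/elif returned None for HEAD, which Flask rejects.
    return render_template("flag.html")


# Process-wide note shared by every client; it grows without bound for the
# lifetime of the process.
memo_text = ""


@app.route("/memo")
def memo():
    """Append the ``memo`` query argument to the shared note and render it.

    Whether the value is escaped on output depends on ``memo.html``, which is
    not shown; Flask enables Jinja autoescaping for ``.html`` templates by
    default.
    """
    global memo_text
    text = request.args.get("memo", "")
    memo_text += text + "\n"
    return render_template("memo.html", memo=memo_text)


# Binds every interface; restrict exposure at the container or network layer.
app.run(host="0.0.0.0", port=8000)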
from http://kozeldark.tistory.com/160 by ccl(A) rewrite - 2021-07-10 19:26:23