2022 | 中国科学技术大学第九届信息安全大赛 | Web

# 微积分计算小练习

## 题目¶

bot.py
# Copyright 2022 USTC-Hackergame
#
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
#
# 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
#
# 3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

from selenium import webdriver
import selenium
import sys
import time
import urllib.parse
import os
# secret.py will NOT be revealed to players
from secret import FLAG, BOT_SECRET

url = input('> ')

# URL replacement
# In our environment bot access http://web
# If you need to test it yourself locally you should adjust LOGIN_URL and remove the URL replacement source code
parsed = urllib.parse.urlparse(url)
parsed = parsed._replace(netloc="web", scheme="http")
url = urllib.parse.urlunparse(parsed)

try:
options = webdriver.ChromeOptions()
options.add_argument('--no-sandbox') # sandbox not working in docker
os.environ['TMPDIR'] = "/dev/shm/"

with webdriver.Chrome(options=options) as driver:
ua = driver.execute_script('return navigator.userAgent')
print(' I am using', ua)

time.sleep(4)

print(' Putting secret flag...')
time.sleep(1)

print('- Now browsing your quiz result...')
driver.get(url)
time.sleep(4)

try:
greeting = driver.execute_script(f"return document.querySelector('#greeting').textContent")
score = driver.execute_script(f"return document.querySelector('#score').textContent")
except selenium.common.exceptions.JavascriptException:
print('JavaScript Error: Did you give me correct URL?')
exit(1)

print("OK. Now I know that:")
print(greeting)
print(score)

print('- Thank you for joining my quiz!')

except Exception as e:
print('ERROR', type(e))
import traceback
traceback.print_exception(*sys.exc_info(), limit=0, file=None, chain=False)


## 解题思路¶

• 练习网站可以输入姓名和各题的答案

• 提交后跳转到成绩页面，输入姓名中的 HTML 标签并没有被过滤

• 第一反应是反射型 XSS，本地试了也能获取到请求，但一直获取不到 bot 的请求，才又重新看了 bot.py，发现 bot 请求的是 http://web，无法访问外部网络，结合输入姓名回显，实际上应该是 DOM 型 XSS

• 直接使用 <script> 无法执行脚本，通过以下 payload 获取 Flag

<p id='cookie'></p><img src=x onerror="javascript: document.getElementById('cookie').innerHTML = document.cookie;">


### Flag¶

flag{xS5_1OI_is_N0t_SOHARD}

Contributors: YanhuiJessica
Pageviews: