Free passport creator lets you show your island!
Cloud WAF usually has several layers and several filtering methods. Here I also designed two layers of protection.
The way to bypass the blacklist is to avoid the banned strings and characters. Here, because of a quirk in Go's iris framework, the
`;` and everything after it are dropped, so the filter can be bypassed with
For this WAF layer you only need to work out the ban rule and find syntax it does not handle. My intended solution here is to pass variables with
throw, but many other syntaxes work as well.
After bypassing both WAF layers and getting the alert to fire locally, we can use:
to get the admin cookie, which is one half of the flag:
For the other half of the flag, the hint is:
Reading the administrator's page, you will find 400 PNG images; the flag is hidden in these images.
Here are the solutions I had in mind when designing the challenge:
- Bypass CSP to import the html2canvas lib, take a screenshot, upload it to the server, get the image address and send it back, then download the image
- Use a for loop to send all 400 pictures to /upload, collect the 400 picture addresses and send them back
- Read the pictures directly and send them back one by one, either by script or with a for loop in batches; the data has to be encoded on the way back, and once received it must be converted back into pictures and stitched together
All three solutions get the flag. I will walk through the CSP bypass with the html2canvas lib; the other methods are similar, so I won't write them all up (see the players' writeups).
The main function of this website is to create an Animal Crossing passport. The homepage has a /upload API for uploading images: you can upload a file with a png suffix, use fetch to get the png file's contents, then eval it. This is how you bypass CSP to import the html2canvas lib and execute it.
The png file:
Here I also write the JavaScript for the screenshot operation into the png.
It uploads the screenshot to the server, gets the returned image address, then sends it back to the attacker.
After uploading the image and getting its png address, you can fetch the image, read out the controllable JS part and execute it,
wrapping it with the WAF bypass described above.
Finally, when it is submitted to the bot, you receive the address of the screenshot of the admin's interface; download it to see the other half of the flag.
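As an added, defender-side example that is not code from the challenge: the /upload endpoint above only checks the png suffix, which is what lets a script stored under a .png name be fetched back and run. The Go validator below (ValidatePNGUpload and SuffixOnlyCheck are names I chose; the sample inputs are constructed) accepts a file only if its bytes really decode as a PNG.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"image"
	"image/png"
	"path"
	"strings"
)

// pngMagic is the fixed 8-byte signature every PNG file starts with.
var pngMagic = []byte{0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n'}

// SuffixOnlyCheck mirrors the weak check: the file name alone decides.
func SuffixOnlyCheck(name string) bool {
	return strings.HasSuffix(strings.ToLower(name), ".png")
}

// ValidatePNGUpload accepts a file only if its name ends in .png AND the
// bytes are a decodable PNG, so a JavaScript file named x.png is rejected.
func ValidatePNGUpload(name string, data []byte) error {
	if !strings.EqualFold(path.Ext(name), ".png") {
		return errors.New("only .png uploads are allowed")
	}
	if len(data) < len(pngMagic) || !bytes.Equal(data[:len(pngMagic)], pngMagic) {
		return errors.New("file does not start with the PNG signature")
	}
	// Decode the whole image, not just the header, so a PNG signature
	// glued onto arbitrary data is rejected as well.
	if _, err := png.Decode(bytes.NewReader(data)); err != nil {
		return fmt.Errorf("not a valid PNG image: %w", err)
	}
	return nil
}

func main() {
	// Constructed sample: a script carrying a .png name.
	script := []byte("alert(1)")
	fmt.Println("suffix-only check:", SuffixOnlyCheck("loader.png"))       // true
	fmt.Println("content check:", ValidatePNGUpload("loader.png", script)) // error

	// Constructed sample: a real 1x1 PNG encoded in memory.
	var buf bytes.Buffer
	_ = png.Encode(&buf, image.NewNRGBA(image.Rect(0, 0, 1, 1)))
	fmt.Println("content check:", ValidatePNGUpload("avatar.png", buf.Bytes())) // <nil>
}
```

Content validation does not replace a CSP that disallows eval; it only stops the upload endpoint from hosting script that the page's own origin will then serve.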