Tags: rpo xss web
Rating: 4.0
# ▼▼▼Grandline(Web:700pts) solved:16/753=2.1%▼▼▼
**This writeup is written by [@kazkiti_ctf](https://twitter.com/kazkiti_ctf)**
```
It was said to be hidden somewhere deep in the Grand Line, someone in the second part of Grand Line can capture it, could you tell them to give it for you. Let's start a trip in Grand Line
http://178.128.6.184/3915ef41890b96cc883ba6ef06b944805c9650ee/
```
---
## 【Investigation of functions】
```
・Source code can be viewed with debug parameters
・Sending URL to bot(Chrome) will access it (The URL is limited to http://localhost/)
```
---
Access URL `http://178.128.6.184/3915ef41890b96cc883ba6ef06b944805c9650ee/`
↓
```
HTTP/1.1 200 OK
Date: Mon, 16 Jul 2018 02:18:31 GMT
Server: Apache/2.4.18 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 1464
Connection: close
Content-Type: text/html; charset=UTF-8
<html lang="en">
<head>
<title>The Two piece Treasure</title>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" href="css/bootstrap.min.css">
<script src="js/jquery.min.js"></script>
<script src="js/bootstrap.min.js"></script>
</head>
<body>
<div class="container">
<div class="jumbotron">
<h1>GRAND LINE</h1>
Welcome to Grand Line, You are in the way to become Pirate King, now, let's defeat BigMom first
</body>
</html>
<html lang="en">
<head>
<title>The Two piece Treasure</title>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" href="css/bootstrap.min.css">
<script src="js/jquery.min.js"></script>
<script src="js/bootstrap.min.js"></script>
</head>
<body>
";
?>
<div class="container">
<div class="jumbotron">
<h1>GRAND LINE</h1>
Welcome to Grand Line, You are in the way to become Pirate King, now, let's defeat BigMom first
?>
<h4>If you eat fruit, you can't swim</h4>
<form method="get" action="index.php">
<input type="text" name="eat" placeholder="" value="gomu gomu no mi">
<input type="submit">
</form>
Pirate, Let's go to your Grand Line
You need to eat 'gomu gomu no mi'
";</body>
</html>
";
```
↓
Also, there are places where input characters are escaped but reflected.
---
## 【Identify the vulnerability】
---
### 1.Try CSS injection
In order to acquire secret, a CSS vulnerability is required on the same page as secret.
Therefore, there is only CSS injection by relative path overwriting attack.
↓
There is a CSS relative path( `<link rel="stylesheet" href="css/bootstrap.min.css">`).
↓
When confirming the response header of index.php, `Content-Type: text/html; charset=UTF-8` is given.
There is ``
bot is Chrome, so it is impossible
The reason is that in Chrome, when loading CSS, if Content-Type is not `text/css`, it will be an error and will not be executed.
---
### 2.Try RPO's XSS
I check the index.php
↓
```
<script src="js/jquery.min.js"></script>
<script src="js/bootstrap.min.js"></script>
```
↓
Reading in relative path.
---
```
```
↓
there is `/*` at the beginning
---
```
Since I never heard of this type of attack I have made quick research and there are few false statements in your write-up:
> But, the bot is described as Chrome, so it is impossible
> The reason is that in Chrome, when loading CSS, if Content-Type is not text/css, it will be an error and will not be executed.
This is not true. It is being executed but only until `` is reached. Which is very interesting and if we removed this tag (or commented it via ``) then the http://178.128.6.184/3915ef41890b96cc883ba6ef06b944805c9650ee/index.php/*/a%7B%7D%20body%7Bbackground:red%7D/ will work. This header somehow breaks the whole stylesheet even though it is in the comment section. Very interesting.
Another interesting fact is that javascript does treat `
Another interesting fact is that javascript does treat `
Sorry for the spam, didn't know I cannot use grave accent character.
Since I never heard of this type of attack I have made quick research and there are few false statements in your write-up:
> But, the bot is described as Chrome, so it is impossible
> The reason is that in Chrome, when loading CSS, if Content-Type is not text/css, it will be an error and will not be executed.
This is not true. It is being executed but only until is reached. Which is very interesting and if we removed this tag (or commented it via ) then the http://178.128.6.184/3915ef41890b96cc883ba6ef06b944805c9650ee/index.php/*/a%7B%7D%20body%7Bbackground:red%7D/ will work. This header somehow breaks the whole stylesheet even though it is in the comment section. Very interesting.
Another interesting fact is that javascript does treat
holly *** this website sucks
https://pastebin.com/raw/GJypyJc8
1.About CSS error
Yes. I ran it with comments prefixed, but it has been confirmed that it will not run on the latest version of Chrome.
http://178.128.6.184/3915ef41890b96cc883ba6ef06b944805c9650ee/index.php/*/{} *{background-color:red}/
Also, css was executed when the file in the local environment was read with extension .css
2.About treatment of +
http://178.128.6.184/3915ef41890b96cc883ba6ef06b944805c9650ee/index.php/*/alert(%60%2b%20does%20work%20%60);(function()%7B%7D)(/*/
It is described with an input character + in form. In the actual request I sent it at% 2b. I tried this behavior at 178.128.6.184, + worked, but it did not work on bot. Probably I think that setting of bot is the cause.
You misunderstood me because the website removed half of my comments. It is the full comment in raw: https://pastebin.com/raw/GJypyJc8
And what I meant is that it is totally not true that Chrome will not execute CSS sent with content type text/html. It throws a warning not an error: Resource interpreted as Stylesheet but transferred with MIME type text/html
And actually the CSS by visiting the URL(http://178.128.6.184/3915ef41890b96cc883ba6ef06b944805c9650ee/index.php/*/a%7B%7D%20body%7Bbackground:red%7D/) is being executed untill it reaches DOCTYPE:HTML tag and it breaks there.
Put manually the
a{} body{background:red}
anywhere before DOCTYPE:HTML Tag and then
a{} body{background:yellow!}
somewhere after the tag.
The background will turn into red
This is exactly the same page with commented DOCTYPE:HTML:
http://terjanq.cf/meepwn/grandline/index.php/*/a%7B%7D%20body%7Bbackground:red%7D/
See that it's working no matter of HTTP response. Also, I just upgraded to the latest version of Chrome and the warning has even disappeared.
It is the site that I referred.
http://delivery.acm.org/10.1145/3190000/3186090/p237-arshad.html?ip=182.171.250.216&id=3186090&acc=OPEN&key=4D4702B0C3E38B35%2E4D4702B0C3E38B35%2E4D4702B0C3E38B35%2E6D218144511F3437&__acm__=1531812842_e03ba93d67b0737f0f62da6d25fbdc62
If the site has a definition of DOCTYPE, the browser will strictly confirm the Content-Type.
OK?