XSS testing
2022-08-03 21:12:00 【hug kitten】
Experiment
level2
We first test with <script>alert(1)</script> and find that it does not work.

Looking at the page code, you can see that the value we submitted is enclosed in double quotes.

We try to break out of the double quotes: "><script>alert(1)</script><" . It succeeds; you can see that the double quotes have been closed by our input.


level3
We first try the level 2 bypass method. Sure enough, double quotes are restricted.

Try replacing them with single quotes: success.


Why it works: looking at the source, we find that a single quote is used before the double quote to close the value, and single quotes are not encoded, so we can use a single quote to close it.

level4
Again we first test with <script>alert(1)</script>.

It can be seen that this page filters the angle brackets, so we switch to an onclick test, which does not need angle brackets.


The test succeeds.
level5
We first test with aaa" onclick="alert(1) and <script>alert(1)</script>. This time the onclick/script keywords are broken up with an underscore, which disables them.


Next we test whether the angle brackets are filtered; clearly they are not.

Then we can try a less commonly used construct to test whether the page filters it, for example:
aa"> <a href="javascript:alert(1)">bbb</a>


Why is this javascript: not filtered? We need to look at the source code.

It turns out that the filter in the source matches script together with the angle bracket in front of it, while the script inside javascript has no angle bracket before it, so it does not match the condition and the filter fails. Filtering restrictions are generally better implemented with regular expressions.
level6
First use aaa" onclick="alert(1) and <script>alert(1)</script> to test this page's rules.

It can be seen that the underscore is still used to disable the keywords. We go on to check whether the angle brackets are filtered.

Angle brackets are not filtered, so we keep trying to bypass with the a tag.

Although javascript is not filtered, href is. What now? Let's try again and see whether a change of case gets through, for example:
aaa" ONCLICK="alert(1) . The bypass succeeds.
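The level 5 and level 6 results above come down to one weakness: the filter is a case-sensitive string blacklist applied before the value is reflected into a double-quoted attribute. The following added example (not from the lab or from this post; the filter and the reflection template are a constructed approximation of what the walkthrough describes) contrasts that blacklist with attribute-context entity encoding, and uses the standard-library HTML parser to check whether a reflected value created a new attribute or tag.

```python
import html
from html.parser import HTMLParser


def weak_filter(value: str) -> str:
    """Case-sensitive blacklist modelled on levels 5 and 6 (constructed, not
    the lab's own PHP): "<script" and "on" are broken up with an underscore,
    so uppercase spellings and tags without "on" pass through untouched."""
    return value.replace("<script", "<scr_ipt").replace("on", "o_n")


def safe_encode(value: str) -> str:
    """Attribute-context output encoding: & < > " ' become entities, so the
    value can neither close the quoted attribute nor open a new tag."""
    return html.escape(value, quote=True)


def render(keyword: str, encoder) -> str:
    """Reflection point as in the lab: keyword lands inside a double-quoted
    value attribute (template reconstructed from the walkthrough)."""
    return f'<input name="keyword" value="{encoder(keyword)}">'


class _Structure(HTMLParser):
    """Records (tag, [attribute names]) for every start tag the parser sees."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, [name for name, _ in attrs]))


def parse_structure(page: str):
    parser = _Structure()
    parser.feed(page)
    parser.close()
    return parser.tags


def input_escaped_context(page: str) -> bool:
    """True when the rendered page holds anything beyond the single
    <input name value> element the template is meant to produce, i.e. the
    reflected value broke out of the attribute (new attribute or new tag)."""
    return parse_structure(page) != [("input", ["name", "value"])]


if __name__ == "__main__":
    for payload in ('aaa" ONCLICK="alert(1)', 'aa"> <a href="javascript:alert(1)">bbb</a>'):
        print(input_escaped_context(render(payload, weak_filter)),  # True: blacklist bypassed
              input_escaped_context(render(payload, safe_encode)))  # False: stays inside the attribute
```

The parse-based check is what a defender can run over rendered output in a test suite: it flags a breakout regardless of which keyword the blacklist happened to mangle.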


level7
From the previous levels we can guess that the earlier methods will not work, so we first try aaa" onclick="alert(1) .

It can be seen that this page removes on to disable the handler. We can try to bypass this by double writing: aaa" oonnclick="alert(1) . It succeeds.


level8
We first test aaa" onclick="alert(1) and find that it is filtered.

Looking at the source code, you can see that this level filters many of the usable tags, so let's test it with encoding.

We submit javascript:alert(1) after HTML entity encoding, and the bypass succeeds.


level9
This page requires a URL containing http://. Testing with a Baidu link succeeds. Let's again test whether we can entity-encode it: javascript:alert(1)//http:// , where the // in front of http:// comments out the trailing http://.
After encoding: javascript:alert(1)//http://
It succeeds:


level10
First, look at the code of the web page:

It can be seen that our input box is hidden. We can try changing the type attribute: keyword=abc&t_link=bcd&t_history=cde&t_sort=def" type="text"

Once an input box is displayed, we can append a click event to it:
keyword=abc&t_link=bcd&t_history=cde&t_sort=def" type="text" onclick="alert(1)

level11
Let's start by looking at this level's restrictions: the t_sort data that can be submitted is restricted, so we try to bypass it through HTTP_REFERER.
Referer: indicates which page the request came from.

We first submit in the Referer: bbb" type="text" onclick="alert(1)
It succeeds.

level12
Looking at the source, you can see that this level is similar to the previous one.

We choose to submit the test in the User-Agent: bbb" type="text" onclick="alert(1)


level13
Looking at the source, you can see that this level passes user set in the cookie.

So when submitting we need to add user= :
user=callme bbb" type="text" onclick="alert(1)

It succeeds.

