Reproducing the 20-character short domain name bypass, and related XSS knowledge points
2022-07-29 03:16:00 【Jige yyds】
Introduction to HTML entity encoding
In XHTML, reserved characters such as <, &, > and " cause an immediate error if they appear inside a tag. The HTML parser, however, is lenient and highly fault-tolerant, so no syntax error is raised.
To use characters such as <, &, > and " safely, you need a simple encoding strategy: a set of entity encodings (entity encoding).
Every HTML entity encoding begins with an & symbol and ends with a ; semicolon.
XML defines only a handful of these; HTML defines hundreds of entity codes, and all common browsers support them.
HTML has several encoding forms.
1. HTML entity encoding. Format: begins with & and ends with ;
HTML entity encoding reference manual
<textarea name="" id="textarea" cols="30" rows="10">
&lt;img src="localhost"&gt;
</textarea>
The result displayed is:
<img src="localhost">
2. Decimal ASCII code. Format: begins with &# and ends with a ; semicolon
ASCII code comparison table
<textarea name="" id="textarea" cols="30" rows="10">
&#60;img src="localhost"&#62;
</textarea>
The result displayed is:
<img src="localhost">
3. Unicode character encoding. Format: begins with &# and ends with a ; semicolon
Note that the numbers in the Unicode reference table below are hexadecimal; they must be converted to decimal before they can be used in this form.
Unicode code reference
First convert 0022 (the double quote ") to decimal, which gives 34; 003D (the equals sign =) converts to 61.
<textarea name="" id="textarea" cols="30" rows="10">
<img src&#61;&#34;localhost&#34;>
</textarea>
The result displayed is:
<img src="localhost">
4. Hexadecimal ASCII code. Format: begins with &#x and ends with a ; semicolon
Refer to the ASCII table above, but note that the value must be converted to hexadecimal.
<textarea name="" id="textarea" cols="30" rows="10">
&#x3c;img src="localhost"&#x3e;
</textarea>
The result displayed is:
<img src="localhost">
Finally, look at the different forms mixed together in one string:
<textarea name="" id="textarea" cols="30" rows="10">
&lt;&#64;&#x21;&#60;&gt;
</textarea>
The textarea finally displays
<@!<>
That is, &lt; is interpreted as "<", &#64; as "@", &#x21; as "!", &#60; as "<", and &gt; as ">".
Where HTML entity encoding applies
1. It is used inside the double quotes of a tag attribute.
2. HTML entity encoding is not available in JavaScript.
The scope of HTML entity encoding is the HTML document, excluding the JavaScript execution environment, because the parser of the JavaScript execution environment is not the HTML parser.
Now look at the following code:
document.write('&lt;img src=@ onerror=alert(123) /&gt;') // <img src=@ onerror=alert(123) />
console.log('&lt;img src=@ onerror=alert(123) /&gt;') // &lt;img src=@ onerror=alert(123) /&gt;
console.log('\<img src=@ onerror=alert(123) \/\>') // <img src=@ onerror=alert(123) />
1. document.write outputs the string to the HTML page, so the HTML parser still decodes the entities into the corresponding tag.
2. console.log only prints inside the JS environment, so no HTML entity decoding takes place and the string is unchanged.
3. JavaScript's own string decoding drops the backslash in front of a character that is not an escape character, so the string ends up without the backslashes.
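The following is an added example (not code from the original post): a small decoder for the three character-reference forms described above (named, decimal, hexadecimal), the matching encoder a developer uses to display markup characters as plain text, and a check of why the same entity-encoded string behaves differently in the HTML context than in the JavaScript context. The NAMED table is a subset chosen for this example; real HTML defines over two thousand named references.

```javascript
// Added example, not code from the original post. NAMED is a deliberately
// small subset of the HTML named character references.
const NAMED = { lt: '<', gt: '>', amp: '&', quot: '"', apos: "'" };

// Decode character references the way the HTML parser does for text and
// attribute values. Named references are case-sensitive; unknown names are
// left untouched.
function decodeEntities(s) {
  return s.replace(/&(#[xX]([0-9a-fA-F]+)|#([0-9]+)|([A-Za-z]+));/g, (m, _, hex, dec, name) => {
    if (hex) return String.fromCodePoint(parseInt(hex, 16));
    if (dec) return String.fromCodePoint(parseInt(dec, 10));
    return Object.prototype.hasOwnProperty.call(NAMED, name) ? NAMED[name] : m;
  });
}

// Encode the five characters that would otherwise be read as markup. This is
// what lets a page display "<" as text instead of creating an element.
const ENCODE = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function encodeForHtml(s) {
  return s.replace(/[&<>"']/g, c => ENCODE[c]);
}

// The same text in the forms listed above. Every form decodes to the same
// characters, which is why a filter that only searches for a literal "<"
// is blind to "&#60;", "&#x3c;" and "&lt;".
const FORMS = {
  named:   '&lt;img src="localhost"&gt;',
  decimal: '&#60;img src="localhost"&#62;',
  hex:     '&#x3c;img src="localhost"&#x3e;',
  mixed:   '&lt;&#64;&#x21;&#60;&gt;',
};
function allFormsAgree() {
  const want = '<img src="localhost">';
  return ['named', 'decimal', 'hex'].every(k => decodeEntities(FORMS[k]) === want);
}

// HTML context versus JavaScript context. The string given to document.write
// goes through the HTML parser, which decodes the references and builds a
// real <img> element. console.log prints the JavaScript string as it is, so
// "&lt;" stays four ordinary characters and no element is ever created.
const PAYLOAD = '&lt;img src=@ onerror=alert(123) /&gt;';
function asSeenByHtmlParser(jsString) { return decodeEntities(jsString); }

// JavaScript's own string decoding: a backslash before a character that is
// not an escape character is simply dropped, so '\<' is the same as '<'.
function backslashesAreDropped() {
  return '\<img src=@ onerror=alert(123) \/\>' === '<img src=@ onerror=alert(123) />';
}

// Encoding followed by decoding returns the original text unchanged.
function roundTrip(text) { return decodeEntities(encodeForHtml(text)); }
```

The defensive takeaway is the encoder: text placed into an HTML body or attribute should go through encodeForHtml (or the framework's equivalent), and any filter that inspects user input must decode character references first, or it will miss the decimal and hexadecimal spellings of the same tag.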
URL parsing
The URL parser is also a state-machine model: characters arriving from the input stream drive the URL parser between its states.
The URL scheme (resource type) must consist of ASCII letters, otherwise the parser enters the "no scheme" state. Put simply, the protocol part cannot be written in encoded form. In addition, URL encoding encodes every character using UTF-8; if a URL is encoded with some other character set, the URL parser will not decode it correctly.
JavaScript parsing
JavaScript parsing differs somewhat from HTML parsing: JavaScript is a context-free language.
Characters written like \uXXXX are called Unicode escape sequences. The places they can appear fall into three categories:
1. In a string: when a Unicode escape sequence appears inside a string, it is interpreted only as an ordinary character, never as a single quote, double quote or any other character that could break out of the string context.
2. In an identifier name: it is decoded and interpreted as part of the identifier name.
Unicode escape sequences are allowed inside identifier names as characters of the name; but an escape sequence that decodes to a symbol cannot serve as a character of an identifier name, and placing such a sequence in an identifier name is illegal.
3. Control characters: single quotes, double quotes, parentheses and the like written as escape sequences are not interpreted as control characters; they are decoded as part of an identifier name or a string constant.
The conclusion is therefore: only inside identifier names are Unicode escape sequences not treated as plain string content, and the encoded characters in an identifier name are parsed normally.
Learning browser decoding from XSS payloads
(1)
<a href="%6a%61%76%61%73%63%72%69%70%74:%61%6c%65%72%74%28%31%29"></a>
Here javascript:alert(1) has been turned into the above by URL encoding. Since the scheme is no longer ASCII letters, the URL parser does not recognise it as a protocol.
(2)
<a href="&#x6a;&#x61;&#x76;&#x61;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;:%61%6c%65%72%74%28%32%29"></a>
HTML decoding runs first, then URL decoding, giving
<a href="javascript:alert(2)">
(3)
<a href="javascript%3aalert(3)"></a>
URL-encoded as in (1): the colon is part of the scheme and cannot be encoded, so the scheme is again not recognised.
(4)
<div>&lt;img src=x onerror=alert(4)&gt;</div>
The content is HTML-encoded. Think of it from the developer's point of view: HTML encoding exists precisely so that these special characters can be displayed without interfering with normal DOM parsing, so this content will not become an img element and nothing is executed.
(5)
<textarea>&lt;script&gt;alert(5)&lt;/script&gt;</textarea>
textarea is an RCDATA element (RCDATA elements): it can hold text and character references, but note that it cannot hold other elements. HTML decodes the references and displays them directly. RCDATA elements include textarea and title, so nothing pops up.
(6)
<textarea><script>alert(6)</script></textarea>
As in (5), textarea and title undergo HTML decoding but cannot contain child elements, so nothing pops up.
(7)
<button onclick="confirm('7&#39;);">Button</button>
Here onclick is an attribute value of the tag (like href in (2)), so it is HTML-decoded, giving
<button onclick="confirm('7');">Button</button>

(8)
<button onclick="confirm('8\u0027);">Button</button>
The value of onclick is handed to JS. In JS only strings and identifiers can be written with Unicode escapes; symbols cannot be encoded, and ' is clearly a symbol, so JS fails and nothing pops up.
(9)
<script>&#97;&#108;&#101;&#114;&#116;&#40;&#57;&#41;</script>
script is a raw text element (Raw text elements): it can hold only text, and note that character references are not decoded, so the content is handed straight to JS. Everything here is entity-encoded, JS cannot recognise it, execution fails and nothing pops up.
The raw text elements (Raw text elements) are script and style.
(10)
<script>\u0061\u006c\u0065\u0072\u0074(10);</script>
Same as point 2 of the JavaScript parsing section above: the function name alert is an identifier, and the encoded characters are letters rather than symbols, so JS executes it directly and the alert pops up.
(11)
<script>\u0061\u006c\u0065\u0072\u0074\u0028\u0031\u0031\u0029</script>
In JS only strings and identifiers can be written with Unicode escapes; here the parentheses (symbols) are encoded as well, so JS fails and nothing pops up.
(12)
<script>\u0061\u006c\u0065\u0072\u0074(\u0031\u0032)</script>
This looks fine at first glance, but \u0031\u0032 is decoded as the characters 12 of a name, not as the number 12. Notice that it is text, not a number, and text obviously needs quotation marks, so JS fails.
(13)
<script>alert('13\u0027)</script>
The encoded ' is a symbol, so it cannot close the string and nothing pops up.
(14)
<script>alert('14\u000a')</script>
In JavaScript \u000a is a newline, i.e. \n. Although a line break results, the quotation marks are all present and unencoded, so it executes directly and the alert pops up.
(15)
<a href="javascript:%5c%75%30%30%36%31%5c%75%30%30%36%63%5c%75%30%30%36%35%5c%75%30%30%37%32%5c%75%30%30%37%34(15)"></a>
HTML decoding first, then URL decoding, gives
javascript:\u0061\u006c\u0065\u0072\u0074(15)
The javascript: protocol is recognised, so the JS module processes it and decodes it to
javascript:alert(15)
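The following is an added example (not code from the original post): the href values from (1), (3) and (15) and the script bodies from (9) to (14) are pushed through the decoding stages described above, and the result is checked for whether it reaches the JavaScript parser as valid code. Only syntax is tested (new Function compiles a body without running it), so nothing executes; the base URL is a constructed placeholder.

```javascript
// Added example, not code from the original post. The base URL stands in for
// the page on which the payload would appear.
const BASE = 'https://example.test/page';

// Stage: URL parsing. A scheme has to be ASCII letters, so a percent-encoded
// "javascript:" or a "javascript%3a" is no scheme at all; the browser then
// treats the value as a relative path under the page's own origin.
function schemeOf(href) {
  return new URL(href, BASE).protocol;
}

// Stage: percent-decoding of a javascript: URL body before it is run.
// Returns null when the scheme is not javascript:.
function jsBodyOfHref(href) {
  const u = new URL(href, BASE);
  if (u.protocol !== 'javascript:') return null;
  return decodeURIComponent(u.pathname);
}

// Stage: the JavaScript parser. true when the source compiles, false on a
// SyntaxError; any other error is unexpected and rethrown.
function parsesAsJs(src) {
  try { new Function(src); return true; }
  catch (e) { if (e instanceof SyntaxError) return false; throw e; }
}

// The href values from examples (1), (3) and (15).
const HREFS = {
  1:  '%6a%61%76%61%73%63%72%69%70%74:%61%6c%65%72%74%28%31%29',
  3:  'javascript%3aalert(3)',
  15: 'javascript:%5c%75%30%30%36%31%5c%75%30%30%36%63%5c%75%30%30%36%35%5c%75%30%30%37%32%5c%75%30%30%37%34(15)',
};

// The <script> bodies from examples (9) to (14). A script element is raw
// text, so these reach the JavaScript parser exactly as written: the
// character references in (9) are never decoded, and the \uXXXX sequences
// are handled by JavaScript itself. Backslashes are doubled here so that
// the escape sequence is passed to the parser as text.
const SCRIPT_BODIES = {
  9:  '&#97;&#108;&#101;&#114;&#116;&#40;&#57;&#41;',
  10: '\\u0061\\u006c\\u0065\\u0072\\u0074(10);',
  11: '\\u0061\\u006c\\u0065\\u0072\\u0074\\u0028\\u0031\\u0031\\u0029',
  12: '\\u0061\\u006c\\u0065\\u0072\\u0074(\\u0031\\u0032)',
  13: "alert('13\\u0027)",
  14: "alert('14\\u000a')",
};

// Which script bodies compile: the identifier-only escapes in (10) and the
// in-string escape in (14) parse; (9), (11), (12) and (13) do not.
function scriptVerdicts() {
  const out = {};
  for (const [n, body] of Object.entries(SCRIPT_BODIES)) out[n] = parsesAsJs(body);
  return out;
}

// Example (15) end to end: scheme recognised, body percent-decoded, and the
// remaining \uXXXX escapes are all inside an identifier, so the body compiles.
function example15() {
  const body = jsBodyOfHref(HREFS[15]);
  return { body, parses: parsesAsJs(body) };
}
```

The useful detection point is the order of the stages: a scanner that looks for the string "javascript:" in an attribute will miss (2) and (15) unless it HTML-decodes first, while one that percent-decodes the whole value before looking for a scheme will wrongly flag (1) and (3), which the browser never treats as javascript: URLs.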
Summary
1. The data of <script> and <style> can only be text; no HTML decoding or URL decoding takes place.
2. <textarea> and <title> undergo HTML decoding, but cannot have child elements.
3. The data of other elements (such as div) and element attribute data (such as href) undergo HTML decoding.
4. Some attributes (such as href) also undergo URL decoding, but the URL scheme must be ASCII.
5. JavaScript Unicode-decodes strings and identifiers.
3. Building the galleryCMS server locally
Open PHPstudy, put the galleryCMS files under the web root, and edit the configuration file.

Open the database and create a database named galleryCMS.
Refresh the browser to enter the galleryCMS page.
In the source code we change the length limit to 35.
Although xss-clean filters out many tags, it does not filter the <svg> tag, so we test with an <svg> tag.


We found that the addition succeeded, so the svg tag gets past the filter; the next step is to deal with the character length.

We can see that this is 29 characters in total, so the only part left to shorten is the domain name: replace three characters with one character, which is how the short domain name restriction is bypassed.
℠ expands to sm
㏛ expands to sr
ﬆ expands to st
㎭ expands to rad
℡ expands to tel
ﬀ expands to ff
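The following is an added example (not code from the original post) showing why a character count on the submitted text does not bound the hostname the browser will actually use: browsers apply Unicode compatibility normalisation (NFKC) and case folding to hostnames, so one code point such as ℡ becomes three ASCII letters. A length check should therefore run on the normalised form, not on the raw input. The sample hostname and the limit are constructed for this example.

```javascript
// Added example, not code from the original post.
// The six characters listed above. NFKC yields "SM" and "TEL" in upper case;
// hostnames are lowercased afterwards, which gives the expansions shown.
const SHORTHANDS = ['℠', '㏛', 'ﬆ', '㎭', '℡', 'ﬀ'];

// The hostname as the browser will actually use it after normalisation.
function normalizeHostname(host) {
  return host.normalize('NFKC').toLowerCase();
}

// Each shorthand character and what it expands to.
function expansionTable() {
  const table = {};
  for (const ch of SHORTHANDS) table[ch] = normalizeHostname(ch);
  return table;
}

// Length as a naive filter counts it (code points of the raw input) versus
// the length after normalisation.
function lengths(host) {
  return { raw: [...host].length, normalized: normalizeHostname(host).length };
}

// Defensive check: apply the limit after normalisation, so that compatibility
// characters cannot carry a longer hostname past it.
function hostnameWithinLimit(host, maxLen) {
  return normalizeHostname(host).length <= maxLen;
}

// Constructed hostname: 8 code points as typed, 11 characters once normalised.
const SAMPLE_HOST = 'x℡ﬀ.test';
```

A filter that counts [...input].length would accept SAMPLE_HOST under a limit of 10 while the browser resolves an 11-character name; hostnameWithinLimit measures what the browser sees. The same normalise-first rule applies to any other allowlist or length check on hostnames.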
When I was preparing to install beef-xss on Kali, errors kept occurring during the installation. I also tried using apt-get update to update,
but the update speed was too slow, so I gave up......