Hands-on | Notes from an interesting XSS hunting trip

I recently ran into a very interesting XSS while bug hunting; here is a write-up to share with you. The whole text has been sanitized.

A suspected XSS point

During the test, a passive scanner flagged a suspected XSS point.

I threw in the usual verification payload, console.log(111), but the "." was converted to "_", and so was the space.

The space problem is solved with a comment, /**/, but the bigger problem is that the "." is blocked.

A round of assorted encoding attempts got nowhere, so I moved on to trying alert, prompt, confirm and eval, all of which were intercepted.

I tried another round, fuzzing assorted characters and keywords to see whether any of them were replaced with empty strings, but that failed too.

Breaking out

Looking back at the payloads I had collected, I changed my thinking: since the interception inside the script tag is so tight, could I close the tag and try from outside?

I once dreamed of roaming the world with a sword, but as soon as I stepped out, reality beat me back.

</script> could be used to close the preceding script, but <script> was intercepted, so the trailing </script> could not be closed off.

However, when I used <sript> to close it, the Chrome browser corrected it and closed it automatically (I don't know the principle behind this; I'll wait for an expert in the comments section).

Good, that worked.

After that I tried a payload of the form <object data=data:text/html;base64,... with a base64-encoded body.

But the part that got intercepted was the html followed by the ";".

I tried data:image/svg+xml;base64, as well, but it was still blocked, this time on the xml; pattern.

No good. I gave up on that; it was too hard.

Coming back

I found an expert and asked whether he had any ideas. He opened with: "Why are you closing the script and going out?"

I explained: "It was blocked inside."

"I don't believe it."

"Hey, I'll try it and show you."

"!!!"

...

Then the magical thing happened: after closing the script, the first half of the script was no longer intercepted by the WAF, and all the functions were allowed through, except for the ".".

But with eval in hand there was nothing to fear, and I successfully got the cookie.

Final payload:

%22%3a%22%22}%3beval(%22\u0063\u006f\u006e\u0073\u006f\u006c\u0065\u002e\u006c\u006f\u0067\u0028\u0064\u006f\u0063\u0075\u006d\u0065\u006e\u0074\u002e\u0063\u006f\u006f\u006b\u0069\u0065\u0029%22)%3b%3C/script%3E%3Cobject/**/data%3E%3C/object%3E%3Csript%3Evar/**/b%3d{%229533
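The bypass above works because the filter rewrites the literal "." while JavaScript's \uXXXX string escapes let eval rebuild it. As an added example (not from the original post), the following simulates the observed rewrite, shows a normalising check that catches the escaped payload, and shows the encoding fix for this script-context injection; all inputs are constructed and the function names are my own.

```javascript
// Added example (not from the original post); all inputs are constructed.

// 1. The rewrite observed above: inside <script>, "." and " " become "_".
//    It never sees a literal ".", so the \u002e inside the eval string survives.
function naiveDotFilter(input) {
  return input.replace(/[. ]/g, "_");
}

// 2. Normalise before inspecting: URL-decode, then resolve JavaScript string
//    escapes (\uXXXX and \xHH) so "\u0064\u006f..." reads as "do..." before
//    any token check runs. Without this, a blocklist on "." is blind.
function normalizeJs(input) {
  let s = input;
  try { s = decodeURIComponent(input); } catch (e) { /* keep raw on bad %-escapes */ }
  return s.replace(/\\u([0-9a-fA-F]{4})|\\x([0-9a-fA-F]{2})/g,
    (m, u, x) => String.fromCharCode(parseInt(u || x, 16)));
}

// Tokens the filter in the post was evidently trying to stop, checked on the
// normalised text rather than the raw request.
const SUSPICIOUS = [/document\.cookie/i, /\beval\s*\(/, /<\/script/i];
function isSuspicious(input) {
  return SUSPICIOUS.some((re) => re.test(normalizeJs(input)));
}

// 3. Root-cause fix for this injection context (a JSON object literal inside
//    <script>): serialise with JSON.stringify and escape the characters that
//    could close the tag or the literal as \u00XX. Then no character rewriting
//    by a WAF is needed at all.
function safeScriptJson(value) {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Constructed sample shaped like the post's final payload (double backslashes
// keep the \u escapes literal inside this JS source string).
const SAMPLE = "%22%3a%22%22}%3beval(%22\\u0064\\u006f\\u0063\\u0075\\u006d\\u0065\\u006e\\u0074"
  + "\\u002e\\u0063\\u006f\\u006f\\u006b\\u0069\\u0065%22)%3b%3C/script%3E";

console.log(naiveDotFilter(SAMPLE).includes("\\u002e")); // true: the escaped dot passes
console.log(isSuspicious(SAMPLE));                       // true: caught once normalised
console.log(safeScriptJson({ q: "</script><sript>" })); // {"q":"\u003c/script\u003e\u003csript\u003e"}
```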

This article could also be titled: "A flurry of moves as fierce as a tiger, and a bounty of ten dollars and five."

Source: blog.csdn.net/wy_97/article/details/105047829