Some thoughts on xss vulnerabilities
Without further ado, let’s look at these two practical cases:
XSS Case 1:
1. A certain system has a problem feedback function, as shown below:
2. Of course, you can test file upload here, but today’s topic is XSS, so just skip it , first enter it randomly, and then click to view, you can see the submitted questions:
3. Start Burp and capture the packet for testing:
Analyze the data package: There are three main controllable parameters at this time, description represents the feedback content; contact represents the phone number; url represents the location of the uploaded image.
4. After testing, both description and contact have been materialized and output. So we can only move to the url parameters and view the source code analysis:
5. It is obvious that it directly puts the data in the URL <img src="">
, so we spliced the final data into this test:<img src="1" onerror="alert(1)">
payload:
1" οnerrοr="alert(666)
6. When I excitedly clicked to view the fantasy pop-up window, an accident happened. It did not pop up, and there was no information in the source code: 7. So I
returned to locate the source code to view:
8. Here I saw the following a Label:
<a href="javascript:void(0)" data-url="url=1" onerror="alert(666)" data-replycontent="null" data-description="test" data-moduleame="我的反馈" data-submittime="2022-07-14 19:30:41" data-replytime="null" class="feedback-detail">查看</a>
9. Since the jump does not work, then we can directly close it in the a tag to construct the XSS statement:
The key splicing point:
after the previous payload is like this:
data-url="url=1" onerror="alert(666)"
After restoration it should look like this:
data-url=""
The ideal state after reconstruction is this:
data-url=""><img src="1" onerror="alert(1)"></a>
payload:
"><img src="1" οnerrοr="alert(1)"></a>
Submit for viewing, successful pop-up window, one stored XSS
10. Reposition to view the source code:
xss case two:
1. A certain system has self-evaluation content, and the payload test is directly output here:
2. Return to view the results, you can see the following have </script>
been deleted:
3. It is suspected that the display size is limited. After checking the html, a maximum of 25 can be taken:
4. Then we use img to test:
payload:
<img src="1" onerror="alert(1)">
5. You can see that the img tag is executed successfully, but the equal sign here is encoded as Thinking =
: The code here may first match = through regular expressions and other methods. If it matches, it will be replaced by something =
similar to the following:
<?php
$str = '=';
$str2 = '<img src="1" οnerrοr="alert(1)">';
//$str2 = '<img src="1" onerror = "alert(1)">';
$res = str_replace($str,"=",$str2);
echo($res);
?>
6. By trying, changing = to [space]=[space] can interfere with the original rules and prevent them from matching =, thereby bypassing:
Payload:
<img src="1" onerror = "alert(1)">
View the source code as follows:
7. Thinking:
Try to use the above method to implement it in the code, and test regularity, string replacement and other methods, but all failed, = will be replaced! I hope someone can give me some advice!