Table of contents
Here’s a way to bypass the URL code
The first step is to start escaping the restrictions of double quotes.
dhcp workflow chart
- 1 Discovery phase: The phase in which the DHCP client searches for the DHCP server. The client sends DISCOVER messages in broadcast mode.
- 2 Provision phase: The phase in which the DHCP server provides an IP address. After receiving the DISCOVER message from the client, the DHCP server selects an IP address based on the priority of IP address allocation, and sends it to the client through an OFFER message together with other parameters.
- 3 Selection phase: The phase in which the DHCP client selects an IP address. If multiple DHCP servers send OFFER messages to the client, the client only accepts the first received OFFER message, and then sends a REQUEST message in broadcast mode, which contains the DHCP server's content in the OFFER message. IP address assigned in . At the same time, the message contains Option 54 (server identification option), which is the IP address information of the DHCP server it selected.
- 4 Confirmation phase: The phase in which the DHCP server confirms the IP address. After the DHCP server receives the REQUEST message from the DHCP client, only the server selected by the DHCP client will perform the following operations: If the address is confirmed to be assigned to the client, an ACK message will be returned; otherwise, a NAK message will be returned, indicating that The address cannot be assigned to this client. After receiving the ACK confirmation message returned by the server, the client will send an ARP message in a broadcast manner (the destination address is the assigned address) for address detection. If no response is received within the specified time, the client will Use this address.
request response status code
200 success
403 forbidden (insufficient permissions)
401 unanthorized
500 server error
30x redirect redirection (login)
UTF-8
To put it directly here, it is actually variable-length unicode, so as not to waste it.
UTF-8 encoding rules:
1. For single byte, it is actually unicode encoding.
2. For N bytes (N>1), the first N bits of the first byte are all 1, (in the first byte) the N+1th bit and the following bits are all 0
The first two digits of the following bytes are always set to 10.
Notice:
The word word
byte byte
bit comes from the English bit, which is transliterated as "bit" and represents a binary bit.
Word length refers to the length of the word
1 word = 2 bytes (1 word = 2 byte)
1 byte = 8 bits (1 byte = 8bit)
The word length of a word is 16 and
the word length of a byte is 8
Byte length
So single byte (0~127)
Double byte (128~2047)
Three bytes (2048~65535)
Let's take a look at an example, taking '中' as an example
Note: Only python3 supports Chinese ascii code conversion
Convert to binary
Let's first take out '0b100 111000 101101' and start filling, because 'middle' is three bytes, so the format is:
1110xxxx 10xxxxxx 10xxxxxx, starting from the last digit, fill in unknown x from back to front, if not enough, fill in zeros. Then the UTF-8 encoding is 11100100 10111000 10101101
It's obvious, that's it
Here’s a way to bypass the URL code
Front-end (php) page code
<?php
header('X-XSS-Protection:0');
$xss = isset($_GET['xss'])? $_GET['xss'] : '';
$xss = str_replace(array("(",")","&","\\","<",">","'"),'',$xss);
echo "<img src=\"{$xss}\">";
?>
The first step is to start escaping the restrictions of double quotes.
The second step is to try to come up with <img src=http://www.baidu.com οnerrοr="alert(1)">. When src cannot be found, the string in onerror will be executed.
Since the brackets are filtered, we can use backticks to replace
success!
If the backtick is filtered, then we can only perform urlcode encoding bypass
Let's try it first
It doesn't seem to work, because when you press Enter, the browser parses %28%29 into (), which causes it to be filtered out on the front-end page.
Let’s try it again with %2528 %2529 (%25 is encoded by urlcode%)
Unsatisfactory results
JS Specification: Symbols (), :, etc. may not be encoded
But we can use our location and javascript
Reason: The location function can turn everything on the right side of the equal sign into a variable. Variables can be encoded at will in JS.
Pay attention and take a look
1, 2, and 3 cannot be used for pop-up windows, because the protocol cannot be urlcoded, but can be encoded by html entities, so 4 can be used for pop-up windows.
Summarize
Let me talk about my understanding. Generally speaking, it is because the html entity encoding (&) is filtered, and because url code encoding cannot encode protocols, unicode cannot encode symbols, and because the parsing process of the page is html --> url --> js, so we use url to encode the brackets. Since the browser address will parse the urlcode, we need to encode the url code. But at this time, since it is not a variable, the second url code decoding will not be performed. Then we The following can be treated as a variable through the location function, but at this time alert(1) is still read-only. We need to use the JavaScript pseudo-protocol to turn it into a string.
HTML example (no pop-up window)
When there is an encoding tag, it will not re-enter the state where the tag started. It will only think that it is a text, and two cannot pop up.
The <script> tag is a JS tag, it can only contain functions and text (it cannot be played)
