Cross-Site Scripting
反射型xss(get)
- 輸出點
pikachu靶場通關-Cross-Site Scripting(XSS)Cross-Site Scripting - 構造payload
發現輸入框限制了長度,通過F12修改
maxlength
pikachu靶場通關-Cross-Site Scripting(XSS)Cross-Site Scripting
反射性xss(post)
- 輸出點
這裡需要先登入,我也是看了半天才看見提示的 admin 123456
pikachu靶場通關-Cross-Site Scripting(XSS)Cross-Site Scripting - 構造payload
pikachu靶場通關-Cross-Site Scripting(XSS)Cross-Site Scripting
存儲型xss
- 輸出點
pikachu靶場通關-Cross-Site Scripting(XSS)Cross-Site Scripting - 構造payload
pikachu靶場通關-Cross-Site Scripting(XSS)Cross-Site Scripting
DOM型xss
- 輸出點
pikachu靶場通關-Cross-Site Scripting(XSS)Cross-Site Scripting - 構造payload
#' οnclick='alert(1) pikachu靶場通關-Cross-Site Scripting(XSS)Cross-Site Scripting
DOM型xss-x
- 輸出點
這裡輸入後要先點選一下”有些費盡心機想要忘記的事情,後來真的就忘掉了”這句話
pikachu靶場通關-Cross-Site Scripting(XSS)Cross-Site Scripting - 構造payload
a' οnclick='alert(1) pikachu靶場通關-Cross-Site Scripting(XSS)Cross-Site Scripting
xss盲打
- 輸出點
根據提示來到
/xssblind/admin_login.php
目錄下 使用前面關卡的賬戶密碼登入 admin 123456
登入後發現我們剛才寫的留言和内容會顯示在頁面上
pikachu靶場通關-Cross-Site Scripting(XSS)Cross-Site Scripting pikachu靶場通關-Cross-Site Scripting(XSS)Cross-Site Scripting - 構造payload
輸入payload後重新整理
/xssblind/admin_login.php
<script>alert(1)</script> pikachu靶場通關-Cross-Site Scripting(XSS)Cross-Site Scripting
xss之過濾
- 輸出點
pikachu靶場通關-Cross-Site Scripting(XSS)Cross-Site Scripting - 構造payload
會發現有很多标簽都被過濾,使用大小寫繞過
pikachu靶場通關-Cross-Site Scripting(XSS)Cross-Site Scripting
xss之htmlspecialchars
- 輸出點
htmlspecialchars()是把預定義的字元轉換為 HTML 實體。
pikachu靶場通關-Cross-Site Scripting(XSS)Cross-Site Scripting - 構造payload
1' onclick='alert(1) pikachu靶場通關-Cross-Site Scripting(XSS)Cross-Site Scripting
xss之href輸出
- 輸出點
pikachu靶場通關-Cross-Site Scripting(XSS)Cross-Site Scripting - 構造payload
javascript:alert(1) pikachu靶場通關-Cross-Site Scripting(XSS)Cross-Site Scripting
xss之js輸出
- 輸出點
檢視頁面源代碼,可以發現我們輸入的值被放在了
<script>
pikachu靶場通關-Cross-Site Scripting(XSS)Cross-Site Scripting - 構造payload
1';alert(1);' pikachu靶場通關-Cross-Site Scripting(XSS)Cross-Site Scripting