XSS Challenges 11-15
Stage #11
The hint says the input is matched against a regular expression that filters out many keywords.
Besides `on*` event handlers and `<script>`, a hyperlink built from an `<a>` tag can also execute JavaScript, via a `javascript:` URL in its `href`.
Payload: `"><a href=javascript:alert(document.domain)>test</a><`
![](https://img2018.cnblogs.com/blog/1504127/201812/1504127-20181225202127584-1533738007.png)
The filter still catches it, so try bypassing with an HTML character reference: `&#9;`, the decimal reference for the tab character. Placed inside the blocked keyword it breaks the regex match, while the browser decodes the reference when it parses the attribute value and then discards the tab when it parses the URL scheme.
![](https://img2018.cnblogs.com/blog/1504127/201812/1504127-20181225202241675-1451664985.png)
Reference table of HTML hexadecimal escapes
A character's decimal or hexadecimal ASCII code, with the appropriate prefix, gives its Unicode escape, UTF-8 encoding, or HTML character reference.
View the source: the filter has been bypassed.
![](https://img2018.cnblogs.com/blog/1504127/201812/1504127-20181225202356619-1109649848.png)
Click the link to reach the entry of the next stage.
![](https://img2018.cnblogs.com/blog/1504127/201812/1504127-20181225202433905-1319876819.png)
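Why the tab reference works, as an added example (not the challenge's own code): the keyword regex runs over the raw, still-encoded input, while the browser first decodes character references in the attribute value and then strips ASCII tab/LF/CR before reading the URL scheme. The filter regex `KEYWORD_RE` and the exact `javasc&#9;ript:` payload below are assumptions reconstructed from the write-up; `isSafeHref` is an added hardened check that normalises the same way the browser does and then allowlists the scheme.

```javascript
// Added example (not the challenge's own code). The keyword regex and the
// payload below are reconstructed from the write-up and are assumptions.

// Keyword filter of the kind Stage #11 describes: a blocklist regex over the
// raw, still-encoded input. ASSUMED, not the challenge's real expression.
const KEYWORD_RE = /script|on[a-z]+\s*=|style\s*=/i;
function keywordFilterBlocks(input) {
  return KEYWORD_RE.test(input);
}

// Decode numeric character references (&#9; and &#x9;), which is what the
// HTML parser does inside an attribute value. Named references such as
// &Tab; are also decoded by browsers but are left out of this toy decoder.
function decodeNumericEntities(s) {
  return s.replace(/&#(x[0-9a-f]+|[0-9]+);/gi, (_, num) => {
    const cp = /^x/i.test(num) ? parseInt(num.slice(1), 16) : parseInt(num, 10);
    return cp > 0x10ffff ? '\uFFFD' : String.fromCodePoint(cp);
  });
}

// Scheme extraction modelled on the WHATWG URL parser's pre-processing:
// leading C0 controls/space are trimmed and every ASCII tab, LF and CR is
// removed before the scheme is read, so "javasc\tript:" is "javascript:".
function extractScheme(href) {
  const cleaned = href.replace(/[\t\n\r]/g, '').replace(/^[\u0000-\u0020]+/, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

// The scheme the browser actually navigates to when the link is clicked.
function effectiveScheme(attrValue) {
  return extractScheme(decodeNumericEntities(attrValue));
}

// Hardened check: normalise the same way the browser will, then allowlist
// the scheme instead of blocklisting keywords in the raw text.
const SAFE_SCHEMES = new Set(['http', 'https', 'mailto']);
function isSafeHref(attrValue) {
  const scheme = effectiveScheme(attrValue);
  return scheme === null || SAFE_SCHEMES.has(scheme);  // null = relative URL
}

// Constructed inputs: the plain payload and the tab-split variant.
const plainHref = 'javascript:alert(document.domain)';
const tabSplitHref = 'javasc&#9;ript:alert(document.domain)';  // assumed Stage #11 payload

console.log(keywordFilterBlocks(plainHref), keywordFilterBlocks(tabSplitHref));  // true false
console.log(effectiveScheme(tabSplitHref), isSafeHref(tabSplitHref));            // javascript false
```

The general lesson is that a filter has to canonicalise its input exactly as the downstream consumer will (entity decoding, then URL whitespace stripping) before it can make a decision; matching keywords on the raw bytes is what the tab reference defeats.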
Stage #12
Enter a test string and view the source.
![](https://img2018.cnblogs.com/blog/1504127/201812/1504127-20181225202659811-1549348826.png)
Angle brackets and both single and double quotes are filtered.
IE8 quirk: the backtick character (`) is treated as a double quote, so it can terminate the attribute value.
Try to use this IE8 quirk to bypass the filter. Note that this only works in legacy Internet Explorer; current browsers do not treat the backtick as an attribute delimiter.
![](https://img2018.cnblogs.com/blog/1504127/201812/1504127-20181225202749876-1701120965.png)
Bypass succeeds: the alert fires and the stage is cleared.
![](https://img2018.cnblogs.com/blog/1504127/201812/1504127-20181225202845149-1854405690.png)
Stage #13
View the source: the injection point now carries a `style` attribute.
![](https://img2018.cnblogs.com/blog/1504127/201812/1504127-20181225203035378-1567601645.png)
Use the dynamic property of an inline style, CSS `expression()`, to get XSS. `expression()` is a legacy Internet Explorer feature; modern browsers do not evaluate it.
![](https://img2018.cnblogs.com/blog/1504127/201812/1504127-20181225203118006-1219992674.png)
Insert the payload `xss:expression(onmousemove=function(){alert(document.domain)})`
Click through and view the source.
![](https://img2018.cnblogs.com/blog/1504127/201812/1504127-20181225203203179-1766913011.png)
The alert fires and gives the entry to the next stage.
![](https://img2018.cnblogs.com/blog/1504127/201812/1504127-20181225203235759-568670559.png)
Stage #14
Viewing the source, it is still a `style`-attribute XSS.
Insert `xss:expression(onmousemove=function(){alert(document.domain)})`
![](https://img2018.cnblogs.com/blog/1504127/201812/1504127-20181225203356798-1673042707.png)
`expression` is filtered; try bypassing with an HTML character reference.
![](https://img2018.cnblogs.com/blog/1504127/201812/1504127-20181225203430879-1735742100.png)
`&` is filtered as well, so split the keyword with a CSS comment instead: `xss:expre/**/ssion(onmousemove=function(){alert(document.domain)})`. The keyword regex no longer matches, but the CSS parser drops the comment and still sees `expression`.
![](https://img2018.cnblogs.com/blog/1504127/201812/1504127-20181225203507779-513401085.png)
Bypass succeeds: the alert fires and gives the entry to the next stage.
![](https://img2018.cnblogs.com/blog/1504127/201812/1504127-20181225203544803-882703701.png)
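The comment-splitting trick from Stage #13 and Stage #14, as an added example that is not part of the original write-up or the challenge: the keyword filter sees `expre/**/ssion`, but a CSS tokenizer discards `/* */` comments entirely (a comment is not even whitespace, so it does not split the identifier), and the engine receives `expression(`. The filter regex `STYLE_FILTER_RE` is an assumption reconstructed from the write-up. `isSafeStyleValue` is an added hardened check that strips comments first; it deliberately does not handle CSS backslash escapes (`expr\65 ssion`), which a real CSS parser would also resolve.

```javascript
// Added example (not the challenge's own code). STYLE_FILTER_RE is an
// assumption based on the write-up: "expression" and "&" are blocked.
const STYLE_FILTER_RE = /expression|&/i;
function styleFilterBlocks(value) {
  return STYLE_FILTER_RE.test(value);
}

// Strip CSS comments the way the tokenizer does: /* ... */ is dropped
// entirely, so "expre/**/ssion" collapses to "expression".
function stripCssComments(css) {
  let out = '';
  for (let i = 0; i < css.length; ) {
    if (css[i] === '/' && css[i + 1] === '*') {
      const end = css.indexOf('*/', i + 2);
      if (end === -1) break;          // unterminated comment swallows the rest
      i = end + 2;
    } else {
      out += css[i++];
    }
  }
  return out;
}

// Tokenise a declaration value just far enough to see function names:
// in CSS an identifier immediately followed by "(" is a function token.
// Backslash escapes inside identifiers are NOT handled here (toy tokenizer).
function cssFunctionNames(value) {
  const names = [];
  const re = /([a-z_-][a-z0-9_-]*)\(/gi;
  let m;
  while ((m = re.exec(stripCssComments(value))) !== null) {
    names.push(m[1].toLowerCase());
  }
  return names;
}

// Hardened check: normalise (strip comments) first, then decide.
// expression() is legacy-IE script execution; url() can fetch remote resources.
const FORBIDDEN_FUNCS = new Set(['expression', 'url']);
function isSafeStyleValue(value) {
  return !cssFunctionNames(value).some(n => FORBIDDEN_FUNCS.has(n));
}

// Constructed inputs: the direct payload and the comment-split variant.
const direct = 'xss:expression(onmousemove=function(){alert(document.domain)})';
const commentSplit = 'xss:expre/**/ssion(onmousemove=function(){alert(document.domain)})';

console.log(styleFilterBlocks(direct), styleFilterBlocks(commentSplit));   // true false
console.log(cssFunctionNames(commentSplit)[0], isSafeStyleValue(commentSplit)); // expression false
```

As with the Stage #11 tab reference, the filter and the consumer disagree about what the bytes mean; removing comments before matching closes this particular gap, but any syntax the CSS parser normalises (escapes, case, whitespace) has to be handled the same way.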
f. Several common WAF bypass methods
![](https://img2018.cnblogs.com/blog/1504127/201812/1504127-20181225203621171-452658463.png)
Stage #15
DOM-based XSS
The `document.write` method writes HTML markup or JavaScript code into the document.
![](https://img2018.cnblogs.com/blog/1504127/201812/1504127-20181225203747170-1562942175.png)
Test input: `</xss>`
![](https://img2018.cnblogs.com/blog/1504127/201812/1504127-20181225203823642-1825413871.png)
Angle brackets are filtered; try bypassing with hexadecimal escapes (the value ends up inside a JavaScript string literal, where `\x3c` and `\x3e` decode to `<` and `>` before `document.write` sees them).
![](https://img2018.cnblogs.com/blog/1504127/201812/1504127-20181225203859065-1653722730.png)
The backslash is stripped rather than escaped, so doubling it (`\\`) leaves one backslash behind after filtering and the escape sequence survives.
![](https://img2018.cnblogs.com/blog/1504127/201812/1504127-20181225203929620-417128966.png)
Bypass succeeds: the entry to the next stage appears.
![](https://img2018.cnblogs.com/blog/1504127/201812/1504127-20181225204003583-2103466222.png)
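The Stage #15 chain, as an added example that is not the challenge's code: the parameter is placed inside a JavaScript string literal that `document.write` later emits as HTML, so the JS engine resolves `\x3c` to `<` after the server-side filter has already run. The filter modelled by `stage15Filter` (drop `<` and `>`, remove backslashes stripslashes-style so that `\\` becomes `\`) is an assumption reconstructed from the write-up. `safeWrittenHtml` is the added hardened version: the literal is built with a real encoder so every character round-trips, and the value is HTML-encoded before it is written as markup.

```javascript
// Added example (not the challenge's own code). stage15Filter is an ASSUMED
// model of the server-side filter described in the write-up.
function stage15Filter(input) {
  return input
    .replace(/[<>]/g, '')             // angle brackets removed
    .replace(/\\(.?)/g, '$1');        // stripslashes-style: "\\" -> "\", lone "\" dropped
}

// Resolve the escapes a JS string literal would, which is what the browser's
// JS engine does before document.write() ever sees the value.
function decodeJsStringLiteral(body) {
  return body.replace(/\\(x[0-9a-f]{2}|u[0-9a-f]{4}|[\\"'])/gi, (_, esc) => {
    if (esc[0] === 'x' || esc[0] === 'u') {
      return String.fromCharCode(parseInt(esc.slice(1), 16));
    }
    return esc;                        // \\ \" \'
  });
}

// The HTML document.write() ends up emitting for a given request parameter
// (assumed page template: document.write("<p>Input: " + param + "</p>")).
function writtenHtml(param) {
  return '<p>Input: ' + decodeJsStringLiteral(stage15Filter(param)) + '</p>';
}

function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Hardened version: encode for the JS string context with a real encoder
// (backslash and quotes escaped, "<"/">" turned into \u003c/\u003e), then
// HTML-encode the value before it is used as markup.
function jsStringLiteral(s) {
  return JSON.stringify(s).replace(/</g, '\\u003c').replace(/>/g, '\\u003e');
}
function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}
function safeWrittenHtml(param) {
  const literal = jsStringLiteral(param);   // what the server emits into the script
  const value = JSON.parse(literal);        // what the JS engine reconstructs
  return '<p>Input: ' + htmlEncode(value) + '</p>';
}

// Constructed inputs: single backslashes (eaten by the filter) and doubled
// backslashes (one survives, so the escape sequence reaches the JS engine).
const single = '\\x3cscript\\x3ealert(document.domain)\\x3c/script\\x3e';
const doubled = '\\\\x3cscript\\\\x3ealert(document.domain)\\\\x3c/script\\\\x3e';

console.log(writtenHtml(single));                 // <p>Input: x3cscriptx3ealert(document.domain)x3c/scriptx3e</p>
console.log(writtenHtml(doubled));                // <p>Input: <script>alert(document.domain)</script></p>
console.log(containsScriptTag(safeWrittenHtml(doubled)));  // false
```

The real fix for a DOM sink like this is not to build markup from user data at all (assign it to `textContent` instead of passing it through `document.write`); when a string must cross the JS-literal and HTML contexts, encode for each context in order rather than deleting characters.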
This article is from Cnblogs, author: twsec. Please credit the original link when reposting: https://www.cnblogs.com/TWX521/p/10176337.html