Detailed walkthrough of the pikachu XSS shooting range


Less-1 Reflected XSS (GET)

Let's first input some special characters to see whether any of them are filtered out. Click Submit, as shown in the figure

' '' <>6666

At this point we find that the special characters are not filtered, so there may be an XSS vulnerability. Let's check the page source: right-click the blank area, then press Ctrl+F and search for 6666 to find the corresponding output statement.
Then we enter


This time we find that the input box is not long enough. We can modify the front-end code: press F12 to open the developer tools and change the length limit of 20 to a larger number. Then enter the payload and click Submit

Less-2 Reflected XSS (POST)

The account and password can be found by brute force; log in and enter the payload as in Less-1. The difference between GET and POST is that GET submits data in the URL, while POST submits it as a form in the request body. That is, in the previous level the parameters could be changed through the URL to exploit the XSS hole, but not in this one.

Less-3 Stored XSS

First, we try to enter some special characters

" ' <> 666&

We find that nothing is filtered; then, as in the previous steps, enter the payload and submit it


The difference from the previous two levels is that this is a stored XSS, while the previous ones were one-off reflected XSS. Here the payload is written into the database, so compared with the previous levels the damage is persistent: a pop-up appears every time the page is opened.

Less-4 DOM-based XSS

Let's enter 111 first.
Find "what do you see?" and click it; it leads to a 404 page. We can check the page source and search for "what do you see?"

    <div id="xssd_main">
        <script>
            function domxss(){
                var str = document.getElementById("text").value;
                document.getElementById("dom").innerHTML = "<a href='"+str+"'>what do you see?</a>";
                //Try: '><img src="#" onmouseover="alert('xss')">
                //Try: ' onclick="alert('xss')">, just close the tag
            }
        </script>
        <!--<a href="" onclick=('xss')>-->
        <input id="text" name="text" type="text"  value="" />
        <input id="button" type="button" value="click me!" onclick="domxss()" />
        <div id="dom"></div>
    </div>

When the button is clicked, the onclick event fires and domxss() runs: it fetches the contents of the input box through document.getElementById() and writes them into the page.
As long as we close the <a href=''></a> tag, we can enter

#' onclick="alert(111)">

Click Submit

Less-5 DOM-based XSS

We first enter 1111 and click Submit.
Let's look at the page source code

    <div id="xssd_main">
        <script>
            function domxss(){
                var str = window.location.search;   // reconstructed from the text: the input is read from the URL query string
                var txss = decodeURIComponent(str.split("text=")[1]);
                var xss = txss.replace(/\+/g,' ');
    //          alert(xss);

                document.getElementById("dom").innerHTML = "<a href='"+xss+"'>Let the past go with the wind, let's go with the wind</a>";
                //Try: '><img src="#" onmouseover="alert('xss')">
                //Try: ' onclick="alert('xss')">, just close the tag
            }
        </script>
        <!--<a href="" onclick=('xss')>-->
        <form method="get">
            <input id="text" name="text" type="text"  value="" />
            <input id="submit" type="submit" value="Please tell me your sad past"/>
        </form>
        <div id="dom"></div>

        <a href='#' onclick='domxss()'>There are some things you try hard to forget, and then you really forget them</a>
    </div>

Reading the code, we see that this level also reads our input from the URL. As in the reflected level, the output lands inside an a tag, so we input

#' onclick="alert(111)">

Then click the "let the past go with the wind" link, and the window pops up

Less-6 Blind XSS

Enter 111 in both fields and click Submit to see what happens.
It looks like our input is sent to the back end. We try entering a payload


Click Submit, then log in to the back-end admin interface.
Click the prompt to see the login page.
After logging in, the pop-up appears

Less-7 XSS filtering

Supplementary knowledge:
XSS filter bypasses
1. Bypass front-end restrictions: capture and replay the packet directly, or modify the front-end HTML code
2. Case variation, for example:


3. Patchwork:

<scri<script>pt>alert(111)</scri</script> pt>

4. Comment interference:

<scri<!--test-->pt>alert(111)</sc <!--test--> ript>

XSS encoding bypass
Special characters such as the script tag are filtered on the back end, but the tag can be written in various encodings, which the back end does not necessarily filter; when the browser recognises the encoding it translates it back into a normal tag and executes it
For example:

Let's start clearing the level. First enter

<script>;' "123

Click Submit to try.
Check the page source and find that the script tag has been filtered out

Next, we try injecting with mixed case, and the window pops up successfully.


Similarly, we can also use the img tag to enter

<img src=x onerror="alert(111)"/> 

which also pops up the window

Less-8 XSS htmlspecialchars

First, understand that htmlspecialchars() is a common PHP function that converts predefined characters into HTML entities. The predefined characters are:

& (ampersand) becomes &amp;
" (double quote) becomes &quot;
' (single quote) becomes &#039;
< (less than) becomes &lt;
> (greater than) becomes &gt;

Available quote types:
ENT_COMPAT - Default. Encodes only double quotes.
ENT_QUOTES - Encodes both double and single quotes.
ENT_NOQUOTES - Encodes neither kind of quote.

Let's enter it first

111' " <>&

Check the page source and find that single quotes are not encoded

We input

1' onclick='alert(111)'

Click Submit, then click the entered text shown below the input box, and the window pops up
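As an added example (my own code, not pikachu's), here is a JavaScript model of the three quote modes listed above, fed the payload used on this level and assuming the value lands inside a single-quoted href attribute, which the payload implies: ENT_COMPAT leaves the single quote alone, so the tag gains a second attribute, while ENT_QUOTES neutralises it. PHP's default was ENT_COMPAT before 8.1 and is ENT_QUOTES | ENT_SUBSTITUTE since 8.1.

```javascript
// Added example, not pikachu's code: a JavaScript model of PHP's htmlspecialchars()
// quote modes, used to show why ENT_COMPAT is not enough when the output sits
// inside a single-quoted attribute.
const ENT_COMPAT = "ENT_COMPAT";
const ENT_QUOTES = "ENT_QUOTES";
const ENT_NOQUOTES = "ENT_NOQUOTES";

function htmlspecialchars(str, flags = ENT_COMPAT) {
  // One pass over the string, so the entities produced are never re-encoded.
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;" };
  if (flags !== ENT_NOQUOTES) map['"'] = "&quot;"; // double quotes: COMPAT and QUOTES
  if (flags === ENT_QUOTES) map["'"] = "&#039;";   // single quotes: QUOTES only
  return String(str).replace(/[&<>"']/g, ch => map[ch] || ch);
}

// Assumed sink for this level: the user value is placed inside a single-quoted
// href attribute of an a tag, and also shown as the link text.
function renderLink(value, flags) {
  const safe = htmlspecialchars(value, flags);
  return "<a href='" + safe + "'>" + safe + "</a>";
}

// Counts name='value' attributes inside the opening <a ...> tag. A correctly
// encoded value yields exactly one (href); a breakout adds onclick as a second.
function attributeCount(html) {
  const open = html.match(/^<a\b([^>]*)>/);
  if (!open) return 0;
  return (open[1].match(/\b[a-z]+='[^']*'/g) || []).length;
}

// The input used on this page.
const PAYLOAD = "1' onclick='alert(111)'";

// Reports which modes leave the single-quoted attribute breakable.
function vulnerableModes() {
  return [ENT_COMPAT, ENT_QUOTES, ENT_NOQUOTES]
    .filter(f => attributeCount(renderLink(PAYLOAD, f)) > 1);
}
```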

Less-9 XSS href output

The output lands in the href attribute of the a tag, so the javascript: protocol can be used to execute JS.
For defence, allow only http or https; secondly, pass the output through htmlspecialchars().
We open the PHP file of this level locally to view the source code

We can see that it filters several characters, including single quotes, double quotes and left and right angle brackets

We try to enter


Then click Submit and click the link below to pop up the window
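An added example (my own code, not pikachu's) of the defence described for this level, applied to the href sinks of Less-4, Less-5 and Less-9: the value is accepted only if it is an absolute http or https URL, and it is set through the DOM API instead of being spliced into an innerHTML string. safeHref, textParam and domxssSafe are names of my own.

```javascript
// Added example, not pikachu's code: hardening an href sink the way the text
// recommends for Less-9 (only http or https allowed).
const FALLBACK_HREF = "#";

// Returns the input only if it is an absolute http(s) URL; anything else,
// including javascript: URLs and attribute-breaking strings, becomes "#".
function safeHref(input) {
  let url;
  try {
    url = new URL(String(input));   // throws on relative or malformed values
  } catch (e) {
    return FALLBACK_HREF;
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return FALLBACK_HREF;
  return url.href;
}

// Reads the "text" parameter from the query string as Less-5 does, but with
// URLSearchParams, which handles percent-decoding and "+" correctly.
function textParam(search) {
  return new URLSearchParams(search).get("text") || "";
}

// Safe replacement for domxss(): href is set as an attribute value and the link
// text as text, so no part of the input is ever parsed as HTML. Browser only;
// doc is the page's document object, passed in to keep the function testable.
function domxssSafe(doc, str) {
  const a = doc.createElement("a");
  a.setAttribute("href", safeHref(str));
  a.textContent = "what do you see?";
  const target = doc.getElementById("dom");
  target.textContent = "";        // clear whatever was rendered before
  target.appendChild(a);
  return a.getAttribute("href");
  // usage in the page: domxssSafe(document, textParam(window.location.search));
}
```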

Less-10 XSS JS output

First, we enter 1111 and view the page source code

Then we can construct the payload

The corresponding (colour-highlighted) quote is closed
So we enter


Pop up window


Posted on Thu, 18 Nov 2021 08:53:05 -0500 by trube