XSS labs clearance challenge

Time:2021-12-5


0x00 xss-labs

I’ve been looking at XSS recently, so today I’ll work through the xss-labs challenge. After searching for the source code for a long time I finally found it. Since everyone knows what GitHub download speeds are like, I mirrored it to my Gitee repository and am posting the link here; feel free to download and use it.

  Please click the source code link: https://gitee.com/ruoli-s/xss-labs

There is nothing to say about installation: drop it into the www directory of a web server you have already set up and you can start breaking through. xss-labs has 20 levels, so let’s do them.

(Actually, I think the pictures are the biggest reason I wanted to do the xss-labs challenge.)

image-20210115185051244

0x01 level 1 no filtering mechanism

image-20210115190305848

After looking for a while, it turns out the parameter is passed in the URL:

image-20210115192519758

After modifying the parameter, the page changes too. Right-click to view the source code: there is a piece of JS that jumps to level 2, and the number of characters we passed in is shown as the payload length below.

image-20210115192731335

OK, straight to the payload:

alert(/xss/)

image-20210115193519094


0x02 level 2 closing the tag

image-20210115194005055

We enter the level 1 payload directly and find that it is output as plain text, so entity escaping must have been done here.

image-20210115193744576

F12 to view the front-end code:

image-20210115194351470

The first one is the code displayed on the page and the second is the value we entered; the first one has been escaped. We construct a payload that uses "> to try to close the input tag:

">alert(/xss/)

image-20210115194940046


0x03 level 3 single-quote closure + the htmlspecialchars() function

image-20210115205058546

When we come to level 3, we still use the payloads tested in the previous two levels to verify:

image-20210115205557603

It is found that all are escaped by entities. Let’s look at the source code:

no results found related to '.htmlspecialchars($str).'

";
?>

Cough. We find that double quotes " are restricted but single quotes ' are let through, and the htmlspecialchars function has been added here, so we can use an event attribute to trigger execution inside the form. Let’s construct the payload:

'onmouseover='alert(/xss/)

image-20210115221343280

You can see that nothing pops up immediately after submitting; we also need to move the mouse over the text box to trigger the event.

image-20210115221850004

Supplementary reading:

  1. The htmlspecialchars function

  2. HTML event attributes


0x04 level 4 double-quote closure + event attribute

image-20210115224342651

Same as before: we go through the previous payloads one by one, and of course they all fail. Next, let’s look at the front-end code:

image-20210115234612324

We can see that > and < have been filtered. Let’s look at the source code:

","",$str);
$str3=str_replace("no results found related to".htmlspecialchars($str)."."

';
?>

It actually uses str_replace() to filter the angle brackets, and the quoting differs from the single quote ' of the previous level, so we imitate that level and use an HTML event attribute, constructing the payload with double quotes:

"onmouseover="alert(/xss/)

image-20210115235939043

This one passes too.


0x05 level 5 JavaScript pseudo-protocol

image-20210116112615699

Now we come to level 5. We test the previous payloads and, unsurprisingly, they fail, but we notice something else:

image-20210116150442506

It looks like on has been tampered with. After entering o followed by other characters, we find that only on is replaced, which means event attributes won’t work.

image-20210116150807491

Continuing to try, we find that <script> has also been replaced, with <scr_ipt>:

image-20210116151044701

I’m sure everyone has thought of it by now: let’s try mixed case:

image-20210116151747433

image-20210116151900058

Next we try to see whether the tag can be closed. We enter ', ", the angle brackets and \, and find that only ' is escaped as an entity, so we should use " to construct the closure:

image-20210116151535724

OK, we’ve tried everything we should try. Next, let’s try the pseudo-protocol:

To read about the JavaScript pseudo-protocol, click here: https://www.html.cn/qa/javascript/11155.html

"><a href=javascript:alert(/xss/)>

image-20210116153331190

image-20210116153501066

Finally, we pass. Of course, it’s more instructive to look at the source code:
<?php
ini_set("display_errors", 0);
$str = strtolower($_GET["keyword"]);
$str2=str_replace("<script","<scr_ipt",$str);
$str3=str_replace("on","o_n",$str2);
echo "<h2 align=center>no results related to ".htmlspecialchars($str)."</h2>".'<center>
<form action=level5.php method=GET>
<input name=keyword value="'.$str3.'">
<input type=submit name=submit value=search />
</form>
</center>';
?>
As we guessed, on and <script are replaced respectively, and case filtering is done too (the input is lowercased first). All right, on to the next level.


0x06 level 6 case bypass

We have reached level 6 and keep moving forward.

image-20210116154828872

Let’s test the payload directly. Of course it won’t work. Look at the front-end code directly: ouch, this time even href has been filtered. Ruthless.

image-20210116183918429

We also tested on and <script> and found the filtering is plain to see, and single quotes ' are also entity-escaped. But we noticed something else: it seems that case is not handled this time, huh.

image-20210116185419800

We use a double quote "> to close the attribute and construct the payload with mixed case:

<ScRipt>alert(/xss/)

image-20210116185731885

This one passes too. Onward, onward!!!


0x07 level 7 double-write bypass

On to level 7. Well, this picture is good, magical even. Do you feel it?

image-20210116190206085

No more chatter, let’s fire off a round of tests. Did we find anything useful? (●’◡’●)

image-20210116195035217

We discover that the keyword script is filtered out. Isn’t this a job for double writing? We close with a double quote " and construct the payload:

">alert(/xss/)

image-20210116195454082

Easy, next.


0x08 level 8 encoding bypass

Level 8. Nothing to see here.

image-20210116210245989

When testing the payloads we can see that everything tested before is basically filtered and case tricks are blocked too. But we notice that the front-end code builds a link tag directly from our input, so we might as well try encoding and see whether it bypasses:

image-20210116210823200

The author has tested here that both HTML entity encoding and hex encoding bypass the filter. I’ll only show the hex encoding, since most blogs show HTML entity encoding; those unfamiliar with it can look it up themselves.

We can see that the replacement turns the ri in script into r_i, so we just encode r and i and try:

letter | decimal entity | hex entity
r      | &#114;         | &#x72;
i      | &#105;         | &#x69;

Please click here for the encoding tool link.

Construct payload:

javascript:alert(/xss/)

image-20210116213444302

Well done, next level.


0x09 level 9 keyword detection

The more I look at these pictures, the more I like them. As usual, let’s start by making some noise.

image-20210116213925894

Damn. I’ve tried everything I should try. What is this code giving us? What happened to the payload we entered??

image-20210116215646648

Hold on, let me check the source code:

';
?>
  Links';
}
else
{
  echo 'Links';
}
?>

The strpos function, I submit to you. It means the string we enter must contain the characters http://. I’m speechless; who would have thought of that:

To learn more about the strpos function, please click here.

We can see that the encoding is not filtered here, so we continue with the encoded payload from the previous level:

javascript:alert('xsshttp://')

image-20210116221407612

Cough, this level is inhumane. The next one is nothing special.
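Added example (my own code, not part of xss-labs) for levels 8 and 9: why entity-encoding the href and a substring test for http:// both fail, beside a scheme allowlist that holds up. Function names and the test inputs are my own constructions.

```php
<?php
// Added example (not xss-labs code): why entity-encoding the href (level 8) and a
// substring test for "http://" (level 9) both fail, and a scheme allowlist that
// holds up. Function names are my own.

// Level 9 style check as described above: the link is accepted whenever "http://"
// occurs anywhere in the string, which says nothing about the URL's scheme.
function level9_accepts(string $url): bool
{
    return strpos($url, 'http://') !== false;
}

// What the browser will actually navigate to. Character references in an
// attribute value are decoded before URL parsing, so htmlspecialchars() on the
// way out cannot turn a javascript: URL into a harmless one (the level 8 lesson).
// The WHATWG URL parser also strips ASCII tab/newline and leading C0 controls.
function browser_view_of_url(string $url): string
{
    $decoded = html_entity_decode($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $decoded = str_replace(["\t", "\n", "\r"], '', $decoded);
    return ltrim($decoded, "\x00..\x20");
}

// Allowlist, not blocklist: only absolute http(s) URLs are ever placed in href.
// Returns the attribute-encoded URL, or null when the link must be dropped.
function safe_href(string $url): ?string
{
    $view = browser_view_of_url($url);
    if (!preg_match('#\A(https?)://#i', $view)) {
        return null;
    }
    // Output-encode for the attribute context only after validation.
    return htmlspecialchars($view, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hardened version of the level 9 "Links" anchor: rejected input falls back to "#".
function render_link(string $url): string
{
    $href = safe_href($url);
    return '<a href="' . ($href ?? '#') . '">Links</a>';
}

// Constructed inputs: a benign link, the level 9 payload from this post, and the
// level 8 idea of entity-encoding letters of the scheme (here the "j").
$tests = [
    'http://example.com/',
    "javascript:alert('xsshttp://')",
    '&#106;avascript:alert(/xss/)',
];
foreach ($tests as $t) {
    printf("%-34s level9=%-6s hardened=%s\n", $t,
           level9_accepts($t) ? 'accept' : 'reject', render_link($t));
}
```

Only the first input yields a real href; the other two are accepted by the strpos check (or survive entity encoding) yet are rejected by the allowlist because the scheme is checked on the decoded value.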


0x10 level 10 hidden fields

After untold hardships we’ve finally reached the halfway point of the whole challenge, sob.

image-20210116222501534

Pfft, I tried everything. Why did it run back to the URL again? Looking at the code I didn’t get anything, but what’s with this form? Why isn’t it displayed on the page?

image-20210116225702764

No choice, let’s look at the source code. Sigh, my heart is broken.

","",$str11);
$str33=str_replace("no results found related to".htmlspecialchars($str)."."

';
?>

Did you spot it? The keyword parameter feels like a decoy; what actually works is the t_sort parameter. The problem is that its type is hidden, so we have to change it to type text on the front end to make it appear. The backend only filters < and >, so we can use an event attribute to construct:

"onmouseover="alert(/xss/)

image-20210116230805030

image-20210116231027885

Note: you must change the type on the front end twice to get the pop-up.


0x11 level 11 Referer

image-20210119122300252

At level 11, since nothing after level 10 is going to be that simple, there’s no point guessing and wasting time. We look at the front-end code directly and probe it; if that fails we can only look at the source code.

image-20210119122703745

You can see that, like level 10, there are hidden form fields, with one more parameter, t_ref; I just don’t know whether it accepts input. Let’s try the previous level’s method, starting from the tag.

Construct the payload:

&t_link="type="text&t_history="type="text&t_sort="type="text&t_ref="type="text

View page code:

image-20210119131830006

You can see that t_sort still accepts our parameter. Let’s look at the source code directly!!

","",$str11);
$str33=str_replace("no results found related to".htmlspecialchars($str)."."

';
?>

We find one more field, $str11=$_SERVER['HTTP_REFERER']. HTTP_REFERER reads the Referer header of the HTTP request, i.e. which page we came from to reach the current one. We can use HackBar to modify the Referer field.

image-20210119133704345

Checking the page code, we find that the Referer value we passed in lands in t_ref.

image-20210119133751936

Next we can construct the payload and break through via the Referer:

" type="text

image-20210119134913417

View page code:

image-20210119135009098

Finally, click the text box:

image-20210119135118607


0x12 level 12 User-Agent

It’s getting harder and harder; even the picture has started crying. Heartbreaking /(ㄒoㄒ)/~~

image-20210119135440733

Let’s just look at the page code:

image-20210119135613289

Did anyone notice that the value passed in this time looks very familiar? (●’◡’●) If not, look at the next picture:

image-20210119135802890

Ha ha, identical, right? Now we have the idea. Let’s start directly from the User-Agent and construct the payload:

user-agent" type="text

image-20210119140150460

Finally, let’s check the web page code:

image-20210119140258240

OK, this one passes too.

image-20210119140936072


0x13 level 13 Cookie

image-20210119141246975

At level 13 we didn’t know where to start, so we went straight to the page code:

image-20210119141431656

As you can see, another parameter, t_cook, has been added; I guess it may be a cookie. Let’s try the payload directly:

Cookie" type="text

image-20210119142557689

image-20210119142425520

You can see that the cookie field we added in HackBar was not passed in successfully.

Then we can only capture the request and take a look. Time to dust off Burp Suite. Through the capture we can see there is one more parameter, user; it turns out the cookie value is passed in through user. Helpless ╮(╯▽╰)╭

image-20210119142958638

Now that we know how the parameter is passed, we can construct the payload:

Cookie" type="text

image-20210119143211310

In the Repeater module we see that the parameter has been passed in, so we forward the request and check the result.

image-20210119143413840

image-20210119143544368

OK, level 13 passed smoothly. Continue.
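Added example (my own code, not part of xss-labs) serving two passages: the level 5 blocklist from the source shown earlier, and levels 10 to 13, where hidden inputs are filled from the query string and from the Referer and Cookie headers. It shows the fix, context-aware output encoding, with a check a defender can run; function names and the sample request are my own constructions.

```php
<?php
// Added example (not xss-labs code): the level 5 blocklist from the source shown
// earlier, next to the fix that covers levels 10 to 13 too, where the Referer and
// Cookie headers land in hidden inputs. Function names are my own.
// Level 5 style filter: lowercase, then patch "<script" and "on". A blocklist has
// to predict every token that is dangerous in the context the value lands in; this
// one says nothing about a closing quote or href="javascript:".
function level5_filter(string $keyword): string
{
    $str = strtolower($keyword);
    $str = str_replace("<script", "<scr_ipt", $str);
    return str_replace("on", "o_n", $str);
}

// The fix: encode for the exact context, here a double-quoted attribute value.
// With ENT_QUOTES every & < > " ' becomes an entity, so the value can neither end
// the attribute nor open a tag (level 3 omitted ENT_QUOTES and left ' alone).
function encode_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hardened form. Request headers are attacker-controlled exactly like the query
// string, so hidden inputs get the same encoding; type="hidden" is no protection,
// the walkthrough above flips it to "text" from the dev tools.
function render_form(array $sources): string
{
    $html = '<form action="level13.php" method="GET">';
    foreach ($sources as $name => $value) {
        $type  = $name === 'keyword' ? 'text' : 'hidden';
        $html .= sprintf('<input name="%s" type="%s" value="%s">',
                         $name, $type, encode_attr((string) $value));
    }
    return $html . '<input type="submit" name="submit" value="search" /></form>';
}

// Defender's check: each value must reappear only in encoded form, so the next
// raw quote after value=" is the closing delimiter written by the template.
function values_are_contained(array $sources): bool
{
    $html = render_form($sources);
    foreach ($sources as $name => $value) {
        $at = strpos($html, 'name="' . $name . '" type="');
        if ($at === false) { return false; }
        $start = strpos($html, 'value="', $at) + 7;
        $inner = substr($html, $start, strpos($html, '"', $start) - $start);
        if ($inner !== encode_attr((string) $value)) { return false; }
    }
    return true;
}

// Constructed request built from the payload shapes shown in this post.
$request = [
    'keyword' => '"><a href=javascript:alert(/xss/)>', // level 5
    't_sort'  => '"onmouseover="alert(/xss/)',          // level 10
    't_ref'   => '" type="text',                        // level 11, from Referer
    't_cook'  => 'Cookie" type="text',                  // level 13, from the cookie
];
echo "level 5 filter leaves: ", level5_filter($request['keyword']), "\n";
echo render_form($request), "\n";
echo values_are_contained($request) ? "all values contained\n" : "LEAK\n";
```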


0x14 level 14 Exif

image-20210119144114978

What is this?? Where’s the picture? Wait, it seems to redirect, but I don’t seem to live that long. Wait... it never loads (the main problem is that I can’t get my VPN working, so I resolutely gave up and looked at the answer)...

image-20210119144313365

I searched online and it said something about Exif XSS. Well, I only know that the Misc steganography problems in CTFs hide information in Exif (anyway, I haven’t run into such a simple steganography problem), so off to Baidu:

image-20210119145158694

Well, let’s have a look.


0x15 level 15 ng-include

image-20210119145952335

At first I looked around and didn’t find anything. Finally I noticed that the URL parameter is shown in the page source, so I think there may be something fishy here.

image-20210119170059117

Looking at the page source again, I found there is indeed an ng-include; I don’t know what that is...

image-20210119170950357

Finally I went to Baidu, which said ng-include is an AngularJS thing. I don’t know much about it, but it seems similar to PHP’s include function: it includes a file.

Speaking of which, let’s look at how ng-include is used:

1. The ng-include directive is used to include external HTML files.

2. The included content becomes a child node of the specified element.

3. The value of the ng-include attribute can be an expression that returns a file name.

4. By default, the included file must be under the same domain name.

It is worth noting that:

  1. ng-include: if you specify only an address, it must be in quotation marks.

  2. ng-include: the external HTML is loaded, but the content of script tags in it is not executed.

  3. ng-include: style tags in the external HTML are loaded and the styles are recognised.

Take another look at the source code:

window.alert = function()
{
    confirm("well done!");
    window.location.href="level16.php?keyword=test";
}

Welcome to level 15

Welcome to level 15. Find a way to go out!

';
?>

You can see that the parameter is passed through src and that < and > are filtered. Since HTML files can be included here, the vulnerable pages we did earlier can also be included, so we can construct:

'level1.php?name='

image-20210119224302094

image-20210119224317343

OK, the pop-up appears. The next two levels are the uncomfortable ones.


0x16 level 16 space entity escape

image-20210119224551486

After testing, we find the parameter is passed in the URL. Let’s try the simplest way:

image-20210119225350398

We find that the word script is filtered directly, even /script, so let’s try a payload without it:

Er, it seems the space has been replaced by an entity:

image-20210119230245413

Well, now we can only use something else instead of a space. The first thought is a line break: in HTML a line break can replace a space.

Finally, we URL-encode the line break as %0a and substitute it:

OK, OK, pop up successfully.

image-20210119230838006

By the way, look at the source code: sure enough, every space is replaced with an entity.

".$str5."";
?>

0x17 level 17 parameter splicing

image-20210119232204018

Emmm, no picture again. I casually passed a few parameters and found that two parameters, arg01 and arg02, are accepted, and after they are passed they are spliced together. Can we trigger with an event attribute directly?

image-20210120103903247

Er, no response, but we can see that there are events that could be triggered. Strange.

image-20210120122554556

I went to ask Baidu; it said an swf is loaded here, but unfortunately our Firefox can’t display it. Boo. Switching to Chrome: damn, Flash is blocked, but the pop-up can still appear:

image-20210120123402970

Switched again, to the Star Wish browser, and it finally appears. Phew.

image-20210120123441156

By the way, look at the source code: as we thought, the parameters are passed through the two arg parameters and < and > are filtered.

";
?>

0x18 level 18 parameter splicing

Er, at first I thought there was no picture again, but looking at the page code there’s another swf, so I switched browsers right away.

image-20210120124126300

Pfft, what’s this? Flickering isn’t supposed to look like this.

image-20210120124249027

Directly use the payload of the previous level:

onmouse&arg02=alert(/xss/)

Pfft, that works. Is that it? I don’t understand it, but let’s move on!!

image-20210120124816706


0x19 level 19 Flash XSS

image-20210120125013597

First try the payload: OK, it seems " is used to close the attribute, but since htmlspecialchars() is applied here, the quote is encoded and the attribute can’t be closed.

image-20210120125224613

I can’t help it; I looked at the answer, which said something about decompiling the Flash. OK, anyway I don’t understand it; if you’re interested, have a look. I can’t chew through it right now, so when the time is right I’ll write about it separately. For now, here’s the answer:

version&arg02=xss

image-20210120131742266

If you want to study it in depth: click here.


0x20 level 20 Flash XSS

image-20210120131844756

Well, this should also be Flash. Let me just post the answer first; the details will have to wait until I can sit down calmly.

arg01=id&arg02=\"))}catch(e){}if(!self.a)self.a=!alert(1)//%26width%26height

image-20210120132209948
