├── README.md
├── xss10_mvm
    └── index.php
├── xss13_request_uri
    └── index.php
├── xss14_hidden
    └── index.php
├── xss15_frameBuster
    └── index.php
├── xss16_phpself
    └── index.php
├── xss17_passiveElement
    └── index.php
├── xss18_graduate
    └── index.php
├── xss19_party
    └── index.php
├── xss1_uploadfiles
    └── index.php
├── xss20_theend
    └── index.php
├── xss21_othersJquery
    └── index.php
├── xss2_getallheaders
    └── index.php
├── xss3_json
    └── index.php
├── xss4_referer
    └── index.php
├── xss5_redirect
    └── index.php
├── xss6_forcedownload
    └── index.php
├── xss7_textplain
    └── index.php
├── xss8_tag
    └── index.php
└── xss9_plaintext
    └── index.php


/README.md:
--------------------------------------------------------------------------------
 1 | ## 阿里云先知社区xss挑战题源码
 2 | 
 3 | @L3m0n师傅 的wp
 4 | >https://xianzhi.aliyun.com/forum/read/2044.html
 5 | 
 6 | 微信公众号阅读地址:
 7 | >http://mp.weixin.qq.com/s/d_UCJusUdWCRTo3Vutsk_A
 8 | 
 9 | @LoRexxar师傅的解读
10 | >https://lorexxar.cn/2017/08/31/xss-ali/
11 | 
12 | 在线挑战地址
13 | >http://t.r00tuserclient.xyz/xianzhi_xss/
14 | 
15 | ### 题目uri
16 | 1. xss1_uploadfiles
17 | 2. xss2_getallheaders
18 | 3. xss3_json
19 | 4. xss4_referer
20 | 5. xss5_redirect
21 | 6. xss6_forcedownload
22 | 7. xss7_textplain
23 | 8. xss8_tag
24 | 9. xss9_plaintext
25 | 10. xss10_mvm
26 | 13. xss13_request_uri
27 | 14. xss14_hidden
28 | 15. xss15_frameBuster
29 | 16. xss16_phpself
30 | 17. xss17_passiveElement
31 | 18. xss18_graduate
32 | 19. xss19_party
33 | 20. xss20_theend
34 | 21. xss21_othersJquery
35 | 
36 | ex:
37 | 题目1：http://t.r00tuserclient.xyz/xianzhi_xss/xss1_uploadfiles/
38 | 


--------------------------------------------------------------------------------
/xss10_mvm/index.php:
--------------------------------------------------------------------------------
1 | <html ng-app>
2 | <head>
3 | <meta charset=utf-8>
4 | <script src="https://ajax.googleapis.com/ajax/libs/angularjs/1.6.5/angular.js"></script>
5 | </head>
6 | <body>
7 | <input id="username" name="username" tabindex="1" ng-model="username" ng-init="username='<?php if(strlen($_GET["username"])<37){echo htmlspecialchars($_GET["username"]);}?>'" placeholder="username" maxlength="11" type="text">
8 | </body>
9 | </html>


--------------------------------------------------------------------------------
/xss13_request_uri/index.php:
--------------------------------------------------------------------------------
1 | <?php
2 | header("X-XSS-Protection: 0");
3 | echo "REQUEST_URI:".$_SERVER['REQUEST_URI'];
4 | ?>


--------------------------------------------------------------------------------
/xss14_hidden/index.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | header('X-XSS-Protection:0');
 3 | header('Content-Type:text/html;charset=utf-8');
 4 | ?>
 5 | <head>
 6 | <meta http-equiv="x-ua-compatible" content="IE=10">
 7 | </head>
 8 | <body>
 9 | <form action=''>
10 | <input type='hidden' name='token' value='<?php
11 |   echo htmlspecialchars($_GET['token']); ?>'>
12 | <input type='submit'>
13 | </body>


--------------------------------------------------------------------------------
/xss15_frameBuster/index.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | header("X-XSS-Protection: 0");
 3 | $page=strtolower($_GET["page"]);
 4 | $regex="/on([a-zA-Z])+/i";
 5 | $page=str_replace("style","_",$page);
 6 | ?>
 7 | <html>
 8 | <head>
 9 | <meta charset=utf-8>
10 | </head>
11 | <body>
12 | <form action='index.php?page=<?php
13 | if(preg_match($regex,$page))
14 | {
15 | echo "XSS Detected!";
16 | }
17 | else
18 | {
19 | echo htmlspecialchars($page);
20 | }
21 | ?>'></form>
22 | <script>
23 | if(top!=self){
24 |  location=self.location
25 | }
26 | </script>
27 | </body>
28 | </html>


--------------------------------------------------------------------------------
/xss16_phpself/index.php:
--------------------------------------------------------------------------------
 1 | <html>
 2 | <head>
 3 | <meta charset=utf-8>
 4 | <meta http-equiv="X-UA-Compatible" content="IE=10">
 5 | <link href="styles.css" rel="stylesheet" type="text/css" />
 6 | </head>
 7 | <body>
 8 | <img src="xss.png" style="display: none;">
 9 | <h1>
10 | <?php
11 | $output=str_replace("<","<",$_SERVER['PHP_SELF']);
12 | $output=str_replace(">",">",$output);
13 | echo $output;
14 | ?>
15 | </h1>
16 | </body>
17 | </html>


--------------------------------------------------------------------------------
/xss17_passiveElement/index.php:
--------------------------------------------------------------------------------
1 | <?php
2 | header("Content-Type:text/html;charset=utf-8");
3 | header("X-Content-Type-Options: nosniff");
4 | header("X-FRAME-OPTIONS: DENY");
5 | header("X-XSS-Protection: 0");
6 | $content=$_GET["content"];
7 | echo "<div data-content='".htmlspecialchars($content)."'>";
8 | ?>


--------------------------------------------------------------------------------
/xss18_graduate/index.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | header("Content-Type:text/html;charset=utf-8");
 3 | header("X-Content-Type-Options: nosniff");
 4 | header("X-FRAME-OPTIONS: DENY");
 5 | header("X-XSS-Protection: 1");
 6 | ?>
 7 | <html>
 8 | <head>
 9 | <meta charset=utf-8>
10 | </head>
11 | <body>
12 | <textarea>
13 | <?php
14 | //Fix#001
15 | $input=str_replace("<script>","",$_GET["input"]);
16 | //Fix#002
17 | $input=str_replace("/","\/",$input);
18 | echo $input;
19 | ?>
20 | </textarea>
21 | </body>
22 | </html>


--------------------------------------------------------------------------------
/xss19_party/index.php:
--------------------------------------------------------------------------------
 1 | <!DOCTYPE html>
 2 | <html>
 3 | <head>
 4 | <meta charset="utf-8">
 5 | <script>
 6 | function getCookie(cname) {
 7 |     var name = cname + "=";
 8 |     var decodedCookie = decodeURIComponent(document.cookie);
 9 |     var ca = decodedCookie.split(';');
10 |     for(var i = 0; i < ca.length; i++) {
11 |         var c = ca[i];
12 |         while (c.charAt(0) == ' ') {
13 |             c = c.substring(1);
14 |         }
15 |         if (c.indexOf(name) == 0) {
16 |             return c.substring(name.length, c.length);
17 |         }
18 |     }
19 |     return "";
20 | }
21 | function checkCookie() {
22 |     var user=getCookie("username");
23 |     if (user != "") {
24 |         document.write("欢迎, " + unescape(user));
25 |     } else {
26 |          alert("请登陆")
27 |     }
28 | }
29 | </script>
30 | </head>
31 | <body onload="checkCookie()">
32 | <?php echo '<img name="avatar" src="'.str_replace('"',""",$_GET["link"]).'" width="30" height="40">';?>
33 | </body>
34 | </html>


--------------------------------------------------------------------------------
/xss1_uploadfiles/index.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | header("X-XSS-Protection: 0");
 3 | $target_dir = "uploads/";
 4 | $target_file = $target_dir . basename($_FILES["fileToUpload"]["name"]);
 5 | $uploadOk = 1;
 6 | $imageFileType = pathinfo($target_file,PATHINFO_EXTENSION);
 7 | // Check if image file is a actual image or fake image
 8 | if(isset($_POST["submit"])) {
 9 |     $check = getimagesize($_FILES["fileToUpload"]["tmp_name"]);
10 |     if($check !== false) {
11 |         echo "File is an image - " . $check["mime"] . ".<BR>";
12 |         $uploadOk = 1;
13 |     } else {
14 |         echo "File is not an image.";
15 |         $uploadOk = 0;
16 |     }
17 | }
18 | // Check if file already exists
19 | if (file_exists($target_file)) {
20 |     echo "Sorry, file already exists.";
21 |     $uploadOk = 0;
22 | }
23 | // Check file size
24 | if ($_FILES["fileToUpload"]["size"] > 500000) {
25 |     echo "Sorry, your file is too large.";
26 |     $uploadOk = 0;
27 | }
28 | // Allow certain file formats
29 | if($imageFileType != "jpg" && $imageFileType != "png" && $imageFileType != "jpeg"
30 | && $imageFileType != "gif" ) {
31 |     echo "Sorry, only JPG, JPEG, PNG & GIF files are allowed.";
32 |     $uploadOk = 0;
33 | }
34 | // Check if $uploadOk is set to 0 by an error
35 | if ($uploadOk == 0) {
36 |     echo "Sorry, your file was not uploaded.";
37 | // if everything is ok, try to upload file
38 | } else {
39 |         echo "The file ". basename( $_FILES["fileToUpload"]["name"]). " has been uploaded.";
40 | }
41 | ?>


--------------------------------------------------------------------------------
/xss20_theend/index.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | header("Content-Type:text/html;charset=utf-8");
 3 | header("X-Content-Type-Options: nosniff");
 4 | header("X-FRAME-OPTIONS: DENY");
 5 | header("X-XSS-Protection: 0");
 6 | $hookid=str_replace("=","",htmlspecialchars($_GET["hookid"]));
 7 | $hookid=str_replace(")","",$hookid);
 8 | $hookid=str_replace("(","",$hookid);
 9 | $hookid=str_replace("`","",$hookid);
10 | ?>
11 | <!DOCTYPE html>
12 | <html>
13 | <head>
14 | <meta charset="utf-8">
15 | <script>
16 | hookid='<?php echo $hookid;?>';
17 | </script>
18 | <body>
19 | </body>
20 | </html>


--------------------------------------------------------------------------------
/xss21_othersJquery/index.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | header("Content-Type:text/html;charset=utf-8");
 3 | header("X-Content-Type-Options: nosniff");
 4 | header("X-FRAME-OPTIONS: DENY");
 5 | header("X-XSS-Protection: 0");
 6 | ?>
 7 | <html>
 8 | <head>
 9 | <meta charset="utf-8">
10 | <script src="https://code.jquery.com/jquery-3.2.1.js" integrity="sha256-DZAnKJ/6XZ9si04Hgrsxu/8s717jcIzLy3oi35EouyE=" crossorigin="anonymous"></script>
11 | <script>
12 | window.jQuery || document.write('<script src="http://xianzhi.aliyun.com/jquery.js"><\/script>');
13 | </script>
14 | </head>
15 | <body>
16 | <script>
17 |     $(function(){
18 |         try { $(location.hash) } catch(e) {}
19 |     })
20 | </script>
21 | </body>
22 | </html>


--------------------------------------------------------------------------------
/xss2_getallheaders/index.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | header('Pragma: cache');
 3 | header("Cache-Control: max-age=".(60*60*24*100)); 
 4 | header("X-XSS-Protection: 0");
 5 | ?>
 6 | <html>
 7 | <head>
 8 | <meta charset=utf-8>
 9 | <head>
10 | <body>
11 | <?php
12 | if(isset($_SERVER['HTTP_REFERER'])) 
13 | {
14 | echo "Bad Referrer!";
15 | }
16 | else
17 | {
18 | foreach (getallheaders() as $name => $value) {
19 |     echo "$name: $value\n";
20 | }
21 | }
22 | ?>
23 | </body>
24 | </html>


--------------------------------------------------------------------------------
/xss3_json/index.php:
--------------------------------------------------------------------------------
1 | <?php
2 | header("Content-Type:application/json;charset=utf-8");
3 | header("X-XSS-Protection: 0");
4 | echo '{"errno":0,"error":"","data":{"user":{"id":"2","user_name":"\u4e13\u4e1a\u6295\u8d44\u4ebafh","email":"","mobile":"139****0002","intro":"'.$_GET["value"].'","address":null,"photo":"\/avatar\/000\/00\/00\/02virtual_avatar_big.jpg","user_uuid":"779ab6bd7e2df90c37f1e892","header_url":"\/avatar\/000\/00\/00\/02virtual_avatar_big.jpg","user_id":"2","is_real_name":0,"is_real_name_string":"\u672a\u5b9e\u540d\u8ba4\u8bc1","real_name":"\u5c24\u6654","is_investor":0,"is_leader_investor":1,"cetificate_id":"511********4273","focus_area":["\u91d1\u878d:\u91c7\u8d2d\u7269\u6d41:\u80fd\u6e90\u73af\u4fdd:\u6cd5\u5f8b\u6559\u80b2:"],"third_party":[{"openid":"1212","type":1,"is_band":1},{"openid":"2oiVL4wNxso9ttarGMIoVa1q-w8kU","type":1,"is_band":1}]}}}'
5 | ?>


--------------------------------------------------------------------------------
/xss4_referer/index.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | header("X-XSS-Protection: 0");
 3 | ?>
 4 | <html>
 5 | <head>
 6 | <meta charset="utf-8">
 7 | </head>
 8 | <body>
 9 | <?php echo "你来自:".$_SERVER['HTTP_REFERER'];?>
10 | </body>
11 | </html>


--------------------------------------------------------------------------------
/xss5_redirect/index.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | header("X-XSS-Protection: 0");
 3 | $url=str_replace(urldecode(""),"",$_GET["url"]);
 4 | $url=str_replace(urldecode("%0d"),"",$url);
 5 | $url=str_replace(urldecode("%0a"),"",$url);
 6 | header("Location: ".$url);
 7 | ?>
 8 | <html>
 9 | <head>
10 | <meta charset="utf-8">
11 | </head>
12 | <body>
13 | <?php echo "<a href='".$url."'>如果跳转失败请点我</a>";?>
14 | </body>
15 | </html>


--------------------------------------------------------------------------------
/xss6_forcedownload/index.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | header("X-XSS-Protection: 0");
 3 | header('Content-Disposition: attachment; filename="'.$_GET["filename"].'"');
 4 | if(substr($_GET["url"],0,4) ==="http" && substr($_GET["url"],0,8)<>"http://0" && substr($_GET["url"],0,8)<>"http://1" && substr($_GET["url"],0,8)<>"http://l" && strpos($_GET["url"], '@') === false)
 5 | {
 6 | $opts = array('http' =>
 7 |     array(
 8 |         'method' => 'GET',
 9 |         'max_redirects' => '0',
10 |         'ignore_errors' => '1'
11 |     )
12 | );
13 | $context = stream_context_create($opts);
14 | $url=str_replace("..","",$_GET["url"]);
15 | $stream = fopen($url, 'r', false, $context);
16 | echo stream_get_contents($stream);
17 | }
18 | else
19 | {
20 | echo "Bad URL!";
21 | }
22 | ?>


--------------------------------------------------------------------------------
/xss7_textplain/index.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | header("X-XSS-Protection: 0");
 3 | header('Content-Type: text/plain; charset=utf-8');
 4 | if(substr($_GET["url"],0,4) ==="http" && substr($_GET["url"],0,8)<>"http://0" && substr($_GET["url"],0,8)<>"http://1" && substr($_GET["url"],0,8)<>"http://l" && strpos($_GET["url"], '@') === false)
 5 | {
 6 | $opts = array('http' =>
 7 |     array(
 8 |         'method' => 'GET',
 9 |         'max_redirects' => '0',
10 |         'ignore_errors' => '1'
11 |     )
12 | );
13 | $context = stream_context_create($opts);
14 | $url=str_replace("..","",$_GET["url"]);
15 | $stream = fopen($url, 'r', false, $context);
16 | echo stream_get_contents($stream);
17 | }
18 | else
19 | {
20 | echo "Bad URL!";
21 | }
22 | ?>


--------------------------------------------------------------------------------
/xss8_tag/index.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | header("X-XSS-Protection: 0");
 3 | header("Content-Type: text/html;charset=utf-8");
 4 | if(substr($_GET["url"],0,4) ==="http" && substr($_GET["url"],0,8)<>"http://0" && substr($_GET["url"],0,8)<>"http://1" && substr($_GET["url"],0,8)<>"http://l" && strpos($_GET["url"], '@') === false)
 5 | {
 6 | $rule="/<[a-zA-Z]/";
 7 | $opts = array('http' =>
 8 |     array(
 9 |         'method' => 'GET',
10 |         'max_redirects' => '0',
11 |         'ignore_errors' => '1'
12 |     )
13 | );
14 | $context = stream_context_create($opts);
15 | $url=str_replace("..","",$_GET["url"]);
16 | $stream = fopen($url, 'r', false, $context);
17 | $content=stream_get_contents($stream);
18 | if(preg_match($rule,$content))
19 | {
20 | echo "XSS Detected!";
21 | }
22 | else
23 | {
24 | echo $content;
25 | }
26 | }
27 | else
28 | {
29 | echo "Bad URL!";
30 | }
31 | ?>


--------------------------------------------------------------------------------
/xss9_plaintext/index.php:
--------------------------------------------------------------------------------
1 | <?php
2 | header("X-XSS-Protection: 0");
3 | header("Content-Type: text/html;charset=gb3212");
4 | ?>
5 | <plaintext><?php echo $_GET["text"];?>


--------------------------------------------------------------------------------